Enable Perfect Forward Secrecy in Zimbra 8+ ?

dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Post by dar1423 »

I want to set up Zimbra correctly for 'Perfect Forward Secrecy' support.
I've read this
TLS Forward Secrecy in Postfix
this,
Zimbra & SSL ciphers hardening
and this,
Ajcody-MTA-Postfix-Topics - Zimbra :: Wiki
In the last one I read,

The other variable/options for the "Postfix SMTP Server policy - SASL mechanism properties" you will need to know about are: forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).
But, I still don't see or understand how to specifically enable it for Zimbra ZCS 8.0.6.
What postconf/zmconfig/etc commands, or other edits, do I need to make to enable it?
15337Raunaq
Advanced member
Posts: 157
Joined: Sat Sep 13, 2014 2:59 am

Post by 15337Raunaq »

dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Post by dar1423 »

That, unfortunately, references PFS only in the use case of nginx as ReverseProxy in front of Zimbra.
My use case is *NO* nginx -- i.e., just 'standalone' Zimbra.
This, then, begs the question of how to specify ciphers/order on the non-nginx case, which I'd asked here:
https://www.zimbra.com/forums/administr ... -case.html
danielfarrelly
Advanced member
Posts: 145
Joined: Fri Sep 12, 2014 10:32 pm

Post by danielfarrelly »

I agree this needs to be dealt with - especially considering the enormity of the whole Heartbleed fiasco. Zimbra engineers might want to be really careful how they propose to "fix" PFS on the Zimbra platform. Stating it's a feature request for an upcoming version of Zimbra is not enough. Might I recommend upping the key size to 4096, requiring 256-bit sig all the way to the CA root cert, make all default cipher suites 256-bit variants using TLS v1.2? If you need something less, it's up to you to reconfigure - or contact Zimbra support on how to type:
zmprov mcf -zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (which, btw... don't do)
I would think Zimbra as a company would see recent news of flaws in OpenSSL as an opportunity to reach out to its customers and provide a means of making sure their setup is secure - and be able to prove it.
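Daniel's closing point, that an admin should be able to prove the setup is secure, is something you can check from the outside rather than infer from configuration. The script below is an added example, not code from this thread, from Zimbra or from Postfix: a POSIX shell script that uses the `openssl` command-line client (assumed installed) to report which key exchange a Zimbra host actually negotiates on a given port (HTTPS, or STARTTLS on the Postfix/IMAP ports), and whether the server still completes a handshake when the client offers only static RSA key exchange. The host names in the usage comment and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Probes a Zimbra host's
# TLS-speaking ports and reports whether the negotiated key exchange is
# ephemeral (forward secret). Assumes the `openssl` CLI is available;
# host names in the usage comment are placeholders.

# Forward secrecy comes from an ephemeral (EC)DH key exchange: OpenSSL names
# such suites ECDHE-* or DHE-*, and every TLS 1.3 suite (TLS_AES_*,
# TLS_CHACHA20_*) is ephemeral. Static-RSA suites (AES256-SHA, ...) are not.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|TLS_AES_*|TLS_CHACHA20_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the negotiated cipher name out of an `openssl s_client` transcript
# read from stdin. A failed handshake leaves "Cipher    : 0000" in the
# SSL-Session block; that line is dropped so the result is empty.
negotiated_cipher() {
    sed -n -e '/Cipher *: *0000/d' \
           -e 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# check_service HOST PORT [STARTTLS-PROTO]
# Returns 0 if the default handshake is forward secret AND the server refuses
# a client that offers only static-RSA key exchange; 1 if either check fails;
# 2 if no TLS session could be established at all.
check_service() {
    host=$1; port=$2; proto=${3:-}
    opts="-connect $host:$port -servername $host"
    if [ -n "$proto" ]; then
        opts="$opts -starttls $proto"
    fi

    cipher=$(printf 'QUIT\n' | openssl s_client $opts 2>/dev/null | negotiated_cipher)
    if [ -z "$cipher" ]; then
        echo "$host:$port  no TLS session (check port / STARTTLS protocol)"
        return 2
    fi
    status=0
    if is_pfs_cipher "$cipher"; then
        echo "$host:$port  default handshake: $cipher (forward secret)"
    else
        echo "$host:$port  default handshake: $cipher (NOT forward secret)"
        status=1
    fi

    # Second probe: offer only static-RSA key exchange (OpenSSL cipher string
    # "kRSA", pinned to TLS 1.2 so no TLS 1.3 suite can be chosen). A server
    # that completes this handshake still allows non-forward-secret sessions
    # to any client that asks for them, whatever its preferred order is.
    weak=$(printf 'QUIT\n' | openssl s_client $opts -tls1_2 -cipher kRSA 2>/dev/null | negotiated_cipher)
    if [ -n "$weak" ]; then
        echo "$host:$port  WARNING: still accepts static RSA key exchange ($weak)"
        status=1
    else
        echo "$host:$port  rejects static RSA key exchange"
    fi
    return $status
}

# Usage (placeholder host):
#   sh pfs-check.sh mail.example.com 443            (web client / admin UI)
#   sh pfs-check.sh mail.example.com 25 smtp        (Postfix STARTTLS)
#   sh pfs-check.sh mail.example.com 143 imap       (IMAP STARTTLS)
if [ $# -ge 2 ]; then
    check_service "$@"
fi
```

Run it once per listening service rather than once per host: in a standalone Zimbra install the MTA (Postfix), the mailbox server (Jetty) and any proxy each terminate TLS with their own configuration, so a forward-secret result on port 25 says nothing about port 443.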
dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Post by dar1423 »

quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Post by quanah »

You can already do PFS with Zimbra as long as you have nginx installed, which is the recommended way to install already.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
danielfarrelly
Advanced member
Posts: 145
Joined: Fri Sep 12, 2014 10:32 pm

Post by danielfarrelly »

of course you can. just as you can use a weak cipher to connect - unless you tell it not to. perhaps i was misunderstood, but a great majority of us already know how to make our zimbra installs more secure. i was making a suggestion on how you might want to better distribute information to your users.
dar1423 was looking for support on how to utilize PFS. he was told to check out bugzilla. i threw in my two cents thinking you might help him, and you respond with the above. seriously?
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Post by quanah »

yes, seriously. I took an hour yesterday writing up and documenting how to add nginx to his configuration so he can enable PFS. That's the solution until support for it can be added to Jetty. In any case, it is always advised to install proxy now.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
dar1423
Posts: 7
Joined: Sat Sep 13, 2014 3:36 am

Post by dar1423 »

um, know your facts
quanah & I had chatted in #irc. he suggested to ME to file the bug ...
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Post by quanah »

Yes, there is that too. ;)
I.e., if you want PFS now, you have to install nginx, period. If you don't want to use nginx, you'll have to wait until the bug I had dar1423 file is completed.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/