I already had the proxy enabled and running just fine. My setup involves one server dedicated to just the proxy service, and two backend servers which host the accounts/smtpd/etc. These were secured with SSL certificates from Namecheap during the last year without any major issues, and that included subdomains for virtuals.
I did make quite a bit of progress in the last few hours, but I now have some issues to fix.
DHParams: (working)
As I'm not on ZCS 8.7 yet, I generated the DH primes as indicated by the document for 8.6 instead, and placed the file in the correct place. That is now working, but I still doubt it had anything to do with the template files; it had more to do with the placement of the file and its permissions. The file cannot be generated by the zimbra user (openssl error during generation), so it required 'chown zimbra:zimbra /opt/zimbra/conf/dhparams.pem'. My dhparams line in the HTTPS templates was exactly the same except for the file location and permissions.
My issue is that, no matter what, the runtime configuration was not changing at all, and none of my directives took effect during SSL testing. The proxy seems to be a lot more responsive to changes in the nginx template files (/opt/zimbra/conf/nginx/templates). However, the backend servers completely ignore them, as they're apparently not running nginx (the includes directory is never populated with files). At the very least, they don't utilize the template files (no changes take effect), or somehow the majority of the directives are just flat ignored. I've put some of them at the very root of the configuration before all other includes, and still none of the changes took effect, which goes against how I understand nginx configuration files to work. The only thing I was missing myself was placing these directives before an include in the server section of specific template files; otherwise my own attempts closely match the document.
I think the dhparams.pem file needs to be generated with specific permissions and ownership.
HSTS: (not working)
I think the only command that may have worked is the zmprov mcf +zimbraResponseHeader. Instead of having no HSTS policy, I now have TWO policies.
Now I would like to know how to remove one of the policies....
Modifications were made correctly, according to the document, for the HTTPS template files. Grepping /opt/zimbra shows me that only these two files have 'add_header "Strict-Transport-Security"'. That being said, I somehow have two HSTS policies coming back in the browser:
max-age=15768000; includeSubDomains, max-age=31536000; includeSubDomains;
Ciphers: (too few!)
Also, I may have been too ambitious about the ciphers, as I have 4 ciphers left without server ordering being honored after using the zimbraSSLExcludedCiphers. I'm afraid that not very many client devices will be able to negotiate with those 4 ciphers.
How to get that set back to defaults would be nice, so I can attempt to pare down the ciphers again.
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH sect571r1 (eq. 15360 bits RSA) FS 112
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH sect571r1 (eq. 15360 bits RSA) FS 128
OCSP Stapling: (not supported in 8.6)
As an aside, OCSP stapling is not supported on 8.6, as the version of nginx running seems to be insufficient to understand those directives. Is the nginx version in 8.7 sufficient to enable OCSP stapling?
Thanks for linking to that document, I now have at least A's for my testing!
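The duplicate-HSTS symptom described in the post above can be checked from the command line before touching either the nginx templates or zimbraResponseHeader. The following is an added example, not code from the post or from Zimbra: it counts Strict-Transport-Security headers in a raw HTTP response and classifies the result. The sample response embedded in it is constructed to mimic the two policies reported above (separate header lines, which a browser's network panel displays joined by a comma, exactly as in the quoted value), and mail.example.com in the comment is a placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original post or from Zimbra): detect more than
# one Strict-Transport-Security header in an HTTP response. Runs offline on the
# constructed sample below; for a live check, feed it real response headers:
#   curl -sI https://mail.example.com/ | hsts_status
# (mail.example.com is a placeholder hostname, an assumption in this example.)

# Constructed sample headers reproducing the symptom: two HSTS headers with
# different max-age values, the shape you get when nginx add_header in a
# template and a zimbraResponseHeader value both emit a policy.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=15768000; includeSubDomains
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains;
'

# hsts_policies: read response headers on stdin and print the max-age value of
# every HSTS header found, one per line. Header names are case-insensitive and
# CRLF line endings are stripped first.
hsts_policies() {
    tr -d '\r' | grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p'
}

# hsts_count: number of HSTS headers in the response given on stdin.
hsts_count() {
    hsts_policies | wc -l | tr -d ' '
}

# hsts_status: print "none", "ok" or "duplicate" for the response on stdin.
# Per RFC 6797 section 8.1 a browser processes only the first STS header it
# receives and ignores the rest, so a second policy is never applied; the one
# with the longer max-age here (31536000) is the one being silently dropped.
hsts_status() {
    n=$(hsts_count)
    case "$n" in
        0) echo none ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_HEADERS" | hsts_policies
printf '%s' "$SAMPLE_HEADERS" | hsts_status
```

Run against the live proxy, "duplicate" with two differing max-age values tells you both the template add_header and the zimbraResponseHeader value are active; since only the first header wins, the policy you see enforced in the browser is the one emitted first by nginx, so remove whichever source carries the value you do not want and re-run the check.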