Enable Perfect Forward Secrecy in Zimbra 8+ ?
I want to set up Zimbra correctly for 'Perfect Forward Secrecy' support.
I've read this
TLS Forward Secrecy in Postfix
this,
Zimbra & SSL ciphers hardening
and this,
Ajcody-MTA-Postfix-Topics - Zimbra :: Wiki
In the last one I read,
The other variable/options for the "Postfix SMTP Server policy - SASL mechanism properties" you will need to know about are: forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).
But, I still don't see or understand how to specifically enable it for Zimbra ZCS 8.0.6.
What postconf/zmconfig/etc commands, or other edits, do I need to make to enable it?
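Whichever route is taken to enable it, the result should be verified from the outside. The following script is an added example, not from the thread or from Zimbra: it probes the TLS services a Zimbra host exposes and reports whether each one negotiated an ephemeral key exchange. It assumes `openssl s_client` is on PATH, uses the default Zimbra ports (443, 993, 995 and 25 with STARTTLS), and takes the host name as its only argument.

```shell
#!/bin/sh
# Added example (not from the thread): probe the TLS services a Zimbra host
# exposes and report whether each one negotiated an ephemeral, forward-secret
# key exchange. Assumes `openssl s_client` is on PATH and the default Zimbra
# ports: 443 (web), 993 (IMAPS), 995 (POP3S) and 25 (SMTP, via STARTTLS).

# Returns 0 when an OpenSSL cipher name implies (EC)DHE key exchange, so the
# session key cannot later be recovered from the server's long-term private key.
is_pfs_cipher() {
    case "$1" in
        ECDHE-*|DHE-*|EDH-*)      return 0 ;;
        TLS_AES_*|TLS_CHACHA20_*) return 0 ;;   # TLS 1.3 suites always use (EC)DHE
        *)                        return 1 ;;
    esac
}

# Reads s_client output on stdin and prints the negotiated cipher from its
# "SSL-Session:" block (a line such as "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384").
cipher_from_s_client() {
    sed -n 's/^ *Cipher *: *//p' | head -n 1
}

# Probes host $1 on port $2; $3 is an optional STARTTLS protocol (smtp, imap, pop3).
# Prints one result line; returns 0 only if the session is forward secret.
probe_port() {
    host=$1; port=$2
    starttls=${3:+-starttls $3}
    # $starttls is deliberately unquoted so "-starttls smtp" splits into two arguments.
    cipher=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" $starttls 2>/dev/null \
             | cipher_from_s_client)
    case "$cipher" in
        ""|0000) printf '%s:%s  no TLS session established\n' "$host" "$port"; return 2 ;;
    esac
    if is_pfs_cipher "$cipher"; then
        printf '%s:%s  %s  forward secret\n' "$host" "$port" "$cipher"
    else
        printf '%s:%s  %s  NOT forward secret (no ephemeral key exchange)\n' "$host" "$port" "$cipher"
        return 1
    fi
}

# Usage: sh pfs-check.sh mail.example.com
if [ $# -eq 1 ]; then
    probe_port "$1" 443
    probe_port "$1" 993
    probe_port "$1" 995
    probe_port "$1" 25 smtp
fi
```

Run it once before and once after the configuration change; any port that still reports a cipher without ECDHE/DHE is one where the change did not take effect.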
- Advanced member
- Posts: 157
- Joined: Sat Sep 13, 2014 2:59 am
Enable Perfect Forward Secrecy in Zimbra 8+ ?
You may be looking for this
https://bugzilla.zimbra.com/show_bug.cgi?id=85224
Enable Perfect Forward Secrecy in Zimbra 8+ ?
That, unfortunately, references PFS only in the use case of nginx as ReverseProxy in front of Zimbra.
My use case is *NO* nginx -- i.e., just 'standalone' Zimbra.
This, then, begs the question of how to specify ciphers/order on the non-nginx case, which I'd asked here:
https://www.zimbra.com/forums/administr ... -case.html
- Advanced member
- Posts: 145
- Joined: Fri Sep 12, 2014 10:32 pm
Enable Perfect Forward Secrecy in Zimbra 8+ ?
I agree this needs to be dealt with - especially considering the enormity of the whole Heartbleed fiasco. Zimbra engineers might want to be really careful how they propose to "fix" PFS on the Zimbra platform. Stating it's a feature request for an upcoming version of Zimbra is not enough. Might I recommend upping the key size to 4096, requiring 256-bit sig all the way to the CA root cert, and making all default cipher suites 256-bit variants using TLS v1.2? If you need something less, it's up to you to reconfigure - or contact Zimbra support on how to type:
zmprov mcf -zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (which, btw... don't do)
I would think Zimbra as a company would see recent news of flaws in OpenSSL as an opportunity to reach out to its customers and provide a means of making sure their setup is secure - and be able to prove it.
Enable Perfect Forward Secrecy in Zimbra 8+ ?
feel free to join in @ BUG:
https://bugzilla.zimbra.com/show_bug.cgi?id=89054
Enable Perfect Forward Secrecy in Zimbra 8+ ?
You can already do PFS with Zimbra as long as you have nginx installed, which is the recommended way to install already.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
- Advanced member
- Posts: 145
- Joined: Fri Sep 12, 2014 10:32 pm
Enable Perfect Forward Secrecy in Zimbra 8+ ?
Of course you can. Just as you can use a weak cipher to connect - unless you tell it not to. Perhaps I was misunderstood, but a great majority of us already know how to make our Zimbra installs more secure. I was making a suggestion on how you might want to better distribute information to your users.
dar1423 was looking for support on how to utilize PFS. He was told to check out bugzilla. I threw in my two cents thinking you might help him, and you respond with the above. Seriously?
Enable Perfect Forward Secrecy in Zimbra 8+ ?
yes, seriously. I took an hour yesterday writing up and documenting how to add nginx to his configuration so he can enable PFS. That's the solution until support for it can be added to Jetty. In any case, it is always advised to install proxy now.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
Enable Perfect Forward Secrecy in Zimbra 8+ ?
Um, know your facts.
Quanah & I had chatted in #irc. He suggested to ME to file the bug ...
Enable Perfect Forward Secrecy in Zimbra 8+ ?
Yes, there is that too.
I.e., if you want PFS now, you have to install nginx, period. If you don't want to use nginx, you'll have to wait until the bug I had dar1423 file is completed.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/