Poodle - SSLv3 still active on SMTP-SSL (port 465) after using Wiki to disable

Posted: Thu Oct 16, 2014 4:21 am
by johnroberts
Hi,

We have used the Wiki entry:
https://wiki.zimbra.com/wiki/How_to_disable_SSLv3
to disable SSLv3 in Zimbra 8.5 (3042 patch 8.5.0_P2) with Proxy

For the MTA we ran:
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
as zimbra then restarted, and checked on port 25 with:
openssl s_client -connect mail.example.com:25 -ssl3 -starttls smtp
and got a good 'ssl handshake failure'.
However, the server is still responding to SSLv3 requests on SMTP-SSL port 465 using the following command (from the Wiki):
timeout 3 openssl s_client -connect mail.example.com:465 -ssl3

After completing the Wiki, checking all other ports gives the correct 'ssl handshake failure', except port 465, where SSLv3 is still being happily negotiated...
Has anyone any idea why?

Thanks for your time!

Posted: Thu Oct 16, 2014 5:58 am
by dik23
I am getting the same here.
However, on the very same page there's the "test":
for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done
which gives output that would suggest that it's OK:
Port 993
-su: timeout: command not found
Port 995
-su: timeout: command not found
Port 443
-su: timeout: command not found


My only thought on this is that the "How to disable SSLv3" wiki is borked and needs updating.
EDIT:
Apologies, the above was true late last night, but now it's been updated:
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'

Posted: Thu Oct 16, 2014 6:38 am
by Klug
The wiki page has been updated a couple of hours ago.

The missing config line was in the bugzilla.

Posted: Thu Oct 16, 2014 7:08 am
by florism
The procedure described in the wiki does not work for IMAP; I can still see SSLv3 enabled on those. HTTPS works correctly.

Posted: Thu Oct 16, 2014 8:19 am
by johnroberts
Thanks a lot, the missing line (now in the Wiki) was:
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'
SSLv3 is now also refused on port 465.
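The probes in johnroberts' and dik23's posts above, collected into one script, as an added example that is not part of the thread or of the Zimbra wiki. It classifies the `openssl s_client -ssl3` output explicitly rather than grepping for one word, probes port 25 via STARTTLS and the implicit-TLS ports directly, and treats a missing `timeout` as an error: in dik23's run, openssl never executed, so a grep-based loop produced no evidence either way. The hostname is assumed to come from the first command-line argument; the sample outputs embedded for the offline self-check are constructed and abbreviated, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from this thread or the Zimbra wiki: probe a list of ports for
# SSLv3 and classify the result explicitly, failing loudly when the tools are missing.
# Assumptions: hostname is $1; the local OpenSSL still accepts -ssl3 (builds without
# SSLv3 support make every probe come back as "unknown", which is not a pass).

# Classify captured `openssl s_client -ssl3` output. Prints one word:
#   disabled  - the server refused the SSLv3 handshake (the state we want)
#   ENABLED   - an SSLv3 session was negotiated
#   unknown   - neither (tool missing, network error, -ssl3 unsupported locally)
classify_ssl3_output() {
    case "$1" in
        *"Cipher is (NONE)"*|*"handshake failure"*|*"alert protocol version"*)
            echo disabled ;;
        *"unsupported protocol"*|*"wrong version number"*)
            echo disabled ;;
        *"Cipher is "*)
            echo ENABLED ;;
        *)
            echo unknown ;;
    esac
}

# Probe one port. $3 is empty for implicit TLS (465/993/995/443) or a STARTTLS
# protocol name such as "smtp" for port 25. A missing timeout(1) is reported as
# unknown and a non-zero return, never as a clean result.
probe_ssl3() {
    host="$1"; port="$2"; starttls="$3"
    if ! command -v timeout >/dev/null 2>&1; then
        echo "timeout(1) not found; cannot probe $host:$port safely" >&2
        echo unknown
        return 1
    fi
    if [ -n "$starttls" ]; then
        out=$(timeout 5 openssl s_client -connect "$host:$port" -ssl3 -starttls "$starttls" </dev/null 2>&1 || true)
    else
        out=$(timeout 5 openssl s_client -connect "$host:$port" -ssl3 </dev/null 2>&1 || true)
    fi
    classify_ssl3_output "$out"
}

# Probe the ports mentioned in the thread; return non-zero unless every one of
# them reports "disabled".
check_all() {
    host="$1"; rc=0
    for spec in 25:smtp 465: 993: 995: 443:; do
        port="${spec%%:*}"; st="${spec#*:}"
        result=$(probe_ssl3 "$host" "$port" "$st")
        echo "Port $port: $result"
        [ "$result" = "disabled" ] || rc=1
    done
    return $rc
}

# Constructed, abbreviated sample outputs for an offline self-check (not real captures).
SAMPLE_REFUSED='CONNECTED(00000003)
140:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
no peer certificate available
New, (NONE), Cipher is (NONE)'
SAMPLE_NEGOTIATED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
SAMPLE_NO_TIMEOUT='-su: timeout: command not found'

# Returns 0 when all three samples are classified as expected.
self_check() {
    [ "$(classify_ssl3_output "$SAMPLE_REFUSED")" = disabled ] &&
    [ "$(classify_ssl3_output "$SAMPLE_NEGOTIATED")" = ENABLED ] &&
    [ "$(classify_ssl3_output "$SAMPLE_NO_TIMEOUT")" = unknown ]
}

self_check && echo "classifier self-check passed"

# Network probe only when a host is given, e.g.:  sh ssl3check.sh mail.example.com
if [ -n "${1:-}" ]; then
    check_all "$1"
fi
```

An "unknown" result on every port usually means the local `openssl` binary was built without SSLv3 (recent distributions drop `-ssl3` entirely); that says nothing about the server, so the probe has to be repeated from a host whose OpenSSL still supports the protocol before the fix is counted as verified.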