How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
-
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
In file /opt/zimbra/conf/nginx/includes/nginx.conf.web I see references to our server as
server server.donaim.com:8080 fail_timeout=60s version=8.5.1_GA_3056;
Why would these still say 8.5.1? Is it possible something did not get updated correctly during the upgrade process?
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
I'm running my labs on DigitalOcean, which is a virtualized environment, and it works well. Did you follow each step of this section of the Wiki?
https://wiki.zimbra.com/wiki/How_to_obt ... sing_Proxy
Can you send me by PM the SSL Labs link?
Best regards
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
The Wiki has been updated with the steps to properly enable the proxy in 8.0.9 and obtain the A+ using that release.
https://wiki.zimbra.com/wiki/How_to_obt ... tion_8.0.9
Hope it helps !
-
- Elite member
- Posts: 1112
- Joined: Sat Sep 13, 2014 12:47 am
How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Hi Jorge,
I came back around to this after a considerable time away from it. I have now gotten an A+ rating - but wanted to share what I found along the way in case it helps anyone else.
In troubleshooting an issue with the server statistics (different thread opened), I discovered that, even though I had renamed the server from zimbra.mydomain.com to mail.mydomain.com to match our commercial certificate in order to get 8.6 to install, under the covers there were still some references to zimbra.mydomain.com.
I found that the following two settings were still showing the old name:
zimbraReverseProxyAvailableLookupTargets: zimbra.mydomain.com
zimbraReverseProxyUpstreamLoginServers: zimbra.mydomain.com
and the ssh key generated by sshkeygen and deployed by zmupdateauthkeys was still referencing the old name.
A note of warning to anyone else who might find this thread in a search: the two keys mentioned are ARRAYS (clue in the names, of course: they end with 's').
I mistakenly updated them first using:
zmprov mcf zimbraReverseProxyAvailableLookupTargets mail.mydomain.com
zmprov mcf zimbraReverseProxyUpstreamLoginServers mail.mydomain.com
When I restarted Zimbra, all appeared to start up correctly, but on trying to use the Web client I got:
------------------------------------
HTTP ERROR 502
Problem accessing ZCS upstream server. Cannot connect to the ZCS upstream server. Connection is refused.
Possible reasons:
upstream server is unreachable
upstream server is currently being upgraded
upstream server is down
Please contact your ZCS administrator to fix the problem.
------------------------------------
If you list the settings with zmprov gcf ... the results look correct, but of course they are not. An array is expected and I hadn't specified the values appropriately. Note: this also caused errors to pop up in the Admin tool while I tried to update the proxy settings, so that might be a clue for people too.
I went back and reset the values correctly with the + prefix:
zmprov mcf zimbraReverseProxyAvailableLookupTargets ""
zmprov mcf +zimbraReverseProxyAvailableLookupTargets mail.mydomain.com
zmprov mcf zimbraReverseProxyUpstreamLoginServers ""
zmprov mcf +zimbraReverseProxyUpstreamLoginServers mail.mydomain.com
and restarted again.
This time it complained that I had an unexpected ";" at the end of the ssl_ciphers line in the nginx configuration. Very strange that it never cropped up anywhere before. I reset the cipher list using zmprov mcf zimbraReverseProxySSLCiphers using the string from the wiki.
On restarting again everything worked correctly.
I went to SSL Labs and got an A rating, up from a B. Progress finally. But, comparing your results with mine, I could see that I was not getting the following line, which was obviously the difference between the A and the A+:
"This server supports HTTP Strict Transport Security with long duration. Grade set to A+. MORE INFO »"
I double-checked all the Strict Transport Security (HSTS) settings and everything looked correct. I remade the changes but it made no difference.
Finally, noting that the initial ssl_dhparam change had to be made in two files, whereas the HSTS change was only specified for one file ("Like root user, edit the next file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add"), I decided to try adding the same changes to the second file (/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template).
I restarted the proxy again and retested at SSL Labs. The missing line appeared and I got an A+.
So, first off, thank you for your document and your support earlier. And, secondly, can you see if the wiki article needs updating to state the change should be in both template files.
By the way, if it makes a difference, our proxy is configured for "both" mode.
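Two checks for the HSTS step, as an added example (my own code, not the wiki's or the poster's): first, a parser for a captured HTTPS response header block that confirms the Strict-Transport-Security max-age is long enough for the SSL Labs A+ bump; second, a scan of the two nginx HTTPS templates named in the post, since a header present in only one of them is exactly what left the grade at A. The 180-day threshold is my reading of SSL Labs' "long duration" rule, and the sample headers and template files are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not from the wiki or the post above: verify the HSTS header and
# verify that BOTH Zimbra nginx HTTPS templates carry the add_header line.

# SSL Labs treats max-age >= 180 days (15552000 s) as "long duration"
# (my reading of the SSL Labs grading notes, not a value from the wiki).
HSTS_MIN_AGE=15552000

# hsts_max_age HEADERS: print the max-age from the first Strict-Transport-Security
# header in HEADERS (a raw response-header block), or 0 if there is none.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# hsts_ok HEADERS: succeed only if the header is present with a long enough max-age.
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ "$age" -ge "$HSTS_MIN_AGE" ]
}

# templates_missing_hsts DIR: print the name of each HTTPS template in DIR that
# lacks an add_header Strict-Transport-Security line (both must have it).
templates_missing_hsts() {
    for t in nginx.conf.web.https.default.template nginx.conf.web.https.template; do
        grep -qi 'add_header[[:space:]]\{1,\}strict-transport-security' "$1/$t" 2>/dev/null \
            || echo "$t"
    done
}

# live_hsts_check HOST: fetch the real headers with curl and run hsts_ok on them.
# Needs network access, so it is not exercised below.
live_hsts_check() {
    hsts_ok "$(curl -sI --max-time 10 "https://$1/")"
}

# --- constructed sample data (not captured from a real server) ---
HDR_GOOD='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html'
HDR_SHORT='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=3600'
HDR_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

# Stand-in for /opt/zimbra/conf/nginx/templates: only the .default template has
# the header, mirroring the situation described in the post.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf 'server {\n    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";\n}\n' \
    > "$DEMO_DIR/nginx.conf.web.https.default.template"
printf 'server {\n    # no HSTS header here yet\n}\n' \
    > "$DEMO_DIR/nginx.conf.web.https.template"

for h in "$HDR_GOOD" "$HDR_SHORT" "$HDR_NONE"; do
    if hsts_ok "$h"; then echo "max-age $(hsts_max_age "$h"): long enough for A+"
    else echo "max-age $(hsts_max_age "$h"): not long enough for A+"; fi
done
echo "templates still missing HSTS: $(templates_missing_hsts "$DEMO_DIR")"
# Real run: templates_missing_hsts /opt/zimbra/conf/nginx/templates
```

On a live server, run the template scan before restarting the proxy and `live_hsts_check mail.example.com` (hostname assumed) afterwards; if the header is served with a short max-age, SSL Labs will still stop at A even though the header is present.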
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Hello liverpool,
Thank you for your input. I've added the trick to the 8.6 part, of course; I didn't remember to add it there as well, sorry about that. Also, I've edited your post with some formatting to make it easier to read.
Best regards and, again, thank you for following the steps, giving your feedback and helping us to help others.
Best regards
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Doesn't work for me! When I run the command as Zimbra: "zmdhparam -new 2048" I get: "Unknown option: new" and I'm afraid to go further (I'm not running proxy).
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Hi,
Which version of Zimbra are you running, and which part of the wiki are you following?
You should install the proxy; it is much better for protecting and improving Zimbra security.
- myriad
- Advanced member
- Posts: 90
- Joined: Fri Sep 12, 2014 11:51 pm
- ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS
Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
The version is in my sig. Actually, since I am running 8.7 I see Proxy is installed and running but I haven't configured it or anything yet. Would this be a good starting point for an existing server: https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached?
Here is my existing config (although I haven't really configured anything):
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailMode: redirect
zimbraMailPort: 80
zimbraMailProxyPort: 8080
zimbraMailReferMode: reverse-proxied
zimbraMailSSLPort: 443
zimbraMailSSLProxyPort: 8443
zimbraPop3BindPort: 7110
zimbraPop3CleartextLoginEnabled: TRUE
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyLookupTarget: TRUE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraServiceEnabled: proxy
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: memcached
Last edited by myriad on Thu Feb 02, 2017 5:54 pm, edited 1 time in total.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Let me try it and I will let you know
Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
Hi there,
Strange behaviour. On 3 different Zimbra installations, 2 Community and 1 Network, following this guide
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
got 2 different results:
- A+ on Network Edition
- B on OSE Community
Network edition is : Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.12_P1 proxy.
ZCS 1 : Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.
ZCS 2 : Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.
ZCS 1 and ZCS 2 are Ubuntu 16.04 LTS upgraded from 12.04 LTS, but the Network one is a brand new install. These are the only differences.
SSL Analysis says: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Any suggestions?
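For the "weak Diffie-Hellman parameters, grade capped to B" result above, and for the earlier post that stalled at the zmdhparam step, the thing to establish is which DH parameter file the proxy actually loads and how big it is. The following is an added example of mine, not code from the wiki or from either poster: it pulls the ssl_dhparam path out of an nginx config, reads the modulus size with openssl, and reports OK or WEAK against the 2048-bit line SSL Labs grades on. The temp-dir layout and the /opt/zimbra/conf/nginx/includes path in the trailing comment are my assumptions, and the parameter files are generated on the spot for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki or the posts: find the DH parameter file the
# proxy really loads and check that it is at least 2048 bits. SSL Labs caps the
# grade at B when the server offers shorter DH parameters.

command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }

# ssl_dhparam_path CONF: print the file named by the first ssl_dhparam directive
# in an nginx config, or nothing if the directive is absent.
ssl_dhparam_path() {
    sed -n 's/^[[:space:]]*ssl_dhparam[[:space:]]\{1,\}\([^;[:space:]]*\)[[:space:]]*;.*/\1/p' "$1" \
        | head -n 1
}

# dhparam_bits FILE: print the modulus size of a PEM DH parameter file, parsed
# from openssl's text dump; prints nothing if the file is missing or unparsable.
dhparam_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# dhparam_ok FILE: succeed only if the parameters are at least 2048 bits.
dhparam_ok() {
    bits=$(dhparam_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# check_conf CONF: resolve the directive, then report OK, WEAK or MISSING.
check_conf() {
    p=$(ssl_dhparam_path "$1")
    if [ -z "$p" ]; then echo "MISSING: no ssl_dhparam directive in $1"; return 1; fi
    b=$(dhparam_bits "$p")
    if [ -z "$b" ]; then echo "MISSING: $p is not a readable DH parameter file"; return 1; fi
    if [ "$b" -ge 2048 ]; then echo "OK: $p is $b bit"
    else echo "WEAK: $p is only $b bit (SSL Labs caps the grade at B)"; return 1; fi
}

# --- constructed demo under a temp dir (paths are assumptions, not the wiki's) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
# -dsaparam produces parameters quickly, which is fine for a demo; on a real
# server generate them the way the wiki describes.
openssl dhparam -dsaparam -out "$DEMO_DIR/dh2048.pem" 2048 2>/dev/null
openssl dhparam -dsaparam -out "$DEMO_DIR/dh1024.pem" 1024 2>/dev/null || true
printf 'server {\n    ssl_dhparam %s/dh2048.pem;\n}\n' "$DEMO_DIR" > "$DEMO_DIR/good.conf"
printf 'server {\n    ssl_dhparam %s/dh1024.pem;\n}\n' "$DEMO_DIR" > "$DEMO_DIR/weak.conf"
printf 'server {\n    ssl_protocols TLSv1.2;\n}\n' > "$DEMO_DIR/none.conf"

for c in good weak none; do check_conf "$DEMO_DIR/$c.conf" || true; done
# Real run over the includes the proxy generated (path assumed):
#   for f in /opt/zimbra/conf/nginx/includes/*; do check_conf "$f"; done
```

Running `check_conf` over the generated includes rather than the templates matters here: a 2048-bit file may well exist on disk on the two upgraded hosts while the config the proxy actually loads still points at an older, shorter one, which would explain identical wiki steps giving A+ on the fresh install and B on the upgrades.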