Zimbra 8.7.11 SSL/TLS Cipher Suites
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
I'm using the free community edition so I believe I cannot very simply open a ticket
Thank you for all your help and time though!
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
iodisciple wrote: I'm using the free community edition so I believe I cannot very simply open a ticket. Thank you for all your help and time though!

Ah, OK. You may want to add the output of "zmcontrol -v" to your profile so we can all see what version you are running.
The control over Postfix ciphers is readily doable; some of your changes may not survive a Zimbra upgrade, but the basic methodology is here:
http://www.postfix.org/TLS_README.html#server_cipher
In the interim, while you may not be entitled to official support, anyone is entitled to open a bug report at bugzilla.zimbra.com, and I would urge you to file a bug report about this.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Hi Mark,
I've edited my profile. My version is: Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.
I will read your link soon and add a bug and will report back when I discover anything new.
Kind regards,
iodisciple
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Unfortunately still no word on the bug
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
iodisciple wrote: Unfortunately still no word on the bug

Just to be 100% certain, when you ran:

    zmprov gs `zmhostname` zimbraMtaSmtpTlsMandatoryCiphers
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Hi Mark,
I'm not 100% sure this has always been the case.

Now it returns:

    # name server.domain.com
    zimbraMtaSmtpTlsMandatoryCiphers: high
- L. Mark Stone
- Ambassador
- Posts: 2802
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
iodisciple wrote: Hi Mark, I'm not 100% sure this has always been the case. Now it returns:

    # name server.domain.com
    zimbraMtaSmtpTlsMandatoryCiphers: high

So, in thinking this through a bit further, I think what you might want is to set up a separate Zimbra MTA server to handle port 587 submission traffic only, so you can pass your test.
The existing Zimbra MTA server you can leave as is; its purpose will be to handle inbound and web UI-generated outbound email as it does now. You could use a local firewall to block inbound 587 connections to this server.
The new Zimbra MTA server will be configured with an inbound firewall rule that blocks all but 587 connections, and with only strong ciphers and mandatory encryption enabled.
In this way your Outlook and other submission port users will have their email transfer to Zimbra to be encrypted strongly, but other email servers that don't support strong ciphers can still send and receive email with your Zimbra system.
Take a look at http://postfix.1071664.n5.nabble.com/St ... 88916.html for details on configuring Zimbra to use only secure ciphers.
Note this will take some customization work, which work may not survive Zimbra upgrades.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
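Two Postfix facts from the TLS_README Mark linked explain why a "high" mandatory cipher grade can coexist with a failing scan of port 587. First, smtpd_tls_mandatory_ciphers only takes effect when the server enforces TLS (smtpd_tls_security_level = encrypt); under opportunistic "may", which is how a Zimbra MTA normally runs so that any sender can deliver, Postfix picks its cipher list from smtpd_tls_ciphers, whose default is "medium". Second, the smtp_* family (no "d"), which includes the Postfix parameter behind the zimbraMtaSmtpTlsMandatoryCiphers value queried above, controls Postfix as an outbound client and says nothing about what the submission port offers to Outlook. The script below is an added example, not code from the thread or from Zimbra: it parses constructed main.cf and master.cf excerpts (stand-ins for `postconf -n` and the real master.cf), works out which cipher grade the submission service actually uses, and then shows the per-service master.cf overrides that give port 587 mandatory high-grade TLS while port 25 stays opportunistic, which is the split Mark describes, on one box. The protocol and exclusion lists are an example policy, not a Zimbra default.

```shell
#!/bin/sh
# Added audit example (not Zimbra's or the poster's code). The two texts below are
# CONSTRUCTED stand-ins for the Postfix main.cf / master.cf that Zimbra generates;
# on a real host you would feed in `postconf -n` and the master.cf instead.

SAMPLE_MAIN_CF='smtpd_tls_security_level = may
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high'

SAMPLE_MASTER_CF='smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes'

# pf_get TEXT PARAM -> value of PARAM in main.cf-style TEXT, "" if not set
pf_get() {
    printf '%s\n' "$1" | awk -v p="$2" -F'=' '
        $1 ~ ("^[ \t]*" p "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
        }'
}

# master_get TEXT SERVICE PARAM -> the "-o PARAM=value" override under SERVICE
# in master.cf-style TEXT, "" if the service inherits main.cf for PARAM
master_get() {
    printf '%s\n' "$1" | awk -v s="$2" -v p="$3" '
        /^[^ \t#]/ { in_svc = ($1 == s) }    # a service line starts at column 0
        in_svc && $1 == "-o" {
            i = index($2, "=")
            if (substr($2, 1, i - 1) == p) { print substr($2, i + 1); exit }
        }'
}

# submission_param MAIN MASTER PARAM -> value that applies to the submission
# service: a master.cf override wins over main.cf
submission_param() {
    v=$(master_get "$2" submission "$3")
    [ -n "$v" ] || v=$(pf_get "$1" "$3")
    printf '%s' "$v"
}

# submission_cipher_grade MAIN MASTER -> cipher grade port 587 really offers.
# Per TLS_README, smtpd_tls_mandatory_ciphers applies only when
# smtpd_tls_security_level is "encrypt"; under opportunistic "may" Postfix uses
# smtpd_tls_ciphers instead, whose default is "medium".
submission_cipher_grade() {
    level=$(submission_param "$1" "$2" smtpd_tls_security_level)
    if [ "$level" = encrypt ]; then
        g=$(submission_param "$1" "$2" smtpd_tls_mandatory_ciphers)
    else
        g=$(submission_param "$1" "$2" smtpd_tls_ciphers)
    fi
    printf '%s' "${g:-medium}"
}

# hardened_submission_overrides -> master.cf lines that make the submission
# service mandatory-TLS at the high grade and drop legacy ciphers/protocols,
# while port 25 stays opportunistic so weaker peers can still deliver.
# The protocol/exclusion lists are an example policy, not a Zimbra default.
hardened_submission_overrides() {
    printf '%s\n' \
        '  -o smtpd_tls_security_level=encrypt' \
        '  -o smtpd_tls_mandatory_ciphers=high' \
        '  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' \
        '  -o smtpd_tls_mandatory_exclude_ciphers=aNULL,MD5,RC4,3DES'
}

# hardened_master_cf -> the sample master.cf with the overrides appended to
# the submission service (which is the last service in the sample)
hardened_master_cf() {
    printf '%s\n' "$SAMPLE_MASTER_CF"
    hardened_submission_overrides
}

# Stand-alone run: show the gap the thread hit, then the fixed grade
echo "smtp_tls_mandatory_ciphers (outbound client): $(pf_get "$SAMPLE_MAIN_CF" smtp_tls_mandatory_ciphers)"
echo "port 587 cipher grade before: $(submission_cipher_grade "$SAMPLE_MAIN_CF" "$SAMPLE_MASTER_CF")"
echo "port 587 cipher grade after:  $(submission_cipher_grade "$SAMPLE_MAIN_CF" "$(hardened_master_cf)")"
```

On a live host the same overrides are applied with `postconf -P submission/inet/smtpd_tls_security_level=encrypt` and so on (Postfix 2.11 and later), but Zimbra regenerates its Postfix configuration from LDAP, which is the upgrade-survival caveat Mark raises; where a zmprov attribute exists for the smtpd side (the smtpd counterpart of the attribute queried above; confirm the exact name on your build with `zmprov desc -a`), setting it through zmprov is the change that survives. Re-run the scan against 587 after `zmmtactl restart`, and keep TLSv1/TLSv1.1 enabled if you still have clients that cannot do TLS 1.2.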
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Hi Mark,
Thanks again for your help. I had a good look at it and don't know for certain yet if I want to set it up like this. I have to create another Zimbra instance and for a lot of situations, this is too complex and too expensive. I'll let it sink in for a while.
Thanks and regards,
iodisciple
-
- Posts: 15
- Joined: Wed Jun 29, 2016 9:00 am
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Any update on this?
I'm facing the same issue, can't pass on Qualys scan. upgraded from 8.7 to Release 8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition.
Thanks!