Zimbra 8.7.11 SSL/TLS Cipher Suites

Posts: 3
Joined: Mon Oct 09, 2017 2:38 pm

Zimbra 8.7.11 SSL/TLS Cipher Suites

Postby iodisciple » Mon Oct 09, 2017 2:56 pm

Hi all,

Been struggling with this for a while, hope somebody can help. I'm on a fully updated CentOS 7 box and fully updated Zimbra. Now from another machine I've run OpenVAS to check the security and I was able to fix some stuff. Unfortunately I can't fix some Zimbra related things:

SSL/TLS: Report 'Anonymous' Cipher on port 465/tcp
SSL/TLS: Report Weak Cipher Suites on port 465/tcp
SSL/TLS: Report Weak Cipher Suites on port 587/tcp

I also had these errors on my https 443 port but was able to fix them with a '$ zmprov mcf zimbraReverseProxySSLCiphers' command. It seems that these 465 and 587 ports don't use the Reverse proxy since the same command doesn't fix it for these ports.

I've also tried '$ zmprov mcf +zimbraSSLExcludeCipherSuites <cipher>' but that doesn't do anything either.

To cut a long story short: where can I disable weak(er) ciphers for ports 465 and 587?


Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Postby iodisciple » Fri Oct 13, 2017 8:14 am

Anyone? :)

More info needed?
L. Mark Stone
Elite member
Posts: 1545
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.6.0 Patch 8

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Postby L. Mark Stone » Fri Oct 13, 2017 11:57 am

Ports 465 and 587 are handled by Postfix and do not go through the Proxy. Those ports are used to allow end-user email clients like Outlook to be able to send email through Zimbra after authenticating.

I believe, but am less than 100% sure, that the config you are seeking to modify is smtp_tls_mandatory_ciphers:


zimbra@smtp2:~$ zmprov desc -a zimbraMtaSmtpTlsMandatoryCiphers
    Value for postconf smtp_tls_mandatory_ciphers

               type : enum
              value : export,low,medium,high,null
           callback :
          immutable : false
        cardinality : single
         requiredIn :
         optionalIn : server,globalConfig
              flags : serverInherited
           defaults : medium
                min :
                max :
                 id : 1514
    requiresRestart :
              since : 8.5.0
    deprecatedSince :


You could test in a lab by changing the value from the current (likely) "medium" to "high", then restart Zimbra and see what happens. If you are using Network Edition you are entitled to open a Support Case for something like this.

Note that if you do successfully change the value to "high" and pass your tests, older clients which do not support more secure cipher suites will be unable to route email through your server as they may now be doing.

Hope that helps,
L. Mark Stone, General Manager
reliable networks, a Division of OTT Communications
HIPAA-Compliant Zimbra Hosting Provider since 2006 http://www.reliablenetworks.com
Zeta Alliance http://www.zetalliance.org/
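As an added example (not code from this thread, from Zimbra or from Postfix) for re-checking the three OpenVAS findings after changing the MTA cipher grade and restarting: a standard-library Python script that offers your server only anonymous, export or low-grade ciphers on 465 (implicit TLS) and 587 (STARTTLS) and reports whether the handshake still completes. The host name is an assumed command-line argument.

```python
import smtplib
import socket
import ssl

# OpenSSL cipher strings for the classes named in the OpenVAS findings.
# @SECLEVEL=0 lets the *probing client* offer them on OpenSSL >= 1.1; it changes
# nothing on the server. Export and most LOW ciphers were dropped from OpenSSL
# 1.1.0, so those classes may be untestable from the scanning host (result None).
CIPHER_CLASSES = {
    "anonymous": "aNULL:@SECLEVEL=0",
    "export": "EXPORT:@SECLEVEL=0",
    "low": "LOW:@SECLEVEL=0",
}

def probe_context(cipher_spec):
    """Client context offering only cipher_spec; None if local OpenSSL cannot."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                    # testing ciphers, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 ignores set_ciphers()
    try:
        ctx.set_ciphers(cipher_spec)
    except ssl.SSLError:
        return None
    return ctx

def server_accepts(host, port, cipher_spec, timeout=5.0):
    """True if host:port completes a handshake restricted to cipher_spec,
    False if it refuses (or is unreachable), None if untestable from here."""
    ctx = probe_context(cipher_spec)
    if ctx is None:
        return None
    try:
        if port == 465:                            # SMTPS: TLS from the first byte
            with socket.create_connection((host, port), timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    return True
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # 587: STARTTLS
            smtp.starttls(context=ctx)
            return True
    except (ssl.SSLError, OSError, smtplib.SMTPException):
        return False

if __name__ == "__main__":
    import sys                                     # usage: script.py mail.example.com (assumed)
    for port in (465, 587):
        for name, spec in CIPHER_CLASSES.items():
            verdict = server_accepts(sys.argv[1], port, spec)
            print(f"port {port} {name:<9}:",
                  {True: "ACCEPTED", False: "refused"}.get(verdict, "untestable here"))
```

A line reading "ACCEPTED" for the anonymous class on 465 reproduces the first OpenVAS finding; after a successful change every class should read "refused".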
