Zimbra 8.7.11 SSL/TLS Cipher Suites

iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by iodisciple »

I'm using the free community edition so I believe I cannot very simply open a ticket :(

Thank you for all your help and time though!
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by L. Mark Stone »

iodisciple wrote:I'm using the free community edition so I believe I cannot very simply open a ticket :(

Thank you for all your help and time though!
Ah, OK. You may want to add the output of "zmcontrol -v" to your profile so we can all see what version you are running.

The control over Postfix ciphers is readily doable; some of your changes may not survive a Zimbra upgrade, but the basic methodology is here:

http://www.postfix.org/TLS_README.html#server_cipher

In the interim, while you may not be entitled to official support, anyone is entitled to open a bug report at bugzilla.zimbra.com, and I would urge you to file a bug report about this.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by iodisciple »

Hi Mark,

I've edited my profile. My version is: Release 8.7.11_GA_1854.RHEL7_64_20170531151956 RHEL7_64 FOSS edition.

I will read your link soon and add a bug and will report back when I discover anything new.

Kind regards,
iodisciple
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by iodisciple »

Unfortunately still no word on the bug :(
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by L. Mark Stone »

iodisciple wrote:Unfortunately still no word on the bug :(
Just to be 100% certain, when you ran:

    zmprov gs `zmhostname` zimbraMtaSmtpTlsMandatoryCiphers

it returned nothing?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by iodisciple »

Hi Mark,

Now it returns:

    # name server.domain.com
    zimbraMtaSmtpTlsMandatoryCiphers: high

I'm not 100% sure this has always been the case.
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by L. Mark Stone »

iodisciple wrote:Hi Mark,

Now it returns:

    # name server.domain.com
    zimbraMtaSmtpTlsMandatoryCiphers: high

I'm not 100% sure this has always been the case.
So, in thinking this through a bit further I think what you might want is to set up a separate Zimbra MTA server to handle port 587 submission traffic only, so you can pass your test.

The existing Zimbra MTA server you can leave as is; its purpose will be to handle inbound and web UI-generated outbound email as it does now. You could use a local firewall to block inbound 587 connections to this server.

The new Zimbra MTA server will be configured with an inbound firewall rule that blocks all but 587 connections, that has only strong ciphers and mandatory encryption enabled.

In this way your Outlook and other submission port users will have their email transfer to Zimbra to be encrypted strongly, but other email servers that don't support strong ciphers can still send and receive email with your Zimbra system.

Take a look at http://postfix.1071664.n5.nabble.com/St ... 88916.html for details on configuring Zimbra to use only secure ciphers.

Note this will take some customization work, which work may not survive Zimbra upgrades.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
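Added here by the editor as a worked example; it is not code from Mark's posts, from Zimbra, or from Postfix. It expands the "high" grade shown in the zmprov output above on whatever OpenSSL the local Python links against, flags the suites a scanner such as Qualys marks down (RSA key transport without forward secrecy, CBC/HMAC suites, 3DES/RC4), renders the Postfix main.cf values for the submission-only MTA Mark describes (mandatory encryption, strong ciphers only), and includes a live probe that offers port 587 nothing but weak suites so you can confirm the server refuses them. Assumptions not stated on the page: Postfix's stock tls_high_cipherlist and tls_medium_cipherlist strings, exclusions appended as ":!name" the way Postfix builds them, and the usual Zimbra mapping of zimbraMtaSmtpTls* attributes to Postfix smtp_tls_* (the outbound client) and zimbraMtaSmtpdTls* to smtpd_tls_* (the listener a scanner or Outlook talks to on 587). If that mapping holds, the attribute queried above governs outbound delivery rather than what the scan sees, so check the smtpd side as well.

```python
"""Audit a Postfix-style TLS cipher policy against the local OpenSSL.

Added example for this thread, not Zimbra or Postfix code.  Assumptions:
 * Postfix's stock grade strings: tls_high_cipherlist is
   "aNULL:-aNULL:HIGH:@STRENGTH", tls_medium_cipherlist is
   "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"; an exclude list is appended
   as ":!name" entries, which is how Postfix builds the OpenSSL string.
 * The expansion reflects the OpenSSL linked into *this* Python, not the
   one shipped inside a Zimbra 8.7.11 build, so results are indicative.
"""
import re
import smtplib
import ssl

POSTFIX_GRADES = {
    "high": "aNULL:-aNULL:HIGH:@STRENGTH",
    "medium": "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH",
}

# Candidate smtpd_tls_mandatory_exclude_ciphers for a submission-only MTA.
# Entries are OpenSSL cipher aliases: anonymous/null suites, every CBC/HMAC
# suite (SHA1/SHA256/SHA384 MAC), legacy ciphers, RSA key transport (no
# forward secrecy) and PSK/SRP suites that a mail client never negotiates.
HARDENED_EXCLUDE = ["aNULL", "eNULL", "MD5", "SHA1", "SHA256", "SHA384",
                    "DES", "3DES", "RC4", "kRSA", "CAMELLIA", "SEED",
                    "PSK", "SRP"]


def openssl_cipherlist(grade, exclude=()):
    """The string Postfix hands to OpenSSL for <grade> minus <exclude>."""
    return POSTFIX_GRADES[grade] + "".join(":!" + name for name in exclude)


def expand(cipherlist):
    """Suites the local OpenSSL enables for the string, TLS 1.2 and below.
    TLS 1.3 suites are configured separately (OpenSSL 'ciphersuites') and
    are always AEAD with forward secrecy, so they are left out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


_FIELD = re.compile(r"\b(Kx|Enc|Mac)=(\S+)")


def weaknesses(cipher):
    """Properties of one suite that a TLS scanner marks down, read from
    OpenSSL's own description ("... Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1")."""
    f = dict(_FIELD.findall(cipher["description"]))
    found = []
    if f["Kx"] not in ("ECDH", "DH", "ECDHEPSK", "DHEPSK"):
        found.append("no forward secrecy (Kx=%s)" % f["Kx"])
    if f["Enc"].startswith(("3DES", "DES", "RC4", "None")):
        found.append("legacy cipher (%s)" % f["Enc"])
    if f["Mac"] != "AEAD":
        found.append("CBC/HMAC suite (Mac=%s)" % f["Mac"])
    return found


def audit(grade, exclude=()):
    """Return (enabled suites, {suite name: list of weaknesses})."""
    suites = expand(openssl_cipherlist(grade, exclude))
    weak = {}
    for c in suites:
        found = weaknesses(c)
        if found:
            weak[c["name"]] = found
    return suites, weak


def submission_main_cf(exclude=HARDENED_EXCLUDE):
    """Postfix main.cf values for the submission-only MTA in the post:
    encryption required, 'high' grade minus the exclusions, TLS 1.2 or newer.
    On Zimbra set the zimbraMtaSmtpdTls* equivalents with zmprov instead of
    editing main.cf, which zmconfigd regenerates from LDAP."""
    return {
        "smtpd_tls_security_level": "encrypt",
        "smtpd_tls_mandatory_protocols": "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1",
        "smtpd_tls_mandatory_ciphers": "high",
        "smtpd_tls_mandatory_exclude_ciphers": ", ".join(exclude),
        "tls_preempt_cipherlist": "yes",
    }


def probe_submission(host, port=587, cipherlist="kRSA:3DES:RC4:SHA1"):
    """Live check (needs network, not exercised offline): offer the
    submission port only the suites in <cipherlist>.  A hardened server
    refuses the handshake and (None, reason) comes back; a cipher tuple
    means it still accepts them.  <host> is your own MTA; nothing here
    is hard-coded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # testing ciphers, not the chain
    ctx.set_ciphers(cipherlist)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as err:
            return None, str(err)
        return smtp.sock.cipher(), "accepted"


if __name__ == "__main__":
    for excl in ((), HARDENED_EXCLUDE):
        suites, weak = audit("high", excl)
        print("high minus [%s]: %d suites, %d flagged"
              % (", ".join(excl), len(suites), len(weak)))
        for name, why in sorted(weak.items()):
            print("  %-34s %s" % (name, "; ".join(why)))
```

Run it on the Zimbra host itself; the system Python links the system OpenSSL, which can differ from the OpenSSL under /opt/zimbra, so treat the expansion as a guide and confirm the real listener with probe_submission() against port 587 (a refused handshake is the result you want). The exclude list is deliberately aggressive for a submission-only host, where every client is a modern MUA; applying it to the MX listener that other mail servers connect to is exactly what would break the opportunistic-TLS compatibility Mark's split design is meant to preserve.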
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by iodisciple »

Hi Mark,

Thanks again for your help. I had a good look at it and don't know for certain yet if I want to set it up like this. I have to create another Zimbra instance and for a lot of situations, this is too complex and too expensive. I'll let it sink in for a while :)

Thanks and regards,
iodisciple
odiecoranes
Posts: 15
Joined: Wed Jun 29, 2016 9:00 am

Re: Zimbra 8.7.11 SSL/TLS Cipher Suites

Post by odiecoranes »

Any update on this?

I'm facing the same issue, can't pass the Qualys scan. Upgraded from 8.7 to Release 8.8.7_GA_1964.RHEL7_64_20180223145016 RHEL7_64 FOSS edition.

Thanks!