If you need/have relaxed TLS, read this. You can still enforce TLS on other port. 587 "TLS authentication only"

e.o
Posts: 1
Joined: Tue Oct 24, 2017 12:36 pm

Post by e.o »

Hi,

I have a customer whose Zimbra needs to allow non-TLS connections only for LAN legacy applications, without compromising external communications (client SMTP logins and mail, aka submissions).
So I thought I'd not force TLS by unchecking the "TLS authentication only" option, and the legacy applications worked. But there is a lack of documentation on what this action does for port 587.

So I spent some time figuring this out... testing showed both ports allow insecure login now.
(TY for https://wiki.zimbra.com/wiki/Simple_Tro ... nd_Openssl )

So this setting affects both ports 25 and 587 the same way. If it's checked then it ENFORCES encryption, i.e. it disables the LOGIN possibility if there is no TLS (secure connection).
If this setting is unchecked then it sets the TLS security option in Postfix to MAY. This means it tries TLS but also accepts LOGIN on insecure (no TLS) connections.

As I'm fine with port 25 (LAN only allowed, incoming blocked by the router's firewall, outgoing not containing passwords),
I'm not fine with relaxing 587 communication, which must be allowed through the router's firewall (it contains user passwords).

# So here's the hotfix for this issue... open the file master.cf.in

nano /opt/zimbra/common/conf/master.cf.in
# Find this part

submission inet n      -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
# Change "%%zimbraMtaTlsSecurityLevel%%" to "encrypt" to force 587 to insist on STARTTLS connections only.

# Note that submission is the same as 587 and smtpd is 25 if you use default ports. The "-o" lines are options for the "connection lines".
# "%%zimbraMtaTlsSecurityLevel%%" is the value from the Zimbra admin interface: if it's unchecked it's "may", if checked it's "encrypt".
# Suit yourself to set fixed values for whatever connection you need, or keep using "%%zimbraMtaTlsSecurityLevel%%" for the other connection.

# With zimbra user:

postfix reload
## Preferably from LAN, but not from the server itself... test with telnet
## Notice the LOGIN options for 25 and none for 587 with plain telnet (no TLS)

telnet servername 25
220 servername ESMTP Postfix
helo myworkstation
250 servername
ehlo myworkstation
250-servername
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN 
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
## Test the other port with plain telnet...
## No more insecure logins possible :), legacy SMTP sending works in LAN, everybody happy and secure.

telnet servername 587
220 servername ESMTP Postfix
helo myworkstation
250 servername
ehlo myworkstation
250-servername
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
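The telnet check above can be scripted so it is repeatable after every Zimbra upgrade (which may regenerate master.cf). This is an added example, not code from the original post or from Zimbra: it parses the EHLO reply to decide whether AUTH is advertised before STARTTLS, and `check_live` runs the same test against a real host with smtplib. The sample replies are constructed from the two transcripts above; `servername` is a placeholder.

```python
import smtplib

# EHLO replies, constructed from the two telnet transcripts above (abbreviated,
# not captured from a real server): port 25 still offers AUTH before STARTTLS,
# port 587 no longer does after the master.cf.in change.
EHLO_PORT25 = """250-servername
250-SIZE 104857600
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN"""

EHLO_PORT587 = """250-servername
250-SIZE 104857600
250-STARTTLS
250 DSN"""


def parse_ehlo(reply):
    """Turn a raw EHLO reply into {EXTENSION: parameters}; the first line is
    the server's hostname and is skipped."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:
        name, _, params = line[4:].partition(" ")  # drop '250-' / '250 '
        exts[name.upper()] = params
    return exts


def plaintext_auth_exposed(reply):
    """True when AUTH is advertised on a session that has not done STARTTLS,
    i.e. a client could send its password in the clear ('may' behaviour).
    The legacy 'AUTH=' form is counted too."""
    return any(k == "AUTH" or k.startswith("AUTH=") for k in parse_ehlo(reply))


def check_live(host, port, timeout=10):
    """EHLO host:port without negotiating TLS and return
    (auth_offered_in_clear, starttls_offered). After switching 587 to
    'encrypt' the expected result for that port is (False, True)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        return s.has_extn("auth"), s.has_extn("starttls")


if __name__ == "__main__":
    for port, sample in ((25, EHLO_PORT25), (587, EHLO_PORT587)):
        print(port, "AUTH in clear:", plaintext_auth_exposed(sample))
```

Run `check_live("servername", 587)` from a LAN workstation, as the post recommends, rather than from the server itself.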
iodisciple
Posts: 20
Joined: Mon Oct 09, 2017 2:38 pm
Location: Rotterdam
ZCS/ZD Version: Zimbra 8.7.11_GA_1854

Re: If you need/have relaxed TLS, read this. You can still enforce TLS on other port. 587 "TLS authentication only"

Post by iodisciple »

Nice work. I did some testing for a problem I'm having, to no avail, but this is some good knowledge to have!