I tried to secure my server a bit more and remove older protocols and ciphers and test it with ssllabs.com.
Unfortunately, it only partly works.
My steps:
$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
$ zmproxyctl restart
$ zmprov ms 'myhost' -zimbraMailboxdSSLProtocols TLSv1
$ zmprov ms 'myhost' -zimbraMailboxdSSLProtocols TLSv1.1
$ zmmailboxdctl restart
$ zmprov mcf zimbraMtaSmtpTlsProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'   # works
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'   # works
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'   # works
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'   # works
$ zmmtactl restart
$ zmdhparam set -new 3072
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
$ zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"   # works
$ zmcontrol restart
The MTA protocols seem OK, but for HTTPS, TLSv1 and 1.1, the old DH 1024 and some other weak ciphers are still enabled.
Is there anything else to do?
(Zimbra 8.8.15_GA_3980 on CentOS 7)
Thanks!