Zimbra OSE: 8.8.10
Host: Ubuntu Xenial (16.04)
Certificate issued by: Let's Encrypt
Here are the TLS-related settings:
zmprov gs `zmhostname` | grep -i TLS
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2
zimbraMtaLmtpTlsCiphers: export
zimbraMtaLmtpTlsLoglevel: 0
zimbraMtaLmtpTlsMandatoryCiphers: medium
zimbraMtaLmtpTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsSecurityLevel: may
zimbraMtaSmtpTlsCiphers: export
zimbraMtaSmtpTlsDaneInsecureMXPolicy: dane
zimbraMtaSmtpTlsLoglevel: 0
zimbraMtaSmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsSecurityLevel: may
zimbraMtaSmtpdSaslTlsSecurityOptions: $smtpd_sasl_security_options
zimbraMtaSmtpdTlsAskCcert: no
zimbraMtaSmtpdTlsCcertVerifydepth: 9
zimbraMtaSmtpdTlsCiphers: export
zimbraMtaSmtpdTlsLoglevel: 1
zimbraMtaSmtpdTlsMandatoryCiphers: medium
zimbraMtaSmtpdTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsReceivedHeader: no
zimbraMtaTlsAppendDefaultCA: no
zimbraMtaTlsAuthOnly: TRUE
zimbraMtaTlsSecurityLevel: may
zimbraReverseProxyImapStartTlsMode: on
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraSaslGssapiRequiresTls: FALSE
zmprov gs `zmhostname` | grep -i SSL | grep -vi tls
zimbraChatXmppSslPort: 5223
zimbraChatXmppSslPortEnabled: FALSE
zimbraHttpSSLNumThreads: 50
zimbraImapSSLBindOnStartup: TRUE
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraImapSSLServerEnabled: TRUE
zimbraMailSSLClientCertMode: Disabled
zimbraMailSSLClientCertOCSPEnabled: TRUE
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraMailboxdSSLProtocols: SSLv2Hello
zimbraMailboxdSSLRenegotiationAllowed: TRUE
zimbraMtaDefaultProcessLimit: 100
zimbraMtaPostscreenAccessList: permit_mynetworks
zimbraNotifySSLBindPort: 7036
zimbraNotifySSLServerEnabled: TRUE
zimbraPop3SSLBindOnStartup: TRUE
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraPop3SSLServerEnabled: TRUE
zimbraRemoteImapSSLBindPort: 8993
zimbraRemoteImapSSLServerEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraReverseProxySSLSessionCacheSize: 10m
zimbraReverseProxySSLSessionTimeout: 10m
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraReverseProxyXmppBoshSSL: FALSE
zimbraSSLCertificate: -----BEGIN CERTIFICATE-----
zimbraSSLExcludeCipherSuites: .*_RC4_.*
zimbraSSLPrivateKey: VALUE-BLOCKED
zimbraStatThreadNamePrefix: ImapSSLServer
zimbraStatThreadNamePrefix: Pop3SSLServer
$ openssl s_client -showcerts -connect localhost:993
CONNECTED(00000003)
139833695114904:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16455 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1639504835
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
$ openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(00000003)
140416041027224:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16674 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1639493066
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
$ openssl s_client -starttls smtp -crlf -connect localhost:25
CONNECTED(00000003)
140406780569240:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16674 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1639493120
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem complete-fullchain.pem