Missing SSL/TLS encryption for SMTP and IMAP

spatocs
Joined: Tue Dec 14, 2021 2:47 pm


Post by spatocs

I recently installed Zimbra OSE on a new server. I use a certificate from Let's Encrypt. The certificate works correctly for the web UI, but no certificate is used with SMTP or IMAP.

Zimbra OSE: 8.8.10
Host: Ubuntu Xenial (16.04)
Certificate issued by: Let's Encrypt

Here are the TLS-related settings:


zmprov gs `zmhostname` | grep -i TLS
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2
zimbraMtaLmtpTlsCiphers: export
zimbraMtaLmtpTlsLoglevel: 0
zimbraMtaLmtpTlsMandatoryCiphers: medium
zimbraMtaLmtpTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsSecurityLevel: may
zimbraMtaSmtpTlsCiphers: export
zimbraMtaSmtpTlsDaneInsecureMXPolicy: dane
zimbraMtaSmtpTlsLoglevel: 0
zimbraMtaSmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsSecurityLevel: may
zimbraMtaSmtpdSaslTlsSecurityOptions: $smtpd_sasl_security_options
zimbraMtaSmtpdTlsAskCcert: no
zimbraMtaSmtpdTlsCcertVerifydepth: 9
zimbraMtaSmtpdTlsCiphers: export
zimbraMtaSmtpdTlsLoglevel: 1
zimbraMtaSmtpdTlsMandatoryCiphers: medium
zimbraMtaSmtpdTlsMandatoryProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdTlsReceivedHeader: no
zimbraMtaTlsAppendDefaultCA: no
zimbraMtaTlsAuthOnly: TRUE
zimbraMtaTlsSecurityLevel: may
zimbraReverseProxyImapStartTlsMode: on
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraSaslGssapiRequiresTls: FALSE
And SSL settings:


zmprov gs `zmhostname` | grep -i SSL | grep -vi tls
zimbraChatXmppSslPort: 5223
zimbraChatXmppSslPortEnabled: FALSE
zimbraHttpSSLNumThreads: 50
zimbraImapSSLBindOnStartup: TRUE
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraImapSSLServerEnabled: TRUE
zimbraMailSSLClientCertMode: Disabled
zimbraMailSSLClientCertOCSPEnabled: TRUE
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraMailboxdSSLProtocols: SSLv2Hello
zimbraMailboxdSSLRenegotiationAllowed: TRUE
zimbraMtaDefaultProcessLimit: 100
zimbraMtaPostscreenAccessList: permit_mynetworks
zimbraNotifySSLBindPort: 7036
zimbraNotifySSLServerEnabled: TRUE
zimbraPop3SSLBindOnStartup: TRUE
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraPop3SSLServerEnabled: TRUE
zimbraRemoteImapSSLBindPort: 8993
zimbraRemoteImapSSLServerEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraReverseProxySSLSessionCacheSize: 10m
zimbraReverseProxySSLSessionTimeout: 10m
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraReverseProxyXmppBoshSSL: FALSE
zimbraSSLCertificate: -----BEGIN CERTIFICATE-----
zimbraSSLExcludeCipherSuites: .*_RC4_.*
zimbraSSLPrivateKey: VALUE-BLOCKED
zimbraStatThreadNamePrefix: ImapSSLServer
zimbraStatThreadNamePrefix: Pop3SSLServer
Here are the tests I've run:


$ openssl s_client -showcerts -connect localhost:993
CONNECTED(00000003)
139833695114904:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16455 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639504835
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

$ openssl s_client -starttls smtp -crlf -connect localhost:587
CONNECTED(00000003)
140416041027224:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16674 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639493066
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

$ openssl s_client -starttls smtp -crlf -connect localhost:25
CONNECTED(00000003)
140406780569240:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 16674 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639493120
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
I deployed the cert using:


/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem complete-fullchain.pem
What do I need to do in order to get SSL/TLS working for SMTP and IMAP? Right now my users are using IMAP and SMTP without any encryption turned on.
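The openssl s_client runs in the post above show a trap worth building into any check: even though the handshake aborted and no server certificate was received, s_client still printed "Protocol : TLSv1.2" and "Verify return code: 0 (ok)", so a script that only greps for those two lines would report the endpoints as healthy. The script below is an added example for this thread, not part of the original post and not Zimbra's own tooling. It runs s_client against the usual Zimbra mail ports (implicit TLS on 465/993/995, STARTTLS on 25/587/143/110) and classifies each result, checking for "no peer certificate available" before it trusts the protocol, cipher and verify fields. The host name (taken from an assumed ZIMBRA_HOST environment variable), the port list, the function names and the two sample outputs are assumptions; SAMPLE_FAIL is abridged from the s_client output quoted in the post, SAMPLE_OK is constructed to show what a healthy handshake looks like.

```shell
#!/bin/sh
# tlsprobe.sh: probe the mail ports of a Zimbra host and summarise each TLS
# handshake. Added example for this thread, not Zimbra's own tooling; only
# "openssl s_client" is used. Host name, port list and samples are assumptions.

# classify_probe: read "openssl s_client" output on stdin and print one summary
# line. Exit status: 0 = TLS up and certificate trusted, 1 = no usable TLS,
# 2 = TLS up but the certificate did not verify against the local CA store.
classify_probe() {
    out=$(cat)
    # Check this first: in the failing output from the post, "Protocol : TLSv1.2"
    # and "Verify return code: 0 (ok)" are printed even though no certificate was
    # ever received, so those fields alone are misleading.
    case "$out" in
        *"no peer certificate available"*)
            echo "NOCERT (handshake aborted, no server certificate)"; return 1 ;;
    esac
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo "NOCONNECT (no TCP connection)"; return 1 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    case "$verify" in
        0*) echo "OK proto=$proto cipher=$cipher verify=$verify" ;;
        *)  echo "UNTRUSTED proto=$proto cipher=$cipher verify=$verify"; return 2 ;;
    esac
}

# probe HOST PORT [smtp|imap|pop3]: run s_client against one endpoint. The third
# argument selects STARTTLS; omit it for implicit-TLS ports (465/993/995).
# -servername sends SNI so the probe behaves like a real mail client would.
probe() {
    if [ -n "${3-}" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" -crlf </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1
    fi
}

# Constructed sample outputs for an offline demonstration. SAMPLE_FAIL is
# abridged from the s_client runs quoted in the post; SAMPLE_OK is made up to
# show a healthy handshake (host and issuer names are placeholders).
SAMPLE_FAIL='CONNECTED(00000003)
139833695114904:error:1408E098:SSL routines:ssl3_get_message:excessive message size:s3_both.c:417:
---
no peer certificate available
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)'

SAMPLE_OK='CONNECTED(00000003)
---
Server certificate
subject=CN = mail.example.com
issuer=CN = Example Root CA
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

# Live run: ZIMBRA_HOST=mail.example.com sh tlsprobe.sh
# Without ZIMBRA_HOST the script only classifies the two embedded samples.
if [ -n "${ZIMBRA_HOST-}" ]; then
    for ep in 25:smtp 587:smtp 465: 143:imap 993: 110:pop3 995:; do
        port=${ep%%:*}; st=${ep#*:}
        printf '%-4s %-8s ' "$port" "${st:-implicit}"
        probe "$ZIMBRA_HOST" "$port" "$st" | classify_probe
    done
else
    printf 'sample (post): '; printf '%s\n' "$SAMPLE_FAIL" | classify_probe || true
    printf 'sample (ok):   '; printf '%s\n' "$SAMPLE_OK" | classify_probe || true
fi
```

Run it from a machine other than the Zimbra host as well, since localhost probes bypass any firewall or proxy in front of the mailbox server. A NOCERT result on every port while the web UI is fine points at the MTA and proxy TLS configuration rather than at the certificate file itself; an UNTRUSTED result with a self-signed verify code means a certificate other than the intended one is being served on that port.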