Zimbra 8.8.15 P33: Re-enable TLSv1.0/1.1 for IMAPS/POP3S

Winkee
Posts: 2
Joined: Mon Sep 26, 2022 4:14 pm

Zimbra 8.8.15 P33: Re-enable TLSv1.0/1.1 for IMAPS/POP3S

Post by Winkee »

Hello!

Can you help me please to understand how to re-enable TLSv1.0/1.1 for POP3S and IMAPS? After I updated my server to 8.8.15 P33 (from ~P20), these ports became TLSv1.2 only and my old clients don't connect to the server anymore.

As far as I understand, this is the option that should be responsible for the IMAPS and POP3S config:
zimbra@sc-zimbra:~$ zmprov gs `zmhostname` zimbraMailboxdSSLProtocols
# name xxx
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2
zimbraMailboxdSSLProtocols: SSLv2Hello
And judging from the output, 1.0 and 1.1 should be enabled, but when I scan my server with nmap, I see this:
993/tcp open imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
995/tcp open pop3s
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
Only TLSv1.2 is enabled, so I don't understand how to turn 1.0 and 1.1 back on. Help me please.

Just in case, the full version number:
Release 8.8.15.GA.3869.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.15_P33.
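A post-change check for the kind of scan shown above, added here as an example and not part of the original post: it parses the output of nmap's ssl-enum-ciphers script, lists which protocol versions each port actually offers, and flags anything below TLSv1.2. The nmap invocation in the comment and the sample scan are assumptions (the sample is constructed, not the poster's output).

```shell
#!/bin/sh
# Added example, not part of the thread. Summarise which SSL/TLS protocol
# versions nmap's ssl-enum-ciphers script saw on each port and flag anything
# below TLSv1.2. Feed it the output of (assumed invocation):
#   nmap -p 443,993,995 --script ssl-enum-ciphers HOST
# 443 is included because the reverse-proxy setting also governs the web UI.

# Print one "PORT: PROTO,PROTO" line per scanned port, in scan order.
# Accepts real nmap output as well as pasted copies that lost indentation.
tls_versions_from_nmap() {
  awk '
    /^[0-9]+\/tcp/ {
      port = $1
      if (!(port in seen)) { seen[port] = 1; order[++n] = port }
    }
    /^[|][ _]*(SSL|TLS)v[0-9.]+: *$/ {
      proto = $0
      gsub(/[| _:]/, "", proto)              # "|   TLSv1.2:" -> "TLSv1.2"
      v[port] = (v[port] == "" ? proto : v[port] "," proto)
    }
    END {
      for (i = 1; i <= n; i++)
        print order[i] ": " (v[order[i]] == "" ? "none" : v[order[i]])
    }
  '
}

# Exit 0 if any port still offers SSLv2/SSLv3/TLSv1.0/TLSv1.1, 1 otherwise.
legacy_offered() {
  tls_versions_from_nmap | grep -Eq '(SSLv[23]|TLSv1\.[01])(,|$)'
}

# Constructed sample scan (not the poster's real output): 993 is TLSv1.2-only,
# 995 still answers TLSv1.0.
SAMPLE_SCAN='993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: A'

printf '%s\n' "$SAMPLE_SCAN" | tls_versions_from_nmap
```

Pipe a real scan into `legacy_offered` after changing the protocol settings to confirm the server offers exactly what you intended on each port.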
liverpoolfcfan
Elite member
Posts: 1099
Joined: Sat Sep 13, 2014 12:47 am

Re: Zimbra 8.8.15 P33: Re-enable TLSv1.0/1.1 for IMAPS/POP3S

Post by liverpoolfcfan »

Ideally you should not be re-enabling those as they create a security risk. The protocols will be enabled on the web UI as well as the IMAPS/POPS. You should look for alternatives to using IMAPS/POPS - or look for newer clients that support TLSv1.2 and 1.3. Alternatively, it might be possible to edit the nginx template file to only re-enable them for the IMAPS and POPS and firewall them to only allow certain IP ranges to connect. Any template modification would obviously be lost in a Zimbra patch/upgrade.

If you must re-enable them, then check your reverse proxy protocols:


zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1.3
zimbraReverseProxySSLProtocols: TLSv1.2
Remember it is a multi-record config, so you need to use a + or - in front of the setting to add or remove an entry:

zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.1
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1
Winkee
Posts: 2
Joined: Mon Sep 26, 2022 4:14 pm

Re: Zimbra 8.8.15 P33: Re-enable TLSv1.0/1.1 for IMAPS/POP3S

Post by Winkee »

liverpoolfcfan
I understand that these protocols are outdated, but it's fine in my case.

Here is the output for zimbraReverseProxySSLProtocols:
zmprov gcf zimbraReverseProxySSLProtocols

zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
1.0 and 1.1 are enabled, but don't work, so it seems that after the update it's no longer possible to turn these protocols back on. Thanks for your response!
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Zimbra 8.8.15 P33: Re-enable TLSv1.0/1.1 for IMAPS/POP3S

Post by phoenix »

Winkee wrote:
liverpoolfcfan
I understand that these protocols are outdated, but it's fine in my case.

How can they be fine in your environment when they're insecure? If the problem is your mail client then you need to address that and get a more secure and up to date client. You should not reduce the level of your server security just to accommodate an insecure connection from a client.

Perhaps you should get a client that supports activesync and install Z-Push. ;)
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra