Can I make TLS mandatory on zimbra 8.8.15

bisi
Posts: 21
Joined: Sat Sep 13, 2014 2:43 am
ZCS/ZD Version: many versions&clients from 6.x up


Post by bisi »

I have spent quite a bit of time chasing my tail on this, and need some direction / background.

I have a client with Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P35

The client is a law firm, and the insurance company is pressing them to use "mandatory TLS", by which they seem to mean the Zimbra server will not send to an MX host if the receiver does not successfully negotiate TLS encryption, and the Zimbra server will refuse to accept messages if the TLS "handshake" is not completed.

Currently Zimbra has the postfix setting


smtpd_tls_security_level = may

I have verified that it does send and receive "opportunistic" TLS email, but it will also both send and accept unencrypted mail.

Yes, the client is happy to have email delivery failures, both inbound and outbound, if the message can't be TLS-encrypted.

My attempts to make this happen (enforce TLS) were informed by this typically succinct note on the page "Postfix TLS Support", and resulted in fatal errors in Zimbra (not a big surprise). Sadly, I did not record the exact failure mode, but IIRC, Zimbra failed to start.
You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting "smtpd_tls_security_level = encrypt". According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.

Example:

/etc/postfix/main.cf:
smtpd_tls_security_level = encrypt

Evidence of fall-back to unencrypted was gathered from the "testMandatoryTo:" and "testMandatoryFrom:" options at the checkTLS service.
https://www.checktls.com/TestReceiver?ASSURETLS

So, where to from here? I feel like I'm missing a big piece of the puzzle.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Can I make TLS mandatory on zimbra 8.8.15

Post by L. Mark Stone »

This is discussed also in the Zimbra Cipher Suites wiki:

https://wiki.zimbra.com/wiki/Cipher_suites

In the article you will see the LDAP attribute: zimbraMtaTlsSecurityLevel which can be set to encrypt:

zmprov mcf zimbraMtaTlsSecurityLevel encrypt && zmmtactl restart

The description for any attribute often has other useful information:

zmprov desc -a zimbraMtaTlsSecurityLevel

Disclaimer: I've never done this, and "encrypt" is not listed in the "value" choices output from the immediately above command. If it doesn't work, you could readily revert.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
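As an added illustration (not code from either post, nor from Zimbra or Postfix), here is a small Python audit of the two Postfix parameters that decide whether a mail server can fall back to cleartext: the inbound smtpd_tls_security_level quoted by bisi, and the outbound smtp_tls_security_level, which is the client-side counterpart not mentioned in the thread. The postconf output below is constructed; the RFC 2487 caveat is the one quoted from the Postfix documentation above.

```python
import re

# Postfix levels that still let SMTP fall back to cleartext (inbound smtpd_* or outbound smtp_*).
# "dane" is opportunistic: without TLSA records it behaves like "may".
CLEARTEXT_ALLOWED = {"none", "may", "dane"}
# Levels that refuse to proceed without a TLS session.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

WEAK_CF = """
# constructed sample, as `postconf -n` would print on an opportunistic-TLS MTA
smtpd_tls_security_level = may
smtp_tls_security_level = may
"""

HARDENED_CF = """
# constructed sample: both directions require TLS
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt
"""

def parse_postconf(text):
    """Return {parameter: value} from 'key = value' lines; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_level(direction, param, level, public_mx):
    """Return a finding string for one direction, or None when the level is mandatory and unremarkable."""
    if level in CLEARTEXT_ALLOWED:
        return f"{direction}: {param}={level} still permits cleartext SMTP"
    if level not in MANDATORY:
        return f"{direction}: {param}={level} is not a valid Postfix level (typo?)"
    if direction == "inbound" and level == "encrypt" and public_mx:
        return "inbound: 'encrypt' on a public MX rejects senders without STARTTLS (RFC 2487 warns against this)"
    return None

def audit_tls(settings, public_mx=True):
    """Report per direction whether TLS is mandatory; unset levels use Postfix's built-in default 'none'."""
    inbound = settings.get("smtpd_tls_security_level", "none")
    outbound = settings.get("smtp_tls_security_level", "none")
    findings = [f for f in (check_level("inbound", "smtpd_tls_security_level", inbound, public_mx),
                            check_level("outbound", "smtp_tls_security_level", outbound, public_mx)) if f]
    return {"inbound_mandatory": inbound in MANDATORY,
            "outbound_mandatory": outbound in MANDATORY,
            "findings": findings}

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(name, audit_tls(parse_postconf(cf)))
```

Feed it the real `postconf -n` output after changing zimbraMtaTlsSecurityLevel to confirm both directions, not just the inbound one, ended up mandatory.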