How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by liverpoolfcfan »

In file /opt/zimbra/conf/nginx/includes/nginx.conf.web I see references to our server as

server server.donaim.com:8080 fail_timeout=60s version=8.5.1_GA_3056;

Why would these still say 8.5.1? Is it possible something did not get updated correctly during the upgrade process?
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

I'm running my labs on DigitalOcean, which is a virtualized environment, and it works well. Did you follow each step of this section of the wiki?

https://wiki.zimbra.com/wiki/How_to_obt ... sing_Proxy

Can you send me by PM the SSL Labs link?
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

The wiki has been updated with the steps to properly enable the proxy in 8.0.9 and obtain the A+ using that release :)

https://wiki.zimbra.com/wiki/How_to_obt ... tion_8.0.9

Hope it helps!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by liverpoolfcfan »

Hi Jorge,

I came back around to this after a considerable time away from it. I have now gotten an A+ rating - but wanted to share what I found along the way in case it helps anyone else.

In troubleshooting an issue with the server statistics (different thread opened) I discovered that, even though I had renamed the server from zimbra.mydomain.com to mail.mydomain.com to match our commercial certificate in order to get 8.6 to install, under the covers there were still some references to zimbra.mydomain.com.

I found that the following two settings were still showing the old name:
zimbraReverseProxyAvailableLookupTargets: zimbra.mydomain.com
zimbraReverseProxyUpstreamLoginServers: zimbra.mydomain.com

and the ssh key generated by sshkeygen and deployed by zmupdateauthkeys was still referencing the old name.

A note of warning to anyone else who might find this thread in a search - the two keys mentioned are ARRAYS (clue in the names of course - they end with 's').

I mistakenly updated them first using:
zmprov mcf zimbraReverseProxyAvailableLookupTargets mail.mydomain.com
zmprov mcf zimbraReverseProxyUpstreamLoginServers mail.mydomain.com

When I restarted Zimbra, all appeared to start up correctly - but on trying to use the web client I got:

------------------------------------
HTTP ERROR 502

Problem accessing ZCS upstream server. Cannot connect to the ZCS upstream server. Connection is refused.
Possible reasons:
upstream server is unreachable
upstream server is currently being upgraded
upstream server is down
Please contact your ZCS administrator to fix the problem.
------------------------------------

If you list the settings with zmprov gcf ... the results look correct, but of course they are not. An array is expected and I hadn't specified the values appropriately. Note: this also caused errors to pop up in the Admin tool while I tried to update the proxy settings - so that might be a clue for people too.

I went back and reset the values correctly with the + prefix:
zmprov mcf zimbraReverseProxyAvailableLookupTargets ""
zmprov mcf +zimbraReverseProxyAvailableLookupTargets mail.mydomain.com
zmprov mcf zimbraReverseProxyUpstreamLoginServers ""
zmprov mcf +zimbraReverseProxyUpstreamLoginServers mail.mydomain.com

and restarted again.

This time it complained that I had an unexpected ";" at the end of the ssl_ciphers line in the nginx configuration. Very strange that it never cropped up anywhere before. I reset the cipher list using zmprov mcf zimbraReverseProxySSLCiphers using the string from the wiki.

On restarting again everything worked correctly.

I went to SSL Labs and got an A rating, up from a B. Progress finally. But - comparing your results with mine, I could see that I was not getting the following line, which was obviously the difference between the A and A+:

"This server supports HTTP Strict Transport Security with long duration. Grade set to A+. MORE INFO »"

I double checked all the Strict Transport Security (HSTS) settings and everything looked correct. I remade the changes but it made no difference.

Finally, noting that the initial ssl_dhparam change had to be made in two files, whereas the HSTS change was only specified for one file ("Like root user, edit the next file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add"), I decided to try adding the same changes to the second file (/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template).

I restarted the proxy again, and retested at SSL Labs. The missing line appeared and I got an A+.

So, first off, thank you for your document and your support earlier. And, secondly, can you see if the wiki article needs updating to state the change should be in both template files?

By the way, if it makes a difference, our proxy is configured for "both" mode.
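An added check for the situation described in this post (it is not code from the post or from the Zimbra wiki): it scans the text of both nginx template files named above for the HSTS add_header directive and reports whether each carries a max-age long enough for SSL Labs' "long duration" line. The 180-day threshold is an assumption, and the template contents below are constructed samples, not the real templates.

```python
import re

# Template files named in the thread; the HSTS header has to be present in
# both, otherwise responses from the per-server vhost go out without it.
TEMPLATE_DEFAULT = "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template"
TEMPLATE_PER_SERVER = "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template"

# Assumed threshold for SSL Labs' "HSTS with long duration": 180 days.
LONG_DURATION_SECONDS = 180 * 24 * 3600

HSTS_RE = re.compile(r'add_header\s+Strict-Transport-Security\s+"([^"]*)"', re.IGNORECASE)
MAX_AGE_RE = re.compile(r"max-age\s*=\s*(\d+)", re.IGNORECASE)


def hsts_max_age(template_text):
    """Return the max-age (seconds) of the first HSTS add_header in an nginx
    template, or None when the template carries no such directive."""
    m = HSTS_RE.search(template_text)
    if not m:
        return None
    ma = MAX_AGE_RE.search(m.group(1))
    return int(ma.group(1)) if ma else None


def audit_templates(templates):
    """templates: {path: text}. Returns {path: (max_age or None, long_enough)}."""
    report = {}
    for path, text in templates.items():
        age = hsts_max_age(text)
        report[path] = (age, age is not None and age >= LONG_DURATION_SECONDS)
    return report


def all_templates_ok(templates):
    """True only when every template sets HSTS with a long enough max-age."""
    return all(ok for _, ok in audit_templates(templates).values())


# Constructed sample reproducing the A-but-not-A+ state from the post:
# HSTS only in the default template, nothing in the per-server one.
SAMPLE = {
    TEMPLATE_DEFAULT: 'server {\n  listen 8443 ssl default_server;\n'
                      '  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";\n}\n',
    TEMPLATE_PER_SERVER: 'server {\n  listen 8443 ssl;\n  server_name mail.example.test;\n}\n',
}

if __name__ == "__main__":
    for path, (age, ok) in audit_templates(SAMPLE).items():
        print(f"{path}: max-age={age} {'OK' if ok else 'MISSING OR TOO SHORT'}")
    print("A+ HSTS prerequisite met in all templates:", all_templates_ok(SAMPLE))
```

To run it against a real proxy, read the two template files into the dictionary instead of SAMPLE; a template reporting None is the one still missing the directive.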
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hello liverpool,

Thank you for your input. I've added the trick to the 8.6 part, of course, as I remember to add it as well; sorry about that. Also, I've edited your post with some formatting to make it easier to read.

Best regards and again, thank you for following the steps, giving your feedback and helping us to help others.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by myriad »

Doesn't work for me! When I run the command as Zimbra: "zmdhparam -new 2048" I get: "Unknown option: new" and I'm afraid to go further (I'm not running proxy).
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi,
Which version of Zimbra are you running, and which part of the wiki are you following?

You should install the proxy; it's much better to protect and improve Zimbra security.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
myriad
Advanced member
Posts: 90
Joined: Fri Sep 12, 2014 11:51 pm
ZCS/ZD Version: Zimbra 9.0.0_ZEXTRAS_20211118.FOSS

Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by myriad »

The version is in my sig. Actually, since I am running 8.7 I see Proxy is installed and running but I haven't configured it or anything yet. Would this be a good starting point for an existing server: https://wiki.zimbra.com/wiki/Enabling_Z ... _memcached?

Here is my existing config (although I haven't really configured anything):


zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraImapBindPort: 7143
zimbraImapCleartextLoginEnabled: TRUE
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraMailMode: redirect
zimbraMailPort: 80
zimbraMailProxyPort: 8080
zimbraMailReferMode: reverse-proxied
zimbraMailSSLPort: 443
zimbraMailSSLProxyPort: 8443
zimbraPop3BindPort: 7110
zimbraPop3CleartextLoginEnabled: TRUE
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyLookupTarget: TRUE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxySSLToUpstreamEnabled: TRUE

zimbraServiceEnabled: proxy
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: memcached
Last edited by myriad on Thu Feb 02, 2017 5:54 pm, edited 1 time in total.
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Let me try it and I will let you know.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
lovelord
Advanced member
Posts: 96
Joined: Sat Sep 13, 2014 12:23 am

Re: How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by lovelord »

Hi there,

Strange behaviour. On 3 different Zimbra OSE, 2 Community and 1 Network, following this guide

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

I got 2 different results:

- A+ on Network Edition
- B on OSE Community

Network edition is: Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 NETWORK edition, Patch 8.8.12_P1 proxy.

ZCS 1: Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.
ZCS 2: Release 8.8.12.GA.3794.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.12_P3.

ZCS 1 and ZCS 2 are Ubuntu 16.04 LTS upgraded from 12.04 LTS, but the Network one is a brand new install. These are the only differences.

SSL analysis says: This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

Any suggestions?
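An added example, not part of this post or of the wiki guide, for the "weak DH parameters, grade capped to B" result: it parses a PEM DH parameters file (the format zmdhparam and openssl dhparam write) with a minimal DER decoder and reports the modulus size, flagging anything under 2048 bits. The sample parameters are constructed only for the length check and are not real DH parameters; the 2048-bit minimum is an assumption matching the thread's zmdhparam -new 2048 step.

```python
import base64
import re

# Assumed minimum modulus size; parameters below this are what SSL Labs
# reports as "weak Diffie-Hellman (DH) key exchange parameters".
MIN_DH_BITS = 2048


def _der_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, next index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def _der_int(buf, i):
    """Decode a DER INTEGER starting at buf[i]; return (value, next index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag")
    ln, j = _der_len(buf, i + 1)
    return int.from_bytes(buf[j:j + ln], "big", signed=True), j + ln


def dh_params_bits(pem_text):
    """Return (prime_bits, generator) from a PEM 'DH PARAMETERS' block,
    which is PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p.bit_length(), g


def is_weak_dh(pem_text, min_bits=MIN_DH_BITS):
    """True when the modulus is shorter than min_bits (the B-grade condition)."""
    return dh_params_bits(pem_text)[0] < min_bits


def _pem_from_der(der):
    """Wrap DER bytes as a PEM DH PARAMETERS block (used to build the sample)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


# Constructed sample: p = 2**1023 + 1 (1024 bits, NOT a real prime, only for the
# length check), g = 2, hand-encoded as SEQUENCE(135) { INTEGER(129), INTEGER(1) }.
WEAK_1024_PEM = _pem_from_der(bytes.fromhex("308187028181" + "0080" + "00" * 126 + "01" + "020102"))

if __name__ == "__main__":
    bits, g = dh_params_bits(WEAK_1024_PEM)
    print(f"DH modulus: {bits} bits, generator {g}, weak: {is_weak_dh(WEAK_1024_PEM)}")
```

Feed dh_params_bits the contents of the dhparam file each proxy actually references in its nginx ssl_dhparam line to find which of the three servers still carries 1024-bit parameters.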