Zimbra 8.7.11 SSL/TLS Cipher Suites
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Zimbra 8.7.11 SSL/TLS Cipher Suites
Hi all,
Been struggling with this for a while, hope somebody can help. I'm on a fully updated CentOS 7 box and fully updated Zimbra. Now from another machine I've run OpenVAS to check the security and I was able to fix some stuff. Unfortunately I can't fix some Zimbra-related things:
SSL/TLS: Report 'Anonymous' Cipher on port 465/tcp
SSL/TLS: Report Weak Cipher Suites on port 465/tcp
SSL/TLS: Report Weak Cipher Suites on port 587/tcp
I also had these errors on my https 443 port but was able to fix them with a '$ zmprov mcf zimbraReverseProxySSLCiphers' command. It seems that these 465 and 587 ports don't use the Reverse proxy since the same command doesn't fix it for these ports.
I've also tried '$ zmprov mcf +zimbraSSLExcludeCipherSuites <cipher>' but that doesn't do anything either.
To cut a long story short: where can I disable weak(er) ciphers for ports 465 and 587?
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Anyone?
More info needed?
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Ports 465 and 587 are handled by Postfix and do not go through the Proxy. Those ports are used to allow end-user email clients like Outlook to be able to send email through Zimbra after authenticating.
I believe, but am less than 100% sure, that the config you are seeking to modify is smtp_tls_mandatory_ciphers:
```
zimbra@smtp2:~$ zmprov desc -a zimbraMtaSmtpTlsMandatoryCiphers
zimbraMtaSmtpTlsMandatoryCiphers
Value for postconf smtp_tls_mandatory_ciphers
type : enum
value : export,low,medium,high,null
callback :
immutable : false
cardinality : single
requiredIn :
optionalIn : server,globalConfig
flags : serverInherited
defaults : medium
min :
max :
id : 1514
requiresRestart :
since : 8.5.0
deprecatedSince :
zimbra@smtp2:~$
```
You could test in a lab by changing the value from the current (likely) "medium" to "high", then restart Zimbra and see what happens. If you are using Network Edition you are entitled to open a Support Case for something like this.
Note that if you do successfully change the value to "high" and pass your tests, older clients which do not support more secure cipher suites will be unable to route email through your server as they now may be doing.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Hi Mark,
Many thanks for your feedback and apologies for my late response, I've been away for a couple of days. I'll test this ASAP.
Regards,
iodisciple
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Today I set up a test environment. Unfortunately, I think it goes wrong at step 1... Could you please give me the commands to set zimbraMtaSmtpTlsMandatoryCiphers to high? I've tried several, but it seems it doesn't stick.
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
iodisciple wrote: Today I set up a test environment. Unfortunately, I think it goes wrong at step 1... Could you please give me the commands to set zimbraMtaSmtpTlsMandatoryCiphers to high? I've tried several, but it seems it doesn't stick.
The description says it's both a global and a server-level variable, so first find out if it's set at the server level:
```
zmprov gs `zmhostname` zimbraMtaSmtpTlsMandatoryCiphers
```
```
zmprov mcf zimbraMtaSmtpTlsMandatoryCiphers high
```
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Awesome Mark, this shows me that I did indeed use the proper command before.
But unfortunately OpenVAS still reports the exact same problems.
```
$ zmprov gs `zmhostname` zimbraMtaSmtpTlsMandatoryCiphers
# name myserver.mydomain.com
zimbraMtaSmtpTlsMandatoryCiphers: high
```
Do you maybe have more suggestions? Below are the errors in more detail.
SSL/TLS: Report 'Anonymous' Cipher Suites on port 465
```
'Anonymous' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
'Anonymous' cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
'Anonymous' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_SEED_CBC_SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
```
SSL/TLS: Report Weak Cipher Suites on port 587
```
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
```
SSL/TLS: Report Weak Cipher Suites on port 465
```
'Weak' cipher suites accepted by this service via the TLSv1.0 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
'Weak' cipher suites accepted by this service via the TLSv1.1 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
'Weak' cipher suites accepted by this service via the TLSv1.2 protocol:
TLS_DH_anon_WITH_RC4_128_MD5
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDH_anon_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
```
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Did you restart Postfix?
```
zmmtactl restart
```
All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
- iodisciple
- Posts: 20
- Joined: Mon Oct 09, 2017 2:38 pm
- Location: Rotterdam
- ZCS/ZD Version: Zimbra 8.7.11_GA_1854
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
Yes, the whole server has been rebooted since.
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
- Contact:
Re: Zimbra 8.7.11 SSL/TLS Cipher Suites
iodisciple wrote: Yes, the whole server has been rebooted since.
I'd say it's time to open a ticket with Zimbra Support then.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate