Postfix PCI Compliance in ZCS

From Zimbra :: Wiki

Jump to: navigation, search
   Article-alert.png  - This article is a Work in Progress, and may be unfinished or missing sections.

Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 6.0 Article  ZCS 6.0
  ZCS 7.0 Article  ZCS 7.0
  ZCS 8.0 Article  ZCS 8.0


Reconfigure the Postfix SSL/TLS settings

Configuring Postfix for PCI Compliance

Reference -

For ZCS 8.5, as the zimbra user

zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.

For ZCS 8.0 and previous, as the zimbra user

zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.

Verified Against: ZCS 7.2.0 Date Created: 11/30/2013
Article ID: Date Modified: 04/1/2015
Personal tools