Postfix PCI Compliance in ZCS

From Zimbra :: Wiki

Jump to: navigation, search
Admin Article

Article Information

This article applies to the following ZCS versions.
  ZCS 6.0 Article  ZCS 6.0
  ZCS 7.0 Article  ZCS 7.0
  ZCS 8.0 Article  ZCS 8.0

Contents

Reconfigure the Postfix SSL/TLS settings

Configuring Postfix for PCI Compliance

Reference - http://www.postfix.org/TLS_README.html

For ZCS 8.5, as the zimbra user

zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.

For ZCS 8.0 and previous, as the zimbra user

zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.

Verified Against: ZCS 7.2.0 Date Created: 11/30/2013
Article ID: http://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS Date Modified: 11/8/2014
Personal tools