Security/Collab/88
Security Settings for Zimbra Collaboration 8.8 series
Important: Upgrading from Older ZCS Versions
Defaults may change from one version of ZCS to the next. However, an upgrade may not move some settings to the new recommended default, possibly because the settings had been customized, because of installer limitations or bugs, or because of concerns that changes may impact existing users or clients. It is therefore highly recommended that you revisit settings after upgrading to ensure that values are set as expected in your environment and that security settings meet your requirements.
Depending upon the version you are upgrading from, you should (re)visit the security-related recommendations and changes noted in earlier versions of this document (Security/Collab, Security/Collab/86, Security/Collab/87).
Neutralizing Mailsploit
As mentioned in the Security Center, to avoid Mailsploit it is recommended that all sites that are upgrading manually set zimbraPrefShortEmailAddress to FALSE. This is the default for new 8.8.7 installs.
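A post-upgrade check for the setting above, as an added example (not part of the original page or Zimbra's own tooling): it lists each class of service (COS) whose zimbraPrefShortEmailAddress is not FALSE and can reset it. It assumes it is run as the zimbra user with zmprov on the PATH and that the value is managed at the COS level; the function names and the ZMPROV override variable are hypothetical.

```shell
#!/bin/sh
# Added example: audit zimbraPrefShortEmailAddress on every class of service (COS).
# Assumption: run as the zimbra user. ZMPROV is a hypothetical override so the
# functions can be pointed at a stub for testing.
ZMPROV="${ZMPROV:-zmprov}"
ATTR="zimbraPrefShortEmailAddress"

# Print the value of $ATTR for one COS, or UNSET when zmprov returns no value.
cos_value() {
    "$ZMPROV" gc "$1" "$ATTR" 2>/dev/null </dev/null |
        awk -v a="$ATTR:" '$1 == a { print $2; f = 1 } END { if (!f) print "UNSET" }'
}

# Print "cos value" for every COS whose value is not FALSE.
# Returns 1 when at least one COS needs attention, 0 otherwise.
audit_cos() {
    ac_bad=0
    while IFS= read -r ac_cos; do
        [ -n "$ac_cos" ] || continue
        ac_val=$(cos_value "$ac_cos")
        if [ "$ac_val" != "FALSE" ]; then
            printf '%s %s\n' "$ac_cos" "$ac_val"
            ac_bad=1
        fi
    done <<EOF
$("$ZMPROV" gac)
EOF
    return "$ac_bad"
}

# Set $ATTR to FALSE on each COS that audit_cos reported.
fix_cos() {
    fc_todo=$(audit_cos) || true
    [ -n "$fc_todo" ] || return 0
    while read -r fc_cos fc_rest; do
        "$ZMPROV" mc "$fc_cos" "$ATTR" FALSE </dev/null
    done <<EOF
$fc_todo
EOF
}
```

Source the file and call audit_cos first, then fix_cos once the reported list looks right. Values set directly on an individual account override the COS and are not covered by this check.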
Recommended HTTP Headers
It is recommended to set most, if not all, of the following HTTP headers for most ZCS deployments. Take a little time to determine what makes the most sense in your deployment.
Ref: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
See: https://wiki.zimbra.com/wiki/Secopstips