Ajcody-Ciphers-Outlook-Troubleshooting: Difference between revisions
Revision as of 19:51, 15 January 2015
Bug:
* "Mac Outlook 2011 requires 3DES or RC4 ciphers"
** https://bugzilla.zimbra.com/show_bug.cgi?id=97232

References:
* https://www.openssl.org/docs/apps/ciphers.html
** explains what HIGH and the other keywords used in zimbraReverseProxySSLCiphers mean
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#zmtlsctl
** http only mode?
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#Using_Existing_Servers_2
** proxy isn't enabled for http/mail?
* Notes from various tests I did, saved for my reference.
** https://wiki.zimbra.com/wiki/Ajcody-Ciphers-Outlook

First, you might want to get cipherscan. It's available at https://github.com/jvehent/cipherscan . Run it against your server's name, for example:

 ./cipherscan ldap2.zimbra.DOMAIN.com

It will default to port 443. You can also check it against port 8443 [which could be the port set on your mailstores if you set up the proxy on them as well, which I have done in this example] by doing:

 ./cipherscan ldap2.zimbra.DOMAIN.com:8443

You could also use the following to compare before/after results:
* https://www.ssllabs.com/ssltest/

Second, the assumption is that you're running with the ZCS proxy service enabled for the various access methods you're attempting with Outlook 2011 [http{mail}, pop, imap] and that SSL is enabled for each of them.

Let's confirm that the account you'll test with is enabled for EWS:

 [zimbra@ldap2 log]$ zmprov ga user1@ldap2.zimbra.DOMAIN.com zimbraFeatureEwsEnabled
 [zimbra@ldap2 log]$ zmlicense -p | grep -i ews

Let's also record what your current zimbraReverseProxySSLCiphers is set to before you change it:

 [zimbra@ldap2 log]$ zmprov gcf zimbraReverseProxySSLCiphers

Make sure the following isn't excluded:

 [zimbra@ldap2 log]$ zmprov gcf zimbraReverseProxySSLCiphers | grep TLS_RSA_WITH_3DES_EDE_CBC_SHA
 [zimbra@ldap2 log]$

Depending on what you have set, you'll need to adjust it to deal with the 3DES option.
If you manually set zimbraReverseProxySSLCiphers at some point in your ZCS server's history, our upgrade process will not change it. Below I include what is also the default for 8.6 and how to modify it for 3DES. The first example is what you might see if you upgraded from ZCS 7 and/or manually set it at some point to the default as it was in ZCS 7. If you want to see/confirm the default value for ZCS 8.6, you can do the following.

!!! Please Note !!! You can't paste the variable string into your CLI if it has ! in it and you haven't manually put a \ in front of each ! . For 8.6, the default will have !3DES ; we'll want that to be 3DES , as shown in example 2.

 [zimbra@ldap2 log]$ zmprov desc -a zimbraReverseProxySSLCiphers

[example 1]

 [zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:3DES:HIGH:
 [zimbra@ldap2 log]$ zmproxyctl restart

[Note, I added additional \ to the command below so your cut/paste should be easier and so it wouldn't be one continuous line on the wiki page.]

[example 2]

 [zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:\
 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:\
 DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:\
 ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
 ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:\
 DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:\
 DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:\
 AES128:AES256:RC4-SHA:HIGH:3DES:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!MD5:\!PSK
 [zimbra@ldap2 log]$ zmproxyctl restart

Once you've restarted the proxy services, you'll want to close down your Outlook session if you haven't already and relaunch it.
With my testing, I didn't have to reconfigure the account in Outlook that I had set up and that was initially failing because of the cipher issue, but I did have to relaunch Outlook before it would sync after I made the server changes and restarted the proxy services.

Log files to check are:

 on proxies: /opt/zimbra/log/nginx.log
 on mailstores: /opt/zimbra/log/ews.log /opt/zimbra/log/access.log

!!! NOTE - If You Aren't Running The ZCS Proxy Or Will Have Outlook Connect Directly To The Mailstore/Jetty !!!

Then you'll need to modify the mailstores like this:

 [zimbra@ldap2 log]$ zmprov mcf -zimbraMailboxdSSLProtocols SSLv2Hello
 [zimbra@ldap2 log]$ zmmailboxdctl restart
 Stopping mailboxd...done.
 Starting mailboxd...done.

Outlook should now be able to connect directly to the mailstores. In my example here, using a single ZCS server with the proxy and mailstore services running on it, I'm now able to connect with Outlook using either port 443 [my proxy] or port 8443 [my mailstore/jetty]. Please note, in Outlook you'll need to leave the Use SSL box checked and then check the override if you want to test on ports other than 443.

If things still fail, you'll also want to provide the information below along with all the data/tests from above. Note, I'm including the output from my test box for these commands. My test box was a single 8.6 ZCS server [clean install, no prior ZCS versions upgraded from] with all services enabled.
[This command just needs to be shared once with us since it's your global variables]

 [zimbra@ldap2 log]$ zmprov gacf | egrep -i 'mailsslp|proxy|ciphers' | egrep -i 'ssl|cipher|enabled:|port:|mode'
 zimbraAdminProxyPort: 9071
 zimbraImapProxyBindPort: 143
 zimbraImapSSLProxyBindPort: 993
 zimbraMailProxyPort: 0
 zimbraMailSSLPort: 0
 zimbraMailSSLProxyClientCertPort: 3443
 zimbraMailSSLProxyPort: 0
 zimbraMtaLmtpTlsCiphers: export
 zimbraMtaLmtpTlsMandatoryCiphers: medium
 zimbraMtaSmtpTlsCiphers: export
 zimbraMtaSmtpTlsMandatoryCiphers: medium
 zimbraMtaSmtpdTlsCiphers: export
 zimbraMtaSmtpdTlsMandatoryCiphers: medium
 zimbraPop3ProxyBindPort: 110
 zimbraPop3SSLProxyBindPort: 995
 zimbraReverseProxyAdminEnabled: FALSE
 zimbraReverseProxyClientCertMode: off
 zimbraReverseProxyDnsLookupInServerEnabled: TRUE
 zimbraReverseProxyHttpEnabled: FALSE
 zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
 zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
 zimbraReverseProxyImapSaslGssapiEnabled: FALSE
 zimbraReverseProxyImapSaslPlainEnabled: TRUE
 zimbraReverseProxyImapStartTlsMode: only
 zimbraReverseProxyMailEnabled: TRUE
 zimbraReverseProxyMailImapEnabled: TRUE
 zimbraReverseProxyMailImapsEnabled: TRUE
 zimbraReverseProxyMailPop3Enabled: TRUE
 zimbraReverseProxyMailPop3sEnabled: TRUE
 zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
 zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
 zimbraReverseProxyPop3SaslPlainEnabled: TRUE
 zimbraReverseProxyPop3StartTlsMode: only
 zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:3DES:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK
 zimbraReverseProxySSLECDHCurve: prime256v1
 zimbraReverseProxySSLProtocols: TLSv1
 zimbraReverseProxySSLProtocols: TLSv1.1
 zimbraReverseProxySSLProtocols: TLSv1.2
 zimbraReverseProxySSLToUpstreamEnabled: TRUE
 zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
 zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
 zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[This command should be run on each of your proxy and mailstore servers]

 [zimbra@ldap2 log]$ zmprov gs `zmhostname` | egrep -i 'mailssl|proxy' | egrep -i 'ssl|cipher|enabled:|port:|mode' | sort
 zimbraAdminProxyPort: 9071
 zimbraImapProxyBindPort: 143
 zimbraImapSSLProxyBindPort: 993
 zimbraMailProxyPort: 80
 zimbraMailSSLClientCertMode: Disabled
 zimbraMailSSLClientCertOCSPEnabled: TRUE
 zimbraMailSSLClientCertPort: 9443
 zimbraMailSSLPort: 8443
 zimbraMailSSLProxyClientCertPort: 3443
 zimbraMailSSLProxyPort: 443
 zimbraPop3ProxyBindPort: 110
 zimbraPop3SSLProxyBindPort: 995
 zimbraReverseProxyAdminEnabled: FALSE
 zimbraReverseProxyClientCertMode: off
 zimbraReverseProxyDnsLookupInServerEnabled: TRUE
 zimbraReverseProxyHttpEnabled: TRUE
 zimbraReverseProxyImapSaslGssapiEnabled: FALSE
 zimbraReverseProxyImapSaslPlainEnabled: TRUE
 zimbraReverseProxyImapStartTlsMode: only
 zimbraReverseProxyMailEnabled: TRUE
 zimbraReverseProxyMailImapEnabled: TRUE
 zimbraReverseProxyMailImapsEnabled: TRUE
 zimbraReverseProxyMailMode: https
 zimbraReverseProxyMailPop3Enabled: TRUE
 zimbraReverseProxyMailPop3sEnabled: TRUE
 zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
 zimbraReverseProxyPop3SaslPlainEnabled: TRUE
 zimbraReverseProxyPop3StartTlsMode: only
 zimbraReverseProxySSLProtocols: TLSv1
 zimbraReverseProxySSLProtocols: TLSv1.1
 zimbraReverseProxySSLProtocols: TLSv1.2
 zimbraReverseProxySSLToUpstreamEnabled: TRUE
 zimbraServiceEnabled: proxy
Also, here are the results of my cipherscan after I made the changes. I tested both the default port reached through my proxy [443] and the 'mailstore/jetty' port [8443], which is a separate listener here because I have the mailstore and proxy services running on the same box.
 [root@ldap2 etc]# cd /tmp/cipherscan/cipherscan-master/
 [root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
 ............................
 Target: ldap2.zimbra.DOMAIN.com:443

 prio  ciphersuite                   protocols                 pfs_keysize
 1     ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2                   ECDH,P-256,256bits
 2     ECDHE-RSA-AES256-GCM-SHA384   TLSv1.2                   ECDH,P-256,256bits
 3     DHE-RSA-AES128-GCM-SHA256     TLSv1.2                   DH,1024bits
 4     DHE-RSA-AES256-GCM-SHA384     TLSv1.2                   DH,1024bits
 5     ECDHE-RSA-AES128-SHA256       TLSv1.2                   ECDH,P-256,256bits
 6     ECDHE-RSA-AES128-SHA          TLSv1,TLSv1.1,TLSv1.2     ECDH,P-256,256bits
 7     ECDHE-RSA-AES256-SHA384       TLSv1.2                   ECDH,P-256,256bits
 8     ECDHE-RSA-AES256-SHA          TLSv1,TLSv1.1,TLSv1.2     ECDH,P-256,256bits
 9     DHE-RSA-AES128-SHA256         TLSv1.2                   DH,1024bits
 10    DHE-RSA-AES128-SHA            TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 11    DHE-RSA-AES256-SHA256         TLSv1.2                   DH,1024bits
 12    DHE-RSA-AES256-SHA            TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 13    AES128-GCM-SHA256             TLSv1.2
 14    AES256-GCM-SHA384             TLSv1.2
 15    ECDHE-RSA-RC4-SHA             TLSv1,TLSv1.1,TLSv1.2     ECDH,P-256,256bits
 16    AES128-SHA256                 TLSv1.2
 17    AES128-SHA                    TLSv1,TLSv1.1,TLSv1.2
 18    AES256-SHA256                 TLSv1.2
 19    AES256-SHA                    TLSv1,TLSv1.1,TLSv1.2
 20    RC4-SHA                       TLSv1,TLSv1.1,TLSv1.2
 21    DHE-RSA-CAMELLIA256-SHA       TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 22    CAMELLIA256-SHA               TLSv1,TLSv1.1,TLSv1.2
 23    DHE-RSA-CAMELLIA128-SHA       TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 24    CAMELLIA128-SHA               TLSv1,TLSv1.1,TLSv1.2
 25    ECDHE-RSA-DES-CBC3-SHA        TLSv1,TLSv1.1,TLSv1.2     ECDH,P-256,256bits
 26    EDH-RSA-DES-CBC3-SHA          TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 27    DES-CBC3-SHA                  TLSv1,TLSv1.1,TLSv1.2

 Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
 TLS ticket lifetime hint: 300
 OCSP stapling: not supported
 Server side cipher ordering

 [root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com:8443
 ................
 Target: ldap2.zimbra.DOMAIN.com:8443

 prio  ciphersuite                   protocols                 pfs_keysize
 1     ECDHE-RSA-AES128-GCM-SHA256   TLSv1.2                   ECDH,B-571,570bits
 2     ECDHE-RSA-AES128-SHA256       TLSv1.2                   ECDH,B-571,570bits
 3     ECDHE-RSA-AES128-SHA          TLSv1,TLSv1.1,TLSv1.2     ECDH,B-571,570bits
 4     DHE-RSA-AES128-GCM-SHA256     TLSv1.2                   DH,1024bits
 5     DHE-RSA-AES128-SHA256         TLSv1.2                   DH,1024bits
 6     DHE-RSA-AES128-SHA            TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 7     AES128-GCM-SHA256             TLSv1.2
 8     AES128-SHA256                 TLSv1.2
 9     AES128-SHA                    TLSv1,TLSv1.1,TLSv1.2
 10    ECDHE-RSA-RC4-SHA             TLSv1,TLSv1.1,TLSv1.2     ECDH,B-571,570bits
 11    RC4-SHA                       TLSv1,TLSv1.1,TLSv1.2
 12    RC4-MD5                       TLSv1,TLSv1.1,TLSv1.2
 13    ECDHE-RSA-DES-CBC3-SHA        TLSv1,TLSv1.1,TLSv1.2     ECDH,B-571,570bits
 14    EDH-RSA-DES-CBC3-SHA          TLSv1,TLSv1.1,TLSv1.2     DH,1024bits
 15    DES-CBC3-SHA                  TLSv1,TLSv1.1,TLSv1.2

 Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
 TLS ticket lifetime hint: None
 OCSP stapling: not supported
 Client side cipher ordering
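The following is an added helper, not part of this wiki page or of Zimbra, that mechanises the two checks above: rewriting a zimbraReverseProxySSLCiphers string so `!3DES` becomes `3DES` (with each `!` escaped for pasting into bash) and confirming from cipherscan-style output which 3DES suites the proxy offers afterwards. The cipher string and scan lines embedded in it are constructed, abridged samples in the formats shown on this page.

```python
# Added example, not part of the wiki page or of Zimbra: helpers for the
# zimbraReverseProxySSLCiphers change above. Cipher-string syntax follows ciphers(1).
import re

# Constructed, abridged stand-in for the ZCS 8.6 default shown by `zmprov desc -a`.
DEFAULT_86 = ("ECDHE-RSA-AES128-GCM-SHA256:AES128:AES256:RC4-SHA:HIGH:"
              "!3DES:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK")

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (modifier, name) pairs.
    Modifier is '!' (kill: cannot be re-enabled later), '-', '+' or ''."""
    pairs = []
    for tok in filter(None, spec.split(":")):   # drop empty tokens (trailing ':')
        mod, name = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        pairs.append((mod, name))
    return pairs

def is_killed(spec, name):
    """True when `name` is '!'-excluded, so nothing else in the string can enable it."""
    return ("!", name) in parse_cipher_string(spec)

def enable_3des(spec):
    """Turn '!3DES' into '3DES' in place (the example-2 edit). If 3DES is absent,
    insert it before the first '!' entry so the kill list stays at the end."""
    pairs = parse_cipher_string(spec)
    if ("!", "3DES") in pairs:
        pairs = [("", n) if (m, n) == ("!", "3DES") else (m, n) for m, n in pairs]
    elif ("", "3DES") not in pairs:
        idx = next((i for i, (m, _) in enumerate(pairs) if m == "!"), len(pairs))
        pairs.insert(idx, ("", "3DES"))
    return ":".join(m + n for m, n in pairs)

def zmprov_command(spec):
    """Build the zmprov mcf line with every '!' backslash-escaped, so the string
    survives being pasted into an interactive bash shell (history expansion)."""
    return "zmprov mcf zimbraReverseProxySSLCiphers " + spec.replace("!", r"\!")

# Constructed lines in cipherscan's format: prio ciphersuite protocols pfs_keysize.
SCAN_443 = """\
 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
15 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
25 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
27 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
"""

def offered_3des_suites(scan_output):
    """Return the 3DES suites (OpenSSL names contain DES-CBC3) that a cipherscan run
    reports, i.e. what Outlook 2011 will be able to negotiate after the restart."""
    names = re.findall(r"^\s*\d+\s+(\S+)\s+", scan_output, re.M)
    return [n for n in names if "DES-CBC3" in n]
```

Run `enable_3des` over the string returned by `zmprov gcf zimbraReverseProxySSLCiphers`, feed the result to `zmprov_command`, and after `zmproxyctl restart` pipe the cipherscan output into `offered_3des_suites`; an empty list means the proxy still rejects what Outlook 2011 needs.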