Cipher suites: Difference between revisions
mNo edit summary |
|||
| (30 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
= Using Zimbra with strong TLS configuration = | |||
Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. (further reading: https://www.internetsociety.org/deploy360/tls/basics) | |||
In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS. Configuration settings on this page are routinely validated by our QA team. | |||
<span id="_zimbra_openssl_fips_update"></span> | |||
= Zimbra OpenSSL FIPS update = | |||
If you installed or upgraded to Zimbra version 9.0.0.P34, 8.8.15.P41, 10.0.2 or higher, Zimbra will use OpenSSL 3.0.x and FIPS compliance for OpenSSL will be enabled by default. Using FIPS mode for OpenSSL is more secure as weak ciphers will not be available and many security issues do not affect OpenSSL FIPS. | |||
To find out if Zimbra OpenSSL is FIPS enabled, you can run the following command that should fail with ''Error setting digest'': | |||
<pre>/opt/zimbra/common/bin/openssl md5 /dev/null</pre> | |||
<span id="_generate_ssl_ciphers_for_use_with_zimbrareverseproxysslciphers"></span> | |||
= Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers = | |||
''This section is removed as it is no longer relevant when using OpenSSL FIPS.'' | |||
<span id="_note_on_supporting_old_clients"></span> | |||
= Note on supporting old clients = | |||
Zimbra highly recommends running Zimbra OpenSSL in FIPS mode. Steps to enforce OS level FIPS or disable FIPS can be found in: https://wiki.zimbra.com/wiki/FIPS you should then harden TLS based on out-of-date recommendations from https://wiki.zimbra.com/index.php?title=Cipher_suites&oldid=69590 | |||
<span id="_configuring_zimbra_proxy_nginx"></span> | |||
= Configuring Zimbra Proxy Nginx = | |||
Configure Zimbra to use the ciphers provided by OpenSSL FIPS, and enable ''only'' TLSv1.2 and TLSv1.3 like this: | |||
<pre>zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2 | |||
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3 | |||
zmprov -l mcf zimbraReverseProxySSLCiphers "" | |||
zmproxyctl restart</pre> | |||
<span id="_configuring_zimbra_mailbox"></span> | |||
= Configuring Zimbra Mailbox = | |||
Also configure Zimbra mailbox to allow the use of TLSv1.3. Open in a text editor <code>/opt/zimbra/conf/localconfig.xml</code> find the line <code>mailboxd_java_options</code> and set <code>TLSv1.2,TLSv1.3</code> in <code>https.protocols</code> and <code>jdk.tls.client.protocols</code>. Example result: | |||
< | <pre><key name="mailboxd_java_options"> | ||
<value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value> | |||
</ | </key></pre> | ||
Then restart mailbox, or reboot your server: | |||
<pre>zmmailboxdctl restart</pre> | |||
<span id="_configure_additional_http_headers"></span> | |||
== Configure additional HTTP headers == | |||
The following headers will: | |||
* Enable HTTP Strict Transport Security (HSTS) | |||
* Disable search indexing of your server by Google et al. | |||
<pre>zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains" | |||
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff" | |||
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex" | |||
zmprov mcf +zimbraResponseHeader "Referrer-Policy: no-referrer" | |||
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE | |||
zmmailboxdctl restart</pre> | |||
<span id="_dh_parameters"></span> | |||
= DH parameters = | |||
No longer self generated, use pre-defined DHE groups as recommended by [https://tools.ietf.org/html/rfc7919 IETF RFC 7919]. | |||
Note: the <code>zmdhparam</code> command will in most cases not work when used with OpenSSL FIPS. | |||
Further reading: | |||
* https://weakdh.org/ | |||
* https://github.com/internetstandards/dhe_groups | |||
<pre>wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem | |||
su - zimbra | |||
zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem</pre> | |||
Reboot the server. | |||
= | <span id="_configuring_zimbra_mta_postfix"></span> | ||
= Configuring Zimbra MTA Postfix = | |||
Postfix traffic is not routed through Zimbra proxy. Below commands show how to configure Zimbra MTA to use only strong TLS ciphers. In 2023 not all mail servers on the Internet support encryption. For maximum compatibility it is still recommended to use <code>Opportunistic TLS</code>. So that you can receive email via unencrypted transmissions. However you can set zimbraMtaTlsSecurityLevel to encrypt to force the use of TLS. This ''will'' result in mail delivery issues. | |||
To test the current state of the MTA run from the MTA: | |||
<pre>nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com | |||
nmap --script ssl-enum-ciphers -p 465 your-mta-server.example.com</pre> | |||
The last line of output with Zimbra default config: least strength: F | |||
<pre>openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1</pre> | |||
Configure Zimbra MTA Postfix using: | |||
$ | <pre>zmprov mcf zimbraMtaSmtpdTlsCiphers medium | ||
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers medium | |||
zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2' | |||
zmprov mcf zimbraMtaTlsSecurityLevel may | |||
postconf -e fast_flush_domains="" | |||
postconf -e smtpd_etrn_restrictions=reject | |||
postconf -e disable_vrfy_command=yes | |||
postconf -e tls_medium_cipherlist=$(/opt/zimbra/common/bin/openssl ciphers) | |||
postconf -e tls_preempt_cipherlist=no | |||
zmprov gs `zmhostname` zimbraMtaTlsAuthOnly | |||
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already (this is default) | |||
zmmtactl restart</pre> | |||
Run again to verify your set-up: | |||
<pre>nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com | |||
nmap --script ssl-enum-ciphers -p 465 your-mta-server.example.com</pre> | |||
The last line of output with Zimbra new config: least strength: A | |||
It seems TLS v1.3 is either not enabled or not tested via nmap, but you can verify that like so: | |||
<pre>openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_3 | |||
openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1</pre> | |||
Please note that you can best run nmap/openssl commands on your MTA server to avoid firewall and network blocking issues of port 25. | |||
<span id="_configuring_zimbra_ldap_openldap"></span> | |||
= Configuring Zimbra LDAP OpenLDAP = | |||
Zimbra stores passwords in LDAP and is not proxied via Zimbra proxy. To find your current TLS protocols and ciphers you can run nmap, but you will need a recent version of nmap. | |||
<pre>nmap --script ssl-enum-ciphers -p 389 your-ldap-server.example.com</pre> | |||
Check and see if TLSv1.0 and TLSv1.1 are enabled (default) and what the least strength cipher is for TLSv1.2 and above (default: A). | |||
To force the use of TLS >= v1.2 with strong Ciphers run the following: | |||
<pre>zmlocalconfig -e ldap_common_tlsprotocolmin="3.3" | |||
zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"</pre> | |||
In addition require TLS for LDAP (disable unencrypted LDAP) via: | |||
<pre>zmlocalconfig -e ldap_starttls_supported=1 | |||
zmlocalconfig -e zimbra_require_interprocess_security=1 | |||
zmlocalconfig -e ldap_starttls_required=true</pre> | |||
For this change it is recommended to restart Zimbra using <code>zmcontrol restart</code>. | |||
<span id="_configuring_pop3"></span> | |||
= Configuring POP3 = | |||
It is recommended you disable the use of POP3 via a host firewall, in case you want to use POP3 anyway, disable the unencrypted sending of username and password and force the use of encryption with the following command: | |||
<pre>zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE</pre> | |||
Verify that TLS is required for POP3 via Zimbra Proxy, the setting should be <code>only</code> which is default. | |||
<pre>zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode | |||
zimbraReverseProxyPop3StartTlsMode: only</pre> | |||
With the above setting the Zimbra POP3 implementation requires the client to issue the STLS command. This command will switch from cleartext to encrypted communications. | |||
If the STLS command is not issued, any command the client sends such as AUTH or USER to Zimbra will result in an error and the client will not try authentication. This means the password is not send without encryption. In addition email contents and attachments are also transmitted using encrypted communication. | |||
<span id="_false_positives_in_openvas_and_warnings_in_email_clients_such_as_thunderbird"></span> | |||
== False positives in OpenVAS and warnings in email clients such as Thunderbird == | |||
Email clients and vulnerability scanner can send some commands in plain text to Zimbra, such as CAPA (to list capabilities) and Zimbra will respond to these without encryption. This will make vulnerability scanners such as OpenVAS believe POP3 is enabled for unencrypted connections. This is however not the case. The false positive will look like this: | |||
<code>The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.</code> | |||
For the same reason you can add your Zimbra account with POP3 to Thunderbird (and other clients) and select <code>Connection security: none</code> this will trigger a warning, saying your credentials will be transmitted without encryption. In reality the communication between the client and Zimbra will halt because of errors before authentication unless TLS is used. | |||
This has been verified by using Wireshark. | |||
<span id="_configuring_imap"></span> | |||
= Configuring IMAP = | |||
It is recommended you disable the use of IMAP via a host firewall, in case you want to use IMAP anyway, very that you have the following settings, that are the default and disable the unencrypted sending of username and password and force the use of encryption with the following command: | |||
<pre>zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled | |||
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already</pre> | |||
Verify that TLS is required for IMAP via Zimbra Proxy, the setting should be <code>only</code> which is default. | |||
<pre>zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode | |||
zimbraReverseProxyImapStartTlsMode: only</pre> | |||
<span id="_troubleshooting_mail_clients"></span> | |||
= Troubleshooting mail clients = | |||
This guide verified against Thunderbird. If you have trouble connecting email clients to Zimbra after following the steps in this guide, please see: https://wiki.zimbra.com/wiki/Accessing_Zimbra_Collaboration_Server_with_Thunderbird | |||
<span id="_configuring_admin_ui"></span> | |||
= Configuring Admin UI = | |||
It is not recommended to expose the Admin UI to the Internet. Instead administrators should access Admin UI via a VPN. In any case you will need to make sure to proxy the Admin UI via Zimbra Proxy to make sure it uses the best TLS configuration. This means you should access Admin UI via the proxied port 9071, and deny access to port 7071 via a firewall. To enable this you should run as user Zimbra: | |||
<pre>/opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname` | |||
zmproxyctl restart</pre> | |||
<span id="_validate_your_settings_online_using_ssl_labs"></span> | |||
= Validate your settings online using SSL Labs = | |||
Go to https://www.ssllabs.com/ssltest/analyze.html and enter the the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report take a look at the client devices listed under <code>Handshake Simulation</code> these will give you an idea of the devices your users can use to connect to your Zimbra server. Also validate there are no weak ciphers listed under <code>Cipher Suites</code>. | |||
<span id="_further_reading"></span> | |||
= Further reading = | |||
* https://wiki.zimbra.com/wiki/SecureConfiguration | |||
* https://wiki.zimbra.com/wiki/Postconf_keys | |||
Latest revision as of 11:49, 16 August 2023
Using Zimbra with strong TLS configuration
Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. (further reading: https://www.internetsociety.org/deploy360/tls/basics)
In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS. Configuration settings on this page are routinely validated by our QA team.
Zimbra OpenSSL FIPS update
If you installed or upgraded to Zimbra version 9.0.0.P34, 8.8.15.P41, 10.0.2 or higher, Zimbra will use OpenSSL 3.0.x and FIPS compliance for OpenSSL will be enabled by default. Using FIPS mode for OpenSSL is more secure as weak ciphers will not be available and many security issues do not affect OpenSSL FIPS.
To find out if Zimbra OpenSSL is FIPS enabled, you can run the following command that should fail with Error setting digest:
/opt/zimbra/common/bin/openssl md5 /dev/null
Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers
This section is removed as it is no longer relevant when using OpenSSL FIPS.
Note on supporting old clients
Zimbra highly recommends running Zimbra OpenSSL in FIPS mode. Steps to enforce OS level FIPS or disable FIPS can be found in: https://wiki.zimbra.com/wiki/FIPS you should then harden TLS based on out-of-date recommendations from https://wiki.zimbra.com/index.php?title=Cipher_suites&oldid=69590
Configuring Zimbra Proxy Nginx
Configure Zimbra to use the ciphers provided by OpenSSL FIPS, and enable only TLSv1.2 and TLSv1.3 like this:
zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2 zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3 zmprov -l mcf zimbraReverseProxySSLCiphers "" zmproxyctl restart
Configuring Zimbra Mailbox
Also configure Zimbra mailbox to allow the use of TLSv1.3. Open in a text editor /opt/zimbra/conf/localconfig.xml find the line mailboxd_java_options and set TLSv1.2,TLSv1.3 in https.protocols and jdk.tls.client.protocols. Example result:
<key name="mailboxd_java_options">
<value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>
Then restart mailbox, or reboot your server:
zmmailboxdctl restart
Configure additional HTTP headers
The following headers will:
- Enable HTTP Strict Transport Security (HSTS)
- Disable search indexing of your server by Google et al.
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains" zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff" zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex" zmprov mcf +zimbraResponseHeader "Referrer-Policy: no-referrer" zmprov mcf zimbraMailKeepOutWebCrawlers TRUE zmmailboxdctl restart
DH parameters
No longer self generated, use pre-defined DHE groups as recommended by IETF RFC 7919.
Note: the zmdhparam command will in most cases not work when used with OpenSSL FIPS.
Further reading:
wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem su - zimbra zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem
Reboot the server.
Configuring Zimbra MTA Postfix
Postfix traffic is not routed through Zimbra proxy. Below commands show how to configure Zimbra MTA to use only strong TLS ciphers. In 2023 not all mail servers on the Internet support encryption. For maximum compatibility it is still recommended to use Opportunistic TLS. So that you can receive email via unencrypted transmissions. However you can set zimbraMtaTlsSecurityLevel to encrypt to force the use of TLS. This will result in mail delivery issues.
To test the current state of the MTA run from the MTA:
nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com nmap --script ssl-enum-ciphers -p 465 your-mta-server.example.com
The last line of output with Zimbra default config: least strength: F
openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1
Configure Zimbra MTA Postfix using:
zmprov mcf zimbraMtaSmtpdTlsCiphers medium zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers medium zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2' zmprov mcf zimbraMtaTlsSecurityLevel may postconf -e fast_flush_domains="" postconf -e smtpd_etrn_restrictions=reject postconf -e disable_vrfy_command=yes postconf -e tls_medium_cipherlist=$(/opt/zimbra/common/bin/openssl ciphers) postconf -e tls_preempt_cipherlist=no zmprov gs `zmhostname` zimbraMtaTlsAuthOnly zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already (this is default) zmmtactl restart
Run again to verify your set-up:
nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com nmap --script ssl-enum-ciphers -p 465 your-mta-server.example.com
The last line of output with Zimbra new config: least strength: A
It seems TLS v1.3 is either not enabled or not tested via nmap, but you can verify that like so:
openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_3 openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1
Please note that you can best run nmap/openssl commands on your MTA server to avoid firewall and network blocking issues of port 25.
Configuring Zimbra LDAP OpenLDAP
Zimbra stores passwords in LDAP and is not proxied via Zimbra proxy. To find your current TLS protocols and ciphers you can run nmap, but you will need a recent version of nmap.
nmap --script ssl-enum-ciphers -p 389 your-ldap-server.example.com
Check and see if TLSv1.0 and TLSv1.1 are enabled (default) and what the least strength cipher is for TLSv1.2 and above (default: A).
To force the use of TLS >= v1.2 with strong Ciphers run the following:
zmlocalconfig -e ldap_common_tlsprotocolmin="3.3" zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"
In addition require TLS for LDAP (disable unencrypted LDAP) via:
zmlocalconfig -e ldap_starttls_supported=1 zmlocalconfig -e zimbra_require_interprocess_security=1 zmlocalconfig -e ldap_starttls_required=true
For this change it is recommended to restart Zimbra using zmcontrol restart.
Configuring POP3
It is recommended you disable the use of POP3 via a host firewall, in case you want to use POP3 anyway, disable the unencrypted sending of username and password and force the use of encryption with the following command:
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
Verify that TLS is required for POP3 via Zimbra Proxy, the setting should be only which is default.
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode zimbraReverseProxyPop3StartTlsMode: only
With the above setting the Zimbra POP3 implementation requires the client to issue the STLS command. This command will switch from cleartext to encrypted communications.
If the STLS command is not issued, any command the client sends such as AUTH or USER to Zimbra will result in an error and the client will not try authentication. This means the password is not send without encryption. In addition email contents and attachments are also transmitted using encrypted communication.
False positives in OpenVAS and warnings in email clients such as Thunderbird
Email clients and vulnerability scanner can send some commands in plain text to Zimbra, such as CAPA (to list capabilities) and Zimbra will respond to these without encryption. This will make vulnerability scanners such as OpenVAS believe POP3 is enabled for unencrypted connections. This is however not the case. The false positive will look like this:
The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.
For the same reason you can add your Zimbra account with POP3 to Thunderbird (and other clients) and select Connection security: none this will trigger a warning, saying your credentials will be transmitted without encryption. In reality the communication between the client and Zimbra will halt because of errors before authentication unless TLS is used.
This has been verified by using Wireshark.
Configuring IMAP
It is recommended you disable the use of IMAP via a host firewall, in case you want to use IMAP anyway, very that you have the following settings, that are the default and disable the unencrypted sending of username and password and force the use of encryption with the following command:
zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already
Verify that TLS is required for IMAP via Zimbra Proxy, the setting should be only which is default.
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode zimbraReverseProxyImapStartTlsMode: only
Troubleshooting mail clients
This guide verified against Thunderbird. If you have trouble connecting email clients to Zimbra after following the steps in this guide, please see: https://wiki.zimbra.com/wiki/Accessing_Zimbra_Collaboration_Server_with_Thunderbird
Configuring Admin UI
It is not recommended to expose the Admin UI to the Internet. Instead administrators should access Admin UI via a VPN. In any case you will need to make sure to proxy the Admin UI via Zimbra Proxy to make sure it uses the best TLS configuration. This means you should access Admin UI via the proxied port 9071, and deny access to port 7071 via a firewall. To enable this you should run as user Zimbra:
/opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname` zmproxyctl restart
Validate your settings online using SSL Labs
Go to https://www.ssllabs.com/ssltest/analyze.html and enter the the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report take a look at the client devices listed under Handshake Simulation these will give you an idea of the devices your users can use to connect to your Zimbra server. Also validate there are no weak ciphers listed under Cipher Suites.
