Difference between revisions of "Cipher suites"

(Nginx Proxy Ciphers)
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{ZC}}{{WIP}}{{Article Infobox|{{admin}}||{{ZCS 8.0}} {{ZCS 7.0}} {{ZCS 6.0}} {{ZCS 5.0}}|}}
+
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
= Cipher suites =
 +
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
 +
{{WIP}}
  
= Introduction =
+
= Enable Strong Ciphers =
By default, the Zimbra mailbox server, ''zmmailboxd'', supports both strong and weak SSL/TLS cipher suites for '''IMAPS''', '''POP3S''', and '''HTTPS'''. A typical security requirement is to disable weak ciphers which usually includes SSL versions prior to SSLv3 and any cipher not supporting at least 128 bit.
+
Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. (further reading: https://www.internetsociety.org/deploy360/tls/basics)
 +
 
 +
In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS.
 +
 
 +
= Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers =
 +
 
 +
Since encryption is always evolving it is recommended to use Mozilla SSL Config generator that you can find at https://ssl-config.mozilla.org/
 +
 
 +
Select <code>Intermediate</code> and <code>Nginx</code> (Zimbra proxy is based on Nginx) at the time of writing this article this will select nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest supported clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.
 +
 
 +
From the generated config file copy the value from <code>ssl_ciphers</code>:
 +
 
 +
<pre>ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;</pre>
 +
= Configuring Zimbra Proxy Nginx =
 +
 
 +
Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:
 +
 
 +
<pre>zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
 +
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
 +
 
 +
zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
  
= Enable Strong Ciphers =
+
zmproxyctl restart</pre>
To enable strong ciphers, weak ciphers must be disabled. It is best practise to run a SSL/TLS cipher scan first to see which ciphers your server currently supports.
+
= Configuring Zimbra Mailbox =
 +
 
 +
Also configure Zimbra mailbox to allow the use of TLSv1.3. Open in a text editor <code>/opt/zimbra/conf/localconfig.xml</code> find the line <code>mailboxd_java_options</code> and set <code>TLSv1.2,TLSv1.3</code> in <code>https.protocols</code> and <code>jdk.tls.client.protocols</code>. Example result:
  
As of today it is recommended to test HTTPS/SSL against multiple checks:
+
<pre>&lt;key name=&quot;mailboxd_java_options&quot;&gt;
 +
  &lt;value&gt;-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true&lt;/value&gt;
 +
&lt;/key&gt;</pre>
 +
Then restart mailbox, or reboot your server:
  
[https://www.ssllabs.com/ssltest/index.html SSL Labs (Qualsys)]
+
<pre>zmmailboxdctl restart</pre>
+
== Configure additional HTTP headers ==
[https://sslcheck.globalsign.com GlobalSign]
 
  
[https://ssltools.websecurity.symantec.com/checker/#home Verisgin/Symantec]
+
The following headers will:
  
Once the supported weak ciphers are determined, they can be disabled one by one system wide using the '''zimbraSSLExcludeCipherSuites''' global directory attribute.
+
* Enable HTTP Strict Transport Security (HSTS)
 +
* Disable search indexing of your server by Google et al.
  
To disable weak ciphers use the ''zmprov'' command.  Be sure to prefix the attribute name with "+" when using mcf to keep existing values.
+
<pre>zmprov mcf +zimbraResponseHeader &quot;Strict-Transport-Security: max-age=31536000; includeSubDomains&quot;
 +
zmprov mcf +zimbraResponseHeader &quot;X-XSS-Protection: 1; mode=block&quot;
 +
zmprov mcf +zimbraResponseHeader &quot;X-Content-Type-Options: nosniff&quot;
 +
zmprov mcf +zimbraResponseHeader &quot;X-Robots-Tag: noindex&quot;
 +
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
 +
zmmailboxdctl restart</pre>
 +
= DH parameters =
  
su - zimbra
+
Use pre-defined DHE groups as recommended by [https://tools.ietf.org/html/rfc7919 IETF RFC 7919].
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
 
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
 
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher...>
 
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
 
zmmailboxdctl restart
 
  
The disabled ciphers in Zimbra by default include these:
+
Further reading:
  
$ zmprov gcf zimbraSSLExcludeCipherSuites
+
* https://weakdh.org/
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
+
* https://github.com/internetstandards/dhe_groups
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
 
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
 
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
 
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
 
  
Please note that curl by default will not connect to RC4 ciphers:
+
<pre>wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem
https://bugzilla.redhat.com/show_bug.cgi?id=807749
+
su - zimbra
 +
zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem</pre>
 +
Reboot the server.
  
= Nginx Proxy Ciphers =
+
= Configuring Zimbra MTA Postfix =
  
Zimbra recommends that all sites (including single-server sites) use the Zimbra nginx proxy. The proxy provides an additional layer of security, defense in depth, and control. As of ZCS 8.7 or later, the nginx proxy is required in all ZCS installations.
+
Postix traffic is not routed through Zimbra proxy. Below commands show how to configure Zimbra MTA to use only strong TLS ciphers. In 2021 not all mail servers on the Internet support encryption. For maximum compatibility it is still recommended to use <code>Opportunistic TLS</code>. So that you can receive email via unencrypted transmissions. However you can set zimbraMtaTlsSecurityLevel to encrypt to force the use of TLS. This ''will'' result in mail delivery issues.
  
With the proxy, one can provide tight control over ciphers. The single valued '''zimbraReverseProxySSLCiphers''' attribute configures what cipher suites the nginx proxy will allow to be negotiated over SSL.  This affects HTTPS when the web proxy is enabled, and POP and IMAP when the mail proxy is enabled.  It is only possible to set this value in globalconfig.
+
To test the current state of the MTA run from the MTA:
  
The current recommended setting is (removes RC4 from the default in 8.6):
+
<pre>nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com</pre>
 +
The last line of output with Zimbra default config: least strength: F
  
<code>
+
<pre>openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1</pre>
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
+
Then the following configuration will remove weak ciphers and disable some Postfix options that are considered unsecure.
</code>
 
  
It can be set using the '''zmprov mcf''' command:
+
Find the current list of ciphers for Postfix via:
  
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
+
https://ssl-config.mozilla.org/#server=postfix
$ zmproxyctl restart # on all proxies
 
  
= SSL Protocols =
+
Configure it in Zimbra using:
  
As of ZCS 8.6, SSLv2 and SSLv3 are disabled by default. Only these SSL Protocols are enabled by default:
+
<pre>zmprov mcf zimbraMtaSmtpdTlsCiphers medium
 +
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers  medium
 +
zmprov mcf zimbraMtaSmtpdTlsProtocols '&gt;=TLSv1.2'
 +
zmprov mcf zimbraMtaTlsSecurityLevel may
 +
postconf -e fast_flush_domains=&quot;&quot;
 +
postconf -e smtpd_etrn_restrictions=reject
 +
postconf -e disable_vrfy_command=yes
 +
postconf -e tls_medium_cipherlist=&quot;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&quot;
 +
postconf -e tls_preempt_cipherlist=no
  
* TLSv1
+
zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
* TLSv1.1
+
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already (this is default)
* TLSv1.2
+
zmmtactl restart</pre>
 +
'''''IT IS VERY IMPORTANT tls_medium_cipherlist IS SET, setting just medium or high in zimbraMtaSmtpdTlsCiphers/zimbraMtaSmtpdTlsMandatoryCiphers will not work!!'''''
  
However, it has been found that certain older Microsoft Outlook clients (2011 and previous) require that the server also accept "SSLv2Hello". Enabling this does not mean that the server is actually allowing SSLv2, but it does mean that it allows the SSLv2Hello "introduction", before switching to TLSv1 or greater.
+
Above config was tested with email from Gmail (uses tls), Ubuntu 20 Postfix (uses tls), from Zimbra itself (uses lmtp) and http://ismyemailworking.com/ (uses plain text) and this all works.
  
If using the Zimbra nginx proxy, it is not necessary to add SSLv2Hello to the mailstore configuration. However, if not using the Zimbra nginx proxy and only using the mailstore for SSL handling (i.e., mailboxd), then you must enable SSLv2Hello protocol to allow older Outlook clients to work:
+
Run again to verify your set-up:
  
zmprov mcf +zimbraMailboxdSSLProtocols SSLv2Hello
+
<pre>nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com</pre>
zmmailboxdctl restart
+
The last line of output with Zimbra new config: least strength: A
  
In ZCS 8.7, SSLv2Hello will be enabled by default: https://bugzilla.zimbra.com/show_bug.cgi?id=97332
+
It seems TLS v1.3 is either not enabled or not tested via nmap, but you can verify that like so:
  
= Debugging Cipher issues =
+
<pre>openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_3
  
1. Jetty can use a Java startup option to log SSL and cipher debug data to /opt/zimbra/log/zmmailboxd.out:
+
openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1</pre>
 +
Please note that you can best run nmap/openssl commands on your MTA server to avoid firewall and network blocking issues of port 25.
  
-Djavax.net.debug=ssl,handshake,data
+
= Configuring Zimbra LDAP OpenLDAP =
  
This can be added to the end of your mailboxd_java_options:
+
Zimbra stores passwords in LDAP and is not proxied via Zimbra proxy. To find your current TLS protocols and ciphers you can run nmap, but you will need a recent version of nmap.
  
a. Get your current mailboxd_java_options:
+
<pre>nmap --script ssl-enum-ciphers -p 389 your-ldap-server.example.com</pre>
 +
Check and see if TLSv1.0 and TLSv1.1 are enabled (default) and what the least strength cipher is for TLSv1.2 and above (default: A).
  
$ zmlocalconfig mailboxd_java_options
+
To force the use of TLS &gt;= v1.2 with strong Ciphers run the following:
  
b. Add the above to it:
+
<pre>zmlocalconfig -e ldap_common_tlsprotocolmin=&quot;3.3&quot;
 +
zmlocalconfig -e ldap_common_tlsciphersuite=&quot;HIGH&quot;</pre>
 +
In addition require TLS for LDAP (disable unencrypted LDAP) via:
  
  $ zmlocalconfig -e mailboxd_java_options="-server -Djava.awt.headless=true -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:NewRatio=2 -XX:PermSize=196m -XX:MaxPermSize=350m -XX:SoftRefLRUPolicyMSPerMB=1 -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCApplicationStoppedTime -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/zimbra/log -XX:ErrorFile=/opt/zimbra/log/hs_err_pid%p.log -Dorg.apache.jasper.compiler.disablejsr199=true -Djava.net.preferIPv4Stack=true -XX:+PrintGCDateStamps -Xloggc:/opt/zimbra/log/gc.log -XX:-UseGCLogFileRotation -XX:NumberOfGCLogFiles=20 -XX:GCLogFileSize=4096K -Djavax.net.debug=ssl,handshake,data"
+
<pre>zmlocalconfig -e ldap_starttls_supported=1
 +
zmlocalconfig -e zimbra_require_interprocess_security=1
 +
zmlocalconfig -e ldap_starttls_required=true</pre>
 +
For this change it is recommended to restart Zimbra using <code>zmcontrol restart</code>.
  
c. SSL and cipher logging will now be written to /opt/zimbra/log/zmmailboxd.out
+
= Configuring POP3 =
  
2. OpenSSL can be used to test server availability of SSL protocols and ciphers. Please note, however, that the SSL ciphers are named differently in OpenSSL then they are in Java. You can find a mapping of those cipher names here:
+
It is recommended you disable the use of POP3 via a host firewall, in case you want to use POP3 anyway, disable the unencrypted sending of username and password and force the use of encryption with the following command:
  
* https://www.openssl.org/docs/apps/ciphers.html#cipher_suite_names
+
<pre>zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE</pre>
 +
Verify that TLS is required for POP3 via Zimbra Proxy, the setting should be <code>only</code> which is default.
  
These cipher names and category definitions (i.e., HIGH, MEDIUM, etc.) can be on that OpenSSL page above, and in turn are used in all Zimbra components that utilize OpenSSL, e.g., nginx, postfix, libcurl and others. Java/Jetty is not linked to OpenSSL, and therefore uses the longer cipher names indicated on this page.
+
<pre>zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
 +
zimbraReverseProxyPop3StartTlsMode: only</pre>
 +
With the above setting the Zimbra POP3 implementation requires the client to issue the STLS command. This command will switch from cleartext to encrypted communications.
  
a. OpenSSL testing:
+
If the STLS command is not issued, any command the client sends such as AUTH or USER to Zimbra will result in an error and the client will not try authentication. This means the password is not send without encryption. In addition email contents and attachments are also transmitted using encrypted communication.
  
These OpenSSL commands largely replicate what many older clients (such as Outlook 2011) use:
+
== False positives in OpenVAS and warnings in email clients such as Thunderbird ==
  
openssl s_client -tls1 -cipher RC4-SHA -connect mail.example.com:443
+
Email clients and vulnerability scanner can send some commands in plain text to Zimbra, such as CAPA (to list capabilities) and Zimbra will respond to these without encryption. This will make vulnerability scanners such as OpenVAS believe POP3 is enabled for unencrypted connections. This is however not the case. The false positive will look like this:
openssl s_client -tls1 -cipher DES-CBC3-SHA -connect mail.example.com:443
 
  
However, as noted above, some of these may also require SSLv2Hello first. The above ciphers in turn map to these in the JVM/Jetty:
+
<code>The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.</code>
  
TLS_RSA_WITH_RC4_128_SHA                RC4-SHA
+
For the same reason you can add your Zimbra account with POP3 to Thunderbird (and other clients) and select <code>Connection security: none</code> this will trigger a warning, saying your credentials will be transmitted without encryption. In reality the communication between the client and Zimbra will halt because of errors before authentication unless TLS is used.
TLS_RSA_WITH_3DES_EDE_CBC_SHA          DES-CBC3-SHA
 
  
= Bugs =
+
This has been verified by using Wireshark.
Prior to ZCS 5.0.10, the zimbraSSLExcludeCipherSuites attribute values are not picked up by the Jetty configuration for HTTPS.  To fix, replace all occurrences of ''zimbraSSLExcludeCipherSuites'' with ''zimbraSSLExcludeCipherSuitesXML'' in ''/opt/zimbra/jetty/etc/jetty.xml.in''.
 
  
cd /opt/zimbra/jetty/etc
+
= Configuring IMAP =
sed 's/%%zimbraSSLExcludeCipherSuites%%/%%zimbraSSLExcludeCipherSuitesXML%%/g' jetty.xml.in > /tmp/jetty.xml.in.new
 
cp jetty.xml.in /tmp/jetty.xml.in.old
 
mv /tmp/jetty.xml.in.new jetty.xml.in
 
zmmailboxdctl restart
 
  
Please see [http://bugzilla.zimbra.com/show_bug.cgi?id=30691 bug 30691] for more details. 
+
It is recommended you disable the use of IMAP via a host firewall, in case you want to use IMAP anyway, very that you have the following settings, that are the default and disable the unencrypted sending of username and password and force the use of encryption with the following command:
  
= References =
+
<pre>zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
''J2SE cipher list'' http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE
+
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already</pre>
 +
Verify that TLS is required for IMAP via Zimbra Proxy, the setting should be <code>only</code> which is default.
  
''OpenSSL ciphers list'' http://openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_
+
<pre>zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
 +
zimbraReverseProxyImapStartTlsMode: only</pre>
 +
= Validate your settings online using SSL Labs =
  
 +
Go to https://www.ssllabs.com/ssltest/analyze.html and enter the the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report take a look at the client devices listed under <code>Handshake Simulation</code> these will give you an idea of the devices your users can use to connect to your Zimbra server. Also validate there are no weak ciphers listed under <code>Cipher Suites</code>.
  
{{Article Footer|Zimbra Collaboration Suite 5.0.9|10/1/2008}}
+
= Further reading =
  
[[Category: SSL/TLS]]
+
* https://wiki.zimbra.com/wiki/SecureConfiguration
[[Category: Mailbox]]
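Review bot: The added DH parameters block fetches ffdhe4096.pem with "wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem" from a moving branch and passes it straight to zimbraSSLDHParam with no integrity check; pin the URL to a specific commit or add a checksum comparison step before the zmprov line. In the added Postfix verification block, the two openssl s_client commands (-tls1_3 and -tls1_1) are listed without their expected outcome; state that with zimbraMtaSmtpdTlsProtocols '>=TLSv1.2' the -tls1_1 handshake is expected to fail, so readers know which result confirms the change. The IMAP paragraph also carries a typo, "very that", which should read "verify that".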
 

Latest revision as of 11:02, 2 March 2022

Cipher suites

   KB 2661        Last updated on 2022-03-2  






Enable Strong Ciphers

Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. (further reading: https://www.internetsociety.org/deploy360/tls/basics)

In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS.

Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers

Since encryption is always evolving, it is recommended to use the Mozilla SSL Config generator, which you can find at https://ssl-config.mozilla.org/

Select Intermediate and Nginx (Zimbra proxy is based on Nginx). At the time of writing this article, this selects nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest supported clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.

From the generated config file, copy the value of ssl_ciphers:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

Configuring Zimbra Proxy Nginx

Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:

zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3

zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

zmproxyctl restart
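
A cipher string can be checked before it is handed to zmprov. The script below is an added example, not part of the Zimbra article or tooling; the function names and the policy (explicit suite names only, ECDHE/DHE key exchange, AES-GCM or CHACHA20-POLY1305) are assumptions modelled on the list above, and LEGACY_SAMPLE is constructed.

```shell
#!/bin/sh
# Lint an OpenSSL cipher string before setting zimbraReverseProxySSLCiphers.
# Assumed policy: every entry is an explicit suite name with ephemeral key
# exchange (ECDHE/DHE) and AES-GCM or CHACHA20-POLY1305, like the page's list.

# The list given on this page.
PAGE_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# Constructed sample: a looser string pasted as a whole nginx directive.
LEGACY_SAMPLE='ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:HIGH:!RC4;'

# Print a verdict for one colon-separated entry of the cipher string.
classify_entry() {
    case "$1" in
        '!'*|-*)
            echo exclusion ;;        # removes suites, adds none
        ECDHE-*-GCM-SHA256|ECDHE-*-GCM-SHA384|ECDHE-*-CHACHA20-POLY1305)
            echo ok ;;
        DHE-*-GCM-SHA256|DHE-*-GCM-SHA384|DHE-*-CHACHA20-POLY1305)
            echo ok ;;
        ECDHE-*|DHE-*)
            echo not-gcm-chacha ;;   # ephemeral key exchange, other cipher mode
        *-*)
            echo not-ecdhe-dhe ;;    # suite name without ECDHE-/DHE- prefix
        *)
            echo keyword ;;          # HIGH, AES128, kEDH+AESGCM: expands to many suites
    esac
}

# Print one "verdict entry" line per policy violation.
# Returns 0 when the string is clean, 1 otherwise.
lint_cipher_string() {
    s=${1#ssl_ciphers }              # tolerate a pasted nginx directive ...
    s=${s%;}                         # ... and its trailing semicolon
    report=$(printf '%s\n' "$s" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        verdict=$(classify_entry "$entry")
        case "$verdict" in
            ok|exclusion) ;;
            *) printf '%s %s\n' "$verdict" "$entry" ;;
        esac
    done)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

if lint_cipher_string "$PAGE_CIPHERS"; then
    echo "page list: clean"
fi
lint_cipher_string "$LEGACY_SAMPLE" || echo "legacy sample: rejected"
```

The same function can be pointed at the value passed to tls_medium_cipherlist in the Postfix section.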

Configuring Zimbra Mailbox

Also configure the Zimbra mailbox to allow the use of TLSv1.3. Open /opt/zimbra/conf/localconfig.xml in a text editor, find the mailboxd_java_options line, and set TLSv1.2,TLSv1.3 in https.protocols and jdk.tls.client.protocols. Example result:

<key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>

Then restart mailbox, or reboot your server:

zmmailboxdctl restart

Configure additional HTTP headers

The following headers will:

  • Enable HTTP Strict Transport Security (HSTS)
  • Disable search indexing of your server by Google et al.

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
zmmailboxdctl restart

DH parameters

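Use pre-defined DHE groups as recommended by IETF RFC 7919 (https://tools.ietf.org/html/rfc7919).

Further reading:

  • https://weakdh.org/
  • https://github.com/internetstandards/dhe_groups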

wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem
su - zimbra
zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem

Reboot the server.

Configuring Zimbra MTA Postfix

Postfix traffic is not routed through the Zimbra proxy. The commands below show how to configure the Zimbra MTA to use only strong TLS ciphers. In 2021 not all mail servers on the Internet support encryption, so for maximum compatibility it is still recommended to use Opportunistic TLS, which lets you keep receiving email over unencrypted transmissions. You can set zimbraMtaTlsSecurityLevel to encrypt to force the use of TLS, but this will result in mail delivery issues.

To test the current state of the MTA, run the following from the MTA:

nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com

The last line of output with Zimbra default config: least strength: F

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1

The following configuration will then remove weak ciphers and disable some Postfix options that are considered insecure.

Find the current list of ciphers for Postfix via:

https://ssl-config.mozilla.org/#server=postfix

Configure it in Zimbra using:

zmprov mcf zimbraMtaSmtpdTlsCiphers medium
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers  medium
zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
zmprov mcf zimbraMtaTlsSecurityLevel may
postconf -e fast_flush_domains=""
postconf -e smtpd_etrn_restrictions=reject
postconf -e disable_vrfy_command=yes
postconf -e tls_medium_cipherlist="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
postconf -e tls_preempt_cipherlist=no

zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already (this is default)
zmmtactl restart

IT IS VERY IMPORTANT tls_medium_cipherlist IS SET, setting just medium or high in zimbraMtaSmtpdTlsCiphers/zimbraMtaSmtpdTlsMandatoryCiphers will not work!!

The above config was tested with email from Gmail (uses TLS), Ubuntu 20 Postfix (uses TLS), Zimbra itself (uses LMTP) and http://ismyemailworking.com/ (uses plain text), and this all works.

Run again to verify your set-up:

nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com

The last line of output with Zimbra new config: least strength: A

It seems TLS v1.3 is either not enabled or not tested via nmap, but you can verify that like so:

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_3

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1

Please note that it is best to run the nmap/openssl commands on your MTA server to avoid firewall and network blocking issues on port 25.
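
The before/after nmap comparison can be turned into a pass/fail check. The script below is an added example, not part of the Zimbra article; audit_enum_ciphers is a hypothetical helper, and both sample outputs are constructed in the layout the ssl-enum-ciphers script prints. A scan that returns no ssl-enum-ciphers result at all (for example because port 25 is blocked) is reported as a failure rather than a pass.

```shell
#!/bin/sh
# Gate on nmap ssl-enum-ciphers output: fail on protocols older than TLSv1.2,
# on any suite graded worse than the minimum, and on a missing result.

# Constructed sample resembling an MTA that still offers anonymous suites.
SAMPLE_DEFAULT='PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DH_anon_WITH_AES_256_CBC_SHA (dh 2048) - F
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DH_anon_WITH_AES_256_GCM_SHA384 (dh 2048) - F
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: F'

# Constructed sample resembling the MTA after the configuration above.
SAMPLE_HARDENED='PORT   STATE SERVICE
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A'

# Reads nmap output on stdin; $1 is the worst acceptable grade (default A).
# Prints one finding per line and returns 1 if there is any finding.
audit_enum_ciphers() {
    awk -v min="${1:-A}" '
    {
        line = $0
        sub(/^\|_?[ ]*/, "", line)   # drop the "|   " or "|_  " gutter
        sub(/[ ]+$/, "", line)       # nmap pads some lines with a trailing space
    }
    line ~ /^(SSLv[0-9.]+|TLSv[0-9.]+):$/ {
        proto = substr(line, 1, length(line) - 1)
        if (proto != "TLSv1.2" && proto != "TLSv1.3") {
            print "legacy-protocol " proto
            bad = 1
        }
        next
    }
    line ~ / - [A-F]$/ {             # suite line: "NAME (kex) - GRADE"
        grade = substr(line, length(line), 1)
        split(line, f, " ")
        if (grade > min) {
            print "weak-suite " proto " " f[1] " grade " grade
            bad = 1
        }
        next
    }
    line ~ /^least strength: / {
        seen = 1
        least = substr(line, length(line), 1)
        if (least > min) {
            print "least-strength " least
            bad = 1
        }
    }
    END {
        if (!seen) {                 # filtered port or no TLS: not a pass
            print "no-result"
            bad = 1
        }
        exit (bad ? 1 : 0)
    }'
}

printf '%s\n' "$SAMPLE_HARDENED" | audit_enum_ciphers && echo "hardened sample: pass"
printf '%s\n' "$SAMPLE_DEFAULT" | audit_enum_ciphers || echo "default sample: fail"
```

Against a live server the input would come from the nmap command shown above, piped into audit_enum_ciphers.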

Configuring Zimbra LDAP OpenLDAP

Zimbra stores passwords in LDAP, and LDAP traffic is not proxied via the Zimbra proxy. To find your current TLS protocols and ciphers you can run nmap, but you will need a recent version of nmap.

nmap --script ssl-enum-ciphers -p 389 your-ldap-server.example.com

Check and see if TLSv1.0 and TLSv1.1 are enabled (default) and what the least strength cipher is for TLSv1.2 and above (default: A).

To force the use of TLS >= v1.2 with strong ciphers, run the following:

zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"
zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"

In addition require TLS for LDAP (disable unencrypted LDAP) via:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

For this change it is recommended to restart Zimbra using zmcontrol restart.

Configuring POP3

It is recommended that you disable the use of POP3 via a host firewall. If you want to use POP3 anyway, disable the unencrypted sending of username and password and force the use of encryption with the following command:

zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

Verify that TLS is required for POP3 via Zimbra Proxy. The setting should be only, which is the default.

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only

With the above setting the Zimbra POP3 implementation requires the client to issue the STLS command. This command will switch from cleartext to encrypted communications.

If the STLS command is not issued, any command the client sends to Zimbra, such as AUTH or USER, will result in an error and the client will not try authentication. This means the password is not sent without encryption. In addition, email contents and attachments are also transmitted using encrypted communication.

False positives in OpenVAS and warnings in email clients such as Thunderbird

Email clients and vulnerability scanners can send some commands to Zimbra in plain text, such as CAPA (to list capabilities), and Zimbra will respond to these without encryption. This will make vulnerability scanners such as OpenVAS believe POP3 is enabled for unencrypted connections. This is, however, not the case. The false positive will look like this:

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.

For the same reason, you can add your Zimbra account with POP3 to Thunderbird (and other clients) and select Connection security: none. This will trigger a warning saying your credentials will be transmitted without encryption. In reality, the communication between the client and Zimbra will halt because of errors before authentication unless TLS is used.

This has been verified by using Wireshark.

Configuring IMAP

It is recommended that you disable the use of IMAP via a host firewall. If you want to use IMAP anyway, verify that you have the following settings, which are the default, and disable the unencrypted sending of username and password and force the use of encryption with the following command:

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already

Verify that TLS is required for IMAP via Zimbra Proxy. The setting should be only, which is the default.

zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

Validate your settings online using SSL Labs

Go to https://www.ssllabs.com/ssltest/analyze.html and enter the domain name of your Zimbra server. If you followed the steps in this article, you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report, take a look at the client devices listed under Handshake Simulation; these will give you an idea of the devices your users can use to connect to your Zimbra server. Also validate that there are no weak ciphers listed under Cipher Suites.

Further reading

  • https://wiki.zimbra.com/wiki/SecureConfiguration