The administrator has to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and on Zimbra Mailstore. These steps add TLSv1.3 alongside the protocols that are already enabled; they do not remove TLSv1 or TLSv1.1, which are deprecated (RFC 8996) and should be dropped from the same settings once no legacy clients depend on them.

=== Execute the following steps on Zimbra Proxy (Nginx) ===

Please refer to: https://wiki.zimbra.com/wiki/Cipher_suites

Execute these commands as the <code>zimbra</code> user.

* View the existing '''zimbraReverseProxySSLProtocols''':

<pre>
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
</pre>

* Add TLSv1.3 to the existing '''zimbraReverseProxySSLProtocols''':

<pre>
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
</pre>

* Verify that TLSv1.3 has been added to '''zimbraReverseProxySSLProtocols''':

<pre>
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
</pre>

* View the existing ciphers in '''zimbraReverseProxySSLCiphers''':

<pre>
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
</pre>

* Add the TLSv1.3 cipher <code>TLS_AES_256_GCM_SHA384</code> to the existing '''zimbraReverseProxySSLCiphers'''. <code>zmprov mcf</code> replaces the whole value, so start from the string returned by the previous step rather than from this example if your deployment has customised it:

<pre>
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
</pre>

Note that on OpenSSL 1.1.1 and later the TLSv1.3 ciphersuites are enabled by default and are configured separately from the TLSv1.2-and-earlier cipher list, so after the restart confirm the negotiated protocol and suite from a client (for example <code>openssl s_client -tls1_3</code>) rather than relying on this string alone.

* Restart the Zimbra Proxy service:

<pre>
$ zmproxyctl restart
</pre>

=== Execute the following steps on Zimbra Mailstore ===

Execute these commands as the <code>zimbra</code> user.

* Get your current <code>mailboxd_java_options</code>:

<pre>
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true
</pre>

* Add TLSv1.3 to <code>https.protocols</code> and <code>jdk.tls.client.protocols</code>. <code>zmlocalconfig -e</code> replaces the whole value, so edit the string you obtained in the previous step rather than pasting this example verbatim, otherwise any local JVM tuning is overwritten. Keep the single quotes so that <code>${networkaddress_cache_ttl}</code> is stored literally:

<pre>
$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'
</pre>

* Restart the Zimbra Mailbox service:

<pre>
$ zmmailboxdctl restart
</pre>
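The two procedures above (proxy and mailstore) both edit an existing value by hand, which is easy to get wrong on a tuned deployment: a typo in the pasted cipher string or JVM options silently replaces the whole setting. The following script is an added example and not part of the Zimbra wiki page or the Zimbra product; it performs the same changes idempotently by editing the values the <code>zmprov</code> and <code>zmlocalconfig</code> commands return, and adds an external check with <code>openssl s_client</code>. The function names, the <code>proxy</code>/<code>mailstore</code>/<code>check</code> dispatch at the bottom and the sample strings are assumptions for illustration; the Zimbra commands it calls are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: idempotent helpers for the
# TLSv1.3 changes described above. Function names, the dispatch at the bottom
# and the sample values are assumptions for illustration.

# Print the value of -D<prop>= found in a Java options string (empty if absent).
java_prop_value() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')          # escape dots for the regex
    printf '%s\n' "$2" | sed -n "s/.*-D${esc}=\([^ ]*\).*/\1/p"
}

# Append TLSv1.3 to the comma-separated list held by -D<prop>= (for example
# https.protocols) inside mailboxd_java_options, leaving every other option as
# it is. A second run is a no-op; an absent property is left absent, not invented.
add_tls13_to_prop() {
    prop="$1"; opts="$2"
    esc=$(printf '%s' "$prop" | sed 's/\./\\./g')
    case ",$(java_prop_value "$prop" "$opts")," in
        *,TLSv1.3,*) printf '%s\n' "$opts" ;;
        *)           printf '%s\n' "$opts" | sed "s/-D${esc}=[^ ]*/&,TLSv1.3/" ;;
    esac
}

# Insert a cipher into a colon-separated OpenSSL cipher string if it is not
# already present, placing it before the first "!" exclusion so that the
# exclusions keep their position at the end of the list.
add_cipher() {
    cipher="$1"; list="$2"
    if [ -z "$list" ]; then printf '%s\n' "$cipher"; return 0; fi
    case ":$list:" in
        *":$cipher:"*) printf '%s\n' "$list" ;;
        *:!*)          printf '%s\n' "$list" | sed "s/:!/:${cipher}:!/" ;;
        *)             printf '%s\n' "$list:$cipher" ;;
    esac
}

# Confirm from the outside that a listener negotiates TLSv1.3 (needs OpenSSL 1.1.1+).
# Succeeds only if the handshake completes with the protocol forced to TLSv1.3.
check_tls13() {
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_3 </dev/null 2>/dev/null \
        | grep -q '^Protocol *: TLSv1.3'
}

# Proxy side: run as the zimbra user on the proxy node.
apply_proxy() {
    zmprov gcf zimbraReverseProxySSLProtocols | grep -qx 'zimbraReverseProxySSLProtocols: TLSv1.3' \
        || zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
    cur=$(zmprov gcf zimbraReverseProxySSLCiphers | sed 's/^zimbraReverseProxySSLCiphers: //')
    zmprov mcf zimbraReverseProxySSLCiphers "$(add_cipher TLS_AES_256_GCM_SHA384 "$cur")"
    zmproxyctl restart
}

# Mailstore side: run as the zimbra user on the mailbox node. The current value
# is read back and edited, so ${networkaddress_cache_ttl} and any local JVM
# tuning survive unchanged.
apply_mailstore() {
    opts=$(zmlocalconfig mailboxd_java_options | sed 's/^mailboxd_java_options = //')
    opts=$(add_tls13_to_prop https.protocols "$opts")
    opts=$(add_tls13_to_prop jdk.tls.client.protocols "$opts")
    zmlocalconfig -e "mailboxd_java_options=$opts"
    zmmailboxdctl restart
}

# Usage (assumed interface): ./tls13.sh proxy | mailstore | check <host> <port>
case "${1:-}" in
    proxy)     apply_proxy ;;
    mailstore) apply_mailstore ;;
    check)     check_tls13 "${2:-localhost}" "${3:-443}" \
                   && echo "TLSv1.3 negotiated on ${2:-localhost}:${3:-443}" ;;
esac
```

Run <code>check</code> against the proxy (port 443) after the proxy restart and against the mailstore HTTPS port after the mailbox restart; a failed handshake with <code>-tls1_3</code> means the listener still offers only the older protocols.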