How to disable SSLv3
Following the recent discovery of the POODLE vulnerability in SSLv3 (CVE-2014-3566), this protocol is considered unsafe. This is a flaw in the protocol itself, and Zimbra might include patches or configuration changes in future releases. Please check the existing bug: https://bugzilla.zimbra.com/show_bug.cgi?id=95976.
As a workaround, this guide shows how to disable SSLv3 in Zimbra. It has been tested on both ZCS 8.0.8 and 8.5.0.
zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3'
postconf -e smtpd_tls_protocols=\!SSLv3
Run "zmmtactl stop ; zmmtactl start" to apply the changes immediately, or wait about 2 minutes for mailboxd to rewrite the Postfix config from LDAP.
If you are already disabling ciphers by following http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS, please also include SSLv3:
zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3,\!SSLv2,TLSv1,TLSv2'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'
zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2,TLSv1,TLSv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
Run "zmmtactl stop ; zmmtactl start" to apply the changes.
Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers need to be set again after every upgrade, as there is no way to preserve them in ZCS 8.0 and earlier.
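Because these settings can be lost on upgrade, a post-upgrade check is useful. The following is an added example, not part of the original guide or of Zimbra's tooling: it decides whether a given smtpd_tls_protocols value still permits SSLv3, using Postfix's list rules (entries separated by whitespace, commas or colons; "!" excludes a protocol; an empty value allows all protocols). The function names sslv3_status and check_mta are hypothetical, and the sample values are constructed.

```shell
#!/bin/sh
# Added example. sslv3_status and check_mta are hypothetical helper names.

# sslv3_status VALUE: print "allowed" or "refused" for SSLv3, given the
# value of smtpd_tls_protocols. The body is a subshell so that set -f and
# the working variables do not leak into the caller.
sslv3_status() (
    set -f                # no filename expansion while splitting the list
    explicit_allow=no     # some protocol is named without "!"
    sslv3_named=no        # SSLv3 itself is named without "!"
    sslv3_excluded=no     # "!SSLv3" is present
    for tok in $(printf '%s' "$1" | tr ',:' '  '); do
        case "$tok" in
            '!SSLv3') sslv3_excluded=yes ;;
            '!'*)     ;;  # some other protocol is excluded
            SSLv3)    sslv3_named=yes; explicit_allow=yes ;;
            *)        explicit_allow=yes ;;
        esac
    done
    if [ "$sslv3_excluded" = yes ]; then
        echo refused
    elif [ "$explicit_allow" = yes ] && [ "$sslv3_named" = no ]; then
        echo refused      # allow-list that does not name SSLv3
    else
        echo allowed      # empty value, or only other protocols excluded
    fi
)

# check_mta: read the live value with postconf and succeed only when
# SSLv3 is refused. Returns 2 if postconf itself fails.
check_mta() {
    value=$(postconf -h smtpd_tls_protocols) || return 2
    [ "$(sslv3_status "$value")" = refused ]
}

# Constructed sample values: reverted-to-empty, SSLv2 only excluded,
# the first workaround in this guide, and the longer list in this guide.
for sample in '' '!SSLv2' '!SSLv3' '!SSLv3,!SSLv2,TLSv1,TLSv2'; do
    printf '%-28s -> %s\n' "[$sample]" "$(sslv3_status "$sample")"
done
```

On a ZCS host, run check_mta as the zimbra user after each upgrade; a non-zero exit status means the workaround needs to be reapplied.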