How to disable TLSv1

How to disable deprecated TLS versions and enable TLS 1.3

   KB 23852        Last updated on 2022-08-26  

(one vote)


The purpose of this article is to show how to disable deprecated TLS versions on Zimbra server.


There are couple of components for which we can disable TLS versions:

1. Disable deprecated TLS versions for proxy server/s:

# Overwrite the current configuration to allow only v1.2
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmproxyctl restart

2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)

# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3
$ zmmailboxdctl restart

3. Allow only TLSv1.2 and more for ports 465, 587 and 25:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2' 
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2' 
$ zmmtactl restart

As an option, use nmap to check what protocols are active.

nmap --script ssl-enum-ciphers -p 443

Verified Against: Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9 Date Created: 26/08/2022
Article ID: Date Modified: 2022-08-26

Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by Zeiko2
Jump to: navigation, search