How to disable TLSv1
How to disable deprecated TLS versions and enable TLS 1.3
Problem
The purpose of this article is to show how to disable deprecated TLS versions on Zimbra server.
Resolution
There are couple of components for which we can disable TLS versions:
1. Disable deprecated TLS versions for proxy server/s:
# Overwrite the current configuration to allow only v1.2 $ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2 # Add TLSv1.3 $ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3 $ zmproxyctl restart
2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)
# Overwrite the current configuration to allow only v1.2 $ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2 # Add TLSv1.3 $ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3 $ zmmailboxdctl restart
3. Allow only TLSv1.2 and more for ports 465, 587 and 25:
$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2' $ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2' $ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2' $ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2' $ zmmtactl restart
As an option, use nmap to check what protocols are active.
nmap --script ssl-enum-ciphers -p 443 proxy.example.com