How to disable TLSv1

How to disable deprecated TLS versions and enable TLS 1.3

   KB 23852        Last updated on 2022-08-26  


The purpose of this article is to show how to disable deprecated TLS versions on a Zimbra server.


There are a couple of components for which we can disable TLS versions:

1. Disable deprecated TLS versions for the proxy server(s):

# Overwrite the current configuration to allow only v1.2
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmproxyctl restart

2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP):

# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3
$ zmmailboxdctl restart

3. Allow only TLSv1.2 and later for ports 465, 587 and 25:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2' 
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2' 
$ zmmtactl restart

Optionally, use nmap to check which protocols are active (replace <zimbra-hostname> with the server to test):

nmap --script ssl-enum-ciphers -p 443 <zimbra-hostname>
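To turn the nmap check into a pass/fail test, the following added example (not part of the original article) reads `nmap --script ssl-enum-ciphers` output on stdin and lists every offered protocol other than TLSv1.2 or TLSv1.3, per port. The function names `check_tls_versions` and `sample_scan` are hypothetical, and the embedded scan output is constructed for illustration.

```shell
#!/bin/sh
# Added example: pass/fail check over `nmap --script ssl-enum-ciphers` output.

# Constructed sample scan (not taken from a real server).
sample_scan() {
    cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: A
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A
EOF
}

# Reads nmap normal output on stdin. Prints "port protocol" for every offered
# protocol other than TLSv1.2/TLSv1.3; returns 1 if any was found, else 0.
check_tls_versions() {
    awk '
        # Port line, e.g. "443/tcp open  https": remember the current port.
        /^[0-9]+\/tcp/ { port = $1; next }
        # Protocol header in the script output, e.g. "|   TLSv1.0:".
        /^[|][ _]+(SSLv[0-9]+|TLSv[0-9.]+): *$/ {
            proto = $2; sub(/:$/, "", proto)
            if (proto != "TLSv1.2" && proto != "TLSv1.3") { print port, proto; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

sample_scan | check_tls_versions || echo "deprecated protocols still offered" >&2
```

Against a live server, pipe the scan in directly, for example `nmap --script ssl-enum-ciphers -p 443,993,995 <zimbra-hostname> | check_tls_versions`, where `<zimbra-hostname>` is a placeholder and 993/995 are the standard IMAPS/POP3S ports.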

Verified Against: Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9
Date Created: 26/08/2022
Article ID:
Date Modified: 2022-08-26
