Difference between revisions of "Postfix PCI Compliance in ZCS"

Line 1: Line 1:
{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===
+
{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 7.0}}|}}===Reconfigure the Postfix SSL/TLS settings===
  
 
1.  Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
 
1.  Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
Line 9: Line 9:
 
3. Type the following commands:
 
3. Type the following commands:
  
  postconf -e smtpd_tls_ciphers=medium
+
  postconf -e smtpd_tls_ciphers=high
  postconf -e smtpd_tls_protocols=\!SSLv2
+
  postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
 
  postconf -e smtpd_tls_mandatory_ciphers=high
 
  postconf -e smtpd_tls_mandatory_ciphers=high
 
  postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
 
  postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
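Review bot: On the smtpd_tls_protocols line, the new value SSLv3,TLSv1,\!SSLv2 turns an exclusion list into an explicit include list, so SSLv3 stays enabled, the \!SSLv2 entry becomes redundant, and any protocol version not named is shut out. If the goal is only to drop weak protocols, keep the exclusion form and add further "!" entries as the scan requires. The step also sets only smtpd_tls_protocols; say whether smtpd_tls_mandatory_protocols is meant to be left at its default.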
Line 18: Line 18:
 
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.
 
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.
  
  zmlocalconfig -e smtpd_tls_ciphers=medium
+
  zmlocalconfig -e smtpd_tls_ciphers=high
  zmlocalconfig -e smtpd_tls_protocols=\!SSLv2
+
  zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
 
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
 
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
 
  zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
 
  zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
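Review bot: The zmlocalconfig lines in step 4 repeat the four postconf values from step 3 by hand, and nothing in the step says the two sets must stay identical. Add a sentence stating that, so a later change to one list (as this revision made to smtpd_tls_ciphers and smtpd_tls_protocols) is mirrored in the other.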
Line 28: Line 28:
  
  
This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.4.  Using the Qualys PCI scanning tool as the reference for passing the PCI network scan.
+
This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.8 and 7.2.0.  Using the Qualys PCI scanning tool as the reference for passing the PCI network scan.
  
 
{{Article Footer|ZCS 6.0.4|11/30/2009}}
 
{{Article Footer|ZCS 6.0.4|11/30/2009}}
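Review bot: The updated sentence says the procedure was tested in ZCS 6.0.8 and 7.2.0, but the Article Footer directly below it still reads ZCS 6.0.4 with the 11/30/2009 date. Update the footer version to match, and turn the trailing fragment ("Using the Qualys PCI scanning tool as ...") into a full sentence while touching this paragraph.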

Revision as of 12:04, 16 August 2012

Admin Article

This article applies to the following ZCS versions: ZCS 6.0, ZCS 7.0

Reconfigure the Postfix SSL/TLS settings

1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to roll back or refer to it after an upgrade.

2. Log in as root in the command line utility. Switch to the zimbra user account.

su - zimbra

3. Type the following commands:

postconf -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

The SSL/TLS settings are now reconfigured. The changes will take effect immediately.

4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.

zmlocalconfig -e smtpd_tls_ciphers=high
zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"

Reference - http://www.postfix.org/TLS_README.html

5. Use 'zmmtactl restart' to restart postfix.
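
A check to run after step 5, as an added example that is not part of the original article or of Zimbra's tooling: it compares main.cf-style text against the four values from step 3. The function names and the sample configuration are constructed for illustration.

```shell
# Added example (not Zimbra's code). Expected values are those set in step 3.
EXPECTED='smtpd_tls_ciphers=high
smtpd_tls_protocols=SSLv3,TLSv1,!SSLv2
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL, MD5, DES'

# effective_value NAME: read main.cf-style text on stdin, print the value in force.
# Whitespace around "=" is trimmed and the last definition wins, as in Postfix.
# Continuation lines are skipped, not joined (the values here are single-line).
effective_value() {
    awk -v name="$1" '
        /^#/ || /^[ \t]/ { next }            # comment or continuation line
        (eq = index($0, "=")) {
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == name) found = val     # a later definition overrides
        }
        END { print found }'
}

# audit_tls: read a configuration on stdin, print one line per setting that
# differs from EXPECTED, and return the number of mismatches (0 = all match).
audit_tls() {
    cfg=$(cat)
    bad=0
    while IFS='=' read -r name want; do
        got=$(printf '%s\n' "$cfg" | effective_value "$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name: expected '$want', found '$got'"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$bad"
}

sample_main_cf() {
    cat <<'EOF'
# constructed sample: ciphers set twice, protocols still at the older value
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, DES
smtpd_tls_protocols = !SSLv2
smtpd_tls_ciphers = high
EOF
}

sample_main_cf | audit_tls || true   # prints the smtpd_tls_protocols mismatch
```

On a server, feed it the live file instead of the sample: `audit_tls < /opt/zimbra/postfix/conf/main.cf`.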


This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.8 and 7.2.0. The Qualys PCI scanning tool was used as the reference for passing the PCI network scan.

Verified Against: ZCS 6.0.4
Date Created: 11/30/2009
Article ID: https://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS
Date Modified: 2012-08-16


