Postfix PCI Compliance in ZCS: Difference between revisions

No edit summary
No edit summary
 
(15 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Postfix PCI Compilance in Zimbra Collaboration=
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{WIP}}
==Reconfigure the Postfix SSL/TLS settings==


1.  Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
===Configuring Postfix for PCI Compliance===


2. Log in as root in the command line utility. Switch to the zimbra user account.
Reference - http://www.postfix.org/TLS_README.html
 
su - zimbra
 
3. Type the following commands:


  postconf -e smtpd_tls_ciphers=medium
====For ZCS 8.5, as the '''zimbra''' user====
  postconf -e smtpd_tls_protocols=\!SSLv2
  zmprov mcf zimbraMtaSmtpdTlsCiphers high
  postconf -e smtpd_tls_mandatory_ciphers=high
  zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
  postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"
  zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
  zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'


The SSL/TLS settings are now reconfigured.  The changes will take effect immediately.
Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.


4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.
====For ZCS 8.0 and previous, as the '''zimbra''' user====


  zmlocalconfig -e smtpd_tls_ciphers=medium
  zmlocalconfig -e smtpd_tls_ciphers=high
  zmlocalconfig -e smtpd_tls_protocols=\!SSLv2
  postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"
  postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
 
Reference - http://www.postfix.org/TLS_README.html
 
5.      Use 'zmmtactl restart' to restart postfix.


The SSL/TLS settings are now reconfigured.  The changes will take effect within 2 minutes.  Note that '''smtpd_tls_protocols''' and '''smtpd_tls_exclude_ciphers''' will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.


{{Article Footer|unknown|11/30/2009}}
{{Article Footer|ZCS 7.2.0|11/30/2013}}


[[Category: SSL/TLS]]
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]
[[Category: ZCS 7.0]]
[[Category: ZCS 8.0]]
[[Category: ZCS 8.5]]
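
Review bot: in the "ZCS 8.0 and previous" block, the backup of /opt/zimbra/postfix/conf/main.cf (old step 1) and the 'zmmtactl restart' (old step 5) are dropped, although smtpd_tls_protocols and smtpd_tls_exclude_ciphers are still written with postconf -e and, per the closing note, must be set again after every upgrade. Keep the backup step for that section so the previous values can be referred to after an upgrade, and state whether the "within 2 minutes" sentence also covers the two postconf -e changes or whether the restart is still required for them. The ZCS 8.5 sentence "the system will be PCI compliant" would also be easier to rely on if it were followed by a command that shows the resulting Postfix values.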

Latest revision as of 20:22, 12 July 2015

Postfix PCI Compliance in Zimbra Collaboration

KB 3123 | Last updated on 2015-07-12





Reconfigure the Postfix SSL/TLS settings

Configuring Postfix for PCI Compliance

Reference - http://www.postfix.org/TLS_README.html

For ZCS 8.5, as the zimbra user

  zmprov mcf zimbraMtaSmtpdTlsCiphers high
  zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
  zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
  zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.

For ZCS 8.0 and previous, as the zimbra user

  zmlocalconfig -e smtpd_tls_ciphers=high
  postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.
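
Because two of these parameters have to be re-applied after every upgrade, a drift check is useful. The script below is an added example, not part of the original article or of Zimbra's tooling: it reads `name = value` lines in the format `postconf` prints and lists every parameter that is missing or differs from the values set on this page. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report TLS parameters that drifted from the values on this page.
# Expected values are the ZCS 8.0 settings shown above.
EXPECTED='smtpd_tls_ciphers=high
smtpd_tls_protocols=!SSLv3,!SSLv2
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL,MD5,DES'

# Postfix accepts commas and/or whitespace as list separators, so compare
# values as sorted sets of tokens rather than as raw strings.
normalize() {
    printf '%s' "$1" | tr ', \t' '\n\n\n' | sed '/^$/d' | sort | tr '\n' ' '
}

# Reads "name = value" lines on stdin (the format `postconf name...` prints).
# Prints each parameter that is missing or differs; returns 1 on any drift.
check_tls_drift() {
    actual=$(cat)
    drift=0
    for pair in $EXPECTED; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$actual" |
            sed -n "s/^${name}[[:space:]]*=[[:space:]]*//p" | tail -n 1)
        if [ "$(normalize "$got")" != "$(normalize "$want")" ]; then
            echo "$name"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed sample (not real output): two parameters reset by an upgrade.
sample_after_upgrade() {
    printf '%s\n' 'smtpd_tls_ciphers = high' 'smtpd_tls_protocols = !SSLv2' \
        'smtpd_tls_mandatory_ciphers = high' 'smtpd_tls_exclude_ciphers = aNULL, MD5'
}

# Constructed sample: the page's values written with other separators and order.
sample_ok() {
    printf '%s\n' 'smtpd_tls_ciphers = high' 'smtpd_tls_protocols = !SSLv2, !SSLv3' \
        'smtpd_tls_mandatory_ciphers = high' 'smtpd_tls_exclude_ciphers = aNULL MD5 DES'
}

# On a live system, pipe `postconf <the four names>` into check_tls_drift instead.
sample_after_upgrade | check_tls_drift || echo "drift detected: re-apply the settings"
sample_ok | check_tls_drift && echo "no drift"
```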

Verified Against: ZCS 7.2.0
Date Created: 11/30/2013
Article ID: https://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS
Date Modified: 2015-07-12


