Difference between revisions of "Postfix PCI Compliance in ZCS"

m (moved PCI Compliance in Zimbra 5.0.x to Postfix PCI Compliance in ZCS: This can apply to both ZCS 5.0.x and 6.0.x.)
 
(14 intermediate revisions by 7 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}||{{ZCS 5.0}}|}}===Reconfigure the Postfix SSL/TLS settings===
+
{{BC|Community Sandbox}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Postfix PCI Compilance in Zimbra Collaboration=
 +
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
 +
{{WIP}}
 +
==Reconfigure the Postfix SSL/TLS settings==
  
1.  Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
+
===Configuring Postfix for PCI Compliance===
  
2. Log in as root in the command line utility. Switch to the zimbra user account.
+
Reference - http://www.postfix.org/TLS_README.html
 
 
su - zimbra
 
 
 
3. Type the following commands:
 
  
  postconf -e smtpd_tls_ciphers=medium
+
====For ZCS 8.5, as the '''zimbra''' user====
  postconf -e smtpd_tls_protocols=\!SSLv2
+
  zmprov mcf zimbraMtaSmtpdTlsCiphers high
  postconf -e smtpd_tls_mandatory_ciphers=high
+
  zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
  postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5"
+
  zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
 +
  zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'
  
The SSL/TLS settings are now reconfigured.  The changes will take effect immediately.
+
Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.
  
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.
+
====For ZCS 8.0 and previous, as the '''zimbra''' user====
  
  zmlocalconfig -e smtpd_tls_ciphers=medium
+
  zmlocalconfig -e smtpd_tls_ciphers=high
  zmlocalconfig -e smtpd_tls_protocols=\!SSLv2
+
  postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
 
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
 
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5"
+
  postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
 
 
Reference - http://www.postfix.org/TLS_README.html
 
 
 
5.      Use 'zmmtactl restart' to restart postfix.
 
  
 +
The SSL/TLS settings are now reconfigured.  The changes will take effect within 2 minutes.  Note that '''smtpd_tls_protocols''' and '''smtpd_tls_exclude_ciphers''' will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.
  
{{Article Footer|unknown|11/30/2009}}
+
{{Article Footer|ZCS 7.2.0|11/30/2013}}
  
 
[[Category: SSL/TLS]]
 
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]
+
[[Category: ZCS 7.0]]
 +
[[Category: ZCS 8.0]]
 +
[[Category: ZCS 8.5]]
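Review bot: The old step 1 (back up /opt/zimbra/postfix/conf/main.cf) is removed, yet the new "For ZCS 8.0 and previous" section still runs postconf -e, which rewrites main.cf in place, and the closing note says smtpd_tls_protocols and smtpd_tls_exclude_ciphers must be set again after every upgrade; keep the backup step for that section. The new top heading spells "Compliance" as "Compilance". The line "the system will be PCI compliant" claims more than four smtpd TLS parameters can establish; "Postfix will use the new TLS settings" would match what the commands do. The KB template lists ZCS 8.6 while only 8.5 and "8.0 and previous" get instructions, and the footer still reads ZCS 7.2.0.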

Latest revision as of 20:22, 12 July 2015

Postfix PCI Compliance in Zimbra Collaboration

   KB 3123        Last updated on 2015-07-12  





Reconfigure the Postfix SSL/TLS settings

Configuring Postfix for PCI Compliance

Reference - http://www.postfix.org/TLS_README.html

For ZCS 8.5, as the zimbra user

zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.

For ZCS 8.0 and previous, as the zimbra user

zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.
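A post-upgrade check for the settings above, added here as an example and not part of the original article: it reads postconf-style "name = value" lines and reports any of the four smtpd TLS parameters that differ from the ZCS 8.0 values shown. The function names are hypothetical and both sample configurations are constructed, the second from the weaker values in the older revision of this page.

```shell
#!/bin/sh
# Added example: audit postconf-style "name = value" lines against the four
# smtpd TLS settings from this article. Function names are hypothetical.

# Print the value of parameter $1 from "name = value" lines on stdin.
get_param() {
    sed -n "s/^${1}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Succeed if token $2 is an exact member of the comma/space separated list $1.
has_token() {
    list=$(printf '%s' "$1" | tr ' \t' ',,' | tr -s ',')
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Print one line per deviation in config text $1; return 0 only if there are none.
audit_tls() {
    cfg=$1
    rc=0
    for p in smtpd_tls_ciphers smtpd_tls_mandatory_ciphers; do
        v=$(printf '%s\n' "$cfg" | get_param "$p")
        [ "$v" = high ] || { echo "$p is '$v', expected 'high'"; rc=1; }
    done
    protos=$(printf '%s\n' "$cfg" | get_param smtpd_tls_protocols)
    for t in '!SSLv2' '!SSLv3'; do
        has_token "$protos" "$t" || { echo "smtpd_tls_protocols lacks $t"; rc=1; }
    done
    excl=$(printf '%s\n' "$cfg" | get_param smtpd_tls_exclude_ciphers)
    for t in aNULL MD5 DES; do
        has_token "$excl" "$t" || { echo "smtpd_tls_exclude_ciphers lacks $t"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the ZCS 8.0 values listed above.
HARDENED='smtpd_tls_ciphers = high
smtpd_tls_protocols = !SSLv3,!SSLv2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL,MD5,DES'

# Constructed sample: the weaker values from this page's earlier revision.
DRIFTED='smtpd_tls_ciphers = medium
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5'

audit_tls "$DRIFTED" || echo "TLS settings have drifted; re-apply them"
```

On a live server, as the zimbra user, pass it real values with audit_tls "$(postconf smtpd_tls_ciphers smtpd_tls_mandatory_ciphers smtpd_tls_protocols smtpd_tls_exclude_ciphers)".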

Verified Against: ZCS 7.2.0
Date Created: 11/30/2013
Article ID: https://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS
Date Modified: 2015-07-12


