Postfix PCI Compliance in ZCS: Difference between revisions

No edit summary
No edit summary
 
(8 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 7.0}}|}}===Reconfigure the Postfix SSL/TLS settings===
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Postfix PCI Compilance in Zimbra Collaboration=
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{WIP}}
==Reconfigure the Postfix SSL/TLS settings==


1.  Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
===Configuring Postfix for PCI Compliance===


2. Log in as root in the command line utility. Switch to the zimbra user account.
Reference - http://www.postfix.org/TLS_README.html


  su - zimbra
====For ZCS 8.5, as the '''zimbra''' user====
  zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'


3. Type the following commands:
Within 2 minutes, zmconfigd will update postfix for you, and the system will be PCI compliant.


postconf -e smtpd_tls_ciphers=high
====For ZCS 8.0 and previous, as the '''zimbra''' user====
postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
 
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.
 
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.


  zmlocalconfig -e smtpd_tls_ciphers=high
  zmlocalconfig -e smtpd_tls_ciphers=high
  zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2
  postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
  zmlocalconfig -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
  postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
 
Reference - http://www.postfix.org/TLS_README.html
 
5.      Use 'zmmtactl restart' to restart postfix.
 


This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.8 and 7.2.0.  Using the Qualys PCI scanning tool as the reference for passing the PCI network scan.
The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that '''smtpd_tls_protocols''' and '''smtpd_tls_exclude_ciphers''' will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.


{{Article Footer|ZCS 6.0.4|11/30/2009}}
{{Article Footer|ZCS 7.2.0|11/30/2013}}


[[Category: SSL/TLS]]
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]
[[Category: ZCS 7.0]]
[[Category: ZCS 6.0]]
[[Category: ZCS 8.0]]
[[Category: ZCS 8.5]]
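Review bot: the footer still reads {{Article Footer|ZCS 7.2.0|11/30/2013}} although this revision adds a "For ZCS 8.5" procedure and the ZCS 8.0 and 8.5 categories, and the sentence naming the Qualys PCI scanning tool as the pass reference is dropped, so the new statement "the system will be PCI compliant" has no stated verification for 8.5. Suggest updating the verified-against version once the 8.5 steps have been scanned, and keeping one line on how the result was checked. The backup of /opt/zimbra/postfix/conf/main.cf is also removed while the ZCS 8.0 branch still edits it through postconf -e, so that step is worth keeping there. The new top-level heading misspells "Compliance" as "Compilance".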

Latest revision as of 20:22, 12 July 2015

Postfix PCI Compliance in Zimbra Collaboration

KB 3123, last updated on 2015-07-12





Reconfigure the Postfix SSL/TLS settings

Configuring Postfix for PCI Compliance

Reference - http://www.postfix.org/TLS_README.html

For ZCS 8.5, as the zimbra user

zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

Within 2 minutes, zmconfigd will update Postfix for you, and the system will be PCI compliant.

For ZCS 8.0 and previous, as the zimbra user

zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

The SSL/TLS settings are now reconfigured. The changes will take effect within 2 minutes. Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers must be set again after every upgrade, because there is no way to preserve them in ZCS 8.0 and previous.
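Because two of the ZCS 8.0 settings do not survive an upgrade, a repeatable check is useful. The following is an added example, not part of the original article or of Zimbra's tooling: a shell function that reads postconf-style "name = value" lines and checks them against the four values this page sets. The function name and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read `postconf`-style "name = value" lines on stdin and check
# them against the four values this page sets. Exit status = number of failures.
audit_postfix_tls() {
    awk '
    function report(good, name, why) {
        printf "%s %s (%s)\n", (good ? "ok  " : "FAIL"), name, why
        if (!good) bad++
    }
    /=/ {
        i = index($0, "=")
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        n = split("smtpd_tls_ciphers smtpd_tls_mandatory_ciphers", grade, " ")
        for (k = 1; k <= n; k++)
            report(conf[grade[k]] == "high", grade[k], "want high, got \"" conf[grade[k]] "\"")

        # Protocol list: "!name" excludes; any plain name makes it an include-only list.
        np = split(conf["smtpd_tls_protocols"], tok, /[ ,:]+/)
        for (k = 1; k <= np; k++) {
            if (tok[k] ~ /^!/) excluded[substr(tok[k], 2)] = 1
            else if (tok[k] != "") { included[tok[k]] = 1; positive++ }
        }
        split("SSLv2 SSLv3", old, " ")
        for (k = 1; k <= 2; k++)
            if ((old[k] in included) || (!positive && !(old[k] in excluded))) legacy++
        report(!legacy, "smtpd_tls_protocols", "SSLv2 and SSLv3 must be disabled, got \"" conf["smtpd_tls_protocols"] "\"")

        split(conf["smtpd_tls_exclude_ciphers"], tok, /[ ,:]+/)
        for (k in tok) have[tok[k]] = 1
        report(("aNULL" in have) && ("MD5" in have) && ("DES" in have), "smtpd_tls_exclude_ciphers", "want aNULL, MD5 and DES excluded")
        exit bad + 0
    }'
}

# Constructed samples (not captured from a real server).
HARDENED='smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols = !SSLv3,!SSLv2
smtpd_tls_exclude_ciphers = aNULL,MD5,DES'
# The two postconf-only settings back at empty values, as after an upgrade.
AFTER_UPGRADE='smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols =
smtpd_tls_exclude_ciphers ='

printf '%s\n' "$AFTER_UPGRADE" | audit_postfix_tls || echo "$? setting(s) to re-apply"
```

On a live server, as the zimbra user, pipe the output of `postconf smtpd_tls_ciphers smtpd_tls_mandatory_ciphers smtpd_tls_protocols smtpd_tls_exclude_ciphers` into the function instead of a sample.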

Verified Against: ZCS 7.2.0
Date Created: 11/30/2013
Article ID: https://wiki.zimbra.com/index.php?title=Postfix_PCI_Compliance_in_ZCS
Date Modified: 2015-07-12


