Postfix PCI Compliance in ZCS: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS | {{Article Infobox|{{admin}}|{{ZCS 6.0}}|{{ZCS 7.0}}|}}===Reconfigure the Postfix SSL/TLS settings=== | ||
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade. | 1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade. | ||
| Line 9: | Line 9: | ||
3. Type the following commands: | 3. Type the following commands: | ||
postconf -e smtpd_tls_ciphers= | postconf -e smtpd_tls_ciphers=high | ||
postconf -e smtpd_tls_protocols=\!SSLv2 | postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2 | ||
postconf -e smtpd_tls_mandatory_ciphers=high | postconf -e smtpd_tls_mandatory_ciphers=high | ||
postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES" | postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES" | ||
| Line 18: | Line 18: | ||
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config. | 4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config. | ||
zmlocalconfig -e smtpd_tls_ciphers= | zmlocalconfig -e smtpd_tls_ciphers=high | ||
zmlocalconfig -e smtpd_tls_protocols=\!SSLv2 | zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2 | ||
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high | zmlocalconfig -e smtpd_tls_mandatory_ciphers=high | ||
zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES" | zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES" | ||
| Line 28: | Line 28: | ||
This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0. | This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.8 and 7.2.0. Using the Qualys PCI scanning tool as the reference for passing the PCI network scan. | ||
{{Article Footer|ZCS 6.0.4|11/30/2009}} | {{Article Footer|ZCS 6.0.4|11/30/2009}} | ||
Revision as of 12:04, 16 August 2012
 Article Information |
|---|
| This article applies to the following ZCS versions. |
Reconfigure the Postfix SSL/TLS settings
1. Make a backup of /opt/zimbra/postfix/conf/main.cf in case you need to rollback or refer to after an upgrade.
2. Log in as root in the command line utility. Switch to the zimbra user account.
su - zimbra
3. Type the following commands:
postconf -e smtpd_tls_ciphers=high postconf -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2 postconf -e smtpd_tls_mandatory_ciphers=high postconf -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
The SSL/TLS settings are now reconfigured. The changes will take effect immediately.
4. To ensure that your changes are not overwritten by a future Zimbra upgrade, you can set them in the local config.
zmlocalconfig -e smtpd_tls_ciphers=high zmlocalconfig -e smtpd_tls_protocols=SSLv3,TLSv1,\!SSLv2 zmlocalconfig -e smtpd_tls_mandatory_ciphers=high zmlocalconfig -e smtpd_tls_exclude_ciphers="aNULL, MD5, DES"
Reference - http://www.postfix.org/TLS_README.html
5. Use 'zmmtactl restart' to restart postfix.
This was originally written for ZCS 5.0.19, and has since been updated and tested in ZCS 6.0.8 and 7.2.0. Using the Qualys PCI scanning tool as the reference for passing the PCI network scan.
