Difference between revisions of "SecureConfiguration"

Line 34: Line 34:
 
  zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
 
  zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
 
  zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
 
  zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
 +
 +
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
 +
zimbraReverseProxyImapStartTlsMode: only
  
 
3. POP3-SSL
 
3. POP3-SSL
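Review bot: the two lines added under IMAP4-SSL show only the read-back (`zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode`) and the expected result (`zimbraReverseProxyImapStartTlsMode: only`), with no command that sets the value, whereas the cleartext-login step just above pairs its `zmprov gs` with a `zmprov ms ... FALSE`. Consider adding the matching `zmprov ms` line so the step is actionable, and one sentence on what `only` enforces for IMAP clients, since the hunk states the target value without saying why it is the secure one.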
Line 39: Line 42:
 
  zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
 
  zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
 
  zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
 
  zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
 +
 +
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
 +
zimbraReverseProxyPop3StartTlsMode: only
  
 
== Secure Interprocess Communication ==
 
== Secure Interprocess Communication ==
  
Text
+
1. Make sure LDAP is supporting STARTTLS - should be set to "1":
 +
 
 +
zmlocalconfig ldap_starttls_supported
 +
 
 +
2. Require interprocess security - should be set to 1:
 +
 
 +
zmlocalconfig zimbra_require_interprocess_security
 +
 
 +
3. Require secure LDAP from mailboxd - should be set to "true":
 +
 
 +
zmlocalconfig ldap_starttls_required
 +
 
 +
References: see also [[TLS/STARTTLS_Localconfig_Values]]
 +
 
  
 
----------------------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------------------
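Review bot: the POP3 addition has the same gap as the IMAP one: it shows `zmprov gs` and the expected `zimbraReverseProxyPop3StartTlsMode: only` but no `zmprov ms` line that sets it. In the new Secure Interprocess Communication section every step reads a value (`zmlocalconfig ldap_starttls_supported`, `zmlocalconfig zimbra_require_interprocess_security`, `zmlocalconfig ldap_starttls_required`) and says what it should be, but none shows how to change it when the check fails; local config is edited with `zmlocalconfig -e key=value`, and a line to that effect per step would make the section match the set-and-verify pattern used elsewhere in the article. Minor style point: step 1 and step 3 quote the expected value (`"1"`, `"true"`) while step 2 does not (`1`); pick one form.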

Revision as of 21:25, 28 June 2014

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 8.0


Best-Practice Recommendations for a Secure Zimbra Configuration

The following recommendations describe a best-practice security configuration. They cover:

  • Requiring encrypted logins
  • Requiring secure interprocess communication

Services

The most secure option is to allow only secure methods of accessing the system; however, make these changes carefully, because every process must then be configured to connect only to upstream encrypted listeners.

1. Configure the proxy to offer only encrypted protocols

zmprov ms `zmhostname` zimbraReverseProxyMailMode https

2. Require the proxy to connect to upstream via SSL

zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE


Encrypted Logins

1. HTTPS

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE

2. IMAP4-SSL

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

3. POP3-SSL

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only

Secure Interprocess Communication

1. Make sure LDAP is supporting STARTTLS - should be set to "1":

zmlocalconfig ldap_starttls_supported

2. Require interprocess security - should be set to 1:

zmlocalconfig zimbra_require_interprocess_security

3. Require secure LDAP from mailboxd - should be set to "true":

zmlocalconfig ldap_starttls_required

References: see also TLS/STARTTLS_Localconfig_Values
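The steps under Services, Encrypted Logins and Secure Interprocess Communication are all of the form "read a setting, confirm it has the recommended value". The script below, an added example that is not part of the Zimbra wiki article, turns that checklist into a repeatable audit: it takes the captured text of `zmprov gs` and `zmlocalconfig` and reports every setting that deviates from the values recommended above. The function names, the checklist layout and the sample output are constructed for this example; it assumes `zmprov gs` prints settings as "name: value" lines and `zmlocalconfig` prints them as "name = value" lines, and it deliberately includes three non-compliant values so the mismatch path is exercised.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki article: audit captured `zmprov gs`
# and `zmlocalconfig` output against the recommended values in this article.
# Function names, the checklist and SAMPLE are constructed for illustration;
# the attribute names and target values are the ones the article lists.

# Print the value of one setting from captured output.  Handles both the
# "name: value" lines that `zmprov gs` prints and the "name = value" lines
# that `zmlocalconfig` prints (assumed formats).  Prints nothing if absent.
get_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^$2[[:space:]]*[:=][[:space:]]*//p" \
        | head -n 1 \
        | sed 's/[[:space:]]*$//'
}

# Compare one setting with its recommended value.  The comparison ignores
# case so that TRUE/true and only/ONLY count as equal.  Exit status 0 on a
# match, 1 on a mismatch or when the setting is missing from the output.
check_setting() {
    _got=$(get_value "$1" "$2")
    _g=$(printf '%s' "$_got" | tr '[:lower:]' '[:upper:]')
    _w=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    if [ -n "$_got" ] && [ "$_g" = "$_w" ]; then
        printf 'OK        %s = %s\n' "$2" "$_got"
        return 0
    fi
    printf 'MISMATCH  %s: got "%s", want "%s"\n' "$2" "${_got:-<unset>}" "$3"
    return 1
}

# Checklist: setting name and recommended value, one pair per line.
CHECKS='zimbraReverseProxyMailMode https
zimbraReverseProxySSLToUpstreamEnabled TRUE
zimbraMailClearTextPasswordEnabled FALSE
zimbraImapCleartextLoginEnabled FALSE
zimbraReverseProxyImapStartTlsMode only
zimbraPop3CleartextLoginEnabled FALSE
zimbraReverseProxyPop3StartTlsMode only
ldap_starttls_supported 1
zimbra_require_interprocess_security 1
ldap_starttls_required true'

# Run the whole checklist against captured output.  Per-setting results go
# to stderr; the number of mismatches is printed to stdout so a caller or a
# monitoring job can act on it.  The here-document keeps the loop in the
# current shell, so the counter survives the loop.
count_mismatches() {
    _n=0
    while read -r _name _want; do
        [ -n "$_name" ] || continue
        check_setting "$1" "$_name" "$_want" >&2 || _n=$((_n + 1))
    done <<EOF
$CHECKS
EOF
    echo "$_n"
}

# Constructed sample standing in for the combined output of
#   zmprov gs `zmhostname` <attribute...>    and    zmlocalconfig <key...>
# Three settings deliberately deviate from the recommendations.
SAMPLE='# name mail.example.com
zimbraReverseProxyMailMode: both
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: on
ldap_starttls_supported = 1
zimbra_require_interprocess_security = 1
ldap_starttls_required = true'

# Stand-alone run: prints each check to stderr, then the mismatch count.
count_mismatches "$SAMPLE"
```

On a real server, run it as the zimbra user and replace `SAMPLE` with live output, for example `count_mismatches "$(zmprov gs \`zmhostname\` zimbraReverseProxyMailMode zimbraImapCleartextLoginEnabled ...; zmlocalconfig ldap_starttls_supported zimbra_require_interprocess_security ldap_starttls_required)"`; both commands accept several names in one call. A missing setting is reported as a mismatch rather than silently passing, which is the behaviour you want from a hardening check.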



Verified Against: ZCS 8.0
Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration
Date Modified: 2014-06-28


