SecureConfiguration: Difference between revisions

No edit summary
(→‎Undesirable Content: add docm and rar)
(24 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{ZC}}{{Article Infobox|{{admin}}||{{ZCS 8.0}}|}}
{{BC|Certified}}
 
__FORCETOC__
<div class="col-md-12 ibox-content">
= Best-Practice Recommendations for a Secure Zimbra Configuration =
= Best-Practice Recommendations for a Secure Zimbra Configuration =
{{KB|{{ZC}}|{{ZCS 8.0}}||}}
{{WIP}}


The following recommendations are provided to ensure a best-practice security configuration. This includes the following:
The following recommendations are provided to ensure a best-practice security configuration. This includes the following:


* Run services only on secure channels
* Require encrypted logins
* Require encrypted logins
* Requiring secure interprocess communications
* Requiring secure interprocess communications
* Use end-to-end encryption with S/MIME
== Firewall ==
* Configure your firewall to allow '''only''' required [[Ports]].
* Restrict SSH and admin access via a VPN or known IP addresses only.
* Configure SSH to use [https://en.wikipedia.org/wiki/Two-factor_authentication two factor authentication].  References:
** https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
** https://sysconfig.org.uk/two-factor-authentication-with-ssh.html
== SSL Certificates ==
1. Be sure to have properly configure SSL Certificates. Follow these references:
* [[Administration_Console_and_CLI_Certificate_Tools]]
* [[SSL_certificates_per_domain]]
2. If possible, use only Commercial CA-Signed Certs
== Secure Interprocess Communication ==
1. Make sure LDAP is supporting STARTTLS - should be set to "1":
zmlocalconfig ldap_starttls_supported
zmlocalconfig -e ldap_starttls_supported=1
2. Require interprocess security - should be set to 1:
zmlocalconfig zimbra_require_interprocess_security
zmlocalconfig -e zimbra_require_interprocess_security=1
3. Require secure LDAP from mailboxd - should be set to "true":
zmlocalconfig ldap_starttls_required
zmlocalconfig -e ldap_starttls_required=true
References: [[TLS/STARTTLS_Localconfig_Values]]


== Services ==
== Services ==
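Review bot: the new SSL Certificates step 1 reads "Be sure to have properly configure SSL Certificates" (should be "configured"), and the new intro list mixes imperative and gerund forms ("Require encrypted logins" next to "Requiring secure interprocess communications"); suggest aligning them all on the imperative. The added Secure Interprocess Communication steps follow a consistent check-then-set pattern (`zmlocalconfig ldap_starttls_supported` / `zmlocalconfig -e ldap_starttls_supported=1`), which the later sections should mirror.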
Line 12: Line 52:
Most secure is to only allow secure methods of accessing the system; however, be careful in making these changes, as all processes need to be configured to connect only to upstream encrypted listeners.
Most secure is to only allow secure methods of accessing the system; however, be careful in making these changes, as all processes need to be configured to connect only to upstream encrypted listeners.


1. Configure the proxy to only offer encrypted protocols
1. Configure the proxy to offer only encrypted HTTPS protocols (run this on every proxy):


zmprov gs `zmhostname` zimbraReverseProxyMailMode
  zmprov ms `zmhostname` zimbraReverseProxyMailMode https
  zmprov ms `zmhostname` zimbraReverseProxyMailMode https


2. Require Proxy to connect to upstream via SSL  
Note: it is possible to use "redirect" here, which will redirect HTTP requests to HTTPS using a "302 Redirect" response code. Please note, however, that some clients (such as ActiveSync devices) will not honor a 302 Redirect, and may try to pass unencrypted login information. It is recommended to use only https here for highest security.
 
2. Configure the mailstore to offer only encrypted HTTPS procotol:
 
zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https
 
3. Require Proxy to connect to upstream via SSL  


zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
  zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE
  zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE


zimbraReverseProxyImapStartTlsMode
== Encrypted Authentication ==


All authentication must be done over TLS/SSL.  Restart services after making these changes.


== Encrypted Logins ==
=== HTTP ===
 
1. HTTPS


  zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
  zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
  zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE
  zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE # if not already


2. IMAP4-SSL
=== IMAP4 ===


  zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
  zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
  zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
  zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already


3. POP3-SSL
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only
 
=== POP3 ===


  zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
  zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
  zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
  zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE # if not already


== Secure Interprocess Communication ==
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only
 
=== SMTP ===
 
zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already
 
Use opportunistic outbound STARTTLS.  If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
 
zmlocalconfig postfix_smtp_tls_security_level
zmlocalconfig -e postfix_smtp_tls_security_level=may # if not already
 
Use opportunistic inbound STARTTLS.  If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
 
zmprov gs `zmhostname` zimbraMtaTlsSecurityLevel
zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may
 
== External LDAP Authentication ==
 
When using external LDAP authentication, check the following settings on domains and servers and ensure TLS is used during auth:
 
zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE
 
== End-to-End Encryption ==
 
1. Use [[SMIME_Certificates|S/MIME]]
 
2. As an Open Source alternative, use the [https://www.zimbra.org/extend/items/view/zimbra-openpgp-zimlet Zimbra OpenPGP Zimlet] by Barry de Graaff
 
3. Use a 3rd party client like [https://www.mozilla.org/en-US/thunderbird/ Thunderbird] with [https://www.enigmail.net/ Enigmail].


Text
== Undesirable Content ==
Avoid letting undesirable content into the ZCS platform altogether by:
# Setting/Tuning [[Anti-spam Strategies]]
# Consider also setting '''zimbraMtaBlockedExtension''' to reject email with specific types of attachments. For example (using bash expansion for brevity):
# add/remove file name extensions as makes sense in your environment
zmprov "+zimbraMtaBlockedExtension "{bat,cmd,docm,exe,js,lnk,ocx,rar,vbs,vbx}
# optionally, warn the recipient about the blocked message
zimbraVirusWarnRecipient TRUE
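Review bot: the Undesirable Content example at the end of the hunk passes no zmprov subcommand, and the brace expansion `zmprov "+zimbraMtaBlockedExtension "{bat,cmd,...}` yields arguments like `+zimbraMtaBlockedExtension bat` as single words (the space is inside the quoted prefix), so zmprov would not parse attribute and value separately; `zimbraVirusWarnRecipient TRUE` is likewise a bare attribute. Suggest `zmprov mcf +zimbraMtaBlockedExtension bat` per extension (or a loop over the list) and `zmprov mcf zimbraVirusWarnRecipient TRUE`. Separately, the IMAP4 and POP3 blocks show only the expected output `zimbraReverseProxyImapStartTlsMode: only` / `zimbraReverseProxyPop3StartTlsMode: only` without the `zmprov ms` line that sets it, unlike the neighbouring cleartext-login steps, and the stray `zimbraReverseProxyImapStartTlsMode` line just before `== Encrypted Authentication ==` looks like a leftover from the move.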



Revision as of 01:38, 1 April 2016

Best-Practice Recommendations for a Secure Zimbra Configuration

KB 21032. Last updated on 2016-04-01.






The following recommendations are provided to ensure a best-practice security configuration. This includes the following:

  • Run services only on secure channels
  • Require encrypted logins
  • Require secure interprocess communication
  • Use end-to-end encryption with S/MIME

Firewall

  • Configure your firewall to allow only required Ports.
  • Restrict SSH and admin access via a VPN or known IP addresses only.
  • Configure SSH to use two factor authentication. References:
    https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
    https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

SSL Certificates

1. Be sure to have properly configured SSL certificates. Follow these references: Administration_Console_and_CLI_Certificate_Tools, SSL_certificates_per_domain

2. If possible, use only commercial CA-signed certificates.

Secure Interprocess Communication

1. Make sure LDAP supports STARTTLS (ldap_starttls_supported should be set to "1"):

zmlocalconfig ldap_starttls_supported
zmlocalconfig -e ldap_starttls_supported=1

2. Require interprocess security (zimbra_require_interprocess_security should be set to "1"):

zmlocalconfig zimbra_require_interprocess_security
zmlocalconfig -e zimbra_require_interprocess_security=1

3. Require secure LDAP from mailboxd (ldap_starttls_required should be set to "true"):

zmlocalconfig ldap_starttls_required
zmlocalconfig -e ldap_starttls_required=true

References: TLS/STARTTLS_Localconfig_Values

Services

The most secure configuration allows only encrypted methods of accessing the system; however, be careful when making these changes, as every process must be configured to connect only to upstream encrypted listeners.

1. Configure the proxy to offer only encrypted HTTPS protocols (run this on every proxy):

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

Note: it is possible to use "redirect" here, which will redirect HTTP requests to HTTPS using a "302 Redirect" response code. Please note, however, that some clients (such as ActiveSync devices) will not honor a 302 Redirect, and may try to pass unencrypted login information. It is recommended to use only https here for highest security.

2. Configure the mailstore to offer only the encrypted HTTPS protocol:

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

3. Require Proxy to connect to upstream via SSL

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Encrypted Authentication

All authentication must be done over TLS/SSL. Restart services after making these changes.

HTTP

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE # if not already

IMAP4

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode # expected output: zimbraReverseProxyImapStartTlsMode: only
zmprov ms `zmhostname` zimbraReverseProxyImapStartTlsMode only # if not already

POP3

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE # if not already
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode # expected output: zimbraReverseProxyPop3StartTlsMode: only
zmprov ms `zmhostname` zimbraReverseProxyPop3StartTlsMode only # if not already

SMTP

zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already

Use opportunistic outbound STARTTLS. If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:

zmlocalconfig postfix_smtp_tls_security_level
zmlocalconfig -e postfix_smtp_tls_security_level=may # if not already

Use opportunistic inbound STARTTLS. If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:

zmprov gs `zmhostname` zimbraMtaTlsSecurityLevel
zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may

External LDAP Authentication

When using external LDAP authentication, check the following settings on domains and servers and ensure TLS is used during auth:

zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE
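As an added check that is not part of this wiki page, the POSIX shell script below audits `zmprov gs` output against the values recommended in the Services, Encrypted Authentication and External LDAP Authentication sections above. The audit_zmprov function and the sample output are constructed here; it assumes zmprov prints attributes as `attr: value` lines, as the examples above show.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): audit `zmprov gs` output against
# the encrypted-transport values recommended on this page.

# Expected values, one "attr value" per line, taken from the recommendations.
EXPECTED='zimbraReverseProxyMailMode https
zimbraMailMode https
zimbraReverseProxySSLToUpstreamEnabled TRUE
zimbraMailClearTextPasswordEnabled FALSE
zimbraImapCleartextLoginEnabled FALSE
zimbraReverseProxyImapStartTlsMode only
zimbraPop3CleartextLoginEnabled FALSE
zimbraReverseProxyPop3StartTlsMode only
zimbraMtaTlsAuthOnly TRUE
zimbraMtaTlsSecurityLevel may
zimbraAuthLdapStartTlsEnabled TRUE'

# audit_zmprov: reads zmprov "attr: value" lines on stdin, prints one line per
# deviation ("attr expected=X actual=Y"), returns 0 when compliant, 1 otherwise.
# An attribute absent from the input is reported as actual=<unset>.
audit_zmprov() {
    input=$(cat)
    deviations=$(printf '%s\n' "$EXPECTED" | while read -r attr want; do
        have=$(printf '%s\n' "$input" | sed -n "s/^$attr: //p" | head -n 1)
        [ -n "$have" ] || have='<unset>'
        [ "$have" = "$want" ] || printf '%s expected=%s actual=%s\n' "$attr" "$want" "$have"
    done)
    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# Constructed sample (not real server output): the proxy still redirects HTTP,
# IMAP cleartext logins are enabled, and the LDAP STARTTLS attribute is missing.
SAMPLE='zimbraReverseProxyMailMode: redirect
zimbraMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: only
zimbraMtaTlsAuthOnly: TRUE
zimbraMtaTlsSecurityLevel: may'

# On a real server, replace the sample with:
#   zmprov gs `zmhostname` $(printf '%s\n' "$EXPECTED" | cut -d' ' -f1) | audit_zmprov
printf '%s\n' "$SAMPLE" | audit_zmprov || echo "audit: server deviates from the recommended values"
```

The sample run reports three deviations (proxy mail mode, IMAP cleartext login, missing zimbraAuthLdapStartTlsEnabled); a fully compliant server prints nothing and the function returns 0.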

End-to-End Encryption

1. Use S/MIME

2. As an Open Source alternative, use the Zimbra OpenPGP Zimlet by Barry de Graaff

3. Use a third-party client like Thunderbird with Enigmail.

Undesirable Content

Avoid letting undesirable content into the ZCS platform altogether by:

  1. Setting/Tuning Anti-spam Strategies
  2. Consider also setting zimbraMtaBlockedExtension to reject email with specific types of attachments. For example (using bash brace expansion for brevity):
# add/remove file name extensions as makes sense in your environment
# zimbraMtaBlockedExtension is multi-valued global config: "+" appends each value;
# the printf/command substitution turns the brace expansion into separate
# "+zimbraMtaBlockedExtension <ext>" argument pairs
zmprov mcf $(printf '+zimbraMtaBlockedExtension %s ' {bat,cmd,docm,exe,js,lnk,ocx,rar,vbs,vbx})
# optionally, warn the recipient about the blocked message
zmprov mcf zimbraVirusWarnRecipient TRUE

Verified Against: ZCS 8.0 Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration Date Modified: 2016-04-01


