Latest revision as of 08:47, 6 January 2022
Best-Practice Recommendations for a Secure Zimbra Configuration
Please also read: https://wiki.zimbra.com/wiki/Cipher_suites
The following recommendations are provided to ensure a best-practice security configuration. This includes the following:
- Run services only on secure channels
- Require encrypted logins
- Require secure interprocess communications
- Use end-to-end encryption with S/MIME
Firewall
- Configure your firewall to allow only required Ports.
- Restrict SSH and admin access via a VPN or known IP addresses only.
- Configure SSH to use two-factor authentication. References:
  - https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
  - https://sysconfig.org.uk/two-factor-authentication-with-ssh.html
SSL Certificates
1. Be sure to have properly configured SSL certificates. Follow these references:
   - Administration Console and CLI Certificate Tools
   - SSL certificates per domain
2. If possible, use only commercial CA-signed certificates.
Secure Interprocess Communication
1. Make sure LDAP supports STARTTLS - should be set to "1":
    zmlocalconfig ldap_starttls_supported
    zmlocalconfig -e ldap_starttls_supported=1
2. Require interprocess security - should be set to 1:
    zmlocalconfig zimbra_require_interprocess_security
    zmlocalconfig -e zimbra_require_interprocess_security=1
3. Require secure LDAP from mailboxd - should be set to "true":
    zmlocalconfig ldap_starttls_required
    zmlocalconfig -e ldap_starttls_required=true
References: TLS/STARTTLS_Localconfig_Values
Services
Most secure is to only allow secure methods of accessing the system; however, be careful in making these changes, as all processes need to be configured to connect only to upstream encrypted listeners.
1. Configure the proxy to offer only encrypted HTTPS protocols (run this on every proxy):
    zmprov gs `zmhostname` zimbraReverseProxyMailMode
    zmprov ms `zmhostname` zimbraReverseProxyMailMode https
Note: it is possible to use "redirect" here, which will redirect HTTP requests to HTTPS using a "302 Redirect" response code. Please note, however, that some clients (such as ActiveSync devices) will not honor a 302 Redirect, and may try to pass unencrypted login information. It is recommended to use only https here for highest security.
2. Configure the mailstore to offer only the encrypted HTTPS protocol:
    zmprov gs `zmhostname` zimbraMailMode
    zmprov ms `zmhostname` zimbraMailMode https
3. Require the proxy to connect to upstream via SSL:
    zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
    zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE
Encrypted Authentication
All authentication must be done over TLS/SSL. Restart services after making these changes.
HTTP
    zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
    zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE # if not already
IMAP4
    zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
    zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already
Checking the proxy's IMAP STARTTLS mode:
    zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
should report:
    zimbraReverseProxyImapStartTlsMode: only
POP3
    zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
    zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE # if not already
Checking the proxy's POP3 STARTTLS mode:
    zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
should report:
    zimbraReverseProxyPop3StartTlsMode: only
SMTP
    zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
    zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already
Use opportunistic outbound STARTTLS. If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
    zmlocalconfig postfix_smtp_tls_security_level
    zmlocalconfig -e postfix_smtp_tls_security_level=may # if not already
Use opportunistic inbound STARTTLS. If not already, set to use "may". Note that it is not usually possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
    zmprov gs `zmhostname` zimbraMtaTlsSecurityLevel
    zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may
External LDAP Authentication
When using external LDAP authentication, check the following settings on domains and servers and ensure TLS is used during auth:
    zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
should report:
    zimbraAuthLdapStartTlsEnabled: TRUE
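The server-level attributes from the Services, Encrypted Authentication and External LDAP Authentication sections above can be verified in one pass rather than one `zmprov gs` at a time. The script below is an added example, not part of the Zimbra wiki page; it assumes the usual one-`attr: value`-per-line output of `zmprov gs`, and the function names, the `mail.example.com` host and the sample output are constructed for the example (the localconfig keys are not covered).

```shell
# Added audit helper (not from the Zimbra wiki): compare the "attr: value"
# lines that `zmprov gs` prints with the hardened values this page recommends.
# On a server:  zmprov gs "$(zmhostname)" | audit_server_output

# Recommended server-level values from this page, as attr=value pairs.
EXPECTED='zimbraReverseProxyMailMode=https zimbraMailMode=https
zimbraReverseProxySSLToUpstreamEnabled=TRUE zimbraMailClearTextPasswordEnabled=FALSE
zimbraImapCleartextLoginEnabled=FALSE zimbraReverseProxyImapStartTlsMode=only
zimbraPop3CleartextLoginEnabled=FALSE zimbraReverseProxyPop3StartTlsMode=only
zimbraMtaTlsAuthOnly=TRUE zimbraMtaTlsSecurityLevel=may zimbraAuthLdapStartTlsEnabled=TRUE'

# attr_value <attr>: print the first value of <attr> from the "attr: value"
# lines on stdin; prints nothing when the attribute is not set at all.
attr_value() {
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# audit_server_output: read captured `zmprov gs` output on stdin, print one
# OK / BAD / MISSING line per recommended attribute, and succeed (exit 0)
# only when every attribute already has its recommended value.
audit_server_output() {
    local out pair attr want got bad=0
    out=$(cat)
    for pair in $EXPECTED; do
        attr=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$out" | attr_value "$attr")
        if [ -z "$got" ]; then
            echo "MISSING $attr (expected $want)"; bad=$((bad + 1))
        elif [ "$got" = "$want" ]; then
            echo "OK      $attr = $got"
        else
            echo "BAD     $attr = $got (expected $want)"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}
# Constructed sample (not real server output): the proxy still serves plain
# HTTP, IMAP cleartext logins are still on, and the two MTA attributes are unset.
SAMPLE='# name mail.example.com
zimbraReverseProxyMailMode: both
zimbraMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: only
zimbraAuthLdapStartTlsEnabled: TRUE'
printf '%s\n' "$SAMPLE" | audit_server_output || echo "server is NOT fully compliant"
```

A non-zero exit from `audit_server_output` is what a cron job or configuration-management check would key on; the per-attribute lines tell you which `zmprov ms` command from the sections above still needs to be run.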
End-to-End Encryption
1. Use S/MIME
2. As an Open Source alternative, use the Zimbra OpenPGP Zimlet by Barry de Graaff
3. Use a third-party client such as Thunderbird with Enigmail.
Undesirable Content
Avoid letting undesirable content into the ZCS platform altogether by:
- Setting/Tuning Anti-spam Strategies
- Consider also setting zimbraMtaBlockedExtension to reject email with specific types of attachments. For example (using bash expansion for brevity):
    # add/remove file name extensions as makes sense in your environment
    # (each extension must reach zmprov as its own "+zimbraMtaBlockedExtension <ext>" pair)
    zmprov mcf $(printf '+zimbraMtaBlockedExtension %s ' {bat,cmd,docm,exe,js,lnk,ocx,rar,vbs,vbx})
    # optionally, warn the recipient about the blocked message
    zmprov mcf zimbraVirusWarnRecipient TRUE