SecureConfiguration

Revision as of 21:27, 28 June 2014

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 8.0


Best-Practice Recommendations for a Secure Zimbra Configuration

The following recommendations are provided to ensure a best-practice security configuration. They cover:

  • Offering only encrypted service endpoints (proxy and mailstore)
  • Requiring encrypted logins
  • Requiring secure interprocess communication

Services

The most secure configuration is to allow only encrypted methods of accessing the system. Be careful when making these changes, because every process that talks to the mailstore must be configured to connect only to the upstream encrypted listeners, and the proxy and mailboxd must be restarted (zmproxyctl restart, zmmailboxdctl restart) before the new modes take effect. Note that mode "https" offers no HTTP listener at all, so a browser that opens a plain http:// URL simply fails to connect; if you want plain HTTP answered with a redirect to HTTPS instead, use mode "redirect" on the proxy.

1. Configure the proxy to offer only the encrypted HTTPS protocol (run this on every proxy):

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

2. Configure the mailstore to offer only the encrypted HTTPS protocol (run this on every mailstore):

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

3. Require the proxy to connect to its upstream mailstores via SSL:

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Encrypted Logins

1. HTTPS: refuse passwords sent over plain HTTP (web client and SOAP logins):

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE

2. IMAP4-SSL: refuse cleartext IMAP logins on the mailstore, and make the proxy require STARTTLS before any login on the cleartext IMAP port; the proxy attribute should read "only":

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE

zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

3. POP3-SSL: refuse cleartext POP3 logins on the mailstore, and make the proxy require STLS before any login on the cleartext POP3 port; the proxy attribute should read "only":

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only
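Setting these attributes is only half the job; you also want to see the refusal from the outside, the way a client (or an attacker on the network path) would. The following script is an added example and is not part of the Zimbra article or of ZCS: it connects in the clear to the proxy's IMAP and POP3 ports, checks the capability replies for STARTTLS plus LOGINDISABLED (IMAP, RFC 2595) and for STLS plus a refused USER (POP3), and confirms that nothing listens on port 80 once zimbraReverseProxyMailMode is https. The hostname, the probe user name and the sample transcripts are constructed for illustration, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added verification script; it is not part of the Zimbra wiki article or of ZCS.
# Once the attributes above are set, it checks from a client's point of view that the
# proxy's cleartext IMAP (143) and POP3 (110) listeners refuse to authenticate before
# STARTTLS/STLS and that no plain HTTP listener is left on port 80 (mode "https").
# Assumes bash (for /dev/tcp) and coreutils timeout. Usage: ./check_logins.sh <proxy-host>
# Without a host argument it exercises the checks on constructed sample transcripts.

# True if something accepts TCP connections on host:port.
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Connect in the clear, send each remaining argument as one command line, and print
# everything the server answered (greeting included).
probe_plain() {
  local host=$1 port=$2 cmd
  shift 2
  {
    for cmd in "$@"; do
      sleep 1                       # let the greeting / previous reply arrive first
      printf '%s\r\n' "$cmd" >&3
    done
    sleep 1
    timeout 3 cat <&3 || true       # drain replies; timeout ends the blocking read
  } 3<>"/dev/tcp/$host/$port" 2>/dev/null
}

# IMAP: RFC 2595 says a server that refuses cleartext LOGIN advertises LOGINDISABLED
# next to STARTTLS. Returns 0 when the CAPABILITY reply shows both.
imap_cleartext_login_blocked() {
  printf '%s\n' "$1" | grep -q 'STARTTLS'      || return 1
  printf '%s\n' "$1" | grep -q 'LOGINDISABLED' || return 1
}

# POP3 has no LOGINDISABLED: the proof is that STLS is offered and that a USER sent
# before STLS is answered with -ERR, not +OK. The transcript must end with the reply
# to USER (greeting, CAPA reply, USER reply), so its last status line is USER's.
pop3_cleartext_login_blocked() {
  local last
  printf '%s\n' "$1" | grep -q '^STLS' || return 1
  last=$(printf '%s\n' "$1" | grep -E '^(\+OK|-ERR)' | tail -n 1)
  case $last in
    -ERR*) return 0 ;;
    *)     return 1 ;;
  esac
}

# Run all three checks against a live proxy; returns 0 only if everything is hardened.
verify_host() {
  local host=$1 status=0 t
  if port_open "$host" 80; then
    echo "FAIL  $host:80 accepts connections (expected none with zimbraReverseProxyMailMode https)"
    status=1
  else
    echo "OK    $host:80 does not accept connections"
  fi
  t=$(probe_plain "$host" 143 'a1 CAPABILITY' 'a2 LOGOUT')
  if imap_cleartext_login_blocked "$t"; then
    echo "OK    $host:143 advertises STARTTLS and LOGINDISABLED"
  else
    echo "FAIL  $host:143 would accept a cleartext LOGIN (or did not answer)"; status=1
  fi
  t=$(probe_plain "$host" 110 'CAPA' 'USER probe' 'QUIT')
  if pop3_cleartext_login_blocked "$t"; then
    echo "OK    $host:110 refuses USER before STLS"
  else
    echo "FAIL  $host:110 accepts USER in the clear (or did not answer)"; status=1
  fi
  return $status
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_IMAP_HARDENED=$(printf '* OK IMAP4 ready\r\n* CAPABILITY IMAP4 IMAP4rev1 UIDPLUS IDLE STARTTLS LOGINDISABLED\r\na1 OK CAPABILITY completed\r\n')
SAMPLE_IMAP_WEAK=$(printf '* OK IMAP4 ready\r\n* CAPABILITY IMAP4 IMAP4rev1 UIDPLUS IDLE STARTTLS AUTH=PLAIN\r\na1 OK CAPABILITY completed\r\n')
SAMPLE_POP3_HARDENED=$(printf '+OK POP3 ready\r\n+OK Capability list follows\r\nTOP\r\nSTLS\r\n.\r\n-ERR STLS required before USER\r\n')
SAMPLE_POP3_WEAK=$(printf '+OK POP3 ready\r\n+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n+OK name is a valid mailbox\r\n')

if [ $# -ge 1 ]; then
  verify_host "$1"
else
  echo "no host given; checking the constructed samples"
  imap_cleartext_login_blocked "$SAMPLE_IMAP_HARDENED" && echo "hardened IMAP sample: cleartext LOGIN blocked"
  imap_cleartext_login_blocked "$SAMPLE_IMAP_WEAK"     || echo "weak IMAP sample: cleartext LOGIN possible"
  pop3_cleartext_login_blocked "$SAMPLE_POP3_HARDENED" && echo "hardened POP3 sample: USER refused before STLS"
  pop3_cleartext_login_blocked "$SAMPLE_POP3_WEAK"     || echo "weak POP3 sample: USER accepted in the clear"
fi
```

The IMAP verdict deliberately rests on LOGINDISABLED rather than on the outcome of a LOGIN attempt: a LOGIN with a bogus password is refused on an insecure server too, so it proves nothing, whereas LOGINDISABLED is what a compliant server advertises when it will not take a password in the clear. Run the script against each proxy after the restart; a FAIL on port 80 is expected only if you chose mode "redirect" instead of "https".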

Secure Interprocess Communication

These are local config values: read them with zmlocalconfig <key> (the output has the form "key = value") and change them with zmlocalconfig -e <key>=<value>; a change takes effect after the affected service is restarted.

1. Make sure LDAP supports STARTTLS; should be set to "1":

zmlocalconfig ldap_starttls_supported

2. Require interprocess security; should be set to "1":

zmlocalconfig zimbra_require_interprocess_security

3. Require secure LDAP (STARTTLS) from mailboxd; should be set to "true":

zmlocalconfig ldap_starttls_required
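To check a host against everything on this page in one pass (the Services, Encrypted Logins and Secure Interprocess Communication settings), here is an added audit script; it is not from the Zimbra article or from ZCS. It parses the output of zmprov gs and zmlocalconfig, compares each value with the one recommended above and prints the zmprov ms or zmlocalconfig -e command for every deviation. The sample output it falls back to when zmprov is not installed is constructed for illustration, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added audit script; it is not part of the Zimbra wiki article or of ZCS itself.
# It compares the settings this article lists (Services, Encrypted Logins, Secure
# Interprocess Communication) with the recommended values and prints the zmprov or
# zmlocalconfig command that would fix each deviation. Run it as the zimbra user on
# every proxy and mailstore; without zmprov/zmlocalconfig it audits a constructed
# sample instead, so it can be tried anywhere.

# Recommended values, taken from the article: "<tool> <key> <expected>" per line.
# tool "gs" = server attribute (zmprov gs / zmprov ms), "lc" = local config value.
EXPECTED='
gs zimbraReverseProxyMailMode https
gs zimbraMailMode https
gs zimbraReverseProxySSLToUpstreamEnabled TRUE
gs zimbraMailClearTextPasswordEnabled FALSE
gs zimbraImapCleartextLoginEnabled FALSE
gs zimbraReverseProxyImapStartTlsMode only
gs zimbraPop3CleartextLoginEnabled FALSE
gs zimbraReverseProxyPop3StartTlsMode only
lc ldap_starttls_supported 1
lc zimbra_require_interprocess_security 1
lc ldap_starttls_required true
'

# Value of <key> in "zmprov gs" output, whose lines look like "key: value".
zmprov_value() {
  printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# Value of <key> in "zmlocalconfig" output, whose lines look like "key = value".
localconfig_value() {
  printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | head -n 1
}

# Compare one setting with its recommended value (case-insensitively, since zmprov
# accepts TRUE and true). Prints a verdict and returns 0 if compliant, 1 if not.
check_setting() {
  local tool=$1 key=$2 expected=$3 current=$4 fix
  if [ "$(printf '%s' "$current" | tr 'A-Z' 'a-z')" = \
       "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
    printf 'OK   %s = %s\n' "$key" "$current"
    return 0
  fi
  if [ "$tool" = gs ]; then
    fix="zmprov ms \`zmhostname\` $key $expected"
  else
    fix="zmlocalconfig -e $key=$expected"
  fi
  printf 'FIX  %s = %s (expected %s): %s\n' "$key" "${current:-<unset>}" "$expected" "$fix"
  return 1
}

# Audit captured output of "zmprov gs `zmhostname`" and of zmlocalconfig.
# Returns the number of settings that deviate from the recommendation.
audit() {
  local gs_out=$1 lc_out=$2 failures=0 tool key expected current
  while read -r tool key expected; do
    [ -z "$tool" ] && continue
    if [ "$tool" = gs ]; then
      current=$(zmprov_value "$gs_out" "$key")
    else
      current=$(localconfig_value "$lc_out" "$key")
    fi
    check_setting "$tool" "$key" "$expected" "$current" || failures=$((failures + 1))
  done <<EOF
$EXPECTED
EOF
  return "$failures"
}

# Constructed sample output (not captured from a real server): a host that still
# allows cleartext IMAP logins and only offers, rather than requires, POP3 STARTTLS.
SAMPLE_GS='# name mail.example.com
zimbraReverseProxyMailMode: https
zimbraMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: on'
SAMPLE_LC='ldap_starttls_supported = 1
zimbra_require_interprocess_security = 1
ldap_starttls_required = true'

if command -v zmprov >/dev/null 2>&1 && command -v zmlocalconfig >/dev/null 2>&1; then
  GS_OUT=$(zmprov gs "$(zmhostname)")
  LC_OUT=$(zmlocalconfig ldap_starttls_supported zimbra_require_interprocess_security ldap_starttls_required)
else
  echo "zmprov not found; auditing the constructed sample output"
  GS_OUT=$SAMPLE_GS
  LC_OUT=$SAMPLE_LC
fi
if audit "$GS_OUT" "$LC_OUT"; then
  echo "all settings compliant"
else
  echo "$? setting(s) need attention"
fi
```

On the constructed sample the script flags two settings (zimbraImapCleartextLoginEnabled is TRUE, zimbraReverseProxyPop3StartTlsMode is "on" rather than "only") and prints the exact zmprov ms line for each. The exit status of audit is the number of deviations, so the script drops straight into a cron job or a configuration-management check; remember that the settings it reports on are per server, so it has to run on every proxy and mailstore, not just one.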

References: see also TLS/STARTTLS_Localconfig_Values



Verified Against: ZCS 8.0
Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration
Date Modified: 2014-06-28


