Difference between revisions of "SecureConfiguration"
Revision as of 14:54, 5 February 2016

Best-Practice Recommendations for a Secure Zimbra Configuration

   KB 21032        Last updated on 2016-02-05

The following recommendations are provided to ensure a best-practice security configuration. They cover the following:

  • Run services only on secure channels
  • Require encrypted logins
  • Require secure interprocess communication
  • Use end-to-end encryption with S/MIME

SSL Certificates

1. Be sure that SSL certificates are properly configured

References: see these pages:

2. If possible, use only commercial CA-signed certificates rather than the self-signed certificate installed by default

Services

The most secure configuration allows only encrypted methods of accessing the system; however, be careful when making these changes, because every process must then be configured to connect only to the encrypted upstream listeners.

1. Configure the proxy to offer only encrypted HTTPS protocols (run this on every proxy):

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

Note: it is also possible to use "redirect" here, which answers HTTP requests with a 302 redirect to HTTPS. Some clients (such as ActiveSync devices) do not honor a 302 redirect, however, and may send their login credentials over the unencrypted connection anyway. For highest security use only https here.

2. Configure the mailstore to offer only the encrypted HTTPS protocol:

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

3. Require Proxy to connect to upstream via SSL

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Encrypted Logins

1. HTTPS

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE

2. IMAP4-SSL

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode

The StartTLS mode should report "only", which makes the proxy require STARTTLS on the cleartext IMAP port before it accepts a login; if it reports "on" or "off", set it to "only" with zmprov ms as above:

zimbraReverseProxyImapStartTlsMode: only

3. POP3-SSL

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode

The StartTLS mode should report "only", which makes the proxy require STARTTLS on the cleartext POP3 port before it accepts a login; if it reports "on" or "off", set it to "only" with zmprov ms as above:

zimbraReverseProxyPop3StartTlsMode: only

Secure Interprocess Communication

1. Make sure LDAP is supporting STARTTLS - should be set to "1":

zmlocalconfig ldap_starttls_supported
zmlocalconfig -e ldap_starttls_supported=1

2. Require interprocess security - should be set to 1:

zmlocalconfig zimbra_require_interprocess_security
zmlocalconfig -e zimbra_require_interprocess_security=1

3. Require secure LDAP from mailboxd - should be set to "true":

zmlocalconfig ldap_starttls_required
zmlocalconfig -e ldap_starttls_required=true

Note: localconfig values are read at startup, so these changes take effect only after the affected services are restarted.

References: see also TLS/STARTTLS_Localconfig_Values
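The following script is an added example, not part of this wiki article or of Zimbra itself. It audits the server attributes and localconfig keys from the Services, Encrypted Logins and Secure Interprocess Communication sections against the hardened values given above and prints the zmprov or zmlocalconfig command that corrects each deviation. The command output embedded in it is constructed for the example; the parser assumes the real output shapes, "attr: value" from zmprov gs and "key = value" from zmlocalconfig.

```shell
#!/bin/bash
# Added example, not from the Zimbra wiki: audit the settings from the
# Services, Encrypted Logins and Secure Interprocess Communication sections
# against their hardened values and print the command that fixes each
# deviation. The comparison works on command output text, so it can be
# exercised without a Zimbra host; audit_live runs the real commands.

# Hardened values, one "key=value" per line.
ZMPROV_EXPECTED='zimbraReverseProxyMailMode=https
zimbraMailMode=https
zimbraReverseProxySSLToUpstreamEnabled=TRUE
zimbraMailClearTextPasswordEnabled=FALSE
zimbraImapCleartextLoginEnabled=FALSE
zimbraReverseProxyImapStartTlsMode=only
zimbraPop3CleartextLoginEnabled=FALSE
zimbraReverseProxyPop3StartTlsMode=only'
LC_EXPECTED='ldap_starttls_supported=1
zimbra_require_interprocess_security=1
ldap_starttls_required=true'

# Constructed sample output (not a real capture). "zmprov gs" prints
# "attr: value", zmlocalconfig prints "key = value". Three zmprov settings
# and one localconfig key are deliberately left in their weak state.
ZMPROV_SAMPLE='# name mail.example.com
zimbraReverseProxyMailMode: redirect
zimbraMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: on'
LC_SAMPLE='ldap_starttls_supported = 1
zimbra_require_interprocess_security = 0
ldap_starttls_required = true'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# audit_pairs EXPECTED OUTPUT SEP FIXFMT
#   EXPECTED: "key=value" lines; OUTPUT: captured command output;
#   SEP: the character between key and value in OUTPUT (':' or '=');
#   FIXFMT: printf format with two %s (key, value) giving the fix command.
# Prints one line per key; returns the number of missing or wrong keys.
audit_pairs() {
  local expected=$1 output=$2 sep=$3 fixfmt=$4 bad=0 key want have
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    # last line for this key, with "key<sep>" and surrounding blanks removed
    have=$(printf '%s\n' "$output" \
      | sed -n "s/^${key}[[:space:]]*${sep}[[:space:]]*//p" | tail -n 1)
    if [ -z "$have" ]; then
      echo "MISSING $key: not present in the output"
      bad=$((bad + 1))
    elif [ "$(lc "$have")" != "$(lc "$want")" ]; then
      echo "WRONG   $key=$have (expected $want)"
      printf "        fix: ${fixfmt}\n" "$key" "$want"
      bad=$((bad + 1))
    else
      echo "OK      $key=$have"
    fi
  done <<< "$expected"
  return $bad
}

# Audit the constructed samples; returns the total number of findings.
audit_samples() {
  local rc=0
  audit_pairs "$ZMPROV_EXPECTED" "$ZMPROV_SAMPLE" ':' 'zmprov ms `zmhostname` %s %s' || rc=$((rc + $?))
  audit_pairs "$LC_EXPECTED" "$LC_SAMPLE" '=' 'zmlocalconfig -e %s=%s' || rc=$((rc + $?))
  return $rc
}

# On a Zimbra server (run as the zimbra user): audit the live configuration.
audit_live() {
  local host rc=0
  host=$(zmhostname) || return 2
  audit_pairs "$ZMPROV_EXPECTED" "$(zmprov gs "$host")" ':' 'zmprov ms `zmhostname` %s %s' || rc=$((rc + $?))
  audit_pairs "$LC_EXPECTED" "$(zmlocalconfig)" '=' 'zmlocalconfig -e %s=%s' || rc=$((rc + $?))
  return $rc
}

if [ "${1:-}" = "--live" ]; then audit_live; else audit_samples; fi \
  && echo "all settings hardened" || echo "$? setting(s) need attention"
```

Run it with --live on a mailbox or proxy server to audit the real values. A MISSING zmprov attribute means the server has no per-server value, so the global config value (zmprov gcf) applies; check and set that one, or set the server-level value, as appropriate.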

SMTP

1. Disallow plaintext SMTP AUTH logins

zmprov gs `zmhostname` zimbraMtaTlsAuthOnly

If not already, set to "TRUE":

zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE

2. Use opportunistic outbound STARTTLS

zmlocalconfig postfix_smtp_tls_security_level

If it is not already "may", set it. Note that "encrypt" is not usually possible here, because you cannot require remote MTAs to support encryption:

zmlocalconfig -e postfix_smtp_tls_security_level=may

3. Use opportunistic inbound STARTTLS

zmprov gs `zmhostname` zimbraMtaTlsSecurityLevel

If it is not already "may", set it. Note that "encrypt" is not usually possible here either, because you cannot require remote sending MTAs to support encryption:

zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may

4. Restart the postfix MTA

 zmmtactl restart
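The following script is an added example, not part of this wiki article or of Zimbra itself. It checks on the wire what the SMTP settings above should produce: over a plaintext connection the MTA's EHLO reply must advertise STARTTLS (inbound security level "may") and must not advertise AUTH (zimbraMtaTlsAuthOnly TRUE), so a client that skips STARTTLS never gets the chance to send a password in the clear. The EHLO replies embedded in it are constructed; the live capture helper assumes that nc (netcat) is installed.

```shell
#!/bin/bash
# Added example, not from the Zimbra wiki: verify that a plaintext SMTP
# session advertises STARTTLS and does not advertise AUTH. check_ehlo works
# on captured reply text; fetch_ehlo obtains it from a live MTA (assumes nc).

# Constructed EHLO replies (not real captures).
EHLO_HARDENED='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# AUTH offered in the clear: what zimbraMtaTlsAuthOnly FALSE looks like.
EHLO_CLEAR_AUTH='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# Worst case: no STARTTLS at all and cleartext AUTH.
EHLO_NO_TLS='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-AUTH PLAIN LOGIN
250 8BITMIME'

# check_ehlo REPLY: returns 0 when hardened; bit 1 set if STARTTLS is
# missing, bit 2 set if AUTH is advertised before TLS.
check_ehlo() {
  local reply=$1 rc=0
  # capability lines read "250-NAME ..." or, for the last one, "250 NAME"
  if ! printf '%s\n' "$reply" | grep -qiE '^250[- ]STARTTLS'; then
    echo "FAIL: STARTTLS not advertised (check zimbraMtaTlsSecurityLevel)"
    rc=$((rc | 1))
  fi
  if printf '%s\n' "$reply" | grep -qiE '^250[- ]AUTH[ =]'; then
    echo "FAIL: AUTH offered on the cleartext session (set zimbraMtaTlsAuthOnly TRUE)"
    rc=$((rc | 2))
  fi
  [ "$rc" -eq 0 ] && echo "OK: STARTTLS advertised, no cleartext AUTH"
  return $rc
}

# fetch_ehlo HOST [PORT]: capture the banner and EHLO reply from a live MTA.
# Assumes nc is installed; port 25 is the Zimbra MTA listener.
fetch_ehlo() {
  printf 'EHLO probe.example.com\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-25}"
}

# Stand-alone: set MTA_HOST to probe a live server, otherwise run the samples.
if [ -n "${MTA_HOST:-}" ]; then
  check_ehlo "$(fetch_ehlo "$MTA_HOST" "${MTA_PORT:-25}")"
else
  for reply in "$EHLO_HARDENED" "$EHLO_CLEAR_AUTH" "$EHLO_NO_TLS"; do
    check_ehlo "$reply" || echo "  (status $?)"
  done
fi
```

To confirm the other half of the picture, open an encrypted session with openssl s_client -starttls smtp -connect host:25 and send EHLO again: after STARTTLS the MTA should advertise AUTH, since submission itself remains allowed once the channel is encrypted.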

End-to-End Encryption

1. Use S/MIME

Reference: see SMIME_Certificates

2. As an open-source alternative, you can also use the OpenPGP Zimlet by Barry de Graaff:

Zimbra OpenPGP Zimlet

Firewall

1. Configure your firewall to allow *only* required ports:

Reference: see Ports

2. Restrict external SSH logins to require two-factor authentication.

The Google Authenticator is one option for this: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/


Verified Against: ZCS 8.0 Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration Date Modified: 2016-02-05