SecureConfiguration
Article Information: This article applies to the following ZCS versions.
Best-Practice Recommendations for a Secure Zimbra Configuration
The following recommendations describe a best-practice security configuration. They cover:
- Run services only on secure channels
- Require encrypted logins
- Require secure interprocess communications
- Use end-to-end encryption with S/MIME
SSL Certificates
1. Be sure to have properly configured SSL certificates
References: see these pages:
2. If possible, use only commercial CA-signed certificates
Services
The most secure configuration allows only encrypted methods of accessing the system; however, make these changes carefully, because every process must be configured to connect only to encrypted upstream listeners.
1. Configure the proxy to offer only the encrypted HTTPS protocol (run this on every proxy):
zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
2. Configure the mailstore to offer only the encrypted HTTPS protocol:
zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https
3. Require the proxy to connect to upstream via SSL:
zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE
Encrypted Logins
1. HTTPS
zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE
2. IMAP4-SSL
zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
Verify that the proxy's IMAP STARTTLS mode reports "only":
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only
3. POP3-SSL
zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE
Verify that the proxy's POP3 STARTTLS mode reports "only":
zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only
Secure Interprocess Communication
1. Make sure LDAP supports STARTTLS; ldap_starttls_supported should be set to "1":
zmlocalconfig ldap_starttls_supported
zmlocalconfig -e ldap_starttls_supported=1
2. Require interprocess security; zimbra_require_interprocess_security should be set to "1":
zmlocalconfig zimbra_require_interprocess_security
zmlocalconfig -e zimbra_require_interprocess_security=1
3. Require secure LDAP from mailboxd; ldap_starttls_required should be set to "true":
zmlocalconfig ldap_starttls_required
zmlocalconfig -e ldap_starttls_required=true
References: see also TLS/STARTTLS_Localconfig_Values
SMTP
1. Disallow plaintext SMTP AUTH logins:
zmlocalconfig -e postfix_smtpd_tls_auth_only=yes
postconf -e smtpd_tls_auth_only=yes
2. Use opportunistic outbound STARTTLS:
zmlocalconfig postfix_smtp_tls_security_level
If it is not already, set it to "may". Note that it is usually not possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
zmlocalconfig -e postfix_smtp_tls_security_level=may
3. Use opportunistic inbound STARTTLS:
zmprov gs `zmhostname` zimbraMtaTlsSecurityLevel
If it is not already, set it to "may". Note that it is usually not possible to use "encrypt" here, as you cannot require remote MTAs to use encryption:
zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may
4. Restart postfix
zmmtactl restart
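The Services, Encrypted Logins, Secure Interprocess Communication and SMTP sections above each pair a "get" command with the value it should show. The script below, an added example that is not part of this wiki page or of the Zimbra project, turns those pairs into a single compliance audit: it parses the text that zmprov gs and zmlocalconfig print, compares every setting with the value recommended above, and prints the exact fix command for each mismatch. The two SAMPLE_* blocks are constructed stand-ins for real command output (the hostname mail.example.com and the values in them are invented); on a real server you would feed the functions live output instead.

```shell
#!/bin/sh
# Added audit helper (not part of the Zimbra wiki page or the Zimbra project).
# It parses the text printed by `zmprov gs` ("attr: value") and `zmlocalconfig`
# ("key = value") and checks each setting against this page's recommendation.
# Both SAMPLE_* blocks are constructed stand-ins for real command output.

# Constructed sample of `zmprov gs $(zmhostname)` output (hostname and values invented).
SAMPLE_ZMPROV_OUTPUT='# name mail.example.com
zimbraReverseProxyMailMode: https
zimbraMailMode: both
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
zimbraReverseProxyPop3StartTlsMode: on
zimbraMtaTlsSecurityLevel: may'

# Constructed sample of `zmlocalconfig` output (values invented).
SAMPLE_LOCALCONFIG_OUTPUT='ldap_starttls_supported = 1
zimbra_require_interprocess_security = 0
ldap_starttls_required = true
postfix_smtpd_tls_auth_only = yes
postfix_smtp_tls_security_level = may'

# get_zmprov_attr TEXT ATTR: print the value of the "ATTR: value" line in TEXT (empty if absent).
get_zmprov_attr() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == (k ":") { print $2; exit }'
}

# get_localconfig_key TEXT KEY: print the value of the "KEY = value" line in TEXT (empty if absent).
get_localconfig_key() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }'
}

# check_zmprov TEXT ATTR EXPECTED: exit 0 on match, 1 otherwise; always prints one report line.
# A mismatch line ends with the `zmprov ms` command that would correct it.
check_zmprov() {
    actual=$(get_zmprov_attr "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK    %s: %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL  %s: %s (expected %s) -> zmprov ms `zmhostname` %s %s\n' \
        "$2" "${actual:-<unset>}" "$3" "$2" "$3"
    return 1
}

# check_localconfig TEXT KEY EXPECTED: same contract, for zmlocalconfig keys.
check_localconfig() {
    actual=$(get_localconfig_key "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK    %s = %s\n' "$2" "$actual"
        return 0
    fi
    printf 'FAIL  %s = %s (expected %s) -> zmlocalconfig -e %s=%s\n' \
        "$2" "${actual:-<unset>}" "$3" "$2" "$3"
    return 1
}

# run_audit ZMPROV_TEXT LOCALCONFIG_TEXT: apply every recommendation from the page;
# the exit status is the number of non-compliant settings (0 means fully compliant).
run_audit() {
    failures=0
    # Services: HTTPS-only listeners on proxy and mailstore, SSL from proxy to upstream
    check_zmprov "$1" zimbraReverseProxyMailMode https            || failures=$((failures + 1))
    check_zmprov "$1" zimbraMailMode https                        || failures=$((failures + 1))
    check_zmprov "$1" zimbraReverseProxySSLToUpstreamEnabled TRUE || failures=$((failures + 1))
    # Encrypted logins: no cleartext passwords, STARTTLS mandatory on the proxy
    check_zmprov "$1" zimbraMailClearTextPasswordEnabled FALSE    || failures=$((failures + 1))
    check_zmprov "$1" zimbraImapCleartextLoginEnabled FALSE       || failures=$((failures + 1))
    check_zmprov "$1" zimbraReverseProxyImapStartTlsMode only     || failures=$((failures + 1))
    check_zmprov "$1" zimbraPop3CleartextLoginEnabled FALSE       || failures=$((failures + 1))
    check_zmprov "$1" zimbraReverseProxyPop3StartTlsMode only     || failures=$((failures + 1))
    # Secure interprocess communication: STARTTLS to LDAP, interprocess security required
    check_localconfig "$2" ldap_starttls_supported 1              || failures=$((failures + 1))
    check_localconfig "$2" zimbra_require_interprocess_security 1 || failures=$((failures + 1))
    check_localconfig "$2" ldap_starttls_required true            || failures=$((failures + 1))
    # SMTP: no plaintext AUTH, opportunistic STARTTLS in both directions
    check_localconfig "$2" postfix_smtpd_tls_auth_only yes        || failures=$((failures + 1))
    check_localconfig "$2" postfix_smtp_tls_security_level may    || failures=$((failures + 1))
    check_zmprov "$1" zimbraMtaTlsSecurityLevel may               || failures=$((failures + 1))
    return "$failures"
}

# Stand-alone run against the constructed samples. On a real server, as the zimbra user,
# replace the samples with live output: run_audit "$(zmprov gs "$(zmhostname)")" "$(zmlocalconfig)"
if run_audit "$SAMPLE_ZMPROV_OUTPUT" "$SAMPLE_LOCALCONFIG_OUTPUT"; then
    echo "all audited settings are compliant"
else
    echo "non-compliant settings: $?"
fi
```

With the constructed samples the audit reports four FAIL lines (zimbraMailMode, zimbraImapCleartextLoginEnabled, zimbraReverseProxyPop3StartTlsMode and zimbra_require_interprocess_security) and exits with status 4. The audit only reads configuration; the printed fix commands are the ones from the sections above, so a mismatch can be reviewed before anything is changed, and the script can be rerun after zmmtactl restart to confirm the result.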
End-to-End Encryption
1. Use S/MIME
Reference: see SMIME_Certificates
Firewall
1. Configure your firewall to allow *only* the required ports:
Reference: see Ports
2. Restrict external SSH access to two-factor authentication.
Google Authenticator is one option for this: http://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/