SecureConfiguration

Revision as of 21:25, 28 June 2014 by Thom (talk | contribs)

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0


Best-Practice Recommendations for a Secure Zimbra Configuration

The following recommendations are provided to ensure a best-practice security configuration. This includes the following:

  • Require encrypted logins
  • Requiring secure interprocess communications

Services

Most secure is to only allow secure methods of accessing the system; however, be careful in making these changes, as all processes need to be configured to connect only to upstream encrypted listeners.

1. Configure the proxy to only offer encrypted protocols

zmprov ms `zmhostname` zimbraReverseProxyMailMode https

2. Require Proxy to connect to upstream via SSL

zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE
zimbraReverseProxyImapStartTlsMode


Encrypted Logins

1. HTTPS

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE

2. IMAP4-SSL

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

3. POP3-SSL

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only

Secure Interprocess Communication

1. Make sure LDAP is supporting STARTTLS - should be set to "1":

zmlocalconfig ldap_starttls_supported

2. Require interprocess security - should be set to 1:

zmlocalconfig zimbra_require_interprocess_security

3. Require secure LDAP from mailboxd - should be set to "true":

zmlocalconfig ldap_starttls_required

References: see also TLS/STARTTLS_Localconfig_Values



Verified Against: ZCS 8.0 Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration Date Modified: 2014-06-28



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search