SecureConfiguration

Revision as of 21:25, 28 June 2014 by Thom (talk | contribs)
Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.0


Best-Practice Recommendations for a Secure Zimbra Configuration

The following recommendations describe a best-practice security configuration. They cover:

  • Requiring encrypted logins
  • Requiring secure interprocess communications

Services

The most secure approach is to allow only encrypted methods of accessing the system. Be careful when making these changes, however: every process must be configured to connect only to upstream encrypted listeners.

1. Configure the proxy to only offer encrypted protocols

zmprov ms `zmhostname` zimbraReverseProxyMailMode https

2. Require Proxy to connect to upstream via SSL

zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE
zimbraReverseProxyImapStartTlsMode


Encrypted Logins

1. HTTPS

zmprov gs `zmhostname` zimbraMailClearTextPasswordEnabled
zmprov ms `zmhostname` zimbraMailClearTextPasswordEnabled FALSE

2. IMAP4-SSL

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE
zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

3. POP3-SSL

zmprov gs `zmhostname` zimbraPop3CleartextLoginEnabled
zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only

Secure Interprocess Communication

1. Make sure LDAP supports STARTTLS - should be set to "1":

zmlocalconfig ldap_starttls_supported

2. Require interprocess security - should be set to 1:

zmlocalconfig zimbra_require_interprocess_security

3. Require secure LDAP from mailboxd - should be set to "true":

zmlocalconfig ldap_starttls_required

References: see also TLS/STARTTLS_Localconfig_Values
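
The checks in the Encrypted Logins and Secure Interprocess Communication sections can be compared against their recommended values in one pass. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names, the sample capture and the assumed output formats ("attr: value" from zmprov gs, "key = value" from zmlocalconfig) are illustrative.

```shell
# Added example, not Zimbra tooling. Assumption: captured lines look like
# "attr: value" (zmprov gs) or "key = value" (zmlocalconfig).
# Reads the capture on stdin, prints OK/FAIL/MISSING per setting, and
# returns 0 only when every setting has the value this page recommends.
audit_zimbra_settings() {
    input=$(cat)
    bad=0
    while read -r key want; do
        # First matching line, with separator and trailing blanks removed.
        got=$(printf '%s\n' "$input" | sed -n -e 's/[[:space:]]*$//' \
              -e "s/^${key}[[:space:]]*[:=][[:space:]]*//p" | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"; bad=1
        elif [ "$(echo "$got" | tr '[:upper:]' '[:lower:]')" = \
               "$(echo "$want" | tr '[:upper:]' '[:lower:]')" ]; then
            echo "OK $key = $got"
        else
            echo "FAIL $key = $got (want $want)"; bad=1
        fi
    done <<'EOF'
zimbraReverseProxyMailMode https
zimbraReverseProxySSLToUpstreamEnabled TRUE
zimbraMailClearTextPasswordEnabled FALSE
zimbraImapCleartextLoginEnabled FALSE
zimbraReverseProxyImapStartTlsMode only
zimbraPop3CleartextLoginEnabled FALSE
zimbraReverseProxyPop3StartTlsMode only
ldap_starttls_supported 1
zimbra_require_interprocess_security 1
ldap_starttls_required true
EOF
    return "$bad"
}

# Constructed sample capture (hostname and values are made up for the demo).
sample_capture() {
    cat <<'EOF'
# name mail.example.test
zimbraReverseProxyMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraMailClearTextPasswordEnabled: FALSE
zimbraImapCleartextLoginEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraPop3CleartextLoginEnabled: FALSE
ldap_starttls_supported = 1
zimbra_require_interprocess_security = 0
ldap_starttls_required = true
EOF
}
```

On a server, pipe the concatenated output of the zmprov gs and zmlocalconfig queries shown above into audit_zimbra_settings; running sample_capture | audit_zimbra_settings shows the report format, where an unset attribute is reported as MISSING rather than silently passing.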



Verified Against: ZCS 8.0
Date Created: 06/28/2014
Article ID: https://wiki.zimbra.com/index.php?title=SecureConfiguration
Date Modified: 2014-06-28


