Difference between revisions of "Security/Collab/86"


Revision as of 00:59, 13 December 2014

Security Settings for Zimbra Collaboration 8.6 series

Proxy settings

Cipher suite settings

The single-valued zimbraReverseProxySSLCiphers attribute configures which cipher suites the nginx proxy will allow to be negotiated over SSL. This affects HTTPS when the web proxy is enabled, and POP and IMAP when the mail proxy is enabled. It is only possible to set this value in globalconfig.

The current recommended setting is:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

It can be set using the zmprov mcf command.

Protocol version settings

The multi-valued attribute controlling the acceptable TLS protocol versions to be used by the nginx proxy is zimbraReverseProxySSLProtocols. It can be set at both the globalconfig and server level.

The current recommended values for this attribute are:

TLSv1
TLSv1.1
TLSv1.2

The values can be modified to either add or remove a protocol:

To add a protocol at the globalconfig level: zmprov mcf zimbraReverseProxySSLProtocols +protocol

To remove a protocol at the globalconfig level: zmprov mcf zimbraReverseProxySSLProtocols -protocol

If individual servers need different protocol settings, set the values at the server level instead.

To add a protocol at the server level: zmprov ms hostname zimbraReverseProxySSLProtocols +protocol

To remove a protocol at the server level: zmprov ms hostname zimbraReverseProxySSLProtocols -protocol
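An added example (not from the Zimbra wiki) that audits both attributes described above from captured zmprov gcf / zmprov gs output and prints the zmprov ms commands that would bring a drifted server back to the recommended protocol list. The sample output lines are constructed, and the one-value-per-line "attr: value" output format is assumed.

```shell
# Added example, not from the Zimbra wiki: audit the proxy TLS attributes
# from "zmprov gcf" / "zmprov gs" output ("attr: value", one line per value).
RECOMMENDED_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

# Constructed sample: globalconfig set as the page recommends.
SAMPLE_GLOBAL='zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!RC4'
# Constructed sample: a drifted server override (TLSv1.2 missing, RC4 allowed).
SAMPLE_SERVER='zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLCiphers: AES128:RC4-SHA:!aNULL'

# Print the values of one attribute ($1) from zmprov output on stdin.
zm_values() {
  awk -v a="$1" '$1 == a":" { print $2 }'
}

# Exit 0 if the protocol list on stdin equals the recommended set.
check_protocols() {
  have=$(zm_values zimbraReverseProxySSLProtocols | LC_ALL=C sort | tr '\n' ' ')
  want=$(printf '%s\n' $RECOMMENDED_PROTOCOLS | LC_ALL=C sort | tr '\n' ' ')
  [ "$have" = "$want" ]
}

# Exit 0 if no enabled cipher element (not prefixed with '!') names a family
# the recommended string disables: aNULL eNULL EXPORT DES 3DES MD5 PSK RC4.
check_ciphers() {
  if zm_values zimbraReverseProxySSLCiphers | tr ':' '\n' | grep -v '^!' \
       | grep -qE 'NULL|EXPORT|DES|MD5|PSK|RC4'; then
    return 1
  fi
  return 0
}

# Print (do not run) the zmprov ms commands that would bring the server $1,
# whose "zmprov gs" output is on stdin, to the recommended protocol set.
protocol_fixups() {
  have=$(zm_values zimbraReverseProxySSLProtocols)
  for p in $RECOMMENDED_PROTOCOLS; do
    echo "$have" | grep -qxF "$p" || echo "zmprov ms $1 zimbraReverseProxySSLProtocols +$p"
  done
  for p in $have; do
    case " $RECOMMENDED_PROTOCOLS " in
      *" $p "*) ;;
      *) echo "zmprov ms $1 zimbraReverseProxySSLProtocols -$p" ;;
    esac
  done
}
```

On a live system the same functions read `zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLCiphers` or `zmprov gs hostname ...` on stdin instead of the constructed samples.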

Jetty settings

LDAP settings

MTA settings
