Difference between revisions of "Security/Collab/87"
(29 intermediate revisions by 2 users not shown)
Article Footer: Zimbra Collaboration 8.7 | 04/22/2015
Category: Security
Latest revision as of 21:38, 8 February 2018
Security Settings for Zimbra Collaboration 8.7 series
Important: Upgrading from Older ZCS Versions
Defaults may change from version to version of ZCS. However, when upgrading some settings may not be updated to the new recommended default: possibly because the settings had been customized, installer limitations/bugs, or concerns that changes may impact existing users/clients. As such, it is highly recommended that you revisit settings after upgrading to ensure that values are set as expected/desired in your environment and security settings meet your requirements.
Recommended HTTP Headers
It is recommended to set most, if not all of the following HTTP headers for most ZCS deployments. Take a little time to determine what makes the most sense in your deployment.
Ref: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Strict-Transport-Security (HSTS)
HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
OR
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
X-XSS-Protection
Enables the Cross-site scripting (XSS) filter built into most recent web browsers:
zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
X-Content-Type-Options
Prevent Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
Content-Security-Policy
ZCS does not contain a default Content-Security-Policy header (bug 58216). However, it is recommended to create one that meets the requirements of your site.
Useful references:
- https://www.youtube.com/watch?v=L97wtYCqfwM - Understanding CSP
- http://cspisawesome.com/ - online Content-Security-Policy generator
- http://caniuse.com/#search=ContentSecurityPolicy - check browser support
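As an added example (not part of the original wiki page or of ZCS itself), the following Python script checks a captured HTTP response head against the headers recommended above. The two response samples are constructed for the example, not real ZCS captures; the threshold of 31536000 seconds matches the max-age used in the zmprov commands on this page.

```python
import re

# Constructed samples (not real captures): a response before and after the
# recommended zimbraResponseHeader values from this page have been applied.
BEFORE = """HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 21:38:00 GMT
Content-Type: text/html;charset=utf-8
Server: Zimbra
"""

AFTER = """HTTP/1.1 200 OK
Date: Mon, 08 Feb 2016 21:38:00 GMT
Content-Type: text/html;charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
"""


def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ':' not in line:
            continue
        name, value = line.split(':', 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw, min_max_age=31536000):
    """Compare a response head against the headers recommended on this page.

    Returns a sorted list of findings; an empty list means every check passed.
    """
    h = parse_headers(raw)
    findings = []

    hsts = h.get('strict-transport-security')
    if hsts is None:
        findings.append('missing Strict-Transport-Security')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        if not m or int(m.group(1)) < min_max_age:
            findings.append('Strict-Transport-Security max-age below %d' % min_max_age)

    if h.get('x-xss-protection', '').replace(' ', '') != '1;mode=block':
        findings.append('X-XSS-Protection is not "1; mode=block"')

    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options is not "nosniff"')

    # ZCS ships no CSP by default (bug 58216), so its absence is reported.
    if 'content-security-policy' not in h:
        findings.append('missing Content-Security-Policy (ZCS sets none by default)')

    return sorted(findings)


if __name__ == '__main__':
    for label, sample in (('before', BEFORE), ('after', AFTER)):
        print(label + ':', audit_headers(sample) or 'all recommended headers present')
```

To audit a real server, feed `audit_headers` the response head of a request to the mailboxd or proxy port (for example the output of an HTTPS HEAD request); it deliberately checks only the headers this page discusses.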
SSLv3 Disabled
OpenJDK SSLv3 Disabled
- SSLv3 is disabled by default in Java (ref: http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html); it is also disabled in the 8.7 builds.
OpenSSL SSLv3 Disabled
- In 8.7, OpenSSL is upgraded to the 1.0.2 series (see also ZCS openssl on github). New installs of ZCS default to disabling SSLv3 negotiation; sites that upgrade may need to manually disable SSLv3.
Note: OpenSSL is not compiled with the no-ssl3 option due to potential complications during upgrades (ref: OpenSSL configure options).
DH parameters
OpenSSL DH Parameters
The main components utilizing OpenSSL are the LDAP, MTA, and Proxy services. In ZCS 8.7, the default DH parameter uses 2048 bits (ref: 99558, 103803, 100443 LDAP/TLSDHParamFile, 99564 MTA/smtpd_tls_dh1024_param_file, 103399 Proxy/ssl_dhparam). The new global configuration parameter that stores the PEM-formatted DH parameter data is zimbraSSLDHParam. A new utility, zmdhparam, can be used to create custom DH parameters.
- Ability to set DH parameters for LDAP / MTA / Proxy
- Default to 2048 bit DH Parameters
However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).
See also:
- https://www.openssl.org/docs/apps/dhparam.html
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
- http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
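As an added example (not from the wiki page or from ZCS), the following Python reads the size of the prime in a PEM "DH PARAMETERS" block, which is the form zimbraSSLDHParam stores, and reports whether it meets the 2048-bit default and whether it crosses the 1024-bit limit that clients such as Java 7 cannot handle. The DER structure is the standard SEQUENCE { INTEGER p, INTEGER g } (PKCS#3), parsed without external libraries. The sample parameters are constructed with arbitrary odd integers of the right size; they are not real primes and must not be used as DH parameters, they only exercise the size check.

```python
import base64


def der_len(n):
    """Encode a DER length field (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def der_int(value):
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 if the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, 'big')
    if body[0] & 0x80:
        body = b'\x00' + body
    return b'\x02' + der_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }.

    Used only to construct sample input for this example; real parameters come
    from zmdhparam or 'openssl dhparam'.
    """
    seq = der_int(p) + der_int(g)
    der = b'\x30' + der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return '-----BEGIN DH PARAMETERS-----\n' + '\n'.join(lines) + '\n-----END DH PARAMETERS-----\n'


def read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after the length field)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7f
    return int.from_bytes(buf[pos + 1:pos + 1 + n], 'big'), pos + 1 + n


def dh_prime_bits(pem):
    """Return the bit length of the prime p in a PEM-encoded DH parameter block."""
    b64 = ''.join(l for l in pem.splitlines() if l and not l.startswith('-----'))
    der = base64.b64decode(b64)
    if der[0] != 0x30:
        raise ValueError('not a DER SEQUENCE')
    _, pos = read_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError('expected INTEGER p')
    plen, pos = read_len(der, pos + 1)
    p = int.from_bytes(der[pos:pos + plen], 'big')
    return p.bit_length()


def assess_dh_param(pem, minimum=2048):
    """Return (bits, notes) for a DH parameter block against the ZCS 8.7 default."""
    bits = dh_prime_bits(pem)
    notes = []
    if bits < minimum:
        notes.append('below the ZCS 8.7 default of %d bits' % minimum)
    if bits > 1024:
        notes.append('larger than 1024 bits: clients such as Java 7 may fail to negotiate')
    return bits, notes


# Constructed samples: odd integers of the target size, NOT primes, NOT usable as DH parameters.
SAMPLE_2048 = make_dh_pem((1 << 2047) | 1)
SAMPLE_1024 = make_dh_pem((1 << 1023) | 1)

if __name__ == '__main__':
    for name, pem in (('2048-bit sample', SAMPLE_2048), ('1024-bit sample', SAMPLE_1024)):
        bits, notes = assess_dh_param(pem)
        print(name, bits, notes)
```

To check a live configuration, pass the value of zimbraSSLDHParam (as shown by `zmprov gcf zimbraSSLDHParam`) to `assess_dh_param`; both notes are informational, since the page's point is that 2048 bits is the recommended default while a subset of old clients will only work at 1024 bits.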
Proxy/Nginx
See also #OpenSSL DH Parameters above.
Ciphers
Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4
HTTP Strict Transport Security (HSTS)
With bug 98938 it is now possible to set zimbraReverseProxyResponseHeaders and enable HSTS. For example:
zmprov mcf +zimbraReverseProxyResponseHeaders 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'
See also:
- http://www.nginxtips.com/hsts-nginx/
- http://nginx.org/en/docs/http/ngx_http_headers_module.html
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- https://tools.ietf.org/html/rfc6797
- http://caniuse.com/#feat=stricttransportsecurity
SSL Session Cache (resumption)
Bug 96544 added the following, enabled by default:
- SSL session cache size (zimbraReverseProxySSLSessionCacheSize) of 10 MB
- SSL session timeout (zimbraReverseProxySSLSessionTimeout) of 10 minutes
zmlookup via HTTPS
- bug 99279: zmlookup now uses HTTPS instead of HTTP (an internal service on port 7072 by default, now configurable via zimbraExtensionPort, bug 99392)
HTTPS Server Name Indication (SNI) Support
- enhancement: https://bugzilla.zimbra.com/show_bug.cgi?id=102913 with new attribute zimbraReverseProxySNIEnabled (default FALSE)
- ref: https://en.wikipedia.org/wiki/Server_Name_Indication
- Note: IMAPS/POP3S is not implemented (ref: bug 103362)
Mailboxd (Jetty)
Zimlets
bug 101192: links within spam are disabled (Zimlets no longer look for 'objects' to handle inside messages in the Junk/Spam folder)
Ciphers
Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):
zimbraSSLExcludeCipherSuites: .*_RC4_.*
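The proxy and mailboxd settings above express the same policy in two syntaxes: an OpenSSL cipher string for nginx (zimbraReverseProxySSLCiphers) and a Jetty exclusion regex over JSSE suite names (zimbraSSLExcludeCipherSuites). As an added example (not code from the wiki page or from ZCS), the Python below parses the 8.7.0 default cipher string into its enabled and forbidden parts and applies the Jetty-style regex to a list of JSSE suite names. The JSSE suite list is a constructed sample of standard Java suite names, not a dump from a ZCS server; the assumption that Jetty matches each exclude pattern against the full suite name follows Jetty's SslContextFactory behaviour.

```python
import re

# The 8.7.0 default zimbraReverseProxySSLCiphers value quoted on this page.
PROXY_CIPHERS = (
    'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:'
    'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:'
    'DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:'
    'ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:'
    'ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:'
    'ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:'
    'DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:'
    'DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:'
    'AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4'
)

# The 8.7.0 default zimbraSSLExcludeCipherSuites value quoted on this page.
JETTY_EXCLUDE = r'.*_RC4_.*'

# Constructed sample of JSSE suite names (standard Java names, not a ZCS dump).
JSSE_SUITES = [
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
    'SSL_RSA_WITH_RC4_128_SHA',
    'SSL_RSA_WITH_RC4_128_MD5',
]


def openssl_cipher_policy(cipher_string):
    """Split an OpenSSL cipher string into enabled tokens and forbidden ('!') tokens.

    Tokens such as HIGH or kEDH+AESGCM are keywords that OpenSSL expands at
    runtime, which is why the string still needs an explicit !RC4 at the end.
    """
    enabled, forbidden = [], []
    for token in cipher_string.split(':'):
        if token.startswith('!'):
            forbidden.append(token[1:])
        else:
            enabled.append(token)
    return enabled, forbidden


def openssl_mentions_rc4_positively(cipher_string):
    """True if any non-negated token names RC4 (a sign the policy re-enables it)."""
    enabled, _ = openssl_cipher_policy(cipher_string)
    return any('RC4' in token for token in enabled)


def jetty_effective_suites(suites, exclude_regexes):
    """Apply Jetty-style exclusion patterns to JSSE suite names.

    Each pattern is matched against the whole suite name, as Jetty's
    SslContextFactory does for excludeCipherSuites.
    """
    patterns = [re.compile(p) for p in exclude_regexes]
    return [s for s in suites if not any(p.fullmatch(s) for p in patterns)]


if __name__ == '__main__':
    enabled, forbidden = openssl_cipher_policy(PROXY_CIPHERS)
    print('proxy forbids:', forbidden)
    print('proxy re-enables RC4:', openssl_mentions_rc4_positively(PROXY_CIPHERS))
    print('mailboxd keeps:', jetty_effective_suites(JSSE_SUITES, [JETTY_EXCLUDE]))
```

The same functions can be pointed at a customized value from `zmprov gcf` to confirm that a site-specific cipher list has not quietly re-enabled RC4 on either side.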
HTTP Strict Transport Security (HSTS)
The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
Note: in 8.5 and 8.6 (before Patch5) this did not work due to a regression (ref: bug 98495)
saslauthd now on port 7073
As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet.
Multi-Domain Installation Enhancements
Enhancements to support limiting the visibility across separate domains in a ZCS installation have been implemented:
- bug 99825 ability to restrict visibility of public shares
- bug 100524 ability to restrict sendAs / sendOnBehalfOf
3rd Party Packages of Interest
See https://github.com/Zimbra/packages/blob/master/versions.def for the latest versions.
- 104803 OpenSSL 1.0.2h
- 104718 OpenJDK 1.8.0u92-b14
- 105078 Postfix 3.1.1
- 105076 PHP 5.6.22
- 102316 libpng 1.6.19
- 105075 MariaDB 10.1.14
- 103588 Rsync 3.1.2
- 105073 ClamAV 0.99.2
- 102319 Nginx 1.7.1+patches (103578, 104452, 105162)
- 105090 Unbound 1.5.9
- 102227 commons-collection 3.2.2