Difference between revisions of "Security/Collab/87"

(HTTP Strict Transport Security (HSTS): note regression bug 98495)

Revision as of 23:56, 14 May 2015


This article applies to the following ZCS versions: ZCS 8.7

Security Settings for Zimbra Collaboration 8.7 series


DH parameters

Added support for the ssl_dhparam directive in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (that is, stronger) DH parameter size. Be aware, however, that some clients have problems with sizes larger than 1024 bits (Java 7, for example; ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).

See also:


The default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):


HTTP Strict Transport Security (HSTS)

With bug 98938 it is now possible to set zimbraReverseProxyResponseHeaders and enable HSTS. For example:

 zmprov mcf +zimbraReverseProxyResponseHeaders 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'

See also:

  • https://tools.ietf.org/html/rfc6797
  • http://caniuse.com/#feat=stricttransportsecurity

zmlookup via HTTPS

  • bug 99279 zmlookup (port 7072, internal service) now uses HTTPS instead of HTTP

Mailboxd (Jetty)


The default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*

HTTP Strict Transport Security (HSTS)

The configuration key 'zimbraResponseHeader' can be used to set the HSTS header on mailboxd. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Note: in 8.5 and 8.6 this did not work due to a regression (ref: bug 98495).
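To confirm that the HSTS settings from the proxy and mailboxd sections above actually reach the client, and to see what the `.*_RC4_.*` exclusion pattern matches, here is an added Python check; it is not part of this wiki page or of Zimbra. It works offline on constructed sample responses and assumes that nginx, as with `add_header`, sends the header value without the configuration-level quotes shown in the zmprov example.

```python
import re

MIN_MAX_AGE = 31536000  # the one-year value used in the zmprov examples above

def parse_hsts(value):
    """Parse one Strict-Transport-Security field value per RFC 6797: directive
    names are case-insensitive, values may be quoted. Returns None when max-age
    is missing or non-numeric, which makes a UA ignore the policy."""
    directives = {}
    for part in value.split(';'):
        name, _, val = part.partition('=')
        name = name.strip().lower()
        if name:
            directives[name] = val.strip().strip('"')
    max_age = directives.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None
    return {'max_age': int(max_age),
            'include_subdomains': 'includesubdomains' in directives}

def hsts_status(raw_response, min_age=MIN_MAX_AGE):
    """Classify the HSTS policy carried by a raw HTTP response:
    'missing', 'invalid', 'short' (max-age below min_age) or 'ok'."""
    head = raw_response.partition('\r\n\r\n')[0]
    values = [line.split(':', 1)[1].strip() for line in head.split('\r\n')[1:]
              if line.lower().startswith('strict-transport-security:')]
    if not values:
        return 'missing'
    policy = parse_hsts(values[0])  # UAs process only the first STS field
    if policy is None:
        return 'invalid'
    return 'ok' if policy['max_age'] >= min_age else 'short'

def excluded_suites(suites, patterns=('.*_RC4_.*',)):
    """Apply zimbraSSLExcludeCipherSuites entries, each treated as a full-match
    regular expression as the .*_RC4_.* value implies, to Java suite names."""
    return [s for s in suites if any(re.fullmatch(p, s) for p in patterns)]

# Constructed sample responses (assumption: nginx strips the quotes from the
# zmprov example, so the proxy header arrives unquoted); the third response
# mimics the 8.5/8.6 regression, where mailboxd sent no HSTS header at all.
PROXY_RESPONSE = ('HTTP/1.1 200 OK\r\nServer: nginx\r\n'
                  'Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n\r\n')
MAILBOXD_RESPONSE = ('HTTP/1.1 200 OK\r\n'
                     'Strict-Transport-Security: max-age=31536000\r\n\r\n')
NO_HSTS_RESPONSE = 'HTTP/1.1 200 OK\r\nServer: Jetty\r\n\r\n'
SAMPLE_SUITES = ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'SSL_RSA_WITH_RC4_128_SHA',
                 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_RC4_128_SHA']
```

Against a live server, feed `hsts_status()` the raw response captured from the proxy port and from mailboxd separately, since the two headers are set by different attributes.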

saslauthd now on port 7073

As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected by a firewall and not exposed to the internet.

  • TODO: update public/private ports documentation
Verified Against: Zimbra Collaboration 8.7
Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87
Date Modified: 2015-05-14
