Difference between revisions of "Security/Collab/87"
(→TBD / WIP: - made note about SSLv3 being disabled in upstream Java)
(added note on multidomain sharing related enhancements)
{{Article Footer|Zimbra Collaboration 8.7|04/22/2015}}
[[Category: Security]]
Revision as of 13:18, 11 August 2015
Security Settings for Zimbra Collaboration 8.7 series
TBD / WIP
- bug 99564 Ability to set a DH parameter file for the MTA (Postfix)
- bug 99558 Default to 2048-bit DH parameters
- SSLv3 is disabled by default in upstream Java since 8u31 (ref: http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html); it is disabled in the 8.7 builds as well
OpenSSL SSLv3 disabled
- bug 99886 Along with the upgrade to OpenSSL 1.0.1p, ZCS now builds OpenSSL with the "no-ssl3" configure option, which removes SSLv3 support from the library at build time rather than merely disabling it in configuration. As a result the bundled openssl binary no longer accepts the -ssl3 option to s_client, and nothing linked against it can negotiate SSLv3. Note that mailboxd uses the JVM's own TLS stack, not OpenSSL; its SSLv3 status is covered by the Java note above.
Proxy
DH parameters
Support for the nginx ssl_dhparam directive has been added to the proxy. The default DH parameter size is still 1024 bits; with the changes from bug 98852 it is possible to supply a custom parameter file with a stronger size. Be aware that some clients cannot complete a handshake with a DH prime larger than 1024 bits (Java 7 clients, for example; ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh), so the size you choose is bounded by the oldest client you still need to support. Only DHE suites use these parameters; clients that negotiate an ECDHE suite, which the default cipher list below prefers, never perform finite-field DH and are unaffected.
See also:
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
- https://www.openssl.org/docs/apps/dhparam.html
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/
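The following is an added example, not Zimbra or OpenSSL code, for checking a DH parameter file before pointing the proxy (or, per bug 99564, Postfix) at it. A PEM "DH PARAMETERS" file is a PKCS#3 DHParameter: a DER SEQUENCE of the prime p, the generator g and an optional privateValueLength. The example parses that structure and reports the size of p together with the two compatibility facts that matter here (below 2048 bits, and above the 1024-bit ceiling of Java 7 clients). Generate a production file with `openssl dhparam -out dhparam.pem 2048` (this can take minutes); the attribute that points the proxy at the file is not named on this page and is not assumed below. The primes used in the test fixture are constructed for their bit length only and are not safe primes.

```python
"""Inspect a PEM "DH PARAMETERS" file (PKCS#3 DHParameter: SEQUENCE of prime p,
generator g, optional privateValueLength) and report the size of p.
Added example; not Zimbra or OpenSSL code."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER for a non-negative int (a leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dhparams(p, g):
    """Build a PEM DH PARAMETERS block from p and g. Used here to construct
    fixtures; OpenSSL's dhparam writes the same structure."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_dhparams(pem):
    """Return (p, g) from the first DH PARAMETERS block in pem."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(match.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)   # privateValueLength, if present, is ignored
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p followed by INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def assess_dhparams(pem):
    """Prime size plus the two compatibility facts that matter when raising
    the proxy's DH size: below 2048 bits is short by current guidance, and
    above 1024 bits Java 7 clients fail the handshake (Apache FAQ above)."""
    p, g = parse_dhparams(pem)
    bits = p.bit_length()
    return {
        "bits": bits,
        "generator": g,
        "odd": p % 2 == 1,          # cheap sanity check only; not a primality test
        "below_2048": bits < 2048,
        "breaks_java7": bits > 1024,
    }


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:   # usage: python dhcheck.py /path/to/dhparam.pem
        print(assess_dhparams(fh.read()))
```

Run it against the file you intend to deploy; a result with "breaks_java7": True is expected for any file stronger than the 1024-bit default and is the trade-off the paragraph above describes.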
Ciphers
The default zimbraReverseProxySSLCiphers value in 8.7.0 has been changed to exclude RC4 (ref: bug 96852). The string relies on its trailing "!" entries: in OpenSSL cipher-string syntax a "!" removes a family permanently, so the broad HIGH, AES128 and AES256 selectors earlier in the list cannot re-add RC4, 3DES or MD5-based suites.
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4
HTTP Strict Transport Security (HSTS)
With bug 98938 it is now possible to set zimbraReverseProxyResponseHeaders and enable HSTS. For example:
zmprov mcf +zimbraReverseProxyResponseHeaders 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'
The inner double quotes are nginx configuration quoting, needed because the value contains a semicolon; they are not sent to the client. Directive names are case-insensitive (RFC 6797), so includeSubdomains and includeSubDomains are equivalent. Browsers only honour the header when it arrives over TLS, and once a browser has cached the policy the only way to withdraw it before max-age expires is to serve max-age=0 over HTTPS. Test with a short max-age first, and add includeSubdomains only if every subdomain of the proxy's name is served over HTTPS.
See also:
- http://www.nginxtips.com/hsts-nginx/
- http://nginx.org/en/docs/http/ngx_http_headers_module.html
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- https://tools.ietf.org/html/rfc6797
- http://caniuse.com/#feat=stricttransportsecurity
SSL Session Cache (resumption)
Bug 96544 added the following settings, enabled by default:
- SSL session cache size (zimbraReverseProxySSLSessionCacheSize) of 10 MB
- SSL session timeout (zimbraReverseProxySSLSessionTimeout) of 10 minutes
zmlookup via HTTPS
- bug 99279 zmlookup now uses HTTPS instead of HTTP. The lookup handler is an internal service on port 7072 by default; the port is now configurable via zimbraExtensionPort (bug 99392). Like port 7073 below, it is for internal use and should not be reachable from the internet.
Mailboxd (Jetty)
Ciphers
The default zimbraSSLExcludeCipherSuites value in 8.7.0 has been changed to exclude RC4 (ref: bug 96921). The value is a Java regular expression that Jetty matches against the full JSSE cipher-suite name, so it covers every RC4 suite regardless of key exchange or MAC:
zimbraSSLExcludeCipherSuites: .*_RC4_.*
HTTP Strict Transport Security (HSTS)
The configuration key zimbraResponseHeader can be used to set the HSTS header on mailboxd. For example (ref: bug 84796):
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
Note: in 8.5 and 8.6 the header was not emitted because of a regression (ref: bug 98495).
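The following is an added example, not Zimbra code, that checks the settings from the proxy and mailboxd sections above offline: the zimbraReverseProxySSLCiphers string (OpenSSL syntax), the zimbraSSLExcludeCipherSuites pattern (Jetty/JSSE) and the Strict-Transport-Security values set through zimbraReverseProxyResponseHeaders and zimbraResponseHeader. Inputs are attribute values as printed by `zmprov gcf <attr>`, pasted in by hand; the JSSE suite names are a constructed sample; probe_https is an optional live check against a host you operate and needs network access.

```python
"""Offline checks for the proxy (nginx) and mailboxd (Jetty) TLS settings on
this page. Added example, not Zimbra code."""
import re
import socket
import ssl

# zimbraReverseProxySSLCiphers default from this page (8.7.0).
ZIMBRA_87_PROXY_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
)
# Families an OpenSSL cipher string must kill with "!". A "!" entry is
# permanent: later tokens such as HIGH or AES128 cannot bring it back.
REQUIRED_KILLS = ("aNULL", "eNULL", "EXPORT", "DES", "3DES", "MD5", "PSK", "RC4")
WEAK_MARKERS = ("RC4", "MD5", "DES", "EXPORT", "NULL")


def missing_kills(cipher_string, required=REQUIRED_KILLS):
    """Required families the string does not explicitly kill."""
    killed = {tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")}
    return [name for name in required if name not in killed]


def cipher_string_findings(cipher_string):
    """Policy problems: required families not killed, plus weak algorithms that
    are positively selected (a '!' elsewhere still wins, but selecting them at
    all means the string was not reviewed)."""
    findings = ["not killed: " + name for name in missing_kills(cipher_string)]
    for tok in cipher_string.split(":"):
        if tok.startswith("!"):
            continue
        if any(marker in tok.lstrip("+-").upper() for marker in WEAK_MARKERS):
            findings.append("weak cipher selected: " + tok)
    return findings


# Constructed sample of JSSE suite names as a Java 8 server enables them.
SAMPLE_JSSE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
]


def jetty_excluded(exclude_patterns, suites=SAMPLE_JSSE_SUITES):
    """Suites removed by zimbraSSLExcludeCipherSuites-style patterns. Jetty
    treats each value as a Java regex that must match the whole suite name."""
    compiled = [re.compile(p) for p in exclude_patterns]
    return [s for s in suites if any(c.fullmatch(s) for c in compiled)]


def parse_hsts(value):
    """Parse a Strict-Transport-Security field value (RFC 6797 section 6.1):
    ';'-separated directives, case-insensitive names, max-age mandatory, no
    directive repeated. Raises ValueError where a browser would ignore it."""
    seen = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError("duplicate directive: " + name)
        seen[name] = val.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        raise ValueError("max-age missing or not a non-negative integer")
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,   # Chromium preload-list marker, not in RFC 6797
    }


def probe_https(host, port=443, timeout=5):
    """Live check (network; not run by the offline tests): negotiate TLS with
    the platform defaults, send HEAD / and return (protocol, cipher, HSTS
    value or None). The header only counts when received over TLS."""
    request = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request.encode("ascii"))
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            hsts = None
            for line in raw.decode("latin-1").split("\r\n")[1:]:
                name, _, val = line.partition(":")
                if name.strip().lower() == "strict-transport-security":
                    hsts = val.strip()
            return tls.version(), tls.cipher()[0], hsts
```

Feed parse_hsts the value as it appears on the wire (what probe_https returns or what curl -I shows), not the quoted form from the zmprov command: the double quotes there are nginx configuration quoting and never reach the client.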
saslauthd now on port 7073
As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet.
Multi-Domain Installation Enhancements
Enhancements to support limiting the visibility across separate domains in a ZCS installation have been implemented:
- bug 99825 ability to restrict visibility of public shares
- bug 100524 ability to restrict sendAs / sendOnBehalfOf