Difference between revisions of "Security/Collab/87"
(→HSTS) |
|||
| Line 49: | Line 49: | ||
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000" | zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000" | ||
| + | |||
| + | === saslauthd now on port 7073 === | ||
| + | As part of [https://bugzilla.zimbra.com/show_bug.cgi?id=97779 bug 97779] the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet. | ||
| + | * TODO: update public/private ports documentation | ||
{{Article Footer|Zimbra Collaboration 8.7|04/22/2015}} | {{Article Footer|Zimbra Collaboration 8.7|04/22/2015}} | ||
Revision as of 18:01, 11 May 2015
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only. Article Information |
|---|
| This article applies to the following ZCS versions.
|
Security Settings for Zimbra Collaboration 8.7 series
Proxy
DH parameters
Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).
See also:
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
- https://www.openssl.org/docs/apps/dhparam.html
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/
Ciphers
Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4
HTTP Strict Transport Security (HSTS)
WIP: bug 98938
See also:
- http://www.nginxtips.com/hsts-nginx/
- http://nginx.org/en/docs/http/ngx_http_headers_module.html
- https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
- https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
- https://tools.ietf.org/html/rfc6797
- http://caniuse.com/#feat=stricttransportsecurity
Mailboxd (Jetty)
Ciphers
Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):
zimbraSSLExcludeCipherSuites: .*_RC4_.*
HTTP Strict Transport Security (HSTS)
The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
saslauthd now on port 7073
As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet.
- TODO: update public/private ports documentation
