Difference between revisions of "Security/Collab/87"

(HSTS)
Line 49: Line 49:
  
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 +
 +
=== saslauthd now on port 7073 ===
 +
As part of [https://bugzilla.zimbra.com/show_bug.cgi?id=97779 bug 97779] the saslauthd service now authenticates against a service listening on port 7073 instead of 7071.  This port should be protected (firewall) and not exposed to the internet.
 +
* TODO: update public/private ports documentation
  
 
{{Article Footer|Zimbra Collaboration 8.7|04/22/2015}}
 
{{Article Footer|Zimbra Collaboration 8.7|04/22/2015}}

Revision as of 18:01, 11 May 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

  ZCS 8.7 Article  ZCS 8.7


Security Settings for Zimbra Collaboration 8.7 series

Proxy

DH parameters

Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).

See also:

Ciphers

Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):

zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

HTTP Strict Transport Security (HSTS)

WIP: bug 98938

See also:

Mailboxd (Jetty)

Ciphers

Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*

HTTP Strict Transport Security (HSTS)

The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

saslauthd now on port 7073

As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet.

  • TODO: update public/private ports documentation
Verified Against: Zimbra Collaboration 8.7 Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87 Date Modified: 2015-05-11



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search