Difference between revisions of "Security/Collab/87"

(Proxy: add note on zimbraReverseProxyResponseHeaders)
(HTTP Strict Transport Security (HSTS): note regression bug 98495)
Line 50: Line 50:
  
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 +
 +
Note: in 8.5 and 8.6 this did not work due to a regression (ref: [https://bugzilla.zimbra.com/show_bug.cgi?id=98495 bug 98495])
  
 
=== saslauthd now on port 7073 ===
 
=== saslauthd now on port 7073 ===

Revision as of 19:12, 12 May 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

  ZCS 8.7 Article  ZCS 8.7


Security Settings for Zimbra Collaboration 8.7 series

Proxy

DH parameters

Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).

See also:

Ciphers

Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):

zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

HTTP Strict Transport Security (HSTS)

With bug 98938 it is now possible to set zimbraReverseProxyResponseHeaders and enable HSTS. For example:

 zmprov mcf +zimbraReverseProxyResponseHeaders 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'

See also:

Mailboxd (Jetty)

Ciphers

Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*

HTTP Strict Transport Security (HSTS)

The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Note: in 8.5 and 8.6 this did not work due to a regression (ref: bug 98495)

saslauthd now on port 7073

As part of bug 97779 the saslauthd service now authenticates against a service listening on port 7073 instead of 7071. This port should be protected (firewall) and not exposed to the internet.

  • TODO: update public/private ports documentation
Verified Against: Zimbra Collaboration 8.7 Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87 Date Modified: 2015-05-12



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search