Difference between revisions of "Security/Collab/87"

(added note on bug 101192)
(More updates for 8.7)

Revision as of 04:24, 9 February 2016

Security Settings for Zimbra Collaboration 8.7 series

KB 21837. Last updated on 2016-02-09.






SSLv3 Disabled

OpenJDK SSLv3 Disabled

  • SSLv3 is disabled by default in Java (ref: Java 8u31 release notes, http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html); it is also disabled in the Zimbra 8.7 builds.

OpenSSL SSLv3 Disabled

  • In 8.7, OpenSSL is upgraded to OpenSSL 1.0.1r (bug 103561; see also the ZCS openssl package at https://github.com/Zimbra/packages/tree/master/thirdparty/openssl). New installs of ZCS default to disabling SSLv3 negotiation; sites that upgrade may need to disable SSLv3 manually (see https://wiki.zimbra.com/wiki/How_to_disable_SSLv3).

Note: OpenSSL is not compiled with the no-ssl3 option because of potential complications during upgrades (bug 102354; ref: OpenSSL configure options, https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options).

DH parameters

OpenSSL DH Parameters

The main components using OpenSSL are the LDAP, MTA, and Proxy services. In ZCS 8.7 the default DH parameter size is 2048 bits (ref: bug 99558; bug 99564 for MTA/smtpd_tls_dh1024_param_file; bug 103399 for Proxy/ssl_dhparam). The new global configuration attribute that stores the PEM-formatted DH parameter data is zimbraSSLDHParam, and the new zmdhparam utility creates custom DH parameters.

  • bug 99564: ability to set the DH parameter file for MTA / Postfix
  • bug 99558: default to 2048-bit DH parameters

However, be aware that some clients may have problems with DH parameters larger than 1024 bits (Java 7, for example; ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).

See also:

  • https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  • http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/
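Checking the size of a stored DH parameter block is the practical test behind the 1024- versus 2048-bit discussion above. The following is an added example, not Zimbra's zmdhparam or any other ZCS code: a small PEM/DER reader that reports the prime size (the figure "openssl dhparam -text" prints), with constructed, non-prime sample values that only exercise the size check.

```python
import base64

# Added example (not Zimbra code): a minimal encoder/decoder for PKCS#3
# DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, enough to read the
# size of a PEM "DH PARAMETERS" block (what zimbraSSLDHParam stores).

def _der_len(n):  # DER length field, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(n):  # DER INTEGER; the spare byte keeps the sign bit clear
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_len(buf, i):  # -> (length, offset of first content byte)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _read_int(buf, i):  # -> (value, offset just after the INTEGER)
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % i)
    length, j = _read_len(buf, i + 1)
    return int.from_bytes(buf[j:j + length], "big", signed=True), j + length

def build_dh_pem(p, g=2):  # encode (p, g) as PEM; used below to make sample input
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def parse_dh_pem(pem):  # -> (p, g); raises ValueError on malformed input
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _read_len(der, 1)
    p, i = _read_int(der, i)
    g, _ = _read_int(der, i)
    return p, g

def dh_param_bits(pem):  # bit length of p, the size 'openssl dhparam -text' reports
    return parse_dh_pem(pem)[0].bit_length()

# Constructed sample values: NOT primes, never use them as real DH parameters.
WEAK_1024 = build_dh_pem((1 << 1023) + 12345)
DEFAULT_2048 = build_dh_pem((1 << 2047) + 12345)
```

A parameter file that reports fewer than 2048 bits here is below the 8.7 default; one above 1024 bits is the case the Java 7 caveat above applies to.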

Proxy/Nginx

See also the OpenSSL DH Parameters section above.

Ciphers

The default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):

zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

HTTP Strict Transport Security (HSTS)

With bug 98938 it is now possible to set zimbraReverseProxyResponseHeaders and enable HSTS. For example:

 zmprov mcf +zimbraReverseProxyResponseHeaders 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'

See also:

SSL Session Cache (resumption)

Bug 96544 added the following settings, enabled by default:

  • SSL session cache size (zimbraReverseProxySSLSessionCacheSize) of 10 MB
  • SSL session timeout (zimbraReverseProxySSLSessionTimeout) of 10 minutes

zmlookup via HTTPS

  • bug 99279: zmlookup now uses HTTPS instead of HTTP (an internal service on port 7072 by default, now configurable via zimbraExtensionPort; ref: bug 99392)

Server Name Indication (SNI) Support

  • Enhancement (https://bugzilla.zimbra.com/show_bug.cgi?id=102913): new attribute zimbraReverseProxySNIEnabled (default FALSE)
  • ref: https://en.wikipedia.org/wiki/Server_Name_Indication

Mailboxd (Jetty)

Zimlets

  • bug 101192: links within spam are disabled (Zimlets no longer look for 'objects' to handle inside messages in the Junk/Spam folder)

Ciphers

The default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*
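Both cipher settings on this page exclude RC4, but with different syntax: the nginx value is an OpenSSL cipher string whose "!" entries are permanent bans, while zimbraSSLExcludeCipherSuites is a Java regex that Jetty matches against whole JSSE suite names, which is why the value needs the leading and trailing ".*". The following is an added example, not Zimbra or Jetty code, that applies both settings to constructed sample suite names; the OpenSSL string is abbreviated to the head and the complete "!" tail of the value quoted above.

```python
import re

# Added example (not Zimbra code): apply the two 8.7 cipher settings quoted on this
# page to constructed sample suite names, to show what each one actually removes.

# mailboxd/Jetty: zimbraSSLExcludeCipherSuites holds Java regexes matched against
# JSSE suite names with full-string matching (Java's String.matches()); that is why
# the page's value is ".*_RC4_.*" and not just "_RC4_". re.fullmatch mirrors it.
ZIMBRA_SSL_EXCLUDE_CIPHER_SUITES = [r".*_RC4_.*"]

# proxy/nginx: head and tail of the page's zimbraReverseProxySSLCiphers value
# (the middle of the long list is elided here; the '!' exclusions are complete).
ZIMBRA_REVERSE_PROXY_SSL_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4"
)

JSSE_SAMPLE = [  # constructed sample of JSSE suite names
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def jetty_excluded(suites, patterns=ZIMBRA_SSL_EXCLUDE_CIPHER_SUITES):
    """Suite names removed by the Jetty exclude list (full-match, as Java does)."""
    return [s for s in suites if any(re.fullmatch(p, s) for p in patterns)]

def jetty_enabled(suites, patterns=ZIMBRA_SSL_EXCLUDE_CIPHER_SUITES):
    """Suite names that survive the exclude list, in their original order."""
    removed = set(jetty_excluded(suites, patterns))
    return [s for s in suites if s not in removed]

def openssl_exclusions(cipher_string):
    """Keywords the OpenSSL string bans with '!'; a '!' entry cannot be re-enabled later."""
    return [tok[1:] for tok in cipher_string.split(":") if tok.startswith("!")]

def rc4_banned_on_both_tiers(jsse_suites=JSSE_SAMPLE,
                             jetty_patterns=ZIMBRA_SSL_EXCLUDE_CIPHER_SUITES,
                             openssl_string=ZIMBRA_REVERSE_PROXY_SSL_CIPHERS):
    """True when no RC4 suite survives mailboxd's exclude list and nginx's string bans RC4."""
    jetty_ok = not any("_RC4_" in s for s in jetty_enabled(jsse_suites, jetty_patterns))
    return jetty_ok and "RC4" in openssl_exclusions(openssl_string)
```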

HTTP Strict Transport Security (HSTS)

The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Note: in 8.5 and 8.6 (before Patch5) this did not work because of a regression (ref: bug 98495).
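The two zmprov commands on this page (proxy and mailboxd) store slightly different Strict-Transport-Security values. As an added example, not Zimbra code, the following parses such a header value per RFC 6797 and reports the checks a reviewer would apply to it; it assumes the double quotes in the proxy value are nginx add_header quoting that is not sent to clients.

```python
# Added example (not Zimbra code): parse and check the Strict-Transport-Security
# values used on this page for proxy (zimbraReverseProxyResponseHeaders) and
# mailboxd (zimbraResponseHeader). Assumption: the double quotes around the proxy
# value are nginx add_header quoting, not sent to clients, so they are stripped.

PROXY_HEADER = 'Strict-Transport-Security: "max-age=31536000; includeSubdomains"'
MAILBOXD_HEADER = "Strict-Transport-Security: max-age=31536000"
ONE_YEAR = 31536000  # the max-age both zmprov commands use

def parse_hsts(header_line):
    """Parse an STS header; directive names are case-insensitive (RFC 6797)."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "strict-transport-security":
        raise ValueError("not an HSTS header: %r" % header_line)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # assumed nginx add_header quoting, see above
    out = {"max_age": None, "include_subdomains": False, "preload": False, "unknown": []}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        val = val.strip().strip('"')  # RFC 6797 also allows max-age="31536000"
        if not key:
            continue
        if key == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            out["max_age"] = int(val)
        elif key == "includesubdomains":
            out["include_subdomains"] = True
        elif key == "preload":
            out["preload"] = True
        else:
            out["unknown"].append(key)
    return out

def hsts_findings(header_line, min_age=ONE_YEAR):
    """Checks a reviewer applies: max-age present, non-zero, long enough; subdomains covered."""
    p = parse_hsts(header_line)
    findings = []
    if p["max_age"] is None:
        findings.append("max-age missing: browsers ignore the header")
    elif p["max_age"] == 0:
        findings.append("max-age=0: this clears HSTS state instead of enabling it")
    elif p["max_age"] < min_age:
        findings.append("max-age below %d seconds" % min_age)
    if not p["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay unprotected")
    return findings
```

Run against the two values above, the proxy header passes every check and the mailboxd header is flagged only for the missing includeSubDomains directive.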

saslauthd now on port 7073

As part of bug 97779, saslauthd now authenticates against a service listening on port 7073 instead of 7071. This port should be protected by a firewall and not exposed to the internet.

Multi-Domain Installation Enhancements

Enhancements that limit visibility across separate domains in a ZCS installation have been implemented:

  • bug 99825 ability to restrict visibility of public shares
  • bug 100524 ability to restrict sendAs / sendOnBehalfOf
Verified Against: Zimbra Collaboration 8.7
Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87
Date Modified: 2016-02-09


