Security/Collab/88: Difference between revisions

{{Archive}}{{BC|Certified}}
__FORCETOC__
<div class="col-md-12 ibox-content">

= Security Settings for Zimbra Collaboration 8.8 series =
{{KB|{{ZC}}|{{ZCS 8.8}}||}}

== Important: Upgrading from Older ZCS Versions ==
Defaults may change from version to version of ZCS. However, when upgrading, some settings may not be updated to the new recommended default, possibly because the settings had been customized, because of installer limitations/bugs, or because of concerns that changes may impact existing users/clients. As such, it is highly recommended that you revisit settings after upgrading to ensure that values are set as expected/desired in your environment and that security settings meet your requirements.

Depending upon the version you are upgrading from, you should (re)visit the security related recommendations and changes noted in earlier versions of this document ([[Security/Collab]], [[Security/Collab/86]], [[Security/Collab/87]]).
=== Neutralizing Mailsploit ===
As mentioned in the [[Security Center]], to avoid [https://www.mailsploit.com/ Mailsploit] (encoded From headers that make a client display a spoofed sender) it is recommended that all sites upgrading manually set '''zimbraPrefShortEmailAddress''' to '''FALSE''', so the web client shows the full sender address rather than only the display name. This is the default for new 8.8.7 installs; upgraded systems keep whatever value they already had, so check it rather than assume it.
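The following script is an added example for this section and is not code from the Zimbra wiki page or from the ZCS project. It makes the recommendation above checkable: it sets zimbraPrefShortEmailAddress to FALSE on every Class of Service only where it is not already FALSE, and then lists accounts that carry their own explicit TRUE, which a COS change does not override. It assumes it runs as the zimbra user on a mailbox/LDAP node and that the preference is settable at COS and account level with zmprov mc / zmprov ma (an assumption to verify against your release); the ZMPROV variable lets the zmprov command be replaced by a stub for offline testing.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page): enforce
# zimbraPrefShortEmailAddress=FALSE on every COS and report per-account
# TRUE overrides. Assumed: zimbra user, zmprov in PATH; ZMPROV may point
# at a stub for offline testing.
set -u
ZMPROV="${ZMPROV:-zmprov}"
ATTR=zimbraPrefShortEmailAddress

# Parse "zmprov gc <cos> <attr>" output, e.g.
#   # name default
#   zimbraPrefShortEmailAddress: TRUE
# Prints the upper-cased value, or UNSET when the attribute is absent.
attr_value() {
    awk -v attr="$1" '
        $1 == (attr ":") { v = toupper($2) }
        END { print (v == "" ? "UNSET" : v) }'
}

# 0 if the COS already has the safe value (FALSE), 1 otherwise.
cos_is_safe() {
    [ "$($ZMPROV gc "$1" "$ATTR" | attr_value "$ATTR")" = "FALSE" ]
}

# Set FALSE on one COS, skipping it when already FALSE (idempotent).
harden_cos() {
    if cos_is_safe "$1"; then
        echo "cos $1: already FALSE"
    else
        $ZMPROV mc "$1" "$ATTR" FALSE && echo "cos $1: set to FALSE"
    fi
}

# Walk every COS returned by "zmprov gac".
harden_all_cos() {
    for cos in $($ZMPROV gac); do
        harden_cos "$cos"
    done
}

# Accounts with an explicit TRUE on their own LDAP entry are not covered
# by the COS default: an LDAP search only matches values stored on the
# entry, so this lists exactly the overrides. Fix each one with:
#   zmprov ma <account> zimbraPrefShortEmailAddress FALSE
accounts_overriding_true() {
    $ZMPROV sa "($ATTR=TRUE)"
}

case "${1:-}" in
    check) for cos in $($ZMPROV gac); do
               cos_is_safe "$cos" && echo "cos $cos: FALSE" || echo "cos $cos: NOT FALSE"
           done ;;
    apply) harden_all_cos
           echo "accounts with an explicit TRUE override:"
           accounts_overriding_true ;;
esac
```

Run `sh mailsploit-pref.sh check` first to see which COSes still carry TRUE, then `apply`; the account list printed at the end is the part a COS-only change would have silently missed.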


== Recommended HTTP Headers ==
It is recommended to set most, if not all, of the following HTTP headers for most ZCS deployments. Take a little time to determine what makes the most sense in your deployment. Each header is stored as one value of the multi-valued global config attribute '''zimbraResponseHeader''' (the leading '''+''' on '''zmprov mcf''' appends a value rather than replacing the list), and mailboxd must be restarted ('''zmmailboxdctl restart''') before the new headers are sent.

Ref: https://www.owasp.org/index.php/List_of_useful_HTTP_headers
See: https://wiki.zimbra.com/wiki/Secopstips


=== Strict-Transport-Security (HSTS) ===
HTTP Strict-Transport-Security (HSTS) tells a browser that has seen the header to use only HTTPS (HTTP over TLS) for this host for the next max-age seconds (31536000 is one year), refusing plaintext HTTP and blocking click-through on certificate errors. Only add includeSubDomains if every subdomain is served over HTTPS, because clients cache the policy for the full max-age.
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
OR
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
=== X-XSS-Protection ===
Enables the reflected cross-site scripting (XSS) filter built into some older browsers. Firefox never implemented it and Chromium removed its filter in 2019, so treat this header as defence in depth for legacy clients and rely on a Content-Security-Policy for actual XSS mitigation:
  zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
=== X-Content-Type-Options ===
Prevents browsers (originally Internet Explorer and Google Chrome) from MIME-sniffing a response away from the declared Content-Type, e.g. treating an uploaded attachment served as text/plain as HTML or script:
  zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
=== Content-Security-Policy ===
ZCS does not contain a default Content-Security-Policy header ([https://bugzilla.zimbra.com/show_bug.cgi?id=58216 bug 58216]).  However, it is recommended to create one that meets the requirements of your site.
Useful references:
* https://www.youtube.com/watch?v=L97wtYCqfwM - Understanding CSP
* http://cspisawesome.com/ - online Content-Security-Policy generator
* http://caniuse.com/#search=ContentSecurityPolicy - check browser support
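The script below is an added example covering the four header sections above (HSTS, X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy); it is not code from the Zimbra wiki page or from the ZCS project. Its '''apply''' mode adds each recommended header to '''zimbraResponseHeader''' only when it is absent and refuses to append a second value for a header name that is already configured with a different value, since '''+''' appends and Jetty would then emit the header twice. Its '''check''' mode fetches the live response headers with curl and verifies them, warning rather than failing when no Content-Security-Policy is present because that policy is site-specific. The header values are the ones given in the sections above; the ZMPROV variable, the stub used in testing and the sample responses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki page): apply and verify the
# recommended ZCS response headers. Assumed: zimbra user, zmprov and curl
# in PATH; ZMPROV may point at a stub for offline testing.
set -u
ZMPROV="${ZMPROV:-zmprov}"

# Policy to enforce, one header per line. CSP is deliberately absent here:
# it is site-specific, so check_headers only warns when it is missing.
wanted_headers() {
    cat <<'EOF'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
EOF
}

# Values currently stored in the multi-valued global config attribute.
configured_headers() {
    $ZMPROV gcf zimbraResponseHeader | sed -n 's/^zimbraResponseHeader: //p'
}

# Add each wanted header unless present; flag a name that is set with a
# different value instead of appending a duplicate header.
apply_headers() {
    existing=$(configured_headers)
    wanted_headers | while IFS= read -r h; do
        name=${h%%:*}
        if printf '%s\n' "$existing" | grep -qxF "$h"; then
            echo "present:  $h"
        elif printf '%s\n' "$existing" | grep -qi "^$name:"; then
            echo "CONFLICT: $name is set with a different value; remove it first with" \
                 "zmprov mcf -zimbraResponseHeader \"<old value>\""
        else
            $ZMPROV mcf +zimbraResponseHeader "$h" && echo "added:    $h"
        fi
    done
    echo "run 'zmmailboxdctl restart' so mailboxd starts sending the new headers"
}

# Read raw HTTP response headers (as printed by curl -I) on stdin, print
# one FAIL line per missing or weak header, and return 1 if anything failed.
# Header names are case-insensitive, so everything is lower-cased first.
check_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0
    maxage=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$maxage" ]; then
        echo "FAIL: Strict-Transport-Security missing"; rc=1
    elif [ "$maxage" -lt 31536000 ]; then
        echo "FAIL: HSTS max-age $maxage is below one year (31536000)"; rc=1
    fi
    printf '%s\n' "$hdrs" | grep -q '^x-content-type-options: *nosniff' \
        || { echo "FAIL: X-Content-Type-Options: nosniff missing"; rc=1; }
    printf '%s\n' "$hdrs" | grep -q '^x-xss-protection: *1; *mode=block' \
        || { echo "FAIL: X-XSS-Protection: 1; mode=block missing"; rc=1; }
    printf '%s\n' "$hdrs" | grep -q '^content-security-policy:' \
        || echo "WARN: no Content-Security-Policy (ZCS ships none; define one for your site)"
    return $rc
}

# Live check against a host; -I asks for headers only.
fetch_headers() {
    curl -sS -I --max-time 10 "https://$1/"
}

case "${1:-}" in
    apply) apply_headers ;;
    check) fetch_headers "${2:?usage: $0 check <host>}" | check_headers ;;
esac
```

Run `sh zcs-headers.sh apply` on the mailbox server, restart mailboxd, then `sh zcs-headers.sh check mail.example.com` from outside the host; a CONFLICT line means an older value (for example HSTS without includeSubDomains) has to be removed with `zmprov mcf -zimbraResponseHeader "<old value>"` before the new one is added.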


{{Article Footer|Zimbra Collaboration 8.8|02/08/2018}}
See: https://wiki.zimbra.com/wiki/Cipher_suites
[[Category: Security]]

Latest revision as of 06:31, 24 August 2023 (KB 23652, last updated on 2023-08-24)