TLS/STARTTLS Localconfig Values: Difference between revisions
No edit summary |
No edit summary |
||
| Line 8: | Line 8: | ||
</pre> | </pre> | ||
For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to 0 if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted. | For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to 0 if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted. Additional performance tuning recommendations are available here: [[Performance_Tuning_Guidelines_for_Large_Deployments|Zimbra Performance Tuning]] | ||
<pre> | |||
$ zmlocalconfig -e zimbra_require_interprocess_security=0 | |||
</pre> | |||
*'''ldap_starttls_supported'''. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server. To disable use of starttls, set this command to 0. To enable use, change the setting to 1. | *'''ldap_starttls_supported'''. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server. To disable use of starttls, set this command to 0. To enable use, change the setting to 1. | ||
| Line 21: | Line 25: | ||
ldap_starttls_required = true | ldap_starttls_required = true | ||
</pre> | </pre> | ||
*'''ldap_common_require_tls'''. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using. | *'''ldap_common_require_tls'''. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using. | ||
Revision as of 19:58, 2 May 2011
The following are security-related localconfig values and their interaction to one another:
- zimbra_require_interprocess_security. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.
Default: zimbra_require_interprocess_security = 1
For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to 0 if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted. Additional performance tuning recommendations are available here: Zimbra Performance Tuning
$ zmlocalconfig -e zimbra_require_interprocess_security=0
- ldap_starttls_supported. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server. To disable use of starttls, set this command to 0. To enable use, change the setting to 1.
ldap_starttls_supported = 1
- ldap_starttls_required. LC key, Defaults to "true". Whether starttls is required for java ldap client when it establishes connections to the Zimbra ldap server
ldap_starttls_required = true
- ldap_common_require_tls. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.
ldap_common_require_tls = 0
