TLS/STARTTLS Localconfig Values: Difference between revisions

No edit summary
No edit summary
Line 1: Line 1:
{{WIP}}The following are security-related localconfig values and their interaction to one another:  
The following are security-related localconfig values and their interaction to one another:  


*'''zimbra_require_interprocess_security'''. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.
*'''zimbra_require_interprocess_security'''. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.

Revision as of 15:32, 18 March 2011

The following are security-related localconfig values and their interaction to one another:

  • zimbra_require_interprocess_security. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.
  • ldap_starttls_supported. Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server. To disable use of starttls, set this command to 0. To enable use, change the setting to 1.
  • ldap_common_require_tls. You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.
Jump to: navigation, search