TLS/STARTTLS Localconfig Values: Difference between revisions

TLS/STARTTLS LocalConfig Values

The following are security-related localconfig values and their interaction to one another:

• zimbra_require_interprocess_security. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.

Default:

zimbra_require_interprocess_security = 1

For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to 0 if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted. Additional performance tuning recommendations are available here: Zimbra Performance Tuning

$ zmlocalconfig -e zimbra_require_interprocess_security=0

• ldap_starttls_supported. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server. To disable use of starttls, set this command to 0. To enable use, change the setting to 1.

Default:

ldap_starttls_supported = 1

• ldap_starttls_required. LC key, Defaults to "true". Whether starttls is required for java ldap client when it establishes connections to the Zimbra ldap server

Default:

ldap_starttls_required = true

For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to "false" if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted:

$ zmlocalconfig -e ldap_starttls_required=false

• ldap_common_require_tls. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.

Default:

ldap_common_require_tls = 0

Related LDAP Authentication Settings

Also, if using external LDAP auth, check the following config option on the domain and servers. If authenticating across an insecure network, the servers and/or domains should be configured as the following:

$ zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE

If authenticating across a secure network - and if there is any significant latency in using LDAP STARTTLS for authentication - then this option can be set to FALSE:

$ zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE
or
$ zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE