Difference between revisions of "TLS/STARTTLS Localconfig Values"

(added History section, reformatted, updated descriptions and headings too)
Line 2: Line 2:
 
__FORCETOC__
 
__FORCETOC__
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
=TLS/STARTTLS LocalConfig Values=
+
= TLS/STARTTLS LocalConfig Values =
{{KB|{{Unsupported}}|{{ZCS 7.0}}|{{ZCS 6.0}}|}}
+
{{KB|{{ZC}}|{{ZCS 8.0}}|{{ZCS 7.0}}|{{ZCS 6.0}}||}}
 
{{WIP}}
 
{{WIP}}
The following are security-related localconfig values and their interaction to one another. They need to be run as the ''zimbra'' user.
+
The following are security-related localconfig values. They following commands are run as the user ''zimbra''.  Restarting ZCS is required for the localconfig changes to go into effect.
  
*'''zimbra_require_interprocess_security'''. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.
+
== zimbra_require_interprocess_security ==
 +
'''zimbra_require_interprocess_security''' - LC key, defaults to 1 (True).
  
Note: as of Zimbra 8.0.x and later, this value can safely be left to 1, as the use of the Unbound SDK in mailboxd allows secure LDAP communications to occur with efficiency. Only versions prior to ZCS8 should have this value set to 0.
+
This setting determines if ZCS requires SSL/TLS for inter-process communications, such as LDAP and SMTP. As of ZCS8, it is recommended that this is always left enabled.
 
 
ZCS8 or later, recommend to enable it:
 
  
 
  zmlocalconfig -e zimbra_require_interprocess_security=1
 
  zmlocalconfig -e zimbra_require_interprocess_security=1
  
Prior to ZCS8, may need to disable it:
+
Note: Versions prior to ZCS8 sometimes set this to 0 to work around limitation in the mechanisms that were used to talk to LDAP over TLS which could limit performance and connection fail-over.  Those issues were fixed in ZCS8.  If necessary, disable it with:
  
 
  zmlocalconfig -e zimbra_require_interprocess_security=0
 
  zmlocalconfig -e zimbra_require_interprocess_security=0
  
Additional performance tuning recommendations are available here: [[Performance_Tuning_Guidelines_for_Large_Deployments|Zimbra Performance Tuning]]
+
See also: [[Performance_Tuning_Guidelines_for_Large_Deployments|Zimbra Performance Tuning]]
  
*'''ldap_starttls_supported'''. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server.  
+
== ldap_starttls_supported ==
 +
'''ldap_starttls_supported''' - LC key, defaults to 1 (True).
  
Can generally always leave this enabled:
+
Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server.  It is recommended to leave this enabled:
  
 
  zmlocalconfig -e ldap_starttls_supported=1
 
  zmlocalconfig -e ldap_starttls_supported=1
  
*'''ldap_starttls_required'''. LC key, Defaults to "true". Whether starttls is required for java ldap client when it establishes connections to the Zimbra ldap server. For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to "false" if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted:
+
== ldap_starttls_required ==
 +
'''ldap_starttls_required''' - LC key, defaults to "true".
  
ZCS8 or later, recommend to enable it:
+
Determines if starttls is required for java LDAP clients when  connecting to the Zimbra LDAP server.  As of ZCS8, it is recommended that this is always left enabled.
  
 
  zmlocalconfig -e ldap_starttls_required=true
 
  zmlocalconfig -e ldap_starttls_required=true
  
Prior to ZCS8, may need to disable it:
+
Note: Similar to '''zimbra_require_interprocess_security''' above, if TLS is causing performance issues on older ZCS installations (before ZCS8), disable it with:
 
   
 
   
 
  zmlocalconfig -e ldap_starttls_required=false
 
  zmlocalconfig -e ldap_starttls_required=false
  
 +
== ldap_common_require_tls ==
 +
'''ldap_common_require_tls''' - LC key, defaults to "0".
 +
 +
Controls OpenLDAP's required Security Strength Factors (SSF) level, which is an indication of relative strength of protection. A SSF greater than one (>1) roughly correlates to the effective encryption key length. The value sets the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.
  
*'''ldap_common_require_tls'''. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.
+
To disable it (if not still at the default):
  
To disable it (by default it is already):
+
zmlocalconfig -e ldap_common_require_tls=0
<pre>
 
zmlocalconfig -e ldap_common_require_tls=0
 
</pre>
 
  
== Related LDAP Authentication Settings ==
+
= Related LDAP Authentication Settings =
  
Also, if using external LDAP auth, check the following config option on the domain and servers. If authenticating across an insecure network, the servers and/or domains should be configured as the following:
+
When using external LDAP auth, check the following config option on the domain and servers. As a security best practice, servers and/or domains should be configured as the following:
  
<pre>
+
zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
+
zimbraAuthLdapStartTlsEnabled: TRUE
zimbraAuthLdapStartTlsEnabled: TRUE
 
</pre>
 
  
If authenticating across a secure network - and if there is any significant latency in using LDAP STARTTLS for authentication - then this option can be set to FALSE:
+
In the rare event that authentication happens across a secure network '''and''' use of LDAP STARTTLS for authentication is causing performance problems, this option can be set to FALSE:
  
<pre>
+
zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE
zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE
 
</pre>
 
 
or
 
or
<pre>
+
zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE
zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE
+
 
</pre>
+
= History =
{{Article Footer|Zimbra Collaboration 7.0, 6.0|04/16/2014}}
+
The following bugs may be useful when looking back at how various SSL/TLS related settings have evolved in the product:
 +
* ZCS5 [https://bugzilla.zimbra.com/show_bug.cgi?id=24762 Bug 24762] zimbra_require_interprocess_security
 +
* ZCS5 [https://bugzilla.zimbra.com/show_bug.cgi?id=16601 bug 16601] ldap_starttls_supported
 +
* ZCS5 [https://bugzilla.zimbra.com/show_bug.cgi?id=29600 bug 29600] and [https://bugzilla.zimbra.com/show_bug.cgi?id=28814 bug 28814] ssl_allow_untrusted_certs and ssl_allow_mismatched_certs
 +
* ZCS6 [https://bugzilla.zimbra.com/show_bug.cgi?id=20739 bug 20739] ldap_require_tls
 +
* ZCS6 [https://bugzilla.zimbra.com/show_bug.cgi?id=20972 bug 20972] ldap_common_require_tls
 +
 
 +
{{Article Footer|Zimbra Collaboration 8.0, 7.0, 6.0|04/16/2014}}
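Review bot: the new introductory sentence carries a typo, "They following commands are run as the user ''zimbra''" should read "The following commands are run as the user ''zimbra''"; and in the zimbra_require_interprocess_security note, "work around limitation in the mechanisms that were used to talk to LDAP over TLS which could limit performance" needs "limitations" and a comma before "which". Both are in the added text of this revision and otherwise carry straight into the rendered article.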

Revision as of 18:23, 5 February 2016

TLS/STARTTLS LocalConfig Values

   KB 5766        Last updated on 2016-02-5  

The following are security-related localconfig values. The commands below are run as the zimbra user. Restarting ZCS is required for localconfig changes to take effect.

zimbra_require_interprocess_security

zimbra_require_interprocess_security - LC key, defaults to 1 (True).

This setting determines if ZCS requires SSL/TLS for inter-process communications, such as LDAP and SMTP. As of ZCS8, it is recommended that this is always left enabled.

zmlocalconfig -e zimbra_require_interprocess_security=1

Note: Versions prior to ZCS8 sometimes set this to 0 to work around limitations in the mechanisms then used to talk to LDAP over TLS, which could hurt performance and connection fail-over. Those issues were fixed in ZCS8. If necessary, disable it with:

zmlocalconfig -e zimbra_require_interprocess_security=0

See also: Zimbra Performance Tuning

ldap_starttls_supported

ldap_starttls_supported - LC key, defaults to 1 (True).

Declares whether the LDAP server supports STARTTLS, and therefore whether the LDAP clients in the mailbox server, Postfix, and Amavis use TLS to communicate with the LDAP server. It is recommended to leave this enabled:

zmlocalconfig -e ldap_starttls_supported=1

ldap_starttls_required

ldap_starttls_required - LC key, defaults to "true".

Determines whether STARTTLS is required for the Java LDAP client when connecting to the Zimbra LDAP server. As of ZCS8, it is recommended that this is always left enabled.

zmlocalconfig -e ldap_starttls_required=true

Note: Similar to zimbra_require_interprocess_security above, if TLS is causing performance issues on older ZCS installations (before ZCS8), disable it with:

zmlocalconfig -e ldap_starttls_required=false

ldap_common_require_tls

ldap_common_require_tls - LC key, defaults to "0".

Controls the minimum Security Strength Factor (SSF) that OpenLDAP requires for a connection; the SSF is a relative measure of the protection in use, and an SSF greater than 1 roughly corresponds to the effective encryption key length in bits. The value is the minimum SSF a connection must reach to be accepted. In general this will be 128, but it depends on the strength of your generated certificate and keys. Setting the LDAP log level to 256 shows the SSF that incoming connections are actually using, which tells you what minimum is safe to require.

To disable it (if it has been changed from the default of 0):

zmlocalconfig -e ldap_common_require_tls=0

Related LDAP Authentication Settings

When using external LDAP auth, check the following attribute on the domain and on the servers. As a security best practice, servers and/or domains should be configured as follows:

zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE

In the rare event that authentication happens across a secure network and use of LDAP STARTTLS for authentication is causing performance problems, this option can be set to FALSE:

zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE

or

zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE
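As an added example (not from the Zimbra wiki), the following POSIX shell script audits the four localconfig keys above and the zimbraAuthLdapStartTlsEnabled attribute against the values recommended for ZCS 8 and later. It assumes that `zmlocalconfig -s KEY...` prints one `key = value` line per key and that `zmprov gs`/`zmprov gd` prints `attribute: value` lines as shown above; the embedded sample output is constructed and stands in for a pre-ZCS8 server that was tuned for performance.

```shell
#!/bin/sh
# Added example; not Zimbra's own tooling. Audits the TLS-related localconfig
# keys and the zimbraAuthLdapStartTlsEnabled attribute described above against
# the values the article recommends for ZCS 8 and later.
#
# Assumed input formats (assumption, not shown on the page for every command):
#   zmlocalconfig -s KEY...                                  -> "key = value"
#   zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled     -> "attr: value"
# On a real server, as the zimbra user:
#   zmlocalconfig -s zimbra_require_interprocess_security ldap_starttls_supported \
#       ldap_starttls_required ldap_common_require_tls | audit_tls_localconfig
#   zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled | audit_auth_ldap_starttls

# Reads "key = value" lines from stdin; prints one verdict line per known key
# and returns 1 if any key deviates from the recommended value.
audit_tls_localconfig() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*=.*$//')
        val=$(printf '%s\n' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        case "$key" in
            zimbra_require_interprocess_security|ldap_starttls_supported) want=1 ;;
            ldap_starttls_required) want=true ;;
            ldap_common_require_tls)
                # 0 (the default) means OpenLDAP enforces no minimum SSF; any
                # other value is the minimum SSF, typically 128 with a strong cert.
                if [ "$val" = "0" ]; then
                    echo "INFO $key=$val (no minimum SSF enforced)"
                else
                    echo "INFO $key=$val (minimum SSF enforced)"
                fi
                continue ;;
            *) continue ;;   # keys this audit does not cover
        esac
        if [ "$val" = "$want" ]; then
            echo "OK $key=$val"
        else
            echo "WARN $key=$val (recommended $want)"
            rc=1
        fi
    done
    return $rc
}

# Reads "zimbraAuthLdapStartTlsEnabled: VALUE" lines (zmprov gs / gd output)
# and returns 1 unless the attribute is TRUE, i.e. unless external LDAP auth
# traffic is protected by STARTTLS.
audit_auth_ldap_starttls() {
    rc=1
    while IFS= read -r line; do
        case "$line" in
            zimbraAuthLdapStartTlsEnabled:*)
                val=$(printf '%s\n' "$line" | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
                if [ "$val" = "TRUE" ]; then
                    echo "OK zimbraAuthLdapStartTlsEnabled=$val"; rc=0
                else
                    echo "WARN zimbraAuthLdapStartTlsEnabled=$val (set to TRUE unless the auth LDAP path is a trusted network)"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed sample output (not captured from a real server): a pre-ZCS8
# host that was tuned for performance. It trips two warnings.
SAMPLE_LOCALCONFIG='zimbra_require_interprocess_security = 0
ldap_starttls_supported = 1
ldap_starttls_required = false
ldap_common_require_tls = 0'

printf '%s\n' "$SAMPLE_LOCALCONFIG" | audit_tls_localconfig || echo "localconfig audit found deviations"
printf 'zimbraAuthLdapStartTlsEnabled: TRUE\n' | audit_auth_ldap_starttls
```

The audit treats `ldap_common_require_tls` as informational rather than a pass/fail check because the article presents it as an optional minimum-SSF enforcement whose right value depends on your certificate strength, while the other three keys have a single recommended value on ZCS 8 and later.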

History

The following bugs may be useful when looking back at how various SSL/TLS related settings have evolved in the product:

Verified Against: Zimbra Collaboration 8.0, 7.0, 6.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=TLS/STARTTLS_Localconfig_Values Date Modified: 2016-02-05