TLS/STARTTLS Localconfig Values

Revision as of 15:09, 1 May 2011 by Thom (talk | contribs)

The following are the security-related localconfig values and how they interact with one another:

  • zimbra_require_interprocess_security. LC key, defaults to 1 (True). This value determines whether ZCS requires SSL/TLS for interprocess communications such as LDAP and SMTP. This is often not necessary, because customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.
zimbra_require_interprocess_security = 1
  • ldap_starttls_supported. LC key, defaults to 1 (True). Controls whether the LDAP server supports STARTTLS, and whether the LDAP clients in the mailbox server, Postfix, and Amavis use TLS when communicating with the LDAP server. To disable the use of STARTTLS, set this key to 0; to enable it, set it to 1.
ldap_starttls_supported = 1
  • ldap_starttls_required. LC key, defaults to "true". Whether STARTTLS is required for the Java LDAP client when it establishes connections to the Zimbra LDAP server.
ldap_starttls_required = true
  • ldap_common_require_tls. LC key, defaults to "0". You can force secured connections by setting a required SSF (security strength factor) with the ldap_common_require_tls localconfig key. The value is the minimum security strength to require for connections. In general this will be 128, but it depends on the strength of your generated certificate and keys. Set your LDAP log level to 256 to see what strength incoming connections are currently using.
ldap_common_require_tls = 0
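As an added example (not part of this wiki page or of ZCS itself), the following POSIX shell script audits the four keys above for combinations that weaken or contradict each other. It parses "key = value" lines of the form zmlocalconfig prints; the sample input embedded here is constructed, not captured from a real server, and the thresholds (STARTTLS expected when interprocess security is on, SSF floor of 128) are taken from the descriptions on this page.

```shell
#!/bin/sh
# Constructed sample of localconfig output ("key = value" lines), not
# taken from a real ZCS installation. Deliberately inconsistent:
# STARTTLS is required by the client but disabled on the server.
SAMPLE_LC='zimbra_require_interprocess_security = 1
ldap_starttls_supported = 0
ldap_starttls_required = true
ldap_common_require_tls = 0'

# lc_get KEY TEXT: print the value of KEY from "key = value" lines.
lc_get() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}

# lc_audit TEXT: print one finding per line; exit status is the number
# of findings (0 means the four keys are consistent and enforce TLS).
lc_audit() {
  text=$1
  findings=0
  ips=$(lc_get zimbra_require_interprocess_security "$text")
  sup=$(lc_get ldap_starttls_supported "$text")
  req=$(lc_get ldap_starttls_required "$text")
  ssf=$(lc_get ldap_common_require_tls "$text")
  # Treat a missing or non-numeric SSF as 0 (no floor enforced).
  case $ssf in ''|*[!0-9]*) ssf=0 ;; esac

  if [ "$req" = "true" ] && [ "$sup" != "1" ]; then
    echo "ldap_starttls_required=true but ldap_starttls_supported=${sup:-unset}: Java LDAP client demands STARTTLS the server does not offer"
    findings=$((findings + 1))
  fi
  if [ "$ips" = "1" ] && [ "$sup" != "1" ]; then
    echo "zimbra_require_interprocess_security=1 but ldap_starttls_supported=${sup:-unset}: LDAP traffic is not protected by STARTTLS"
    findings=$((findings + 1))
  fi
  if [ "$ips" = "0" ]; then
    echo "zimbra_require_interprocess_security=0: LDAP/SMTP between ZCS components is cleartext; acceptable only on a trusted internal network"
    findings=$((findings + 1))
  fi
  if [ "$ssf" -lt 128 ]; then
    echo "ldap_common_require_tls=$ssf: no 128-bit SSF floor enforced, weak or unencrypted LDAP connections are accepted"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Run against the constructed sample; on a live server feed it the
# output of zmlocalconfig for these four keys instead.
lc_audit "$SAMPLE_LC"
```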