TLS/STARTTLS LocalConfig Values

KB 5766	Last updated on 2015-07-13	Last updated by Jorge de la Cruz	0.00 (0 votes)	Verified in: ZCS 7.0 ZCS 6.0
- This article is a Community contribution and may include unsupported customizations.

KB 5766	Last updated on 2015-07-13
0.00 (0 votes)
- This article is a Community contribution and may include unsupported customizations.

The following are security-related localconfig values and their interaction to one another. They need to be run as the zimbra user.

• zimbra_require_interprocess_security. LC key, Defaults to 1 (True). This value determines if ZCS requires SSL/TLS for interprocess communications, such as LDAP and SMTP. This is often not necessary, as customer internal networks are often considered secure, and better performance can be achieved by setting this to 0 (False). Performance of internal LDAP queries and authentication is notably better when this is set to 0.

Note: as of Zimbra 8.0.x and later, this value can safely be left to 1, as the use of the Unbound SDK in mailboxd allows secure LDAP communications to occur with efficiency. Only versions prior to ZCS8 should have this value set to 0.

ZCS8 or later, recommend to enable it:

zmlocalconfig -e zimbra_require_interprocess_security=1

Prior to ZCS8, may need to disable it:

zmlocalconfig -e zimbra_require_interprocess_security=0

Additional performance tuning recommendations are available here: Zimbra Performance Tuning

• ldap_starttls_supported. LC key, Defaults to 1 (True). Enables/disables if the LDAP server supports STARTTLS, and whether the LDAP client in the mailbox server, Postfix, and Amavis servers use TLS to communicate with the LDAP server.

Can generally always leave this enabled:

zmlocalconfig -e ldap_starttls_supported=1

• ldap_starttls_required. LC key, Defaults to "true". Whether starttls is required for java ldap client when it establishes connections to the Zimbra ldap server. For performance reasons, related to the more efficient use of JNDI LDAP connections when not using SSL or STARTTLS, this option should be set to "false" if the internal network is trusted, and if LDAP queries by the mailstores to the LDAP replicas are not required to be encrypted:

ZCS8 or later, recommend to enable it:

zmlocalconfig -e ldap_starttls_required=true

Prior to ZCS8, may need to disable it:

zmlocalconfig -e ldap_starttls_required=false

• ldap_common_require_tls. LC key, defaults to "0". You can set the required SSF of connections to force secured connections using the ldap_common_require_tls localconfig key. The value to provide is the minimum security strength to require for connections. In general, this will be 128, but it depends on the strength of your generated cert/keys. You can view your ldap log level at 256 level to see what current strength incoming connections are using.

To disable it (by default it is already):

zmlocalconfig -e ldap_common_require_tls=0

Related LDAP Authentication Settings

Also, if using external LDAP auth, check the following config option on the domain and servers. If authenticating across an insecure network, the servers and/or domains should be configured as the following:

zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE

If authenticating across a secure network - and if there is any significant latency in using LDAP STARTTLS for authentication - then this option can be set to FALSE:

zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE

or

zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE