TLS/STARTTLS Localconfig Values
The following localconfig values are security-related. The commands below are run as the zimbra user, and ZCS must be restarted for localconfig changes to take effect.
zimbra_require_interprocess_security - LC key, defaults to 1 (True).
This setting determines whether ZCS requires SSL/TLS for inter-process communication, such as the connections to LDAP and SMTP. As of ZCS8, it is recommended that this always be left enabled.
zmlocalconfig -e zimbra_require_interprocess_security=1
Note: Versions prior to ZCS8 sometimes set this to 0 to work around limitations in the mechanisms then used to talk to LDAP over TLS, which hurt performance and connection fail-over. Those issues were fixed in ZCS8. If you must disable it on an older installation:
zmlocalconfig -e zimbra_require_interprocess_security=0
See also: Zimbra Performance Tuning
ldap_starttls_supported - LC key, defaults to 1 (True).
Sets whether the LDAP server supports STARTTLS, and whether the LDAP clients in the mailbox server, Postfix and Amavis use TLS when talking to the LDAP server. It is recommended to leave this enabled:
zmlocalconfig -e ldap_starttls_supported=1
ldap_starttls_required - LC key, defaults to "true".
Determines whether STARTTLS is required for Java LDAP clients when connecting to the Zimbra LDAP server. As of ZCS8, it is recommended that this always be left enabled.
zmlocalconfig -e ldap_starttls_required=true
Note: As with zimbra_require_interprocess_security above, if TLS is causing performance problems on an older installation (before ZCS8), disable it with:
zmlocalconfig -e ldap_starttls_required=false
ldap_common_require_tls - LC key, defaults to "0".
Controls OpenLDAP's required Security Strength Factor (SSF), a relative measure of the protection on a connection: 0 means no protection, 1 means integrity protection only, and an SSF greater than one roughly corresponds to the effective encryption key length in bits. The value sets the minimum SSF that OpenLDAP will accept for a connection. In general this will be 128, but it depends on the strength of your generated certificate and keys. With the LDAP log level set to 256 (stats), the LDAP log shows the SSF negotiated by each incoming connection; check it before raising this value, because clients that cannot negotiate the required SSF will have their operations rejected.
To disable it (if it is not still at the default):
zmlocalconfig -e ldap_common_require_tls=0
Related LDAP Authentication Settings
When using external LDAP authentication, check the following option on the domain and on the servers. As a security best practice, servers and/or domains should report it enabled:
zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled
zimbraAuthLdapStartTlsEnabled: TRUE
In the rare event that authentication traffic crosses only a trusted network and LDAP STARTTLS for authentication is causing performance problems, the option can be set to FALSE on the server or the domain:
zmprov ms `zmhostname` zimbraAuthLdapStartTlsEnabled FALSE
zmprov md example.com zimbraAuthLdapStartTlsEnabled FALSE
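The following audit helper is an added example and not part of Zimbra or of this page's original content. It parses saved output of `zmlocalconfig` ("key = value" lines) and of `zmprov gs <server>` ("attr: value" lines), compares the localconfig keys and the zimbraAuthLdapStartTlsEnabled attribute discussed above with the recommended values, and prints the zmlocalconfig -e commands needed to fix any weak key. The recommended values, the treatment of ldap_common_require_tls as an informational SSF rather than a pass/fail check, and the two sample inputs are assumptions constructed from this page.

```shell
#!/bin/sh
# Added audit helper (not Zimbra's own code). Parses saved output of
# `zmlocalconfig` ("key = value") and `zmprov gs <server>` ("attr: value")
# and compares the TLS/STARTTLS settings with the recommended values.
# The recommended values and the sample inputs are assumptions from this page.

# lc_value KEY: print the value of KEY from "key = value" text on stdin.
lc_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }'
}

# attr_value ATTR: print the value of ATTR from zmprov "attr: value" text on stdin.
attr_value() {
    awk -v k="$1:" '$1 == k { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_tls_localconfig: read zmlocalconfig output on stdin, print one line
# per key and, for every weak key, the zmlocalconfig -e command that fixes it.
# Returns 1 if anything is weak, 0 otherwise.
audit_tls_localconfig() {
    cfg=$(cat)
    rc=0
    fixes=""
    for spec in \
        zimbra_require_interprocess_security=1 \
        ldap_starttls_supported=1 \
        ldap_starttls_required=true
    do
        key=${spec%%=*}
        want=${spec#*=}
        have=$(printf '%s\n' "$cfg" | lc_value "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key = $have"
        else
            echo "WEAK $key = ${have:-<unset>} (recommended: $want)"
            fixes="$fixes
zmlocalconfig -e $spec"
            rc=1
        fi
    done
    # ldap_common_require_tls is a minimum SSF, not a boolean: 0 means
    # OpenLDAP enforces no minimum; the right non-zero value depends on the
    # deployment, so it is reported rather than judged.
    ssf=$(printf '%s\n' "$cfg" | lc_value ldap_common_require_tls)
    echo "info ldap_common_require_tls = ${ssf:-0} (minimum SSF; 0 = not enforced)"
    [ -n "$fixes" ] && printf 'Fix as the zimbra user, then restart ZCS:%s\n' "$fixes"
    return $rc
}

# audit_auth_ldap_starttls: read `zmprov gs <server>` (or gd <domain>) output
# on stdin; returns 0 only if zimbraAuthLdapStartTlsEnabled is TRUE.
audit_auth_ldap_starttls() {
    v=$(attr_value zimbraAuthLdapStartTlsEnabled)
    if [ "$v" = "TRUE" ]; then
        echo "ok   zimbraAuthLdapStartTlsEnabled = TRUE"
        return 0
    fi
    echo "WEAK zimbraAuthLdapStartTlsEnabled = ${v:-<unset>} (external LDAP auth without STARTTLS)"
    return 1
}

# Constructed sample: a host with the recommended values.
SAMPLE_HARDENED='zimbra_require_interprocess_security = 1
ldap_starttls_supported = 1
ldap_starttls_required = true
ldap_common_require_tls = 128'

# Constructed sample: a host where the pre-ZCS8 workaround was never reverted.
SAMPLE_WEAK='zimbra_require_interprocess_security = 0
ldap_starttls_supported = 1
ldap_starttls_required = false
ldap_common_require_tls = 0'

# Constructed sample of `zmprov gs mail.example.com zimbraAuthLdapStartTlsEnabled`.
SAMPLE_ZMPROV='# name mail.example.com
zimbraAuthLdapStartTlsEnabled: FALSE'

# Run against the samples. On a real host, as zimbra:
#   zmlocalconfig | audit_tls_localconfig
#   zmprov gs `zmhostname` zimbraAuthLdapStartTlsEnabled | audit_auth_ldap_starttls
printf '%s\n' "$SAMPLE_WEAK" | audit_tls_localconfig || echo "=> localconfig needs hardening"
printf '%s\n' "$SAMPLE_ZMPROV" | audit_auth_ldap_starttls || echo "=> enable STARTTLS for external LDAP auth"
```

The helper reads saved output rather than calling zmlocalconfig or zmprov itself, so it can be run against configuration collected from several hosts without zimbra privileges on the machine doing the review.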
The following bugs may be useful when looking back at how the various SSL/TLS-related settings have evolved in the product:
- ZCS5 bug 24762 zimbra_require_interprocess_security
- ZCS5 bug 16601 ldap_starttls_supported
- ZCS5 bug 29600 and bug 28814 ssl_allow_untrusted_certs and ssl_allow_mismatched_certs
- ZCS6 bug 20739 ldap_require_tls
- ZCS6 bug 20972 ldap_common_require_tls