
Security Settings for Zimbra Collaboration 8.6 series

   KB 21371        Last updated on 05/23/2016  


Important: Upgrading from Older ZCS Versions

Defaults may change from one ZCS version to the next. However, when upgrading, some settings may not be updated to the new recommended default: the settings may have been customized, the installer may have limitations or bugs, or there may be concerns that a change would impact existing users or clients. It is therefore highly recommended that you revisit these settings after upgrading to ensure that the values are set as expected in your environment and that the security settings meet your requirements.

Proxy

Ciphers

The single valued zimbraReverseProxySSLCiphers attribute configures what cipher suites the nginx proxy will allow to be negotiated over SSL. This affects HTTPS when the web proxy is enabled, and POP and IMAP when the mail proxy is enabled. It is only possible to set this value in globalconfig.

The current recommended setting is the following (it removes RC4 from the 8.6 default):

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

It can be set using the zmprov mcf command:

$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
$ zmproxyctl restart # on all proxies

Ciphers: Potential Impacts

  • To support some older clients, like Outlook 2011 for Mac, one would need to remove the !3DES from this setting (see: bug 97232).
  • For 8.7, !RC4 will be in the default value for zimbraReverseProxySSLCiphers, and an upgrade step will update the key if it has not been changed from the old default (ref: bug 96852).
    • Note: with the "Bar Mitzvah" attack [1], it is definitely now recommended to disable RC4 on all Zimbra ZCS versions.
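
The following is an added example, not Zimbra code, that tokenises a zimbraReverseProxySSLCiphers value and checks it for the exclusions recommended above (including the !RC4 that the 8.6 default lacks) and for any weak suite listed positively. It does not expand aliases such as HIGH or kEDH+AESGCM; the authoritative list of suites a spec selects comes from openssl ciphers -v on the proxy host. The weaker spec in WEAK_SPEC_EXAMPLE is constructed for the demonstration and is not a real Zimbra default.

```python
"""Static audit of an OpenSSL-style cipher string (added example)."""

# Recommended 8.6 value copied from this page.
RECOMMENDED_8_6 = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)

# Constructed example of a weaker spec (not a real Zimbra default).
WEAK_SPEC_EXAMPLE = "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!MD5"

# '!' exclusions the recommended value carries; !RC4 is the one added for 8.6.
REQUIRED_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "MD5", "PSK", "RC4"}

# Substrings that mark a positively listed suite or alias as weak.
# "DES-CBC-SHA" is single DES; 3DES suites are spelled "DES-CBC3-SHA".
WEAK_MARKERS = ("RC4", "MD5", "EXPORT", "NULL", "DES-CBC-SHA")


def parse_cipher_spec(spec):
    """Split an OpenSSL cipher string into its three kinds of tokens.

    Returns (positive, hard_excluded, soft_removed):
      positive      - suites/aliases listed in order ("AES128", "HIGH", ...)
      hard_excluded - names after '!' (can never be re-added later in the string)
      soft_removed  - names after '-' (removed, but a later token may re-add them)
    '+' tokens only reorder the list and are ignored here.
    """
    positive, hard, soft = [], set(), set()
    for token in spec.replace(",", ":").split(":"):
        token = token.strip()
        if not token or token.startswith("+"):
            continue
        if token.startswith("!"):
            hard.add(token[1:])
        elif token.startswith("-"):
            soft.add(token[1:])
        else:
            positive.append(token)
    return positive, hard, soft


def audit_cipher_spec(spec):
    """Return a list of findings; an empty list means the spec passes."""
    positive, hard, soft = parse_cipher_spec(spec)
    findings = []
    for name in sorted(REQUIRED_EXCLUSIONS - hard):
        findings.append("missing hard exclusion !%s" % name)
    for name in sorted(soft & REQUIRED_EXCLUSIONS):
        findings.append("-%s is only a soft removal; use !%s" % (name, name))
    for suite in positive:
        if any(marker in suite.upper() for marker in WEAK_MARKERS):
            findings.append("weak suite or alias listed: " + suite)
    if "3DES" in hard:
        # Interoperability note from this page, not a weakness.
        findings.append("!3DES present: clients such as Outlook 2011 for Mac may fail (bug 97232)")
    return findings


if __name__ == "__main__":
    for label, spec in (("recommended", RECOMMENDED_8_6), ("weak", WEAK_SPEC_EXAMPLE)):
        print(label, audit_cipher_spec(spec) or "OK")
```

Run it against the output of zmprov gcf zimbraReverseProxySSLCiphers after an upgrade: the recommended value yields no findings, while the constructed weak spec reports the five missing exclusions plus the positively listed RC4-SHA.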

Protocols

The multi-valued attribute controlling the acceptable TLS protocol versions to be used by the nginx proxy is zimbraReverseProxySSLProtocols. It can be set at both the globalconfig and server level.

The current recommended values for this attribute are:

TLSv1
TLSv1.1
TLSv1.2

The values can be modified to either add or remove a protocol:

zmprov mcf +zimbraReverseProxySSLProtocols protocol  # add a protocol at the globalconfig level
zmprov mcf -zimbraReverseProxySSLProtocols protocol  # remove a protocol at the globalconfig level

If individual servers need different protocol settings, set the values at the server level:

zmprov ms hostname +zimbraReverseProxySSLProtocols protocol  # add a protocol at the server level
zmprov ms hostname -zimbraReverseProxySSLProtocols protocol  # remove a protocol at the server level

Mailboxd (Jetty)

Ciphers

The multi-valued attributes controlling the acceptable TLS ciphers to be used by mailboxd are zimbraSSLExcludeCipherSuites and zimbraSSLIncludeCipherSuites. They can be set at the globalconfig level.

zimbraSSLExcludeCipherSuites
List of excluded cipher suites for Jetty.

zimbraSSLIncludeCipherSuites
List of included cipher suites for Jetty. If any value is set, only these ciphers will be used, in effect superseding zimbraSSLExcludeCipherSuites. Controlling the cipher suite order will be handled as part of bug 96928.

Default zimbraSSLExcludeCipherSuites settings in 8.6.0 (changing defaults to be addressed in bug 96921):

SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Recommended additional exclusion (* may break compatibility with clients of limited capability):

.*_(3DES|RC4)_.*

Ciphers: Potential Impacts

  • Excluding RC4 will likely cause problems for Windows XP users, and possibly other old clients.
  • Keeping 3DES may still be desirable for interoperability with old clients, including Outlook 2011 for Mac.
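
The following is an added example, not Zimbra or Jetty code, that models how zimbraSSLExcludeCipherSuites and zimbraSSLIncludeCipherSuites shape the Jetty cipher list as described above: patterns are Java-style regular expressions matched against the whole JSSE suite name, so a plain name such as SSL_RSA_WITH_DES_CBC_SHA matches only itself, and any include value supersedes the exclude list. SAMPLE_JSSE_SUITES is a constructed subset of the names a JVM offers.

```python
"""Model of the Jetty include/exclude cipher selection (added example)."""
import re

# Constructed sample of JSSE suite names; a real JVM offers many more.
SAMPLE_JSSE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]

# 8.6.0 default zimbraSSLExcludeCipherSuites values, from this page.
DEFAULT_EXCLUDES_8_6 = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA",
    "SSL_DHE_DSS_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
]

# Recommended additional exclude pattern, from this page.
RECOMMENDED_EXCLUDE = r".*_(3DES|RC4)_.*"


def _matches_any(name, patterns):
    """True if the suite name fully matches any pattern (literal names match themselves)."""
    return any(re.fullmatch(p, name) for p in patterns)


def select_cipher_suites(available, include_patterns=(), exclude_patterns=()):
    """Return the suites Jetty would enable.

    If any include pattern is set, only suites matching an include are used
    and the exclude list is superseded (the behaviour this page describes).
    Otherwise every suite matching an exclude pattern is dropped.
    """
    if include_patterns:
        return [s for s in available if _matches_any(s, include_patterns)]
    return [s for s in available if not _matches_any(s, exclude_patterns)]


if __name__ == "__main__":
    print("8.6.0 defaults:", select_cipher_suites(SAMPLE_JSSE_SUITES, exclude_patterns=DEFAULT_EXCLUDES_8_6))
    print("with recommended exclusion:",
          select_cipher_suites(SAMPLE_JSSE_SUITES, exclude_patterns=DEFAULT_EXCLUDES_8_6 + [RECOMMENDED_EXCLUDE]))
```

With the 8.6.0 defaults alone, the 3DES and RC4_128 suites in the sample survive; adding the recommended pattern drops both, which is exactly the interoperability trade-off for Windows XP and Outlook 2011 for Mac users noted above.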


Protocols

zimbraMailboxdSSLProtocols
Contains a list of SSL/TLS protocols (as documented by SunJSSE Provider Protocols and used in setEnabledProtocols) to be enabled in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP).

The current recommended values for this attribute are:

TLSv1
TLSv1.1
TLSv1.2

Please note that, due to bug 99934, zimbraMailboxdSSLProtocols is not applied when NIO is disabled. This will be fixed in 8.7.0.

Protocols: Potential Impacts

  • Adding SSLv2Hello may be desirable for interoperability with old clients, including Outlook 2011 for Mac and clients using Java 6 (see: bug 97332). Please note: enabling SSLv2Hello does not mean that the server actually allows SSLv2; it means that the server accepts the SSLv2Hello "introduction" before switching to TLSv1 or greater. One known downside of SSLv2Hello is that it does not support the Server Name Indication TLS extension.

See also: http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

HTTP Strict Transport Security (HSTS) (requires at least 8.6 Patch5)

The configuration key, 'zimbraResponseHeader', can be used to set the HSTS header. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Note: in 8.5 and 8.6 (before 8.6 Patch5), setting zimbraResponseHeader has no effect due to a regression identified in bug 98495.
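
Because the setting silently has no effect on the affected versions, the only reliable check is the header the server actually returns. The following is an added example, not Zimbra code: it parses a Strict-Transport-Security value per RFC 6797 and reports whether a set of raw response header lines (here constructed; in practice the output of curl -sI against the proxy) carries the header with the intended max-age.

```python
"""Validate the HSTS header a server returns (added example)."""

# Constructed response headers, as a proxy with the setting above would send.
SAMPLE_HEADERS_OK = [
    "HTTP/1.1 200 OK",
    "Server: nginx",
    "Strict-Transport-Security: max-age=31536000",
    "Content-Type: text/html",
]
# Constructed response from a server where the setting had no effect.
SAMPLE_HEADERS_MISSING = ["HTTP/1.1 200 OK", "Server: nginx", "Content-Type: text/html"]


def parse_hsts(value):
    """Parse an HSTS header value per RFC 6797.

    Returns a dict of lower-cased directive names to values (the empty
    string for valueless directives such as includeSubDomains), or None if
    the value is malformed: a directive repeated, or max-age missing or
    non-numeric.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if not name or name in directives:
            return None
        directives[name] = val
    if not directives.get("max-age", "").isdigit():
        return None
    return directives


def check_hsts(header_lines, min_age=31536000):
    """Return a list of problems found in raw response header lines; empty means OK."""
    values = [line.partition(":")[2].strip()
              for line in header_lines
              if line.split(":", 1)[0].strip().lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header in response"]
    if len(values) > 1:
        # RFC 6797 section 8.1: user agents process only the first STS field.
        return ["multiple Strict-Transport-Security headers; clients use only the first"]
    parsed = parse_hsts(values[0])
    if parsed is None:
        return ["malformed Strict-Transport-Security value: " + values[0]]
    problems = []
    age = int(parsed["max-age"])
    if age < min_age:
        problems.append("max-age %d is below %d" % (age, min_age))
    return problems


if __name__ == "__main__":
    print("ok sample:", check_hsts(SAMPLE_HEADERS_OK) or "OK")
    print("missing sample:", check_hsts(SAMPLE_HEADERS_MISSING))
```

The min_age default matches the one-year value used in the zmprov command above; lower it only if you deliberately chose a shorter max-age while rolling HSTS out.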

LDAP

The single-valued localconfig attributes controlling the acceptable TLS protocol versions and ciphers to be used by the OpenLDAP server are ldap_common_tlsprotocolmin and ldap_common_tlsciphersuite.

Protocols

ldap_common_tlsprotocolmin
Specifies the minimum SSL/TLS protocol version that will be negotiated. To require TLS 1.x or higher, set this option to 3.(x+1); e.g., a value of 3.2 would require TLS 1.1.

Ciphers

ldap_common_tlsciphersuite
Configures which ciphers will be accepted and their preference order for OpenSSL. To check what ciphers a given spec selects in OpenSSL, use: openssl ciphers -v cipher-suite-spec

The current recommended values for these localconfig settings are:

ldap_common_tlsprotocolmin = "3.1"
ldap_common_tlsciphersuite = "MEDIUM:HIGH"

For more details see olcTLSCipherSuite and olcTLSProtocolMin in the OpenLDAP man page for slapd-config(5).

MTA

Protocols

The current recommended values for the MTA's protocol attributes are:

zimbraMtaSmtpdTlsProtocols = !SSLv2, !SSLv3
zimbraMtaLmtpTlsProtocols  = !SSLv2, !SSLv3

However, please note that bug 97186 exists to address the lack of controls for the mandatory TLS protocol settings in Postfix:

zimbraMtaSmtpdTlsMandatoryProtocols (smtpd_tls_mandatory_protocols)
zimbraMtaSmtpTlsMandatoryProtocols  (smtp_tls_mandatory_protocols)
zimbraMtaLmtpTlsMandatoryProtocols  (lmtp_tls_mandatory_protocols)

Ciphers

The current recommended values for the MTA's *Ciphers attributes are (the settings represent the minimum cipher grade allowed, ref smtp_tls_ciphers):

zimbraMtaLmtpTlsCiphers = medium                # default is export
zimbraMtaLmtpTlsMandatoryCiphers = medium
zimbraMtaSmtpTlsCiphers = medium                # default is export
zimbraMtaSmtpTlsMandatoryCiphers = medium
zimbraMtaSmtpdTlsCiphers = medium               # default is export
zimbraMtaSmtpdTlsMandatoryCiphers = medium

For more details on Postfix TLS settings see http://www.postfix.org/TLS_README.html and http://www.postfix.org/postconf.5.html

Note that one may argue that using 'medium' over 'export' for the *TlsCiphers settings is reasonable or even preferable, since TLS is optional in that case. However, in light of the FREAK (https://freakattack.com/) and Logjam (https://weakdh.org/) attacks, it may also be argued that using ciphers lower than 'medium' now provides only an illusion of security. With this in mind, our current recommendation is to avoid both 'export' and 'low' ciphers, with the hope that these ciphers age out quickly.

Addendum

CVE-2016-2107

See bug 104130, comment #19 for a discussion on a possible workaround for the padding oracle in AES-NI CBC MAC check (CVE-2016-2107), if that issue impacts your operating environment.

Notes from 8.5 (Jetty)

The following changes from 8.5 may also be of interest:

  • bug 85697 Disable Zimlet JSP by default
    • New config variable, zimbraZimletJspEnabled (default FALSE), controls whether or not JSP compilation/use is supported by the /zimlet webapp.
  • bug 89054 Support specifying list of SSL ciphers for mailboxd
    • New config variable, zimbraSSLIncludeCipherSuites (default empty)
  • bug 83547 CSRF protections
    • New config variable, zimbraCsrfTokenCheckEnabled (default TRUE)
    • New config variable, zimbraCsrfRefererCheckEnabled (default TRUE)


Verified Against: Zimbra Collaboration 8.6 Date Created: 12/12/2014
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/86 Date Modified: 05/23/2016
