Zimbra SkillZ: Using Zimbra with Strong TLS Configuration – Get an A+, No Weak Cyphers

Hello Zimbra Customers, Partners & Friends,

Transport Layer Security (TLS) encrypts data sent over the internet to ensure that eavesdroppers and hackers can’t see what you transmit. This is particularly useful for private and sensitive information such as passwords, credit card numbers and personal correspondence. To learn more about TLS, https://www.internetsociety.org/deploy360/tls/basics

This blog shows you how to configure Zimbra to use only strong encryption ciphers for TLS.

Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers

Since encryption is always evolving, we recommend that you use Mozilla SSL Config generator available here: https://ssl-config.mozilla.org/

Select Intermediate and Nginx (Zimbra proxy is based on Nginx). As of this blog post, this will select nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest supported clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.

From the generated config file copy the value from ssl_ciphers:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

 

Configuring Zimbra

Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:

zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3

zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

zmproxyctl restart

 

Also configure the Zimbra mailbox to allow the use of TLSv1.3. In a text editor, open /opt/zimbra/conf/localconfig.xml find the line mailboxd_java_options and set TLSv1.2,TLSv1.3 in https.protocols and jdk.tls.client.protocols.

Example result:

<key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>

 

Then restart mailbox, or reboot your server:

zmmailboxdctl restart

 

Generate DH parameters

Generating DH parameter improves key exchange and mitigates against Logjam attack. Run as Zimbra user. Further reading: https://weakdh.org/

su - zimbra
/opt/zimbra/common/bin/openssl dhparam -out /opt/zimbra/conf/dhparam.pem.zcs 3072
zmprov mcf zimbraSSLDHParam /opt/zimbra/conf/dhparam.pem.zcs

Reboot the server.

Configure additional HTTP headers

The following headers will:

  • Enable HTTP Strict Transport Security (HSTS)
  • Disable search indexing of your server by Google et al
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
zmmailboxdctl restart

 

Validate your settings online using SSL Labs

Go to https://www.ssllabs.com/ssltest/analyze.html and enter the domain name of your Zimbra server. If you followed the steps above, you should receive an A+ score and there shouldn’t be any mention of weak ciphers in the report. In the report take a look at the client devices listed under Handshake Simulation for an idea of the devices your users can use to connect to your Zimbra server. Also validate there are no weak ciphers listed under Cipher Suites.

Thanks,

Your Zimbra Team

, ,

No comments yet.

Leave a Reply