Zimbra SkillZ: Using Zimbra with Strong TLS Configuration – Get an A+, No Weak Cyphers

Hello Zimbra Customers, Partners & Friends,

Transport Layer Security (TLS) encrypts data sent over the Internet so
that eavesdroppers and attackers cannot read what you transmit. This is
particularly important for private and sensitive information such as
passwords, credit card numbers, and personal correspondence. (Further
reading: https://www.internetsociety.org/deploy360/tls/basics)

In this article you will learn how to configure Zimbra to use only
strong encryption ciphers for TLS.

Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers

Since TLS best practices keep evolving, it is recommended to use the
Mozilla SSL Configuration Generator, which you can find at
https://ssl-config.mozilla.org/

Select Intermediate and Nginx (Zimbra proxy is based on Nginx). At the
time of writing this article, this selects nginx 1.17.7 and OpenSSL
1.1.1d. The tool also reports the oldest supported clients that work
with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE
11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.

From the generated config file copy the value from ssl_ciphers:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

Configuring Zimbra Proxy Nginx

Configure Zimbra to use the above ciphers, and enable TLSv1.2 and
TLSv1.3 like this:

zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3

zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

zmproxyctl restart

Configuring Zimbra Mailbox

Also configure the Zimbra mailbox to allow the use of TLSv1.3. Open
/opt/zimbra/conf/localconfig.xml in a text editor, find the
mailboxd_java_options key, and set TLSv1.2,TLSv1.3 in both
https.protocols and jdk.tls.client.protocols. Example result:

<key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>

Then restart mailbox, or reboot your server:

zmmailboxdctl restart

Configure additional HTTP headers

The following headers will:

  • Enable HTTP Strict Transport Security (HSTS)

  • Stop browsers from MIME-sniffing responses (X-Content-Type-Options: nosniff)

  • Disable search indexing of your server by Google et al.

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
zmmailboxdctl restart

DH parameters

Use the pre-defined DHE groups recommended by IETF RFC 7919.

Further reading:

wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem
su - zimbra
zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem

Reboot the server.

Configuring Zimbra MTA Postfix

Postfix traffic is not routed through Zimbra proxy. The commands below
show how to configure the Zimbra MTA to use only strong TLS ciphers. In
2021 not all mail servers on the Internet support encryption, so for
maximum compatibility it is still recommended to use opportunistic TLS,
which means you can still receive email over unencrypted connections.
You can set zimbraMtaTlsSecurityLevel to encrypt to force the use of
TLS, but this will result in mail delivery issues.

To test the current state of the MTA run from the MTA:

nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com

The last line of the output with the Zimbra default config is: least strength: F

You can also check a single protocol version directly with openssl, for
example TLSv1.1 (accepted by the default config):

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1

Then the following configuration removes weak ciphers and disables some
Postfix options that are considered insecure.

Find the current list of ciphers for Postfix via:

Configure it in Zimbra using:

zmprov mcf zimbraMtaSmtpdTlsCiphers medium
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers medium
zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
zmprov mcf zimbraMtaTlsSecurityLevel may
postconf -e fast_flush_domains=""
postconf -e smtpd_etrn_restrictions=reject
postconf -e disable_vrfy_command=yes
postconf -e tls_medium_cipherlist="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
postconf -e tls_preempt_cipherlist=no

zmprov gs `zmhostname` zimbraMtaTlsAuthOnly
zmprov ms `zmhostname` zimbraMtaTlsAuthOnly TRUE # if not already (this is default)
zmmtactl restart

It is very important that tls_medium_cipherlist is set: setting just
medium or high in zimbraMtaSmtpdTlsCiphers/zimbraMtaSmtpdTlsMandatoryCiphers
will not work, because these grades only select the list named by
tls_medium_cipherlist (or tls_high_cipherlist), which otherwise keeps
Postfix's default contents.

The above config was tested with email from Gmail (uses TLS), Ubuntu 20
Postfix (uses TLS), from Zimbra itself (uses LMTP) and
http://ismyemailworking.com/ (uses plain text); all of these work.
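The cipher lists given to zimbraReverseProxySSLCiphers above and to tls_medium_cipherlist here can be audited before you apply them. The following Python script is an added example, not part of the article or of Zimbra: it classifies each suite from its OpenSSL name and flags aliases such as medium or HIGH, which cannot be audited by name (the point of the warning above).

```python
"""Added example (not from the Zimbra article): audit an OpenSSL cipher
string such as the one the article puts into zimbraReverseProxySSLCiphers
and Postfix tls_medium_cipherlist. Suites are classified by their names."""
import re

# The list the Mozilla generator produced in the article (OpenSSL TLS 1.2 names).
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# OpenSSL suite name: [kx-][auth-]cipher[-mode][-mac]; no kx prefix means RSA key transport.
SUITE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE|AECDH|ADH|ECDH|DH)-)?(?:(?P<au>ECDSA|RSA|DSS)-)?"
    r"(?P<enc>AES128|AES256|CHACHA20|CAMELLIA128|CAMELLIA256|DES-CBC3|DES-CBC|RC4|NULL)"
    r"(?:-(?P<mode>GCM|CCM8|CCM|POLY1305))?(?:-(?P<mac>SHA256|SHA384|SHA|MD5))?$"
)
AEAD_MODES = ("GCM", "CCM", "CCM8", "POLY1305")
WEAK_ENC = ("RC4", "DES-CBC", "DES-CBC3", "NULL")


def audit_cipher_string(cipher_string):
    """Return (entry, reason) findings; an empty list means every suite has
    forward secrecy, a modern cipher and an AEAD mode."""
    findings = []
    for entry in cipher_string.strip().rstrip(";").split(":"):
        if not entry:
            continue
        m = SUITE.match(entry)
        if m is None:
            # medium, HIGH, !aNULL, @STRENGTH ...: what these expand to depends on the
            # OpenSSL build, so expand with 'openssl ciphers -v' before trusting them.
            findings.append((entry, "alias or unknown suite, not auditable by name"))
            continue
        kx = m["kx"] or "RSA"
        if kx not in ("ECDHE", "DHE"):
            findings.append((entry, f"no forward secrecy (Kx={kx})"))
        if m["enc"] in WEAK_ENC:
            findings.append((entry, f"weak or null cipher ({m['enc']})"))
        if m["mode"] not in AEAD_MODES:
            findings.append((entry, f"not AEAD (Mac={m['mac']})"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_cipher_string(MOZILLA_INTERMEDIATE + ":AES128-SHA:medium"):
        print(f"{entry}: {reason}")
```

Paste the value you intend to set (the part between the quotes of the zmprov or postconf command) into audit_cipher_string; an empty result is what you want before running the command.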

Run again to verify your set-up:

nmap --script ssl-enum-ciphers -p 25 your-mta-server.example.com

The last line of output with Zimbra new config: least strength: A

It seems TLSv1.3 is either not enabled or not tested by nmap's
ssl-enum-ciphers script, but you can verify it with openssl: with the
new config the first command (TLSv1.3) should succeed and the second
(TLSv1.1) should be refused:

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_3

openssl s_client -starttls smtp -showcerts -connect your-mta-server.example.com:25 -servername your-mta-server.example.com -tls1_1

Note that it is best to run the nmap/openssl commands on your MTA server
itself, to avoid firewall and network blocking of port 25.

Configuring Zimbra LDAP OpenLDAP

Zimbra stores passwords in LDAP, and LDAP traffic is not proxied via
Zimbra proxy. To find your current TLS protocols and ciphers you can run
nmap, but you will need a recent version of nmap:

nmap --script ssl-enum-ciphers -p 389 your-ldap-server.example.com

Check whether TLSv1.0 and TLSv1.1 are enabled (they are by default) and
what the least-strength cipher is for TLSv1.2 and above (default: A).
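The nmap checks for the MTA and LDAP ports come down to the same questions: are TLSv1.0/TLSv1.1 still offered, and is any suite or the least strength graded worse than A. The Python script below is an added example, not from the article; it parses ssl-enum-ciphers output (the scan text embedded here is constructed, not a real scan) and also flags TLS 1.2 suites without ECDHE/DHE key exchange.

```python
"""Added example (not from the Zimbra article): apply the article's checks
(no TLSv1.0/TLSv1.1, least strength A, forward secrecy) to the output of
'nmap --script ssl-enum-ciphers' as run against the MTA and LDAP ports."""
import re

ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
VERSION_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_\S+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")
LEAST_RE = re.compile(r"^\|_?\s+least strength:\s+([A-F])")
# Constructed sample (not real scan output): a server still offering TLSv1.0 and 3DES.
SAMPLE_DEFAULT = """\
25/tcp open  smtp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
"""

def parse_enum_ciphers(text):
    # Returns ({version: [(suite, grade), ...]}, least_strength_grade).
    versions, current, least = {}, None, None
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            current = m.group(1)
            versions[current] = []
        elif (m := CIPHER_RE.match(line)) and current:
            versions[current].append((m.group(1), m.group(3)))
        elif m := LEAST_RE.match(line):
            least = m.group(1)
    return versions, least

def policy_findings(versions, least, min_version="TLSv1.2", min_grade="A"):
    """Findings against the target: only TLS >= 1.2, every suite graded A, FS for TLS 1.2."""
    findings = []
    for version, suites in versions.items():
        if ORDER.index(version) < ORDER.index(min_version):
            findings.append(f"{version} is still enabled")
        for suite, grade in suites:
            if grade > min_grade:  # nmap grades run from A (best) to F
                findings.append(f"{version} {suite} is graded {grade}")
            if version != "TLSv1.3" and not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
                findings.append(f"{version} {suite} has no forward secrecy")
    if least is None or least > min_grade:
        findings.append(f"least strength is {least}, want {min_grade}")
    return findings
```

Feed it the saved output of the nmap command (for example `nmap ... -p 25,389 host > scan.txt`) and treat an empty findings list as the pass condition.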

To force the use of TLS >= v1.2 (OpenLDAP protocol number 3.3) with strong ciphers, run the following:

zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"
zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"

In addition require TLS for LDAP (disable unencrypted LDAP) via:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

For this change it is recommended to restart Zimbra using
zmcontrol restart.

Configuring POP3

It is recommended that you block POP3 with a host firewall. If you want
to use POP3 anyway, disable the unencrypted sending of username and
password and force the use of encryption with the following command:

zmprov ms `zmhostname` zimbraPop3CleartextLoginEnabled FALSE

Verify that TLS is required for POP3 via Zimbra Proxy; the setting
should be only, which is the default.

zmprov gs `zmhostname` zimbraReverseProxyPop3StartTlsMode
zimbraReverseProxyPop3StartTlsMode: only

With the above setting the Zimbra POP3 implementation requires the
client to issue the STLS command. This command will switch from
cleartext to encrypted communications.

If the STLS command is not issued, any command the client sends to
Zimbra, such as AUTH or USER, will result in an error and the client
will not attempt authentication. This means the password is not sent
without encryption. Email contents and attachments are likewise only
transmitted over the encrypted connection.

False positives in OpenVAS and warnings in email clients such as Thunderbird

Email clients and vulnerability scanners can send some commands in plain
text to Zimbra, such as CAPA (to list capabilities), and Zimbra will
respond to these without encryption. This makes vulnerability scanners
such as OpenVAS believe POP3 accepts unencrypted logins. This is not the
case. The false positive looks like this:

The remote host is running a POP3 daemon that allows cleartext logins over unencrypted connections.

For the same reason, if you add your Zimbra account with POP3 to
Thunderbird (or other clients) and select Connection security: none,
this will trigger a warning saying your credentials will be transmitted
without encryption. In reality the communication between the client and
Zimbra halts with errors before authentication unless TLS is used.

This has been verified by using Wireshark.

Configuring IMAP

It is recommended that you block IMAP with a host firewall. If you want
to use IMAP anyway, verify that you have the following settings (which
are the default); they disable the unencrypted sending of username and
password and force the use of encryption:

zmprov gs `zmhostname` zimbraImapCleartextLoginEnabled
zmprov ms `zmhostname` zimbraImapCleartextLoginEnabled FALSE # if not already

Verify that TLS is required for IMAP via Zimbra Proxy; the setting
should be only, which is the default.

zmprov gs `zmhostname` zimbraReverseProxyImapStartTlsMode
zimbraReverseProxyImapStartTlsMode: only

Configuring Admin UI

It is not recommended to expose the Admin UI to the Internet;
administrators should instead access the Admin UI via a VPN. In any case
you need to make sure the Admin UI is proxied via Zimbra Proxy so that
it uses the best TLS configuration. This means you should access the
Admin UI via the proxied port 9071 and deny access to port 7071 with a
firewall. To enable this, run the following as the zimbra user:

/opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`
zmproxyctl restart

Validate your settings online using SSL Labs

Go to https://www.ssllabs.com/ssltest/analyze.html and enter the domain
name of your Zimbra server. If you followed the steps in this article
you should receive an A+ score and there should be no mention of weak
ciphers in the report. This article was written in September 2021. In
the report, take a look at the client devices listed under Handshake
Simulation; these give you an idea of the devices your users can use to
connect to your Zimbra server. Also validate that there are no weak
ciphers listed under Cipher Suites.


Copyright © 2022 Zimbra, Inc. All rights reserved.
