Update Zimbra TLS cipher suites to disable Diffie-Hellman

This blog post is outdated as of Zimbra versions 9.0.0.P34, 8.8.15.P41 and 10.0.2, in which Zimbra introduced OpenSSL FIPS. Please follow the updated steps at https://wiki.zimbra.com/wiki/Cipher_suites.

In a previous blog and wiki we have shown how to configure Zimbra with a strong TLS configuration. Since encryption standards keep evolving, we have updated the previous blog and wiki to disable Diffie-Hellman.

If you have applied the steps from the Cipher Suites wiki before, you can run the following commands as the zimbra user to apply the recent changes.

zmprov -l mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
zmproxyctl restart

postconf -e tls_medium_cipherlist='!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
postconf -e tls_preempt_cipherlist=no
zmmtactl restart

With this change we have added !DH:!EDH:!ADH: to the start of the cipher list, which explicitly disables Diffie-Hellman key exchange. With some certificate providers Diffie-Hellman will already be disabled regardless of the configured cipher list. It does not hurt to configure it anyway, and you can check your current TLS security by running a website test at internet.nl.
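To see what the cipher list above actually enables before restarting anything, you can feed it to OpenSSL through Python's ssl module. This is an added example, not part of the blog or of Zimbra; it compares the list with and without the new !DH:!EDH:!ADH: prefix and reports which suites still use DH key exchange (names such as ZIMBRA_CIPHERS and dh_suites are this example's own).

```python
"""Expand an OpenSSL cipher-list string and report DH key-exchange suites."""
import ssl

# Cipher list exactly as the blog sets it for the proxy and for Postfix.
ZIMBRA_CIPHERS = (
    "!DH:!EDH:!ADH:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
# The same list without the new "!DH:!EDH:!ADH:" prefix (the earlier configuration).
PREVIOUS_CIPHERS = ZIMBRA_CIPHERS.split("!ADH:", 1)[1]


def _uses_ffdh(cipher):
    """True if a ssl.get_ciphers() entry negotiates finite-field Diffie-Hellman."""
    if cipher.get("kea"):
        return cipher["kea"] == "kx-dhe"
    # Fallback for builds that do not expose the key-exchange NID.
    return " Kx=DH " in cipher["description"]


def expand_cipher_list(cipher_string):
    """Return the TLS 1.2 suites OpenSSL selects for cipher_string as {name: entry}.

    TLS 1.3 suites are always present and not governed by this string, so they
    are skipped. Raises ssl.SSLError if the string selects nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def dh_suites(cipher_string):
    """Sorted names of the suites in cipher_string that still use DH key exchange."""
    return sorted(name for name, c in expand_cipher_list(cipher_string).items()
                  if _uses_ffdh(c))


if __name__ == "__main__":
    # The "!" keywords are permanent, so the DHE-RSA entries later in the list
    # cannot re-enable DH: the new list yields no DH suites, the old one does.
    print("previous list, DH suites:", dh_suites(PREVIOUS_CIPHERS))
    print("blog list, DH suites:    ", dh_suites(ZIMBRA_CIPHERS))
    print("blog list, enabled:      ", sorted(expand_cipher_list(ZIMBRA_CIPHERS)))
```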


6 Responses to Update Zimbra TLS cipher suites to disable Diffie-Hellman

  1. Dave December 28, 2022 at 7:48 PM #

    The first postconf line doesn’t work because the shell eats the !’s. You either need to quote it with single quotes instead of double, or put a \ in front of each !

    • Barry de Graaff January 4, 2023 at 12:14 AM #

      Thanks, for catching this typo, I updated the blog!

  2. Peter December 29, 2022 at 8:25 AM #

    Why should I explicitly disable DH but not MD5, DES, RC4, CBC, etc?

    • Barry de Graaff January 4, 2023 at 12:09 AM #

      MD5, DES, RC4, CBC, etc should be disabled when you configure Zimbra with the steps in the wiki/blog. You can validate your installation using the scanner at internet.nl.

  3. Mahdi February 8, 2023 at 9:01 PM #

    HI
    zimbra@mail:/root$ postconf -e tls_medium_cipherlist=’!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384′
    zimbra@mail:/root$ postconf -e tls_preempt_cipherlist=no
    zimbra@mail:/root$ zmmtactl restart
    Rewriting configuration files…done.
    Stopping amavisd… done.
    Stopping amavisd-mc… done.
    Starting amavisd-mc…done.
    Starting amavisd…awk: cmd. line:2: { if (($2 == 31611
    awk: cmd. line:2: ^ unexpected newline or end of string
    done.
    Stopping saslauthd…done.
    Starting saslauthd…done.

    • Barry de Graaff February 8, 2023 at 11:21 PM #

      I have re-validated the steps from the article and they work fine on
      Release 9.0.0.GA.4178.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P29.
      Release 10.0.0.GA.4504.UBUNTU20.64 UBUNTU20_64 NETWORK edition.

      Likely your issue is unrelated to the setting of TLS ciphers; please see if someone else has a similar issue in the forum https://forums.zimbra.org/

Copyright © 2022 Zimbra, Inc. All rights reserved.