This blog post is outdated as of Zimbra versions 9.0.0.P34, 8.8.15.P41 and 10.0.2, where Zimbra introduced OpenSSL FIPS. Please follow the updated steps at https://wiki.zimbra.com/wiki/Cipher_suites.
In a previous blog post and wiki article we have shown how to configure Zimbra with a strong TLS configuration. Since encryption is always evolving, we have updated the previous blog post and wiki to disable Diffie-Hellman.
If you have applied the steps from the Cipher Suites wiki before, you can run the following commands as the user zimbra to apply the recent changes.
zmprov -l mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
zmproxyctl restart
postconf -e tls_medium_cipherlist='!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
postconf -e tls_preempt_cipherlist=no
zmmtactl restart
With this change we have added !DH:!EDH:!ADH: to the start of the cipher list, which explicitly disables the Diffie-Hellman (DH, ephemeral DH and anonymous DH) cipher suites. In some cases, with some certificate providers, Diffie-Hellman will already be disabled regardless of the configured cipher list. It does not hurt to configure it explicitly, and you can check your current TLS security by running the website test at internet.nl.
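Because OpenSSL applies a "!" entry permanently, any suite listed after it that matches the excluded keyword is dropped as well, so it is worth checking which suites a cipher string really leaves enabled before restarting services. The following check is an added example, not code from the Zimbra blog or wiki; it feeds the cipher string from this post through Python's ssl module, which evaluates it with the locally installed OpenSSL, and reports the enabled suites, the named suites that were silently removed, and whether any finite-field Diffie-Hellman key exchange survives.

```python
import re
import ssl

# The cipher string from the blog post above (proxy and Postfix setting).
ZIMBRA_CIPHERS = (
    "!DH:!EDH:!ADH:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def _tls12_ciphers(cipher_string):
    """Ask the local OpenSSL which suites the string enables (TLS 1.2 and below).

    TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites) and are
    not affected by this string, so they are filtered out of the result.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def effective_ciphers(cipher_string):
    """Names of the suites that are actually enabled, in OpenSSL preference order."""
    return [c["name"] for c in _tls12_ciphers(cipher_string)]


def listed_suites(cipher_string):
    """Suites explicitly named in the string (entries that are not '!' exclusions)."""
    return [t for t in cipher_string.split(":") if t and not t.startswith("!")]


def dropped_suites(cipher_string):
    """Named suites OpenSSL removed anyway, e.g. DHE-* suites killed by '!EDH'."""
    enabled = set(effective_ciphers(cipher_string))
    return [s for s in listed_suites(cipher_string) if s not in enabled]


def uses_dh_key_exchange(cipher_string):
    """True if any enabled suite still uses finite-field DH (OpenSSL prints 'Kx=DH').

    ECDHE suites print 'Kx=ECDH', which the word boundary in the pattern rejects.
    """
    return any(re.search(r"\bKx=DH\b", c["description"]) for c in _tls12_ciphers(cipher_string))


if __name__ == "__main__":
    print("enabled:", effective_ciphers(ZIMBRA_CIPHERS))
    print("listed but dropped:", dropped_suites(ZIMBRA_CIPHERS))
    print("DH key exchange still possible:", uses_dh_key_exchange(ZIMBRA_CIPHERS))
```

Run it on the server whose OpenSSL the proxy and Postfix link against; the "listed but dropped" line shows that the two DHE-RSA suites at the end of the string are removed by the leading !EDH, so only the ECDHE suites remain, which is the intended effect of the change.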
The first postconf line doesn't work because the shell eats the !'s. You either need to quote it with single quotes instead of double, or put a \ in front of each !
Thanks for catching this typo, I updated the blog!
Why should I explicitly disable DH but not MD5, DES, RC4, CBC, etc?
MD5, DES, RC4, CBC, etc. should be disabled when you configure Zimbra with the steps in the wiki/blog. You can validate your installation using the scanner at internet.nl.
Hi
zimbra@mail:/root$ postconf -e tls_medium_cipherlist='!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
zimbra@mail:/root$ postconf -e tls_preempt_cipherlist=no
zimbra@mail:/root$ zmmtactl restart
Rewriting configuration files…done.
Stopping amavisd… done.
Stopping amavisd-mc… done.
Starting amavisd-mc…done.
Starting amavisd…awk: cmd. line:2: { if (($2 == 31611
awk: cmd. line:2: ^ unexpected newline or end of string
done.
Stopping saslauthd…done.
Starting saslauthd…done.
I have re-validated the steps from the article and they work fine on:
Release 9.0.0.GA.4178.UBUNTU20.64 UBUNTU20_64 NETWORK edition, Patch 9.0.0_P29.
Release 10.0.0.GA.4504.UBUNTU20.64 UBUNTU20_64 NETWORK edition.
Likely your issue is unrelated to the setting of TLS ciphers; please see if someone else has a similar issue in the forum at https://forums.zimbra.org/