Optimizing Zimbra security and TLS settings via a script

A partner has requested a script to implement the Security tips and TLS
settings documented at https://wiki.zimbra.com/wiki/Cipher_suites and
https://wiki.zimbra.com/wiki/Secopstips . At Zimbra we love scripts!
This article shows a script that configures Zimbra with strong TLS and
security settings.

Prerequisites

You have set up a correct hostname and DNS. To check, run the following
as the zimbra user and verify that zmhostname prints the same name as
hostname --fqdn:

zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars
zimbra@le-test:~$ zmhostname
le-test.zimbra.tech
zimbra@le-test:~$ hostname --fqdn
le-test.zimbra.tech

This example script works on a single-server Zimbra installation; if you
run a multi-server set-up, you need to split up the script according to
your deployment.

Creating the script

Create a file /usr/local/sbin/secops-zimbra with the following
content:

#!/bin/bash
# Hardening script for a single-server Zimbra installation; run as root.
echo "Setting optimal security settings"

# Use the FQDN so the public service hostname and the per-server (ms) settings
# match the zmhostname checked in the prerequisites; bash's builtin HOSTNAME is
# often only the short name.
HOSTNAME=$(hostname --fqdn)

# Start from a fresh zmprov batch file.
rm -Rf /tmp/provfile

# IP address the LDAP server (slapd) listens on; added as a trusted IP below.
ZIMBRAIP=$(netstat -tulpn | grep slapd | awk '{print $4}' | awk -F ':' '{print $1}')

# zmprov batch: mcf = modify global config, ms = modify server, mc = modify
# class of service. A leading + adds a value to a multi-valued attribute.
cat >> /tmp/provfile << EOF
mcf zimbraPublicServiceProtocol https
mcf zimbraPublicServicePort 443
mcf zimbraPublicServiceHostname $HOSTNAME
mcf zimbraReverseProxySSLProtocols TLSv1.2
mcf +zimbraReverseProxySSLProtocols TLSv1.3
mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
mcf +zimbraResponseHeader "Referrer-Policy: no-referrer"
mcf zimbraMailKeepOutWebCrawlers TRUE
mcf zimbraSmtpSendAddMailer FALSE
mcf zimbraSSLDHParam /etc/ffdhe4096.pem
mcf zimbraMtaSmtpdTlsCiphers medium
mcf zimbraMtaSmtpdTlsMandatoryCiphers medium
mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
mcf zimbraMtaTlsSecurityLevel may
ms $HOSTNAME zimbraPop3CleartextLoginEnabled FALSE
ms $HOSTNAME zimbraImapCleartextLoginEnabled FALSE
mcf zimbraLastLogonTimestampFrequency 1s
mc default zimbraPrefShortEmailAddress FALSE
mcf +zimbraMailTrustedIP 127.0.0.1
mcf +zimbraMailTrustedIP $ZIMBRAIP
EOF

# Let the Java components (mailboxd) use TLS 1.3 in addition to TLS 1.2.
sed -i 's/-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2/-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3/g' /opt/zimbra/conf/localconfig.xml
# RFC 7919 ffdhe4096 group, referenced by zimbraSSLDHParam above.
wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem

# Postfix: disable ETRN and VRFY, use the same forward-secret cipher list for
# the "medium" grade selected above, and keep the client's cipher preference order.
su - zimbra -c '/opt/zimbra/bin/postconf -e fast_flush_domains=""'
su - zimbra -c '/opt/zimbra/bin/postconf -e smtpd_etrn_restrictions=reject'
su - zimbra -c '/opt/zimbra/bin/postconf -e disable_vrfy_command=yes'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_medium_cipherlist="!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_preempt_cipherlist=no'

# LDAP: TLS 1.2 (protocol version 3.3) or newer, HIGH ciphers only, and
# STARTTLS required between Zimbra components.
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_supported=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_require_interprocess_security=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_required=true'

# Web client: no login with aliases, and session cookies marked SameSite=Strict.
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e alias_login_enabled=false'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie="Strict"'

# Apply the batch file prepared above.
su - zimbra -c '/opt/zimbra/bin/zmprov < /tmp/provfile'

# Serve the admin console through the proxy as well, see
# https://wiki.zimbra.com/wiki/Enabling_Admin_Console_Proxy
su - zimbra -c "/opt/zimbra/libexec/zmproxyconfig -e -w -C -H $HOSTNAME"

# Restart all services so the new settings take effect.
su - zimbra -c '/opt/zimbra/bin/zmcontrol restart'
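The cipher string in the script is handed to OpenSSL by nginx and Postfix, and only OpenSSL's expansion of it shows which suites will really be negotiated. The following is an added example, not code from this page or from Zimbra, that uses Python's ssl module (a wrapper around the same OpenSSL library) to expand the string and check that every selected TLS 1.2 suite offers forward secrecy and an AEAD cipher. It also makes one detail of OpenSSL's cipher syntax visible: a leading !DH permanently removes all ephemeral DH suites, so the two DHE-RSA entries at the end of the list are never selected and the effective list is ECDHE-only (stricter, not weaker, but good to know when reading the list). ZIMBRA_CIPHERS copies the string from the script; the function names and the weak comparison string are my own.

```python
import ssl

# Cipher string exactly as set by the script for zimbraReverseProxySSLCiphers
# and tls_medium_cipherlist.
ZIMBRA_CIPHERS = (
    "!DH:!EDH:!ADH:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# Key exchange methods that give forward secrecy (names as reported by
# OpenSSL through ssl.SSLContext.get_ciphers()).
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand_ciphers(cipher_string):
    """Return the TLS 1.2 suites the local OpenSSL selects for cipher_string,
    in preference order. TLS 1.3 suites are configured separately in OpenSSL
    and are always listed by get_ciphers(), so they are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Expand the string and summarise what a defender cares about:
    forward secrecy and AEAD for every suite, plus which suites fall short."""
    suites = expand_ciphers(cipher_string)
    weak = [
        c["name"] for c in suites
        if c.get("kea") not in FORWARD_SECRET_KX or not c.get("aead")
    ]
    return {
        "names": [c["name"] for c in suites],
        "forward_secrecy": all(c.get("kea") in FORWARD_SECRET_KX for c in suites),
        "aead_only": all(c.get("aead") for c in suites),
        # DHE suites that survived the !DH prefix (expected: none).
        "dhe_suites": [c["name"] for c in suites if c.get("kea") == "kx-dhe"],
        "weak": weak,
    }


if __name__ == "__main__":
    report = audit_cipher_string(ZIMBRA_CIPHERS)
    for name in report["names"]:
        print(name)
    print("forward secrecy:", report["forward_secrecy"])
    print("AEAD only:", report["aead_only"])
    print("DHE suites selected:", report["dhe_suites"] or "none")
```

Run it on the Zimbra host (or any machine with the same OpenSSL version) after editing the cipher list; a non-empty "weak" entry or an unexpected name in the expansion means the string does not say what was intended.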

Running the script

Before running scripts, make sure you have a working backup and test the
script in a test environment first. You can run this script as root like
this:

chmod +x /usr/local/sbin/secops-zimbra
/usr/local/sbin/secops-zimbra
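After the restart it is worth confirming that the proxy really sends the response headers the provisioning file adds, rather than trusting the zmprov output. The check below is an added example, not part of this page or of Zimbra: it parses a raw HTTP response (for instance the output of curl -sI https://le-test.zimbra.tech/) and reports any of the four headers from the script that are missing or weaker than configured, including the HSTS max-age and includeSubDomains directive. The two sample responses are constructed for the example; the function names are my own.

```python
import re

# Headers the script adds through zimbraResponseHeader and the values it sets.
# HSTS is validated separately because its value has directives.
REQUIRED_HEADERS = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "x-robots-tag": "noindex",
    "referrer-policy": "no-referrer",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as set by the script

# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Robots-Tag: noindex\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Map lower-cased header names to values for the first header block of
    a raw response; the status line is skipped and the body is ignored."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        m = re.match(r'max-age\s*=\s*"?(\d+)"?$', d, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(raw):
    """Return a list of findings; an empty list means every header the script
    configures is present with the configured value."""
    headers = parse_headers(raw)
    findings = []
    for name, expected in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append("missing " + name)
        elif expected is not None and headers[name].lower() != expected:
            findings.append("unexpected %s: %s" % (name, headers[name]))
    if "strict-transport-security" in headers:
        max_age, include_sub = parse_hsts(headers["strict-transport-security"])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append("hsts max-age below %d" % MIN_HSTS_MAX_AGE)
        if not include_sub:
            findings.append("hsts lacks includeSubDomains")
    return findings


if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(raw) or "ok")
```

Because the script adds the headers at the proxy, check the public URL rather than the mailboxd port directly; a finding there points at the proxy configuration, not at the zmprov batch.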

Check for changes

This script is copied from the Zimbra installer; you can check there
periodically for updates:
https://github.com/Zimbra/zinstaller/blob/main/zinstaller#L516


Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.
