A partner has requested a script to implement the Security tips and TLS
settings documented at https://wiki.zimbra.com/wiki/Cipher_suites and
https://wiki.zimbra.com/wiki/Secopstips . At Zimbra we love scripts!
This article shows a script that configures Zimbra with strong TLS and
security settings.
Prerequisites
You have set up a correct hostname and DNS, to check, run the following
as user zimbra and verify zmhostname is the same as
hostname --fqdn:
zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars zimbra@le-test:~$ zmhostname le-test.zimbra.tech zimbra@le-test:~$ hostname --fqdn le-test.zimbra.tech
This script example works on a single server Zimbra installation, if you
run a multi-server set-up you need to split up the script based on your
deployment.
Creating the script
Create a file /usr/local/sbin/secops-zimbra with the following
content:
#!/bin/bash WHO=`whoami` if [ $WHO != "zimbra" ] then echo echo "Execute this scipt as user zimbra (\"su - zimbra\")" echo exit 1 fi source ~/bin/zmshutil; zmsetvars echo "Setting optimal security settings" rm -Rf /tmp/provfile cat >> /tmp/provfile << EOF mcf zimbraPublicServiceProtocol https mcf zimbraPublicServicePort 443 mcf zimbraPublicServiceHostname $HOSTNAME mcf zimbraReverseProxySSLProtocols TLSv1.2 mcf +zimbraReverseProxySSLProtocols TLSv1.3 mcf zimbraReverseProxySSLCiphers "" mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains" mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff" mcf +zimbraResponseHeader "X-Robots-Tag: noindex" mcf +zimbraResponseHeader "Referrer-Policy: no-referrer" mcf zimbraMailKeepOutWebCrawlers TRUE mcf zimbraSmtpSendAddMailer FALSE mcf zimbraSSLDHParam /opt/zimbra/conf/ffdhe4096.pem mcf zimbraMtaSmtpdTlsCiphers medium mcf zimbraMtaSmtpdTlsMandatoryCiphers medium mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2' mcf zimbraMtaTlsSecurityLevel may ms $HOSTNAME zimbraPop3CleartextLoginEnabled FALSE ms $HOSTNAME zimbraImapCleartextLoginEnabled FALSE mcf zimbraLastLogonTimestampFrequency 1s mc default zimbraPrefShortEmailAddress FALSE mc default zimbraFeatureTwoFactorAuthAvailable TRUE ms $HOSTNAME zimbraFileUploadMaxSize 80000000 ms $HOSTNAME zimbraMailContentMaxSize 80000000 mcf zimbraMtaMaxMessageSize 80000000 mcf zimbraFileUploadMaxSize 80000000 mcf zimbraMailContentMaxSize 80000000 EOF sed -i 's/-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2/-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3/g' /opt/zimbra/conf/localconfig.xml wget -q https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /opt/zimbra/conf/ffdhe4096.pem /opt/zimbra/bin/postconf -e fast_flush_domains="" /opt/zimbra/bin/postconf -e smtpd_etrn_restrictions=reject /opt/zimbra/bin/postconf -e disable_vrfy_command=yes /opt/zimbra/bin/postconf -e tls_medium_cipherlist=$(/opt/zimbra/common/bin/openssl ciphers) /opt/zimbra/bin/postconf -e tls_preempt_cipherlist=no /opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsprotocolmin="3.3" /opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsciphersuite="HIGH" /opt/zimbra/bin/zmlocalconfig -e ldap_starttls_supported=1 /opt/zimbra/bin/zmlocalconfig -e zimbra_require_interprocess_security=1 /opt/zimbra/bin/zmlocalconfig -e ldap_starttls_required=true /opt/zimbra/bin/zmlocalconfig -e alias_login_enabled=false /opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie="Strict" /opt/zimbra/bin/zmprov < /tmp/provfile /opt/zimbra/bin/zmzimletctl undeploy com_zimbra_clientuploader rm -Rf /opt/zimbra/lib/ext/com_zimbra_clientuploader
Running the script
Before running scripts make sure you have a working back-up and test
scripts in a test environment first. You can run this script as root
like this:
su - zimbra chmod +x /usr/local/sbin/secops-zimbra /usr/local/sbin/secops-zimbra
Check for changes
This script is copied from here, you can check periodically for updates:
- https://github.com/Zimbra/zinstaller/blob/main/zinstaller#L549
No comments yet.