A partner has requested a script to implement the Security tips and TLS
settings documented at https://wiki.zimbra.com/wiki/Cipher_suites and
https://wiki.zimbra.com/wiki/Secopstips. At Zimbra we love scripts!
This article shows a script that configures Zimbra with strong TLS and
security settings.
Prerequisites
You have set up a correct hostname and DNS. To check, run the following
as user zimbra and verify that the output of zmhostname is the same as
the output of hostname --fqdn:

zimbra@le-test:~$ source ~/bin/zmshutil; zmsetvars
zimbra@le-test:~$ zmhostname
le-test.zimbra.tech
zimbra@le-test:~$ hostname --fqdn
le-test.zimbra.tech
This script example works on a single-server Zimbra installation. If you
run a multi-server set-up, you need to split up the script based on your
deployment (the mcf/ms settings go on the LDAP master, the proxy, MTA and
mailbox commands on the servers that run those roles).
Creating the script
Create a file /usr/local/sbin/secops-zimbra with the following content:
#!/bin/bash
echo "Setting optimal security settings"

# Use the FQDN, which is what the prerequisite check above requires to
# match zmhostname; bash's own $HOSTNAME may only hold the short name.
HOSTNAME=$(hostname --fqdn)

# IP the LDAP server (slapd) listens on; needs netstat from net-tools.
rm -Rf /tmp/provfile
ZIMBRAIP=$(netstat -tulpn | grep slapd | awk '{print $4}' | awk -F ':' '{print $1}')

# Global (mcf), server (ms) and COS (mc) settings, applied with zmprov below.
cat >> /tmp/provfile << EOF
mcf zimbraPublicServiceProtocol https
mcf zimbraPublicServicePort 443
mcf zimbraPublicServiceHostname $HOSTNAME
mcf zimbraReverseProxySSLProtocols TLSv1.2
mcf +zimbraReverseProxySSLProtocols TLSv1.3
mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
mcf +zimbraResponseHeader "Referrer-Policy: no-referrer"
mcf zimbraMailKeepOutWebCrawlers TRUE
mcf zimbraSmtpSendAddMailer FALSE
mcf zimbraSSLDHParam /etc/ffdhe4096.pem
mcf zimbraMtaSmtpdTlsCiphers medium
mcf zimbraMtaSmtpdTlsMandatoryCiphers medium
mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
mcf zimbraMtaTlsSecurityLevel may
ms $HOSTNAME zimbraPop3CleartextLoginEnabled FALSE
ms $HOSTNAME zimbraImapCleartextLoginEnabled FALSE
mcf zimbraLastLogonTimestampFrequency 1s
mc default zimbraPrefShortEmailAddress FALSE
mcf +zimbraMailTrustedIP 127.0.0.1
mcf +zimbraMailTrustedIP $ZIMBRAIP
EOF

# Let the mailbox JVM speak TLS 1.3 as a client as well as TLS 1.2.
sed -i 's/-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2/-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3/g' /opt/zimbra/conf/localconfig.xml

# Pre-generated 4096-bit DH group (RFC 7919 ffdhe4096) referenced by zimbraSSLDHParam above.
wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem

# Postfix: disable ETRN/VRFY and align the "medium" cipher list with the proxy's list.
su - zimbra -c '/opt/zimbra/bin/postconf -e fast_flush_domains=""'
su - zimbra -c '/opt/zimbra/bin/postconf -e smtpd_etrn_restrictions=reject'
su - zimbra -c '/opt/zimbra/bin/postconf -e disable_vrfy_command=yes'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_medium_cipherlist="!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_preempt_cipherlist=no'

# Local config: LDAP minimum TLS 1.2 (OpenLDAP "3.3"), STARTTLS required, strict cookies.
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_supported=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_require_interprocess_security=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_required=true'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e alias_login_enabled=false'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie="Strict"'

# Apply the provisioning file prepared above.
su - zimbra -c '/opt/zimbra/bin/zmprov < /tmp/provfile'

# https://wiki.zimbra.com/wiki/Enabling_Admin_Console_Proxy
su - zimbra -c "/opt/zimbra/libexec/zmproxyconfig -e -w -C -H $HOSTNAME"
su - zimbra -c '/opt/zimbra/bin/zmcontrol restart'
Running the script
Before running scripts make sure you have a working back-up and test
scripts in a test environment first. You can run this script as root
like this:
chmod +x /usr/local/sbin/secops-zimbra
/usr/local/sbin/secops-zimbra
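After the restart it is worth confirming that the settings the script provisions are actually in LDAP and have not been changed back later (drift). The following drift check is an added example and is not part of the original article or of the zinstaller script; the parser, the policy function and the sample zmprov output are assumptions of this example, while the expected values are the ones the script above sets. Feed it the combined output of, run as user zimbra, `zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLCiphers zimbraResponseHeader zimbraMtaSmtpdTlsProtocols` and `zmprov gs $(zmhostname) zimbraPop3CleartextLoginEnabled zimbraImapCleartextLoginEnabled` on stdin.

```python
"""Drift check for the secops-zimbra settings (added example, not Zimbra's code)."""
import re
import sys

# Values the secops-zimbra script provisions (copied from the script above).
EXPECTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
EXPECTED_CIPHERS = set(
    "!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384".split(":")
)
REQUIRED_HEADERS = {"Strict-Transport-Security", "X-Content-Type-Options",
                    "X-Robots-Tag", "Referrer-Policy"}
MIN_HSTS_MAX_AGE = 31536000


def parse_zmprov(text):
    """Parse 'attr: value' lines from zmprov gcf/gs into attr -> [values].

    Splits on the first ': ' only, because header values contain ': ' too.
    Lines starting with '#' (zmprov gs prints '# name <server>') are skipped.
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            cfg.setdefault(attr, []).append(value.strip())
    return cfg


def check_policy(cfg):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []

    protos = set(cfg.get("zimbraReverseProxySSLProtocols", []))
    if protos != EXPECTED_PROTOCOLS:
        findings.append(f"proxy TLS protocols {sorted(protos)} != {sorted(EXPECTED_PROTOCOLS)}")

    cipher_string = (cfg.get("zimbraReverseProxySSLCiphers") or [""])[0]
    unexpected = [c for c in cipher_string.split(":") if c and c not in EXPECTED_CIPHERS]
    if unexpected or not cipher_string:
        findings.append(f"proxy cipher list differs from the script's list: {unexpected or 'empty'}")

    headers = {}
    for raw in cfg.get("zimbraResponseHeader", []):
        name, _, value = raw.partition(":")
        headers[name.strip()] = value.strip()
    for name in sorted(REQUIRED_HEADERS - set(headers)):
        findings.append(f"response header missing: {name}")
    match = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    if match and int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}")

    if cfg.get("zimbraMtaSmtpdTlsProtocols") != [">=TLSv1.2"]:
        findings.append("Postfix smtpd TLS protocols are not '>=TLSv1.2'")

    for attr in ("zimbraPop3CleartextLoginEnabled", "zimbraImapCleartextLoginEnabled"):
        if cfg.get(attr) != ["FALSE"]:
            findings.append(f"{attr} is not FALSE (cleartext logins possible)")
    return findings


# Constructed sample output (not captured from a real server): what zmprov
# prints right after the script has run, and a drifted configuration.
COMPLIANT_OUTPUT = """\
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000; includeSubDomains
zimbraResponseHeader: X-Content-Type-Options: nosniff
zimbraResponseHeader: X-Robots-Tag: noindex
zimbraResponseHeader: Referrer-Policy: no-referrer
zimbraMtaSmtpdTlsProtocols: >=TLSv1.2
# name le-test.zimbra.tech
zimbraPop3CleartextLoginEnabled: FALSE
zimbraImapCleartextLoginEnabled: FALSE
"""

DRIFTED_OUTPUT = """\
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
zimbraResponseHeader: Strict-Transport-Security: max-age=300
zimbraResponseHeader: X-Content-Type-Options: nosniff
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
# name le-test.zimbra.tech
zimbraPop3CleartextLoginEnabled: TRUE
zimbraImapCleartextLoginEnabled: FALSE
"""

if __name__ == "__main__":
    # With no stdin redirect, run against the constructed drifted sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else DRIFTED_OUTPUT
    problems = check_policy(parse_zmprov(text))
    for problem in problems:
        print("DRIFT:", problem)
    sys.exit(1 if problems else 0)
```

Run it from cron as user zimbra and alert on a non-zero exit code; it tells you which of the script's settings has been changed rather than just that something differs. It checks LDAP only, so pair it with a TLS scan of ports 443, 993 and 995 from outside if you also want to confirm what the proxy actually negotiates.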
Check for changes
This script is copied from the Zimbra installer; check the source periodically for updates:
– https://github.com/Zimbra/zinstaller/blob/main/zinstaller#L516