Zimbra

Lebha · #1 (**permalink**) 09-17-2009, 07:07 AM

Hello,

I have simple question, albeit one that has not been asked before: how do i configure all services that require authentication, i.e. move user credentials along the wire, to use SSL?

I have already disabled clear text login to IMAP and ZWC, but how to allow e.g. webdav access via https only? What about other services that might allow clear text logins?

ProTip · #2 (**permalink**) 09-17-2009, 07:21 AM

You can disallow clear text logins to pop and imap under the global settings section of your administration console. For webmail, try 'zmtlsctl redirect'.

Lebha · #3 (**permalink**) 09-18-2009, 12:18 AM

Quote:

Originally Posted by ProTip

You can disallow clear text logins to pop and imap under the global settings section of your administration console. For webmail, try 'zmtlsctl redirect'.

Exactly these steps I have already taken, as I tried to indicate in my original post. But my question was, what about the rest? WebDAV? LDAP? What else might there lurk that I don't even know about?

veronica · #4 (**permalink**) 09-19-2009, 09:34 AM

The services like POP/IMAP/HTTP talk on public hence would make sense doing SSL.

To enable SSl on LDAP change :-
zmlocalconfig -e ldap_starttls_supported = 0 ( default is 1 )

For enabling LDAPS following needs to be changed:-

zmlocalconfig -e ldap_master_url = ldaps://ldapserver:636
zmlocalconfig -e ldap_url = ldaps://replicaserver:636
zmlocalconfig -e ldap_starttls_supported = 0
zmlocalconfig -e ldap_port = 636

Lebha · #5 (**permalink**) 09-20-2009, 11:44 PM

Quote:

Originally Posted by veronica

zmlocalconfig -e ldap_master_url = ldaps://ldapserver:636
zmlocalconfig -e ldap_url = ldaps://replicaserver:636
zmlocalconfig -e ldap_starttls_supported = 0
zmlocalconfig -e ldap_port = 636

Thank you for the LDAP settings! Only remaining service I'm worried about is WebDAV. Does anybody know how to configure WebDAV to use SSL only?

veronica · #6 (**permalink**) 09-21-2009, 06:50 AM

Did you try using : -

https://<mailboxserver>/dav/<email>

Dirk · #7 (**permalink**) 09-21-2009, 07:26 AM

If you lock out the insecure ports at the firewall, you should be set. Our install only allows connections from the outside world on port 25 and 443, everything else is blocked.

LDAP connections are only happening on the LAN and may or may not be secure, but that's currently a lower priority for me. Are you trying to ensure encryption of all traffic both internally and externally?

cayaraa · #8 (**permalink**) 09-21-2009, 07:35 AM

I haven't looked at it yet but you might want to see if setting zimbraCalendarCalDavClearTextPasswordEnabled to false does it.

$ zmprov gcf zimbraCalendarCalDavClearTextPasswordEnabled
$ zmprov mcf zimbraCalendarCalDavClearTextPasswordEnabled false

Zimbra

Downloads

Product Information

Toolbox

Why Join?