Thread: Enable Perfect Forward Secrecy in Zimbra 8+ ?

  1. #1 dar1423 (Member)

    I want to setup Zimbra correctly for 'Perfect Forward Secrecy' support.

    I've read this

    TLS Forward Secrecy in Postfix

    this,

    Zimbra & SSL ciphers hardening

    and this,

    Ajcody-MTA-Postfix-Topics - Zimbra :: Wiki

    In the last one I read,

    The other variable/options for the "Postfix SMTP Server policy - SASL mechanism properties" you will need to know about are: forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).

    But, I still don't see or understand how to specifically enable it for Zimbra ZCS 8.0.6.

    What postconf/zmconfig/etc commands, or other edits, do I need to make to enable it?

  2. #2 Raunaq (Zimbra Employee)

    Cheers,
    Raun
    Always ready to help.

  3. #3 dar1423 (Member)

    That, unfortunately, references PFS only in the use case of nginx as ReverseProxy in front of Zimbra.

    My use case is *NO* nginx -- i.e., just 'standalone' Zimbra.

    This, then, begs the question of how to specify ciphers/order on the non-nginx case, which I'd asked here:

    https://www.zimbra.com/forums/admini...-use-case.html
    Last edited by dar1423; 04-17-2014 at 04:36 PM.

  4. #4 danielfarrelly (Special Member)

    I agree this needs to be dealt with - especially considering the enormity of the whole Heartbleed fiasco. Zimbra engineers might want to be really careful how they propose to "fix" PFS on the Zimbra platform. Stating it's a feature request for an upcoming version of Zimbra is not enough. Might I recommend upping the key size to 4096, requiring 256-bit sig all the way to the CA root cert, make all default cipher suites 256-bit variants using TLS v1.2? If you need something less, it's up to you to reconfigure - or contact Zimbra support on how to type:

    zmprov mcf -zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (which, btw... don't do)

    I would think Zimbra as a company would see recent news of flaws in OpenSSL as an opportunity to reach out to its customers and provide a means of making sure their setup is secure - and be able to prove it.
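An added check that is not from the thread or from Zimbra: it classifies Java/JSSE-style cipher suite names (the form zimbraSSLExcludeCipherSuites takes, as in the zmprov line above) by key exchange and bulk-cipher strength and lists the suites a forward-secrecy policy should exclude. The sample list is constructed for illustration, and the `+zimbraSSLExcludeCipherSuites` multi-value add syntax is an assumption to verify against your release.

```python
import re

# JSSE-style names (Jetty, zimbraSSLExcludeCipherSuites): <SSL|TLS>_<kx>_WITH_<bulk>_<mac>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<rest>.+)$")
# Forward secrecy needs ephemeral *authenticated* key exchange; DH_anon is left out.
PFS_KX_PREFIXES = ("ECDHE_", "DHE_")
# Nominal bulk-cipher strength (3DES counted at its effective 112 bits).
BULK_BITS = [
    (r"(?:AES|CAMELLIA)_(\d+)", lambda m: int(m.group(1))),
    (r"3DES_EDE", lambda m: 112),
    (r"DES40|RC4_40|RC2_CBC_40", lambda m: 40),
    (r"DES_CBC", lambda m: 56),
    (r"RC4_(\d+)", lambda m: int(m.group(1))),
    (r"NULL", lambda m: 0),
]

def bulk_bits(name):
    """Strength of the bulk cipher named in a suite, or None if unrecognised."""
    return next((f(m) for rx, f in BULK_BITS if (m := re.search(rx, name))), None)

def classify(suite):
    """Return {'pfs': bool, 'export': bool, 'bits': int|None} for one suite name."""
    if "_WITH_" not in suite:  # TLS 1.3 names carry no key exchange: always PFS
        return {"pfs": True, "export": False, "bits": bulk_bits(suite)}
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    kx = m.group("kx")
    return {"pfs": kx.startswith(PFS_KX_PREFIXES), "export": "EXPORT" in kx,
            "bits": bulk_bits(m.group("rest"))}

def needs_exclusion(suite, min_bits=128):
    """True if a PFS policy must drop the suite: static kx, export grade, or weak/unknown bulk."""
    c = classify(suite)
    return not c["pfs"] or c["export"] or (c["bits"] or 0) < min_bits

def suites_to_exclude(suites, min_bits=128):
    return [s for s in suites if needs_exclusion(s, min_bits)]

def zmprov_commands(excluded):
    """zmprov lines adding each suite to the exclusion attribute ('+attr' add syntax assumed)."""
    return [f"zmprov mcf +zimbraSSLExcludeCipherSuites {s}" for s in excluded]

# Constructed sample list (JSSE-style names) for illustration.
SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # ephemeral ECDH: keep
    "TLS_RSA_WITH_AES_256_CBC_SHA",           # static RSA: no PFS
    "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",  # the export suite quoted above
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",       # anonymous, unauthenticated
]
```

Pass `min_bits=256` to `suites_to_exclude` to apply the 256-bit-only policy suggested in the post; unknown cipher names are excluded rather than silently allowed.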

  5. #5 dar1423 (Member)

  6. #6 quanah (Zimbra Employee)

    You can already do PFS with Zimbra as long as you have nginx installed, which is the recommended way to install already.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  7. #7 danielfarrelly (Special Member)

    of course you can. just as you can use a weak cipher to connect - unless you tell it not to. perhaps I was misunderstood, but a great majority of us already know how to make our zimbra installs more secure. I was making a suggestion on how you might want to better distribute information to your users.

    dar1423 was looking for support on how to utilize PFS. he was told to check out bugzilla. I threw in my two cents thinking you might help him, and you respond with the above. seriously?

  8. #8 quanah (Zimbra Employee)

    yes, seriously. I took an hour yesterday writing up and documenting how to add nginx to his configuration so he can enable PFS. That's the solution until support for it can be added to Jetty. In any case, it is always advised to install proxy now.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  9. #9 dar1423 (Member)

    um, know your facts

    quanah & I had chatted in #irc. he suggested to ME to file the bug ...

  10. #10 quanah (Zimbra Employee)

    Yes, there is that too.

    I.e., if you want PFS now, you have to install nginx, period. If you don't want to use nginx, you'll have to wait until the bug I had dar1423 file is completed.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
