Zimbra without Proxy ( zimbra mailbox+zimbra ldap+zimbra MTA)
Tune the cipher list ( you to check zimbraSSLExcludeCipherSuites before run command)
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHARestart the mailbox service
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
zmmailboxdctl restartTo configure Strict Transport Security (HSTS)
vim /opt/zimbra/jetty/etc/jetty.xml.inAdd the following
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Strict-Transport-Security</Set>
<Set name="value">max-age=15768000; includeSubDomains</Set>
</New>
</Arg>
</Call>
Zimbra using Proxy (zimbra mailbox+zimbra proxy+zimbra MTA+zimbra ldap)
To create a new 2048 key
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048Edit the following two files
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.templateAdd a ssl_dhparam entry before the include
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
ssl_verify_client ${ssl.clientcertmode.default};Tune the cipher list
ssl_verify_depth ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'Restart the proxy
zmproxyctl restartTo configure Strict Transport Security (HSTS)
Edit files
vim /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.templateadd the following in the server { ... } section:
vim /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
add_header Strict-Transport-Security "max-age=31536000";To restart the proxy
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
zmproxyctl restartTest zimbra Qualys A+ online
https://www.ssllabs.com/ssltest/analyze.html
Thanks for reading zimbra Qualys A+ My blog Zimbra Mail Server,linux,bash script,centos,linux command I hope this is useful.
