Huu Phan | Blog Linux operating system | Linux operating system -Blog Huu Phan | www.huuphan.com
huuphan.com. Powered by Blogger.

zimbra Qualys A+

How to zimbra A+ in the Qualys SSL Labs Security Test. To help system zimbra security hardening. Let's go labs. in my post,i use zimbra account ( su - zimbra) 
zimbra Qualys A+







Zimbra without Proxy ( zimbra mailbox+zimbra ldap+zimbra MTA)

Tune the cipher list ( you to check zimbraSSLExcludeCipherSuites before run command)
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
Restart the mailbox service
zmmailboxdctl restart
To configure Strict Transport Security (HSTS)
vim /opt/zimbra/jetty/etc/jetty.xml.in
Add the following
<Call name="addRule">
           <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                 <Set name="pattern">*</Set>
                 <Set name="name">Strict-Transport-Security</Set>
                 <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
           </Arg>
        </Call>

Zimbra using Proxy (zimbra mailbox+zimbra proxy+zimbra MTA+zimbra ldap)

To create a new 2048 key
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
Edit the following two files
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Add a ssl_dhparam entry before the include
ssl_verify_client ${ssl.clientcertmode.default};
ssl_verify_depth ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
include                 ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
Tune the cipher list
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
Restart the proxy
zmproxyctl restart
To configure Strict Transport Security (HSTS)
Edit files
vim /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
vim /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
add the following in the server { ... } section:
add_header Strict-Transport-Security "max-age=31536000";
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
To restart the proxy
zmproxyctl restart
Test zimbra Qualys A+ online
https://www.ssllabs.com/ssltest/analyze.html

Thanks for reading zimbra Qualys A+ My blog Zimbra Mail Server,linux,bash script,centos,linux command I hope this is useful.

post new :

Huu Phan | Blog Linux operating system | Huu Phan ~ Zimbra Mail Server,linux,bash script,centos,linux command | www.huuphan.com