The current versions of Zimbra come pretty secure out of the box, and Zimbra is being very good about releasing Security Fixes on a timely basis as part of their near-biweekly Patch process. Some customers however demand a higher level of security.

One such customer wanted to force Zimbra not to use TLS1.0 and TLS1.1.  TLS1.0 is nearly 20 years old, and all of the browser manufacturers have announced they are removing TLS1.0 and TLS1.1 support in the first half of 2020.  You can read the announcements from Firefox, Apple, Google and Microsoft at the links given.  TLS1.0 presently is not acceptable for PCI-DSS.

Internally, Zimbra’s mailbox server’s Java options use TLS 1.0, 1.1 and 1.2, and Zimbra Support have told us this cannot be turned off.  But Zimbra now requires proxy, so there is no need to expose the mailbox service to the public Internet anyway.

Consequently, all we need to do to up our game is to turn off Zimbra Proxy’s willingness to accept incoming connections using TLS1.0 and TLS1.1.  And that’s easy to do by running:

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1

$ zmproxyctl restart
Now when you run a test at Qualys SSL Labs you should be able to have your Protocol Support score at 100% as part of your A+ overall score.
Hope that helps,

L. Mark Stone
Mission Critical Email
12 November 2018

The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.