Zimbra : Blog (https://blog.zimbra.com)
All Things Zimbra

Did you know? Zimbra HTTP Strict Transport Security (HSTS)
https://blog.zimbra.com/2023/01/did-you-know-zimbra-http-strict-transport-security-hsts/
Wed, 18 Jan 2023 09:19:56 +0000

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

What does HSTS do for improving security?

You have HSTS configured on Zimbra and have configured a correct TLS certificate. One of your users is on the road and connects to a public Wi-Fi hotspot where all traffic is redirected to a rogue website. The rogue website will not have the correct TLS certificate for your Zimbra server domain. As a result, HSTS will prevent the user from connecting to the rogue website. The browser will display a full-page warning saying there is a TLS issue and that HSTS will prevent the user from connecting.

As a result, the user cannot send credentials to the rogue website, and a man-in-the-middle attack is avoided.

To enable HSTS run the following commands as the user zimbra:

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmmailboxdctl restart

Protecting Zimbra with Sucuri web application firewall
https://blog.zimbra.com/2023/01/protecting-zimbra-with-sucuri-web-application-firewall/
Wed, 11 Jan 2023 12:58:21 +0000

You can enhance the security of your Zimbra servers by using a web application firewall (WAF). By using a web application firewall you can add the following protections to Zimbra:

  • Geo blocking, geo fencing
  • Blocking or allow IP addresses
  • Emergency DDoS protection
  • Block anonymous proxies
  • Block top three attack countries
  • Manage HTTP Security Headers
  • Limited blocking of URL paths

While Zimbra offers DoSFilter, its configuration is command line based and not very easy to understand.

Prerequisites

To get started with a web application firewall, you need to first install Zimbra and set it up the usual way. You can use the Zimbra automated installer if you want to get started quickly.

For the Zimbra hostname you cannot use (registered) trademarks, including Sucuri, as those are not allowed to be added to the Sucuri service.

Eventually the web interface of Zimbra will only be accessible via the web application firewall, and for that you will need to change the DNS. But for the initial installation you can set up the DNS as follows (assuming your domain is zimbra.tech):

$ORIGIN zimbra.tech.
@        MX      100 wafmail.zimbra.tech.
@        TXT   "v=spf1 a mx -all"
_dmarc   TXT   "v=DMARC1; p=reject; fo=1"
@        CAA     0 issue "letsencrypt.org"
@        CAA     0 issue "godaddy.com"

waftest  A   [your zimbra server ip]
wafmail  A   [your zimbra server ip]

Please note the CAA records: Let’s Encrypt is used by the Zimbra automated installer, and GoDaddy is used by Sucuri.

You can install Zimbra using:

wget https://raw.githubusercontent.com/Zimbra/zinstaller/master/zinstaller -O /root/zinstaller
chmod +x /root/zinstaller
/root/zinstaller -p put-a-password-here -n waftest -t 'Europe/London' -a n --letsencrypt y zimbra.tech

If you want to use the web application firewall with a different hostname than the one configured in Zimbra, you should consider the setting of zimbraReverseProxyStrictServerNameEnabled. Please leave this enabled (true) if you have no issues. To disable it, run:

zmprov mcf zimbraReverseProxyStrictServerNameEnabled false

Setting up Sucuri

Create an account for a 30-day trial at https://sucuri.net/website-firewall-a/free-trial/. The cost of Sucuri basic is $10/month at the time of writing this article. Once you have set up your account you can add Zimbra as shown in these screenshots:

image

image

Sucuri will then ask you to change your DNS so that the Zimbra web interface can be proxied via the web application firewall. This means you change the DNS as follows:

$ORIGIN zimbra.tech.
@        MX      100 wafmail.zimbra.tech.
@        TXT   "v=spf1 a mx -all"
_dmarc   TXT   "v=DMARC1; p=reject; fo=1"
@        CAA     0 issue "letsencrypt.org"
@        CAA     0 issue "godaddy.com"

waftest  A   [IP ADDRESS PROVIDED BY SUCURI]
wafmail  A   [your zimbra server ip]

Then you can refresh the page on the Sucuri dashboard to see the service is activated:

image

You should now be able to visit your Zimbra server via the web application firewall. Hopefully Sucuri has requested a new TLS certificate and you should have no issues. If needed you can upload TLS certificates to Sucuri via the dashboard.

Setting up a Firewall on Zimbra

To make sure no one can bypass the web application firewall you should set up a host firewall on Zimbra. If you installed Zimbra with the automated installer you can find your firewall settings by running iptables -L -n --line-numbers as root:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02 state NEW
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
8    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9071
13   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
14   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
15   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
16   ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 0 state RELATED,ESTABLISHED

Chain InstanceServices (0 references)
num  target     prot opt source               destination

As you can see, port 443 is allowed in line 9. You can remove line 9 by running the command below. Please verify that your port 443 rule is indeed on line 9:

iptables -D INPUT 9

Then you can allow only the IP ranges of Sucuri with the following commands:

iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -s 192.88.134.0/23 -j ACCEPT
iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -s 185.93.228.0/22 -j ACCEPT
iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -s 66.248.200.0/22 -j ACCEPT
iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -s 208.109.0.0/22 -j ACCEPT
netfilter-persistent save

Your Zimbra server should now be protected by Sucuri.

Zimbra 9 known-issues

For Zimbra 9 in some cases you will have to add the following to the Allow URL Paths setting in Sucuri:

^/service/soap

How to use Sucuri

The Sucuri dashboard is self explanatory. You can block countries from accessing your Zimbra server as shown in this screenshot:

image

You can also enable some of the advanced protection mechanisms:

image

You can also block single IPs for known offenders:

image

Sucuri can block access to certain URLs with the Block URL Paths feature. This could be a nice feature to mitigate zero-day security vulnerabilities. However, the feature is very limited in what it sees as a match and is practically not usable.

image

Now that I use Sucuri do I need to install Zimbra patches?

YES. Sucuri does not mitigate Zimbra security issues. Even if it may be used to mitigate a security issue as a stop-gap measure, it is not a replacement for the security fixes provided by patching.

A note on logging

In Zimbra you will see some changes in /opt/zimbra/log/audit.log and /opt/zimbra/log/mailbox.log, specifically in the oip= value. In case of a login attempt by admin@zimbra.tech, audit.log shows:

2022-11-01 09:58:26,438 INFO  [qtp758013696-432://localhost:8080/service/soap/BatchRequest] [name=admin@zimbra.tech;oip=[IP OF CLIENT], [IP OF SUCURI];ua=zclient/10.0.0_GA_4452;soapId=60a7ee51;] security - cmd=Auth; account=admin@zimbra.tech; protocol=soap

Similar for mailbox.log:

2022-11-01 11:48:04,540 INFO  [qtp1279309678-242:https://waftest.zimbra.tech/service/soap/BatchRequest] [name=admin@zimbra.tech;mid=2;oip=[IP OF CLIENT], [IP OF SUCURI];oproto=https;port=37866;ua=ZimbraXWebClient - GC107 (Linux)/10.0.0_GA_4452;soapId=635e8982;] soap - (batch) SearchRequest elapsed=30

However, the Zimbra proxy (nginx based) logs such as /opt/zimbra/log/nginx.access.log will no longer contain the IP of the client:

[IP OF SUCURI]:14420 - - [01/Nov/2022:09:58:31 +0100]  "GET https://waftest.zimbra.tech/modern/index.js.map HTTP/1.1" 404 1327 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" "[zimbra internal ip's]"

You can use the real-time logging in Sucuri as a replacement of the Zimbra Proxy log.

image

A note on fail2ban

If you are using fail2ban as described on the wiki, you will want to disable the zimbra-webmail jail or update the filter filter.d/zimbra-webmail.conf to match the correct IP with the Sucuri set-up.
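
The logging and fail2ban notes above both come down to picking the right address out of the oip= chain. The following is an added example, not part of the original post or of Zimbra: it extracts the client IP from log lines in the format shown above and only trusts the chain when the last hop is inside the Sucuri ranges from the iptables rules in this article. The sample lines are constructed with documentation addresses, and the assumption that the last oip entry is the peer that connected to Zimbra follows the order shown in the article's log excerpts.

```python
import ipaddress
import re
from collections import Counter

# Sucuri ranges taken from the iptables rules in this article.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in (
    "192.88.134.0/23", "185.93.228.0/22", "66.248.200.0/22", "208.109.0.0/22")]

OIP_RE = re.compile(r"[\[;]oip=([^;\]]*)")


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_from_line(line):
    """Return (client_ip, came_through_waf), or None if the line has no usable oip."""
    m = OIP_RE.search(line)
    if not m:
        return None
    hops = []
    for token in m.group(1).split(","):
        try:
            hops.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            return None  # malformed chain: do not guess
    peer = hops[-1]  # assumption: last entry is the host that connected to Zimbra
    if not _is_trusted(peer):
        # Not from the WAF: everything left of the peer is client-supplied.
        return str(peer), False
    # Walk right to left and skip proxies; the first other address is the client.
    for ip in reversed(hops):
        if not _is_trusted(ip):
            return str(ip), True
    return str(hops[0]), True  # only proxy addresses in the chain


def summarize(lines):
    """Count lines per real client and collect peers that reached Zimbra without the WAF."""
    per_client, bypass = Counter(), set()
    for line in lines:
        result = client_from_line(line)
        if result is None:
            continue
        ip, via_waf = result
        per_client[ip] += 1
        if not via_waf:
            bypass.add(ip)
    return per_client, bypass


# Constructed sample lines in the audit.log / mailbox.log format shown above.
SAMPLE_LINES = [
    "2022-11-01 09:58:26,438 INFO  [qtp758013696-432://localhost:8080/service/soap/BatchRequest] "
    "[name=admin@zimbra.tech;oip=203.0.113.7, 192.88.134.25;ua=zclient/10.0.0_GA_4452;"
    "soapId=60a7ee51;] security - cmd=Auth; account=admin@zimbra.tech; protocol=soap",
    "2022-11-01 11:48:04,540 INFO  [qtp1279309678-242:https://waftest.zimbra.tech/service/soap/BatchRequest] "
    "[name=admin@zimbra.tech;mid=2;oip=203.0.113.7, 192.88.134.25;oproto=https;port=37866;"
    "soapId=635e8982;] soap - (batch) SearchRequest elapsed=30",
    # Client sent its own forwarded-for value: the left-most entry is not trustworthy.
    "2022-11-01 12:00:00,000 INFO  [qtp1-1://localhost:8080/service/soap/BatchRequest] "
    "[name=admin@zimbra.tech;oip=10.0.0.1, 198.51.100.9, 185.93.228.4;soapId=1;] security - cmd=Auth;",
    # Peer outside the Sucuri ranges: the host firewall is not restricting port 443.
    "2022-11-01 12:05:00,000 INFO  [qtp1-2://localhost:8080/service/soap/BatchRequest] "
    "[name=admin@zimbra.tech;oip=198.51.100.77;soapId=2;] security - cmd=Auth;",
    "2022-11-01 15:56:43,387 WARN  [qtp1279309678-106:https://waftest.zimbra.tech/] [] webclient - system failure",
]

if __name__ == "__main__":
    counts, bypass = summarize(SAMPLE_LINES)
    print(dict(counts), bypass)
```

Any address in the bypass set means a request reached Zimbra without passing Sucuri, which should not happen once the iptables rules above are in place.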

A note on Zimbra DoSFilter

While some of the functionality of Zimbra’s DoSFilter overlaps with Sucuri, you should use both and not disable Zimbra DoSFilter, because Zimbra DoSFilter has the capability to suspend connections for IPs with repeated failed logins. Repeated failed logins show up in /opt/zimbra/log/mailbox.log as follows:

2022-11-01 15:56:43,386 INFO  [qtp1279309678-23://localhost:8080/service/soap/BatchRequest] [] misc - Access from IP [CLIENT_IP], [SUCURI_IP] suspended, for repeated failed login.
2022-11-01 15:56:43,387 WARN  [qtp1279309678-106:https://waftest.zimbra.tech/] [] webclient - system failure: error while proxying request to target server: Service Unavailable
com.zimbra.common.service.ServiceException: system failure: error while proxying request to target server: Service Unavailable

Please note that even though the Sucuri IP address is listed in the log, the ban only applies to the IP of the client. This means that Sucuri (and your other clients) are not blocked by DoSFilter. It also means that if someone is using one IP to try passwords on admin@zimbra.tech and is suspended, admin@zimbra.tech can still log in using a different IP.

For more information on Zimbra DoSFilter see: https://wiki.zimbra.com/wiki/DoSFilter

How to write to log files from a Zimbra Extension
https://blog.zimbra.com/2023/01/how-to-write-to-log-files-from-a-zimbra-extension/
Wed, 04 Jan 2023 12:04:14 +0000

In MyTest.java you can find some examples of how to write to the
Zimbra log files. The most common ones are:

ZimbraLog.extensions.info("this is an info message that will show up in /opt/zimbra/log/mailbox.log");
ZimbraLog.extensions.error("this is an error message that will show up in /opt/zimbra/log/mailbox.log");

To see the logging in action run a tail on the log file as user root and
visit the extension page in your browser
https://testserver.example.com/service/extension/mytest:

tail -f /opt/zimbra/log/mailbox.log

The log will look as follows:

2022-10-26 11:12:25,174 INFO  [qtp48914743-18:https://zimbra10.barrydegraaff.nl/service/extension/mytest] [] extensions - this is an info message that will show up in /opt/zimbra/log/mailbox.log
2022-10-26 11:12:25,174 ERROR [qtp48914743-18:https://zimbra10.barrydegraaff.nl/service/extension/mytest] [] extensions - this is an error message that will show up in /opt/zimbra/log/mailbox.log

This is an example of a log message that contains variables:

 ZimbraLog.extensions.info("Some error happened : %s for : %s", Long.toString(a), e.getMessage());

It will show in the log as follows:

2022-10-26 11:12:25,174 INFO  [qtp48914743-18:https://zimbra10.barrydegraaff.nl/service/extension/mytest] [] extensions - Some error happened : 24567 for : / by zero

Different log levels exist to keep the size of the logging manageable in
a production environment. You can use the debug log level to
troubleshoot problems and/or log extensive amounts of data. By default
the log level in Zimbra is set so that INFO and ERROR level messages are
stored in the log and debug level messages are not stored.

To enable the storing of debug level messages for extensions append to
/opt/zimbra/conf/log4j.properties.in and
/opt/zimbra/conf/log4j.properties the following:

logger.extensions.name = zimbra.extensions
logger.extensions.level = debug
logger.extensions.additivity = false
logger.extensions.appenderRef.LOGFILE.ref = mailboxFile

You will have to restart Zimbra using:

sudo su - zimbra
zmmailboxdctl restart

You can now use the following:

ZimbraLog.extensions.debug("this is a debug message that will show up in /opt/zimbra/log/mailbox.log if debug logging level is set for extensions");

This will show up in the /opt/zimbra/log/mailbox.log like this:

2022-10-26 11:12:25,174 DEBUG [qtp48914743-18:https://zimbra10.barrydegraaff.nl/service/extension/mytest] [] extensions - this is a debug message that will show up in /opt/zimbra/log/mailbox.log if debug logging level is set for extensions

Other means of logging that you should avoid if possible:

System.out.println("This logs to /opt/zimbra/log/zmmailboxd.out, avoid using this");

This will literally only print the text of the message, but no date/time
stamp. So it can be used at development time, but in production it will
be hard to correlate the error message with other events logged by
Zimbra.

printStackTrace() is very useful in diagnosing exceptions during
development time. You should deal with most exceptions properly in
your code, and that should avoid the need for calling printStackTrace() a
lot in production. So use it wisely. An example:

long a = 24567;
long b = 0;
try {
    long c = (a / b) * 100; //Cannot divide by zero
} catch (Exception e) {
    //printStackTrace() logs to /opt/zimbra/log/zmmailboxd.out, avoid using this
    e.printStackTrace();
}

This will log around 80 lines of Java stack trace to
/opt/zimbra/log/zmmailboxd.out. It looks like this:

java.lang.ArithmeticException: / by zero
    at com.example.mytest.Mytest.doGet(Mytest.java:74)
    at com.zimbra.cs.extension.ExtensionDispatcherServlet.service(ExtensionDispatcherServlet.java:111)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
    at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1631)
   ...

Did you know? Zimbra Postscreen provides additional protection against mail server overload
https://blog.zimbra.com/2022/12/did-you-know-zimbra-postscreen-provides-additional-protection-against-mail-server-overload/
Wed, 28 Dec 2022 13:11:07 +0000

In Zimbra you can optionally enable Postscreen as an additional Anti-SPAM strategy. Postscreen will offer additional protection against mail server overload. One postscreen process handles multiple inbound SMTP connections and decides which clients may talk to a Postfix SMTP server process.

By keeping spambots away, postscreen leaves more SMTP server processes available for legitimate clients and delays the onset of server overload conditions.

Configuring

To configure Postscreen you first need to create an account at Spamhaus and obtain a DQS query key. Then you can configure Postscreen as follows, replace your-dqs-key-here with your actual Spamhaus DQS key:

zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2*7' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.[10;11]*8' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.[4..7]*6' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.3*4' zimbraMtaPostscreenDnsblSites 'your-dqs-key-here.zen.dq.spamhaus.net=127.0.0.2*3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
zmprov mcf zimbraMtaPostscreenDnsblReplyMap lmdb:/opt/zimbra/conf/dnsbl-reply

Next you have to create a file /opt/zimbra/conf/dnsbl-reply with the following content:

'your-key-here'.sbl.dq.spamhaus.net sbl.spamhaus.org
'your-key-here'.xbl.dq.spamhaus.net xbl.spamhaus.org
'your-key-here'.pbl.dq.spamhaus.net pbl.spamhaus.org
'your-key-here'.zen.dq.spamhaus.net zen.spamhaus.org
'your-key-here'.dbl.dq.spamhaus.net dbl.spamhaus.org
'your-key-here'.zrd.dq.spamhaus.net zrd.spamhaus.org

Don’t forget to run the postmap /opt/zimbra/conf/dnsbl-reply command. Please note that the syntax for /opt/zimbra/conf/dnsbl-reply is not the same as /opt/zimbra/conf/dnsbl-reply-map used in https://wiki.zimbra.com/wiki/Anti-spam.

Restart the MTA to load the changes, as user zimbra:

zmmtactl restart

For the latest configuration on Spamhaus, go to your Spamhaus Portal, click Products -> DQS in the top menu, then click the Manual tab and refer to section 3.1.2 Configuring Postfix.
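
How the weights in zimbraMtaPostscreenDnsblSites combine against zimbraMtaPostscreenDnsblThreshold is easier to see with a worked calculation. This is an added example, not code from Zimbra, Postfix or the original post: it re-implements the documented postscreen scoring rule (each matching entry adds its weight once, and the client is blocked when the sum reaches the threshold) for the entry forms used in this article. The DNSBL replies in the demo are constructed, and the function names are assumptions made for the illustration.

```python
import re

ZEN = "your-dqs-key-here.zen.dq.spamhaus.net"  # placeholder key, as in the article

# Entries copied from the zimbraMtaPostscreenDnsblSites command above.
SITES = [
    "b.barracudacentral.org=127.0.0.2*7",
    ZEN + "=127.0.0.[10;11]*8",
    ZEN + "=127.0.0.[4..7]*6",
    ZEN + "=127.0.0.3*4",
    ZEN + "=127.0.0.2*3",
    "list.dnswl.org=127.0.[0..255].0*-2",
    "list.dnswl.org=127.0.[0..255].1*-3",
    "list.dnswl.org=127.0.[0..255].2*-4",
    "list.dnswl.org=127.0.[0..255].3*-5",
    "bl.mailspike.net=127.0.0.2*5",
    "bl.mailspike.net=127.0.0.[10;11;12]*4",
    "wl.mailspike.net=127.0.0.[18;19;20]*-2",
    "dnsbl.sorbs.net=127.0.0.10*8",
    "dnsbl.sorbs.net=127.0.0.5*6",
    "dnsbl.sorbs.net=127.0.0.7*3",
    "dnsbl.sorbs.net=127.0.0.8*2",
    "dnsbl.sorbs.net=127.0.0.6*2",
    "dnsbl.sorbs.net=127.0.0.9*2",
]
THRESHOLD = 8  # zimbraMtaPostscreenDnsblThreshold

ENTRY_RE = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")


def parse_entry(entry):
    """Split 'domain=filter*weight' into (domain, filter or None, weight)."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"cannot parse entry: {entry!r}")
    return m["domain"], m["filter"], int(m["weight"] or 1)


def _octet_matches(pattern, octet):
    if not pattern.startswith("["):
        return int(pattern) == octet
    for item in pattern[1:-1].split(";"):  # [10;11] list or [4..7] range
        if ".." in item:
            lo, hi = item.split("..")
            if int(lo) <= octet <= int(hi):
                return True
        elif int(item) == octet:
            return True
    return False


def reply_matches(filt, reply):
    """True if a DNSBL A-record reply matches the entry's filter (no filter: any reply)."""
    if filt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", filt)
    octets = [int(o) for o in reply.split(".")]
    return (len(patterns) == 4 and len(octets) == 4
            and all(_octet_matches(p, o) for p, o in zip(patterns, octets)))


def score(replies, sites=SITES):
    """Sum the weights of all entries matched by the replies; each entry counts once."""
    total = 0
    for entry in sites:
        domain, filt, weight = parse_entry(entry)
        if any(reply_matches(filt, r) for r in replies.get(domain, ())):
            total += weight
    return total


def verdict(replies):
    """Return (score, blocked) for a client's DNSBL replies."""
    s = score(replies)
    return s, s >= THRESHOLD


if __name__ == "__main__":
    # Constructed replies: domain -> list of returned A records.
    print(verdict({ZEN: ["127.0.0.2"]}))                                  # (3, False)
    print(verdict({ZEN: ["127.0.0.4"], "bl.mailspike.net": ["127.0.0.2"]}))  # (11, True)
    print(verdict({"b.barracudacentral.org": ["127.0.0.2"],
                   "list.dnswl.org": ["127.0.5.1"]}))                     # (4, False)
```

With these weights a single low-weight listing never blocks on its own, while allowlist hits (negative weights) can pull a borderline client back under the threshold.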

Did you Know? Zimbra Desktop Auto-Archive feature and more
https://blog.zimbra.com/2022/12/did-you-know-zimbra-desktop-auto-archive-feature/
Wed, 21 Dec 2022 15:41:50 +0000

Do you check your emails when you are traveling? Do you have intermittent internet access?

Zimbra Desktop provides a seamless way to access your Zimbra content when connectivity is limited. It’s an app that you install on your computer (Windows or Mac) so you can read your emails, reply or forward an email, compose new ones, and check your calendar. Zimbra syncs automatically and delivers any new email in/out of your mailbox as soon as your device goes online.

Zimbra Desktop has all the same functionality as Zimbra’s Modern UI.

Running out of storage quota on your mailbox?

You may free up space on your mailbox by moving some of the emails to the local storage. The emails moved to local storage will be accessible via the Zimbra Desktop app.

Archiving regularly helps free space on your mail servers.

Can I archive my old emails automatically?

Yes, the Auto-Archive feature in Zimbra Desktop helps you move old emails from the mail server storage to the Local Storage. This feature is set to auto-archive emails older than 30 days, but you can adjust this to any time you want.

How do I enable the Auto-Archive feature?

Follow these steps to enable it:

  1. Go to Settings.
  2. In General → Storage, select the Enable
  3. By default, mails older than 30 days will be archived. If you need to change the number of days, update the Auto-archive emails older than text box.
  4. Click Save.
  5. Zimbra Desktop App needs to be restarted to start the archiving of messages.

How do I know if my emails are being auto-archived?

Once the Auto-Archive feature is enabled, Zimbra Desktop App must be restarted to start the auto-archiving process. Depending upon the data to be archived, the process may take some time. The mails matching the auto-archive criteria will be moved from Inbox to Local Folders.

Can I send emails securely with Zimbra Desktop?

Yes, Zimbra Desktop app supports S/MIME functionality. You can send Signed or Signed and Encrypted emails to other users.

How to change the Zimbra Server URL in Zimbra Desktop App

When the Zimbra Desktop App is opened for the first time, the user will have to provide the Zimbra Server URL to connect to the Zimbra server.

If the user needs to change the Zimbra Server URL in the future, the user must change it in the following file:

  • Windows : C:\Users\[USER-NAME]\AppData\Roaming\@zimbra\electron-app\server_prefs.json
  • Mac : /Users/[USER-NAME]/Library/Application Support/@zimbra/electron-app/server_prefs.json

Update Zimbra TLS cipher suites to disable Diffie-Hellman
https://blog.zimbra.com/2022/12/update-zimbra-tls-cipher-suites-to-disable-diffie-hellmann/
Tue, 20 Dec 2022 13:42:31 +0000

In a previous blog and wiki we have shown how to configure Zimbra with a strong TLS configuration. Since encryption is always evolving we have updated the previous blog and wiki to disable Diffie-Hellman.

If you have applied the steps from the Cipher Suites wiki before, you can run the following commands as user zimbra to apply the recent changes.

zmprov -l mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
zmproxyctl restart

postconf -e tls_medium_cipherlist='!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
postconf -e tls_preempt_cipherlist=no
zmmtactl restart

With this change we have added !DH:!EDH:!ADH: that will explicitly disable Diffie-Hellman. In some cases with some certificate providers Diffie-Hellman will already be disabled regardless of the configured cipher list. It does not hurt to configure it, but you can check your current TLS security by running a website test at internet.nl.
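
To see what the cipher string above actually enables, you can ask the local OpenSSL to expand it. This is an added example, not part of the original post; it uses Python's standard ssl module, the function names are assumptions made for the illustration, and the exact result depends on the OpenSSL build on the machine where it runs.

```python
import ssl

# Cipher string from the zmprov / postconf commands above.
ZIMBRA_CIPHERS = (
    "!DH:!EDH:!ADH:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def effective_ciphers(cipher_string):
    """Suites for TLS 1.2 and below that the local OpenSSL enables for this string.

    TLS 1.3 suites are configured separately in OpenSSL and are left out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Compare what the string asks for with what OpenSSL ends up enabling."""
    requested = [t for t in cipher_string.split(":") if t and not t.startswith("!")]
    enabled = effective_ciphers(cipher_string)
    return {
        "enabled": enabled,
        # Suites named in the string that a '!' exclusion (or the build) removed.
        "requested_but_disabled": [n for n in requested if n not in enabled],
        # Finite-field Diffie-Hellman suites that are still enabled (should be none).
        "finite_field_dh": [n for n in enabled
                            if n.startswith(("DHE-", "EDH-", "ADH-", "DH-"))],
    }


if __name__ == "__main__":
    report = audit(ZIMBRA_CIPHERS)
    for key, names in report.items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}")
```

In OpenSSL cipher strings a `!` exclusion is permanent, so the two DHE-RSA entries at the end of the list are reported under requested_but_disabled and only the ECDHE suites remain enabled.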

Email Security Protect your email account and data
https://blog.zimbra.com/2022/12/email-security-protect-your-email-account-and-data/
Wed, 14 Dec 2022 14:35:32 +0000

Identity theft, fraudulent use of your credit card, ransomware… cybercrime is always evolving. There are some simple things you can do to protect your email data and accounts. How can you protect yourself from the most common and real threats like:

  • Identity and credit card information theft
  • Theft of proprietary data
  • Precise phishing attacks
  • Ransomware
  • Malicious attachments
  • Being hacked

We have written the end-user oriented email security checklist to help you raise awareness for (email) account security.

NEW! Zimbra Patches: 9.0.0 Patch 29 + 8.8.15 Patch 36
https://blog.zimbra.com/2022/12/new-zimbra-patches-9-0-0-patch-29-8-8-15-patch-36/
Wed, 07 Dec 2022 15:17:21 +0000

Hello Zimbra Friends, Customers & Partners,

Zimbra 9.0.0 Kepler Patch 29 and 8.8.15 James Prescott Joule Patch 36 are here.

This patch fixes 2 issues that were introduced with the Kepler 9.0.0-Patch-28 & 8.8.15 Joule-Patch-35 patches.

  • In the previous patch ClamAV was upgraded to the latest upstream version. Unfortunately this broke attachment scanning; this new patch restores the attachment scanning functionality. Should you have disabled attachment scanning, you can re-enable it by running:
zmprov ms `zmhostname` zimbraAttachmentsScanEnabled TRUE
zmcontrol restart
  • In the previous patch the spell and convertd services failed to start on mailstore nodes in a multi-node setup. This has been fixed by recompiling Apache with the existing PCRE library.

Please refer to the release notes for the patch installation on Red Hat and Ubuntu platforms.

Release Notes:

Note: Additional configuration for further hardening your Zimbra setup can be found on the Zimbra Support Portal. It is recommended that all customers consider these additional steps. If you applied this configuration previously, you will have to re-apply the same configuration after upgrading to this patch.

Please refer to Zimbra Releases for the latest releases and Zimbra Security Center for security updates.

Thanks,
Your Zimbra Team

The post NEW! Zimbra Patches: 9.0.0 Patch 29 + 8.8.15 Patch 36 appeared first on Zimbra : Blog.

Zimbra Now Works with Thales’ SafeNet Trusted Access
https://blog.zimbra.com/2022/12/zimbra-now-in-the-thales-sso-application-catalog/
Wed, 07 Dec 2022 13:40:11 +0000

Hello Zimbra Customers, Partners & Friends,
We’re happy to announce that Zimbra now works with Thales’ SafeNet Trusted Access (STA) to provide single sign-on (SSO), policy configuration and multi-factor authentication (MFA). This makes it easy to meet compliance mandates such as GDPR and PCI DSS by letting you decide who has access to Zimbra and how their identity is verified. Thales’ SSO Application Catalog.

Enable SSO for Users Accessing Zimbra through SafeNet Trusted Access (STA)

Configuring STA for Zimbra is a 3-step process:

  1. Set up STA
  2. Set up Zimbra
  3. Verify authentication

Prerequisites:

  • Zimbra up and running
  • Download the Identity Provider (IdP) certificate from the SafeNet Trusted Access console and save it in a local directory on your machine
  • Configure the SSL certificate and domain on the Zimbra server

Click here for the steps to activate Zimbra in STA.

Thanks,
Your Zimbra Team

The post Zimbra Now Works with Thales’ SafeNet Trusted Access appeared first on Zimbra : Blog.

How to use DOMPurify in your Zimlet for XSS sanitizing
https://blog.zimbra.com/2022/11/how-to-use-dompurify-in-your-zimlet-for-xss-sanitizing/
Wed, 30 Nov 2022 13:38:23 +0000


Cross-Site Scripting (XSS) attacks are a type of injection attack in which malicious scripts are injected into otherwise benign and trusted websites. If you are developing a Zimlet, you should not trust any form of user input. If you integrate 3rd party services via your Zimlet, you probably also want to sanitize any data you receive from that 3rd party application.

The Zimbra Modern UI includes DOMPurify, which you can use in your Zimlet for your XSS sanitizing needs. Here is a basic example:

//Load components from Zimbra
import { createElement } from "preact";
import dompurify from 'dompurify';

//Create function by Zimbra convention
export default function Zimlet(context) {
    const { plugins } = context;
    const exports = {};

    exports.init = function init() {
        let clean = dompurify.sanitize('<b>hello there</b>');
        console.log(clean); //prints: <b>hello there</b>
        clean = dompurify.sanitize('<img src=x onerror=alert(1)//>');
        console.log(clean);//prints: <img src="x">
    };

    return exports;
}

Further reading:

The post How to use DOMPurify in your Zimlet for XSS sanitizing appeared first on Zimbra : Blog.
