Zimbra 8.7 weak cipher issue

ictvoordezaak
Posts: 10
Joined: Wed Apr 06, 2016 4:37 pm

Zimbra 8.7 weak cipher issue

Postby ictvoordezaak » Sat Aug 13, 2016 10:02 am

Hello all,

I have an issue with weak ciphers. After disabling all but one, my current browser, Firefox 48, is unable to connect, and so are my Apple Mail, iPhone etc.

My installation runs on CentOS 6, openjdk version "1.8.0_92-zimbra", was upgraded from 8.6 GA to 8.7 and uses Letsencrypt.
The upgrade from 8.6 to 8.7 had no issues. Everything worked fine, including the existing Letsencrypt certificate.
Since the SSLlabs score for my server was only a 'B', I decided to disable weak ciphers as described here:

https://wiki.zimbra.com/wiki/Cipher_suites

Current situation is that all but one of the weak ciphers are disabled; as a result I am no longer able to access the web interface using current browsers such as Firefox 48. Only Safari 8 and other applications compatible with TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 will connect.

At this point I am not sure what my next step should be in order to accomplish that at least Firefox 48 will connect. I can think of three options:

A) As stated in the WIKI article about Ciphers: "To enable strong ciphers, weak ciphers must be disabled." That can be read as "before strong ciphers kick in, ALL weak ciphers must be disabled". If this fails I risk losing access to my system altogether.

B) Re-enable other weak ciphers. However, I don't know how to accomplish that.

C) I suppose the cipher configuration is stored in some config file. There is a complete backup for my server available, but I don't know which files are changed by the 'zmprov mcf +zimbraSSLExcludeCipherSuites' command.

Any advice is welcome!
Thanks in advance.


ictvoordezaak
Posts: 10
Joined: Wed Apr 06, 2016 4:37 pm

Re: Zimbra 8.7 weak cipher issue

Postby ictvoordezaak » Sat Aug 13, 2016 11:12 pm

I found a workaround here:
http://blog.theatticnetwork.net/2014/11 ... th-zimbra/

However, this does not solve the original problem, only bypasses it.
As soon as I uncomment the section in jetty.xml.in and restart mailbox, the original problem is back.

Also: I am completely unable to connect using IMAP. Not even plain IMAP (TCP 143) works. User authentication simply does not work.
According to the mailbox.log:
ERROR [ImapSSLServer-216] [ip=[IP removed];] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLHandshakeException: SSL handshake failed.

This is the workaround:
At this point, make sure your web GUI still works.

If it doesn’t work you can edit /opt/zimbra/jetty/etc/jetty.xml.in and comment out this block

<!-- <Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
%%zimbraSSLExcludeCipherSuitesXML%%
</Array>
</Set> -->

Then run zmmailboxdctl restart again
That will bring the web server back with no excludes on ciphers, but you can then do:

zmprov mcf -zimbraSSLExcludeCipherSuites YOURCIPHER

To remove it from the global config.

I suggest doing it one cipher at a time and a restart before doing the next one. It will make undoing it easier.

jetty.xml – running config file generated on the restart of the server
jetty.xml.in – the zimbra config used as a template to build jetty.xml <— This is the one to edit.
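After a cipher change, the mailbox.log errors quoted above are the quickest way to see which clients can no longer negotiate, and from which listener. This is an added example in Python, not code from the post or from Zimbra; the log lines are constructed in the shape of the quoted one, with the timestamp prefix that real mailbox.log lines carry assumed.

```python
import re
from collections import Counter, defaultdict

# Matches the error shape quoted in the post. search() rather than match(), so
# the leading timestamp of a real mailbox.log line is tolerated but not required.
SSL_DROP = re.compile(
    r"ERROR \[(?P<thread>[A-Za-z0-9]+?)-\d+\] \[ip=(?P<ip>.*?);\] (?P<proto>\w+) - "
    r"Error detected by SSL subsystem, dropping connection:(?P<exc>[\w.$]+)"
)


def ssl_drops(lines):
    """Yield (listener thread, client ip, protocol, exception class) per dropped connection."""
    for line in lines:
        m = SSL_DROP.search(line)
        if m:
            yield m["thread"], m["ip"], m["proto"], m["exc"]


def failures_by_client(lines):
    """Count handshake failures per client IP, split by listener thread
    (ImapSSLServer is mailboxd's IMAP-over-TLS listener, ImapServer the
    plain/STARTTLS one), so you can tell an IMAPS problem from a STARTTLS one."""
    per_ip = defaultdict(Counter)
    for thread, ip, _proto, _exc in ssl_drops(lines):
        per_ip[ip][thread] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


def noisy_clients(lines, threshold=3):
    """IPs with at least `threshold` failures: after tightening ciphers these are
    the clients that can no longer negotiate, the ones to identify (which mail
    app, which OS) before excluding the next suite."""
    return sorted(ip for ip, counts in failures_by_client(lines).items()
                  if sum(counts.values()) >= threshold)


# Constructed sample log, modelled on the single line quoted in the post.
SAMPLE_LOG = """\
2016-08-13 22:40:01,102 ERROR [ImapSSLServer-216] [ip=203.0.113.5;] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLHandshakeException: SSL handshake failed.
2016-08-13 22:40:03,410 ERROR [ImapSSLServer-217] [ip=203.0.113.5;] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLHandshakeException: SSL handshake failed.
2016-08-13 22:40:09,002 WARN  [ImapSSLServer-218] [ip=198.51.100.7;] imap - unrelated warning, not a dropped connection
2016-08-13 22:41:15,770 ERROR [ImapSSLServer-219] [ip=203.0.113.5;] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLHandshakeException: SSL handshake failed.
2016-08-13 22:42:30,001 ERROR [ImapServer-42] [ip=198.51.100.7;] imap - Error detected by SSL subsystem, dropping connection:javax.net.ssl.SSLHandshakeException: SSL handshake failed.
""".splitlines()

if __name__ == "__main__":
    # On a real server feed it the file instead: open("/opt/zimbra/log/mailbox.log")
    for ip, counts in failures_by_client(SAMPLE_LOG).items():
        print(ip, counts)
    print("clients to look at:", noisy_clients(SAMPLE_LOG))
```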
cs8rfe
Posts: 6
Joined: Thu Aug 18, 2016 6:20 pm

Re: Zimbra 8.7 weak cipher issue

Postby cs8rfe » Thu Aug 18, 2016 7:25 pm

I am definitely not the pro you seek, but here is what I did to increase the rating and no, I do not have an ‘A+’ rating, it is “only” an ‘A’. There are older devices I need to support… :/

If you use the proxy,

zmprov mcf +zimbraSSLExcludeCipherSuites <xyz>

will not change the SSLLabs rating because the excluded CipherSuites are still detected.

I used

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4'

instead.
Additionally you can use

zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2

as well, to disable every protocol other than TLSv1.2. If you do this, you might lock out older devices. But SSLLabs is so kind as to show you which OS/browser are not able to use newer TLS versions (Handshake Simulation).

I do not know which ciphers you have enabled/disabled. Could you share the commands you have used? This information would make it a bit easier to help you as we would know what you have enabled/disabled and where.


With the IMAP problem I cannot assist. Securing IMAP is still on my to-do list and at the moment not available from the Internet.
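The two posts above touch two different namespaces for the same cipher suites: zimbraSSLExcludeCipherSuites (Jetty) takes Java names such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, while zimbraReverseProxySSLCiphers (nginx) takes OpenSSL names such as DHE-RSA-AES128-SHA256, which is why an exclusion applied only on the mailbox does not change what the proxy negotiates. This is an added example in Python, not code from the thread or from Zimbra: it translates between the two spellings for the AES, 3DES and RC4 families, classifies each suite from its name, and carries a mailbox exclude list over to the proxy string as OpenSSL '!' rules; the sample proxy string and exclude list are constructed.

```python
"""Bridge the two cipher-suite namespaces a Zimbra 8.7 admin must keep in sync:
Jetty (zimbraSSLExcludeCipherSuites, Java names like TLS_DHE_RSA_WITH_AES_128_CBC_SHA256)
and nginx (zimbraReverseProxySSLCiphers, OpenSSL names like DHE-RSA-AES128-SHA256)."""
import re
import ssl

# Key-exchange/authentication prefix in OpenSSL spelling; plain RSA key exchange
# has no prefix at all (TLS_RSA_WITH_AES_128_CBC_SHA is AES128-SHA).
KX_MAP = {"RSA": "", "DHE_RSA": "DHE-RSA", "DHE_DSS": "DHE-DSS",
          "ECDHE_RSA": "ECDHE-RSA", "ECDHE_ECDSA": "ECDHE-ECDSA"}
# Bulk cipher token in OpenSSL spelling (AES, 3DES and RC4 families).
BULK_MAP = {"AES_128_CBC": "AES128", "AES_256_CBC": "AES256",
            "AES_128_GCM": "AES128-GCM", "AES_256_GCM": "AES256-GCM",
            "3DES_EDE_CBC": "DES-CBC3", "RC4_128": "RC4"}
JAVA_NAME = re.compile(
    r"^TLS_(?P<kx>[A-Z_]+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$")


def _parse(java_name):
    m = JAVA_NAME.match(java_name)
    if not m or m["kx"] not in KX_MAP or m["bulk"] not in BULK_MAP:
        raise ValueError("unsupported or malformed suite name: " + java_name)
    return m


def java_to_openssl(java_name):
    """Map a Jetty/JSSE suite name to the OpenSSL name nginx expects."""
    m = _parse(java_name)
    return "-".join(p for p in (KX_MAP[m["kx"]], BULK_MAP[m["bulk"]], m["mac"]) if p)


def suite_properties(java_name):
    """Judge a suite from its name: forward secrecy (ephemeral DH/ECDH key
    exchange), AEAD bulk cipher (GCM), and the legacy traits that pull a
    scanner grade down (RC4, 3DES, MD5, HMAC-SHA1)."""
    m = _parse(java_name)
    return {
        "forward_secrecy": m["kx"].startswith(("DHE_", "ECDHE_")),
        "aead": m["bulk"].endswith("_GCM"),
        "obsolete_cipher": m["bulk"] in ("3DES_EDE_CBC", "RC4_128") or m["mac"] == "MD5",
        "sha1_mac": m["mac"] == "SHA",
    }


def proxy_string_with_excludes(proxy_ciphers, java_excludes):
    """Carry the mailbox's exclusions over to the nginx cipher string as OpenSSL
    '!' rules, so the proxy cannot keep offering what Jetty already refuses.
    A '!' rule removes the suite even if an alias such as HIGH or AES128
    would otherwise re-include it."""
    rules = [r for r in proxy_ciphers.split(":") if r]
    for name in java_excludes:
        bang = "!" + java_to_openssl(name)
        if bang not in rules:
            rules.append(bang)
    return ":".join(rules)


def openssl_expansion(cipher_string):
    """Resolve an nginx-style cipher string with the local OpenSSL build (via the
    ssl module) into the concrete TLS<=1.2 suites it enables, so aliases such as
    HIGH, AES128 or kEDH+AESGCM are expanded. The result depends on the OpenSSL
    version installed, so it is printed but not asserted on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


# Constructed sample inputs, modelled on the thread: a trimmed proxy string in
# the style of cs8rfe's, and three RSA-key-exchange suites an admin might
# exclude first (no forward secrecy, CBC mode, 3DES).
PROXY_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                 "DHE-RSA-AES128-SHA256:AES128:AES256:HIGH:"
                 "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4")
MAILBOX_EXCLUDES = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_RSA_WITH_AES_256_CBC_SHA256",
                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for name in MAILBOX_EXCLUDES + ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"]:
        print(f"{name:40} -> {java_to_openssl(name):28} {suite_properties(name)}")
    merged = proxy_string_with_excludes(PROXY_CIPHERS, MAILBOX_EXCLUDES)
    print("zmprov mcf zimbraReverseProxySSLCiphers", repr(merged))
    print("enabled by the local OpenSSL:", openssl_expansion(merged))
```

The printed expansion is what nginx would actually offer with that string on a box with the same OpenSSL, which is the list worth comparing against an SSL Labs report before and after each zmprov change.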
ictvoordezaak
Posts: 10
Joined: Wed Apr 06, 2016 4:37 pm

Re: Zimbra 8.7 weak cipher issue

Postby ictvoordezaak » Mon Aug 22, 2016 9:23 am

This is the full LDAP configuration of my server. Certain sensitive information such as certs is removed.

[zimbra@mail root]$ zmprov getAllConfig
zimbraReverseProxyImapEnabledCapability: CATENATE
zimbraReverseProxyImapEnabledCapability: CHILDREN
zimbraReverseProxyImapEnabledCapability: CONDSTORE
zimbraReverseProxyImapEnabledCapability: ENABLE
zimbraReverseProxyImapEnabledCapability: ESEARCH
zimbraReverseProxyImapEnabledCapability: ESORT
zimbraReverseProxyImapEnabledCapability: I18NLEVEL=1
zimbraReverseProxyImapEnabledCapability: ID
zimbraReverseProxyImapEnabledCapability: IDLE
zimbraReverseProxyImapEnabledCapability: IMAP4rev1
zimbraReverseProxyImapEnabledCapability: LIST-EXTENDED
zimbraReverseProxyImapEnabledCapability: LIST-STATUS
zimbraReverseProxyImapEnabledCapability: LITERAL+
zimbraReverseProxyImapEnabledCapability: MULTIAPPEND
zimbraReverseProxyImapEnabledCapability: NAMESPACE
zimbraReverseProxyImapEnabledCapability: QRESYNC
zimbraReverseProxyImapEnabledCapability: QUOTA
zimbraReverseProxyImapEnabledCapability: RIGHTS=ektx
zimbraReverseProxyImapEnabledCapability: SASL-IR
zimbraReverseProxyImapEnabledCapability: SEARCHRES
zimbraReverseProxyImapEnabledCapability: SORT
zimbraReverseProxyImapEnabledCapability: THREAD=ORDEREDSUBJECT
zimbraReverseProxyImapEnabledCapability: UIDPLUS
zimbraReverseProxyImapEnabledCapability: UNSELECT
zimbraReverseProxyImapEnabledCapability: WITHIN
zimbraReverseProxyImapEnabledCapability: XLIST
zimbraReverseProxyImapExposeVersionOnBanner: FALSE
zimbraReverseProxyImapPortAttribute: zimbraImapBindPort
zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: on
zimbraReverseProxyInactivityTimeout: 1h
zimbraReverseProxyIpThrottleMsg: Login rejected from this IP
zimbraReverseProxyLogLevel: info
zimbraReverseProxyLookupTarget: FALSE
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailHostAttribute: zimbraMailHost
zimbraReverseProxyMailHostQuery: (|(zimbraMailDeliveryAddress=${USER})(zimbraMailAlias=${USER})(zimbraId=${USER}))
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPassErrors: TRUE
zimbraReverseProxyPop3EnabledCapability: EXPIRE 31 USER
zimbraReverseProxyPop3EnabledCapability: TOP
zimbraReverseProxyPop3EnabledCapability: UIDL
zimbraReverseProxyPop3EnabledCapability: USER
zimbraReverseProxyPop3EnabledCapability: XOIP
zimbraReverseProxyPop3ExposeVersionOnBanner: FALSE
zimbraReverseProxyPop3PortAttribute: zimbraPop3BindPort
zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxyPortQuery: (&(zimbraServiceHostname=${MAILHOST})(objectClass=zimbraServer))
zimbraReverseProxyRouteLookupTimeout: 15s
zimbraReverseProxyRouteLookupTimeoutCache: 60s
zimbraReverseProxySNIEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraReverseProxySSLECDHCurve: prime256v1
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLSessionCacheSize: 10m
zimbraReverseProxySSLSessionTimeout: 10m
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraReverseProxySendImapId: TRUE
zimbraReverseProxySendPop3Xoip: TRUE
zimbraReverseProxyUpstreamConnectTimeout: 25
zimbraReverseProxyUpstreamLoginServers: mail.<<mydomain>>
zimbraReverseProxyUpstreamPollingTimeout: 1h
zimbraReverseProxyUpstreamReadTimeout: 60s
zimbraReverseProxyUpstreamSendTimeout: 60s
zimbraReverseProxyUserLoginLimit: 0
zimbraReverseProxyUserLoginLimitTime: 3600
zimbraReverseProxyUserThrottleMsg: Login rejected for this user
zimbraReverseProxyWorkerConnections: 10240
zimbraReverseProxyWorkerProcesses: 4
zimbraReverseProxyXmppBoshEnabled: FALSE
zimbraReverseProxyXmppBoshLocalHttpBindURL: /http-bind
zimbraReverseProxyXmppBoshSSL: FALSE
zimbraReverseProxyXmppBoshTimeout: 90s
zimbraReverseProxyZmlookupCachingEnabled: TRUE
zimbraSSLDHParam:: <<removed>>
zimbraSSLExcludeCipherSuites: .*_RC4_.*
zimbraSSLIncludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zimbraSaslGssapiRequiresTls: FALSE
zimbraScheduledTaskInitialRetryDelay: 5s
zimbraScheduledTaskMaxRetries: 10
zimbraScheduledTaskMaxRetryDelay: 10m
zimbraScheduledTaskNumThreads: 20
zimbraScheduledTaskRetry: TRUE
zimbraScheduledTaskRetryPolicy: exponential
zimbraShareNotificationMtaAuthRequired: FALSE
zimbraShareNotificationMtaConnectionType: CLEARTEXT
zimbraShareNotificationMtaEnabled: FALSE
zimbraSharingUpdatePublishInterval: 15m
zimbraShortTermAllEffectiveRightsCacheExpiration: 50s
zimbraShortTermAllEffectiveRightsCacheSize: 128
zimbraShortTermGranteeCacheExpiration: 50s
zimbraShortTermGranteeCacheSize: 128
zimbraSkinLogoURL: http://www.zimbra.com
zimbraSmtpHostname: localhost
zimbraSmtpPort: 25
zimbraSmtpSendAddAuthenticatedUser: FALSE
zimbraSmtpSendAddMailer: TRUE
zimbraSmtpSendAddOriginatingIP: TRUE
zimbraSmtpSendPartial: FALSE
zimbraSmtpTimeout: 60
zimbraSoapExposeVersion: FALSE
zimbraSoapRequestMaxSize: 15360000
zimbraSpamCheckEnabled: FALSE
zimbraSpamHeader: X-Spam-Flag
zimbraSpamHeaderValue: YES
zimbraSpamIsNotSpamAccount: <<removed>>@<<mydomain>>
zimbraSpamIsSpamAccount: <<removed>>@<<mydomain>>
zimbraSpamKillPercent: 75
zimbraSpamReportEnvelopeFrom: <>
zimbraSpamReportSenderHeader: X-Zimbra-Spam-Report-Sender
zimbraSpamReportTypeHam: ham
zimbraSpamReportTypeHeader: X-Zimbra-Spam-Report-Type
zimbraSpamReportTypeSpam: spam
zimbraSpamSubjectTag: ***spam***
zimbraSpamTagPercent: 33
zimbraSpamTrainingSubjectPrefix: zimbra-spam-report:
zimbraSpamTrashAlias: /Deleted Messages
zimbraSpamTrashAlias: /Deleted Items
zimbraSpellAvailableDictionary: en_US
zimbraSpnegoAuthEnabled: FALSE
zimbraStatThreadNamePrefix: AnonymousIoService
zimbraStatThreadNamePrefix: CloudRoutingReaderThread
zimbraStatThreadNamePrefix: GC
zimbraStatThreadNamePrefix: ImapSSLServer
zimbraStatThreadNamePrefix: ImapServer
zimbraStatThreadNamePrefix: LmtpServer
zimbraStatThreadNamePrefix: Pop3SSLServer
zimbraStatThreadNamePrefix: Pop3Server
zimbraStatThreadNamePrefix: ScheduledTask
zimbraStatThreadNamePrefix: SocketAcceptor
zimbraStatThreadNamePrefix: Thread
zimbraStatThreadNamePrefix: Timer
zimbraStatThreadNamePrefix: btpool
zimbraStatThreadNamePrefix: pool
zimbraStatThreadNamePrefix: qtp
zimbraTableMaintenanceGrowthFactor: 10
zimbraTableMaintenanceMaxRows: 1000000
zimbraTableMaintenanceMinRows: 10000
zimbraTableMaintenanceOperation: ANALYZE
zimbraThreadMonitorEnabled: FALSE
zimbraTwoFactorAuthHashAlgorithm: SHA1
zimbraTwoFactorAuthScratchCodeEncoding: BASE32
zimbraTwoFactorAuthSecretEncoding: BASE32
zimbraTwoFactorAuthSecretLength: 16
zimbraTwoFactorCodeLength: 6
zimbraTwoFactorScratchCodeLength: 8
zimbraTwoFactorTimeWindowLength: 30s
zimbraTwoFactorTimeWindowOffset: 1
zimbraVersionCheckInterval: 1d
zimbraVersionCheckLastAttempt: 20160815001819Z
zimbraVersionCheckLastResponse: <?xml version="1.0"?>
<versionCheck status="0">
</versionCheck>

zimbraVersionCheckLastSuccess: 20160815001819Z
zimbraVersionCheckNotificationBody: ${BEGIN_PREFIX}The following updates were found:${NEWLINE}${NEWLINE}${END_PREFIX}${BEGIN_UPDATE}${UPDATE_COUNTER}. ${IS_CRITICAL}. Version: ${UPDATE_VERSION}, URL: ${UPDATE_URL}${NEWLINE}${NEWLINE}${END_UPDATE}${BEGIN_SIGNATURE}Zimbra Updater${NEWLINE}${END_SIGNATURE}
zimbraVersionCheckNotificationEmail: <<removed>>@<<mydomain>>
zimbraVersionCheckNotificationEmailFrom: admin@<<mydomain>>
zimbraVersionCheckNotificationSubject: ${IS_CRITICAL} updates are available for your Zimbra server
zimbraVersionCheckSendNotifications: TRUE
zimbraVersionCheckServer: 7aa61d99-e409-42be-b97f-6ccca6e96c63
zimbraVersionCheckURL: https://www.zimbra.com/aus/universal/update.php
zimbraVirusBlockEncryptedArchive: TRUE
zimbraVirusCheckEnabled: FALSE
zimbraVirusDefinitionsUpdateFrequency: 2h
zimbraVirusWarnAdmin: TRUE
zimbraVirusWarnRecipient: TRUE
zimbraWebClientMaxInputBufferLength: 1024
zimbraWebClientStaySignedInDisabled: FALSE
zimbraWebClientSupportedHelps: productHelp
zimbraWebClientSupportedHelps: onlineHelp
zimbraWebClientSupportedHelps: newFeatures
zimbraWebGzipEnabled: TRUE
zimbraXMPPEnabled: TRUE
zimbraZimletDataSensitiveInMixedModeDisabled: TRUE
zimbraZimletJspEnabled: FALSE
tonster
Zimbra Employee
Posts: 312
Joined: Fri Feb 21, 2014 10:14 am
Location: Ypsilanti, MI
ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016

Re: Zimbra 8.7 weak cipher issue

Postby tonster » Mon Aug 22, 2016 2:01 pm

If you're on 8.7, why are you modifying anything to do with jetty? With 8.7+ you're required to be running nginx, so any configuration changes for stuff like this should only ever be done to nginx/reverse proxy. If you've misconfigured your server to use jetty as the forward-facing webserver, then you should fix that. You cannot properly configure jetty to completely avoid the use of weak ciphers without breaking things, which is among the reasons we stopped supporting the use of jetty as the edge webserver.
L. Mark Stone
Elite member
Posts: 2175
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Zimbra 8.7 weak cipher issue

Postby L. Mark Stone » Mon Aug 22, 2016 4:33 pm

tonster wrote: You cannot properly configure jetty to completely avoid the use of weak ciphers without breaking things, which is among the reasons we stopped supporting the use of jetty as the edge webserver.


Would be good to get that added somewhere in the documentation, as one of the reasons why Proxy is now required.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
ictvoordezaak
Posts: 10
Joined: Wed Apr 06, 2016 4:37 pm

Re: Zimbra 8.7 weak cipher issue

Postby ictvoordezaak » Tue Aug 23, 2016 11:33 am

tonster wrote: If you're on 8.7, why are you modifying anything to do with jetty? With 8.7+ you're required to be running nginx, so any configuration changes for stuff like this should only ever be done to nginx/reverse proxy. If you've misconfigured your server to use jetty as the forward-facing webserver, then you should fix that. You cannot properly configure jetty to completely avoid the use of weak ciphers without breaking things, which is among the reasons we stopped supporting the use of jetty as the edge webserver.


@tonster: from your comment I understand that there is a misconfiguration in my setup. However, this was not my decision, nor did I set it up this way. I simply ran the installation steps according to the information Zimbra published on the website (how to upgrade etc.)
Also your comment does not provide me with any information on how to solve the problem. Under the hood Zimbra is a complex system and I have no intention to just try something out.

All I know is that I followed instructions provided by Zimbra, resulting in my current situation. So, if I should use nginx instead of Jetty, please provide information on how to do that. Also I would like to know if moving from Jetty to Nginx will help to solve my SSL issues.

Thanks in advance.
L. Mark Stone
Elite member
Posts: 2175
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Zimbra 8.7 weak cipher issue

Postby L. Mark Stone » Tue Aug 23, 2016 1:23 pm

ictvoordezaak wrote:
If you're on 8.7, why are you modifying anything to do with jetty? With 8.7+ you're required to be running nginx, so any configuration changes for stuff like this should only ever be done to nginx/reverse proxy. If you've misconfigured your server to use jetty as the forward-facing webserver, then you should fix that. You cannot properly configure jetty to completely avoid the use of weak ciphers without breaking things, which is among the reasons we stopped supporting the use of jetty as the edge webserver.


@tonster: from your comment I understand that there is a misconfiguration in my setup. However, this was not my decision, nor did I set it up this way. I simply ran the installation steps according to the information Zimbra published on the website (how to upgrade etc.)
Also your comment does not provide me with any information on how to solve the problem. Under the hood Zimbra is a complex system and I have no intention to just try something out.

All I know is that I followed instructions provided by Zimbra, resulting in my current situation. So, if I should use nginx instead of Jetty, please provide information on how to do that. Also I would like to know if moving from Jetty to Nginx will help to solve my SSL issues.

Thanks in advance.


I think the part you missed is that Proxy (and Memcached) is now a required component for 8.7, even on a single server setup. https://wiki.zimbra.com/wiki/Zimbra_Rel ... .0/Upgrade

So, Nginx listens on all the public-facing ports, and Jetty (the frontend for the Mailbox Service) listens on the corresponding four-digit ports.

If it were me, I'd put the Jetty configs back the way you found them, make sure Proxy/Memcached are installed and configured OK, then you can go about tightening up the ciphers on Nginx.

Hope that helps,
Mark
ictvoordezaak
Posts: 10
Joined: Wed Apr 06, 2016 4:37 pm

Re: Zimbra 8.7 weak cipher issue

Postby ictvoordezaak » Tue Aug 23, 2016 6:07 pm

Hello Mark,

Thanks for your reply.
I suppose you refer to step 2 of the 'Single Server Upgrade Steps'.
I have followed these steps and initially the upgrade failed because no proxy was installed.
Next, as far as I know, I have correctly installed the required proxy.
After that, I ran the update script again, which finished successfully.
After the upgrade finished, everything looked fine and I continued to execute the steps in this document: https://wiki.zimbra.com/wiki/Cipher_suites
This resulted in my current situation.

Based on the replies on this forum, it looks like I did something wrong installing the proxy, but I don't know how to check and correct that.
How can I check that the proxy / memcached are installed and configured correctly?
'$ zmcontrol status' reports that proxy and memcached are installed and running.
L. Mark Stone
Elite member
Posts: 2175
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: Zimbra 8.7 weak cipher issue

Postby L. Mark Stone » Tue Aug 23, 2016 6:57 pm

ictvoordezaak wrote:Hello Mark,

Thanks for your reply.
I suppose you refer to step 2 of the 'Single Server Upgrade Steps'.
I have followed these steps and initially the upgrade failed because no proxy was installed.
Next, as far as I know, I have correctly installed the required proxy.
After that, I ran the update script again, which finished successfully.
After the upgrade finished, everything looked fine and I continued to execute the steps in this document: https://wiki.zimbra.com/wiki/Cipher_suites
This resulted in my current situation.

Based on the replies on this forum, it looks like I did something wrong installing the proxy, but I don't know how to check and correct that.
How can I check that the proxy / memcached are installed and configured correctly?
'$ zmcontrol status' reports that proxy and memcached are installed and running.



OK, just because the Proxy package is installed and nginx running doesn't mean it's configured correctly for use. It's like you can install Apache on a Linux server but it doesn't mean it will do SSL redirects until you configure it to do so. The Admin Guide has the instructions for configuring proxy via a command prompt. Basically, you need to have proxy listening on 80, 443, etc., and change the mailbox (jetty) service to listen on the 4-digit ports.

Second, the only attribute you should have changed in the cipher suites wiki was zimbraReverseProxySSLCiphers. The stuff up top is for Jetty, which you shouldn't change (or now which you should revert back to what it was).

Hope that helps,
Mark
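A quick way to verify the layout Mark describes in his last two replies (nginx on 80/443, Jetty on the four-digit ports, cipher hardening only on zimbraReverseProxySSLCiphers) against a `zmprov gacf` dump, as an added example that is not code from this thread or from Zimbra. It assumes the standard ZCS attribute names zimbraMailPort and zimbraMailSSLPort (Jetty) and zimbraMailProxyPort and zimbraMailSSLProxyPort (nginx), which do not appear in the posted dump, with the usual proxy-mode values 8080/8443 and 80/443; the `zmprov mcf -attr value` revert form is assumed to mirror the `+attr` form used earlier in the thread. Both sample dumps are constructed: the first is patterned on the Jetty overrides and proxy settings quoted above (cipher string shortened), the second on the recommended layout.

```shell
#!/bin/sh
# Added example, not code from this thread or from Zimbra: sanity-check a
# `zmprov gacf` dump for the proxy/Jetty layout described above before
# touching any cipher settings.
# Assumed (not shown in the thread): the standard ZCS attributes
# zimbraMailPort/zimbraMailSSLPort (Jetty) and zimbraMailProxyPort/
# zimbraMailSSLProxyPort (nginx), with proxy-mode values 8080/8443 and 80/443.

# Print the value(s) of one attribute from a dump file (one line per value).
attr_value() {
    sed -n "s/^$1: //p" "$2"
}

# Print one finding per line for a dump file; prints nothing when all is well.
check_dump() {
    dump="$1"

    # 1. Jetty-side cipher overrides should be absent: on 8.7+ only the proxy
    #    string (zimbraReverseProxySSLCiphers) is meant to be hardened.
    for a in zimbraSSLIncludeCipherSuites zimbraSSLExcludeCipherSuites; do
        v=$(attr_value "$a" "$dump")
        if [ -n "$v" ]; then
            # -attr mirrors the +attr form used in the thread (assumed syntax)
            printf 'JETTY-OVERRIDE %s=%s (revert: zmprov mcf -%s "<value>")\n' "$a" "$v" "$a"
        fi
    done

    # 2. nginx must own the public ports, Jetty the four-digit ones.
    for pair in "zimbraMailProxyPort 80" "zimbraMailSSLProxyPort 443" \
                "zimbraMailPort 8080" "zimbraMailSSLPort 8443"; do
        set -- $pair
        v=$(attr_value "$1" "$dump")
        if [ "$v" != "$2" ]; then
            printf 'PORT %s=%s (expected %s)\n' "$1" "${v:-<unset>}" "$2"
        fi
    done

    # 3. HTTP proxying must be on (a per-server value from `zmprov gs` can
    #    override the global one, so check that too on a real system).
    v=$(attr_value zimbraReverseProxyHttpEnabled "$dump")
    if [ "$v" != "TRUE" ]; then
        printf 'PROXY zimbraReverseProxyHttpEnabled=%s (expected TRUE)\n' "${v:-<unset>}"
    fi

    # 4. The proxy cipher string must explicitly drop the weak families.
    ciphers=$(attr_value zimbraReverseProxySSLCiphers "$dump")
    for weak in '!RC4' '!MD5' '!EXPORT' '!aNULL'; do
        case ":$ciphers:" in
            *":$weak:"*) ;;
            *) printf 'CIPHERS proxy string lacks %s\n' "$weak" ;;
        esac
    done
    return 0
}

# Number of findings for a dump file.
count_findings() {
    check_dump "$1" | wc -l | tr -d ' '
}

# Constructed sample dumps: "posted" mirrors the settings quoted in this thread
# (cipher string shortened); "fixed" is the layout Mark recommends.
write_sample() {
    case "$2" in
        posted) cat > "$1" <<'EOF'
zimbraMailPort: 80
zimbraMailSSLPort: 443
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
zimbraSSLExcludeCipherSuites: .*_RC4_.*
zimbraSSLIncludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
EOF
        ;;
        fixed) cat > "$1" <<'EOF'
zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailSSLPort: 8443
zimbraMailSSLProxyPort: 443
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
EOF
        ;;
    esac
}

# Usage on a real server: zmprov gacf > /tmp/gacf.txt; check_dump /tmp/gacf.txt
# Stand-alone demo on the constructed "posted" sample:
tmp=$(mktemp)
write_sample "$tmp" posted
check_dump "$tmp"
rm -f "$tmp"
```

On the constructed "posted" sample the script reports the two Jetty overrides, the four port mismatches and the disabled HTTP proxy, and nothing about the proxy cipher string, which already excludes RC4, MD5, EXPORT and anonymous suites; on the "fixed" sample it prints nothing. Global config is only half the picture: run `zmprov gs <server>` as well, because server-level values override the global ones shown by `zmprov gacf`.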