Mozilla Obervatory vs. Zimbra — security problems revealed

Whether you are a current user, former user, a Zimbra employee, or anyone with experience using any of our products, we welcome your feedback. Please include a specific product name and version when relevant.
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Fri Jan 27, 2017 8:20 am

The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?

  • Content Security Policy -25 Content Security Policy (CSP) header not implemented
  • Cookies -5 Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS
  • X-Content-Type-Options -5 X-Content-Type-Options header not implemented
  • X-XSS-Protection -10 X-XSS-Protection header not implemented
  • Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
  • Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
  • X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
  • X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".


phoenix
Ambassador
Ambassador
Posts: 25154
Joined: Fri Sep 12, 2014 9:56 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby phoenix » Fri Jan 27, 2017 10:51 am

ExTechOp wrote:The Mozilla Observatory gives our Zimbra installation a C rating, mainly because of missing security headers. Can we expect to have these security problems (some fairly important, some not so, but all should be easy to implement) corrected in the next Zimbra release?
You've posted this in the ZImbra Desktop forum, is that the product you're talking about or is it ZCS?

These are only Community forums not official Zimbra Support, if you want to report a problem of any sort within ZCS you should file a report in bugzilla or if you're an NE customer the raise a support case.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Fri Jan 27, 2017 2:28 pm

phoenix wrote:You've posted this in the ZImbra Desktop forum, is that the product you're talking about or is it ZCS?
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
phoenix
Ambassador
Ambassador
Posts: 25154
Joined: Fri Sep 12, 2014 9:56 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby phoenix » Fri Jan 27, 2017 2:45 pm

ExTechOp wrote:
phoenix wrote:You've posted this in the ZImbra Desktop forum, is that the product you're talking about or is it ZCS?
Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
That's OK but don't post duplicates, I'll move this to the correct forum and remove the other post. As I mentioned earlier, bugzilla or if you're a customer then Zimbra support would be the best place to post your concerns, these are only Community Support forums not official Zimbra Support.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Fri Jan 27, 2017 3:17 pm

ExTechOp wrote:Pardon me, I was aiming at "General Questions" and hit Zimbra Desktop :oops:
Feel free to delete this chain, I've re-asked this question in the appropriate forum.
User avatar
jorgedlcruz
Zimbra Employee
Zimbra Employee
Posts: 2694
Joined: Thu May 22, 2014 4:47 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby jorgedlcruz » Fri Jan 27, 2017 11:46 pm

Which Zimbra Collaboration version are you using?

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Technical Marketing Manager at Zimbra/Synacor https://www.zimbra.com/
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Thu Feb 02, 2017 10:20 am

jorgedlcruz wrote:Which Zimbra Collaboration version are you using?

The web client gives me version Zimbra 8.7.0_GA_1659 (build 20160628192634)

I could insert here a snide remark that there isn't much collaboration left once Zimbra Talk was made into a separate service, but I won't ;)
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Wed Mar 01, 2017 11:41 am

ExTechOp wrote:
jorgedlcruz wrote:Which Zimbra Collaboration version are you using?

The web client gives me version Zimbra 8.7.0_GA_1659 (build 20160628192634)

We've since upgraded to Zimbra 8.7.3_GA_1750 (build 20170215042321).

Any word on this?
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Wed Mar 01, 2017 1:27 pm

ExTechOp wrote:We've since upgraded to Zimbra 8.7.3_GA_1750 (build 20170215042321).

Currently, we get a security rating of B (70/100) from Observatory by tweaking the ciphers and adding the following extra response headers:

Code: Select all

$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff

Will try to keep you posted on what else we add. It'd be nice for Zimbra to deliver all this ready-made :roll:
User avatar
ExTechOp
Posts: 16
Joined: Wed Jan 25, 2017 2:17 pm

Re: Mozilla Obervatory vs. Zimbra — security problems revealed

Postby ExTechOp » Fri Mar 03, 2017 1:33 pm

ExTechOp wrote:Currently, we get a security rating of B (70/100) from Observatory by tweaking the ciphers and adding the following extra response headers:

Code: Select all

$ zmprov gcf zimbraResponseHeader
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000
zimbraResponseHeader: X-XSS-Protection: 1; mode=block
zimbraResponseHeader: X-Content-Type-Options: nosniff

Will try to keep you posted on what else we add. It'd be nice for Zimbra to deliver all this ready-made :roll:

Here's what we did with tls and ciphers to get a good rating with the SSL-based tests but still keep older Androids and Apple products working:

Code: Select all

$ zmprov gcf zimbraMtaSmtpdTlsProtocols
zimbraMtaSmtpdTlsProtocols: !SSLv2
$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_FORTEZZA_KEA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: SSL_DH_anon_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: TLS_DH_anon_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_DSS_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDH_anon_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!MEDIUM:!LOW:!DES:!MD5:!PSK:!RC4

Return to “General Zimbra Feedback”

Who is online

Users browsing this forum: No registered users and 2 guests