Qualys A+ Rating with Zimbra

Over the last few months there have been multiple exploits in various SSL libraries, to the point where pretty much every site on the internet has had to tweak something.

I recently embarked on making sure all of my company’s internal and external sites were A+ rated on the Qualys SSL test (https://www.ssllabs.com/ssltest/analyze.html). I’m slowly getting there, but the latest one has been a pain: Zimbra, our mail server.

We are running the latest version of Zimbra Network Edition (8.5.1 at the time of writing), and there wasn’t much info out there on it. Essentially, it’s a Jetty server with a lot of customised stuff for Zimbra.

So, to get A+ rated, I made 2 changes:

1) Removed a bucket of old ciphers
2) Added a header to force HSTS long expiry

su zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
zmmailboxdctl restart

At this point, make sure your web GUI still works.

If it doesn’t work you can edit /opt/zimbra/jetty/etc/jetty.xml.in and comment out this block

<!--        <Set name="ExcludeCipherSuites">
            <Array type="java.lang.String">
        </Set> -->

Then run zmmailboxdctl restart again.
That will bring the web server back with no excludes on ciphers, but you can then do:

zmprov mcf -zimbraSSLExcludeCipherSuites YOURCIPHER

To remove it from the global config.

I suggest doing it one cipher at a time and a restart before doing the next one. It will make undoing it easier.

jetty.xml – running config file generated on the restart of the server
jetty.xml.in – the Zimbra config used as a template to build jetty.xml. This is the one to edit.


So that will get you an A rating. To get an A+ rating, you will need HSTS.

Edit /opt/zimbra/jetty/etc/jetty.xml.in and find this stanza:

        <Call name="addRule">
        <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
            <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
            <Set name="replacement">/service/extension/zimbrasync</Set>


Directly above this stanza, add:

        <!-- HSTS header on every response; max-age is in seconds -->
        <Call name="addRule">
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                 <Set name="pattern">*</Set>
                 <Set name="name">Strict-Transport-Security</Set>
                 <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
        </Call>

And restart the mailbox server with

zmmailboxdctl restart

And voilà! You should have an A+ rating.
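
To confirm the header is really being served after the restart, without waiting for a full scan, here is a small check. It is an added example, not part of the original post: the function name hsts_check, the MIN_AGE variable and the hostname mail.example.com are assumptions, and the threshold defaults to the max-age value configured above.

```shell
#!/bin/sh
# Added example: validate the Strict-Transport-Security header of a response.
# Against a live server (hostname is a placeholder):
#   curl -skI https://mail.example.com/ | hsts_check

MIN_AGE=${MIN_AGE:-15768000}   # the max-age this page sets in jetty.xml.in

# Reads raw response headers on stdin and prints a verdict.
# Returns 0 = ok, 1 = header missing, 2 = max-age missing or too short,
#         3 = includeSubDomains missing.
hsts_check() {
    # Header names are case-insensitive and lines end in CRLF.
    # Only the first HSTS header counts, so later ones are ignored.
    value=$(tr -d '\r' | awk -F: '
        !seen && tolower($1) == "strict-transport-security" {
            sub(/^[^:]*:[ \t]*/, ""); print; seen = 1
        }')
    if [ -z "$value" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi

    # Directives are ";"-separated, case-insensitive and in any order;
    # the max-age value may be written as a quoted string.
    directives=$(printf '%s\n' "$value" | tr ';' '\n' \
        | tr '[:upper:]' '[:lower:]' | tr -d ' \t"')
    age=$(printf '%s\n' "$directives" \
        | sed -n 's/^max-age=\([0-9][0-9]*\)$/\1/p' | head -n 1)

    if [ -z "$age" ] || [ "$age" -lt "$MIN_AGE" ]; then
        echo "FAIL: max-age '${age:-none}' is below $MIN_AGE"
        return 2
    fi
    if ! printf '%s\n' "$directives" | grep -qx 'includesubdomains'; then
        echo "WARN: includeSubDomains not set"
        return 3
    fi
    echo "OK: max-age=$age; includeSubDomains"
}

# Constructed sample response (not captured from a real server).
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains\r\n\r\n' \
    | hsts_check
```

A FAIL right after editing usually means jetty.xml was not regenerated from jetty.xml.in, so check that zmmailboxdctl restart actually completed.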

Good luck!

“A+” image is copyright to SSL labs and reproduced through a screenshot. I make no claim to ownership
