Optimizing SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when using information systems for business, because every day they are involved in the transfer of confidential information. A generally accepted means of assessing the quality of an SSL connection is the independent test from Qualys SSL Labs. Since this test can be run by anyone, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary enterprises care about the quality of their SSL connections. For them, this test is a good opportunity to identify potential weaknesses and close every loophole for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificate. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it ideal for testing Zimbra OSE or for using it exclusively within an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are typically used for commercial deployments of Zimbra OSE. Immediately after a commercial certificate is correctly installed, Zimbra OSE 8.8.15 shows an A rating in the Qualys SSL Labs test. This is an excellent result, but our goal is to achieve an A+ rating.

To achieve the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increase the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is more than enough to get an A+ rating in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. It is therefore recommended that, once the upgrade is complete, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman protocol parameters to 2048 bits. If desired, the same command can be used to increase the parameter size to 3072 or 4096 bits, which on the one hand increases generation time but on the other hand has a beneficial effect on the security level of the mail server.

2. Enable the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers, which encrypt the data passing over a secure connection. However, the use of weak ciphers is a serious minus when the security of an SSL connection is checked. To avoid this, you need to configure the list of ciphers that are used.

To do this, use the command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command immediately includes the recommended set of ciphers, and thanks to it the list contains the reliable ciphers and excludes the unreliable ones. All that remains is to restart the reverse proxy nodes with the zmproxyctl restart command. After the restart, the changes take effect.

If this list does not suit you for one reason or another, you can remove a number of weak ciphers from it with the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

completely excludes the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.

3. Enable HSTS

Mechanisms for forcing connection encryption and TLS session resumption must also be enabled to get a perfect score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration; for the new settings to take effect, restart Zimbra OSE with the command zmcontrol restart.
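One way to confirm the three steps above took effect, as an added example that is not part of the original article or of Zimbra: each function reads saved command output on stdin and checks it against the article's values (2048-bit DH, no RC4/3DES/MD5 suites, max-age=31536000). The function names dh_ok, weak_ciphers and hsts_ok are hypothetical, the sample input is constructed, and the static-RSA (no forward secrecy) flag is an extra check the article does not mention.

```bash
# Added example (not from the article): post-change checks for steps 1-3,
# run on saved command output so the evidence can be kept with the change.

# Step 1. stdin: `openssl s_client` output from a handshake that used a DHE
# suite. Succeeds when the server's ephemeral DH key has at least $1 bits.
dh_ok() (
  bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
  [ -n "$bits" ] && [ "$bits" -ge "${1:-2048}" ]
)

# Step 2. stdin: `openssl ciphers -v '<cipher string>'` output. Prints every
# suite that uses RC4, 3DES or MD5, or static RSA key exchange.
weak_ciphers() {
  awk 'NF >= 6 {
    r = ""
    if ($5 ~ /RC4/)      r = r ",rc4"
    if ($5 ~ /3DES/)     r = r ",3des"
    if ($6 == "Mac=MD5") r = r ",md5"
    if ($3 == "Kx=RSA")  r = r ",no-forward-secrecy"
    if (r != "") print $1, substr(r, 2)
  }'
}

# Step 3. stdin: HTTP response headers. Succeeds when
# Strict-Transport-Security carries max-age of at least $1 seconds.
hsts_ok() (
  age=$(tr -d '\r' | awk -F': *' 'tolower($1) == "strict-transport-security" {
    n = split($2, d, /; */)
    for (i = 1; i <= n; i++) if (tolower(d[i]) ~ /^max-age=[0-9]+$/) {
      sub(/^[^=]*=/, "", d[i]); print d[i]; exit }
  }')
  [ -n "$age" ] && [ "$age" -ge "${1:-31536000}" ]
)

# Constructed sample input (not captured from a real server).
SCLIENT='Server Temp Key: DH, 2048 bits'
CIPHERS='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5'
HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000'

printf '%s\n' "$SCLIENT" | dh_ok 2048 && echo "DH parameters: ok"
printf '%s\n' "$CIPHERS" | weak_ciphers
printf '%s\n' "$HEADERS" | hsts_ok && echo "HSTS: ok"
```

An ECDHE handshake prints a different "Server Temp Key" line, so dh_ok deliberately fails on it rather than reporting a DH size it never saw.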

Already at this stage the Qualys SSL Labs test will show an A+ rating, but if you want to further improve the security of your server, there are a number of other measures you can take.

For example, you can enable forced encryption of interprocess connections, and you can also enable forced encryption when connecting to Zimbra OSE services. To check interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail at [email protected]

Source: www.hab.com
