Improving SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when using information systems for business, because every day they take part in transmitting a huge amount of confidential information. The generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary enterprises care about the quality of their SSL connection. For them, this test is an excellent opportunity to identify potential weak points and close all loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it well suited for testing Zimbra OSE or for using it only inside an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are accepted by browsers without problems and are usually used in commercial deployments of Zimbra OSE. Immediately after a commercial certificate is correctly installed, Zimbra OSE 8.8.15 shows an A score in the Qualys SSL Labs test. This is a good result, but our goal is to reach A+.

To get the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increasing the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is more than enough to get an A+ score in the Qualys SSL Labs test. However, if you are upgrading from older versions, the parameters may be lower. It is therefore recommended that, once the upgrade is complete, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman protocol parameters to an acceptable 2048 bits. If you wish, you can use the same command to raise the parameters to 3072 or 4096 bits, which on the one hand increases the generation time, but on the other hand has a positive effect on the security level of the mail server.

2. Enabling the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers, which encrypt the data passing over the secure connection. However, the use of weak ciphers is a serious drawback when the security of an SSL connection is checked. To avoid this, you need to configure the list of ciphers in use.

To do this, use the following command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command already contains the set of recommended ciphers, so in one step it adds the reliable ciphers to the list and excludes the unreliable ones. All that remains is to restart the reverse proxy nodes with the zmproxyctl restart command. After the restart, the changes take effect.

If this list does not suit you for one reason or another, you can remove a number of weak ciphers from it with the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the following command completely excludes the use of RC4 ciphers:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

The same can be done with AES and 3DES ciphers.
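Before trimming the list, it helps to see which of its entries give forward secrecy and which are static-RSA suites or broad group keywords. The script below is an added example, not part of the original article or of Zimbra; the function names are hypothetical, and the string is the value from the zimbraReverseProxySSLCiphers command above.

```shell
#!/bin/sh
# Added example: classify the entries of an OpenSSL cipher string.
# RECOMMENDED is the value the article passes to zimbraReverseProxySSLCiphers.
RECOMMENDED='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# Print "<class> <entry>" for every colon-separated entry:
#   exclude  "!" or "-" rule that removes suites
#   fs       ephemeral key exchange in the name (ECDHE/DHE): forward secrecy
#   static   named suite without an ECDHE-/DHE- prefix (e.g. RSA key exchange)
#   alias    group keyword (AES128, HIGH, ...) that expands to many suites
classify_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        case "$entry" in
            '')       continue ;;
            '!'*|-*)  echo "exclude $entry" ;;
            ECDHE-*|DHE-*|kEDH*|kDHE*|kEECDH*|kECDHE*) echo "fs $entry" ;;
            *-*)      echo "static $entry" ;;
            *)        echo "alias $entry" ;;
        esac
    done
}

# count_class <class> <cipher string>: number of entries in that class.
count_class() {
    classify_ciphers "$2" | grep -c "^$1 " || true
}

# List the article's "!" exclusions that a given string lacks, one per line.
missing_exclusions() {
    for kw in aNULL eNULL EXPORT DES MD5 PSK RC4; do
        case ":$1:" in
            *":!$kw:"*) ;;
            *) printf '%s\n' "$kw" ;;
        esac
    done
}

# Entries worth a second look: they admit suites without forward secrecy.
classify_ciphers "$RECOMMENDED" | grep -E '^(static|alias) '
```

For the article's string this lists the two static AES-GCM suites and the AES128, AES256 and HIGH keywords, which are the entries that let suites without forward secrecy be negotiated.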

3. Enabling HSTS

Enabled mechanisms for forcing connection encryption and for TLS session resumption are also required to get the top score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and for the new settings to take effect you need to restart Zimbra OSE with the zmcontrol restart command.

At this point the Qualys SSL Labs test will already show an A+ rating, but if you want to improve the security of your server further, there are several more measures you can take.

For example, you can enable forced encryption of inter-process connections, and you can also enable forced encryption when connecting to Zimbra OSE services. To check interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.
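After the restarts it is worth confirming that the HSTS header from step 3 and the interprocess and mail-mode settings above actually hold the values that were set. The script below is an added example, not part of the original article or of Zimbra: it assumes the "attr: value" lines printed by zmprov gs/gcf and the "key = value" lines printed by zmlocalconfig, and the sample capture and host name are constructed.

```shell
#!/bin/sh
# Added example, not Zimbra code. Assumed input: "attr: value" lines as printed
# by zmprov gs/gcf and "key = value" lines as printed by zmlocalconfig.

# Values the article sets.
EXPECTED='zimbraReverseProxyMailMode=https
zimbraMailMode=https
zimbraReverseProxySSLToUpstreamEnabled=TRUE
ldap_starttls_supported=1
zimbra_require_interprocess_security=1
ldap_starttls_required=true'

# Constructed sample capture with two deviations (mail mode, missing HSTS).
SAMPLE='# name mail.example.test
zimbraReverseProxyMailMode: https
zimbraMailMode: both
zimbraReverseProxySSLToUpstreamEnabled: TRUE
ldap_starttls_supported = 1
zimbra_require_interprocess_security = 1
ldap_starttls_required = true'

# Drop comment lines and turn both output styles into key=value.
normalise() {
    sed -e '/^#/d' \
        -e 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*[:=][[:space:]]*/\1=/'
}

# audit_settings <captured text>: print one line per deviation, nothing if clean.
audit_settings() {
    actual=$(printf '%s\n' "$1" | normalise)
    printf '%s\n' "$EXPECTED" | while IFS='=' read -r key want; do
        got=$(printf '%s\n' "$actual" | sed -n "s/^$key=//p" | head -n 1)
        [ "$got" = "$want" ] || echo "$key: want '$want', got '${got:-unset}'"
    done
    # HSTS is carried in zimbraResponseHeader; extract its max-age in seconds.
    age=$(printf '%s\n' "$actual" |
        sed -n 's/^zimbraResponseHeader=Strict-Transport-Security:.*max-age=\([0-9][0-9]*\).*/\1/p' |
        head -n 1)
    [ "${age:-0}" -ge 31536000 ] || echo "HSTS: max-age '${age:-unset}', want 31536000"
}

audit_settings "$SAMPLE"
```

On a live server the captured text would come from the zmprov gs and zmlocalconfig queries shown above, plus a zmprov gcf zimbraResponseHeader query for the HSTS line.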

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by email.

Source: www.habr.com
