Configure Strong Ciphers
# zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
# zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
# zmproxyctl restart
Configure mailbox settings
Open /opt/zimbra/conf/localconfig.xml, find the mailboxd_java_options key and set it as follows; the -Dhttps.protocols and -Djdk.tls.client.protocols options restrict the mailbox JVM to TLSv1.2 and TLSv1.3.
<key name="mailboxd_java_options">
<value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>
Configure DH parameters
# su - zimbra
# /opt/zimbra/common/bin/openssl dhparam -out /opt/zimbra/conf/dhparam.pem.zcs 3072
# zmprov mcf zimbraSSLDHParam /opt/zimbra/conf/dhparam.pem.zcs
Set additional HTTP headers
# zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
# zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
# zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
# zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
# zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
# zmmailboxdctl restart
Validate the settings with the SSL Labs server test at https://www.ssllabs.com/ssltest/analyze.html
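A local complement to the SSL Labs check, added here as an example and not part of the original guide: the script below verifies from a shell that the proxy refuses TLS 1.0/1.1, accepts TLS 1.2/1.3, and returns the response headers configured above. It assumes openssl and curl are on the PATH, the proxy listens on port 443, and the hostname is passed as the first argument (with no argument it only defines the check functions).

```shell
#!/bin/sh
# Post-hardening check for the Zimbra proxy settings above (added example,
# not from the original guide). Assumes openssl and curl on PATH, HTTPS on 443.

# The response headers the guide adds through zimbraResponseHeader.
REQUIRED_HEADERS="Strict-Transport-Security X-XSS-Protection X-Content-Type-Options X-Robots-Tag"

# check_headers: read raw HTTP response headers on stdin, report every
# required header that is absent and an HSTS header lacking includeSubDomains.
# Returns 0 only when everything the guide configures is present.
check_headers() {
    hdrs=$(cat)
    rc=0
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || { echo "missing header: $h"; rc=1; }
    done
    printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' | grep -q 'includeSubDomains' \
        || { echo "HSTS header lacks includeSubDomains"; rc=1; }
    return $rc
}

# tls_accepts HOST PROTO: 0 if the server completes a handshake when s_client
# is pinned to PROTO (tls1, tls1_1, tls1_2 or tls1_3), 1 otherwise.
tls_accepts() {
    openssl s_client -connect "$1:443" -servername "$1" "-$2" </dev/null >/dev/null 2>&1
}

# check_protocols HOST: legacy versions must be refused, current ones accepted.
check_protocols() {
    rc=0
    for p in tls1 tls1_1; do
        tls_accepts "$1" "$p" && { echo "FAIL: $p still accepted"; rc=1; }
    done
    for p in tls1_2 tls1_3; do
        tls_accepts "$1" "$p" || { echo "FAIL: $p refused"; rc=1; }
    done
    return $rc
}

# With a hostname argument, run both checks against the live server.
if [ $# -gt 0 ]; then
    check_protocols "$1"
    curl -sI "https://$1/" | check_headers
fi
```

Run it as `sh check_zimbra_tls.sh mail.example.com` after `zmproxyctl restart`; a non-zero exit or any FAIL/missing line means one of the steps above did not take effect.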