Zimbra : Outbound smtp TLS encryption

Zimbra is an excellent email and collaboration server. There are some area’s where there is room for improvement and that is around encryption. It supports inbound SMTP encryption by default (using smtpd process). However it does not enable outbound opportunistic encryption. For many users that is a bug as they want to send email which can’t be read over the wire. At this point in time a growing number of servers support inbound and outbound TLS so getting on board can only help reduce the amount of visible email over the wire.

This quick how to has been written assuming that you have inbound SMTPd TLS enabled so the keys are already in place. The default is that it will use a self-signed certificate which is created when you first install the server. You can also buy certificates and install them as per any other email server. See the web gui certificates section.

    1. Login with SSH and ensure that you are the zimbra user.
    2. Firstly we will use the postconf tool to test that all your settings work before we lock them in for good.
    3. Setup the Keys. The default location is /opt/zimbra/conf/smtpd.key and smtp.crt

postconf -e smtp_tls_key_file = /opt/zimbra/conf/smtpd.key
postconf -e smtp_tls_cert_file = /opt/zimbra/conf/smtpd.crt

    1. Next we setup the server to opportunistically use TLS

postconf -e smtp_use_tls = yes
postconf -e smtp_tls_security_level = may

    1. Now that postfix is setup temporarily we need to restart the postfix process to ensure that the changes have taken.

postfix stop ; postfix start

    1. Now we want to check the log files to ensure that email is still working and there are no errors. While the following command is running send an email.

tail -f /var/log/zimbra.log | grep -v smtpd | grep -i tls

    1. When an email is sent to gmail you should see the following in the log file.

JunĀ  4 00:36:17 <HOSTNAME> postfix/smtp[20776]: setting up TLS connection to gmail-smtp-in.l.google.com[]:25
JunĀ  4 00:36:17 <HOSTNAME> postfix/smtp[20776]: Trusted TLS connection established to gmail-smtp-in.l.google.com[]:25: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)

    1. That means that is should work. If you don’t see any logs then you either don’t have TLS working or the emails can’t be sent. (try the tail command above up to the first | character (no grep statements). Confirm that there are no errors.
    2. Now that you have confirmed it all works the changes need to be written permanently to the zimbra configuration so they don’t get overwritten.

zmlocalconfig -e smtp_tls_key_file=/opt/zimbra/conf/smtpd.key
zmlocalconfig -e smtp_tls_cert_file=/opt/zimbra/conf/smtpd.crt
zmlocalconfig -e smtp_use_tls=yes
zmlocalconfig -e smtp_tls_security_level=may

    1. The config should now be written. To confirm that it won’t be overwritten try the following

zmmtactl restart

  1. Confirm the emails are still flowing.. You should now have TLS up and running on Zimbra 7+

Tags: , , , ,