zimbra@le-test:~$ fuente ~/bin/zmshutil; zmsetvarsnzimbra@le-test:~$ zmhostnamenle-test.zimbra.technzimbra@le-test:~$ nombre de host --fqdnnle-test.zimbra.tech

#!/bin/bashnecho "Estableciendo la configuración de seguridad óptima"nrm -Rf /tmp/provfilenZIMBRAIP=$(netstat -tulpn | grep slapd | awk '{imprimir $4}' | awk -F ':' '{imprimir $1}')nncat >> /tmp/provfile << EOFnmcf zimbraPublicServiceProtocol httpsnmcf zimbraPublicServicePuerto 443nmcf zimbraPublicServiceHostname $HOSTNAMEnmcf zimbraReverseProxySSLProtocolos TLSv1.2nmcf +zimbraReverseProxySSLProtocolos TLSv1.3nmcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM- SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'nmcf +zimbraResponseHeader "Estricto-Transporte-Seguridad: max-age=31536000; includeSubDomains"nmcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"nmcf +zimbraResponseHeader "X-Robots-Etiqueta: noindex"nmcf +zimbraResponseHeader "Política de referencia: sin referencia"nmcf zimbraMailKeepOutWebCrawlers VERDADEROnmcf zimbraSmtpSendAddMailer FALSOnmcf zimbraSSLDHParam /etc/ffdhe4096.pemnmcf zimbraMtaSmtpdTlsCiphers medionmcf zimbraMtaSmtpdTlsMandatoryCiphers medionmcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'nmcf zimbraMtaTlsSecurityLevel puedenms $HOSTNAME zimbraPop3CleartextLoginEnabled FALSOnms $HOSTNAME zimbraImapCleartextLoginEnabled FALSOnmcf zimbraLastLogonTimestampFrecuencia 1snmc default zimbraPrefShortEmailAddress FALSOnmcf +zimbraMailTrustedIP 127.0.0.1nmcf +zimbraMailTrustedIP $ZIMBRAIPnfin de semanannsed -i 's/-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2/-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client. protocolos=TLSv1.2,TLSv1.3/g' /opt/zimbra/conf/localconfig.xmlnwget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pemnnsu - zimbra -c '/opt/zimbra/bin/postconf -e fast_flush_domains=""'nsu - zimbra -c '/opt/zimbra/bin/postconf -e smtpd_etrn_restrictions=rechazar'nsu - zimbra -c '/opt/zimbra/bin/postconf -e disabled_vrfy_command=yes'nsu -zimbra -c '/opt/zimbra/bin/postconf -e tls_medium_cipherlist="!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE- ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256- GCM-SHA384"'nsu - zimbra -c '/opt/zimbra/bin/postconf -e tls_preempt_cipherlist=no'nnsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"'nsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsciphersuite="ALTO"'nsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_supported=1'nsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_require_interprocess_security=1'nsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_required=true'nnsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e alias_login_enabled=false'nsu - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie="Estricta"'nnsu -zimbra -c '/opt/zimbra/bin/zmprov < /tmp/provfile'nn#https://wiki.zimbra.com/wiki/Enabling_Admin_Console_Proxynsu -zimbra -c "/opt/zimbra/libexec/zmproxyconfig -e -w -C -H $NOMBRE DEL HOST"nnsu - zimbra -c '/opt/zimbra/bin/zmcontrol reiniciar'

chmod +x /usr/local/sbin/secops-zimbran/usr/local/sbin/secops-zimbra