NGINX TLS certificates

[jfone]

I'm using nginx for proxying pop/pops & imap/imaps. It has been configured with certificates for the ssl interfaces and everything works fine for SSL & non-SSL.

The issue I'm having is that for tls I can't configure nginx to use the pop certificate for pop and imap certificate for imap.

It can be seen in the mail configuration file for TLS it is only possible for the ssl_certificate to be referenced to one file and not separate files:

Code:

    $ egrep -i 'SSL|TLS' nginx.conf.mail
    # on whether cleartext login is available (see description for starttls)
    # For example, if starttls is set to only, then SASL PLAIN is not
    # available outside of TLS/SSL
    # TLS configuration
    ssl_prefer_server_ciphers   on;
    ssl_certificate             /opt/zimbra/conf/nginx.crt;
    ssl_certificate_key         /opt/zimbra/conf/nginx.key;

Ideally I would expect something similar to below, but I can't work out how I could do it and if it is even possible.

Code:

ssl_certificate_pop             /opt/zimbra/conf/nginx.crt_pop;
ssl_certificate_key_pop         /opt/zimbra/conf/nginx.key_pop;
ssl_certificate_imap             /opt/zimbra/conf/nginx.crt_imap;
ssl_certificate_key_imap      /opt/zimbra/conf/nginx.key_imap;

[markusvl]

hi,

why do you want to split the certificates? you should use a *.yourdomain.com certificate.

Cheers
Markus

[jfone]

yes, that is an option but security has stipulated that we can't have a global certificate such as:

*.domain.com

we have been delievered certifcates such as:

pop.domain.com
imap.domain.com

[y@w]

I'm not sure if there's a built-in way, but you could just edit the nginx.conf.mail.imaps and nginx.conf.mail.pops files and specify your certificates there. Of course, that won't hold during an upgrade, but that would be one way of doing it.. Just comment out the ssl references before the includes inside the file posted and include them in the server section of the respective services config files.

[jfone]

Thanks for the reply, that is what I thought as well, and that is what we have done for pop/imap SSL, but this file is only used for SSL and not TLS. Afaik TLS is configured in the file "nginx.conf.mail"

Code:

# POP3S proxy configuration
#
server
{
    listen              995;
    protocol            pop3;
    proxy               on;
    ssl                 on;
           ssl_certificate             /opt/zimbra/conf/pop3.crt;
           ssl_certificate_key         /opt/zimbra/conf/pop.key;
    sasl_service_name   "pop";
}

[y@w]

Hmm.. I'm not familiar with TLS configuration in nginx, but I would think the principle would be the same.. Can you just move that configuration to the individual services files?