[SOLVED] Change hostname to dns name

[todd_dsm]

During the install Zimbra picks up the hostname and uses that for everything. I would prefer that Zimbra use the DNS name 'mail' but Im not sure how to affect this change without breaking Zimbra. I searched everything I think but the hostname appears only in these places:

Code:

Global
$ zmprov getAllConfig | grep -i hostname
zimbraBackupReportEmailRecipients: admin@hostname.domain.com
zimbraBackupReportEmailSender: admin@hostname.domain.com
zimbraChangePasswordURL: https://hostname.domain.com/h/changepass
zimbraLogHostname: hostname.domain.com

COS
zmprov gac -v | grep -i host
zimbraMailHostPool: 8bcba67b-11d0-4bd5-b70a-9ec7e96003d6

SERVER
zmprov gas -v | grep -i hostname
# name hostname.domain.com
cn: hostname.domain.com
zimbraBackupReportEmailRecipients: admin@hostname.domain.com
zimbraBackupReportEmailSender: admin@hostname.domain.com
zimbraMtaAuthHost: hostname.domain.com
zimbraMtaAuthURL: https://hostname.domain.com:443/service/soap/
zimbraServiceHostname: hostname.domain.com
zimbraSmtpHostname: hostname.domain.com
zimbraSpellCheckURL: http://hostname.domain.com:7780/aspell.php
zimbraSshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACBALXPeAfqEHRae47BK1d9epKVYyyuVG1qi3M/eHY4i2K95KifsHBYovyB4LuvvlFhNkSMFFc1Uj2ukmBVrD7uDHpn4W01hdPb0ajk0/OdWrGttAMmOdjIG6XcLViiVp9KdV9jNbxv+LbZ2B+ZLuSRBQ9rC61TGBbziLuZZ/1FR0QnAAAAFQDZVMoTiq+HhSHIzwaP048wUDO/kQAAAIAbvexo0OCGv+daN4mvCubyg4I5vYGkKQSnSN0oWsVN8N7x8EbgX8aW3jkK92cgRn4f3FbXkuaX7pxlrgB/nQjl77KFvvFLsOng2A1z6TucbA4+644QkEvQmmma253V1R24nvEv5h0zIGJNl1X9enUIHSZlkcBjqOC32Ck6k/kBHQAAAIEAi/VWlDgdr1PRNT8+INmIj6dt6+hpdgqvUYhQLD7Fk2Y4mtC5K4TWiDySV+b+ar63Sm0IjNG0KiWYAJwYLH01zBPw0iMjAQ0X7m2hXZKuj4pMQlvFdZ9+PDsayUn/7Rm86JuEBfQ+DP8KDQvvRmEIY4eDmWQ9lgVkQtJhZOrvqRU= hostname.domain.com

SERVER
zmprov gas -v | grep -i host
zimbraMailReferMode: wronghost
zimbraMtaAuthHost: hostname.domain.com
zimbraMtaMyDestination: localhost
zimbraServiceHostname: hostname.domain.com
zimbraSmtpHostname: hostname.domain.com

Q1: Generally, how do I get a fully functional, non-broken Zimbra install changed from hostname.domain.com --> mail.domain.com ?

Q2: Which of these attributes are necessary to change? 1, some, all?

Q3: If you change the zimbraSshPublicKey do I need to re-gen a new one with the new name?

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

[phoenix]

Use zmprov with RenameDomain, check this article: Zmprov - Zimbra :: Wiki Obviously it's advisable to take a backup first.

[todd_dsm]

Im not sure where you're going with RenameDomain. I want to rename the hostname. ;-)

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

[phoenix]

Then use the following command: ZmSetServerName - Zimbra :: Wiki That command changes the hostname but I'd suggest it's the domain name that need changing not the hostname. You want the Zimbra hostname to be the same as the FQDN of your server and the domain name to be domain.com - take your pick but I think you're tyring to change the wrong thing by changing the hostname.

[todd_dsm]

It appears that I'm lacking relevant specifics. Let me cure that. I'm using the Zimbra/Samba walk-through.

What I would prefer is separation of church and state. I would prefer that:
1) All mail related services (webmail/IMAP) be accessible via the dns name: mail.example.tld

2) All ldap communication be accessible via the hostname: hostname.example.tld

3) The certificate allows, and is functional for both.
===
I've attempted to use zmsetservername mail.example.tld but this breaks ldap; the uri needs to be hostname.example.tld

Sorry about the confusion.

[ArcaneMagus]

So basically you have for some reason set your server's FQDN to hostname.example.tld, but you want all access to the server to be via mail.example.tld?

Just leave everything the way it is, and in DNS set the A record for mail.example.tld to the same IP address. You might also want to set a virtual host on the zimbra server to mail.example.tld.

Zimbra doesn't really care what hostname people use to access the server, the only part where it matters is the login screen where if users are not accessing via the FQDN they would need to enter their account name as "account@example.tld", however if you set a virtual host on the users domain to the address they are accessing the server by, then the server will know to add the "@example.tld" part for them.

[todd_dsm]

So basically you have for some reason set your server's FQDN to hostname.example.tld, but you want all access to the server to be via mail.example.tld?

NO, I would prefer, like any other mail server, that mail services be accessible from a dns name, in this case I prefer: mail.example.tld - not so crazy.

And that all internal services, such as ldap, communicate via the hostname; eg: uri ldap://hostname.example.tld - also not so crazy.

Just leave everything the way it is, and in DNS set the A record for mail.example.tld to the same IP address. You might also want to set a virtual host on the zimbra server to mail.example.tld.

These are the relevant bits of the 'Internal View' dns map. This has been in place while I've been testing.

Code:

# cat /var/named/chroot/var/named/example.tld.zone
$TTL 1H
@       SOA     hostname          root.example.tld. (
                                        42              ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        1H )            ; minimum

                   NS           hostname
                IN NS           hostname
                IN MX   5       mail
                IN A            10.0.0.14
hostname        IN A            10.0.0.14
mail            IN A            10.0.0.14

I will test the virtual host next. As you've suggested.

Zimbra doesn't really care what hostname people use to access the server, the only part where it matters is the login screen where if users are not accessing via the FQDN they would need to enter their account name as "account@example.tld", however if you set a virtual host on the users domain to the address they are accessing the server by, then the server will know to add the "@example.tld" part for them.

Well, this is true, Zimbra doesn't really care what hostname people use to access the server, but the client does care. If you use Thunderbird to test this, it asks you if you would like to accept the certificate. I always answer Yes / Permanently. Moments later, Thunderbird displays a message to the user:
Security Error: Domain Name Mismatch
You have attempted to establish a connection with mail.example.tld. However, the security certificate belongs to hostname.example.tld...

This message will display at intervals. I'm not sure how often exactly but let's just call it ever 10 minutes - it's incredibly annoying.

I understand this makes it a compound problem but, first things first. I'll test the virtual host, if the only way to achieve this, it just seems a bit convoluted.


Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

[ArcaneMagus]

Ah so your root problem is that Thunderbird thinks your certificate is invalid because it is for a different hostname, yet you have said "The certificate allows, and is functional for both."

So which is it? The certificate works for both host names, or the certificate doesn't work for both host names? As far as I know you would need a wildcard ssl certificate for that to work properly.

Depending on your user base size, you could look into installing Remember Mismatched Domains, but getting the wildcard ssl cert working would probably work better for you.

[todd_dsm]

Sorry if I wasn't clear on some of these points...

Ah so your root problem is that Thunderbird thinks your certificate is invalid because it is for a different hostname,

No, again, there is no way to get Zimbra to install with hostname/dns name separation by default. Or, it's not fully supported (because of the certs). That is the root problem. If I were to just name the host 'mail' this would be a non-issue. Except that my ldap uri would also be a publicly known dns name. I'd prefer more anonymity than that. (obscurity = security)

yet you have said "The certificate allows, and is functional for both." So which is it? The certificate works for both host names, or the certificate doesn't work for both host names?

"3) The certificate allows, and is functional for both." is a requirement, not a reality.

Depending on your user base size, you could look into installing Remember Mismatched Domains,

I'd prefer not to patch every desktop when it should be possible to realize a central solution.

As far as I know you would need a wildcard ssl certificate for that to work properly....getting the wildcard ssl cert working would probably work better...

A wildcard ssl certificate is a good idea but it didn't work for me. I tried a number of different ways to gen a cert that would work. The method that finally worked was going into the Admin UI and re-installing a new cert that had a "Subject Alternative Name".

The only problem with this is that (4) I need to produce it from the command line. Here are the steps I took: (the hashes are comments/output)

Code:

# Generate a new Certificate Authority (CA). 
/opt/zimbra/bin/zmcertmgr createca -new
# ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
# ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
# ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

# Generate a certificate signed by the CA that expires in 365 days. 
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=IA/L=Des Moines/O=PTEST/OU=OFFICE/CN=hostname.domain.com" -subjectAltNames "mail.domain.com"
# Validation days: 365
# Subject: /C=US/ST=IA/L=DSM/O=PTEST/OU=OFFICE/CN=*.domain.com
# ** Creating /opt/zimbra/conf/zmssl.cnf...done
# ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091111221244
# ** Generating a server csr for download self -new
# ** Creating /opt/zimbra/conf/zmssl.cnf...done
# ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091111221244
# ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
# ** Saving server config key zimbraSSLPrivateKey...done.
# ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

# Deploy the certificate
/opt/zimbra/bin/zmcertmgr deploycrt self
# ** Saving server config key zimbraSSLCertificate...done.
# ** Saving server config key zimbraSSLPrivateKey...done.
# ** Installing mta certificate and key...done.
# ** Installing slapd certificate and key...done.
# ** Installing proxy certificate and key...done.
# ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
# ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
# ** Installing CA to /opt/zimbra/conf/ca...done.

$ zmcontrol stop; zmcontrol start; zmcontrol status (restart was successful) 

# Verify the certificate was deployed to all the services
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
# ::service mta::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service proxy::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service mailboxd::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service ldap::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=

No matter what I do the SubjectAltName= is always blank if I do this from the command line.
---
Side bar: the fact that this is a standard setup and I've got to jump through so many hoops makes me wonder if I'm not doing something wrong more fundamentally.
---
Anyway, I know I write a bit terse so I'd like to say thank you for taking an interest. I sure don't mean to sound rude brother ;-)


Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

[todd_dsm]

I must have boogered up my test environment. I re-tested the wild-card certificate and it works just fine.

Code:

# ./inst_new-cert.sh
###
###       005726: Start ./inst_new-cert.sh script
###

### ./inst_new-cert.sh:005726:12: Generating a new Certificate Authority... ###
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

### ./inst_new-cert.sh:005727:18: Generating a new wild-card certificate for 365 days... ###
Validation days: 365
Subject: /C=US/ST=IA/L=Des Moines/O=TEST/OU=OFFICE/CN=*.domain.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091116005728
** Generating a server csr for download self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091116005728
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

### ./inst_new-cert.sh:005733:24: Deploying New Certificate... ###
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

### ./inst_new-cert.sh:005745:30: This is the New Certificate... ###
::service mta::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service proxy::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service mailboxd::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service ldap::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
###
###       005747: Finish ./inst_new-cert.sh script
###

Thanks again,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.