  #1 (permalink)  
Old 11-05-2009, 09:15 AM
Loyal Member
 
Posts: 89
Default [SOLVED] Change hostname to dns name

During the install Zimbra picks up the hostname and uses that for everything. I would prefer that Zimbra use the DNS name 'mail' but I'm not sure how to effect this change without breaking Zimbra. I searched everything I think but the hostname appears only in these places:

Code:
Global
$ zmprov getAllConfig | grep -i hostname
zimbraBackupReportEmailRecipients: admin@hostname.domain.com
zimbraBackupReportEmailSender: admin@hostname.domain.com
zimbraChangePasswordURL: https://hostname.domain.com/h/changepass
zimbraLogHostname: hostname.domain.com

COS
zmprov gac -v | grep -i host
zimbraMailHostPool: 8bcba67b-11d0-4bd5-b70a-9ec7e96003d6

SERVER
zmprov gas -v | grep -i hostname
# name hostname.domain.com
cn: hostname.domain.com
zimbraBackupReportEmailRecipients: admin@hostname.domain.com
zimbraBackupReportEmailSender: admin@hostname.domain.com
zimbraMtaAuthHost: hostname.domain.com
zimbraMtaAuthURL: https://hostname.domain.com:443/service/soap/
zimbraServiceHostname: hostname.domain.com
zimbraSmtpHostname: hostname.domain.com
zimbraSpellCheckURL: http://hostname.domain.com:7780/aspell.php
zimbraSshPublicKey: ssh-dss [key data removed] hostname.domain.com

SERVER
zmprov gas -v | grep -i host
zimbraMailReferMode: wronghost
zimbraMtaAuthHost: hostname.domain.com
zimbraMtaMyDestination: localhost
zimbraServiceHostname: hostname.domain.com
zimbraSmtpHostname: hostname.domain.com
Q1: Generally, how do I get a fully functional, non-broken Zimbra install changed from hostname.domain.com --> mail.domain.com ?

Q2: Which of these attributes are necessary to change? 1, some, all?

Q3: If you change the zimbraSshPublicKey do I need to re-gen a new one with the new name?

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

Last edited by todd_dsm; 10-08-2010 at 09:37 AM..
  #2 (permalink)  
Old 11-05-2009, 09:24 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Use zmprov with RenameDomain, check this article: Zmprov - Zimbra :: Wiki. Obviously it's advisable to take a backup first.
__________________
Regards


Bill
  #3 (permalink)  
Old 11-05-2009, 12:14 PM
Loyal Member
 
Posts: 89
Default

I'm not sure where you're going with RenameDomain. I want to rename the hostname. ;-)

Thanks in advance,
todd_dsm

Last edited by todd_dsm; 10-08-2010 at 09:37 AM..
  #4 (permalink)  
Old 11-05-2009, 12:26 PM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Then use the following command: ZmSetServerName - Zimbra :: Wiki. That command changes the hostname but I'd suggest it's the domain name that needs changing, not the hostname. You want the Zimbra hostname to be the same as the FQDN of your server and the domain name to be domain.com - take your pick but I think you're trying to change the wrong thing by changing the hostname.
__________________
Regards


Bill

Last edited by phoenix; 11-05-2009 at 12:31 PM..
  #5 (permalink)  
Old 11-10-2009, 11:22 PM
Loyal Member
 
Posts: 89
Default More precisely...

It appears that I'm lacking relevant specifics. Let me cure that. I'm using the Zimbra/Samba walk-through.

What I would prefer is separation of church and state. I would prefer that:
1) All mail related services (webmail/IMAP) be accessible via the dns name: mail.example.tld

2) All ldap communication be accessible via the hostname: hostname.example.tld

3) The certificate allows, and is functional for both.
===
I've attempted to use zmsetservername mail.example.tld but this breaks ldap; the uri needs to be hostname.example.tld

Sorry about the confusion.
  #6 (permalink)  
Old 11-11-2009, 12:46 PM
Moderator
 
Posts: 1,147
Default

So basically you have for some reason set your server's FQDN to hostname.example.tld, but you want all access to the server to be via mail.example.tld?

Just leave everything the way it is, and in DNS set the A record for mail.example.tld to the same IP address. You might also want to set a virtual host on the zimbra server to mail.example.tld.

Zimbra doesn't really care what hostname people use to access the server, the only part where it matters is the login screen where if users are not accessing via the FQDN they would need to enter their account name as "account@example.tld", however if you set a virtual host on the users domain to the address they are accessing the server by, then the server will know to add the "@example.tld" part for them.
  #7 (permalink)  
Old 11-12-2009, 09:16 AM
Loyal Member
 
Posts: 89
Default Let me refine...

Quote:
Originally Posted by ArcaneMagus View Post
So basically you have for some reason set your server's FQDN to hostname.example.tld, but you want all access to the server to be via mail.example.tld?
NO, I would prefer, like any other mail server, that mail services be accessible from a dns name, in this case I prefer: mail.example.tld - not so crazy.

And that all internal services, such as ldap, communicate via the hostname; eg: uri ldap://hostname.example.tld - also not so crazy.

Quote:
Originally Posted by ArcaneMagus View Post
Just leave everything the way it is, and in DNS set the A record for mail.example.tld to the same IP address. You might also want to set a virtual host on the zimbra server to mail.example.tld.
These are the relevant bits of the 'Internal View' dns map. This has been in place while I've been testing.
Code:
# cat /var/named/chroot/var/named/example.tld.zone
$TTL 1H
@       SOA     hostname          root.example.tld. (
                                        42              ; serial
                                        3H              ; refresh
                                        1H              ; retry
                                        1W              ; expiry
                                        1H )            ; minimum

                   NS           hostname
                IN NS           hostname
                IN MX   5       mail
                IN A            10.0.0.14
hostname        IN A            10.0.0.14
mail            IN A            10.0.0.14
I will test the virtual host next. As you've suggested.

Quote:
Originally Posted by ArcaneMagus View Post
Zimbra doesn't really care what hostname people use to access the server, the only part where it matters is the login screen where if users are not accessing via the FQDN they would need to enter their account name as "account@example.tld", however if you set a virtual host on the users domain to the address they are accessing the server by, then the server will know to add the "@example.tld" part for them.
Well, this is true, Zimbra doesn't really care what hostname people use to access the server, but the client does care. If you use Thunderbird to test this, it asks you if you would like to accept the certificate. I always answer Yes / Permanently. Moments later, Thunderbird displays a message to the user:
Security Error: Domain Name Mismatch
You have attempted to establish a connection with mail.example.tld. However, the security certificate belongs to hostname.example.tld...

This message will display at intervals. I'm not sure how often exactly but let's just call it every 10 minutes - it's incredibly annoying.

I understand this makes it a compound problem but, first things first. I'll test the virtual host; if it's the only way to achieve this, it just seems a bit convoluted.


Thanks in advance,
todd_dsm

Last edited by todd_dsm; 10-08-2010 at 09:38 AM..
  #8 (permalink)  
Old 11-12-2009, 10:59 AM
Moderator
 
Posts: 1,147
Default

Ah so your root problem is that Thunderbird thinks your certificate is invalid because it is for a different hostname, yet you have said "The certificate allows, and is functional for both."

So which is it? The certificate works for both host names, or the certificate doesn't work for both host names? As far as I know you would need a wildcard ssl certificate for that to work properly.

Depending on your user base size, you could look into installing Remember Mismatched Domains, but getting the wildcard ssl cert working would probably work better for you.
  #9 (permalink)  
Old 11-12-2009, 05:00 PM
Loyal Member
 
Posts: 89
Default Whittling down...

Sorry if I wasn't clear on some of these points...

Quote:
Originally Posted by ArcaneMagus View Post
Ah so your root problem is that Thunderbird thinks your certificate is invalid because it is for a different hostname,
No, again, there is no way to get Zimbra to install with hostname/dns name separation by default. Or, it's not fully supported (because of the certs). That is the root problem. If I were to just name the host 'mail' this would be a non-issue. Except that my ldap uri would also be a publicly known dns name. I'd prefer more anonymity than that. (obscurity = security)

Quote:
Originally Posted by ArcaneMagus View Post
yet you have said "The certificate allows, and is functional for both." So which is it? The certificate works for both host names, or the certificate doesn't work for both host names?
"3) The certificate allows, and is functional for both." is a requirement, not a reality.

Quote:
Originally Posted by ArcaneMagus View Post
Depending on your user base size, you could look into installing Remember Mismatched Domains,
I'd prefer not to patch every desktop when it should be possible to realize a central solution.

Quote:
Originally Posted by ArcaneMagus View Post
As far as I know you would need a wildcard ssl certificate for that to work properly....getting the wildcard ssl cert working would probably work better...
A wildcard ssl certificate is a good idea but it didn't work for me. I tried a number of different ways to gen a cert that would work. The method that finally worked was going into the Admin UI and re-installing a new cert that had a "Subject Alternative Name".

The only problem with this is that (4) I need to produce it from the command line. Here are the steps I took: (the hashes are comments/output)

Code:
# Generate a new Certificate Authority (CA). 
/opt/zimbra/bin/zmcertmgr createca -new
# ** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
# ** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
# ** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

# Generate a certificate signed by the CA that expires in 365 days. 
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subject "/C=US/ST=IA/L=Des Moines/O=PTEST/OU=OFFICE/CN=hostname.domain.com" -subjectAltNames "mail.domain.com"
# Validation days: 365
# Subject: /C=US/ST=IA/L=DSM/O=PTEST/OU=OFFICE/CN=*.domain.com
# ** Creating /opt/zimbra/conf/zmssl.cnf...done
# ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091111221244
# ** Generating a server csr for download self -new
# ** Creating /opt/zimbra/conf/zmssl.cnf...done
# ** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091111221244
# ** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
# ** Saving server config key zimbraSSLPrivateKey...done.
# ** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

# Deploy the certificate
/opt/zimbra/bin/zmcertmgr deploycrt self
# ** Saving server config key zimbraSSLCertificate...done.
# ** Saving server config key zimbraSSLPrivateKey...done.
# ** Installing mta certificate and key...done.
# ** Installing slapd certificate and key...done.
# ** Installing proxy certificate and key...done.
# ** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
# ** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
# ** Installing CA to /opt/zimbra/conf/ca...done.

$ zmcontrol stop; zmcontrol start; zmcontrol status   # restart was successful

# Verify the certificate was deployed to all the services
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
# ::service mta::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service proxy::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service mailboxd::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
# ::service ldap::
# notBefore=Nov 10 01:44:55 2009 GMT
# notAfter=Nov 10 01:44:55 2010 GMT
# subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=mail.domain.com
# SubjectAltName=
No matter what I do the SubjectAltName= is always blank if I do this from the command line.
---
Side bar: the fact that this is a standard setup and I've got to jump through so many hoops makes me wonder if I'm not doing something wrong more fundamentally.
---
Anyway, I know I write a bit terse so I'd like to say thank you for taking an interest. I sure don't mean to sound rude brother ;-)


Last edited by todd_dsm; 10-08-2010 at 09:38 AM..
  #10 (permalink)  
Old 11-15-2009, 11:59 PM
Loyal Member
 
Posts: 89
Default Apologies

I must have boogered up my test environment. I re-tested the wild-card certificate and it works just fine.

Code:
# ./inst_new-cert.sh
###
###       005726: Start ./inst_new-cert.sh script
###

### ./inst_new-cert.sh:005726:12: Generating a new Certificate Authority... ###
** Creating /opt/zimbra/ssl/zimbra/ca/zmssl.cnf...done
** Creating CA private key /opt/zimbra/ssl/zimbra/ca/ca.key...done.
** Creating CA cert /opt/zimbra/ssl/zimbra/ca/ca.pem...done.

### ./inst_new-cert.sh:005727:18: Generating a new wild-card certificate for 365 days... ###
Validation days: 365
Subject: /C=US/ST=IA/L=Des Moines/O=TEST/OU=OFFICE/CN=*.domain.com
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091116005728
** Generating a server csr for download self -new
** Creating /opt/zimbra/conf/zmssl.cnf...done
** Backup /opt/zimbra/ssl/zimbra to /opt/zimbra/ssl/zimbra.20091116005728
** Creating server cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Signing cert request /opt/zimbra/ssl/zimbra/server/server.csr...done.

### ./inst_new-cert.sh:005733:24: Deploying New Certificate... ###
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.
** Installing CA to /opt/zimbra/conf/ca...done.

### ./inst_new-cert.sh:005745:30: This is the New Certificate... ###
::service mta::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service proxy::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service mailboxd::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
::service ldap::
notBefore=Nov 16 06:57:33 2009 GMT
notAfter=Nov 16 06:57:33 2010 GMT
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
issuer= /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=hostname.domain.com
SubjectAltName=
###
###       005747: Finish ./inst_new-cert.sh script
###
Thanks again,
todd_dsm


Last edited by todd_dsm; 10-08-2010 at 09:40 AM..
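
An added example, not part of the original thread or Zimbra's own tooling: it parses `zmcertmgr viewdeployedcrt` output in the layout posted above and reports, per service, which required names the deployed certificate does not cover, using RFC 6125-style matching where `*` stands for one leftmost label only. It goes beyond the thread by also checking the SAN-only case (`cn_fallback=False`), because a client that ignores the CN would reject a wildcard-CN certificate whose SubjectAltName is empty. The sample text, the function names and the format of a populated `SubjectAltName=` line are constructed assumptions.

```python
import re

# Constructed sample in the `zmcertmgr viewdeployedcrt` layout from the thread.
# The populated SubjectAltName= line on "proxy" is an assumed format.
SAMPLE = """\
::service mta::
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=*.domain.com
SubjectAltName=
::service ldap::
subject= /C=US/ST=N/A/O=Zimbra Collaboration Suite/CN=mail.domain.com
SubjectAltName=
::service proxy::
subject= /C=US/ST=IA/O=TEST/OU=OFFICE/CN=hostname.domain.com
SubjectAltName=mail.domain.com, hostname.domain.com
"""
REQUIRED = ["mail.domain.com", "hostname.domain.com"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' may replace the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # refuse '*.com'-style patterns
    return p == h

def parse_deployed(text):
    """Return {service: {"cn": str or None, "san": [names]}}."""
    services, cur = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("# ").strip()  # tolerate the '# ' prefix used in post #9
        m = re.match(r"::service (\S+)::", line)
        if m:
            cur = services.setdefault(m.group(1), {"cn": None, "san": []})
        elif cur is not None and line.startswith("subject="):
            cn = re.search(r"/CN=([^/]+)", line)
            cur["cn"] = cn.group(1).strip() if cn else None
        elif cur is not None and line.startswith("SubjectAltName="):
            names = re.split(r"[,\s]+", line.split("=", 1)[1])
            cur["san"] = [n.split(":", 1)[-1] for n in names if n]  # drop 'DNS:'
    return services

def coverage(text, required, cn_fallback=True):
    """Map each service to the required names its certificate does not cover."""
    report = {}
    for svc, cert in parse_deployed(text).items():
        names = list(cert["san"])
        # CN is consulted only when the certificate carries no SAN names at all.
        if cn_fallback and not names and cert["cn"]:
            names.append(cert["cn"])
        report[svc] = [r for r in required
                       if not any(name_matches(n, r) for n in names)]
    return report
```

On a live server the input would be the text printed by `/opt/zimbra/bin/zmcertmgr viewdeployedcrt`; an empty list for every service means both names are covered.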