04-30-2007, 10:24 AM
| | | Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.

Quote: Originally Posted by mrfileio
So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?

Along the same lines, can multiple certificates be used with IMAP and SMTP?
(We're looking to migrate from a Postfix/Cyrus/DSPAM/SquirrelMail solution.)
Thank you,
Casey | 
05-01-2007, 11:21 AM
| | | Quote: Originally Posted by cmilfo
Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.

Casey,
In our experience this is not possible.
There may be a way to do it, but we haven't found one. We are running NE 4.5.3 on SLES9 and have had requests from several customers for their own SSL cert, so they can go to "webmail.theirdomain.com" instead of going to ourzimbraserver.ourdomain.com.
The issue is that an SSL cert needs a unique IP address, but each Zimbra server only has one. Further, a wildcard cert only handles subdomains, and so won't work for your customers (nor ours).
On some of our other non-Zimbra Apache servers, we just bind multiple IP addresses to the NIC and put each virtual host on a separate IP.
There seems to be no facility within Zimbra presently to do that.
I'm about to open an enhancement request on the support portal for this.
Probably not what you wanted to hear, but there you are. It's still a great product and has been rock-solid for us, but this does seem like a surprising feature gap (at least to me!).
All the best,
Mark
__________________
___________________________________ L. Mark Stone, CIO "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
| 
05-01-2007, 02:08 PM
| | | Well, that's not exactly what I wanted to hear, but I guessed as much. Anytime I've tried to run multiple SSL sites off a single web server, I've always had some sort of road block (certs not matching site, needing a wildcard cert, not enough IP addresses, not all sites using SSL, you name it).
We like ZCS a lot, so we're moving forward without the individual certificates. Here's my work around. I'm using a single commercial site. To get each domain to be able to use its own URL, I'm creating a web page with a 100% iframe that points to the mail server. Since the single domain has a valid certificate, they get no warning, and it appears they are going to their own URL. Here's the page I'm using: Quote:
<html>
<head>
<script type='text/javascript'>
</script>
</head>
<body style='margin: 0px;'>
<iframe style='border: 0px; width: 100%; height: 100%;' scrolling='no' src='https://mail.mailserver.com'></iframe>
</body>
</html>
Drop this in an index.html in a 'mail' folder, and the users can hit http://www.theirdomain.com/mail to get to their ZCS mail. The only catches are that they have to use their full email address to log in (e.g., user@theirdomain.com), I can't customize the login screen (I'm still able to customize the theme to the domain once the user is logged in), and it doesn't LOOK like it's secure (I'll just have to assure them otherwise).
If anyone sees an issue with this approach, let me know!
Casey | 
05-02-2007, 01:29 PM
| | | What happens if you try:
<iframe style='border: 0px; width: 100%; height: 100%;' scrolling='no' src='https://mail.mailserver.com/?skin=mycustomskin'></iframe>
Where 'mycustomskin' is the name of the custom theme you have created. That should get you the pre-login screen with the desired theme.
Note the Zimbra licensing requirements re branding; they are different for the Network and Open Source editions.
Mark
| 
05-02-2007, 03:38 PM
| | | That works great. Thank you.
In regards to the rebranding, we're using the 60 day evaluation while we test. We're planning to purchase the Network Professional Edition. | 
05-15-2007, 09:22 AM
| | | I chose to post this question here since it's related to the thread. I hope some folks see this and reply.
A few posts up I received a response from LMStone suggesting I add skin=domainskin to customize the user's login for my iframe solution. (The iframe solution allows me to use SSL without getting the nasty IE7 warning for cert not matching the domain.) This works great, and I've been able to customize the logins for all the domains I will be hosting. (And yes, I will be running a licensed version once we're finished with testing.)
What other variables can I set through this method? Is there a way to set the login domain so the users do not have to type user@domain to login? I tried a few variations of domain= to no avail.
Thank you, much.
Casey | 
05-15-2007, 09:46 AM
| | | http://wiki.zimbra.com/index.php?tit...icate_Problems Quote:
If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several zimbra servers. Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.
vi /opt/zimbra/conf/zmssl.cnf.in
[change section to appear as below]
0.organizationName = Zimbra
0.organizationName_default = Zimbra
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Zimbra
organizationalUnitName_default = Zimbra
commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
commonName_max = 64
commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>

Create the CA certificate (as zimbra)
zmcreateca
- (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
...
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
Getting Private key
unable to write 'random state'

Install server ca files
- After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

Create the server certificate (as zimbra)
zmcreatecert
If you wish to have several names on the certificate, supply them as arguments
zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com

Install the server certificate files (as zimbra)
zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key
| | 
05-15-2007, 04:06 PM
| | | Quote: Originally Posted by DanCody
I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:
"You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..
Anyone have this working for multi hostname machines?
Dan

get a root cert
expensive but works for as many subdomains as you can handle | 
09-29-2009, 05:30 AM
| | | Bump 2007 post...
any solution??
I need multiple domains support for HTTPS, SMTPS, IMAPS | 
09-30-2009, 07:54 AM
| | | You need a multiple domain certificate aka a cert that supports subject alternative names. GoDaddy calls them UCC. Comodo has another name for them.
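
The hostname-mismatch warning reported earlier in the thread and the subject-alternative-name answer above can be checked before a certificate goes live. This is an added example, not part of the thread or of Zimbra's tooling: it builds three throwaway self-signed certificates (constructed for the demonstration, using the hostnames from the quoted zmcreatecert line) and asks OpenSSL which of those names each certificate is valid for. It assumes OpenSSL 1.1.1 or later for `-addext`.

```bash
#!/bin/sh
# Added example: throwaway self-signed certificates, hostnames from the thread's zmcreatecert line.
HOSTS="mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com"
WORK=$(mktemp -d)

# make_cert <name> <subjectAltName value>: write $WORK/<name>.pem carrying that SAN list.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/O=Constructed/CN=constructed" \
        -addext "subjectAltName=$2" 2>/dev/null
}

# cert_covers <certfile> <hostname>: succeeds only if the certificate is valid for the name.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# coverage_report <certfile> <hostname>...: one line per name; return value = names not covered.
coverage_report() {
    cert=$1; shift
    missing=0
    for host in "$@"; do
        if cert_covers "$cert" "$host"; then
            echo "ok       $host"
        else
            echo "MISMATCH $host"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

make_cert single   "DNS:mail.mydomain.com"
make_cert wildcard "DNS:*.mydomain.com"
make_cert san      "DNS:mail.mydomain.com,DNS:webmail.mydomain.com,DNS:webmail.yourdomain.com"

for c in single wildcard san; do
    echo "== $c"
    coverage_report "$WORK/$c.pem" $HOSTS || echo "   $? name(s) not covered"
done
```

To audit a real deployment, pass `coverage_report` the installed server certificate (the thread's `/opt/zimbra/ssl/ssl/server/server.crt`) followed by every hostname clients will use for HTTPS, IMAPS and SMTPS.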