
Thread: Certificates for multiple domains

  1. #11
    cmilfo is offline Junior Member

    Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.

    Quote: Originally posted by mrfileio
    So unless I'm mistaken, with all of the beautiful support for multiple domains (translated customers for an ASP-type hosting provider), support for multiple SSL certificates per one Zimbra instance is not available, correct?
    Along the same lines, can multiple certificates be used with IMAP and SMTP?

    (We're looking to migrate from a Postfix/Cyrus/DSPAM/SquirrelMail solution.)

    Thank you,
    Casey

  2. #12
    LMStone is offline Moderator

    Quote: Originally posted by cmilfo
    Can someone reply in regards to mrfileio's inquiry? We're currently testing ZCS (testing with ZCS Network 4.5.4) for use with ~10 domains. At least 4 of these domains require SSL access.

    Casey,

    In our experience this is not possible.

    There may be a way to do it, but we haven't found one. We are running NE 4.5.3 on SLES9 and have had requests from several customers for their own SSL cert, so they can go to "webmail.theirdomain.com" instead of going to ourzimbraserver.ourdomain.com.

    The issue is that an SSL cert needs a unique IP address, but each Zimbra server only has one. Further, a wildcard cert only handles subdomains, and so won't work for your customers (nor ours).

    On some of our other non-Zimbra Apache servers, we just bind multiple IP addresses to the NIC and put each virtual host on a separate IP.

    There seems to be no facility within Zimbra presently to do that.

    I'm about to open an enhancement request on the support portal for this.

    Probably not what you wanted to hear, but there you are. It's still a great product and has been rock-solid for us, but this does seem like a surprising feature gap (at least to me!).

    All the best,
    Mark

  3. #13
    cmilfo is offline Junior Member

    Well, that's not exactly what I wanted to hear, but I guessed as much. Anytime I've tried to run multiple SSL sites off a single web server, I've always had some sort of road block (certs not matching site, needing a wildcard cert, not enough IP addresses, not all sites using SSL, you name it).

    We like ZCS a lot, so we're moving forward without the individual certificates. Here's my workaround. I'm using a single commercial site. To get each domain to be able to use its own URL, I'm creating a web page with a 100% iframe that points to the mail server. Since the single domain has a valid certificate, they get no warning, and it appears they are going to their own URL. Here's the page I'm using:

    <html>
    <head>
    <script type='text/javascript'>
    </script>
    </head>
    <body style='margin: 0px;'>
    <iframe style='border: 0px; width: 100%; height: 100%;' scrolling='no' src='https://mail.mailserver.com'></iframe>
    </body>
    </html>

    Drop this in an index.html in a 'mail' folder, and the users can hit http://www.theirdomain.com/mail to get to their ZCS mail. The only catches are that they have to use their full email address to log in (e.g., user@theirdomain.com), I can't customize the login screen (I'm still able to customize the theme to the domain once the user is logged in), and it doesn't LOOK like it's secure (I'll just have to assure them otherwise).

    If anyone sees an issue with this approach, let me know!

    Casey

  4. #14
    LMStone is offline Moderator

    What happens if you try:

    <iframe style='border: 0px; width: 100%; height: 100%;' scrolling='no' src='https://mail.mailserver.com/?skin=mycustomskin'></iframe>

    Where 'mycustomskin' is the name of the custom theme you have created. That should get you the pre-login screen with the desired theme.

    Note the Zimbra licensing requirements re branding; they are different for the Network and Open Source editions.

    Mark

  5. #15
    cmilfo is offline Junior Member

    That works great. Thank you.

    In regards to the rebranding, we're using the 60 day evaluation while we test. We're planning to purchase the Network Professional Edition.

  6. #16
    cmilfo is offline Junior Member

    I chose to post this question here since it's related to the thread. I hope some folks see this and reply.

    A few posts up I received a response from LMStone suggesting I add skin=domainskin to customize the user's login for my iframe solution. (The iframe solution allows me to use SSL without getting the nasty IE7 warning for cert not matching the domain.) This works great, and I've been able to customize the logins for all the domains I will be hosting. (And yes, I will be running a licensed version once we're finished with testing.)

    What other variables can I set through this method? Is there a way to set the login domain so the users do not have to type user@domain to login? I tried a few variations of domain= to no avail.

    Thank you, much.

    Casey

  7. #17
    mmorse is offline Moderator

    http://wiki.zimbra.com/index.php?tit...icate_Problems

    If you want the common name to show up in the CA rather than 'Zimbra Collaboration Suite' because you have several Zimbra servers.

    Please Note: I probably have unnecessary steps in this section here, but this is what I did to get it working for me.

    vi /opt/zimbra/conf/zmssl.cnf.in
    [change section to appear as below]
    0.organizationName = Zimbra
    0.organizationName_default = Zimbra
    # we can do this but it is not needed normally :-)
    #1.organizationName = Second Organization Name (eg, company)
    #1.organizationName_default = World Wide Web Pty Ltd
    organizationalUnitName = Zimbra
    organizationalUnitName_default = Zimbra
    commonName = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>
    commonName_max = 64
    commonName_default = <put your hostname here -- @@HOSTNAME@@ doesn't seem to work>

    Create the CA certificate (as zimbra)

    zmcreateca
    • (OPTIONAL) If you did the Optional step to make the CN the hostname for the CA, the output should be like the following:
    ...
    Signature ok
    subject=/C=US/ST=N/A/L=N/A/O=Zimbra/OU=Zimbra/CN=<your hostname>
    Getting Private key
    unable to write 'random state'

    Install server ca files
    • After creating the ca, it appears that zmcreateca doesn't copy the new ca.key and ca.pem to /opt/zimbra/conf/ca, so do it manually (as zimbra):
    cp /opt/zimbra/ssl/ssl/ca/ca.key /opt/zimbra/conf/ca/ca.key
    cp /opt/zimbra/ssl/ssl/ca/ca.pem /opt/zimbra/conf/ca/ca.pem

    Create the server certificate (as zimbra)

    zmcreatecert
    If you wish to have several names on the certificate, supply them as arguments
    zmcreatecert mail.mydomain.com webmail.mydomain.com webmail.yourdomain.com

    Install the server certificate files (as zimbra)

    zmcertinstall mailbox /opt/zimbra/ssl/ssl/server/tomcat.crt
    zmcertinstall mta /opt/zimbra/ssl/ssl/server/server.crt /opt/zimbra/ssl/ssl/server/server.key

  8. #18
    riegersteve is offline Senior Member

    Quote: Originally posted by DanCody
    I tried this as well and it didn't seem to work, I'm still getting errors when going to foo.bar.edu:

    "You have attempted to establish a connection with 'foo.bar.edu' however the certificate presented belongs to 'zimbra.bar.edu'." etc..

    Anyone have this working for multi hostname machines?

    Dan

    get a root cert
    expensive but works for as many subdomains as you can handle

  9. #19
    sugiggs is offline Loyal Member

    Bump 2007 post...

    any solution??

    I need multiple domains support for HTTPS, SMTPS, IMAPS

  10. #20
    ewilen is offline Moderator

    You need a multiple domain certificate aka a cert that supports subject alternative names. GoDaddy calls them UCC. Comodo has another name for them.
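
Added example (not part of any post in this thread, and not Zimbra code): the DNS-name check a TLS client applies to a certificate, which is why foo.bar.edu is rejected against a certificate for zimbra.bar.edu, why a wildcard stops at one domain, and why a certificate carrying several names (as produced by zmcreatecert with arguments, or a commercial SAN/UCC certificate) covers every hosted domain. Certificates are modelled as constructed lists of dNSName entries, the function names are hypothetical, and the matching is a simplified form of the RFC 6125 rules that rejects partial wildcards.

```python
# Added example: the DNS-name check a TLS client applies to a certificate
# (simplified RFC 6125 rules). Certificates are modelled as lists of
# dNSName entries; every list below is a constructed sample.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one dNSName entry from a certificate covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # A wildcard stands for exactly one label, so label counts must agree,
    # and '*' is only honoured in the left-most label.
    if len(p) != len(h) or any("*" in label for label in p[1:]):
        return False
    if p[0] == "*":
        # Require at least two labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in p[0] and p == h

def cert_covers(san_names, hostname):
    return any(name_matches(n, hostname) for n in san_names)

def uncovered(san_names, hostnames):
    """Hostnames for which a client would raise a name-mismatch warning."""
    return [h for h in hostnames if not cert_covers(san_names, h)]

# Hostnames one server is reached by (names taken from the thread).
SERVED = ["mail.mydomain.com", "webmail.mydomain.com", "webmail.yourdomain.com"]

CERTS = {
    "single name": ["mail.mydomain.com"],
    "wildcard": ["*.mydomain.com"],
    "multi-domain (SAN)": list(SERVED),
}

def report():
    return {kind: uncovered(sans, SERVED) for kind, sans in CERTS.items()}

if __name__ == "__main__":
    for kind, missing in report().items():
        print(f"{kind:20} mismatch for: {missing or 'none'}")
```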
