
Thread: Open Source web client access multiple Zimbra servers

  1. #1
    rcken is offline Starter Member

    I've got a problem that I hope other Admins out there can help me with. I have several Zimbra open source servers that I manage. When I set up the web client to access accounts I have no problems setting up multiple email sources outside of Zimbra. And I can set up the web client to pull from different Zimbra accounts on the same server (same domain). The problem comes in when I try to set up the web client to access email on a different Zimbra server for a different domain. I go to the Preferences and Accounts and click "Add External Account". It doesn't matter whether I set it to POP3 or IMAP, I still get an error. It's hard for me to capture the error because I can't copy and paste the text from the error message, but I'll try and type it in here. The error reads:

    Error: d2:CN19:mail.infintiyok.com1:O26:Zimbra Collaboration Suite2:OU26:Zimbra Collaboration Suite6:accept4:true5:alias30:mail.infinityok.com:1 3410717674:fromi1341071775000e4: host19:mail.infinityok.com2:io26:Zimbra Collaboration Suite3:iou26:Zimbra Collaboration Suite3:md532:9f5ABE13C90CD3E2C1B372A2E7241348:mism atch5:false1:s10:12410717674:sha140:B5C171FA3F3CCA B#*F20BDABBE2AD44E34C2F002:toi1656431775000ee

    Both Zimbra servers are Open Source version 7.2.0.

    I would like to get this working because I have to check mail from both Zimbra servers and it would be much easier to check it in one web mail interface and not have to do it on two separate computers. Also, I know that I could do this with the Zimbra Desktop client, but that's really not an option because I am not always checking my mail on the same machine. So I have to use the Web Client for getting my mail.

    I appreciate any help from the community I can get on this issue.

    Ken

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    Quote: Originally posted by rcken
    I would like to get this working because I have to check mail from both Zimbra servers and it would be much easier to check it in one web mail interface and not have to do it on two separate computers. Also, I know that I could do this with the Zimbra Desktop client, but that's really not an option because I am not always checking my mail on the same machine. So I have to use the Web Client for getting my mail.
    Why don't you take the easy route and use Zimbra Desktop?
    Regards


    Bill

  3. #3
    rcken is offline Starter Member

    Quote: Originally posted by phoenix
    Why don't you take the easy route and use Zimbra Desktop?
    As I said in my original post, I am not always accessing my email on the same computer. Desktop would tie me to one system that it's installed on. I access my mail from many different places throughout the week, and the easiest way for me to do that is by using the Web Client to access my mail.

    Ken

  4. #4
    j2b is offline Special Member

    It seems to be a problem with SSL negotiation, if this is used on servers. There were issues quite some time ago with problems accessing Dreamhost and other ISP servers too. At least part of your error message defines mismatch of hash keys, where one is in md5 format, the other - in sha1 format. One of SSL certs is encrypted in wrong (not incorrect, but not widely used) format. Sorry, I can not give you more specific directions, as it was so long ago, that I do not remember, nor have my notes with me.

  5. #5
    j2b is offline Special Member

    Oddly enough, I just stepped over the same problem, and had to recover my notes. The cause of such an error lies in the fact that the server you're trying to connect to (attaching a remote datastore with IMAP via the Zimbra Web client) is using a misconfigured or self-signed SSL certificate. There are many discussion threads in this forum regarding solutions to the problem, touching several zimbra zmlocalconfig parameters, but no clarity on the strict steps to solve this.

    I solved this issue (at least in my case, regarding a SELF-SIGNED SSL CERTIFICATE), but some elaboration on this would be appreciated. And to be honest, from a future management perspective, the life of both parties would be much easier if the target system (the one FROM which you are trying to fetch IMAP mails, referenced further in this comment as "Target system") deployed a commercial certificate. It really does not cost too much these days, and it gets rid of having to remember how to recover from this issue in future, when the admins of this Target system change or renew their self-signed cert again.

    Short answer: you have to download SSL certificate from Target system to your mailbox temporary place (say /tmp) into file. And after, using keytool, import this certificate into cacerts file. Then restart mailbox.

    STEP BY STEP

    All tasks are done on your mailbox server, as we have to tell it to trust this external certificate. I did this as the Zimbra user, but had to temporarily change the permissions of a particular file.

    As Zimbra user:
    1. $ cd /tmp

    .. Get a certificate ..
    2. $ openssl s_client -host remote.server.com -port 993

    3. Copy the certificate part of the CLI output
    Find a part like this and copy it, including the BEGIN & END lines, without any whitespace or unneeded characters. You MUST NOT COPY the "Server certificate" part, it's just for reference, what to look for in the output! You are interested ONLY in the green text part!!!

    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----


    4. Paste this into a file in your temporary folder (nano is a text editor, but you may use your preferred one)
    $ nano /tmp/remote.server.com.crt
    Ctrl+v
    Ctrl+x, y, Enter


    --------------> !! here I change user to root

    As root user:
    5. Temporarily change permissions and ownership of the "cacerts" file
    # chown zimbra:zimbra /opt/zimbra/java/jre/lib/security/cacerts
    # chmod u+w /opt/zimbra/java/jre/lib/security/cacerts


    --------------> !! change back to zimbra user

    As zimbra user:
    6. Import your created /tmp/remote.server.com.crt into cacerts using keytool (obviously, change remote.server.com to your actual server name)

    /tmp$ keytool -import -file /tmp/remote.server.com.crt -alias remote.server.com -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

    DO NOT MISS - There is a last question from this command before deployment; respond appropriately:
    Trust this certificate? [no]: yes

    --------------> !! change to root user

    As root user:
    7. Change back the cacerts permissions
    # chown root:root /opt/zimbra/java/jre/lib/security/cacerts
    # chmod u-w /opt/zimbra/java/jre/lib/security/cacerts


    --------------> !! change back to zimbra user

    As zimbra user:
    8. Restart the mailbox service
    $ zmcontrol restart (note - it probably would be ok with $ zmmailboxdctl restart, but I decided to get full clean restart of ZCS, which takes longer, thus introducing longer disruption of services).


    That's it. Check adding the External account again. Apparently, some CLI gurus might optimize some parts, and that is welcome. Our life would get easier.

    Now, why encourage Target system operators to deploy a commercial cert? Because, besides other benefits, if they change something in their system, or renew their self-signed cert, you will have to remember this, find these notes, and redo it again and again, still experiencing additional errors and a lack of online information meanwhile. Is this worth it?

    Now, the tricky part, for which I didn't get proof, is the discussions regarding the following zmlocalconfig options:
    - data_source_trust_self_signed_certs (defaults to false)
    - ssl_allow_untrusted_certs (defaults to false)
    - javamail_imap_enable_starttls (defaults to true)

    In my case, adding the certificate to cacerts didn't require any changes to the above options, thus leaving the defaults.

    Some sky clearing would be appreciated on how these configuration booleans interact with all this. There were some discussions where it was enough to change data_source_trust_self_signed_certs to true, but that one particular setting didn't change any behaviour at all.

    To be honest, I really do not think that javamail_imap_enable_starttls actually has anything to do with the error, if it's connected to trusting of a self-signed cert. This might be connected with other types of errors regarding the IMAP connection.

    To get your server's current settings of the above options, use this syntax (as Zimbra user): $ zmlocalconfig | grep {config-option}, for example:
    $ zmlocalconfig | grep data_source_trust_self_signed_certs

    To modify settings, just add the -e switch to the zmlocalconfig command, e.g. to set the example from false to true:
    $ zmlocalconfig -e data_source_trust_self_signed_certs=true

    !!! Mind no spaces between ..._certs=true parts - all in one line

    Hope this helps for future reference. Here are the references I was using for this post to keep track of and understand different outcomes/necessities:
    - 5.0.13 breaks external IMAP SSL account
    - [SOLVED] Problem with external Accounts and SSL
    - [SOLVED] External IMAP account with self signed cert?
    - External IMAP account forces TLS when I don't want it
    - Fail to add external account from Zimbra5_NE server in my new Zimbra6_OSS
    - http://www.sslshopper.com/article-mo...-commands.html
    - Keystore password
    - http://wiki.zimbra.com/wiki/Preexist...for_Zimbra_6.0
    - http://blog.spanger.org/?p=1168
    - Zimbra on Debian - keytool issues
    Last edited by j2b; 12-14-2012 at 01:46 PM. Reason: Appended references, corrected Step 3
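
    A non-interactive variant of steps 2 to 6 above, added here as an example and not part of the original post: it extracts only the server's own certificate from the `openssl s_client` output and refuses to import it unless its SHA-256 fingerprint matches a value obtained out of band. The function names are hypothetical, and the expected fingerprint is assumed to come from the Target system's administrator; host, port, keystore path and store password are the ones used in the post.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not Zimbra tooling.

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client` output on stdin; any further chain certs are dropped.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { inside = 1 }
         inside { print }
         /-----END CERTIFICATE-----/ { if (inside) exit }'
}

# Normalise a fingerprint so "SHA256 Fingerprint=ab:cd" and "AB CD" compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if FILE's SHA-256 fingerprint equals EXPECTED_FP.
cert_matches_fp() {   # usage: cert_matches_fp FILE EXPECTED_FP
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 2
    [ "$(normalize_fp "$actual")" = "$(normalize_fp "$2")" ]
}

# Fetch the certificate, verify it, and only then import it into cacerts.
# Assumption: EXPECTED_FP was obtained out of band, not from this connection.
fetch_verify_import() {   # usage: fetch_verify_import HOST EXPECTED_FP
    host=$1
    expected=$2
    crt="/tmp/$host.crt"
    # </dev/null makes s_client exit after the handshake instead of waiting.
    openssl s_client -host "$host" -port 993 </dev/null 2>/dev/null \
        | extract_leaf_pem > "$crt"
    [ -s "$crt" ] || { echo "no certificate received from $host" >&2; return 1; }
    cert_matches_fp "$crt" "$expected" \
        || { echo "fingerprint mismatch, not importing" >&2; return 1; }
    # -noprompt answers the "Trust this certificate?" question from step 6.
    keytool -import -noprompt -file "$crt" -alias "$host" \
        -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
}
```

    The permission changes in steps 5 and 7 and the restart in step 8 still apply around a call such as `fetch_verify_import remote.server.com "<fingerprint from the Target system's admin>"`.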
