[SOLVED] External IMAP account with self signed cert?

[dragon2611]

Hi All,

Can anyone tell me how to force zimbra to accept an Self-signed certificate for adding an external IMAP account that uses SSL?


I think that might be the reason it's refusing to connect to the external mailserver.

[mmorse]

Set zmlocalconfig -e 'data_source_trust_self_signed_certs=true' (will allow/remove error message)

ZD has ssl_allow_accept_untrusted_certs true by default which warns & prompts for accept. I fought for a similar attribute in ZCS data_source_trust_certs_override_allowed (either true from the start or even just possible since most would like a tiny warning rather than wide open or blocked case for self-signed & expired < which is also just either blocked or not even for commercial) but wasn't implemented, if you'd like to add your thoughts here: Bug 35441 - external data sources with self-signed/expired certs no longer work

The per cert method:
Get the cert.
$ openssl s_client -host secure.server.com -port 993
Paste the cert into a file and load it into cacerts. Be sure to set perms and ownership on cacerts keystore file. (as zimbra)
$ keytool -import -file /tmp/secure.server.com.crt -alias secure.server.com -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit
$ zmmailboxdctl restart

[dragon2611]

Ah thanks for that,

Have added my thoughts to that bug, the error message zimbra returns is unacceptable in my opinion as it makes about as much sense as a chocloate fireguard and just leads to confusion

It's even more of a problem as it's a user facing dialogue displaying the error.

The message doesn't even fit in the box it was trying to display it in.