Signing of mails (X.509) using the Zimbra Connector for Outlook 2007 doesn’t work

[aeapra]

We cannot send mails signed with a X.509 certificate using the Zimbra Connector for Outlook 2007.

We have the following setup: The authentication is done through a third party directory service, and we are using the attribute “uid” (first letter of given name + last name, e.g. “jpublic” for “John Public“) for authentication. The Zimbra accounts are also named jpublic (resulting in jpublic@company.com). We’ve then created several aliases for a user, e.g. john.public@company.com that are used for external communications.

Using IMAP or POP it’s not a problem to send a signed mail from john.public@company.com (the mail address the certificate is issued to). But some of our users are using the Outlook Connector, and although the Connector is configured to use the mail address john.public@company.com Outlook/the Connector tries to find a certificate for jpublic@company.com (which doesn’t exist because in external communications we do not want to reveal our UIDs).
In the end Outlook/the Connector refuses to send signed mails from john.public@company.com, because it only looks for certificates issued to jpublic@company.com. I think this is a problem of the Zimbra connector because it is possible to send signed mails from Outlook when using IMAP or POP3.
Do you have any suggestions how to solve this problem?

Best regards,
Karsten Reineck

[aeapra]

I've just found the "Zimbra Connector for Outlook" forum.
@Admins: Feel free to move my post. Thanks.

[UserOfZ]

We cannot send mails signed with a X.509 certificate using the Zimbra Connector for Outlook 2007.

We have the following setup: The authentication is done through a third party directory service, and we are using the attribute “uid” (first letter of given name + last name, e.g. “jpublic” for “John Public“) for authentication. The Zimbra accounts are also named jpublic (resulting in jpublic@company.com). We’ve then created several aliases for a user, e.g. john.public@company.com that are used for external communications.

Using IMAP or POP it’s not a problem to send a signed mail from john.public@company.com (the mail address the certificate is issued to). But some of our users are using the Outlook Connector, and although the Connector is configured to use the mail address john.public@company.com Outlook/the Connector tries to find a certificate for jpublic@company.com (which doesn’t exist because in external communications we do not want to reveal our UIDs).
In the end Outlook/the Connector refuses to send signed mails from john.public@company.com, because it only looks for certificates issued to jpublic@company.com. I think this is a problem of the Zimbra connector because it is possible to send signed mails from Outlook when using IMAP or POP3.
Do you have any suggestions how to solve this problem?

Best regards,
Karsten Reineck

Hi,

I have the same problem in my company. Are there any solutions available, today?

[fsiegel]

What is the exact error you get?

[aeapra]

Not working:
- X.509 certificate issued to givenname.surname@company.com (unchangeable)
- Zimbra account: surname@company.com
- Zimbra alias givenname.surname@company.com for account surname@company.com
--> You cannot use the certificate with the Outlook Connector, as it ALWAYS searches for a certificate issued to surname@company.com (=the Zimbra account) even if you configured the connector with givenname.surname@company.com

My (obvious) solution:
- Delete alias givenname.surname@company.com
- Rename account surname@company.com to givenname.surname@company.com
- Create new alias surname@company.com for account givenname.surname@company.com
- Uninstall Outlook Connector
- Reinstall Outlook Connector
…repeat for all accounts. The first 3 steps can be automated, the last 2 steps require some work but luckily we don’t have that much Outlook users.

[UserOfZ]

What is the exact error you get?

Please see the error messages attached (Outlook 2007 and Outlook 2010).

My (obvious) solution:
- Delete alias givenname.surname@company.com
- Rename account surname@company.com to givenname.surname@company.com
- Create new alias surname@company.com for account givenname.surname@company.com
- Uninstall Outlook Connector
- Reinstall Outlook Connector
…repeat for all accounts. The first 3 steps can be automated, the last 2 steps require some work but luckily we don’t have that much Outlook users.

This workaround does not work for us. Because we are using an external LDAP-Auth. So we can not change the primary account name.

[aeapra]

This workaround does not work for us. Because we are using an external LDAP-Auth. So we can not change the primary account name.

We do so too. But you can change the ldap filter in the authentication section to not use the UID but any other attribute.
E.g. if you'd like Zimbra to query for the "mail" attribute and have to domains "mydomain1.com" and "mydomain2.com" then it would look like this:

(|(mail=%u@mydomain1.com)(mail=%u@mydomain2.com))