Zimbra Collaboration Suite 7.0
Administrator's Guide
Open Source Edition

Appendix A Command-Line Utilities > zmtlsctl

This command sets the Web server's zimbraMailMode attribute to one of the communication protocol options: HTTP, HTTPS, Mixed, Both, or Redirect.
HTTPS: HTTPS only. The user browses to https://zimbra.domain.com; http:// is denied.
Mixed: If the user goes to http://, the session switches to https:// for the login only, then reverts to http:// for normal session traffic. If the user browses to https://, the session stays https://.
Both: A user can go to http:// or https:// and keeps that mode for the entire session.
Redirect: Like Mixed, if the user goes to http:// the session switches to https://, but it stays https:// for the entire session.
All modes use SSL encryption for back-end administrative traffic.
Important: Only zimbraMailMode HTTPS can ensure that no listener will be available on HTTP/port 80, that no client application will try to auth over HTTP, and that all data exchanged with the client application will be encrypted.
Mailboxd has to be stopped and restarted for the change to take effect.
If you switch to HTTPS, you use the self-signed certificate generated during ZCS installation, in /opt/zimbra/ssl/zimbra/server/server.crt.
zmtlsctl [mode]
mode = http, https, mixed, both, redirect
Steps to run
1. Type zmtlsctl [mode] and press Enter.
2. Type zmmailboxdctl stop and press Enter.
3. When mailboxd is stopped, type zmmailboxdctl start and press Enter.
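The following script is an added example, not part of the Zimbra guide: it wraps the three steps above (validate the mode, run zmtlsctl, stop and start mailboxd) and then probes port 80 so an administrator can confirm the point made earlier that only HTTPS mode leaves no HTTP listener. It assumes it runs as the zimbra user on the ZCS host, that curl is installed, and that the host to probe is localhost; those are assumptions, as is the helper naming.

```sh
#!/bin/sh
# Added example (not from the Zimbra guide). Assumes: run as the zimbra user on a
# ZCS 7.0 host, zmtlsctl and zmmailboxdctl on PATH, curl available.

# Validate a requested mode against the values zmtlsctl accepts (per the guide).
# Returns 0 for a valid mode, 1 otherwise.
valid_mode() {
    case "$1" in
        http|https|mixed|both|redirect) return 0 ;;
        *) return 1 ;;
    esac
}

# Per the guide, only HTTPS mode guarantees no listener on port 80; every
# other mode keeps an HTTP listener (for login, full session, or redirect).
expect_http_listener() {
    if [ "$1" = "https" ]; then echo "closed"; else echo "open"; fi
}

# Decide whether a probe result matches what the mode should produce.
# $2 is the HTTP status from curl; "000" means the connection was refused.
check_mode_result() {
    mode="$1"; code="$2"
    case "$(expect_http_listener "$mode")" in
        closed) [ "$code" = "000" ] ;;
        open)   [ "$code" != "000" ] ;;
    esac
}

# Probe port 80 on the given host (assumed: localhost). curl prints "000"
# when the connection fails; --max-time keeps the probe from hanging.
probe_http() {
    host="${1:-localhost}"
    code=$(curl -s -o /dev/null --max-time 5 -w '%{http_code}' "http://$host/" 2>/dev/null) || code="000"
    echo "$code"
}

# The three documented steps, stopping on the first failure.
set_mail_mode() {
    mode="$1"
    if ! valid_mode "$mode"; then
        echo "usage: $0 http|https|mixed|both|redirect" >&2
        return 2
    fi
    zmtlsctl "$mode" || return 1
    zmmailboxdctl stop || return 1
    zmmailboxdctl start || return 1
}

# Only act when a mode is given on the command line, so the functions above
# can also be sourced without touching the server.
if [ $# -gt 0 ]; then
    set_mail_mode "$1" || exit $?
    code=$(probe_http localhost)
    if check_mode_result "$1" "$code"; then
        echo "mode $1 applied; port 80 probe returned $code (as expected)"
    else
        echo "mode $1 applied but port 80 probe returned $code; check mailboxd" >&2
        exit 1
    fi
fi
```

Run it as `./zmtlsmode.sh https` (file name assumed). Mailboxd can take a while to come back after the start step, so a "000" result in a non-HTTPS mode right after the switch may simply mean the service is still starting; re-run the probe before concluding the listener is absent.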
Limitations When Using Redirect
Many client applications send an auth request in the initial HTTP request to the server ("blind auth"). This means the auth request is sent in the clear, unencrypted, before there is any opportunity to redirect the client application to HTTPS.
Redirect mode therefore allows for the possibility of a man-in-the-middle attack, of intentional or unintentional redirection to a non-valid server, or of a user mistyping the server name and having no certificate-based validation of the server.
In many client applications (for example, ActiveSync), users cannot tell whether they have been redirected, and therefore continue to use HTTP even though the auth request is being sent unencrypted.