How To Setup SNI In Zimbra OSE?

Alert! This article is written for Zimbra OSE users. As of December 2023, Synacor will no longer be providing support for Zimbra OSE. You might want to consider trying out Carbonio Community Edition – Zextras’s free and open-source email and collaboration platform.

For additional guidance, check out our community articles detailing the process of migrating from your current platform to Carbonio CE.

In this article, you will learn about the SNI setup in Zimbra. It would be important for you to set up Zimbra SNI as you can serve your users not being worried about the number of limited IPv4 addresses per domain. So let’s take a look at how you can set up SNI for your Zimbra.

To learn more about Zimbra SNI read What is SNI in Zimbra OSE?

Setting Up SNI on Zimbra

To set up Zimbra SNI, the Zimbra proxy service must be installed and enabled on the server. If you are using a multi-server environment, you should perform these steps on the proxy server. You also need a signed certificate with a matching key and the trusted chain certificates from your certificate authority. You can bind multiple SSL certificates to one ipv4 address, for example, => and>, or even have an IPv4 address with different types of SSL Certificates, like, => (A Comodo Wildcard SSL Certificate), => (A free Let’s Encrypt SSL Certificate), => (A RapidSSL Certificate).

1. Domain and IP Preparation

To pair an IPv4 address (for example, to a domain (let’s say via a virtual hostname (say,

  • Add a new IPv4 address, for example,
  • Add the new domain,
  • run this command as a Zimbra user
 zmprov md zimbraVirtualHostName zimbraVirtualIPAddress

To add a new IPv4 address you can alias the new IP (associating more than one IP to a network interface device). The new IP address should be an A record for If the server is on the Internet the IP address could be public and if the server is behind the firewall the IP address could be internal. If the server is behind a firewall and NAT with an external address, check if the external request for reaches the aliased IP address as opposed to the actual local IP of the server.

The zimbraVirtualHostName should be set to the name which will be used to access the domain (URL) and the SSL certificate is signed for the same name.

2. Certificate Preparation

We suppose you have already received your server certificate file for your domain and single or multiple chain cert files from the certification authority (CA), and have your existing private key file available on your server which was used in the Certificate Signing Request (CSR).

To summarize you should have these files

  • Server certificate file (received from CA)
  • Single or multiple chain cert files (received from CA)
  • Private key file (available in your server)

For example, let’s say you have received three two intermediate cert files ( and, which with one server certificate file ( and one private key file ( makes a total of four files.

  • Save all files in a directory like /tmp/, so we have
ls /tmp/
  • Concatenate the chain intermediate files if you received more than one to have a single file, for example, example.com_ca.crt
cat >> example.com_ca.crt

3. Certificates Verification

To verify that if the server certificate and the key match and the chain cert files can complete the trust, run this command

/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/ /tmp/ /tmp/

the output should be similar to this if you have the proper files

 ** Verifying against
 Certificate ( and private key ( match.
 Valid Certificate: OK

4. Certificate Implementation

  • Concatenate the chain cert file and server certificate file to have a single file, for example,
 cat example.com_ca.crt >>
  • Save the certificate and key files in the LDAP by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr savecrt
  • Deploy the certificate on the domain by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

5. Proxy Modification

  • On the proxy server set the zimbraReverseProxySNIEnabled to TRUE on both the server and global configuration by
zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
 zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE
  • Restart the proxy
zmproxyctl restart

6. Testing

On your server to check if the correct domain cert is provided when you access the domain either with zimbraVirtualHostName or zimbraVirtualIPAddress, by running these commands

openssl s_client -servername -connect your-server-name-or-IP-address:port

For example,

openssl s_client -servername -connect
Download Zextras Suite for Zimbra OSE


Michele Ferron

Hi Tamas, you can find information about Address Book synchronization to mobile devices by reading these articles:



Hi, I came from Japan. I apologize for my poor English. I have one domain(I say, and I uses zimbra with no trouble. But I need another domain and purchased(I say example,jp). I want to use these two domain respectively. Should I treat them in the same line? In short, and, Is there no distinction? which is default?which is virtual domain? My zcs-server(single installation)'s IP address= IP address, not virtual IP) and my router has one static global IP address. Port forwarding Global IP to with some port numbers which ZCS requires. and I can resolve and as by DNS A record. My operation was below. 1) zmprov md zimbraVirtualHostName zimbraVirtualIPAddress 2)Certificate Preparation for 3)Certificates Verification for 4)Certificate Implementation for 5)zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE 6)zmproxyctl restart and next, 7) zmprov md zimbraVirtualHostName zimbraVirtualIPAddress 8) certificate Preparation,Verification,Implementation for That's all. Is this correct? I am just wondering that is treated as virtual one though is real domain. (zmprov md zimbraVirtualHostName zimbraVirtualIPAddress Please teach me that operation was good or not. Regards.

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

What is SNI in Zimbra OSE? | Zimbra
Zextras Auth | Zimbra