In this article, you will learn about the SNI setup in Zimbra. It would be important for you to set up Zimbra SNI as you can serve your users not being worried about the number of limited IPv4 addresses per domain. So let’s take a look at how you can set up SNI for your Zimbra.

To learn more about Zimbra SNI read What is SNI in Zimbra OSE?

Setting Up SNI on Zimbra

To set up Zimbra SNI, the Zimbra proxy service must be installed and enabled on the server. If you are using a multi-server environment, you should perform these steps on the proxy server. You also need a signed certificate with a matching key and the trusted chain certificates from your certificate authority. You can bind multiple SSL certificates to one ipv4 address, for example, 1.1.1.1 => firstDomain.com and 1.1.1.1=> secondDomain.com, or even have an IPv4 address with different types of SSL Certificates, like, 2.2.2.2 => thirdDomain.com (A Comodo Wildcard SSL Certificate), 2.2.2.2 => fourthDomain.com (A free Let’s Encrypt SSL Certificate), 2.2.2.2 => fifthDomain.net (A RapidSSL Certificate).

1. Domain and IP Preparation

To pair an IPv4 address (for example, 1.1.1.1) to a domain (let’s say example.com) via a virtual hostname (say mail.example.com),

• Add a new IPv4 address, for example, 1.1.1.1
• Add the new domain, example.com
• run this command as a Zimbra user

 zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.1.1.1

To add a new IPv4 address you can alias the new IP (associating more than one IP to a network interface device). The new IP address should be an A record for mail.example.com. If the server is on the Internet the IP address could be public and if the server is behind the firewall the IP address could be internal. If the server is behind a firewall and NAT with an external address, check if the external request for mail.example.com reaches the aliased IP address as opposed to the actual local IP of the server.

The zimbraVirtualHostName should be set to the name which will be used to access the domain (URL) and the SSL certificate is signed for the same name.

2. Certificate Preparation

We suppose you have already received your server certificate file for your domain and single or multiple chain cert files from the certification authority (CA), and have your existing private key file available on your server which was used in the Certificate Signing Request (CSR).

To summarize you should have these files

• Server certificate file (received from CA)
• Single or multiple chain cert files (received from CA)
• Private key file (available in your server)

For example, let’s say you have received three two intermediate cert files (example.com.intermediate1.crt and example.com.intermediate2.crt), which with one server certificate file (example.com.crt) and one private key file (example.com.key) makes a total of four files.

• Save all files in a directory like /tmp/example.com, so we have

ls /tmp/example.com
 example.com.key
 example.com.crt
 example.com.intermediate1.crt
 example.com.intermediate2.crt

• Concatenate the chain intermediate files if you received more than one to have a single file, for example, example.com_ca.crt

cat example.com.intermediate1.crt example.com.intermediate2.crt >> example.com_ca.crt

3. Certificates Verification

To verify that if the server certificate and the key match and the chain cert files can complete the trust, run this command

/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt

the output should be similar to this if you have the proper files

 ** Verifying example.com.crt against example.com.key
 Certificate (example.com.crt) and private key (example.com.key) match.
 Valid Certificate: example.com.crt: OK

4. Certificate Implementation

• Concatenate the chain cert file and server certificate file to have a single file, for example, example.com.bundle

 cat example.com.crt example.com_ca.crt >> example.com.bundle

• Save the certificate and key files in the LDAP by running this command as a Zimbra user

/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key

• Deploy the certificate on the domain by running this command as a Zimbra user

/opt/zimbra/libexec/zmdomaincertmgr deploycrts

5. Proxy Modification

• On the proxy server set the zimbraReverseProxySNIEnabled to TRUE on both the server and global configuration by

zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
 zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE

• Restart the proxy

zmproxyctl restart

6. Testing

On your server to check if the correct domain cert is provided when you access the domain either with zimbraVirtualHostName or zimbraVirtualIPAddress, by running these commands

openssl s_client -servername your.fqdn.to.be.tested -connect your-server-name-or-IP-address:port

For example,

openssl s_client -servername mail.example.com -connect example.com:443