In this article, you will learn how to set up SNI in Zimbra. Setting up SNI in Zimbra is worthwhile because it lets you serve many domains, each with its own certificate, without needing a separate IPv4 address for each of them. So let's take a look at how you can set up SNI for your Zimbra.
To learn more about Zimbra SNI read What is SNI in Zimbra OSE?
SNI setup on Zimbra
To set up Zimbra SNI, the Zimbra proxy service must be installed and enabled on the server. If you are using a multi-server environment, perform these steps on the proxy server. You also need a signed certificate with its matching key and the trusted chain certificates from your certificate authority. You can bind multiple SSL certificates to one IPv4 address, for example,
- 220.127.116.11 => firstDomain.com and
- 18.104.22.168 => secondDomain.com,
or even have an IPv4 address with different types of SSL certificates, like
- 22.214.171.124 => thirdDomain.com (a Comodo wildcard SSL certificate),
- 126.96.36.199 => fourthDomain.com (a free Let's Encrypt SSL certificate),
- 188.8.131.52 => fifthDomain.net (a RapidSSL certificate).
1. Domain and IP Preparation
To pair an IPv4 address (for example, 184.108.40.206) with a domain (let's say example.com) via a virtual hostname (say mail.example.com):
- Add a new IPv4 address, for example, 220.127.116.11
- Add the new domain, example.com
- Run this command as the zimbra user:
zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 18.104.22.168
To add a new IPv4 address you can alias the new IP (associating more than one IP address with a network interface). The new IP address should be the A record for mail.example.com. If the server is on the Internet the IP address will be public; if the server is behind a firewall it can be internal. If the server is behind a firewall and NAT with an external address, check that an external request for mail.example.com reaches the aliased IP address rather than the server's actual local IP.
zimbraVirtualHostName should be set to the name that will be used to access the domain (the URL), and the SSL certificate must be issued for that same name.
2. Certificate Preparation
We assume you have already received the server certificate file for your domain and one or more chain cert files from the certificate authority (CA), and that the private key file used for the Certificate Signing Request (CSR) is available on your server.
To summarize, you should have these files:
- Server certificate file (received from the CA)
- Single or multiple chain cert files (received from the CA)
- Private key file (available on your server)
For example, let's say you have received two intermediate cert files (example.com.intermediate1.crt and example.com.intermediate2.crt), which with one server certificate file (example.com.crt) and one private key file (example.com.key) makes a total of four files.
- Save all files in a directory like /tmp/example.com, so we have
ls /tmp/example.com
example.com.key example.com.crt example.com.intermediate1.crt example.com.intermediate2.crt
- If you received more than one intermediate file, concatenate them into a single chain file, in the order in which they chain up from your server certificate, for example,
cat example.com.intermediate1.crt example.com.intermediate2.crt > example.com_ca.crt
3. Certificates Verification
To verify that the server certificate and the key match, and that the chain cert files complete the trust path, run this command:
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt
The output should be similar to this if you have the proper files:
** Verifying example.com.crt against example.com.key
Certificate (example.com.crt) and private key (example.com.key) match.
Valid Certificate: example.com.crt: OK
4. Certificate Implementation
- Concatenate the server certificate file and the chain cert file (server certificate first) into a single bundle file, for example,
cat example.com.crt example.com_ca.crt > example.com.bundle
- Save the certificate and key files in LDAP by running this command as the zimbra user:
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
- Deploy the certificate on the domain by running this command as the zimbra user
5. Proxy Modification
- On the proxy server, enable SNI by setting zimbraReverseProxySNIEnabled to TRUE in both the server and the global configuration. The per-virtual-hostname proxy configuration is enabled the same way:
zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE
- Restart the proxy
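Steps 1 to 5 above as one script, added here as an example; it is not from the article or from Zimbra. It assumes the article's file layout under a directory (<domain>.key, <domain>.crt, <domain>.intermediateN.crt), that it runs as the zimbra user on the proxy host, and that zmprov, zmcertmgr, zmdomaincertmgr, zmhostname and zmproxyctl are in their usual /opt/zimbra locations. The deploy command after savecrt, which the text of step 4 leaves out, is `zmdomaincertmgr deploycrts`; the step 5 loop sets both zimbraReverseProxySNIEnabled (named in the text) and zimbraReverseProxyGenConfigPerVirtualHostname (used in the commands). DRY_RUN=1, the proxy.example.com hostname used in dry-run mode and the 192.0.2.10 address in the usage line are assumptions so the script can be exercised off a Zimbra host.

```shell
#!/bin/sh
# Added example (not from the article or from Zimbra): steps 1 to 5 as one script.
# Assumes the article's file layout (<dir>/<domain>.key, <domain>.crt,
# <domain>.intermediateN.crt), the zimbra user on the proxy host, and the Zimbra tools
# in their usual /opt/zimbra locations. DRY_RUN=1 only prints the Zimbra commands.
set -eu

ZIMBRA_BIN=${ZIMBRA_BIN:-/opt/zimbra/bin}
ZIMBRA_LIBEXEC=${ZIMBRA_LIBEXEC:-/opt/zimbra/libexec}
DRY_RUN=${DRY_RUN:-0}

# Run a Zimbra command, or just print it when DRY_RUN=1.
zrun() {
    if [ "$DRY_RUN" = 1 ]; then printf 'dry-run: %s\n' "$*"; else "$@"; fi
}

# Step 2: build <dir>/<domain>_ca.crt from the intermediate files in numeric order
# (intermediate1 signed the server certificate, intermediate2 signed intermediate1, ...).
# The file is truncated first, so re-running never appends a second copy of the chain.
build_chain() {  # build_chain <dir> <domain>, prints the chain file path
    dir=$1; domain=$2; out="$dir/${domain}_ca.crt"
    : > "$out"
    i=1
    while [ -f "$dir/$domain.intermediate$i.crt" ]; do
        cat "$dir/$domain.intermediate$i.crt" >> "$out"
        i=$((i + 1))
    done
    if [ "$i" -eq 1 ]; then
        echo "no $domain.intermediate1.crt in $dir" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Step 4a: the bundle is the server certificate first, then the chain (usual PEM order).
build_bundle() {  # build_bundle <dir> <domain>, prints the bundle file path
    dir=$1; domain=$2; out="$dir/$domain.bundle"
    cat "$dir/$domain.crt" "$dir/${domain}_ca.crt" > "$out"
    printf '%s\n' "$out"
}

deploy_sni_domain() {  # deploy_sni_domain <dir> <domain> <virtual hostname> <virtual IPv4>
    dir=$1; domain=$2; vhost=$3; vip=$4
    chain=$(build_chain "$dir" "$domain")
    bundle=$(build_bundle "$dir" "$domain")
    # Step 1: pair the virtual hostname and its IPv4 address with the domain.
    zrun "$ZIMBRA_BIN/zmprov" md "$domain" zimbraVirtualHostName "$vhost" zimbraVirtualIPAddress "$vip"
    # Step 3: nothing goes into LDAP unless key, certificate and chain agree.
    zrun "$ZIMBRA_BIN/zmcertmgr" verifycrt comm "$dir/$domain.key" "$dir/$domain.crt" "$chain"
    # Step 4: store the bundle and key for the domain, then deploy them
    # (deploycrts is the deploy command the article's step 4 leaves out).
    zrun "$ZIMBRA_LIBEXEC/zmdomaincertmgr" savecrt "$domain" "$bundle" "$dir/$domain.key"
    zrun "$ZIMBRA_LIBEXEC/zmdomaincertmgr" deploycrts
    # Step 5: enable SNI and per-virtual-hostname config on this proxy and globally, then restart.
    # proxy.example.com is an assumed placeholder used only in dry-run mode.
    if [ "$DRY_RUN" = 1 ]; then host=proxy.example.com; else host=$("$ZIMBRA_BIN/zmhostname"); fi
    for attr in zimbraReverseProxySNIEnabled zimbraReverseProxyGenConfigPerVirtualHostname; do
        zrun "$ZIMBRA_BIN/zmprov" ms "$host" "$attr" TRUE
        zrun "$ZIMBRA_BIN/zmprov" mcf "$attr" TRUE
    done
    zrun "$ZIMBRA_BIN/zmproxyctl" restart
}

# Usage (192.0.2.10 is a constructed address):
#   su - zimbra -c 'sh deploy_sni.sh /tmp/example.com example.com mail.example.com 192.0.2.10'
if [ $# -eq 4 ]; then deploy_sni_domain "$@"; fi
```

Run it once with DRY_RUN=1 first to see every Zimbra command it would execute; because the chain and bundle files are truncated before being written, running it a second time after fixing a mistake does not leave duplicated certificates in the bundle, which the `>>` form of the commands above would.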
To check that the correct domain certificate is served when you access the domain, either by its zimbraVirtualHostName or by its zimbraVirtualIPAddress, run these commands on your server and look at the subject and issuer of the certificate in the output:
openssl s_client -servername your.fqdn.to.be.tested -connect your-server-name-or-IP-address:port
openssl s_client -servername mail.example.com -connect example.com:443
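An added check, not from the article, that turns the openssl s_client commands above into a pass/fail test: it reads the certificate the proxy presents for a given SNI name and confirms that the name is covered by a DNS subjectAltName entry or the subject CN, applying the one-label wildcard rule, so a proxy that falls back to its default certificate for an unknown virtual hostname shows up as a mismatch instead of being overlooked in a long s_client dump. It assumes OpenSSL 1.1.1 or later for `openssl x509 -ext`; the hostnames and certificate names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article): does the certificate served for an SNI name
# actually cover that name? Assumes OpenSSL 1.1.1+ (for `openssl x509 -ext`).
set -eu

# Print the subject and subjectAltName of the certificate the server presents when the
# TLS ClientHello carries <servername> in its SNI extension.
served_cert_names() {  # served_cert_names <servername> <host-or-ip> <port>
    openssl s_client -servername "$1" -connect "$2:$3" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName
}

# Does <hostname> match one certificate name? Only a leading "*." is treated as a
# wildcard and it covers exactly one label, so *.example.com matches mail.example.com
# but neither example.com nor a.mail.example.com. Comparison is case-insensitive.
name_matches() {  # name_matches <hostname> <cert-name>
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $n in
        \*.*)
            suffix=${n#\*.}
            if [ "${h#*.}" = "$suffix" ] && [ "${h%%.*}" != "$h" ]; then return 0; fi
            return 1 ;;
        *)
            if [ "$h" = "$n" ]; then return 0; fi
            return 1 ;;
    esac
}

# Does any DNS SAN entry, or the subject CN, in <names-text> cover <hostname>?
# <names-text> is in the output format of served_cert_names, e.g. (constructed):
#   subject=CN = mail.example.com
#   X509v3 Subject Alternative Name:
#       DNS:example.com, DNS:*.example.com
san_covers() {  # san_covers <hostname> <names-text>
    hostname=$1
    printf '%s\n' "$2" | tr ',' '\n' |
        sed -n -e 's/^[[:space:]]*DNS:[[:space:]]*//p' -e 's/.*CN[[:space:]]*=[[:space:]]*//p' |
        {
            while read -r n; do
                if name_matches "$hostname" "$n"; then exit 0; fi
            done
            exit 1
        }
}

# Exit 0 when the certificate served for <servername> covers it; otherwise print the
# names that were actually served (typically the proxy's default certificate) and fail.
check_sni() {  # check_sni <servername> <host-or-ip> <port>
    names=$(served_cert_names "$1" "$2" "$3")
    if san_covers "$1" "$names"; then
        echo "OK: $2:$3 serves a certificate covering $1"
    else
        echo "MISMATCH: $2:$3 served a certificate for these names instead of $1:" >&2
        echo "$names" >&2
        return 1
    fi
}

# Usage: sh check_sni.sh mail.example.com example.com 443
if [ $# -eq 3 ]; then check_sni "$@"; fi
```

Run it once per virtual hostname against the proxy's public address and once against the zimbraVirtualIPAddress; a non-zero exit from any of them means that name is still being answered with a different domain's certificate and the step 5 settings or the proxy restart should be revisited.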