How to setup SNI in Zimbra OSE?

In this article, you will learn about the SNI setup in Zimbra. It would be important for you to set up Zimbra SNI as you can serve your users not being worried about the number of limited IPv4 addresses per domain. So let’s take a look at how you can setup SNI for your Zimbra.

To learn more about Zimbra SNI read What is SNI in Zimbra OSE?

SNI setup on Zimbra

To set up Zimbra SNI, the Zimbra proxy service must be installed and enabled on the server. If you are using a multi-server environment, you should perform these steps on the proxy server. You also need a signed certificate with a matching key and the trusted chain certificates from your certificate authority. You can bind multiple SSL certificates to one ipv4 address, for example, 1.1.1.1 => firstDomain.com and 1.1.1.1=> secondDomain.com, or even have an IPv4 address with different types of SSL Certificates, like, 2.2.2.2 => thirdDomain.com (A Comodo Wildcard SSL Certificate), 2.2.2.2 => fourthDomain.com (A free Let’s Encrypt SSL Certificate), 2.2.2.2 => fifthDomain.net (A RapidSSL Certificate).

1. Domain and IP Preparation

To pair an IPv4 address (for example, 1.1.1.1) to a domain (let’s say example.com) via a virtual hostname (say mail.example.com),

  • Add a new IPv4 address, for example, 1.1.1.1
  • Add the new domain, example.com
  • run this command as a Zimbra user
 zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.1.1.1

To add a new IPv4 address you can alias the new IP (associating more than one IP to a network interface device). The new IP address should be an A record for mail.example.com. If the server is on the Internet the IP address could be public and if the server is behind the firewall the IP address could be internal. If the server is behind a firewall and NAT with an external address, check if the external request for mail.example.com reaches the aliased IP address as opposed to the actual local IP of the server.

The zimbraVirtualHostName should be set to the name which will be used to access the domain (URL) and the SSL certificate is signed for the same name.

2. Certificate Preparation

We suppose you have already received your server certificate file for your domain and single or multiple chain cert files from the certification authority (CA), and have your existing private key file available on your server which was used in the Certificate Signing Request (CSR).

To summarize you should have these files

  • Server certificate file (received from CA)
  • Single or multiple chain cert files (received from CA)
  • Private key file (available in your server)

For example, let’s say you have received three two intermediate cert files (example.com.intermediate1.crt and example.com.intermediate2.crt), which with one server certificate file (example.com.crt) and one private key file (example.com.key) makes a total of four files.

  • Save all files in a directory like /tmp/example.com, so we have
ls /tmp/example.com
 example.com.key
 example.com.crt
 example.com.intermediate1.crt
 example.com.intermediate2.crt
  • Concatenate the chain intermediate files if you received more than one to have a single file, for example, example.com_ca.crt
cat example.com.intermediate1.crt example.com.intermediate2.crt >> example.com_ca.crt

3. Certificates Verification

To verify that if the server certificate and the key match and the chain cert files can complete the trust, run this command

/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt

the output should be similar to this if you have the proper files

 ** Verifying example.com.crt against example.com.key
 Certificate (example.com.crt) and private key (example.com.key) match.
 Valid Certificate: example.com.crt: OK

4. Certificate Implementation

  • Concatenate the chain cert file and server certificate file to have a single file, for example, example.com.bundle
 cat example.com.crt example.com_ca.crt >> example.com.bundle
  • Save the certificate and key files in the LDAP by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
  • Deploy the certificate on the domain by running this command as a Zimbra user
/opt/zimbra/libexec/zmdomaincertmgr deploycrts

5. Proxy Modification

  • On the proxy server set the zimbraReverseProxySNIEnabled to TRUE on both the server and global configuration by
zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
 zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE
  • Restart the proxy
zmproxyctl restart

6. Testing

On your server to check if the correct domain cert is provided when you access the domain either with zimbraVirtualHostName or zimbraVirtualIPAddress, by running these commands

openssl s_client -servername your.fqdn.to.be.tested -connect your-server-name-or-IP-address:port

For example,

openssl s_client -servername mail.example.com -connect example.com:443

Product marketing and technical writer at Zextras, an open-source and technology enthusiast who creates instructional and technical articles about Zextras and Zimbra.

Comments

Michele Ferron
27/04/2021 0

Hi Tamas, you can find information about Address Book synchronization to mobile devices by reading these articles:

 

funig
24/06/2021 0

Hi, I came from Japan. I apologize for my poor English. I have one domain(I say example.com), and I uses zimbra with no trouble. But I need another domain and purchased(I say example,jp). I want to use these two domain respectively. Should I treat them in the same line? In short, example.com and example.jp, Is there no distinction? which is default?which is virtual domain? My zcs-server(single installation)'s IP address=192.168.1.40(actual IP address, not virtual IP) and my router has one static global IP address. Port forwarding Global IP to 192.168.1.40 with some port numbers which ZCS requires. and I can resolve mail.example.com and mail.example.jp as 192.168.1.40 by DNS A record. My operation was below. 1) zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 192.168.1.40 2)Certificate Preparation for example.com 3)Certificates Verification for example.com 4)Certificate Implementation for example.com 5)zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE 6)zmproxyctl restart and next, 7) zmprov md example.jp zimbraVirtualHostName mail.example.jp zimbraVirtualIPAddress 192.168.1.40 8) certificate Preparation,Verification,Implementation for example.jp That's all. Is this correct? I am just wondering that example.com is treated as virtual one though example.com is real domain. (zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.1.1.1) Please teach me that operation was good or not. Regards.

Post your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

What is SNI in Zimbra OSE?
Zextras Auth