CLI zmtlsctl to set Web Server Mode: Difference between revisions

(→‎Syntax: adding no wiki tags to example URLs)
No edit summary
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{BC|Certified}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=CLI zmtlsctl to set the Web Server Mode=
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{WIP}}
=zmtlsctl=
=zmtlsctl=
This command is used to set the Web server zimbraMailMode to the different communication protocol options.
This command is used to set the Web server zimbraMailMode to the different communication protocol options.
All modes use SSL encryption for back-end administrative traffic & the admin console.
All modes use SSL encryption for back-end administrative traffic & the admin console.
The webserver has to be stopped and restarted for the change to take effect. Though a full zmcontrol stop/start certainly can't hurt.
The webserver has to be stopped and restarted for the change to take effect. Though a full zmcontrol stop/start certainly can't hurt.


'''Note: If you are using Zimbra Proxy (nginx) please refer to the next article - [https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy]'''
==Syntax==
==Syntax==


Line 12: Line 16:




Mode choices:
==Mode Choices==


*'''http''' - http only, the user would browse to <nowiki>http://zimbra.domain.com</nowiki>
*'''http''' - http only, the user would browse to <nowiki>http://zimbra.domain.com</nowiki>
Line 22: Line 26:
*'''mixed''' - If the user goes to http:// it will switch to https:// ''for the login only'', then will revert to http:// for normal session traffic. If they browse to https:// then they will stay https://
*'''mixed''' - If the user goes to http:// it will switch to https:// ''for the login only'', then will revert to http:// for normal session traffic. If they browse to https:// then they will stay https://


*'''redirect''' - Added to ZCS 5.0; Like mixed if the user goes to http:// it will switch to https:// but they will ''stay'' https:// for their entire session.
*'''redirect''' - Like mixed if the user goes to http:// it will switch to https:// but they will ''stay'' https:// for their entire session.


(See also [[Redirect_http_to_https]] for 4.5)
'''''Note:''' Redirect mode is not available for ZCS 4.5 and earlier.  (See [[Redirect_http_to_https]] for information about redirect for ZCS 4.5.)''


=Steps to run=
=Steps to run=
Line 32: Line 36:
#When everything is stopped, type '''zmcontrol start''' and press Enter.
#When everything is stopped, type '''zmcontrol start''' and press Enter.


'''''Note:''' You can also use Jetty to stop/start/restart, using zmmailboxdctl.  In ZCS 4.5, use Tomcat instead.


'''''Note:''' In ZCS 4.5 you can also use tomcat stop/start/restart, but in ZCS 5.0 and later this becomes jetty (zmmailboxdctl stop/start/restart).''
Afterwards (especially on older versions of ZCS), check [[SMTP_Auth_Problems]] to be sure the auth url is set correctly.
 
Afterwards (especially on older versions): Check [[SMTP_Auth_Problems]] to be sure the auth url is set correctly.


These modes will automatically use a self-signed certificate. If you want different subjectAltNames, to renew/changelength, or apply a commercial cert: [[Administration_Console_and_CLI_Certificate_Tools]]
These modes will automatically use a self-signed certificate. If you want different subjectAltNames, to renew/changelength, or apply a commercial cert, see [[Administration_Console_and_CLI_Certificate_Tools]]


=Version-specific Quirks=
=Version-specific Quirks=
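Review bot: The reworded Jetty note in this hunk opens with ''''' but has no closing '' after "instead.", unlike the note it replaces, which ended with ''; add the closing quotes so the markup is balanced. The rewording also drops the version boundary from the old text ("in ZCS 5.0 and later this becomes jetty"), so a reader no longer sees from which release zmmailboxdctl applies; consider keeping "ZCS 5.0 and later" next to "In ZCS 4.5, use Tomcat instead."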
Line 51: Line 54:
* zimbraMailMode redirect only applies to Zimbra Web Client versions Advanced (AJAX), Standard HTML, and Mobile/XHTML. We will make a best effort for any of our connectors such as ZCO to as well within the limitations of the applications.
* zimbraMailMode redirect only applies to Zimbra Web Client versions Advanced (AJAX), Standard HTML, and Mobile/XHTML. We will make a best effort for any of our connectors such as ZCO to as well within the limitations of the applications.


* Many client applications will send an auth request in the initial HTTP request to the server ("blind auth"). The implications of this are that this auth request will be sent in the clear/unencrypted prior to any possible
* Many client applications will send an auth request in the initial HTTP request to the server ("blind auth"). The implications of this are that this auth request will be sent in the clear/unencrypted prior to any possible opportunity to redirect the client app to HTTPS.  
opportunity to redirect the client app to HTTPS.  


* Redirect mode allows for the possibility of a man-in-the-middle attack, intentional/unintentional redirection to a non-valid server, or the possibility that a user will mistype the server name and not have certificate-based validity of the server.
* Redirect mode allows for the possibility of a man-in-the-middle attack, intentional/unintentional redirection to a non-valid server, or the possibility that a user will mistype the server name and not have certificate-based validity of the server.
Line 58: Line 60:
* In many client apps, it is impossible for the user to tell if they have been redirected (for example, ActiveSync), and therefore will continue to use HTTP even if the auth request is being sent unencrypted. (iPhone does have a bug open with apple about this).
* In many client apps, it is impossible for the user to tell if they have been redirected (for example, ActiveSync), and therefore will continue to use HTTP even if the auth request is being sent unencrypted. (iPhone does have a bug open with apple about this).


In short, only zimbraMailMode https can ensure that no listener will be available on HTTP/port 80, that no client apps will try to auth over HTTP, and that all data exchanged with client application will be encrypted.
:In short, only zimbraMailMode https can ensure that no listener will be available on HTTP/port 80, that no client apps will try to auth over HTTP, and that all data exchanged with client application will be encrypted.


{{Article Footer|unknown|5/3/2006}}
{{Article Footer|unknown|5/3/2006}}


[[Category:Command Line Interface]]
[[Category:Command Line Interface]]
[[Category:ZCS 8.6]]
[[Category:ZCS 8.5]]
[[Category:ZCS 8.0]]
[[Category:ZCS 7.0]]

Latest revision as of 10:48, 10 March 2016

CLI zmtlsctl to set the Web Server Mode

   KB 1494        Last updated on 2016-03-10  





zmtlsctl

This command sets the Web server zimbraMailMode to one of the communication protocol options below. All modes use SSL encryption for back-end administrative traffic and the admin console. The webserver has to be stopped and restarted for the change to take effect, though a full zmcontrol stop/start certainly can't hurt.

Note: If you are using Zimbra Proxy (nginx) please refer to the next article - https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy

Syntax

zmtlsctl [mode]


Mode Choices

  • http - http only, the user would browse to http://zimbra.domain.com
  • https - https only, the user would browse to https://zimbra.domain.com; http:// is denied.
  • both - A user can go to http:// or https:// and will keep that mode for their entire session.
  • mixed - If the user goes to http:// it will switch to https:// for the login only, then will revert to http:// for normal session traffic. If they browse to https:// then they will stay on https://.
  • redirect - Like mixed, if the user goes to http:// it will switch to https://, but they will stay on https:// for their entire session.

Note: Redirect mode is not available for ZCS 4.5 and earlier. (See Redirect_http_to_https for information about redirect for ZCS 4.5.)

Steps to run

  1. Type zmtlsctl [mode] and press Enter.
  2. Type zmcontrol stop and press Enter.
  3. When everything is stopped, type zmcontrol start and press Enter.

Note: You can also use Jetty to stop/start/restart, using zmmailboxdctl. In ZCS 4.5, use Tomcat instead.

Afterwards (especially on older versions of ZCS), check SMTP_Auth_Problems to be sure the auth url is set correctly.

These modes will automatically use a self-signed certificate. If you want different subjectAltNames, want to renew or change the length, or want to apply a commercial cert, see Administration_Console_and_CLI_Certificate_Tools.

Version-specific Quirks

  • On older versions there were some issues with 'both' mode; it was fine from 4.5.2 to 4.5.5(?), but a new issue appeared (bug 19636).
  • As a quick fix, when 'both' was selected, it defaulted to 'mixed' on 4.5.x(?) to 5.0.4 (bug 5594).
  • As of 5.0.5+, bug 5594 is resolved, so 'both' mode works properly.

Redirect Limitations

  • zimbraMailMode redirect only applies to the Zimbra Web Client versions Advanced (AJAX), Standard HTML, and Mobile/XHTML. We will make a best effort for any of our connectors, such as ZCO, to do so as well within the limitations of the applications.
  • Many client applications will send an auth request in the initial HTTP request to the server ("blind auth"). The implication is that this auth request will be sent in the clear/unencrypted prior to any possible opportunity to redirect the client app to HTTPS.
  • Redirect mode allows for the possibility of a man-in-the-middle attack, intentional/unintentional redirection to a non-valid server, or the possibility that a user will mistype the server name and not have certificate-based validity of the server.
  • In many client apps, it is impossible for the user to tell if they have been redirected (for example, ActiveSync), and they will therefore continue to use HTTP even if the auth request is being sent unencrypted. (iPhone does have a bug open with Apple about this.)

In short, only zimbraMailMode https can ensure that no listener will be available on HTTP/port 80, that no client apps will try to auth over HTTP, and that all data exchanged with client applications will be encrypted.
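
The "blind auth" limitation above, as an added example (not part of the original article and not Zimbra code): a localhost stand-in for a port-80 listener in redirect mode shows that a client which sends credentials in its first HTTP request has already exposed them by the time the 302 arrives. The handler, function name, user name and password are constructed for illustration.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

seen_credentials = []  # what the plain-HTTP listener received before redirecting

class RedirectToHttps(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a port-80 listener in redirect mode."""

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth and auth.startswith("Basic "):
            # The header has already crossed the network unencrypted here.
            seen_credentials.append(base64.b64decode(auth[6:]).decode())
        self.send_response(302)
        self.send_header("Location", "https://zimbra.domain.com" + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass

class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # stop at the 302 so the demo never leaves localhost

def blind_auth_demo(user="alice", password="constructed-secret"):
    """Send one pre-authenticated HTTP request; return (status, location, exposed)."""
    seen_credentials.clear()
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectToHttps)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"http://127.0.0.1:{server.server_port}/",
        headers={"Authorization": "Basic " + token},  # the "blind auth" client
    )
    opener = urllib.request.build_opener(NoFollow, urllib.request.ProxyHandler({}))
    try:
        opener.open(req, timeout=5)
        status, location = 200, None
    except urllib.error.HTTPError as err:  # an unfollowed 302 surfaces as HTTPError
        status, location = err.code, err.headers.get("Location")
    finally:
        server.shutdown()
        server.server_close()
    return status, location, list(seen_credentials)

if __name__ == "__main__":
    print(blind_auth_demo())
```

The redirect is issued correctly, yet the listener has the full credential pair, which is why only a mode with no HTTP listener removes the exposure.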
Verified Against: unknown Date Created: 5/3/2006
Article ID: https://wiki.zimbra.com/index.php?title=CLI_zmtlsctl_to_set_Web_Server_Mode Date Modified: 2016-03-10


