Multiple SSL Virtual Hosts 6.0


Article Information

This article applies to the following ZCS versions: ZCS 6.0


Preface

Introduction

It may be necessary to provide SSL connections to the mail server for more than one virtual host. This is problematic, as TLS/SNI is not yet widely deployed, so a single listener can only present one certificate. This article documents one way to implement multiple server names with SSL for the POP, IMAP, SMTP and Webmail services by giving each name its own IP address and certificate. It assumes you're familiar with SSL certificates and basic zimbra installation.

Starting Point

The starting point for this configuration is a standard zimbra installation with proxy enabled. While this is intended for a scalable, multi-server installation, it can be used in a single-server instance as well. Doing so simplifies configuration in that you only need to configure nginx and postfix to cover all the services. Make sure your basic system is operational before continuing! I have been unable to find documentation on the local configuration management setup in 6.0, and had to resort to a hack of using file permissions to keep zimbra from overwriting some of the changes on startup. That does not affect normal operation, but may prevent some of the initial setup from working properly.

nginx (pop, imap, https)

The first step is to go into /opt/zimbra/conf/nginx/includes and edit 5 files:

  • nginx.conf.mail.imap
  • nginx.conf.mail.imaps
  • nginx.conf.mail.pop3
  • nginx.conf.mail.pop3s
  • nginx.conf.mail.https

In my case, I copied them to base.domain (e.g. nginx.conf.mail.imap.zimbra.com), but you could put all your domain configurations in something like base.allssl, or just edit them in place if you're daring.

In each file, the process is pretty much the same:

  • change the listen directive to bind to the specific address associated with the domain name
  • add the ssl_certificate and ssl_certificate_key directives to point to the particular SSL certificate and private key for the domain name

That's it. Whether you put them in separate files or all in one is up to you; for simplicity here, I've run them together:

Before:

server
{
    listen                  143;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}

After:

server
{
    listen                  1.1.1.1:143;
    ssl_certificate         /opt/zimbra/conf/domain1.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain1.key;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}

server
{
    listen                  1.1.1.2:143;
    ssl_certificate         /opt/zimbra/conf/domain2.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain2.key;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}

The original imaps/pop3s files don't have the certificates in them because they inherit the default (/opt/zimbra/conf/nginx.{crt,key}) from nginx.conf.mail. The per-server directives override that default. The https file is the same, but its server paragraph has a lot more in it; the exact same directive changes are needed there, though.

If you put them in separate files, you'll need to edit the includes appropriately in nginx.conf.mail and nginx.conf.web:

    ...
    ssl_ciphers             !SSLv2:!MD5:HIGH;

    include conf/nginx/includes/nginx.conf.mail.imap.domain1;
    include conf/nginx/includes/nginx.conf.mail.imaps.domain1;

    include conf/nginx/includes/nginx.conf.mail.pop3.domain2;
    include conf/nginx/includes/nginx.conf.mail.pop3s.domain2;
}
...
    zmroute_timeout 15000ms;

    include conf/nginx/includes/nginx.conf.web.http;
    include conf/nginx/includes/nginx.conf.web.https.domain1;
    include conf/nginx/includes/nginx.conf.web.https.domain2;
}

Finally, chown root any of the files you edited to keep zimbra from overwriting them at startup time. Surprisingly, and fortunately, it does not error in this case, allowing this process to work.

postfix (smtp)

The postfix case is a little better because you don't have to do the permissions hack: postfix still uses a .in master file that you can edit and have the changes stick. Just edit /opt/zimbra/postfix/conf/master.cf.in (after backing it up, of course!). Instead of letting postfix bind to the port globally, you configure it to bind to a specific address and override the global certificate with a specific one:

Before:

smtp      inet  n       -       n       -       -       smtpd
submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%

After:

# domain1 instance 
1.1.1.1:smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
1.1.1.1:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key

# domain2 instance 
1.1.1.2:smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
1.1.1.2:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key

(If you want to enable 465 (smtps), it's a clone of submission with -o smtpd_tls_wrappermode=yes)
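Once nginx and postfix are restarted, the thing worth checking is that each address really presents its own certificate rather than the default nginx.{crt,key}. The following is an added example, not part of this article or of Zimbra: it does a STARTTLS handshake against the nginx IMAP listener (143) and the postfix submission instance (587) on each address and compares the certificate's CN and DNS SANs with the domain expected there. It assumes the certificates chain to a CA in the system store (or one passed as cafile) and uses constructed domain names.

```python
# Added example: confirm each bind address serves the right certificate.
import imaplib
import smtplib
import ssl

# Constructed sample: expected domain per bind address, as in the article.
VHOSTS = {"1.1.1.1": "domain1.example", "1.1.1.2": "domain2.example"}


def cert_names(cert):
    """Collect CN and DNS SANs from an ssl getpeercert() dict, lowercased."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n.lower() for n in names]


def cert_matches(cert, domain):
    """True if the certificate covers the domain (exact or one-label wildcard).
    Done by hand because we connect to an IP, so the library's hostname check
    against the connected host would always fail."""
    domain = domain.lower()
    parent = domain.split(".", 1)[1] if "." in domain else ""
    return any(n == domain or (n.startswith("*.") and n[2:] == parent)
               for n in cert_names(cert))


def _context(cafile=None):
    ctx = ssl.create_default_context(cafile=cafile)  # chain is still verified
    ctx.check_hostname = False                       # name checked in cert_matches
    return ctx


def served_cert_imap(ip, port=143, cafile=None):
    """STARTTLS on the nginx IMAP listener and return the peer certificate."""
    conn = imaplib.IMAP4(ip, port)
    conn.starttls(_context(cafile))
    cert = conn.sock.getpeercert()
    conn.logout()
    return cert


def served_cert_smtp(ip, port=587, cafile=None):
    """STARTTLS on the postfix submission instance and return the peer cert."""
    conn = smtplib.SMTP(ip, port)
    conn.starttls(context=_context(cafile))
    cert = conn.sock.getpeercert()
    conn.quit()
    return cert


def verify_all(vhosts=VHOSTS, cafile=None):
    """Map 'ip proto' -> bool; False means that listener serves the wrong cert."""
    results = {}
    for ip, domain in vhosts.items():
        results[ip + " imap"] = cert_matches(served_cert_imap(ip, cafile=cafile), domain)
        results[ip + " smtp"] = cert_matches(served_cert_smtp(ip, cafile=cafile), domain)
    return results
```

A False entry from verify_all usually means the edited include or master.cf.in stanza was overwritten at startup, which is exactly what the chown and .in edits above are meant to prevent.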

Keywords: ssl , virtual hosts, proxy
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.

Verified Against: ZCS 6.0.5 Date Created: 1/20/2011
Article ID: http://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts_6.0 Date Modified: 01/20/2011