CLI zmtlsctl to set Web Server Mode
CLI zmtlsctl to set the Web Server Mode
zmtlsctl
This command is used to set the Web server zimbraMailMode to the different communication protocol options. All modes use SSL encryption for back-end administrative traffic & the admin console. The webserver has to be stopped and restarted for the change to take effect. Though a full zmcontrol stop/start certainly can't hurt.
Note: If you are using Zimbra Proxy (nginx) please refer to the next article - https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy
Syntax
zmtlsctl [mode]
Mode Choices
- http - http only, the user would browse to http://zimbra.domain.com
- https - https only, the user would browse to https://zimbra.domain.com http:// is denied.
- both - A user can go to http:// or https:// and will keep that mode for their entire session.
- mixed - If the user goes to http:// it will switch to https:// for the login only, then will revert to http:// for normal session traffic. If they browse to https:// then they will stay https://
- redirect - Like mixed if the user goes to http:// it will switch to https:// but they will stay https:// for their entire session.
Note: Redirect mode is not available for ZCS 4.5 and earlier. (See Redirect_http_to_https for information about redirect for ZCS 4.5.)
Steps to run
- Type zmtlsctl [mode] and press Enter.
- Type zmcontrol stop and press Enter.
- When everything is stopped, type zmcontrol start and press Enter.
Note: You can also use Jetty to stop/start/restart, using zmmailboxdctl. In ZCS 4.5, use Tomcat instead.
Afterwards (especially on older versions of ZCS), check SMTP_Auth_Problems to be sure the auth url is set correctly.
These modes will automatically use a self-signed certificate. If you want different subjectAltNames, to renew/changelength, or apply a commercial cert, see Administration_Console_and_CLI_Certificate_Tools
Version-specific Quirks
- On older versions there were some issues with 'both' mode; fine from 4.5.2 to 4.5.5? but new issue appeared bug 19636
- As a quick fix, when 'both' was selected, it defaulted to 'mixed' on 4.5.x? to 5.0.4 bug 5594
- As of 5.0.5+ bug 5594 is now resolved so both mode works properly.
Redirect Limitations
- zimbraMailMode redirect only applies to Zimbra Web Client versions Advanced (AJAX), Standard HTML, and Mobile/XHTML. We will make a best effort for any of our connectors such as ZCO to as well within the limitations of the applications.
- Many client applications will send an auth request in the initial HTTP request to the server ("blind auth"). The implications of this are that this auth request will be sent in the clear/unencrypted prior to any possible opportunity to redirect the client app to HTTPS.
- Redirect mode allows for the possibility of a man-in-the-middle attack, intentional/unintentional redirection to a non-valid server, or the possibility that a user will mistype the server name and not have certificate-based validity of the server.
- In many client apps, it is impossible for the user to tell if they have been redirected (for example, ActiveSync), and therefore will continue to use HTTP even if the auth request is being sent unencrypted. (iPhone does have a bug open with apple about this).
- In short, only zimbraMailMode https can ensure that no listener will be available on HTTP/port 80, that no client apps will try to auth over HTTP, and that all data exchanged with client application will be encrypted.