CLI zmtlsctl to set Web Server Mode: Difference between revisions

Revision as of 18:01, 7 October 2009

zmtlsctl

This command sets the web server's zimbraMailMode, i.e. which protocols (HTTP, HTTPS, or a combination of the two) the mailbox web server accepts for user traffic. Whatever mode is chosen, back-end administrative traffic and the admin console always use SSL.

The web server has to be stopped and started again for the change to take effect; a full zmcontrol stop/start also works.

Syntax

zmtlsctl [mode]


Mode choices:

http - HTTP only; users browse to http://zimbra.domain.com

https - HTTPS only; users browse to https://zimbra.domain.com and http:// requests are refused

both - users can go to either http:// or https:// and keep that scheme for their entire session

mixed - a user who goes to http:// is switched to https:// for the login only, then reverted to http:// for normal session traffic; a user who browses to https:// stays on https://

redirect - added in ZCS 5.0; like mixed, a user who goes to http:// is switched to https://, but stays on https:// for the entire session

(See also Redirect_http_to_https for 4.5)


Steps to run

1. Type zmtlsctl [mode], press Enter.

2. Type zmcontrol stop, press Enter.

3. When everything is stopped, type zmcontrol start, press Enter.


Note: on pre-5.0 releases you can also use tomcat stop/start/restart; in 5.0 the mailbox web server is Jetty, so use zmmailboxdctl stop/start/restart instead.

Afterwards (especially on older versions), check SMTP_Auth_Problems to be sure the auth URL is set correctly.

The HTTPS listener in these modes uses the self-signed certificate that is installed by default. To use different subjectAltNames, renew the certificate, change its key length, or install a commercial certificate, see Administration_Console_and_CLI_Certificate_Tools.


Version specific Quirks

- On older versions there were issues with 'both' mode; it worked from 4.5.2 to 4.5.5 (?), but then a new issue appeared: bug 19636.

- As a quick fix, selecting 'both' silently fell back to 'mixed' from 4.5.x (?) through 5.0.4: bug 5594.

- As of 5.0.5, bug 5594 is resolved and 'both' mode works properly.


Redirect Limitations

* zimbraMailMode redirect applies only to the Zimbra Web Client (Advanced/AJAX, Standard HTML, and Mobile/XHTML). For connectors such as ZCO, redirect is supported on a best-effort basis, within the limits of what those applications allow.
* Many client applications send their authentication in the very first HTTP request to the server ("blind auth"). That request, credentials included, travels over the wire in the clear before the server has any opportunity to redirect the client to HTTPS.
* Redirect mode leaves room for a man-in-the-middle attack, for intentional or unintentional redirection to a bogus server, and for a user who mistypes the server name to land on a host whose identity has never been validated by a certificate.
* In many client applications (ActiveSync, for example) the user cannot tell that a redirect has happened, so the client keeps using HTTP even though its authentication request is being sent unencrypted. (A bug about this is open with Apple for the iPhone.)

In short, only zimbraMailMode https guarantees that nothing listens on HTTP/port 80, that no client application will try to authenticate over HTTP, and that all data exchanged with client applications is encrypted.
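The following is an added example, not part of the original wiki page and not Zimbra's own code. It reproduces the "blind auth" limitation above with Python's standard library: a stand-in port-80 listener that behaves like redirect mode (every request is answered with 301 to https://), and a client that, like the connectors described above, puts its credentials into its very first request instead of probing first. The hostname, user, password and the use of HTTP Basic auth are constructed for the demo (Zimbra's connectors use their own authentication exchanges); what matters is the order of events: the plaintext listener holds the password before it ever gets to redirect anyone.

```python
"""Added example: why zimbraMailMode redirect cannot protect a "blind auth" client.

A loopback listener plays the part of port 80 in redirect mode.  A client plays the
part of a connector that authenticates in its initial, unencrypted request.  Whatever
the listener records has also been visible to anyone on the network path.
All names and credentials below are constructed for the demonstration.
"""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectOnlyHandler(BaseHTTPRequestHandler):
    """Port-80 behaviour in redirect mode: serve no content, just 301 to https://."""

    # Everything seen on the plaintext side is recorded here, exactly as a wiretap would see it.
    observed_requests = []

    def do_GET(self):
        self.observed_requests.append(
            {"path": self.path, "authorization": self.headers.get("Authorization")}
        )
        # Redirect to the same host and path over HTTPS (the redirect happens AFTER the
        # request, headers included, has already arrived in the clear).
        host = self.headers.get("Host", "mail.example.com").split(":")[0]
        self.send_response(301)
        self.send_header("Location", f"https://{host}{self.path}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_redirect_listener():
    """Bind the redirect-only listener on an ephemeral loopback port and serve in the background."""
    server = HTTPServer(("127.0.0.1", 0), RedirectOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def blind_auth_request(port, user, password):
    """A client that authenticates in its initial request over http:// (no unauthenticated probe first).

    Returns the (status, Location) the server answered with.  http.client never follows
    redirects on its own, so this shows exactly one round trip, which is all it takes.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/service/soap", headers={"Authorization": "Basic " + token})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def credentials_seen_in_clear():
    """Decode what the plaintext listener received; returns 'user:password' or None."""
    for entry in RedirectOnlyHandler.observed_requests:
        auth = entry["authorization"] or ""
        if auth.startswith("Basic "):
            return base64.b64decode(auth[len("Basic "):]).decode()
    return None


def run_demo():
    """Run listener and client end to end; returns (status, location, leaked_credential)."""
    server = start_redirect_listener()
    try:
        status, location = blind_auth_request(server.server_port, "alice@example.com", "Secret1")
    finally:
        server.shutdown()
        server.server_close()
    return status, location, credentials_seen_in_clear()


if __name__ == "__main__":
    status, location, leaked = run_demo()
    print(f"redirect issued: {status} -> {location}")
    print(f"credential already on the wire in the clear: {leaked}")
```

The client does get its redirect, and on a real deployment would happily continue over HTTPS, but the password has already crossed the network unencrypted. Contrast this with zimbraMailMode https: with no listener on port 80 at all, the same client's first request fails to connect, and nothing is leaked.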
