CLI zmtlsctl to set Web Server Mode: Difference between revisions


Latest revision as of 10:48, 10 March 2016

CLI zmtlsctl to set the Web Server Mode

   KB 1494        Last updated on 2016-03-10  





zmtlsctl

This command sets the web server's zimbraMailMode to one of the communication protocol options below. All modes use SSL encryption for back-end administrative traffic and the admin console. The web server has to be stopped and restarted for the change to take effect, though a full zmcontrol stop/start certainly can't hurt.

Note: If you are using Zimbra Proxy (nginx) please refer to the next article - https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy

Syntax

zmtlsctl [mode]


Mode Choices

  • http - http only, the user would browse to http://zimbra.domain.com
  • https - https only, the user would browse to https://zimbra.domain.com. http:// is denied.
  • both - A user can go to http:// or https:// and will keep that mode for their entire session.
  • mixed - If the user goes to http:// it will switch to https:// for the login only, then will revert to http:// for normal session traffic. If they browse to https:// then they will stay on https://.
  • redirect - Like mixed, if the user goes to http:// it will switch to https://, but they will stay on https:// for their entire session.

Note: Redirect mode is not available for ZCS 4.5 and earlier. (See Redirect_http_to_https for information about redirect for ZCS 4.5.)

Steps to run

  1. Type zmtlsctl [mode] and press Enter.
  2. Type zmcontrol stop and press Enter.
  3. When everything is stopped, type zmcontrol start and press Enter.

Note: You can also use Jetty to stop/start/restart, using zmmailboxdctl. In ZCS 4.5, use Tomcat instead.

Afterwards (especially on older versions of ZCS), check SMTP_Auth_Problems to be sure the auth url is set correctly.

These modes will automatically use a self-signed certificate. If you want different subjectAltNames, to renew/change length, or to apply a commercial cert, see Administration_Console_and_CLI_Certificate_Tools.

Version-specific Quirks

  • On older versions there were some issues with 'both' mode; it was fine from 4.5.2 to 4.5.5(?), but a new issue appeared (bug 19636).
  • As a quick fix, when 'both' was selected it defaulted to 'mixed' on 4.5.x(?) to 5.0.4 (bug 5594).
  • As of 5.0.5+, bug 5594 is resolved, so 'both' mode works properly.

Redirect Limitations

  • zimbraMailMode redirect only applies to the Zimbra Web Client versions Advanced (AJAX), Standard HTML, and Mobile/XHTML. We will make a best effort for our connectors, such as ZCO, to do so as well within the limitations of the applications.
  • Many client applications will send an auth request in the initial HTTP request to the server ("blind auth"). The implication is that this auth request will be sent in the clear (unencrypted) before there is any opportunity to redirect the client app to HTTPS.
  • Redirect mode allows for the possibility of a man-in-the-middle attack, intentional/unintentional redirection to a non-valid server, or the possibility that a user will mistype the server name and not have certificate-based validation of the server.
  • In many client apps (for example, ActiveSync), it is impossible for the user to tell whether they have been redirected, so they will continue to use HTTP even if the auth request is being sent unencrypted. (iPhone does have a bug open with Apple about this.)
In short, only zimbraMailMode https can ensure that no listener will be available on HTTP/port 80, that no client apps will try to auth over HTTP, and that all data exchanged with client applications will be encrypted.
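
A post-change check for the point above, as an added example that is not part of the original article or of Zimbra's tooling: after running the steps, it reads the mode from saved `zmprov gs <server> zimbraMailMode` output and the listeners from saved `ss -ltn` output, and reports whether cleartext HTTP is still exposed. The helper name audit_mail_mode and the sample inputs are constructed for illustration; it assumes no Zimbra Proxy in front of the mailbox server and HTTP on port 80.

```shell
#!/bin/sh
# Post-change check for zimbraMailMode (added example, not Zimbra's own tooling).
# Assumes no Zimbra Proxy in front of the mailbox server and HTTP on port 80.
# audit_mail_mode MODE_FILE LISTEN_FILE   (hypothetical helper name)
#   MODE_FILE   : saved output of `zmprov gs <server> zimbraMailMode`
#   LISTEN_FILE : saved output of `ss -ltn`
# Returns 0 only when the mode is https and nothing listens on port 80.
audit_mail_mode() {
    mode=$(awk -F': *' '$1 == "zimbraMailMode" { print $2 }' "$1")
    # Column 4 of `ss -ltn` is Local Address:Port; match port 80 exactly.
    if awk 'NR > 1 && $4 ~ /:80$/ { hit = 1 } END { exit !hit }' "$2"; then
        port80=open
    else
        port80=closed
    fi
    case "$mode" in
        https)
            if [ "$port80" = closed ]; then
                echo "OK: https only, no listener on port 80"; return 0
            fi
            echo "WARN: mode is https but port 80 still has a listener"; return 1 ;;
        redirect)
            echo "RISK: redirect, a blind-auth first request is sent in cleartext"; return 1 ;;
        mixed)
            echo "RISK: mixed, session traffic reverts to http after login"; return 1 ;;
        both|http)
            echo "RISK: $mode, logins and sessions may run over http"; return 1 ;;
        *)
            echo "ERROR: zimbraMailMode not found in $1"; return 2 ;;
    esac
}

# Constructed sample inputs (not captured from a real server).
sample_dir=$(mktemp -d)
printf '# name mail.example.com\nzimbraMailMode: redirect\n' > "$sample_dir/mode_redirect"
printf '# name mail.example.com\nzimbraMailMode: https\n'    > "$sample_dir/mode_https"
cat > "$sample_dir/listen_80_443" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
EOF
cat > "$sample_dir/listen_443_8080" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
EOF

audit_mail_mode "$sample_dir/mode_redirect" "$sample_dir/listen_80_443" || true
audit_mail_mode "$sample_dir/mode_https" "$sample_dir/listen_443_8080"
```

A listener on 8080 does not trip the port 80 match, and https mode with a leftover port 80 listener is reported as a warning rather than a pass.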
Verified Against: unknown Date Created: 5/3/2006
Article ID: https://wiki.zimbra.com/index.php?title=CLI_zmtlsctl_to_set_Web_Server_Mode Date Modified: 2016-03-10


