Multiple SSL Virtual Hosts 6.0: Difference between revisions

(Replaced content with "For configuring SSL certificates per domain with Zimbra, please follow this [http://wiki.zimbra.com/wiki/SSL_certificates_per_domain guide].")
{{Article Infobox|{{admin}}||{{ZCS 6.0}}|}}
= Preface =
For configuring SSL certificates per domain with Zimbra, please follow this [http://wiki.zimbra.com/wiki/SSL_certificates_per_domain guide].
 
= Introduction =
It may be required to provide SSL connections to the mail server for more than one virtual host.  This is problematic, as [http://en.wikipedia.org/wiki/Server_Name_Indication TLS/SNI] is not yet widely deployed, so the only way to present a different certificate per name is to bind each name to its own IP address.  This page documents one way to implement multiple server names with SSL for POP, IMAP, SMTP and Webmail services, and assumes you're familiar with SSL certificates and basic Zimbra installation.
 
= Starting Point =
The starting point for this configuration is a standard Zimbra installation ''with'' proxy enabled.  While this is intended for a scalable multi-server installation, it can be used in a single-server instance as well.  Doing so simplifies configuration in that you only need to configure nginx and postfix to cover all the services.  '''''Make sure your basic system is operational before continuing!'''''  I have been unable to find documentation on the local configuration management setup in 6.0, and had to resort to a hack of using permissions to keep Zimbra from overwriting some of the changes on startup.  That does not affect normal operation, but may prevent some of the initial setup from working properly.
 
= nginx (pop, imap, https) =
The first step is to go into <tt>/opt/zimbra/conf/nginx/includes</tt> and edit 5 files:
 
* nginx.conf.mail.imap
* nginx.conf.mail.imaps
* nginx.conf.mail.pop3
* nginx.conf.mail.pop3s
* nginx.conf.mail.https
 
In my case, I copied them to ''base.domain'' (e.g. <tt>nginx.conf.mail.imap.zimbra.com</tt>), but you could put all your domain configurations in something like ''base.allssl'', or just edit them in place if you're daring.
 
In each file, the process is pretty much the same:
 
* change the <tt>listen</tt> directive to bind to the specific IP address associated with the domain name
* add the <tt>ssl_certificate</tt> and <tt>ssl_certificate_key</tt> directives to point to the particular SSL certificate and private key for the domain name
 
That's it.  Whether you put them in separate files or all in one is up to you; for simplicity here, I've run them together:
 
Before:
 
<pre>
server
{
    listen                  143;
    protocol                imap;
    proxy                  on;
    sasl_service_name      "imap";
    starttls                on;
}
</pre>
 
After:
 
<pre>
server
{
    listen                  1.1.1.1:143;
    ssl_certificate        /opt/zimbra/conf/domain1.crt;
    ssl_certificate_key    /opt/zimbra/conf/domain1.key;
    protocol                imap;
    proxy                  on;
    sasl_service_name      "imap";
    starttls                on;
}
 
server
{
    listen                  1.1.1.2:143;
    ssl_certificate        /opt/zimbra/conf/domain2.crt;
    ssl_certificate_key    /opt/zimbra/conf/domain2.key;
    protocol                imap;
    proxy                  on;
    sasl_service_name      "imap";
    starttls                on;
}
</pre>
 
The original imaps/pop3s files don't have the certificates in them because they inherit the default (<tt>/opt/zimbra/conf/nginx.{crt,key}</tt>) from <tt>nginx.conf.mail</tt>.  The per-<tt>server</tt> directives override that default, so a block bound to a domain's address that lacks them would still present the default certificate.  The https file is the same, but the <tt>server</tt> block just has a lot more in it.  The exact same directive changes are needed though.
 
If you put them in separate files, you'll need to edit the includes appropriately in <tt>nginx.conf.mail</tt> and <tt>nginx.conf.web</tt>:
 
<pre>
    ...
    ssl_ciphers            !SSLv2:!MD5:HIGH;
 
    include conf/nginx/includes/nginx.conf.mail.imap.domain1;
    include conf/nginx/includes/nginx.conf.mail.imaps.domain1;
 
    include conf/nginx/includes/nginx.conf.mail.pop3.domain2;
    include conf/nginx/includes/nginx.conf.mail.pop3s.domain2;
}
</pre>
 
<pre>
...
    zmroute_timeout 15000ms;
 
    include conf/nginx/includes/nginx.conf.web.http;
    include conf/nginx/includes/nginx.conf.web.https.domain1;
    include conf/nginx/includes/nginx.conf.web.https.domain2;
}
</pre>
 
Finally, <tt>chown root</tt> any of the files you edited to keep zimbra from overwriting them at startup time.  Surprisingly, and fortunately, it does not error in this case, allowing this process to work.
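Because a block that is bound to a domain's address but lacks its own <tt>ssl_certificate</tt>/<tt>ssl_certificate_key</tt> silently falls back to the default certificate, it is worth linting the edited includes before restarting the proxy.  The following is an added example (not part of the original article or of Zimbra) that parses the flat mail includes shown above and flags such blocks, as well as two blocks that bind the same address and port; the sample configuration embedded in it is constructed, and the parser does not handle nested blocks such as the <tt>location</tt> sections in the https include.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the page's nginx.conf.mail.imaps include:
# domain1 overrides the certificate, domain2 does not and would therefore
# present the default /opt/zimbra/conf/nginx.crt to clients of 1.1.1.2.
SAMPLE_INCLUDE = """
server
{
    listen                  1.1.1.1:993;
    ssl                     on;
    ssl_certificate         /opt/zimbra/conf/domain1.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain1.key;
    protocol                imap;
    proxy                   on;
}

server
{
    listen                  1.1.1.2:993;
    ssl                     on;
    protocol                imap;
    proxy                   on;
}
"""

# Flat "server { ... }" blocks only; directives are "name value;" on one line.
BLOCK_RE = re.compile(r"server\s*\{(.*?)\}", re.S)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*;\s*$", re.M)


def parse_server_blocks(text: str) -> List[Dict[str, str]]:
    """Return one {directive: value} dict per server block."""
    return [{k: v.strip('"') for k, v in DIRECTIVE_RE.findall(m.group(1))}
            for m in BLOCK_RE.finditer(text)]


def lint_ssl_vhosts(text: str) -> List[str]:
    """Flag blocks that would serve the default certificate or collide on bind."""
    findings, seen_listen = [], {}
    for i, block in enumerate(parse_server_blocks(text), 1):
        listen = block.get("listen", "")
        # A per-address listen needs its own cert/key pair, otherwise the
        # global default from nginx.conf.mail is inherited for that domain.
        if ":" in listen and not {"ssl_certificate", "ssl_certificate_key"} <= block.keys():
            findings.append(f"block {i} ({listen}): no per-domain ssl_certificate/key, "
                            "default certificate would be served")
        if listen in seen_listen:
            findings.append(f"block {i} ({listen}): duplicate listen, "
                            f"already bound in block {seen_listen[listen]}")
        seen_listen.setdefault(listen, i)
    return findings
```

Run it over each edited include (for example by reading the file into <tt>lint_ssl_vhosts</tt>) and fix every finding before restarting the proxy.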
 
= postfix (smtp) =
The postfix case is a little better because you don't have to do the permissions hack: it still uses a <tt>.in</tt> master file that you can edit and have the changes stick.  Just edit <tt>/opt/zimbra/postfix/conf/master.cf.in</tt> (after backing it up, of course!).  Instead of letting postfix bind to the port globally, you configure each instance to bind to a specific address and override the global certificate with a domain-specific one:
 
Before:
 
<pre>
smtp      inet  n      -      n      -      -      smtpd
submission inet n      -      n      -      -      smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
</pre>
 
After:
 
<pre>
# domain1 instance
1.1.1.1:smtp      inet  n      -      n      -      -      smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
1.1.1.1:submission inet n      -      n      -      -      smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
 
# domain2 instance
1.1.1.2:smtp      inet  n      -      n      -      -      smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
1.1.1.2:submission inet n      -      n      -      -      smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
</pre>
 
(If you want to enable port 465 (smtps), it's a clone of the <tt>submission</tt> entry with <tt>-o smtpd_tls_wrappermode=yes</tt> added.)
 
Keywords: ''ssl, virtual hosts, proxy'' <br>
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.
 
{{Article Footer|ZCS 6.0.5|1/20/2011}}
 
[[Category: Virtual Hosting]]
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]

Revision as of 11:44, 17 October 2014
