Difference between revisions of "Multiple SSL Virtual Hosts 6.0"

(Starting Point)
 
(9 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Article Infobox|{{admin}}||{{ZCS 6.0}}|}}= Preface =
+
For HTTP, POP3, and IMAP, please see the [[SSL certificates per domain]] guide.
  
= Introduction =
+
= postfix (SMTP) =
It may be required to provide SSL connections to the mail server for more than one virtual host.  This is problematic, as [http://en.wikipedia.org/wiki/Server_Name_Indication TLS/SNI] is not yet widely deployedThis documents one way to implement multiple server names with SSL for POP, IMAP, SMTP and Webmail services, and assumes you're familiar with SSL certificates and basic zimbra installation.
+
For postfix we use a .in master file that you can edit and have the changes stick: just edit <tt>/opt/zimbra/postfix/conf/master.cf.in</tt> (after backing it up of course!)Instead of letting postfix bind to the port globally, you configure it to bind to a specific address and override the global certificate with a specific one:
  
= Starting Point =
+
Before:
The starting point for this configuration is a standard zimbra installation ''with'' proxy enabled.  While this is intended for a scaleable, multiserver, installation, it can be used in a single server instance as well.  Doing so simplifies configuration in that you only need to configure nginx and postfix to cover all the services.  '''''Make sure your basic system is operational before continuing!'''''  I have been unable to find documentation on the local configuration management setup in 6.0, and had to resort to a hack of using permissions to keep zimbra from overwriting some of the changes on startup.  That does not affect normal operation, but may prevent some of the initial setup from working properly.
 
  
= nginx (pop, imap, https) =
+
<pre>
 +
smtp      inet  n      -      n      -      -      smtpd
 +
submission inet n      -      n      -      -      smtpd
 +
        -o smtpd_etrn_restrictions=reject
 +
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
 +
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
 +
</pre>
  
= postfix (smtp) =
+
After:
  
Keywords: ''ssl , virtual hosts'', proxy''
+
<pre>
 +
# domain1 instance
 +
1.1.1.1:smtp      inet  n      -      n      -      -      smtpd
 +
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
 +
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
 +
1.1.1.1:submission inet n      -      n      -      -      smtpd
 +
        -o smtpd_etrn_restrictions=reject
 +
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
 +
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
 +
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
 +
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
  
{{Article Footer|ZCS 6.0.x|1/20/2011}}
+
# domain2 instance
 +
1.1.1.2:smtp      inet  n      -      n      -      -      smtpd
 +
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
 +
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
 +
1.1.1.2:submission inet n      -      n      -      -      smtpd
 +
        -o smtpd_etrn_restrictions=reject
 +
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
 +
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
 +
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
 +
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
 +
</pre>
 +
 
 +
(If you want to enable 465 (smtps), it's a clone of <tt>submission</tt> with <tt>-o smtpd_tls_wrappermode=yes</tt>)
 +
 
 +
Keywords: ''ssl, virtual hosts'' <br>
 +
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.
 +
 
 +
{{Article Footer|ZCS 6.0.5|1/20/2011}}
  
 
[[Category: Virtual Hosting]]
 
[[Category: Virtual Hosting]]
 
[[Category: SSL/TLS]]
 
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]
+
[[Category: ZCS 6.0]]

Latest revision as of 23:37, 26 January 2015

For HTTP, POP3, and IMAP, please see the SSL certificates per domain guide.

postfix (SMTP)

For postfix we use a .in master file that you can edit and have the changes stick: just edit /opt/zimbra/postfix/conf/master.cf.in (after backing it up of course!). Instead of letting postfix bind to the port globally, you configure it to bind to a specific address and override the global certificate with a specific one:

Before: 

smtp      inet  n       -       n       -       -       smtpd
submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%

After: 

# domain1 instance 
1.1.1.1:smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
1.1.1.1:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key

# domain2 instance 
1.1.1.2:smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
  -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
1.1.1.2:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key

(If you want to enable 465 (smtps), it's a clone of submission with -o smtpd_tls_wrappermode=yes)

Keywords: ssl, virtual hosts
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.

Verified Against: ZCS 6.0.5 Date Created: 1/20/2011
Article ID: https://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts_6.0 Date Modified: 2015-01-26



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Other help Resources

User Help Page »
Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Retrieved from "https://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts_6.0&oldid=56772"
Jump to: navigation, search