Multiple SSL Virtual Hosts 6.0: Difference between revisions

(5 intermediate revisions by 2 users not shown)
{{Article Infobox|{{admin}}||{{ZCS 6.0}}|}}

= Preface =


= Introduction =
It may be required to provide SSL connections to the mail server for more than one virtual host.  This is problematic, as [http://en.wikipedia.org/wiki/Server_Name_Indication TLS/SNI] is not yet widely deployed.  This page documents one way to implement multiple server names with SSL for POP, IMAP, SMTP and Webmail services, and assumes you're familiar with SSL certificates and basic zimbra installation.
 
= Starting Point =
The starting point for this configuration is a standard zimbra installation ''with'' proxy enabled.  While this is intended for a scalable, multi-server installation, it can be used in a single-server instance as well.  Doing so simplifies configuration in that you only need to configure nginx and postfix to cover all the services.  '''''Make sure your basic system is operational before continuing!'''''  I have been unable to find documentation on the local configuration management setup in 6.0, and had to resort to a hack of using permissions to keep zimbra from overwriting some of the changes on startup.  That does not affect normal operation, but may prevent some of the initial setup from working properly.
 
= nginx (pop, imap, https) =
The first step is to go into <tt>/opt/zimbra/conf/nginx/includes</tt> and edit 5 files:
 
* nginx.conf.mail.imap
* nginx.conf.mail.imaps
* nginx.conf.mail.pop3
* nginx.conf.mail.pop3s
* nginx.conf.mail.https
 
In my case, I copied them to ''base.domain'' (e.g. <tt>nginx.conf.mail.imap.zimbra.com</tt>), but you could put all your domain configurations in something like ''base.allssl'', or just edit them in place if you're daring.
 
In each file, the process is pretty much the same:
 
* change the <tt>listen</tt> directive to bind to the specific address associated with the domain name
* add the <tt>ssl_certificate</tt> directives to point to the particular ssl certificate for the domain name
 
That's it.  Whether you put them in separate files or all in one is up to you; for simplicity here, I've run them together:
 
Before:
 
<pre>
server
{
    listen                  143;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}
</pre>
 
After:
 
<pre>
server
{
    listen                  1.1.1.1:143;
    ssl_certificate         /opt/zimbra/conf/domain1.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain1.key;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}

server
{
    listen                  1.1.1.2:143;
    ssl_certificate         /opt/zimbra/conf/domain2.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain2.key;
    protocol                imap;
    proxy                   on;
    sasl_service_name       "imap";
    starttls                on;
}
</pre>
 
The original imaps/pop3s files don't have the certificates in them because they inherit the default (<tt>/opt/zimbra/conf/nginx.{crt,key}</tt>) from <tt>nginx.conf.mail</tt>; the per-server directives override that.  The https file is the same, but its <tt>server</tt> block has a lot more in it.  The exact same directive changes are needed though.
 
If you put them in separate files, you'll need to edit the includes appropriately in <tt>nginx.conf.mail</tt> and <tt>nginx.conf.web</tt>:
 
<pre>
    ...
    ssl_ciphers            !SSLv2:!MD5:HIGH;
 
    include conf/nginx/includes/nginx.conf.mail.imap.domain1;
    include conf/nginx/includes/nginx.conf.mail.imaps.domain1;
 
    include conf/nginx/includes/nginx.conf.mail.pop3.domain2;
    include conf/nginx/includes/nginx.conf.mail.pop3s.domain2;
}
</pre>
 
<pre>
...
    zmroute_timeout 15000ms;
 
    include conf/nginx/includes/nginx.conf.web.http;
    include conf/nginx/includes/nginx.conf.web.https.domain1;
    include conf/nginx/includes/nginx.conf.web.https.domain2;
}
</pre>
 
Finally, <tt>chown root</tt> any of the files you edited to keep zimbra from overwriting them at startup time.  Surprisingly, and fortunately, it does not error in this case, allowing this process to work.
 
= postfix (smtp) =
The postfix case is a little better because you don't have to do the permissions hack: it uses a .in master file that you can edit and have the changes stick.  Just edit <tt>/opt/zimbra/postfix/conf/master.cf.in</tt> (after backing it up of course!).  Instead of letting postfix bind to the port globally, you configure it to bind to a specific address and override the global certificate with a specific one:


Before:
</pre>


(If you want to enable 465 (smtps), it's a clone of <tt>submission</tt> with <tt>-o smtpd_tls_wrappermode=yes</tt>)


Keywords: ''ssl, virtual hosts, proxy''
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.


{{Article Footer|ZCS 6.0.x|1/20/2011}}


[[Category: Virtual Hosting]]
[[Category: SSL/TLS]]
[[Category: ZCS 5.0]]
[[Category: ZCS 6.0]]

Latest revision as of 23:37, 26 January 2015

For HTTP, POP3, and IMAP, please see the SSL certificates per domain guide.

postfix (SMTP)

For postfix we use a .in master file that you can edit and have the changes stick: just edit /opt/zimbra/postfix/conf/master.cf.in (after backing it up of course!). Instead of letting postfix bind to the port globally, you configure it to bind to a specific address and override the global certificate with a specific one:

Before:

<pre>
smtp      inet  n       -       n       -       -       smtpd
submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
</pre>

After:

<pre>
# domain1 instance
1.1.1.1:smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
1.1.1.1:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key

# domain2 instance
1.1.1.2:smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
1.1.1.2:submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
</pre>

(If you want to enable 465 (smtps), it's a clone of submission with -o smtpd_tls_wrappermode=yes)
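The whole scheme only works if every address-bound listener actually carries its own certificate and no global listener is left competing for the same port; an address that is missed keeps presenting the default certificate. As a check covering both the nginx include files from the earlier revision and the master.cf entries above, here is an added example script. It is not from the article and not Zimbra code: the function names, the audit rules and the embedded sample configs are this example's own constructions, while the file paths and the 1.1.1.1/1.1.1.2 addresses are the article's placeholders.

```python
"""Audit per-address TLS listeners in nginx includes and postfix master.cf text.

Added example, not part of the wiki article and not Zimbra code. It parses the
two shapes the article uses and flags what defeats a one-certificate-per-IP
setup: an address-bound listener with no cert/key override, the same endpoint
bound twice, and a wildcard listener left beside per-address ones on a port.
"""
import re
from collections import Counter

# Constructed sample: the second server block forgot the override directives.
NGINX_SAMPLE = """
server
{
    listen                  1.1.1.1:143;
    ssl_certificate         /opt/zimbra/conf/domain1.crt;
    ssl_certificate_key     /opt/zimbra/conf/domain1.key;
    protocol                imap;
    starttls                on;
}
server
{
    listen                  1.1.1.2:143;
}
"""

# Constructed sample: global 'smtp' entry left in; submission has no key override.
MASTER_SAMPLE = """
smtp      inet  n       -       n       -       -       smtpd
# domain1 instance
1.1.1.1:smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain1.key
1.1.1.1:submission inet n      -       n       -       -       smtpd
        -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain1.crt
1.1.1.2:smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_tls_cert_file=/opt/zimbra/conf/domain2.crt
        -o smtpd_tls_key_file=/opt/zimbra/conf/domain2.key
"""

def split_endpoint(value):
    """'1.1.1.1:143' -> ('1.1.1.1', '143'); bare '143' or 'smtp' -> ('*', value)."""
    addr, sep, port = value.rpartition(":")
    return (addr, port) if sep else ("*", value)

def parse_nginx(text):
    """One listener dict per nginx 'server { ... }' block."""
    listeners = []
    for block in re.findall(r"server\s*\{(.*?)\}", text, re.S):
        listen = re.search(r"\blisten\s+(\S+?);", block)
        if not listen:
            continue
        addr, port = split_endpoint(listen.group(1))
        cert = re.search(r"\bssl_certificate\s+(\S+?);", block)
        key = re.search(r"\bssl_certificate_key\s+(\S+?);", block)
        listeners.append({"source": "nginx", "addr": addr, "port": port,
                          "cert": cert.group(1) if cert else None,
                          "key": key.group(1) if key else None})
    return listeners

def parse_master_cf(text):
    """One listener dict per 'inet' service entry in master.cf syntax."""
    listeners = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line: "-o name=value"
            opt = re.match(r"\s*-o\s+(\w+)=(\S+)", line)
            if opt and listeners:
                listeners[-1]["opts"][opt.group(1)] = opt.group(2)
            continue
        fields = line.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue  # unix/fifo services do not bind to an address
        addr, port = split_endpoint(fields[0])
        listeners.append({"source": "master.cf", "addr": addr, "port": port, "opts": {}})
    for entry in listeners:  # same keys as parse_nginx produces
        entry["cert"] = entry["opts"].get("smtpd_tls_cert_file")
        entry["key"] = entry["opts"].get("smtpd_tls_key_file")
    return listeners

def audit(listeners):
    """Sorted findings for one config's listeners; an empty list means consistent."""
    findings = []
    for lst in listeners:
        if lst["addr"] != "*" and not (lst["cert"] and lst["key"]):
            findings.append(f"{lst['source']}: {lst['addr']}:{lst['port']} is bound "
                            "to an address but has no cert/key override")
    bound = Counter((lst["source"], lst["addr"], lst["port"]) for lst in listeners)
    for (source, addr, port), n in bound.items():
        if n > 1:
            findings.append(f"{source}: {addr}:{port} is bound {n} times")
    per_addr = {(lst["source"], lst["port"]) for lst in listeners if lst["addr"] != "*"}
    for lst in listeners:
        if lst["addr"] == "*" and (lst["source"], lst["port"]) in per_addr:
            findings.append(f"{lst['source']}: wildcard listener on {lst['port']} "
                            "conflicts with per-address listeners on the same port")
    return sorted(findings)
```

To run it against a real installation, pass the contents of each edited include file to <tt>parse_nginx</tt> and the contents of <tt>master.cf.in</tt> to <tt>parse_master_cf</tt>, then print what <tt>audit</tt> returns; the constructed samples above produce one nginx finding (1.1.1.2:143 without an override) and two master.cf findings (the leftover global <tt>smtp</tt> entry and the submission entry lacking its key file).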

Keywords: ssl, virtual hosts
Version: Release 6.0.5_GA_2213.RHEL5_64_20100203001950 CentOS5_64 FOSS edition.

Verified Against: ZCS 6.0.5 Date Created: 1/20/2011
Article ID: https://wiki.zimbra.com/index.php?title=Multiple_SSL_Virtual_Hosts_6.0 Date Modified: 2015-01-26
