Zimbra Mail Server Configuration (Manual?)

Hi Folks,

I run Zimbra, which is a mail server among other things, on CentOS. I have one server, but it serves two domains, so I need a certificate for both/each domain. I expect SAN to completely address this aspect, although I've installed a server identification certificate on this server before, and it only worked for one of the domains. I never understood why, but I'm happy to conclude that Windows Server Certificate Authority configured the certificate. The installation and configuration process is opaque and tedious. I seek Zimbra configuration advice to the extent that it is available.

I haven't yet investigated how to do any of this with Let's Encrypt, but I have been warned about rate limits, so I am understandably cautious about frivolous and erroneous steps. Zimbra runs both Apache and nginx, so I expect there to be complications in installing a signed certificate.

Domains:
o mail.tclc.org
o mail.tryx.org

My web server is:
o Apache: 2.4.38
o nginx: 1.7.1

The operating system my web server runs on is (include version):
o CentOS 7

I can log in to a root shell on my machine (yes or no, or I don't know):
o Yes

I'm using a control panel to manage my site:
o No

The version of my client is ...
o I haven't gotten this far yet. I expect that what I am doing is unusual and I fear the rate limiting governors. I suspect that I am going to have to do this manually.

Thanks for the help,

Chris.

1 Like

Information about the rate limits can be found here:

If you just keep thinking straight, everything should be fine (for example, if you actually get a certificate issued, but the next step in the process doesn't work, don't get a new certificate to try the "next step" again and again, but use the already issued certificate for that. Just think straight.)

Furthermore, if you're still in a testing state, you'd want to use the Staging Environment first and if everything seems to work, you'll switch over to the production environment for a real certificate:

Another thing: it seems your port 80 is filtered. I'm getting time outs for a connection through HTTP, while I'm getting the expected "certificate not trusted" through HTTPS. Let's Encrypt needs an open port 80 for the http-01 challenges. Some more reading material:

(Actually, almost everything in the https://letsencrypt.org/docs/ should be read :wink: )

By the way: it looks like nginx is answering on port 443. So you'd need to configure your nginx with the certificate (TLS). I assume nginx works as a reverse proxy for Apache?

It also seems Zimbra has a How To online for Let's Encrypt: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate However, personally I think that guide is totally outdated! It says "Last updated 2020-05-20" on the top, but it uses very ancient methods! It uses the letsencrypt-auto script, where the old name "letsencrypt" for the software program was changed to "certbot" EONS ago... It also uses git clone for getting just the script. No, that guide is horrible, don't use it.

2 Likes

This guide seems pretty straight forward, including automated renewal:

It uses apt-get and the Ubuntu PPA for installing certbot, but that's not applicable for CentOS. You can use the official certbot site for guidance on how to install certbot for CentOS: https://certbot.eff.org/lets-encrypt/centosrhel7-other

I would strongly suggest trying the snapd version, as that's probably the future way to install and maintain certbot by the development team. However, as you can see, it's also possible to use yum.

I have no experience with the certbot-zimbra script (which seems to be some kind of wrapper script around certbot to install the certificate in the right place for Zimbra?) used in that guide though. YMMV.

2 Likes

Hi Osiris,

Thanks for the quick and supportive response. I may have asked the wrong question. And you have answered a question I didn't ask, but I should have.

First: The right question. I seek to identify my mail server to corresponding peer servers, as well as my web server for the users to access the mail archive. Does this additional purpose (SMTP, SMTP-AUTH, SUBMISSION) change the certificate from the assumed purpose (HTTP, HTTPS)? Do I have to do anything special to create this certificate?

I am trying the command line:
certbot certonly -d mail.tclc.org -d mail.tryx.org --standalone --webroot

If I run from /root/certs, will the standalone server drop the certificates there?

Filtered Port 80: "netstat -n | grep 80" shows me that nothing is listening on port 80, so port 80 is free for "certbot ... --standalone" to use.

The Zimbra "Installing a Let's Encrypt SSL Certificate" is pretty bad from the "Let's Encrypt" point of view because they are not current, which means the instructions are simply wrong, but I can understand what they are saying with respect to Zimbra, and that part is accurate; their "Let's Encrypt" instructions are not so good, but I have you guys for that part.

I have run certbot once, and of course it failed the challenges, but I know how to diagnose and debug that. So far, this all seems simple, clear, and self-explanatory. Do I risk rate limit restrictions at this point?

Thanks for the help,

Chris.

Is probably not going to work well if your mail server is already HTTP enabled.

Requires one additional parameter (per domain): -w
[and the corresponding directory path]

No, unless told otherwise, certbot will always put certs in the cert-named subfolder of /etc/letsencrypt/live/

I also run a zimbra mail server and had to do it before any documentation was available.
In a simplified view, here is what I do every 60ish days:

# check that the private key and the certificate belong together
/opt/zimbra/bin/zmcertmgr verifycrt comm private.key public.key
# put the private key where Zimbra expects the commercial key
cp private.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
# deploy the certificate together with its CA chain (the CA.key file below) to all Zimbra services
/opt/zimbra/bin/zmcertmgr deploycrt comm public.key CA.key
# restart Zimbra so every service picks up the new certificate
zmcontrol restart

That is done after obtaining the cert and the CA.key file I use is:


According to the how-to's I've read, Zimbra doesn't have anything running on port 80 by default.

Doesn't look that hard to script, right?

Let's Encrypt certificates can be used for securing any TLS service. Not only HTTPS, but also SMTP, IMAP, POP3.

That command cannot be correct. Both --standalone as --webroot are options for selecting an authentication plugin, where only one is allowed. Or at least, only one will be selected. Perhaps certbot chooses the first one? Or the last? I don't know actually. Both authentication plugins work very differently though.

That should be true, if the standalone plugin would actually be used. See above about selecting two authentication plugins.

Strictly speaking "yes", for example, there is a Failed Validation limit of 5 failures per account, per hostname, per hour. Rate limits pertaining to certificates will only apply once you actually get a certificate issued. But to be safe, you can use --dry-run (which won't save anything to disk, but should notify you if a challenge was successful) or --staging (which will save fake test certificates to disk).

That seems to be true (now - not sure about when I started using it)

Yes, very scriptable.
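An added example, not code from anyone in this thread, that ties together rg305's deploy steps above and Osiris's two points (one authenticator only, and a --dry-run before issuing): it builds the certbot command for both hostnames, checks that only one authenticator plugin is present, and deploys the resulting lineage into Zimbra. The script assumes Zimbra 8.7 or later (zmcertmgr run as the zimbra user), certbot's default /etc/letsencrypt layout, a ZIMBRA_HOME of /opt/zimbra and an ADMIN_EMAIL you set yourself; the file name zimbra-le.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: issue one SAN certificate for both
# hostnames with certbot --standalone (port 80 must be free, as noted above),
# verify it with zmcertmgr and deploy it into Zimbra. Assumes Zimbra 8.7+
# (zmcertmgr runs as the zimbra user) and certbot's default /etc/letsencrypt.
set -eu

ZIMBRA_HOME=/opt/zimbra
LIVE=/etc/letsencrypt/live
ADMIN_EMAIL="${ADMIN_EMAIL:-CHANGE_ME@example.com}"   # placeholder, set your own

# Build certbot's argument list with exactly one authenticator. The first -d
# name becomes the lineage directory under $LIVE. "dry-run" runs the
# challenge against staging and saves nothing, so it never consumes a cert.
certbot_args() {
    mode=$1; shift
    args="certonly --standalone --non-interactive --agree-tos -m $ADMIN_EMAIL"
    if [ "$mode" = dry-run ]; then args="$args --dry-run"; fi
    for d in "$@"; do args="$args -d $d"; done
    printf '%s\n' "$args"
}

# Count authenticator plugins in an argument string; more than one is the
# mistake discussed above (--standalone together with --webroot).
authenticator_count() {
    n=0
    for tok in $1; do
        case $tok in --standalone|--webroot|--apache|--nginx|--manual) n=$((n+1)) ;; esac
    done
    echo "$n"
}

# Stage key, cert and chain where the zimbra user can read them, verify they
# belong together before anything is replaced, then deploy and restart. If
# verifycrt rejects certbot's chain.pem, append the root you trust and re-run.
deploy_to_zimbra() {
    src="$LIVE/$1"; stage="$ZIMBRA_HOME/ssl/letsencrypt"
    mkdir -p "$stage"
    cp "$src/privkey.pem" "$src/cert.pem" "$src/chain.pem" "$stage/"
    chown -R zimbra:zimbra "$stage"; chmod 600 "$stage/privkey.pem"
    su - zimbra -c "zmcertmgr verifycrt comm $stage/privkey.pem $stage/cert.pem $stage/chain.pem"
    cp "$stage/privkey.pem" "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key"
    chown zimbra:zimbra "$ZIMBRA_HOME/ssl/zimbra/commercial/commercial.key"
    su - zimbra -c "zmcertmgr deploycrt comm $stage/cert.pem $stage/chain.pem"
    su - zimbra -c "zmcontrol restart"
}
# Usage: sh zimbra-le.sh dry-run, then sh zimbra-le.sh issue (deploys only on issue)
if [ "${1:-}" = dry-run ] || [ "${1:-}" = issue ]; then
    certbot $(certbot_args "$1" mail.tclc.org mail.tryx.org)
    if [ "$1" = issue ]; then deploy_to_zimbra mail.tclc.org; fi
fi
```

Running the dry-run first costs nothing against the certificate rate limits; the failed-validation limit Osiris mentions still applies, so fix a failing challenge before retrying.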

Hi Osiris and rg305,

I have successfully installed certificates on mail.tclc.org and identified him as "mail.tclc.org" and "mail.tryx.org". This is outstanding! I did not bump into any rate limits. I could not have done it -- or at least I could not have done it anywhere nearly as conveniently -- without the reference to the SysLint article. That was spectacular!

Osiris: for the SysLint article alone, you deserve a beer. If you're ever near Sacramento, contact me. My domain is tryx.org and I am cjm.

rg305: It turns out that the instructions from the SysLint article also describe a cron job that updates the certificates. It may be simpler than your current technique. I don't know how well it behaves, meaning alerting me to what it is planning and then what it is doing, but if I can gauge by the Install/Config/Deploy script, it will work brilliantly.

Thanks for the help,

Chris.

2 Likes

I can't agree more; "my techniques" were created while fighting off dinosaurs.

Glad to hear:

  • there is a "real" guide out there to follow now
  • that you got this going without a hitch

But about that beer... you know you could always send him a virtual one - lol

Cheers from Miami :beers: (for everyone)