Zimbra Mail Server Configuration (Manual?)

Hi Folks,

I run Zimbra, which is a mail server among other things, on CEntOS. I have one server, but it serves two domains, so I need a certificate for both/each domain. I expect SAN to completely address this aspect, although I've installed a server identification certificate on this server before, and it only worked for one of the domains. I never understood why, but I'm happy to conclude that Windows Server Certificate Authority configured the certificate. The installation and configuration process is opaque and tedious. I seek Zimbra configuration advice to the extent that it is available.

I haven't yet investigated how to do any of this with Let's Encrypt, but I have been warned about rate limits, I am understandably cautious about frivolous and erroneous steps. Zimbra runs both Apache and nginx, so I expect there to be complications in installing a signed certificate.

o mail.tclc.org
o mail.tryx.org

My web server is:
o Apache: 2.4.38
o nginx: 1.7.1

The operating system my web server runs on is (include version):
o CEntOS 7

I can login to a root shell on my machine (yes or no, or I don't know):
o Yes

I'm using a control panel to manage my site:
o No

The version of my client is ...
o I haven't gotten this far yet. I expect that what I am doing is unusual and I fear the rate limiting governors. I suspect that I am going to have to do this manually.

Thanks for the help,


1 Like

Information about the rate limits can be found here:

If you just keep thinking straight, everything should be fine (for example, if you actually get a certificate issued, but the next step in the process doesn't work, don't get a new certificate to try the "next step" again and again, but use the already issued certificate for that.. Just think straight..)

Furthermore, if you're still in a testing state, you'd want to use the Staging Environment first and if everything seems to work, you'll switch over to the production environment for a real certificate:

Another thing: it seems your port 80 is filtered. I'm getting time outs for a connection through HTTP, while I'm getting the expected "certificate not trusted" through HTTPS. Let's Encrypt needs an open port 80 for the http-01 challenges. Some more reading material:

(Actually, almost everything in the https://letsencrypt.org/docs/ should be read :wink: )

By the way: it looks like nginx is answering on port 443. So you'd need to configure your nginx with the certificate (TLS). I assume nginx works as a reverse proxy for Apache?

It also seems Zimbra has a How To online for Let's Encrypt: https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate However, personally I think that guide is totally outdated! It says "Last updated 2020-05-20" on the top, but it uses very ancient methods! It uses the letsencrypt-auto script, where the old name "letsencrypt" for the software program was changed to "certbot" EONS ago... It also uses git clone for getting just the script.. No, that guide is horrible, don't use it.


This guide seems pretty straight forward, including automated renewal:

It uses apt-get and the Ubuntu PPA for installing certbot, but that's not applicable for CentOS. You can use the official certbot site for guidance on how to install certbot for CentOS: https://certbot.eff.org/lets-encrypt/centosrhel7-other

I would strongly suggest to try the snapd version, as that's probably the future way to install and maintain certbot by the development team. However, as you can see, it's also possible to use yum.

I have no experience with the certbot-zimbra script (which seems to be some kind of wrapper script around certbot to install the certificate in the right place for Zimbra?) used in that guide though. YMMV.


Hi Osiris,

Thanks for the quick and supportive response. I may have asked the wrong question. And you have answered a question I didn't ask, but I should have.

First: The right question. I seek to identify my mail server to corresponding peer servers, as well as my web server for the users to access the mail archive. Does this additional purpose (SMTP, SMTP-AUTH, SUBMISSION) change the certificate from the assumed purpose (HTTP, HTTPS)? Do I have to do anything special to create this certificate?

I am trying the command line:
certbot certonly -d mail.tclc.org -d mail.tryx.org --standalone --webroot

If I run from /root/certs, will the standalone server drop the certificates there?

Filtered Port 80: "netstat -n | grep 80" shows me that nothing is listening on port 80, so port 80 is free for "certbot ... --standalone" to use.

The Zimbra "Installing a Let's Encrypt SSL Certificate" is pretty bad from the "Let's Encrypt" point of view because they are not current, which means the instructions are simply wrong, but I can understand what they are saying with respect to Zimbra, and that part is accurate; their "Let's Encrypt" instructions and not so good, but I have you guys for that part.

I have run certbot once, and of course it failed the challenges, but I know how to diagnose and debug that. So far, this all seems simple, clear, and self-explanatory. Do I risk rate limit restrictions at this point?

Thanks for the help,


Is probably not going to work well if your mail server is already HTTP enabled.

Requires one additional parameter (per domain): -w
[and the corresponding directory path]

No, unless told otherwise, certbot will always put certs in the cert named subfolder of: /etc/letsencrypt/live/

I also run a zimbra mail server and had to do it before any documentation was available.
In a simplified view, here is what I do every 60ish days:

/opt/zimbra/bin/zmcertmgr verifycrt comm private.key public.key
cp private.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm public.key CA.key
zmcontrol restart

That is done after obtaining the cert and the CA.key file I use is:


According to the how-to's I've read, Zimbra doesn't have anything running on port 80 by default.

Doesn't look that hard to script, right?

Let's Encrypt certificates can be used for securing any TLS service. Not only HTTPS, but also SMTP, IMAP, POP3.

That command cannot be correct. Both --standalone as --webroot are options for selecting an authentication plugin, where only one is allowed. Or at least, only one will be selected. Perhaps certbot chooses the first one? Or the last? I don't know actually. Both authentication plugins work very differently though.

That should be true, if the standalone plugin would actually be used. See above about selecting two authentication plugins.

Strictly speaking "yes", for example, there is a Failed Validation limit of 5 failures per account, per hostname, per hour. Rate limits pertaining certificates will only apply once you actually get a certificate issued. But to be safe, you can use the --dry-run (which won't save anything to disk, but should notify you if a challenge was succesful) or --staging (which will save fake test certificates to disk).

That seems to be true (now - not sure about when I started using it)

Yes, very scriptable.

Hi Osiris and rg305,

I have successfully installed certificates on mail.tclc.org and identified him as "mail.tclc.org" and "mail.tryx.org". This is outstanding! I did not bump into any rate limits. I could not have done it -- or at least I could not have done it anywhere nearly as conveniently -- without the reference to the SysLint article. That was spectacular!

Osiris: for the SysLint article alone, you deserve a beer. If you're ever near Sacramento, contact me. My domain is tryx.org and I am cjm.

rg305: It turns out that the instructions from the SysLint article also describe a cron job that updates the certificates. It may be simpler than your current technique. I don't know how well it behaves, meaning alerting me to what it is planning and then what it is doing, but if I can gauge by the Install/Config/Deploy script, it will work brilliantly.

Thanks for the help,



I can't agree more; "my techniques" were created while fighting off dinosaurs.

Glad to here:

  • there is a "real" guide out there to follow now
  • that you got this going without a hitch

But about that beer... you know you could always send him a virtual one - lol

Cheers from Miami :beers: (for everyone)