[Users] New 8.7.5 Securemail Zimlet
Frédéric Nass
frederic.nass at univ-lorraine.fr
Tue Jun 5 08:36:07 CEST 2018
Hi,
Apparently, the new 8.7.5 securemail Zimlet (com_zimbra_securemail) only
supports using one private/public certificate bundle per user.
You just can't add more than one in Zimbra Preferences. My concern is if
a user had messages signed with his public key associated with private
key #1 and then he changes CA certs provider.
He would then get a private key #2 delivered by the CA along with a new
public key. But by swapping old certs to new ones in Zimbra Preferences,
he wouldn't be able to access his old encrypted messages anymore.
Am I right to think that this requires Zimbra to handle several
certificates on a per user basis, and ask Zimbra to add this feature to
the Zimlet?
Best regards everyone,
Frédéric.
On 17/05/2018 at 17:54, Frédéric Nass wrote:
>
> The only thing that annoys me is that, apparently, the public key of a
> received signed message should be automatically added to the sender
> contact (as stated here
> https://www.zimbra.com/email-server-software/email-encryption/) but
> this does not work with the latest Zimlet. This requires the sender
> and recipient to first exchange their public certificate and add them
> to each other's contacts to start encrypting emails.
>
> Can't remember if this auto add feature ever worked with the previous
> Java Zimlet. If anyone has a clue...
>
> Regards,
> Frédéric.
>
> On 17/05/2018 at 17:27, Frédéric Nass wrote:
>>
>> Hi folks,
>>
>> I finally found the right certificate to add to Zimbra keystore:
>> http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt
>>
>> Thanks to Stefan and his advice on using cert-chain-resolver.sh from
>> https://github.com/zakjan/cert-chain-resolver, I could get the right
>> root and intermediate CA certs that Zimbra needed (out of my personal
>> cert file):
>>
>> What you need to do is:
>>
>> - export personal certificate from firefox to create .p12 file
>> - convert the certificate to PEM with:
>> openssl pkcs12 -in myPersonalCert.p12 -out myPersonnalCert.pem -nodes
>> - use cert-chain-resolver.sh to create chain:
>> cert-chain-resolver.sh -o comodo-root-and-intermediate.pem my-personnal-cert.pem
>> - comodo-root-and-intermediate.pem should contain root and
>> intermediate CA certificates. Keep root cert only and add it to Zimbra:
>> zmcertmgr addcacert /tmp/comodo-root.crt
>>
>> No need to restart mailboxd and you can keep zimbraSmimeOCSPEnabled
>> to TRUE.
>>
>> Regards,
>> Frédéric.
>>
>> On 17/05/2018 at 10:21, Frédéric Nass wrote:
>>> Hi Stefan,
>>>
>>> Here is what I did:
>>>
>>> - Enable securemail zimlet in Zimbra preferences
>>> - Generate a comodo personal cert from here:
>>> https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate
>>> - Download / Install my personal cert in Firefox. Export my personal
>>> cert from Firefox keystore to file.
>>> - Upload my personal cert in Zimbra Preferences / Secure Email.
>>> *Verification fails*
>>> - Search Google for Comodo root and intermediate certs which led me
>>> here:
>>> https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates
>>> and here:
>>> https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl
>>> and there:
>>> https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
>>> - I downloaded and added all root and intermediate #1 and #2 certs
>>> - I added those certs to the keystore and checked with keytool that
>>> they were correctly imported in the keystore
>>> - I restarted mailboxd
>>> - Upload my personal cert again in Zimbra Preferences / Secure
>>> Email. *Still fails*
>>>
>>> I have also tried to cat comodorsaaddtrustca.crt
>>> comodosha256clientauthenticationandsecureemailca.crt >
>>> ca_cert_and_chain.crt then /opt/zimbra/bin/zmcertmgr addcacert
>>> /tmp/COMODO/ca_cert_and_chain.crt
>>> *Still fails*.
>>>
>>> Regards,
>>>
>>> Frédéric.
>>>
>>> ----- On 17 May 18, at 10:09, Stefan Sänger <stefan.saenger at gr13.net>
>>> wrote:
>>>
>>> Hi Frederic,
>>>
>>> are you importing only the root certificate or the complete chain
>>> (without your personal certificate)?
>>>
>>>
>>> best regards,
>>>
>>> Stefan
>>>
>>> On 17.05.2018 at 10:06, Frédéric Nass wrote:
>>> >
>>> > Thanks for all this information Barry. I have root access and I could
>>> > add certs to the keystore but verification still fails when uploading my
>>> > personal cert in Zimbra preferences (because the verification against
>>> > all Comodo certs that I add to the keystore still fails).
>>> >
>>> > I used "zmcertmgr addcacert /tmp/comodo.crt" that uses keytool to import
>>> > certificate to the keystore. It must be equivalent to "keytool -import
>>> > -alias xxxxxxx -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
>>> > -storepass changeit -file /tmp/comodo.crt"
>>> >
>>> > Frédéric.
>>> >
>>> >
>>> > ----- On 17 May 18, at 9:33, Barry de Graaff <info at barrydegraaff.tk>
>>> > wrote:
>>> >
>>> > Ahh, AFAIK you do not have to concatenate them.
>>> >
>>> > Instead you can add all required intermediates to the store,
>>> > you need to restart zimbra for the changes to be loaded.
>>> >
>>> > I do not use S/MIME so I cannot give the exact example, but
>>> > for trusting a CA using intermediates I do:
>>> >
>>> > wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O lets.pem
>>> > /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore
>>> > /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem
>>> >
>>> > So the trick there is to get the proper .pem from your CA and import
>>> > that into the keystore.
>>> >
>>> > You can also create a new keystore and put that in
>>> > smime_truststore variable.
>>> >
>>> > You write you cannot add a cert to the store, do you not have root
>>> > access?
>>> >
>>> >
>>> > Kind regards,
>>> >
>>> > Barry de Graaff
>>> > Zeta Alliance
>>> > Co-founder & Developer
>>> > zetalliance.org | github.com/Zimbra-Community
>>> >
>>> > +31 617 220 227 | skype: barrydegraaff.tk
>>> > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>>> >
>>> > ----- Original Message -----
>>> > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>>> > To: "Barry de Graaff" <info at barrydegraaff.tk>
>>> > Cc: "users" <users at lists.zetalliance.org>
>>> > Sent: Thursday, May 17, 2018 9:26:18 AM
>>> > Subject: Re: [Users] New 8.7.5 Securemail Zimlet
>>> >
>>> > Hi Barry,
>>> >
>>> > I have no idea.
>>> >
>>> > Actually, Zimbra provides a keystore for smime certs validation. But
>>> > it's empty of any trusted external CA.
>>> >
>>> > [zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime'
>>> > imapd_keystore = /opt/zimbra/conf/imapd.keystore
>>> > imapd_keystore_password = *
>>> > mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
>>> > mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
>>> > mailboxd_keystore_base_password = *
>>> > mailboxd_keystore_password = *
>>> > smime_truststore = ${mailboxd_truststore}
>>> > smime_truststore_password = *
>>> >
>>> > [zimbra at test-zimbra ~]$ keytool -list -keystore
>>> > /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit
>>> >
>>> > Keystore type: JKS
>>> > Keystore provider: SUN
>>> >
>>> > Your keystore contains 183 entries
>>> >
>>> > tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry,
>>> > Certificate fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
>>> > tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry,
>>> > Certificate fingerprint (SHA1): 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
>>> > tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry,
>>> > ...
>>> > Certificate fingerprint (SHA1): AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
>>> > my_ca, Mar 21, 2018, trustedCertEntry,
>>> > ...
>>> > Certificate fingerprint (SHA1): D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
>>> > tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry,
>>> > Certificate fingerprint (SHA1): 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
>>> > tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry,
>>> > Certificate fingerprint (SHA1): 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
>>> > tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry,
>>> > etc.
>>> >
>>> > But no Comodo, Verisign, etc...
>>> >
>>> > I added all the certs from
>>> > https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to
>>> > the keystore. But verification still fails when uploading personal certs.
>>> >
>>> > Prabhat Kumar on comment 3 of bugzilla report says "Need to add
>>> > intermediate as well of the s/mime certificate."
>>> > Which I did, but still no success.
>>> >
>>> > It seems to me that I should first build a cert by concatenating some
>>> > root and intermediate certs. But which certs in what order I have no
>>> > idea :-/
>>> >
>>> > Regards,
>>> > Frédéric.
>>> >
>>> >
>>> > On 17/05/2018 at 09:04, Barry de Graaff wrote:
>>> > > Is this an open-source component, especially the server side part?
>>> > >
>>> > > If so you can look in there and see if you can use a different
>>> > > keystore.
>>> > >
>>> > > Kind regards,
>>> > >
>>> > > Barry de Graaff
>>> > > Zeta Alliance
>>> > > Co-founder & Developer
>>> > > zetalliance.org | github.com/Zimbra-Community
>>> > >
>>> > > +31 617 220 227 | skype: barrydegraaff.tk
>>> > > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>>> > >
>>> > > ----- Original Message -----
>>> > > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>>> > > To: "users" <users at lists.zetalliance.org>
>>> > > Sent: Thursday, May 17, 2018 8:32:16 AM
>>> > > Subject: [Users] New 8.7.5 Securemail Zimlet
>>> > >
>>> > > Hi,
>>> > >
>>> > > Has anyone succeeded in using the new 8.7.5 securemail Zimlet
>>> > > (com_zimbra_securemail)?
>>> > >
>>> > > Personal certificate uploads fail unless you disable the certificate
>>> > > verification check or add the root CA to Zimbra keystore which I can't
>>> > > do. This has been explained here:
>>> > > https://bugzilla.zimbra.com/show_bug.cgi?id=107887
>>> > > Problem is that Zimbra does not provide any external CA keystore to
>>> > > validate personal certificates.
>>> > >
>>> > > There is no documentation and Zimbra support is as usual of no help.
>>> > >
>>> > > Regards,
>>> > >
>>> >
>>>
>>
>
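As an added example (not code from the thread, from Zimbra or from cert-chain-resolver), the Go program below builds a constructed root -> intermediate -> personal S/MIME chain, picks the self-signed certificate out of a resolved CA bundle the way the thread ends up doing by hand, and checks that the personal certificate verifies once that root alone sits in the truststore, with the intermediate supplied beside the certificate. The newCert, pickRoots and verifyPersonal functions and all names in it are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues one certificate of a constructed test chain; a nil parent yields a self-signed root.
func newCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !ca { // the personal certificate signs/encrypts mail instead of issuing certificates
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pickRoots keeps the self-signed members of a resolved CA bundle (issuer equals subject and
// the signature verifies under its own key): the part to hand to zmcertmgr addcacert.
func pickRoots(bundle []*x509.Certificate) (roots []*x509.Certificate) {
	for _, c := range bundle {
		if bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil {
			roots = append(roots, c)
		}
	}
	return roots
}

// verifyPersonal models the upload check: the personal certificate must chain to a root in the truststore.
func verifyPersonal(leaf *x509.Certificate, intermediates, truststore *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: truststore, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}
```

Against a real bundle such as comodo-root-and-intermediate.pem, decode the PEM blocks with encoding/pem and x509.ParseCertificate before calling pickRoots.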