[Users] New 8.7.5 Securemail Zimlet

Barry de Graaff info at barrydegraaff.tk
Thu May 17 09:33:19 CEST 2018


Ahh, AFAIK you do not have to concatenate them.

Instead you can add all required intermediates to the store;
you need to restart Zimbra for the changes to be loaded.

I do not use S/MIME so I cannot give the exact example, but
for trusting a CA using intermediates I do:

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O /root/lets.pem
/opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem

So the trick there is to get the proper .pem from your CA and import that into
the keystore.

You can also create a new keystore and put that in
the smime_truststore variable.

You write you cannot add a cert to the store, do you not have root access?


Kind regards, 

Barry de Graaff
Zeta Alliance 
Co-founder & Developer
zetalliance.org | github.com/Zimbra-Community

+31 617 220 227 | skype: barrydegraaff.tk
Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

----- Original Message -----
From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
To: "Barry de Graaff" <info at barrydegraaff.tk>
Cc: "users" <users at lists.zetalliance.org>
Sent: Thursday, May 17, 2018 9:26:18 AM
Subject: Re: [Users] New 8.7.5 Securemail Zimlet

Hi Barry,

I have no idea.

Actually, Zimbra provides a keystore for S/MIME cert validation. But 
it's empty of any trusted external CA.

[zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime'
imapd_keystore = /opt/zimbra/conf/imapd.keystore
imapd_keystore_password = *
mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
mailboxd_keystore_base_password = *
mailboxd_keystore_password = *
smime_truststore = ${mailboxd_truststore}
smime_truststore_password = *

[zimbra at test-zimbra ~]$ keytool -list -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 183 entries

tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 
85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 
8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry,
...
Certificate fingerprint (SHA1): 
AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
my_ca, Mar 21, 2018, trustedCertEntry,
...
Certificate fingerprint (SHA1): 
D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 
48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 
28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry,
etc.

But no Comodo, Verisign, etc...

I added all the certs from 
https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to the 
keystore. But verification still fails when uploading personal certs.

Prabhat Kumar, in comment 3 of the Bugzilla report, says "Need to add 
intermediate as well of the s/mime certificate."
Which I did, but still no success.

It seems to me that I should first build a cert by concatenating some 
root and intermediate certs. But which certs in what order I have no 
idea :-/

Regards,
Frédéric.


On 17/05/2018 at 09:04, Barry de Graaff wrote:
> Is this an open-source component, especially the server side part?
>
> If so you can look in there and see if you can use a different keystore.
>
> Kind regards,
>
> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community
>
> +31 617 220 227 | skype: barrydegraaff.tk
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>
> ----- Original Message -----
> From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
> To: "users" <users at lists.zetalliance.org>
> Sent: Thursday, May 17, 2018 8:32:16 AM
> Subject: [Users] New 8.7.5 Securemail Zimlet
>
> Hi,
>
> Has anyone succeeded in using the new 8.7.5 securemail Zimlet
> (com_zimbra_securemail)?
>
> Personal certificate uploads fail unless you disable the certificate
> verification check or add the root CA to Zimbra keystore which I can't
> do. This has been explained here:
> https://bugzilla.zimbra.com/show_bug.cgi?id=107887
> Problem is that Zimbra does not provide any external CA keystore to
> validate personal certificates.
>
> There is no documentation and Zimbra support is as usual of no help.
>
> Regards,
>
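
The aliases in the `keytool -list` output quoted in this thread are mostly temp-file names, so whether a given root or intermediate is already in a store is easier to confirm by SHA1 fingerprint than by alias. The following is an added example, not part of the original messages and not Zimbra code: it parses a listing in the format shown above and looks up a PEM file's fingerprint. The sample listing, the alias `example_ca` and the PEM body are constructed placeholders, and the date pattern assumes the English-locale output seen in the thread.

```python
import base64
import hashlib
import re
import ssl
ENTRY_RE = re.compile(r"^(?P<alias>.+?), [A-Z][a-z]{2} \d{1,2}, \d{4}, \w+,$")
FP_RE = re.compile(r"^(?:[0-9A-F]{2}:){19}[0-9A-F]{2}$")
FP_LABEL = "Certificate fingerprint (SHA1):"  # label as printed in the thread

def pem_sha1_fingerprint(pem_text):
    """SHA-1 over the DER bytes, formatted the way keytool prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_keytool_list(text):
    """Map fingerprint -> alias; accepts fingerprints wrapped onto the next line."""
    by_fp, alias, expect_fp = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if entry:
            alias, expect_fp = entry.group("alias"), False
            continue
        if line.startswith(FP_LABEL):
            line, expect_fp = line[len(FP_LABEL):].strip(), True
        if expect_fp and alias is not None and FP_RE.match(line):
            by_fp[line] = alias
            alias, expect_fp = None, False
    return by_fp

def find_alias(pem_text, listing_text):
    """Alias under which the certificate is stored, or None if absent."""
    return parse_keytool_list(listing_text).get(pem_sha1_fingerprint(pem_text))

# Constructed sample data: placeholder bytes in a PEM wrapper, not a real CA.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed placeholder, not a certificate").decode()
              + "-----END CERTIFICATE-----\n")
WRAPPED_FP = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
SAMPLE_LISTING = (
    "Keystore type: JKS\n\n"
    "tmp/build/aaaa.der, Feb 12, 2016, trustedCertEntry,\n"
    "Certificate fingerprint (SHA1): \n" + WRAPPED_FP + "\n"
    "example_ca, Mar 21, 2018, trustedCertEntry,\n"
    "Certificate fingerprint (SHA1): " + pem_sha1_fingerprint(SAMPLE_PEM) + "\n")

if __name__ == "__main__":
    print(find_alias(SAMPLE_PEM, SAMPLE_LISTING))
```

In practice the listing text would be the saved output of `keytool -list` and the PEM text would be each root or intermediate file obtained from the CA.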
