[Users] New 8.7.5 Securemail Zimlet

Frédéric Nass frederic.nass at univ-lorraine.fr
Thu May 17 10:06:40 CEST 2018


Thanks for all these informations Barry. I have root access and I could add certs to the keystore but verification still fails when uploading my personnal cert in Zimbra preferences (because the verification against all Comodo certs that I add to the keystore still fails). 

I used "zmcertmgr addcacert /tmp/comodo.crt" that uses keytool to import certificate to the keystore. It must be equivalent to "keytool -import -alias xxxxxxx -keystore /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -file /tmp/comodo.crt" 

Frédéric. 

----- Le 17 Mai 18, à 9:33, Barry de Graaff <info at barrydegraaff.tk> a écrit : 

> Ahh, AFAIK you do not have to concatenate them.

> Instead you can add all required intermediates to the store,
> you need to restart zimbra for the changes to be loaded.

> I do not use S/MIME so I cannot give the exact example, but
> for trusting a CA using intermediates I do:

> wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O
> lets.pem
> /opt/zimbra/common/bin/keytool -import -alias letsenc-ca -keystore
> /opt/zimbra/common/etc/java/cacerts -storepass changeit -file /root/lets.pem

> So the trick there is to get the proper .pem from you CA and import that into
> the keystore.

> You can also create a new keystore and put that in
> smime_truststore variable.

> You write you cannot add a cert to the store, do you not have root access?

> Kind regards,

> Barry de Graaff
> Zeta Alliance
> Co-founder & Developer
> zetalliance.org | github.com/Zimbra-Community

> +31 617 220 227 | skype: barrydegraaff.tk
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

> ----- Original Message -----
> From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
> To: "Barry de Graaff" <info at barrydegraaff.tk>
> Cc: "users" <users at lists.zetalliance.org>
> Sent: Thursday, May 17, 2018 9:26:18 AM
> Subject: Re: [Users] New 8.7.5 Securemail Zimlet

> Hi Barry,

> I have no idea.

> Actually, Zimbra provides a keystore for smime certs validation. But
> it's empty from any trusty external CA.

> [zimbra at test-zimbra ~]$ zmlocalconfig | grep -E 'keystore|smime'
> imapd_keystore = /opt/zimbra/conf/imapd.keystore
> imapd_keystore_password = *
> mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
> mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
> mailboxd_keystore_base_password = *
> mailboxd_keystore_password = *
> smime_truststore = ${mailboxd_truststore}
> smime_truststore_password = *

> [zimbra at test-zimbra ~]$ keytool -list -keystore
> /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts -storepass changeit

> Keystore type: JKS
> Keystore provider: SUN

> Your keystore contains 183 entries

> tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
> tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
> tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016, trustedCertEntry,
> ...
> Certificate fingerprint (SHA1):
> AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
> my_ca, Mar 21, 2018, trustedCertEntry,
> ...
> Certificate fingerprint (SHA1):
> D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
> tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
> tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
> tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016, trustedCertEntry,
> etc.

> But no Comodo, Verisign, etc...

> I added all the certs from
> https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to the
> keystore. But verification still fails when uploading personal certs.

> Prabhat Kumar on comment 3 of bugzilla report says "Need to add
> intermediate as well of the s/mime certificate."
> Which I did, but still no success.

> It seems to me that I should first build a cert by concatenating some
> root and intermediate certs. But which certs in what order I have no
> idea :-/

> Regards,
> Frédéric.

> Le 17/05/2018 à 09:04, Barry de Graaff a écrit :
> > Is this an open-source component, especially the server side part?

> > If so you can look in there an see if you can use a different keystore.

> > Kind regards,

> > Barry de Graaff
> > Zeta Alliance
> > Co-founder & Developer
> > zetalliance.org | github.com/Zimbra-Community

> > +31 617 220 227 | skype: barrydegraaff.tk
> > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0

> > ----- Original Message -----
> > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
> > To: "users" <users at lists.zetalliance.org>
> > Sent: Thursday, May 17, 2018 8:32:16 AM
> > Subject: [Users] New 8.7.5 Securemail Zimlet

> > Hi,

> > Has anyone succeded in using the new 8.7.5 securemail Zimlet
> > (com_zimbra_securemail)?

> > Personnal certificates uploads fail unless you disable the certificate
> > verification check or add the root CA to Zimbra keystore which I can't
> > do. This has been explained here :
> > https://bugzilla.zimbra.com/show_bug.cgi?id=107887
> > Problem is that Zimbra does not provide any external CA keystore to
> > validate personnal certificates.

> > There is no documentation and Zimbra support is as usual of no help.

> > Regards,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zetalliance.org/pipermail/users_lists.zetalliance.org/attachments/20180517/b89438dc/attachment.html>


More information about the Users mailing list