[Users] New 8.7.5 Securemail Zimlet
Frédéric Nass
frederic.nass at univ-lorraine.fr
Fri May 18 15:48:46 CEST 2018
Hi,
Me again. :-)
My concern is now to be able to backup and restore any user's personal
certs in case a user has accidentally removed his/her certs from Zimbra
and lost his/her .p12 file (which could result in forever encrypted
messages).
Apparently, the certs are just blobs on the filesystem and their mysql
entries are of type 8 (document):
[zimbra at test-z1 ~]$ mysql -e "select * from mboxgroup64.mail_item where
mailbox_id=2264 and type='8' and metadata LIKE '%algorithm%' \G"
*************************** 1. row ***************************
mailbox_id: 2264
id: 322
type: 8
parent_id: NULL
folder_id: 260
prev_folders: NULL
index_id: 0
imap_id: 322
date: 1526633127
size: 1356
locator: < path_to_file >
blob_digest: A6OKuOahXwEucedwefILfEr2r8ITP16AZ3sK4W0fg60=
unread: NULL
flags: 0
tags: 0
tag_names: NULL
sender: < email at domaine.com >
recipients: NULL
subject: certificat_personnel_comodo_2018.pem
name: certificat_personnel_comodo_2018.pem
metadata: d2:cr30:< email at domaine.com
>2:ct24:application/octet-stream2:de36:certificat_personnel_comodo_2018.pem3:dee5:false1:f0:2:lti0e5:mdveri2e2:ua45:ZimbraWebClient - FF59 (Linux)/8.7.11_GA_18541:vi10e14:xd.pubCertInfo465:d9:algorithm13:SHA256withRSA5:alias23:�s comodo ca limited id12:emailAddress30:< email at domaine.com >7:endDate13:15579647990004:ib_c2:GB5:ib_cn52:COMODO RSA Client Authentication and Secure Email CA4:ib_l7:Salford4:ib_o17:COMODO CA Limited5:ib_st18:Greater Manchester15:it_emailAddress30:< email at domaine.com >16:san_rfc822Name.030:< email at domaine.com >8:serialNo39:2746440112074918991892955858491277091199:startDate13:15263424000001:vi10eee
mod_metadata: 404
change_date: 1526633127
mod_content: 404
uuid: b9674406-ec48-45d8-8c6e-dc9473b2c843
*************************** 2. row ***************************
mailbox_id: 2264
id: 323
type: 8
parent_id: 322
folder_id: 260
prev_folders: NULL
index_id: 0
imap_id: 323
date: 1526633127
size: 1668
locator: < path_to_file >
blob_digest: S15jzK3gGj+D,3MfrWnQ5o24LsiV4RmIHqol6teK0X8=
unread: NULL
flags: 0
tags: 0
tag_names: NULL
sender: < email at domaine.com >
recipients: NULL
subject: certificat_personnel_comodo_2018.key
name: certificat_personnel_comodo_2018.key
metadata: d2:cr30:< email at domaine.com
>2:ct24:application/octet-stream2:de36:certificat_personnel_comodo_2018.key3:dee5:false1:f4: ...2:lti0e5:mdveri2e2:ua45:ZimbraWebClient - FF59 (Linux)/8.7.11_GA_18541:vi10e17:xd.privateKeyInfo44:d9:algorithm3:RSA9:keyFormat6:PKCS#81:vi10eee
mod_metadata: 405
change_date: 1526633127
mod_content: 405
uuid: 72f15062-adf6-4db3-9f78-789a34aa8cc9
So from backups, admins can still get the 2 files (a .key file and .pem
file). But they're binary files and I have no idea how to get them back
to -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- then back
to .p12 so I can get them back in Zimbra from ZWC.
We could still inject mysql entries and get the blobs back on filesystem
but I'd like something more ready to use.
Any idea?
Regards,
Frédéric.
PS: If I can get all this done, I'll try to sum it up so we can finally
use S/MIME in Zimbra.
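As an added example (not part of the original mail or of Zimbra), one way to turn the two recovered blobs back into a .p12 with openssl, assuming the cert blob is a DER or PEM X.509 certificate and the key blob is an unencrypted PKCS#8 key, as the metadata above (keyFormat PKCS#8, algorithm RSA) suggests; function and file names are assumptions:

```shell
#!/bin/sh
# Rebuild a user's S/MIME .p12 from the two mail_item blobs (type 8,
# xd.pubCertInfo and xd.privateKeyInfo) pulled back from a Zimbra backup.
# Assumed (not stated in the thread): the cert blob is DER or PEM X.509 and
# the key blob is an unencrypted PKCS#8 key, as the metadata suggests.
set -eu

# Emit PEM for a blob that is either DER or already PEM.  $1=blob $2=cert|key
blob_to_pem() {
    if grep -aq -- '-----BEGIN' "$1"; then
        cat "$1"                                   # already PEM, pass through
    elif [ "$2" = cert ]; then
        openssl x509 -inform DER -in "$1"          # DER cert -> PEM cert
    else
        openssl pkey -inform DER -in "$1"          # DER PKCS#8 -> PEM key
    fi
}

# restore_p12 CERT_BLOB KEY_BLOB OUT_P12 EXPORT_PASSWORD
restore_p12() {
    tmp=$(mktemp -d)
    blob_to_pem "$1" cert > "$tmp/cert.pem"
    blob_to_pem "$2" key  > "$tmp/key.pem"
    # Refuse to package a key that does not belong to this certificate:
    # compare the SubjectPublicKeyInfo carried by each side.
    if [ "$(openssl x509 -in "$tmp/cert.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$tmp/key.pem" -pubout)" ]; then
        rm -rf "$tmp"
        echo "restore_p12: private key does not match certificate" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -out "$3" -passout "pass:$4"
    rm -rf "$tmp"
    # Final check: the bundle opens with the password and its MAC verifies
    openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys -clcerts -noout
}
```

The resulting .p12 can then be uploaded again through Preferences / Secure Email in ZWC; if the key blob turns out to be an encrypted PKCS#8 structure, the pkey step will ask for its passphrase.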
On 17/05/2018 at 17:54, Frédéric Nass wrote:
>
> The only thing that annoys me is that, apparently, the public key of a
> received signed message should be automatically added to the sender
> contact (as stated here
> https://www.zimbra.com/email-server-software/email-encryption/) but
> this does not work with the latest Zimlet. This requires the sender
> and recipient to first exchange their public certificate and add them
> to each other's contacts to start encrypting emails.
>
> Can't remember if this auto add feature ever worked with the previous
> Java Zimlet. If anyone has a clue...
>
> Regards,
> Frédéric.
>
> On 17/05/2018 at 17:27, Frédéric Nass wrote:
>>
>> Hi folks,
>>
>> I finally found the right certificate to add to Zimbra keystore:
>> http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt
>>
>> Thanks to Stefan and his advice on using cert-chain-resolver.sh from
>> https://github.com/zakjan/cert-chain-resolver, I could get the right
>> root and intermediate CA certs that Zimbra needed (out of my personal
>> cert file):
>>
>> What you need to do is:
>>
>> - export personal certificate from firefox to create .p12 file
>> - convert the certificate to PEM with:
>> openssl pkcs12 -in myPersonalCert.p12 -out myPersonnalCert.pem -nodes
>> - use cert-chain-resolver.sh to create chain:
>> cert-chain-resolver.sh -o comodo-root-and-intermediate.pem
>> my-personnal-cert.pem
>> - comodo-root-and-intermediate.pem should contain root and
>> intermediate CA certificates. Keep root cert only and add it to Zimbra:
>> zmcertmgr addcacert /tmp/comodo-root.crt
>>
>> No need to restart mailboxd and you can keep zimbraSmimeOCSPEnabled
>> to TRUE.
>>
>> Regards,
>> Frédéric.
>>
>> On 17/05/2018 at 10:21, Frédéric Nass wrote:
>>> Hi Stefan,
>>>
>>> Here is what I did:
>>>
>>> - Enable securemail zimlet in Zimbra preferences
>>> - Generate a comodo personal cert from here:
>>> https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate
>>> - Download / Install my personal cert in Firefox. Export my personal
>>> cert from Firefox keystore to file.
>>> - Upload my personal cert in Zimbra Preferences / Secure Email.
>>> *Verification fail*
>>> - Search Google for Comodo root and intermediate certs which led me
>>> here:
>>> https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates
>>> and here:
>>> https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl
>>> and there:
>>> https://support.comodo.com/index.php?/Knowledgebase/List/Index/71
>>> - I downloaded and added all root and intermediate #1 and #2 certs
>>> - I added those certs to the keystore and checked with keytool that
>>> they were correctly imported in the keystore
>>> - I restarted mailboxd
>>> - Upload my personal cert again in Zimbra Preferences / Secure
>>> Email. *Still fails*
>>>
>>> I have also tried to cat comodorsaaddtrustca.crt
>>> comodosha256clientauthenticationandsecureemailca.crt >
>>> ca_cert_and_chain.crt then /opt/zimbra/bin/zmcertmgr addcacert
>>> /tmp/COMODO/ca_cert_and_chain.crt
>>> *Still fails*.
>>>
>>> Regards,
>>>
>>> Frédéric.
>>>
>>> ----- On 17 May 18, at 10:09, Stefan Sänger <stefan.saenger at gr13.net>
>>> wrote:
>>>
>>> Hi Frederic,
>>>
>>> are you importing only the root certificate or the complete chain
>>> (without your personal certificate) ?
>>>
>>>
>>> best regards,
>>>
>>> Stefan
>>>
>>> On 17.05.2018 at 10:06, Frédéric Nass wrote:
>>> >
>>> > Thanks for all this information Barry. I have root access
>>> and I could
>>> > add certs to the keystore but verification still fails when
>>> uploading my
>>> > personal cert in Zimbra preferences (because the verification
>>> against
>>> > all Comodo certs that I add to the keystore still fails).
>>> >
>>> > I used "zmcertmgr addcacert /tmp/comodo.crt" that uses keytool
>>> to import
>>> > certificate to the keystore. It must be equivalent to "keytool
>>> -import
>>> > -alias xxxxxxx -keystore
>>> > /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
>>> -storepass
>>> > changeit -file /tmp/comodo.crt"
>>> >
>>> > Frédéric.
>>> >
>>> >
>>> > ----- On 17 May 18, at 9:33, Barry de Graaff
>>> <info at barrydegraaff.tk>
>>> > wrote:
>>> >
>>> > Ahh, AFAIK you do not have to concatenate them.
>>> >
>>> > Instead you can add all required intermediates to the store,
>>> > you need to restart zimbra for the changes to be loaded.
>>> >
>>> > I do not use S/MIME so I cannot give the exact example, but
>>> > for trusting a CA using intermediates I do:
>>> >
>>> > wget
>>> > https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
>>> > -O lets.pem
>>> > /opt/zimbra/common/bin/keytool -import -alias letsenc-ca
>>> -keystore
>>> > /opt/zimbra/common/etc/java/cacerts -storepass changeit -file
>>> > /root/lets.pem
>>> >
>>> > So the trick there is to get the proper .pem from your CA
>>> and import
>>> > that into
>>> > the keystore.
>>> >
>>> > You can also create a new keystore and put that in
>>> > smime_truststore variable.
>>> >
>>> > You write you cannot add a cert to the store, do you not
>>> have root
>>> > access?
>>> >
>>> >
>>> > Kind regards,
>>> >
>>> > Barry de Graaff
>>> > Zeta Alliance
>>> > Co-founder & Developer
>>> > zetalliance.org | github.com/Zimbra-Community
>>> >
>>> > +31 617 220 227 | skype: barrydegraaff.tk
>>> > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>>> >
>>> > ----- Original Message -----
>>> > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>>> > To: "Barry de Graaff" <info at barrydegraaff.tk>
>>> > Cc: "users" <users at lists.zetalliance.org>
>>> > Sent: Thursday, May 17, 2018 9:26:18 AM
>>> > Subject: Re: [Users] New 8.7.5 Securemail Zimlet
>>> >
>>> > Hi Barry,
>>> >
>>> > I have no idea.
>>> >
>>> > Actually, Zimbra provides a keystore for smime certs
>>> validation. But
>>> > it's empty of any trusted external CA.
>>> >
>>> > [zimbra at test-zimbra ~]$ zmlocalconfig | grep -E
>>> 'keystore|smime'
>>> > imapd_keystore = /opt/zimbra/conf/imapd.keystore
>>> > imapd_keystore_password = *
>>> > mailboxd_keystore = /opt/zimbra/mailboxd/etc/keystore
>>> > mailboxd_keystore_base = ${zimbra_home}/conf/keystore.base
>>> > mailboxd_keystore_base_password = *
>>> > mailboxd_keystore_password = *
>>> > smime_truststore = ${mailboxd_truststore}
>>> > smime_truststore_password = *
>>> >
>>> > [zimbra at test-zimbra ~]$ keytool -list -keystore
>>> > /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
>>> -storepass
>>> > changeit
>>> >
>>> > Keystore type: JKS
>>> > Keystore provider: SUN
>>> >
>>> > Your keystore contains 183 entries
>>> >
>>> > tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > Certificate fingerprint (SHA1):
>>> > 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
>>> > tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > Certificate fingerprint (SHA1):
>>> > 8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58
>>> > tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > ...
>>> > Certificate fingerprint (SHA1):
>>> > AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA
>>> > my_ca, Mar 21, 2018, trustedCertEntry,
>>> > ...
>>> > Certificate fingerprint (SHA1):
>>> > D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
>>> > tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > Certificate fingerprint (SHA1):
>>> > 48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D
>>> > tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > Certificate fingerprint (SHA1):
>>> > 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
>>> > tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12, 2016,
>>> trustedCertEntry,
>>> > etc.
>>> >
>>> > But no Comodo, Verisign, etc...
>>> >
>>> > I added all the certs from
>>> >
>>> https://support.comodo.com/index.php?/Knowledgebase/List/Index/71 to
>>> > the
>>> > keystore. But verification still fails when uploading
>>> personal certs.
>>> >
>>> > Prabhat Kumar on comment 3 of bugzilla report says "Need
>>> to add
>>> > intermediate as well of the s/mime certificate."
>>> > Which I did, but still no success.
>>> >
>>> > It seems to me that I should first build a cert by
>>> concatenating some
>>> > root and intermediate certs. But which certs in what order
>>> I have no
>>> > idea :-/
>>> >
>>> > Regards,
>>> > Frédéric.
>>> >
>>> >
>>> > On 17/05/2018 at 09:04, Barry de Graaff wrote:
>>> > > Is this an open-source component, especially the server
>>> side part?
>>> > >
>>> > > If so you can look in there an see if you can use a
>>> different
>>> > keystore.
>>> > >
>>> > > Kind regards,
>>> > >
>>> > > Barry de Graaff
>>> > > Zeta Alliance
>>> > > Co-founder & Developer
>>> > > zetalliance.org | github.com/Zimbra-Community
>>> > >
>>> > > +31 617 220 227 | skype: barrydegraaff.tk
>>> > > Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0
>>> > >
>>> > > ----- Original Message -----
>>> > > From: "Frédéric Nass" <frederic.nass at univ-lorraine.fr>
>>> > > To: "users" <users at lists.zetalliance.org>
>>> > > Sent: Thursday, May 17, 2018 8:32:16 AM
>>> > > Subject: [Users] New 8.7.5 Securemail Zimlet
>>> > >
>>> > > Hi,
>>> > >
>>> > > Has anyone succeeded in using the new 8.7.5 securemail
>>> Zimlet
>>> > > (com_zimbra_securemail)?
>>> > >
>>> > > Personal certificate uploads fail unless you disable the
>>> > certificate
>>> > > verification check or add the root CA to Zimbra
>>> keystore which I
>>> > can't
>>> > > do. This has been explained here:
>>> > > https://bugzilla.zimbra.com/show_bug.cgi?id=107887
>>> > > Problem is that Zimbra does not provide any external CA
>>> keystore to
>>> > > validate personal certificates.
>>> > >
>>> > > There is no documentation and Zimbra support is as
>>> usual of no help.
>>> > >
>>> > > Regards,
>>> > >
>>> >
>>>
>>
>
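For the chain step quoted above from the 17/05 17:27 mail (keep only the root out of comodo-root-and-intermediate.pem before running zmcertmgr addcacert), an added shell example that is not from the thread or from Zimbra: it picks the self-issued root out of any PEM bundle, whatever the order of the certificates; function and file names are assumptions.

```shell
#!/bin/sh
# Pick the self-issued root out of a PEM bundle such as the
# comodo-root-and-intermediate.pem produced by cert-chain-resolver.sh, so
# that only the root goes to "zmcertmgr addcacert".  Function and file
# names are assumptions; this is not code from the thread or from Zimbra.
set -e

# extract_root_ca BUNDLE_PEM OUT_PEM  -> succeeds only if exactly one root found
extract_root_ca() {
    bundle=$1; out=$2
    tmp=$(mktemp -d); found=0
    # Split the bundle into cert-1.pem, cert-2.pem, ... (one cert per file)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    for c in "$tmp"/cert-*.pem; do
        [ -f "$c" ] || continue
        subj=$(openssl x509 -in "$c" -noout -subject)
        iss=$(openssl x509 -in "$c" -noout -issuer)
        # A root is self-issued (issuer DN == subject DN) and verifies
        # against its own key; intermediates fail the first test.
        if [ "${subj#subject=}" = "${iss#issuer=}" ] &&
           openssl verify -CAfile "$c" "$c" >/dev/null 2>&1; then
            cp "$c" "$out"; found=$((found + 1))
        fi
    done
    rm -rf "$tmp"
    [ "$found" -eq 1 ]
}
```

If the bundle contains no root at all (or more than one), the function fails instead of writing a file, so a script calling `zmcertmgr addcacert` afterwards does not import the wrong certificate.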