[Users] Certificate by domain work for 443 but not 993
Anahuac
anahuac at anahuac.eu
Fri Jul 16 23:01:08 CEST 2021
Oh!!!!!
I'm happy it's not just me going crazy about it =)
Thanks Tony
regards
----- Original message -----
> From: "Tony Publiski" <tonster at tonster.com>
> To: "anahuac" <anahuac at anahuac.eu>
> Cc: "users" <users at lists.zetalliance.org>
> Sent: Friday, July 16, 2021 17:55:00
> Subject: Re: [Users] Certificate by domain work for 443 but not 993
> You're correct, it's unsupported at this time for imaps/pop3s, and really I do
> not believe there is effort being made to change that. You would need to hack
> the nginx configurations to make it work, and you'd need to continually do that
> to make it work for upgrades so it's non-trivial to work around it.
>
> https://bugzilla.zimbra.com/show_bug.cgi?id=107293
> https://bugzilla.zimbra.com/show_bug.cgi?id=103362
>
> Tony
>
> ----- Original Message -----
> From: "Anahuac" <anahuac at anahuac.eu>
> To: "users" <users at lists.zetalliance.org>
> Sent: Friday, July 16, 2021 4:41:01 PM
> Subject: [Users] Certificate by domain work for 443 but not 993
>
>
> Hello guys,
>
> I was setting up Let's Encrypt certificates by domain for a customer and realized
> that it works perfectly to access the webmail using a browser, but not when I
> try to use an e-mail client.
> I followed all instructions from
> https://wiki.zimbra.com/wiki/SSL_certificates_per_domain like I have done
> thousands of times but then HTTPS works right but IMAP doesn't.
>
> So I set up a test environment, doing it all from scratch, and I can't figure
> it out:
>
> - zimbraVirtualHostname : check
> - let's encrypt generated and deployed : check
> - access that domain on the browser : check
> - access that domain on 993 : certificate error
>
> I can see all the right confs in nginx.conf.mail.imaps like this:
>
>
> server
> {
>     server_name mail.testes.mailtester.com.br;
>     #listen 993 ipv6only=off ssl;
>     listen 993 ssl;
>     #listen 993 ssl;
>     protocol imap;
>     proxy on;
>     timeout 60;
>     proxy_timeout 2100;
>     ssl_certificate /opt/zimbra/conf/domaincerts/testes.mailtester.com.br.crt;
>     ssl_certificate_key /opt/zimbra/conf/domaincerts/testes.mailtester.com.br.key;
>     sasl_service_name "imap";
> }
>
> but when I test the certificate it returns the default from the main domain,
> which causes the error.
>
> You might like to test it yourselves
>
> This returns the right CN:
>
> openssl s_client -connect mail.testes.mailtester.com.br:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep CN
>
> But when I change 443 to 993 it doesn't:
>
> openssl s_client -connect webmail.testes.mailtester.com.br:993 </dev/null 2>/dev/null | openssl x509 -noout -text | grep CN
>
> On this second one CN is the main server name, which means it's returning the
> default certificate and not the virtualhost one.
>
> I'd love to hear your thoughts about it =)
>
> Thanks
>
>
>
>
>
>
> --
> Anahuac de Paula Gil
>
> "It is by stirring things up that one transforms life, man, society, the world".
> Francisco Julião
>
> Anahuac - anahuac.eu
> Telegram: @anahuac
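
Added example, not part of the original messages: a shell check that generalizes the two openssl commands quoted above by sending the same SNI name to several ports and reporting whether the certificate served on each one covers that name (CN or DNS SAN, including a single-label wildcard). The function names and the default port list (443, 993, 995) are assumptions made here, and `x509 -ext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Usage: ./sni-check.sh mail.example.org [port ...]   (script name is hypothetical)

# Print every CN / DNS name found in `openssl x509 -noout -subject -ext
# subjectAltName` output read from stdin, one name per line.
cert_names() {
    tr ',/' '\n\n' | sed -n \
        -e 's/^.*CN *= *\([^ ]*\).*$/\1/p' \
        -e 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Return 0 if NAME ($1) equals one of the names on stdin, or is covered by a
# wildcard entry such as *.example.org (one label only).
name_matches() {
    want=$1
    while IFS= read -r n; do
        case $n in
            "$want") return 0 ;;
            '*.'*)
                base=${n#\*.}
                [ "${want#*.}" = "$base" ] && return 0 ;;
        esac
    done
    return 1
}

# Fetch the certificate served by HOST ($1) on PORT ($2) for SNI name ($3).
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Only touch the network when a hostname is given on the command line.
if [ $# -ge 1 ]; then
    name=$1
    shift
    [ $# -eq 0 ] && set -- 443 993 995
    for port in "$@"; do
        if served_cert "$name" "$port" "$name" | cert_names | name_matches "$name"; then
            echo "$port: certificate covers $name"
        else
            echo "$port: certificate does NOT cover $name (default certificate or no TLS answer)"
        fi
    done
fi
```

With the behaviour described in this thread, port 443 would report a match for the virtual hostname while 993 would report the mismatch line.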