[Users] Certificate by domain work for 443 but not 993
Tony Publiski
tonster at tonster.com
Fri Jul 16 22:55:00 CEST 2021
You're correct, it's unsupported at this time for imaps/pop3s, and really I do not believe there is effort being made to change that. You would need to hack the nginx configurations to make it work, and you'd need to continually do that to make it work for upgrades, so it's non-trivial to work around it.
https://bugzilla.zimbra.com/show_bug.cgi?id=107293
https://bugzilla.zimbra.com/show_bug.cgi?id=103362
Tony
----- Original Message -----
From: "Anahuac" <anahuac at anahuac.eu>
To: "users" <users at lists.zetalliance.org>
Sent: Friday, July 16, 2021 4:41:01 PM
Subject: [Users] Certificate by domain work for 443 but not 993
Hello guys,
I was setting up Let's Encrypt certificates by domain for a customer and realized that it works perfectly to access the webmail using a browser, but not when I try to use an e-mail client.
I followed all instructions from https://wiki.zimbra.com/wiki/SSL_certificates_per_domain like I have done thousands of times, but then HTTPS works right but IMAP doesn't.
So I set up a test environment, doing it all from scratch, and I can't figure it out:
- zimbraVirtualHostname : check
- let's encrypt generated and deployed : check
- access that domain on the browser : check
- access that domain on 993 : certificate error
I can see all the right confs in nginx.conf.mail.imaps like this:

    server
    {
        server_name mail.testes.mailtester.com.br;
        #listen 993 ipv6only=off ssl;
        listen 993 ssl;
        #listen 993 ssl;
        protocol imap;
        proxy on;
        timeout 60;
        proxy_timeout 2100;
        ssl_certificate /opt/zimbra/conf/domaincerts/testes.mailtester.com.br.crt;
        ssl_certificate_key /opt/zimbra/conf/domaincerts/testes.mailtester.com.br.key;
        sasl_service_name "imap";
    }

but when I test the certificate it returns the default from the main domain, which causes the error.
You might like to test it yourselves.
This returns the right CN:
openssl s_client -connect mail.testes.mailtester.com.br:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep CN
But when I change 443 to 993 it doesn't:
openssl s_client -connect webmail.testes.mailtester.com.br:993 </dev/null 2>/dev/null | openssl x509 -noout -text | grep CN
On this second one the CN is the main server name, which means it's returning the default certificate and not the virtualhost one.
I'd love to hear your thoughts about it =)
Thanks
--
Anahuac de Paula Gil
"It is by agitating that life, man, society and the world are transformed."
Francisco Julião
Anahuac - anahuac.eu
Telegram: @anahuac
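The test Anahuac describes above, written up as an added example (not code from the thread or from Zimbra): it asks the proxy for the certificate on 443 and on 993 with the SNI name set explicitly via `-servername` (older OpenSSL s_client versions do not send SNI on their own, so the 443 result can otherwise look wrong for the same reason), extracts the CN from the subject, and reports per port whether the CN matches the virtual hostname. The hostname and ports on the usage line are placeholders to replace with your own.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate a proxy presents on several ports for
# one SNI name. Hostnames below are placeholders, not values from the thread.

# Extract the CN value from an "openssl x509 -noout -subject" line.
# Handles both "subject=C = BR, CN = host" and the older "subject= /C=BR/CN=host".
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Fetch the leaf certificate from host:port with SNI set to $3.
# Prints "CN|sha256-fingerprint"; returns 1 if no certificate came back.
cert_identity() {
  local host="$1" port="$2" sni="$3" pem
  pem=$(openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s|%s\n' \
    "$(cn_from_subject "$(printf '%s\n' "$pem" | openssl x509 -noout -subject)")" \
    "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)"
}

# check_ports HOST SNI PORT...  -> exit 0 only if every port serves a cert whose
# CN equals SNI; otherwise prints which port handed out a different certificate.
check_ports() {
  local host="$1" sni="$2" rc=0 port id cn
  shift 2
  for port in "$@"; do
    if ! id=$(cert_identity "$host" "$port" "$sni"); then
      printf '%s:%s handshake failed or no certificate returned\n' "$host" "$port"
      rc=1
      continue
    fi
    cn=${id%%|*}
    if [ "$cn" = "$sni" ]; then
      printf '%s:%s OK        CN=%s fp=%s\n' "$host" "$port" "$cn" "${id#*|}"
    else
      printf '%s:%s MISMATCH  CN=%s (expected %s) fp=%s\n' "$host" "$port" "$cn" "$sni" "${id#*|}"
      rc=1
    fi
  done
  return $rc
}

# Usage (placeholder host): check_ports mail.example.test mail.example.test 443 993
if [ "$#" -ge 3 ]; then
  check_ports "$@"
fi
```

The fingerprint column is the quick tell: when 443 and 993 print different fingerprints for the same SNI name, the IMAPS listener is serving another certificate (in the case above, the default one) regardless of what `nginx.conf.mail.imaps` says, which is the behaviour Tony's reply and the two bug reports describe.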