<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi,</p>
    <p>Me again. :-)</p>
    <p>My concern is now to be able to back up and restore any user
      personal certs in case a user has accidentally removed his/her
      certs from Zimbra and lost his/her .p12 file (which could result
      in forever encrypted messages).<br>
    </p>
    Apparently, the certs are just blobs on the filesystem and their
    mysql entries are of type 8 (document):<br>
    <br>
    [zimbra@test-z1 ~]$ mysql -e "select * from mboxgroup64.mail_item
    where mailbox_id=2264 and type='8' and metadata LIKE '%algorithm%'
    \G"<br>
    <br>
    *************************** 1. row ***************************<br>
      mailbox_id: 2264<br>
              id: 322<br>
            type: 8<br>
       parent_id: NULL<br>
       folder_id: 260<br>
    prev_folders: NULL<br>
        index_id: 0<br>
         imap_id: 322<br>
            date: 1526633127<br>
            size: 1356<br>
         locator: < path_to_file ><br>
     blob_digest: A6OKuOahXwEucedwefILfEr2r8ITP16AZ3sK4W0fg60=<br>
          unread: NULL<br>
           flags: 0<br>
            tags: 0<br>
       tag_names: NULL<br>
          sender: < <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a> ><br>
      recipients: NULL<br>
         subject: certificat_personnel_comodo_2018.pem<br>
            name: certificat_personnel_comodo_2018.pem<br>
        metadata: d2:cr30:< <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a>
>2:ct24:application/octet-stream2:de36:certificat_personnel_comodo_2018.pem3:dee5:false1:f0:2:lti0e5:mdveri2e2:ua45:ZimbraWebClient
    - FF59
(Linux)/8.7.11_GA_18541:vi10e14:xd.pubCertInfo465:d9:algorithm13:SHA256withRSA5:alias23:�s
    comodo ca limited id12:emailAddress30:< <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a>
    >7:endDate13:15579647990004:ib_c2:GB5:ib_cn52:COMODO RSA Client
    Authentication and Secure Email CA4:ib_l7:Salford4:ib_o17:COMODO CA
    Limited5:ib_st18:Greater Manchester15:it_emailAddress30:<
    <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a> >16:san_rfc822Name.030:< <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a>
>8:serialNo39:2746440112074918991892955858491277091199:startDate13:15263424000001:vi10eee<br>
    mod_metadata: 404<br>
     change_date: 1526633127<br>
     mod_content: 404<br>
            uuid: b9674406-ec48-45d8-8c6e-dc9473b2c843<br>
    *************************** 2. row ***************************<br>
      mailbox_id: 2264<br>
              id: 323<br>
            type: 8<br>
       parent_id: 322<br>
       folder_id: 260<br>
    prev_folders: NULL<br>
        index_id: 0<br>
         imap_id: 323<br>
            date: 1526633127<br>
            size: 1668<br>
         locator: < path_to_file ><br>
     blob_digest: S15jzK3gGj+D,3MfrWnQ5o24LsiV4RmIHqol6teK0X8=<br>
          unread: NULL<br>
           flags: 0<br>
            tags: 0<br>
       tag_names: NULL<br>
          sender: < <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a> ><br>
      recipients: NULL<br>
         subject: certificat_personnel_comodo_2018.key<br>
            name: certificat_personnel_comodo_2018.key<br>
        metadata: d2:cr30:< <a class="moz-txt-link-abbreviated" href="mailto:email@domaine.com">email@domaine.com</a>
>2:ct24:application/octet-stream2:de36:certificat_personnel_comodo_2018.key3:dee5:false1:f4:
    ...2:lti0e5:mdveri2e2:ua45:ZimbraWebClient - FF59
(Linux)/8.7.11_GA_18541:vi10e17:xd.privateKeyInfo44:d9:algorithm3:RSA9:keyFormat6:PKCS#81:vi10eee<br>
    mod_metadata: 405<br>
     change_date: 1526633127<br>
     mod_content: 405<br>
            uuid: 72f15062-adf6-4db3-9f78-789a34aa8cc9<br>
    <br>
    So from backups, admins can still get the 2 files (a .key file and
    .pem file). But they're binary files and I have no idea how to get
    them back to -----BEGIN CERTIFICATE----- and -----END
    CERTIFICATE----- then back to .p12 so I can get them back in Zimbra
    from ZWC.<br>
    We could still inject mysql entries and get the blobs back on
    filesystem but I'd like something more ready to use.<br>
    <br>
    Any idea?<br>
    <br>
    Regards,<br>
    Frédéric.<br>
    <br>
    PS: If I can get all this done, I'll try to sum it up so we can
    finally use S/MIME in Zimbra.<br>
    <br>
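<p>One way to get those two blobs back into PEM before rebuilding the .p12, as an added example that is not part of the thread or of Zimbra: it checks each file against the blob_digest of its mail_item row, accepts PEM, DER or gzip-wrapped DER, and wraps DER into the PEM headers asked about above. Assumptions are labelled in the code: DER encoding of the blobs, base64(SHA-256) as the blob_digest format, and an unencrypted PKCS#8 key.</p>

```python
"""Rebuild PEM files from Zimbra S/MIME document blobs (mail_item type 8).

Added example, not Zimbra's own code. Assumptions, all labelled: the two
blobs are DER-encoded (the message above only says "binary"); blob_digest
in mail_item is base64(SHA-256) of the stored file (its 44-character length
suggests so); the key is unencrypted PKCS#8, as the privateKeyInfo metadata
says. Sample inputs under __main__ are constructed stand-ins, not key material.
"""
import base64
import gzip
import hashlib
import textwrap

PEM_LABELS = {"cert": "CERTIFICATE", "key": "PRIVATE KEY"}  # PKCS#8 PEM label


def stored_bytes(blob):
    """Undo gzip if the store kept the file compressed (assumed: digest covers plain bytes)."""
    return gzip.decompress(blob) if blob[:2] == b"\x1f\x8b" else blob


def der_sequence_length(blob):
    """Total encoded length if blob opens with a DER SEQUENCE header, else None."""
    if len(blob) >= 2 and blob[0] == 0x30:
        first = blob[1]
        if not first & 0x80:                 # short form: content length in one byte
            return 2 + first
        n = first & 0x7F                     # long form: n length bytes follow
        if n in (1, 2, 3, 4) and len(blob) >= 2 + n:
            return 2 + n + int.from_bytes(blob[2:2 + n], "big")
    return None


def looks_like_der(blob):
    """True when the file is exactly one complete DER SEQUENCE (cert or PKCS#8 key)."""
    return der_sequence_length(blob) == len(blob)


def zimbra_blob_digest(blob):
    """Digest in the form mail_item.blob_digest uses (assumed: base64 of SHA-256)."""
    return base64.b64encode(hashlib.sha256(stored_bytes(blob)).digest()).decode("ascii")


def to_pem(blob, kind):
    """PEM text for a 'cert' or 'key' blob; PEM input passes through unchanged."""
    blob = stored_bytes(blob)
    if blob.lstrip().startswith(b"-----BEGIN "):
        return blob.decode("ascii")
    if not looks_like_der(blob):
        raise ValueError(f"{kind} blob is neither PEM nor a complete DER SEQUENCE")
    label = PEM_LABELS[kind]
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def restore(cert_blob, key_blob, cert_digest, key_digest):
    """Check both files against their mail_item rows, then return PEM texts by file name."""
    for kind, blob, digest in (("cert", cert_blob, cert_digest), ("key", key_blob, key_digest)):
        if zimbra_blob_digest(blob) != digest:
            raise ValueError(f"{kind} blob does not match blob_digest in its mail_item row")
    return {"cert.pem": to_pem(cert_blob, "cert"), "key.pem": to_pem(key_blob, "key")}


if __name__ == "__main__":
    cert = bytes.fromhex("3003020101")           # constructed: SEQUENCE { INTEGER 1 }
    key = bytes.fromhex("3006020100020100")      # constructed: SEQUENCE { INTEGER 0, INTEGER 0 }
    files = restore(cert, key, zimbra_blob_digest(cert), zimbra_blob_digest(key))
    for name, text in files.items():
        with open(name, "w") as fh:
            fh.write(text)
    # Final step with openssl, to get the .p12 that ZWC accepts:
    #   openssl pkcs12 -export -in cert.pem -inkey key.pem -out restored.p12
```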
    <div class="moz-cite-prefix">On 17/05/2018 at 17:54, Frédéric Nass
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:52d915b2-be63-3576-2340-81ee7ec98faa@univ-lorraine.fr">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <p>The only thing that annoys me is that, apparently, the public
        key of a received signed message should be automatically added
        to the sender contact (as stated here <a
          class="moz-txt-link-freetext"
          href="https://www.zimbra.com/email-server-software/email-encryption/"
          moz-do-not-send="true">https://www.zimbra.com/email-server-software/email-encryption/</a>)
        but this does not work with the latest Zimlet. This requires the
        sender and recipient to first exchange their public certificate
        and add them to each other's contacts to start encrypting
        emails.<br>
      </p>
      <p>Can't remember if this auto add feature ever worked with the
        previous Java Zimlet. If anyone has a clue...</p>
      <p>Regards,<br>
        Frédéric.<br>
      </p>
      <div class="moz-cite-prefix">On 17/05/2018 at 17:27, Frédéric Nass
        wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:f92b243f-8bba-41e5-4e4e-cf44515a0907@univ-lorraine.fr">
        <meta http-equiv="Content-Type" content="text/html;
          charset=utf-8">
        <p>Hi folks,<br>
        </p>
        <p>I finally found the right certificate to add to Zimbra
          keystore: <a class="moz-txt-link-freetext"
href="http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt"
            moz-do-not-send="true">http://crt.comodoca.com/COMODORSAClientAuthenticationandSecureEmailCA.crt</a></p>
        <p>Thanks to Stefan and his advice on using
          cert-chain-resolver.sh from <a class="moz-txt-link-freetext"
            href="https://github.com/zakjan/cert-chain-resolver"
            moz-do-not-send="true">https://github.com/zakjan/cert-chain-resolver</a>,
          I could get the right root and intermediate CA certs that
          Zimbra needed (out of my personal cert file):<br>
        </p>
        <p>What you need to do is:<br>
        </p>
        <p>- export personal certificate from firefox to create .p12
          file<br>
          - convert the certificate to PEM with:<br>
            openssl pkcs12 -in myPersonalCert.p12 -out
          myPersonnalCert.pem -nodes <br>
          - use cert-chain-resolver.sh to create chain: <br>
            cert-chain-resolver.sh -o comodo-root-and-intermediate.pem
          my-personnal-cert.pem<br>
          - comodo-root-and-intermediate.pem should contain root and
          intermediate CA certificates. Keep root cert only and add it
          to Zimbra:<br>
            zmcertmgr addcacert /tmp/comodo-root.crt</p>
        <p>No need to restart mailboxd and you can keep
          zimbraSmimeOCSPEnabled to TRUE.<br>
        </p>
        Regards,<br>
        Frédéric.<br>
        <br>
        <div class="moz-cite-prefix">On 17/05/2018 at 10:21, Frédéric
          Nass wrote:<br>
        </div>
        <blockquote type="cite"
cite="mid:1810623954.131197.1526545272208.JavaMail.zimbra@univ-lorraine.fr">
          <div style="font-family: arial, helvetica, sans-serif;
            font-size: 12pt; color: #000000">
            <div>Hi Stefan,<br>
            </div>
            <div><br data-mce-bogus="1">
            </div>
            <div>Here is what I did:<br data-mce-bogus="1">
            </div>
            <div><br data-mce-bogus="1">
            </div>
            <div>- Enable securemail zimlet in Zimbra preferences<br
                data-mce-bogus="1">
            </div>
            <div>- Generate a comodo personal cert from here: <a
                class="moz-txt-link-freetext"
href="https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate"
                moz-do-not-send="true">https://secure.comodo.com/products/frontpage?area=SecureEmailCertificate</a><br
                data-mce-bogus="1">
            </div>
            <div>- Download / Install my personal cert in Firefox.
              Export my personal cert from Firefox keystore to file.<br
                data-mce-bogus="1">
            </div>
            <div>- Upload my personal cert in Zimbra Preferences /
              Secure Email. <strong>Verification fails</strong><br
                data-mce-bogus="1">
            </div>
            <div>- Search Google for Comodo root and intermediate certs
              which led me here: <a class="moz-txt-link-freetext"
href="https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates"
                moz-do-not-send="true">https://support.comodo.com/index.php?/Knowledgebase/Article/View/320/17/can-i-download-your-intermediate-and-root-certificates</a><br>
            </div>
            <div>and here: <a class="moz-txt-link-freetext"
href="https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl"
                moz-do-not-send="true">https://support.comodo.com/index.php?/comodo/Knowledgebase/List/Index/75/instantsslenterprisesslintranetssl</a><br
                data-mce-bogus="1">
            </div>
            <div>and there: <a class="moz-txt-link-freetext"
                href="https://support.comodo.com/index.php?/Knowledgebase/List/Index/71"
                moz-do-not-send="true">https://support.comodo.com/index.php?/Knowledgebase/List/Index/71</a><br
                data-mce-bogus="1">
            </div>
            <div>- I downloaded and added all root and intermediate #1
              and #2 certs<br data-mce-bogus="1">
            </div>
            <div>- I added those certs to the keystore and checked with
              keytool that they were correctly imported in the keystore<br>
              - I restarted mailboxd<br data-mce-bogus="1">
            </div>
            <div>- Upload my personal cert again in Zimbra Preferences /
              Secure Email. <strong>Still fails</strong></div>
            <div data-marker="__SIG_PRE__"><br data-mce-bogus="1">
            </div>
            <div data-marker="__SIG_PRE__">I have also tried to cat
              comodorsaaddtrustca.crt
              comodosha256clientauthenticationandsecureemailca.crt >
              ca_cert_and_chain.crt then /opt/zimbra/bin/zmcertmgr
              addcacert /tmp/COMODO/ca_cert_and_chain.crt<br>
            </div>
            <div data-marker="__SIG_PRE__"><strong>Still fails</strong>.<br
                data-mce-bogus="1">
            </div>
            <div data-marker="__SIG_PRE__"><br data-mce-bogus="1">
            </div>
            <div data-marker="__SIG_PRE__">Regards,<br
                data-mce-bogus="1">
            </div>
            <div data-marker="__SIG_PRE__"><br>
              Frédéric.<br>
            </div>
            <br>
            <span id="zwchr" data-marker="__DIVIDER__">----- On 17 May
              18, at 10:09, Stefan Sänger <a
                class="moz-txt-link-rfc2396E"
                href="mailto:stefan.saenger@gr13.net"
                moz-do-not-send="true"><stefan.saenger@gr13.net></a>
              wrote:<br>
            </span>
            <div data-marker="__QUOTED_TEXT__">
              <blockquote style="border-left:2px solid
#1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;">Hi
                Frederic,<br>
                <br>
                are you importing only the root certificate or the
                complete chain <br>
                (without your personal certificate) ?<br>
                <br>
                <br>
                best regards,<br>
                <br>
                Stefan<br>
                <br>
                On 17.05.2018 at 10:06, Frédéric Nass wrote:<br>
                > <br>
                > Thanks for all this information Barry. I have
                root access and I could <br>
                > add certs to the keystore but verification still
                fails when uploading my <br>
                > personal cert in Zimbra preferences (because the
                verification against <br>
                > all Comodo certs that I add to the keystore still
                fails).<br>
                > <br>
                > I used "zmcertmgr addcacert /tmp/comodo.crt" that
                uses keytool to import <br>
                > certificate to the keystore. It must be equivalent
                to "keytool -import <br>
                > -alias xxxxxxx -keystore <br>
                >
                /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
                -storepass <br>
                > changeit -file /tmp/comodo.crt"<br>
                > <br>
                > Frédéric.<br>
                > <br>
                > <br>
                > ----- On 17 May 18, at 9:33, Barry de Graaff <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:info@barrydegraaff.tk"
                  moz-do-not-send="true"><info@barrydegraaff.tk></a>
                <br>
                > wrote:<br>
                > <br>
                >     Ahh, AFAIK you do not have to concatenate them.<br>
                > <br>
                >     Instead you can add all required intermediates
                to the store,<br>
                >     you need to restart zimbra for the changes to
                be loaded.<br>
                > <br>
                >     I do not use S/MIME so I cannot give the exact
                example, but<br>
                >     for trusting a CA using intermediates I do:<br>
                > <br>
                >     wget<br>
                >     <a class="moz-txt-link-freetext"
href="https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt"
                  moz-do-not-send="true">https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt</a><br>
                >     -O lets.pem<br>
                >       /opt/zimbra/common/bin/keytool -import -alias
                letsenc-ca -keystore<br>
                >     /opt/zimbra/common/etc/java/cacerts -storepass
                changeit -file<br>
                >     /root/lets.pem<br>
                > <br>
                >     So the trick there is to get the proper .pem
                from your CA and import<br>
                >     that into<br>
                >     the keystore.<br>
                > <br>
                >     You can also create a new keystore and put that
                in<br>
                >     smime_truststore variable.<br>
                > <br>
                >     You write you cannot add a cert to the store,
                do you not have root<br>
                >     access?<br>
                > <br>
                > <br>
                >     Kind regards,<br>
                > <br>
                >     Barry de Graaff<br>
                >     Zeta Alliance<br>
                >     Co-founder & Developer<br>
                >     zetalliance.org | github.com/Zimbra-Community<br>
                > <br>
                >     +31 617 220 227 | skype: barrydegraaff.tk<br>
                >     Fingerprint:
                97f4694a1d9aedad012533db725ddd156d36a2d0<br>
                > <br>
                >     ----- Original Message -----<br>
                >     From: "Frédéric Nass" <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:frederic.nass@univ-lorraine.fr"
                  moz-do-not-send="true"><frederic.nass@univ-lorraine.fr></a><br>
                >     To: "Barry de Graaff" <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:info@barrydegraaff.tk"
                  moz-do-not-send="true"><info@barrydegraaff.tk></a><br>
                >     Cc: "users" <a class="moz-txt-link-rfc2396E"
                  href="mailto:users@lists.zetalliance.org"
                  moz-do-not-send="true"><users@lists.zetalliance.org></a><br>
                >     Sent: Thursday, May 17, 2018 9:26:18 AM<br>
                >     Subject: Re: [Users] New 8.7.5 Securemail
                Zimlet<br>
                > <br>
                >     Hi Barry,<br>
                > <br>
                >     I have no idea.<br>
                > <br>
                >     Actually, Zimbra provides a keystore for smime
                certs validation. But<br>
                >     it's empty from any trusty external CA.<br>
                > <br>
                >     [zimbra@test-zimbra ~]$ zmlocalconfig | grep -E
                'keystore|smime'<br>
                >     imapd_keystore =
                /opt/zimbra/conf/imapd.keystore<br>
                >     imapd_keystore_password = *<br>
                >     mailboxd_keystore =
                /opt/zimbra/mailboxd/etc/keystore<br>
                >     mailboxd_keystore_base =
                ${zimbra_home}/conf/keystore.base<br>
                >     mailboxd_keystore_base_password = *<br>
                >     mailboxd_keystore_password = *<br>
                >     smime_truststore = ${mailboxd_truststore}<br>
                >     smime_truststore_password = *<br>
                > <br>
                >     [zimbra@test-zimbra ~]$ keytool -list -keystore<br>
                >    
                /opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts
                -storepass<br>
                >     changeit<br>
                > <br>
                >     Keystore type: JKS<br>
                >     Keystore provider: SUN<br>
                > <br>
                >     Your keystore contains 183 entries<br>
                > <br>
                >     tmp/rhel7_64/rdjz3bwn1d/eq0xx_t6fv.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F<br>
                >     tmp/rhel7_64/rdjz3bwn1d/gpzzm9h5_7.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                8C:96:BA:EB:DD:2B:07:07:48:EE:30:32:66:A0:F3:98:6E:7C:AE:58<br>
                >     tmp/rhel7_64/rdjz3bwn1d/csuq6zjk4u.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     ...<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA<br>
                >     my_ca, Mar 21, 2018, trustedCertEntry,<br>
                >     ...<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49<br>
                >     tmp/rhel7_64/rdjz3bwn1d/ja63m4kjkn.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                48:12:BD:92:3C:A8:C4:39:06:E7:30:6D:27:96:E6:A4:CF:22:2E:7D<br>
                >     tmp/rhel7_64/rdjz3bwn1d/0wpwao5qj3.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     Certificate fingerprint (SHA1):<br>
                >    
                28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8<br>
                >     tmp/rhel7_64/rdjz3bwn1d/8afyoy3e6h.der, Feb 12,
                2016, trustedCertEntry,<br>
                >     etc.<br>
                > <br>
                >     But no Comodo, Verisign, etc...<br>
                > <br>
                >     I added all the certs from<br>
                >     <a class="moz-txt-link-freetext"
                  href="https://support.comodo.com/index.php?/Knowledgebase/List/Index/71"
                  moz-do-not-send="true">https://support.comodo.com/index.php?/Knowledgebase/List/Index/71</a>
                to<br>
                >     the<br>
                >     keystore. But verification still fails when
                uploading personal certs.<br>
                > <br>
                >     Prabhat Kumar on comment 3 of bugzilla report
                says "Need to add<br>
                >     intermediate as well of the s/mime
                certificate."<br>
                >     Which I did, but still no success.<br>
                > <br>
                >     It seems to me that I should first build a cert
                by concatenating some<br>
                >     root and intermediate certs. But which certs in
                what order I have no<br>
                >     idea :-/<br>
                > <br>
                >     Regards,<br>
                >     Frédéric.<br>
                > <br>
                > <br>
                > On 17/05/2018 at 09:04, Barry de Graaff
                wrote:<br>
                >      > Is this an open-source component,
                especially the server side part?<br>
                >      ><br>
                >      > If so you can look in there and see if you
                can use a different<br>
                >     keystore.<br>
                >      ><br>
                >      > Kind regards,<br>
                >      ><br>
                >      > Barry de Graaff<br>
                >      > Zeta Alliance<br>
                >      > Co-founder & Developer<br>
                >      > zetalliance.org |
                github.com/Zimbra-Community<br>
                >      ><br>
                >      > +31 617 220 227 | skype: barrydegraaff.tk<br>
                >      > Fingerprint:
                97f4694a1d9aedad012533db725ddd156d36a2d0<br>
                >      ><br>
                >      > ----- Original Message -----<br>
                >      > From: "Frédéric Nass" <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:frederic.nass@univ-lorraine.fr"
                  moz-do-not-send="true"><frederic.nass@univ-lorraine.fr></a><br>
                >      > To: "users" <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:users@lists.zetalliance.org"
                  moz-do-not-send="true"><users@lists.zetalliance.org></a><br>
                >      > Sent: Thursday, May 17, 2018 8:32:16 AM<br>
                >      > Subject: [Users] New 8.7.5 Securemail
                Zimlet<br>
                >      ><br>
                >      > Hi,<br>
                >      ><br>
                >      > Has anyone succeeded in using the new
                8.7.5 securemail Zimlet<br>
                >      > (com_zimbra_securemail)?<br>
                >      ><br>
                >      > Personal certificates uploads fail
                unless you disable the<br>
                >     certificate<br>
                >      > verification check or add the root CA to
                Zimbra keystore which I<br>
                >     can't<br>
                >      > do. This has been explained here:<br>
                >      > <a class="moz-txt-link-freetext"
                  href="https://bugzilla.zimbra.com/show_bug.cgi?id=107887"
                  moz-do-not-send="true">https://bugzilla.zimbra.com/show_bug.cgi?id=107887</a><br>
                >      > Problem is that Zimbra does not provide
                any external CA keystore to<br>
                >      > validate personal certificates.<br>
                >      ><br>
                >      > There is no documentation and Zimbra
                support is as usual of no help.<br>
                >      ><br>
                >      > Regards,<br>
                >      ><br>
                ><br>
              </blockquote>
            </div>
          </div>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>