Questions about migrating to a new server on a new domain

patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote:
patrickwilson82 wrote: Good morning Mark,

While I'm waiting on Zimbra support to get back to me about the certs question, I was wondering if you could please answer two more questions for me that I had asked kranium since you've been following this thread:

"So basically if I point the end user's Outlook client to the public service hostname, will the proxy then know which of the two servers to check, to find that user's email?"

Also, will this method of syncing the ldap data between the two servers transfer over the any possible backdoors or vulnerabilities that my existing server may have due to compromise with it being on such an old patch?

Thanks again for your help.
Zimbra's proxy's job is to (among other things) abstract for the users the location of their mailbox. When a user browses to the PSHN:

1. Zimbra Proxy asks one of the mailbox servers in the proxy pool to paint the login screen.
2. After the user enters their username and password, the mailbox server that painted the login screen verifies the credentials via Zimbra's LDAP, and notes the mailbox server on which the user's mailbox lives. If the entered credentials are correct, the mailbox server tells Proxy on which mailbox server the user's mailbox lives.
3. Proxy says "Thanks Dude!" to the mailbox server, and then asks memcached to store the route information, i.e. the correct mailbox server, for this user's session (Proxy has short-term memory issues, so it's faster for Proxy to ask memcached which mailbox server to talk to than to keep asking LDAP where the user's mailbox lives).
4. Proxy then talks to the mailbox server where the user's mailbox lives and says "Dude! I have an authenticated session for <user@domain.tld>! Paint his mailbox for me please!" and Proxy then proxies the user's mailbox contents and static UI elements back to the user's browser, using the PSHN to present all relevant links to the end user.

The above flows are the same for Outlook, except for the UI components of course.

As re vulnerabilities in your LDAP data, unless you have configured zimbraMtaMyNetworks to include like 0.0.0.0/0, or users' passwords to be like "Password1234", there's not much in the LDAP data that presents a security risk. The security fixes in pretty much all of the recent patches to date have been in upgrading Zimbra components, and some configuration file adjustments.

In my experience, what you miss when using older LDAP data are the changes to the default settings had you done a fresh install. But, if you do things like execute the updates in the Cipher Suites wiki, and parse the Patch Release Notes for documentation on new configuration attributes (like IMAP pagination for heavy duty IMAP users, where the defaults for some reason haven't yet changed in the installer), you will be OK. Even brand-new installations include long-deprecated LDAP and Localconfig attributes, which if present, are typically just ignored (like LC ldap_bind_url). Unless you did some very creative things on the old Zimbra server, I wouldn't normally consider this a risk.

Hope that helps,
Mark
Thank you very much! That helps quite a bit. Once Zimbra support gets back to me about my certs question, I think I'll be ready to go with this.
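Added example, not from either poster and not a Zimbra-supplied tool: a small POSIX shell audit that checks the one LDAP-held setting Mark singles out as a real risk when old directory data is carried over (zimbraMtaMyNetworks opened to a catch-all network) and shows the mailbox server the proxy would be routed to for a given account (zimbraMailHost). The parsing functions take zmprov output on stdin so they can be exercised offline with constructed text; the live section only runs where zmprov is installed. The function names and the sample output are constructed; `zmprov gacf`, `zmprov gs`, `zmprov ga` and `zmhostname` are standard Zimbra commands.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): audit the settings that
# matter when old LDAP data is replicated to a new server, and show where the
# proxy's route lookup would send a user.

# Return 0 (true) if zimbraMtaMyNetworks output on stdin contains a catch-all
# network (IPv4 0.0.0.0/0 or IPv6 ::/0), which would let any host relay mail.
# zmprov prints the value as "zimbraMtaMyNetworks: 127.0.0.0/8 10.0.0.0/24 ..."
mynetworks_is_open() {
    grep -E '^zimbraMtaMyNetworks:' \
        | grep -Eq '(^|[[:space:]])(0\.0\.0\.0/0|::/0)([[:space:]]|$)'
}

# Print the mailbox server for an account, given "zmprov ga <user> zimbraMailHost"
# output on stdin (the first line of that output is a "# name ..." comment).
mail_host() {
    sed -n 's/^zimbraMailHost: *//p' | head -n 1
}

# Live run: only where zmprov is present. Global config is checked first, then
# this server's own value, because a server-level value overrides global config.
if command -v zmprov >/dev/null 2>&1; then
    for scope in "gacf" "gs $(zmhostname)"; do
        if zmprov $scope zimbraMtaMyNetworks | mynetworks_is_open; then
            echo "WARNING: zimbraMtaMyNetworks ($scope) contains a catch-all network"
        fi
    done
    if [ -n "$1" ]; then
        echo "$1 lives on: $(zmprov ga "$1" zimbraMailHost | mail_host)"
    fi
fi
```

Run it on the old server as the zimbra user with an account name as the first argument; a warning means the MTA trusts every source address and should be tightened before that LDAP data is replicated.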
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

Mark,

Zimbra Support has confirmed that I would be able to use the SAN certs from a provider such as godaddy for this scenario. They also suggested a free site called letsencrypt, but I'm not sure I want to go that route.

Do you know if when I create the MMR, will my clients still be able to connect to the current server with the current certs? Or would that connection stop working right away?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote: Mark,

Zimbra Support has confirmed that I would be able to use the SAN certs from a provider such as godaddy for this scenario. They also suggested a free site called letsencrypt, but I'm not sure I want to go that route.

Do you know if when I create the MMR, will my clients still be able to connect to the current server with the current certs? Or would that connection stop working right away?
What you are more concerned about is all of the Zimbra servers trusting each other. Zimbra by default has interprocess security turned on, so all traffic between Zimbra servers is encrypted--even when the traffic takes place on a single Zimbra server. If your two LDAP servers won't trust each other, replication won't work.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote:
patrickwilson82 wrote: Mark,

Zimbra Support has confirmed that I would be able to use the SAN certs from a provider such as godaddy for this scenario. They also suggested a free site called letsencrypt, but I'm not sure I want to go that route.

Do you know if when I create the MMR, will my clients still be able to connect to the current server with the current certs? Or would that connection stop working right away?
What you are more concerned about is all of the Zimbra servers trusting each other. Zimbra by default has interprocess security turned on, so all traffic between Zimbra servers is encrypted--even when the traffic takes place on a single Zimbra server. If your two LDAP servers won't trust each other, replication won't work.
So then the new SAN certs need to be installed on both servers for anything to work. Since the current certs recognize the public service hostname, then they shouldn't lose connection to the current server, if I'm understanding correctly.
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote:
patrickwilson82 wrote: Thank you Mark! That does answer one of my questions!
You mean about the SSL certs on the new server?

I know there are lots of folks who use LetsEncrypt successfully, Jim Dunphy's scripts really simplify things, and for a single Zimbra server it's a really good way to go.

But I personally prefer commercial SSL certs on Zimbra servers, so I don't have to worry about a 90-day renewal gone wrong. The $$ for a SAN or even a wildcard SSL cert is typically a lower cost for your employer than you taking an hour or two to (try to) get LetsEncrypt to work on the first try (with all due respect!)

https://wiki.zimbra.com/wiki/Administra ... cate_Tools is the right reference guide. FWIW I typically use the Admin Console to create the CSR, but then I use the CLI to verify and deploy the certificate.

All the best,
Mark
Mark,

I decided to go with the commercial certs. Do I need to wait to create the CSR until I have the new server up and running? When I enter the CN I'm using the old server's name, zm01.domain1.local. For the Subject Alternative Names I'm using zm01.domain1.local, zm01.domain2.org (new server), and zmail.mydomain.com (the public domain).

Invalid request:Message: invalid request: Invalid subjectAltName 'zm01.domain1.local' Error code: service.INVALID_REQUEST Method: [unknown] Details:soap:Sender"

Am I doing something wrong here? Thank you, as always.
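Added example, not from the thread, from Zimbra's Admin Console or from zmcertmgr: a POSIX shell script that builds an openssl request config listing every hostname the certificate must cover in its subjectAltName, generates the CSR from it, and prints the SANs that actually landed in the request so they can be checked before the CSR is sent to the CA. The CN is also placed first in the SAN list, because clients validate the SAN list rather than the CN, and a name given twice is listed only once. The hostnames are the thread's public names; the function names, the `/tmp` paths and the `run` argument are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra's tools): build an openssl
# request config with the SANs a multi-host certificate needs, create the CSR,
# and read back the SANs from the CSR before submitting it.

# Print an openssl req config. $1 = common name, remaining args = SAN hosts.
# The CN is emitted as DNS.1; a SAN equal to the CN is skipped to avoid duplicates.
san_config() {
    cn=$1; shift
    printf '[req]\ndistinguished_name = dn\nreq_extensions = ext\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n[ext]\nsubjectAltName = @alt_names\n\n[alt_names]\n' "$cn"
    printf 'DNS.1 = %s\n' "$cn"
    i=2
    for host in "$@"; do
        [ "$host" = "$cn" ] && continue
        printf 'DNS.%d = %s\n' "$i" "$host"
        i=$((i + 1))
    done
}

# Generate a 2048-bit RSA key (unencrypted, as the mail server needs it) and a
# CSR from the config, then print the DNS SANs present in the finished request.
# $1 = key path, $2 = CSR path, remaining args = CN followed by SAN hosts.
make_csr() {
    key=$1; csr=$2; shift 2
    san_config "$@" > "$csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$csr.cnf"
    openssl req -in "$csr" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Live run only when asked for and when openssl is available.
if [ "$1" = "run" ] && command -v openssl >/dev/null 2>&1; then
    make_csr /tmp/zmail.key /tmp/zmail.csr zmail.mydomain.com zm01.domain2.org
fi
```

Expected read-back for the live run is one `DNS:` entry per hostname, which is what the issued certificate will carry as well. Only publicly resolvable names belong in a request sent to a commercial CA: public CAs do not issue certificates containing internal names such as a `.local` hostname, so a SAN list for a purchased certificate should be limited to names like the public service hostname. The private key then has to be placed where Zimbra expects it before deployment; the Administration Console Certificate Tools wiki page linked earlier in the thread covers that step.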