Questions about migrating to a new server on a new domain

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote: Thank you Mark! That does answer one of my questions!
You mean about the SSL certs on the new server?

I know there are lots of folks who use LetsEncrypt successfully, Jim Dunphy's scripts really simplify things, and for a single Zimbra server it's a really good way to go.

But I personally prefer commercial SSL certs on Zimbra servers, so I don't have to worry about a 90-day renewal gone wrong. The $$ for a SAN or even a wildcard SSL cert is typically a lower cost for your employer than you taking an hour or two to (try to) get LetsEncrypt to work on the first try (with all due respect!)

https://wiki.zimbra.com/wiki/Administra ... cate_Tools is the right reference guide. FWIW I typically use the Admin Console to create the CSR, but then I use the CLI to verify and deploy the certificate.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

Mark,

So if I’m following the steps in that wiki, would I just deploy new certs for just the new server on single server mode, or do I have to deploy multi-server certs, to include replacing the certs on the existing old server?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote: Mark,

So if I’m following the steps in that wiki, would I just deploy new certs for just the new server on single server mode, or do I have to deploy multi-server certs, to include replacing the certs on the existing old server?
Ah, OK, I get it now... Sorry, I didn't recall you were gluing together the old and new servers in the same LDAP realm.

Yes, you'll need a SAN or wildcard cert covering all of your Zimbra servers to ensure they all trust each other.

When you generate a new CSR, find the new /opt/zimbra/ssl/zimbra/commercial/commercial.key file. This is the new Private Key file, and you'll need to copy it to that location on all of the servers. You don't need to copy the csr file to any of the other servers. Then you can do the CLI stuff on each server to deploy the new SSL server and intermediate/root certificates. GoDaddy is by far in my experience the easiest/fastest to deploy FWIW, because you don't have to go hunting for other certs in the chain; the bundle file they give you (what the wiki calls commercial_ca.crt or chain_ca.crt) contains everything you need.

Is your existing cert a wildcard cert? If so, it's straightforward (not necessarily intuitive though!) to deploy that cert on your new server.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote:
patrickwilson82 wrote: Mark,

So if I’m following the steps in that wiki, would I just deploy new certs for just the new server on single server mode, or do I have to deploy multi-server certs, to include replacing the certs on the existing old server?
Ah, OK, I get it now... Sorry, I didn't recall you were gluing together the old and new servers in the same LDAP realm.

Yes, you'll need a SAN or wildcard cert covering all of your Zimbra servers to ensure they all trust each other.

When you generate a new CSR, find the new /opt/zimbra/ssl/zimbra/commercial/commercial.key file. This is the new Private Key file, and you'll need to copy it to that location on all of the servers. You don't need to copy the csr file to any of the other servers. Then you can do the CLI stuff on each server to deploy the new SSL server and intermediate/root certificates. GoDaddy is by far in my experience the easiest/fastest to deploy FWIW, because you don't have to go hunting for other certs in the chain; the bundle file they give you (what the wiki calls commercial_ca.crt or chain_ca.crt) contains everything you need.

Is your existing cert a wildcard cert? If so, it's straightforward (not necessarily intuitive though!) to deploy that cert on your new server.
I’m not sure what you mean by wildcard cert? It points specifically towards my current server address. I assume then that the new cert (not sure what address it would point to for multi-server) would then need to be deployed to all clients, even the ones whose mailboxes are still on the old server?
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote:
I’m not sure what you mean by wildcard cert? It points specifically towards my current server address. I assume then that the new cert (not sure what address it would point to for multi-server) would then need to be deployed to all clients, even the ones whose mailboxes are still on the old server?
OK, apologies if I am telling you things you already know...

A typical SSL certificate covers a single FQDN, like "webmail.mycompany.com"

A SAN certificate covers multiple FQDNs, like "webmail.mycompany.com", "proxy.mycompany.com", "ldap2.mycompany.com", "mbox5.mycompany.com", "www.mycompany.com". The cost is based on how many FQDNs you want to include in the certificate. The FQDNs need not be on the same domain.

A wildcard certificate covers "*.mycompany.com" and can be used for an unlimited number of hosts on the domain -- but not hosts on a subdomain. IOW, with a "*.mycompany.com" wildcard cert, you could use it on a server with the fqdn "bleeping.mycompany.com", but you couldn't use it on a server with the fqdn "bleeping.computer.mycompany.com".

Typically, wildcard certs are cheaper after ~20 hosts are to be covered. Some companies don't want/allow wildcard SSL certificates, because if the private key is compromised, they have to replace SSL certificates on every host using the wildcard cert.

Basically, you are installing these certs at the server level. (Per-mailbox certs are for like SMIME.)

S'OK?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
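The wildcard rule Mark describes above (one label only, no subdomains, no bare domain) can be checked mechanically before buying or deploying a cert for a multi-server setup. This is an added example, not code from the thread or from Zimbra: a POSIX shell snippet that lists which Zimbra server FQDNs a SAN/wildcard name list does not cover; the sample name lists are constructed, and the certificate path and `zmprov gas` in the comments are assumed to be the usual Zimbra ones.

```shell
#!/bin/sh
# Added example (not from the thread or Zimbra): does a SAN/wildcard list
# cover every Zimbra server FQDN?  Wildcard rule per the post above:
# "*.mycompany.com" matches "bleeping.mycompany.com" but not
# "bleeping.computer.mycompany.com" (and not the bare "mycompany.com").

# DNS names from a real certificate's subjectAltName, one per line.
# Assumed usage on a Zimbra box (standard commercial cert path):
#   cert_dns_names /opt/zimbra/ssl/zimbra/commercial/commercial.crt
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# name_matches SAN HOST -> exit 0 if SAN (exact name or *.suffix) covers HOST.
name_matches() {
  san=$1; host=$2
  [ "$san" = "$host" ] && return 0
  case $san in
    \*.*)
      suffix=${san#\*.}
      case $host in
        *.$suffix)
          # whatever precedes ".suffix" must be exactly one DNS label
          label=${host%.$suffix}
          case $label in
            ''|*.*) return 1 ;;
            *)      return 0 ;;
          esac ;;
      esac ;;
  esac
  return 1
}

# uncovered_hosts "SAN ..." "HOST ..." -> prints the hosts no SAN entry covers.
# On a real system the host list could come from: zmprov gas
uncovered_hosts() {
  for h in $2; do
    covered=1
    for s in $1; do
      if name_matches "$s" "$h"; then covered=0; break; fi
    done
    if [ $covered -ne 0 ]; then echo "$h"; fi
  done
  return 0
}

# Constructed sample: a wildcard cert for mycompany.com, plus the host list
# of a migration spanning two domains like the one discussed in this thread.
SAMPLE_SANS='webmail.mycompany.com *.mycompany.com'
SAMPLE_HOSTS='webmail.mycompany.com mbox5.mycompany.com bleeping.computer.mycompany.com server2.anotherdomain.com'
echo "Hosts NOT covered by the certificate:"
uncovered_hosts "$SAMPLE_SANS" "$SAMPLE_HOSTS"
```

Any host printed (here the subdomain host and the server on the other domain) needs its own SAN entry, which is the case Mark suggests confirming with Zimbra Support.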
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote:
OK, apologies if I am telling you things you already know...

A typical SSL certificate covers a single FQDN, like "webmail.mycompany.com"

A SAN certificate covers multiple FQDNs, like "webmail.mycompany.com", "proxy.mycompany.com", "ldap2.mycompany.com", "mbox5.mycompany.com", "www.mycompany.com". The cost is based on how many FQDNs you want to include in the certificate. The FQDNs need not be on the same domain.

A wildcard certificate covers "*.mycompany.com" and can be used for an unlimited number of hosts on the domain -- but not hosts on a subdomain. IOW, with a "*.mycompany.com" wildcard cert, you could use it on a server with the fqdn "bleeping.mycompany.com", but you couldn't use it on a server with the fqdn "bleeping.computer.mycompany.com".

Typically, wildcard certs are cheaper after ~20 hosts are to be covered. Some companies don't want/allow wildcard SSL certificates, because if the private key is compromised, they have to replace SSL certificates on every host using the wildcard cert.

Basically, you are installing these certs at the server level. (Per-mailbox certs are for like SMIME.)

S'OK?
So it sounds like, since these two servers will live on different domains while I transition, I need to look at getting a SAN certificate, if I'm understanding you correctly. How will this affect what I'm currently using on the clients? cacert.der and a rootca.p7b cert installed on every client.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

OK, so first, I'm confused why you keep bringing up client certificates. Let's stick to server certs for the moment...

If you have two Zimbra servers on two different domains, e.g. server1.mydomain.com and server2.anotherdomain.com, in theory you should be able to use a SAN cert with both FQDNs, but I have never tested this. I would open a Support Case to have Zimbra confirm.

What I have tested is where the first and second servers each have a commercial SSL cert for their own fqdn. In that case, each Zimbra server won't trust the other server, and you'll need to turn off secure interprocess communication.

S'OK?
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

L. Mark Stone wrote: OK, so first, I'm confused why you keep bringing up client certificates. Let's stick to server certs for the moment...

If you have two Zimbra servers on two different domains, e.g. server1.mydomain.com and server2.anotherdomain.com, in theory you should be able to use a SAN cert with both FQDNs, but I have never tested this. I would open a Support Case to have Zimbra confirm.

What I have tested is where the first and second servers each have a commercial SSL cert for their own fqdn. In that case, each Zimbra server won't trust the other server, and you'll need to turn off secure interprocess communication.

S'OK?
I will open a case with them for that question. Thank you.
patrickwilson82
Advanced member
Posts: 134
Joined: Tue Mar 13, 2018 5:37 pm
ZCS/ZD Version: 8.8.15

Re: Questions about migrating to a new server on a new domain

Post by patrickwilson82 »

Good morning Mark,

While I'm waiting on Zimbra support to get back to me about the certs question, I was wondering if you could please answer two more questions for me that I had asked kranium since you've been following this thread:

"So basically if I point the end user's Outlook client to the public service hostname, will the proxy then know which of the two servers to check, to find that user's email?"

Also, will this method of syncing the LDAP data between the two servers transfer over any possible backdoors or vulnerabilities that my existing server may have due to compromise, with it being on such an old patch?

Thanks again for your help.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Questions about migrating to a new server on a new domain

Post by L. Mark Stone »

patrickwilson82 wrote: Good morning Mark,

While I'm waiting on Zimbra support to get back to me about the certs question, I was wondering if you could please answer two more questions for me that I had asked kranium since you've been following this thread:

"So basically if I point the end user's Outlook client to the public service hostname, will the proxy then know which of the two servers to check, to find that user's email?"

Also, will this method of syncing the LDAP data between the two servers transfer over any possible backdoors or vulnerabilities that my existing server may have due to compromise, with it being on such an old patch?

Thanks again for your help.
Zimbra's proxy's job is to (among other things) abstract for the users the location of their mailbox. When a user browses to the PSHN:

1. Zimbra Proxy asks one of the mailbox servers in the proxy pool to paint the login screen.
2. After the user enters their username and password, the mailbox server that painted the login screen verifies the credentials via Zimbra's LDAP, and notes the mailbox server on which the user's mailbox lives. If the entered credentials are correct, the mailbox server tells Proxy on which mailbox server the user's mailbox lives.
3. Proxy says "Thanks Dude!" to the mailbox server, and then asks memcached to store the route information, i.e. the correct mailbox server, for this user's session (Proxy has short-term memory issues, so it's faster for Proxy to ask memcached which mailbox server to talk to than to keep asking LDAP where the user's mailbox lives).
4. Proxy then talks to the mailbox server where the user's mailbox lives and says "Dude! I have an authenticated session for <user@domain.tld>! Paint his mailbox for me please!" and Proxy then proxies the user's mailbox contents and static UI elements back to the user's browser, using the PSHN to present all relevant links to the end user.

The above flows are the same for Outlook, except for the UI components of course.

As re vulnerabilities in your LDAP data, unless you have configured zimbraMtaMyNetworks to include like 0.0.0.0/0, or users' passwords to be like "Password1234", there's not much in the LDAP data that presents a security risk. The security fixes in pretty much all of the recent patches to date have been in upgrading Zimbra components, and some configuration file adjustments.

In my experience, what you miss when using older LDAP data are the changes to the default settings had you done a fresh install. But, if you do things like execute the updates in the Cipher Suites wiki, and parse the Patch Release Notes for documentation on new configuration attributes (like IMAP pagination for heavy duty IMAP users, where the defaults for some reason haven't yet changed in the installer), you will be OK. Even brand-new installations include long-deprecated LDAP and Localconfig attributes, which if present, are typically just ignored (like LC ldap_bind_url). Unless you did some very creative things on the old Zimbra server, I wouldn't normally consider this a risk.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate