Hello,
I have upgraded Zimbra from 8.5 to 8.6 and installed a new SSL certificate (StartCOM's). The problem is, whenever I install the certificate, even though it's successfully installed, I can't send mail from Outlook for some reason.
How I am installing the certificate is below:
Phase 1:
kullanici@sunucu:/$ sudo openssl rsa -in mailSunucuKey.key -out yeniMailsunucuKey.key
kullanici@sunucu:/tmp$ wget https://www.startssl.com/certs/ca.pem
kullanici@sunucu:/tmp$ wget https://www.startssl.com/certs/sub.class1.server.ca.pem
kullanici@sunucu:/tmp$ cat ca.pem sub.class1.server.ca.pem > ca_tumlesik.crt
Phase 2:
kullanici@sunucu:/$ sudo cp mailSunucu.crt /tmp/ssl.crt
kullanici@sunucu:/$ sudo cp yeniMailsunucuKey.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
kullanici@sunucu:/$ cd /opt/zimbra/bin
kullanici@sunucu:/opt/zimbra/bin/$ sudo ./zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_tumlesik.crt
kullanici@sunucu:/$ sudo /opt/zimbra/java/bin/keytool -import -alias mailSunuckullanicitifikasi -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt
Phase 3:
kullanici@sunucu:/$ sudo -i
root@sunucu:/# su zimbra
zimbra@sunucu:/$ zmcontrol stop
zimbra@sunucu:/$ zmcontrol start
But I get an error about encryption in Outlook;
If I use a self-signed certificate, everything seems OK. But when I use the other certificate, I can send/receive email from webmail and receive email in Outlook, but can't send. Am I missing something in the installation phase?
Thanks in advance
Can't Send mail via Outlook After Installing Certificate [ 8.6.0 ]
- cayaraa
Some older versions of outlook (particularly outlook on OSX) don't support sending via TLS and want to use SSL. Zimbra 8.6 disabled all SSL and uses TLS only (which everyone is doing). You might need to enable SSLv2Hello so that the initial connection can be started with SSL but then uses TLS:
https://wiki.zimbra.com/wiki/Security/C ... al_impacts
Can't Send mail via Outlook After Installing Certificate [ 8.6.0 ]
Hello,
Thanks for the answer. I have tried on several Outlook versions up to newest to 2006. The thing is, everything goes back to normal when I use the self-signed cert without changing anything in Outlook or its settings. I will be checking SSLv2Hello and will tell the result.
- cayaraa
Hmm... are your new certs sha256 and the self-signed ones sha1? We're using sha256 and I don't think we've had any issues with the few unsupported Outlook clients we have, but I know we've had several other (not Zimbra/mail) server/client issues with sha256 certs.
Can't Send mail via Outlook After Installing Certificate [ 8.6.0 ]
Hello, here you could check the details of the certificate
I also tested sending mail on phones and several other programs in case it is a version issue, but it is the same on all. By the way, unfortunately SSLv2Hello doesn't seem to work.
- cayaraa
ah...then there is probably something else going on. Have you made sure that postfix is coming up correctly on your zimbra server? Can you access the ports?
telnet zimbrahost.domain.com 25
telnet zimbrahost.domain.com 465
To check the cert on those ports:
openssl s_client -connect zimbrahost.domain.com:465 -tls1
openssl s_client -connect zimbrahost.domain.com:25 -starttls smtp
Can't Send mail via Outlook After Installing Certificate [ 8.6.0 ]
telnet zimbrahost.domain.com 25 --- SUCCESS
telnet zimbrahost.domain.com 465 --- SUCCESS
openssl s_client -connect zimbrahost.domain.com:465 -tls1 ----- success (connected(000000003)) .....text.....
openssl s_client -connect zimbrahost.domain.com:25 -starttls smtp ----- success(connected(00000003)) .....text......
*EDIT*
I fixed the issue by adding the certificate with a different method (it looks exactly the same as mine, but this one worked for some reason):
Works on 8.6 for StartSSL certificates, ( should update this page: http://wiki.zimbra.com/wiki/Installing_ ... _zmcertmgr )
Credit goes to: Benjamin Wiedmann (http://wied.it)
# TODO fix paths first!!!
wget https://www.startssl.com/certs/ca.pem -O /tmp/startcom-ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O /tmp/startcom-sub.class1.server.ca.pem
cat /tmp/startcom-ca.pem /tmp/startcom-sub.class1.server.ca.pem > /tmp/ca_bundle.crt
cp /path/to/your/cert/yourcert.crt /tmp/ssl.crt
cp /path/to/your/cert/yourcert.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
cd /opt/zimbra/bin
./zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt
rm /tmp/ssl.crt
rm /tmp/ca_bundle.crt
sudo -u zimbra /opt/zimbra/bin/zmcontrol restart
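
A pre-deployment check for the three files the posts above hand to zmcertmgr deploycrt (private key, certificate, concatenated CA bundle). It is an added example, not part of the original thread or of Zimbra's tooling. It uses only openssl; check_deploy_inputs and its return codes are hypothetical, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check the files handed to a certificate deploy step.
# check_deploy_inputs is a hypothetical helper; all paths come from the caller.
# Return codes: 0 ok, 1 key unusable, 2 cert unreadable,
#               3 key/cert mismatch, 4 chain does not verify.

check_deploy_inputs() {
    key=$1; crt=$2; bundle=$3

    # 1. The key must load with an empty passphrase: a still-encrypted key
    #    cannot be read by services that start unattended.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: private key is unreadable or still passphrase-protected"
        return 1
    }

    # 2. The certificate must parse and carry the same public key as the key file.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: certificate is not readable as PEM X.509"
        return 2
    }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: certificate was not issued for this private key"
        return 3
    fi

    # 3. The certificate must chain to the concatenated CA bundle (root plus
    #    every intermediate); this also rejects an expired certificate.
    if ! openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
        echo "FAIL: certificate does not verify against the CA bundle"
        return 4
    fi

    echo "OK: key, certificate and CA bundle are consistent"
    return 0
}

# Stand-alone use: sh check.sh commercial.key ssl.crt ca_bundle.crt
if [ "$#" -eq 3 ]; then
    check_deploy_inputs "$@"
fi
```
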