Can't Send mail via Outlook After Installing Certificate [ 8.6.0 ]

Mesut K
Posts: 21
Joined: Fri Nov 14, 2014 7:01 am

Post by Mesut K »

Hello,

I have upgraded Zimbra from 8.5 to 8.6 and installed a new SSL certificate (StartCom's). The problem is, whenever I install the certificate, even though it's successfully installed, I can't send mail from Outlook for some reason.
How I am installing the certificate is below:
Phase 1:
kullanici@sunucu:/$ sudo openssl rsa -in mailSunucuKey.key -out yeniMailsunucuKey.key
kullanici@sunucu:/tmp$ wget https://www.startssl.com/certs/ca.pem
kullanici@sunucu:/tmp$ wget https://www.startssl.com/certs/sub.class1.server.ca.pem
kullanici@sunucu:/tmp$ cat ca.pem sub.class1.server.ca.pem > ca_tumlesik.crt

Phase 2:

kullanici@sunucu:/$ sudo cp mailSunucu.crt /tmp/ssl.crt
kullanici@sunucu:/$ sudo cp yeniMailsunucuKey.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
kullanici@sunucu:/$ cd /opt/zimbra/bin
kullanici@sunucu:/opt/zimbra/bin/$ sudo ./zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_tumlesik.crt
kullanici@sunucu:/$ sudo /opt/zimbra/java/bin/keytool -import -alias mailSunuckullanicitifikasi -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt
 
Phase 3:
kullanici@sunucu:/$ sudo -i
root@sunucu:/# su zimbra
zimbra@sunucu:/$ zmcontrol stop
zimbra@sunucu:/$ zmcontrol start

But I get an error about encryption in Outlook;


If I use a self-signed certificate, everything seems okay. But when I use the other certificate, I can send/receive email from webmail and receive email from Outlook, but can't send. Am I missing something in the installation phase?

Thanks in advance
cayaraa
Outstanding Member
Posts: 341
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8 NE & ZCS 8 FOSS

Post by cayaraa »

Some older versions of Outlook (particularly Outlook on OSX) don't support sending via TLS and want to use SSL. Zimbra 8.6 disabled all SSL and uses TLS only (which everyone is doing). You might need to enable SSLv2Hello so that the initial connection can be started with SSL but then uses TLS:

https://wiki.zimbra.com/wiki/Security/C ... al_impacts
Mesut K
Posts: 21
Joined: Fri Nov 14, 2014 7:01 am

Post by Mesut K »

Hello,

Thanks for the answer. I have tried on several Outlook versions up to newest to 2006. The thing is, everything gets back to normal when I use the self-signed cert, without changing anything on Outlook or settings. I will be checking SSLv2Hello and will tell you the result.
cayaraa
Outstanding Member
Posts: 341
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8 NE & ZCS 8 FOSS

Post by cayaraa »

Hmm... are your new certs sha256 and the self-signed ones sha1? We're using sha256 and I don't think we've had any issues with the few unsupported Outlook clients we have, but I know we've had several other (not Zimbra/mail) server/client issues with sha256 certs.
Mesut K
Posts: 21
Joined: Fri Nov 14, 2014 7:01 am

Post by Mesut K »

Hello, here you could check the details of the certificate


I also tested sending mail on phones and several other programs, in case it is a version issue. But it is the same on all. By the way, unfortunately SSLv2Hello doesn't seem to work.
cayaraa
Outstanding Member
Posts: 341
Joined: Sat Sep 13, 2014 12:33 am
ZCS/ZD Version: ZCS 8 NE & ZCS 8 FOSS

Post by cayaraa »

Ah... then there is probably something else going on. Have you made sure that postfix is coming up correctly on your Zimbra server? Can you access the ports?

telnet zimbrahost.domain.com 25
telnet zimbrahost.domain.com 465

To check the cert on those ports:

openssl s_client -connect zimbrahost.domain.com:465 -tls1
openssl s_client -connect zimbrahost.domain.com:25 -starttls smtp
Mesut K
Posts: 21
Joined: Fri Nov 14, 2014 7:01 am

Post by Mesut K »

telnet zimbrahost.domain.com 25 --- SUCCESS
telnet zimbrahost.domain.com 465 --- SUCCESS


openssl s_client -connect zimbrahost.domain.com:465 -tls1 ----- success (connected(000000003)) .....text.....
openssl s_client -connect zimbrahost.domain.com:25 -starttls smtp ----- success(connected(00000003)) .....text......


*EDIT*

I fixed the issue by adding the certificate with a different method (it looks exactly the same as mine, but this one worked for some reason).
Works on 8.6 for StartSSL certificates (should update this page: http://wiki.zimbra.com/wiki/Installing_ ... _zmcertmgr)
Credit goes to: Benjamin Wiedmann (http://wied.it)
# TODO fix paths first!!!
# Download the StartCom root and class 1 intermediate, then join them into one CA bundle
wget https://www.startssl.com/certs/ca.pem -O /tmp/startcom-ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem -O /tmp/startcom-sub.class1.server.ca.pem
cat /tmp/startcom-ca.pem /tmp/startcom-sub.class1.server.ca.pem > /tmp/ca_bundle.crt
# Stage the server certificate and put the private key where zmcertmgr expects it
cp /path/to/your/cert/yourcert.crt /tmp/ssl.crt
cp /path/to/your/cert/yourcert.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Deploy the commercial certificate together with the CA bundle
cd /opt/zimbra/bin
./zmcertmgr deploycrt comm /tmp/ssl.crt /tmp/ca_bundle.crt
# Import the deployed certificate into the Java cacerts keystore shipped with Zimbra
/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /opt/zimbra/ssl/zimbra/commercial/commercial.crt
# Remove the temporary files and restart Zimbra
rm /tmp/ssl.crt
rm /tmp/ca_bundle.crt
sudo -u zimbra /opt/zimbra/bin/zmcontrol restart


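A pre-deployment check for the three files used in the procedures above (private key, server certificate, CA bundle), which also reports the signature algorithm asked about earlier in the thread. This is an added example, not part of any post and not Zimbra's own tooling; the function names and the throwaway demo CA are constructed for illustration, and only standard `openssl` subcommands are assumed.

```shell
#!/bin/bash
# Added example: checks on the files the procedure above hands to Zimbra
# (commercial.key, /tmp/ssl.crt, CA bundle). Function names are hypothetical.

# True only if the private key belongs to the certificate. A passphrase-protected
# key fails here instead of prompting (-passin pass:).
key_matches_cert() {  # <key> <cert>
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if openssl builds and verifies a chain for the certificate with the
# bundle supplied as CA file.
chain_verifies() {  # <ca_bundle> <cert>
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Signature algorithm of the certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {  # <cert>
    openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

precheck() {  # <key> <cert> <ca_bundle>
    local rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    chain_verifies "$3" "$2" || { echo "FAIL: certificate does not verify against bundle"; rc=1; }
    echo "signature algorithm: $(cert_sig_alg "$2")"
    return "$rc"
}

# Constructed throwaway CA and server certificate, for trying the checks offline.
make_demo_pki() {  # <dir>
    local d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' 'prompt=no' \
        '[dn]' 'CN=Constructed Demo CA' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -days 2 \
        -keyout "$d/ca.key" -out "$d/ca_bundle.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=mail.example.test" \
        -keyout "$d/commercial.key" -out "$d/ssl.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -in "$d/ssl.csr" -CA "$d/ca_bundle.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/ssl.crt" 2>/dev/null
}

# With three file arguments (key, cert, CA bundle), check those files.
if [ "$#" -eq 3 ]; then
    precheck "$@"
fi
```

Run it against the staged files before `zmcertmgr deploycrt`, so a mismatched key or an incomplete bundle is caught before the services are restarted.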