
Thread: NGINX TLS certificates

  1. #1
    Join Date
    Oct 2008
    Posts
    17
    Rep Power
    7

    Default NGINX TLS certificates

    I'm using nginx for proxying pop/pops & imap/imaps. It has been configured with certificates for the ssl interfaces and everything works fine for SSL & non-SSL.

    The issue I'm having is that for tls I can't configure nginx to use the pop certificate for pop and imap certificate for imap.

    It can be seen in the mail configuration file for TLS it is only possible for the ssl_certificate to be referenced to one file and not separate files:


    Code:
        $ egrep -i 'SSL|TLS' nginx.conf.mail
        # on whether cleartext login is available (see description for starttls)
        # For example, if starttls is set to only, then SASL PLAIN is not
        # available outside of TLS/SSL
        # TLS configuration
        ssl_prefer_server_ciphers   on;
        ssl_certificate             /opt/zimbra/conf/nginx.crt;
        ssl_certificate_key         /opt/zimbra/conf/nginx.key;

    Ideally I would expect something similar to below, but I can't work out how I could do it and if it is even possible.

    Code:
    ssl_certificate_pop         /opt/zimbra/conf/nginx.crt_pop;
    ssl_certificate_key_pop     /opt/zimbra/conf/nginx.key_pop;
    ssl_certificate_imap        /opt/zimbra/conf/nginx.crt_imap;
    ssl_certificate_key_imap    /opt/zimbra/conf/nginx.key_imap;

  2. #2
    Join Date
    Sep 2008
    Posts
    10
    Rep Power
    7

    Default

    Hi,

    Why do you want to split the certificates? You should use a *.yourdomain.com certificate.

    Cheers
    Markus

  3. #3
    Join Date
    Oct 2008
    Posts
    17
    Rep Power
    7

    Default

    Yes, that is an option, but security has stipulated that we can't have a global certificate such as:

    *.domain.com

    We have been delivered certificates such as:

    pop.domain.com
    imap.domain.com

  4. #4
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8

    Default

    I'm not sure if there's a built-in way, but you could just edit the nginx.conf.mail.imaps and nginx.conf.mail.pops files and specify your certificates there. Of course, that won't hold during an upgrade, but that would be one way of doing it.. Just comment out the ssl references before the includes inside the file posted and include them in the server section of the respective services config files.

  5. #5
    Join Date
    Oct 2008
    Posts
    17
    Rep Power
    7

    Default

    Thanks for the reply, that is what I thought as well, and that is what we have done for pop/imap SSL, but this file is only used for SSL and not TLS. AFAIK TLS is configured in the file "nginx.conf.mail".

    Code:
    # POP3S proxy configuration
    #
    server
    {
        listen              995;
        protocol            pop3;
        proxy               on;
        ssl                 on;
        ssl_certificate     /opt/zimbra/conf/pop3.crt;
        ssl_certificate_key /opt/zimbra/conf/pop.key;
        sasl_service_name   "pop";
    }

  6. #6
    Join Date
    Jan 2008
    Posts
    658
    Rep Power
    8

    Default

    Hmm.. I'm not familiar with TLS configuration in nginx, but I would think the principle would be the same.. Can you just move that configuration to the individual services files?
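
The approach suggested in the last reply, written out as an added example that is not part of the thread or of Zimbra's own templates: in stock nginx, `ssl_certificate`, `ssl_certificate_key` and `starttls` are valid in both the `mail` and `server` contexts, so each STARTTLS listener can carry its own certificate. The ports (110/143), the `"imap"` service name and the use of the certificate paths from post #1 are assumptions.

```nginx
# Added example: per-protocol certificates for STARTTLS on the cleartext ports.
# Certificate paths are the ones the original poster wished for in post #1.
mail {
    # Existing auth and proxy directives from nginx.conf.mail stay as they are.

    ssl_prefer_server_ciphers   on;

    # The shared ssl_certificate / ssl_certificate_key lines are commented out
    # here so that no listener silently falls back to the wrong certificate.
    # ssl_certificate             /opt/zimbra/conf/nginx.crt;
    # ssl_certificate_key         /opt/zimbra/conf/nginx.key;

    # POP3 with STARTTLS (STLS command) on the cleartext port
    server
    {
        listen              110;
        protocol            pop3;
        proxy               on;
        starttls            on;
        ssl_certificate     /opt/zimbra/conf/nginx.crt_pop;
        ssl_certificate_key /opt/zimbra/conf/nginx.key_pop;
        sasl_service_name   "pop";
    }

    # IMAP with STARTTLS on the cleartext port
    server
    {
        listen              143;
        protocol            imap;
        proxy               on;
        starttls            on;
        ssl_certificate     /opt/zimbra/conf/nginx.crt_imap;
        ssl_certificate_key /opt/zimbra/conf/nginx.key_imap;
        sasl_service_name   "imap";   # assumed by analogy with "pop" above
    }
}
```

After `nginx -t` passes and the proxy is reloaded, `openssl s_client -connect pop.domain.com:110 -starttls pop3` (and `-starttls imap` against port 143) shows which certificate each listener actually presents.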
