Results 1 to 2 of 2

Thread: Handling SSL for outbound SMTP in multi-domain environment

Hybrid View

  1. #1
    Join Date
    Feb 2008
    Rep Power

    Question Handling SSL for outbound SMTP in multi-domain environment

    I need some guidance on how to configure SSL certs in a multi-server, multi-domain environment.

    I have 1 LDAP, 1 MTA and 2 mailstore servers. The nginx proxy sits on the MTA. All the servers have ugly functional names like "," but each of the domains in Zimbra is configured with a friendly service name like "" along with a matching commercial SSL certificate.

    So for webmail, IMAP, POP, ActiveSync, etc. (anything fronted by nginx) the users can just use '' because nginx holds and serves the proper SSL certificate, and then proxies to the ugly backend server names as appropriate.

    However, nginx doesn't proxy SMTP. This means that when configuring an IMAP client, the IMAPS hostname can be "" and I get no complaint, but if the user tries that same hostname for outbound SMTP (SSL) they get a certificate error saying that the certificate name 1) doesn't match; 2) is self signed. That's because Postfix on the MTA host is serving up a self-signed cert for "".

    It seems wrong to me that the architecture is in place inside Zimbra to allow multiple domains, each with its own SSL certificate, but SMTP is somehow overlooked. What am I missing? How do others handle this? Or is my configuration just broken?

  2. #2
    Join Date
    Sep 2008
    Rep Power


    I can not comment on per-domain based SSL deployment, but we utilize centralized MTA and mail access URL for all domains hosted by Zimbra, and this decreases complexity (unless you really want to provide own server friendly names for your customers). But in overall image, your configuration seems to be correct, yet lacking understanding of Zimbra components.

    If you install MTA server(-s) as separate hosts, it gives you a benefit to be able to locate different MTAs in different geo/network locations, to gain for accessibility of the service. For better security and lesser network overhead checking existing accounts in your Zimbra stack, it would be better to deploy Zimbra LDAP slaves on these MTA servers. Keep an eye on security!

    Due to this configuration, you may balance your incoming/outgoing mail flows, if it is kind of an issues due to the volume of mails. And because MTA sits on separate server, it has separate hostname, and SSL certificate (unless you work with wildcard certs).

    My guess is, that if you'd like to offer your customers not only for webmail, etc., but for outgoing communication too, just install MTA on Mailbox server. If not, you have to provide different MTA hostname for your users, and for sure, provide separate SSL for it, if you do not feel confortable with self-signed one.

Similar Threads

  1. Multi domain SMTP authentication on sending (from server)
    By SFX Group in forum Administrators
    Replies: 0
    Last Post: 12-11-2012, 08:10 AM
  2. multi-domains: imap&smtp need xxx@domain?
    By ypong in forum Administrators
    Replies: 0
    Last Post: 09-30-2011, 08:24 AM
  3. Replies: 1
    Last Post: 03-02-2011, 02:43 AM
  4. Replies: 0
    Last Post: 12-11-2009, 02:02 AM
  5. multi domain / multi IP / SMTP HELO problem
    By fisch09 in forum Administrators
    Replies: 3
    Last Post: 04-04-2007, 05:22 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts