
Nginx fail to match virtual server name for imap and pop3

Posted: Thu Aug 02, 2018 9:22 pm
by tnisoft
I have configured a single Zimbra server with multiple domains and SSL certificates.
I followed this guide https://wiki.zimbra.com/wiki/Multiple_S ... ation_(SNI)_for_HTTPS and everything seems fine except the nginx IMAP and POP3 reverse proxy functionality.
The proxy always offers the certificate of the first server block in the "nginx.conf.mail.imap" and "nginx.conf.mail.pop3" files. I tried manually editing the files and reloading nginx after moving another block to the head of the file, and then that one is used.
The nginx configuration is correct: all domains are present with the right server_name directive, and the same configuration works for webmail. Nginx redirects correctly from example.com:80 to example.com:443 and offers the correct certificate for each domain.
Enabling debug for nginx, I don't see any errors, only a warning about the user directive.
zimbra version:

$ zmcontrol -v
Release 8.8.9_GA_2055.RHEL6_64_20180703080917 RHEL6_64 FOSS edition, Patch 8.8.9_P1.

Is this a known bug of nginx, or something else?
Any help is appreciated.

Re: Nginx fail to match virtual server name for imap and pop3

Posted: Thu Aug 02, 2018 9:48 pm
by L. Mark Stone
The top line of that wiki article you quoted comprises:

Note: This feature will not enable SSL Certificate for IMAP/POP or smtps connections. RFE #103362

So it looks like SNI is working as advertised, though I agree it would be nice if SNI supported IMAP connections as well.

Mark

Re: Nginx fail to match virtual server name for imap and pop3

Posted: Thu Aug 02, 2018 10:33 pm
by tnisoft
Thanks Mark, I haven't read that :(
So is it not possible in any way to have this feature on a single server with a single IP, maybe with one IP for each domain?
Why is the nginx conf made per domain if it's unusable?
To share with an external proxy?

Re: Nginx fail to match virtual server name for imap and pop3

Posted: Thu Aug 02, 2018 10:43 pm
by L. Mark Stone
tnisoft wrote: Thanks Mark, I haven't read that :(
So is it not possible in any way to have this feature on a single server with a single IP, maybe with one IP for each domain?
Why is the nginx conf made per domain if it's unusable?
To share with an external proxy?

Those are all good questions and I regret I don't have the answers!

All the best,
Mark

Re: Nginx fail to match virtual server name for imap and pop3

Posted: Fri Aug 03, 2018 6:31 am
by stefaniu.criste
tnisoft wrote: .....
So is it not possible in any way to have this feature on a single server with a single IP, maybe with one IP for each domain?
....

You can use a compromise solution, at the other end of the issue chain.
Suppose you have the main server hostname as zimbra.domain.tld and a few other domains running on it: mail.domain1.tld, mail.domain2.tld, mail.domain3.tld.

While you can issue separate certificates for webmail access by using the command /opt/zimbra/libexec/zmdomaincertmgr, the POP3S and IMAPS services will use the "main" server certificate, managed by the command /opt/zimbra/libexec/zmcertmgr.

The solution is to issue and validate a certificate with multiple hostnames (SAN) that will be valid for all of them.
Let's Encrypt allows you to do this, at the price of some manual work.

Sample command (issued as root):

./certbot-auto certonly -d zimbra.domain.tld,\
mail.domain1.tld,webmail.domain1.tld,\
mail.domain2.tld,webmail.domain2.tld,\
mail.domain3.tld,webmail.domain3.tld \
--standalone -m your@ddress.tld
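
As an added check, not code from this thread or from Zimbra's own tooling: the script below connects to the proxy's IMAPS/POP3S ports announcing each hostname as the SNI name and reports whether the certificate actually presented covers that name, which is how you confirm the reissued SAN certificate fixes the mismatch described above. The proxy host, ports and hostnames are placeholders to substitute.

```python
import socket
import ssl

def fetch_peer_cert(host, port, sni):
    """TLS-connect to host:port announcing `sni` and return the decoded peer
    cert. The chain is still verified (so a Let's Encrypt cert decodes fine)
    but hostname checking is off: a name mismatch is what we want to see,
    not an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive exact match, or '*' as
    the whole leftmost label covering exactly one label (*.domain.tld covers
    mail.domain.tld, but not domain.tld or a.b.domain.tld)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    return p == h or (p[0] == "*" and len(p) == len(h) and p[1:] == h[1:])

def san_dns_names(cert):
    """dNSName entries; getpeercert() gives subjectAltName as (type, value) pairs."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def coverage(cert, hostnames):
    """Map each hostname to whether some SAN dNSName in `cert` covers it."""
    names = san_dns_names(cert)
    return {h: any(name_matches(n, h) for n in names) for h in hostnames}

# Constructed sample shaped like getpeercert() output: the "main" server cert
# before the multi-SAN reissue, so only zimbra.domain.tld and *.domain.tld match.
SAMPLE_CERT = {
    "subject": ((("commonName", "zimbra.domain.tld"),),),
    "subjectAltName": (("DNS", "zimbra.domain.tld"), ("DNS", "*.domain.tld")),
}

if __name__ == "__main__":
    PROXY = "zimbra.domain.tld"  # placeholder: the host running the Zimbra proxy
    WANTED = ["zimbra.domain.tld", "mail.domain1.tld", "mail.domain2.tld"]
    for port in (993, 995):      # IMAPS and POP3S
        for sni in WANTED:
            cert = fetch_peer_cert(PROXY, port, sni)
            state = "covered" if coverage(cert, [sni])[sni] else "MISMATCH"
            print(f"port {port} sni={sni}: {state}; SANs={san_dns_names(cert)}")
```

Before the SAN reissue every SNI name returns the same first-block certificate and the non-main domains show MISMATCH; after it, each name should report covered.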

Re: Nginx fail to match virtual server name for imap and pop3

Posted: Sat Aug 04, 2018 11:00 am
by tnisoft
Thank you for your excellent suggestions, stefaniu.criste. I will try.