
I have a Zimbra ZCS 7.1.3 server running the OSE version. The server hosts 4 domains for email. Each of the email domains has its own SSL cert that is self-generated.

Something that has sort of bugged me since the time it was installed is the way I have everything configured. When I set it up I wanted an SSL cert for each domain; as per a conversation on the Zimbra forums, I was told I needed a separate IP address for EACH domain for SSL to work right.

So this left me with a configuration like so:

eth0   - 10.0.0.17/24 - mail.solignis.com
eth0:0 - 10.0.0.18/24 - mail.oddablesound.com
eth0:1 - 10.0.0.19/24 - mail.campbellsurvey.com
eth0:2 - 10.0.0.20/24 - mail.campbellsurvey.net

Each of those IP addresses is NATed to a public IP and has basic port forwarding to it. While everything does in fact work, I can't help but think this is not correct.

The original reason this was thought to be the correct way was because of the command you must enter to make per-domain SSL certs with Zimbra.

The command is:

zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}

The other way to make multiple domains work is to use an SSL cert with alternative names, which I am not entirely sure how to use.

In the end, all I am trying to do is make Zimbra a little less complex on the networking side.

ianc1215
  • possible duplicate of [SSL certificate selection based on host-header: is it possible?](http://serverfault.com/questions/126072/ssl-certificate-selection-based-on-host-header-is-it-possible) – Shane Madden Nov 22 '11 at 06:48

2 Answers


You have to use either different IPs or different ports. SNI (deciding which SSL certificate based on the name the other person is trying to reach) isn't supported on enough browsers yet for name-based SSL hosting to work.

David Schwartz
  • So then the way I have it configured is correct? An interface per domain? Could I / how would I use SSL certs with SubjectAlternativeName(s)? Because then I would only need one cert for the whole server, right? – ianc1215 Nov 22 '11 at 03:23
  • You could do it that way, if you can get one certificate that can cover the names for all your sites. The problem is that you may have to send the certificate without knowing which name the client was trying to reach. – David Schwartz Nov 22 '11 at 03:38
  • Apparently I am doing it right as per this wiki article from Zimbra, when shown graphically it makes sense. http://wiki.zimbra.com/wiki/Multi_Domain_SSL_Certs_-_HOWTO – ianc1215 Nov 22 '11 at 03:40

As you mentioned in one of your comments, since you are self-generating your certificates, you could make one certificate with Subject Alternative Names which includes all your domains. I don't see any problems doing it this way.

Anjan
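The single-certificate approach both answers mention, as an added worked example (not part of the original question or either answer, and not Zimbra's own tooling): the script below builds one self-signed certificate whose Subject Alternative Names cover the four mail hostnames from the question, then uses `openssl x509 -checkhost` to confirm which names it is valid for. Everything runs offline against a temporary directory; the only requirement is the `openssl` command-line tool (1.0.2 or later for `-checkhost`). The `presented_cert` helper is an assumption about how you would check a live server and is not run by default because it needs network access.

```shell
#!/bin/sh
# Added example, not from the original post: one self-signed cert with a
# SAN list covering all four hostnames from the question, plus checks.
set -eu

WORK="${TMPDIR:-/tmp}/zimbra-san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Hostnames taken from the question; the first one also becomes the CN.
SAN_HOSTS="mail.solignis.com mail.oddablesound.com mail.campbellsurvey.com mail.campbellsurvey.net"

# Write an OpenSSL request config. Putting x509_extensions in [req] makes
# "openssl req -x509" copy the SAN list into the self-signed certificate.
write_config() {
    cfg="$WORK/san.cnf"
    first="${SAN_HOSTS%% *}"
    {
        printf '[req]\n'
        printf 'distinguished_name = dn\n'
        printf 'x509_extensions = v3_req\n'
        printf 'prompt = no\n'
        printf '[dn]\n'
        printf 'CN = %s\n' "$first"
        printf '[v3_req]\n'
        printf 'subjectAltName = @alt_names\n'
        printf '[alt_names]\n'
        i=1
        for h in $SAN_HOSTS; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$cfg"
    printf '%s\n' "$cfg"
}

# Generate a 2048-bit RSA key and a one-year self-signed certificate.
# Prints the path of the certificate.
make_cert() {
    cfg=$(write_config)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" \
        -config "$cfg" >/dev/null 2>&1
    printf '%s\n' "$WORK/server.crt"
}

# Return 0 if the certificate in $1 is valid for hostname $2, else 1.
# -checkhost applies the same CN/SAN matching rules a browser uses.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Show the SAN line so you can eyeball what clients will see.
list_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1
}

# Assumed live check (not run here): which certificate does host:port hand
# out when the client asks for $3 via SNI? Compare with and without
# -servername to see whether name-based selection is happening.
presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -text | grep -E 'Subject:|DNS:'
}

CRT=$(make_cert)
list_sans "$CRT"
for h in $SAN_HOSTS mail.not-hosted.example; do
    if cert_covers "$CRT" "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
```

Once the certificate is installed, `presented_cert 10.0.0.17 443 mail.oddablesound.com` (hypothetical arguments) shows the SAN list the server actually sends; with a single SAN certificate every name should appear regardless of which IP or SNI name you use, which is exactly what lets you collapse the per-domain aliases.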