Zimbra – postfix transport

Instead of using the /etc/postfix/transport flat file for routing, Zimbra lets you set the transport for a domain from the command line (cd creates the domain; use md to change an existing one):
./zmprov cd excite.com zimbraMailTransport smtp:xmxatip.excite.com zimbraDomainType transport

Here excite.com is the domain being routed and xmxatip.excite.com is the MTA it is handed to, so all mail addressed to excite.com is relayed to xmxatip.excite.com. Note that anyone who can modify zimbraMailTransport on a domain entry can redirect that domain’s mail, so write access to these entries deserves the same care as the postfix transport file did.

What changes on the back end is that a domain entry is written to the LDAP server:
# excite.com
dn: dc=excite,dc=com
zimbraMailStatus: enabled
zimbraId: 50243e3e-2435-4366-8c18-33697b15f136
dc: excite
zimbraDomainName: excite.com
zimbraDomainType: transport
zimbraMailTransport: smtp:xmxatip.excite.com
objectClass: dcObject
objectClass: organization
objectClass: zimbraDomain
o: excite.com domain

# people, excite.com
dn: ou=people,dc=excite,dc=com
ou: people
objectClass: organizationalRole
cn: people
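As an added example (it is not part of the page and not a Zimbra tool), a shell function that audits domain entries like the one above: because a changed zimbraMailTransport silently re-routes a whole domain, it reads LDIF (a file, or - for stdin, e.g. an ldapsearch dump of the domain entries, which is an assumption about how you would export them) and flags every transport domain whose relay host falls outside an allowed pattern. The sample LDIF is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original page: audit Zimbra transport domains in LDIF.
# Any account that can write zimbraMailTransport on a domain entry can re-route every
# message for that domain, so the relay target is worth checking against an allow-list.
#
# audit_transport_ldif LDIF_FILE ALLOWED_HOST_REGEX
#   LDIF_FILE may be a file or - for stdin (e.g. an ldapsearch dump of domain entries).
#   Prints "<dn><TAB><zimbraMailTransport>" for each zimbraDomainType=transport entry
#   whose target host does not match ALLOWED_HOST_REGEX (an awk ERE; write [.] for dots).
#   Exit status: 0 when every transport domain is allowed, 1 otherwise.
audit_transport_ldif() {
  awk -v allowed="$2" '
    function flush() {
      if (dn != "" && type == "transport") {
        host = transport
        sub(/^[a-z]+:/, "", host)      # strip the smtp:/lmtp: scheme
        sub(/:[0-9]+$/, "", host)      # strip an optional :port
        if (host !~ allowed) { print dn "\t" transport; bad++ }
      }
      dn = ""; type = ""; transport = ""
    }
    /^dn: /                  { flush(); dn = substr($0, 5) }
    /^zimbraDomainType: /    { type = $2 }
    /^zimbraMailTransport: / { transport = $2 }
    /^$/                     { flush() }
    END                      { flush(); exit (bad > 0) }
  ' "$1"
}

# Constructed sample input: excite.com as on the page, a non-transport domain, and a
# transport domain whose relay points outside the organisation (the case to flag).
write_sample_ldif() {
  cat > "$1" <<'EOF'
dn: dc=excite,dc=com
zimbraDomainName: excite.com
zimbraDomainType: transport
zimbraMailTransport: smtp:xmxatip.excite.com
objectClass: zimbraDomain

dn: ou=people,dc=excite,dc=com
ou: people
objectClass: organizationalRole

dn: dc=local,dc=com
zimbraDomainName: local.com
zimbraDomainType: local
objectClass: zimbraDomain

dn: dc=example,dc=com
zimbraDomainName: example.com
zimbraDomainType: transport
zimbraMailTransport: smtp:mx.relay.invalid:2525
objectClass: zimbraDomain
EOF
}

# Demo run on the constructed sample: prints the example.com entry and exits 1.
f=$(mktemp)
write_sample_ldif "$f"
audit_transport_ldif "$f" '[.]excite[.]com$' || echo "unapproved relay(s) listed above" >&2
rm -f "$f"
```

Against the live directory, feed it the LDIF of the domain entries (the page shows them under dc=<domain>) and a pattern that matches only your own relay hosts; for a single domain, zmprov gd excite.com zimbraMailTransport shows the current value.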

Setup SSL for Solaris LDAP client (certutil and openssl)

http://blogs.sun.com/roller/page/baban? … _ssl_using

Directory server side

The following shows how to set up Sun Directory Server 5.2 and the Solaris LDAP
client for SSL. I have tried to give openssl, certutil, PEM and DER examples (and
the Directory server console in some places) that achieve the same result.


myhost.test.sun.com == fully qualified hostname of the Directory server
/var/mps/serverroot == serverroot for the Directory server
dc=sun,dc=com == suffix the Directory server is already set up with
# openssl is delivered in /usr/sfw/bin on Solaris 10
# Please refer to the appropriate manpages for a description of the various
# command-line options used below.


DER: a binary format
PEM: base-64 encoded DER with a header and footer line
certutil: default is DER. For PEM, use -a
openssl: default is PEM. For DER, use -inform DER and/or -outform DER

Create Test CA

1. openssl
# The /usr/sfw/bin/CA.pl script will create a directory structure either under
# the current working directory or under /etc/sfw/openssl, depending upon the
# version of openssl you are using. Check the value of the CATOP variable in
# /usr/sfw/bin/CA.pl. To create the CA under /CA/cacertdb:
mkdir -p /CA/cacertdb; cd /CA/cacertdb
# Modify CATOP in /usr/sfw/bin/CA.pl to /CA/cacertdb
# Modify dir under [ CA_default ] in /etc/sfw/openssl/openssl.cnf to /CA/cacertdb
perl /usr/sfw/bin/CA.pl -newca
# Default name for the CA cert is cacert.pem. CA.pl also writes the CA private key
# under the same directory; keep that directory readable by root only.

2. certutil
# Create the CA certificate DB
mkdir -p /CA/cacertdb
certutil -N -d /CA/cacertdb -P ca-
# Create a self-signed CA certificate (-v 120 = valid for 120 months; the subject
# must be quoted because it contains spaces)
certutil -S -x -n ca-cert -s "cn=CA Certificate certutil,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -t CTPu -v 120 -d /CA/cacertdb -P ca- -5
# When prompted, select (5) SSL CA and 'y' for critical extensions
# Export the CA cert into an output file in PEM format
certutil -L -d /CA/cacertdb -P ca- -n ca-cert -a > cacert.pem

Create NSS DB for Directory server

1. Console
Use the Directory server console => Manage Certificates. The DB is created the
first time you use any of the certificate functions. With the newer DS6.0
directory server the NSS DB is created together with the server instance, so
this step isn't necessary.

2. certutil
certutil -N -d /var/mps/serverroot/alias -P slapd-myhost-
# Remember the password you have given; the server needs it at every start (see Enable SSL)

Generate Certificate Signing Request (CSR) for server cert

1. Console
Use the Directory server console => Manage Certificates to generate the CSR and
save it to a file.

2. certutil
# The key pair is generated inside the NSS DB; only the request leaves it
certutil -R -s "cn=myhost.test.sun.com,ou=TEST,o=Sun Microsystems Inc.,l=Menlo Park,st=CA,c=US" -o DER.csr -d /var/mps/serverroot/alias -P slapd-myhost-

3. openssl
# Generate a 2048-bit RSA private key (written unencrypted; restrict it with chmod 600)
openssl genrsa -out privkey.pem 2048
# OR generate a 2048-bit DSA private key
openssl dsaparam -out DSAparam.pem 2048
openssl gendsa -out privkey.pem DSAparam.pem
# Generate the certificate request; the CN must be the server's fully qualified
# hostname (myhost.test.sun.com) or clients will reject the certificate
openssl req -new -key privkey.pem -out PEM.csr
# Display the content and public key from the certificate request
openssl req -in PEM.csr -text -pubkey

Sign CSR using Test CA

1. certutil
# Sign the DER CSR (-v 12 = valid for 12 months)
certutil -C -c ca-cert -i DER.csr -o ./cert.der -v 12 -d /CA/cacertdb -P ca- -5
# Sign the PEM CSR
certutil -C -c ca-cert -a -i PEM.csr -o ./cert.pem -v 12 -d /CA/cacertdb -P ca- -5
# When prompted for the certificate type this time, select (1) SSL Server

2. openssl
openssl ca -policy policy_anything -cert cacert.pem -in PEM.csr -out cert.pem

Import signed certs into NSS DB

1. Console
Use the Manage Certificates tab to import PEM certificates.

2. certutil
# Import the PEM server cert
certutil -A -a -n server-cert -i ./cert.pem -t Pu -d /var/mps/serverroot/alias -P slapd-myhost-
# Import the DER server cert
certutil -A -n server-cert -i ./cert.der -t Pu -d /var/mps/serverroot/alias -P slapd-myhost-
# Import the PEM CA cert
certutil -A -a -n ca-cert -i cacert.pem -t CT -d /var/mps/serverroot/alias -P slapd-myhost-
# List the contents
certutil -L -d /var/mps/serverroot/alias -P slapd-myhost-
# List the contents of a specific cert
certutil -L -d /var/mps/serverroot/alias -P slapd-myhost- -n server-cert

3. openssl
# Import openssl certificates/keys into the NSS DB. Convert the cert, key and CA cert
# into pkcs12 format (the bundle contains the private key: protect it, and delete it
# once it has been imported)
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -certfile cacert.pem -name "MY CERTIFICATE" -out mycert.p12
# Import it into the NSS DB
pk12util -i mycert.p12 -d /var/mps/serverroot/alias -P slapd-myhost- -v

Enable SSL

1. Console
# From the Configuration tab, select Encryption
# Select Enable SSL for this server
# Select Use this cipher family
# Select Certificate
# Select Do not allow client authentication OR Allow client authentication
# but NOT Require client authentication
# Save and restart the directory server from the command line. You will be prompted
# to Enter PIN for Internal (Software) Token
# For automatic startup with SSL, add the NSS DB password to the following file.
# It holds the password in clear text, so it must belong to the user ns-slapd runs as
# and be readable by nobody else (hence the chmod 400 below).
cd /var/mps/serverroot/alias
vi slapd-myhost-pin.txt
# contents of slapd-myhost-pin.txt:
Internal (Software) Token:your-NSSDB-password-here
chmod 400 slapd-myhost-pin.txt
directoryserver stop
directoryserver start

Run idsconfig

/usr/lib/ldap/idsconfig
# Assume: Naming Base DN: dc=test,dc=sun,dc=com, Domain: test.sun.com
# When prompted for Authentication Methods, choose at least one that starts with tls:
# Choose an appropriate name for the profile (say tls-profile). The default name is

Solaris Native LDAP client side

# Create the NSS DB (don't enter a password, just hit return)
certutil -N -d /var/ldap
chmod 444 /var/ldap/*
# Download the Test CA certificate to the client machine into a temporary
# location, e.g. /var/tmp/cacert.pem, and add it to the NSS DB. This is the only CA
# the client will trust for the directory server, so fetch it over a trusted channel.
certutil -A -n ca-cert -i /var/tmp/cacert.pem -a -t CT -d /var/ldap
# Verify that myhost resolves to its fully qualified name, which has to match the
# server certificate. Otherwise modify /etc/hosts (and if necessary /etc/nsswitch.conf)
getent hosts myhost.test.sun.com
# Test with ldapsearch over SSL
ldapsearch -v -h myhost.test.sun.com -p 636 -Z -P /var/ldap/cert8.db -b dc=sun,dc=com -s base 'objectclass=*'
# Initialize the Native LDAP client using profile tls-profile
/usr/sbin/ldapclient init -a profileName=tls-profile -a domainname=test.sun.com -a proxyDN=cn=proxyagent,ou=profile,dc=test,dc=sun,dc=com -a proxyPassword=proxy

How to disable SSL in SunONE directory server

Problem Statement: if you delete your certificates and forget to disable
encryption on your ldap server, the directory server will not start the next
time you go to restart it.
Resolution: turn encryption off in dse.ldif (see the end of this section). Here's how it looks:
bash-2.05# ./start-slapd
Enter PIN for Internal (Software) Token:
Server not running!! Failed to start ns-slapd process.
tail /logs/errors
[24/Apr/2004:12:31:48 -0700] – Sun-ONE-Directory/5.2 B2003.143.0020 (32-
bit) starting up
[24/Apr/2004:12:31:48 -0700] – WARNING<4753> – SSL – conn=-1 op=-1 msgId=-
1 – Security Initialization: Can’t find certificate (server-cert) for
family cn=RSA,cn=encryption,cn=config (error -5978 – Network file
descriptor is not connected.)
[24/Apr/2004:12:31:48 -0700] – WARNING<4754> – SSL – conn=-1 op=-1 msgId=-
1 – Security Initialization: Unable to retrieve private key for cert
server-cert of family cn=RSA,cn=encryption,cn=config (error -5978 –
Network file descriptor is not connected.)
[24/Apr/2004:12:31:48 -0700] – ERROR<4756> – SSL – conn=-1 op=-1 msgId=-1 –
None of the cipher are valid.
[24/Apr/2004:12:31:48 -0700] – DEBUG – conn=-1 op=-1 msgId=-1 – SSL
socket import or configuration failed.
[24/Apr/2004:12:31:48 -0700] – DEBUG – conn=-1 op=-1 msgId=-1 – Failed
to init daemon
To fix this, open the /config/dse.ldif and change
nsslapd-security: on
to
nsslapd-security: off
Then restart the directory server. Edit dse.ldif only while the server is stopped
(ns-slapd rewrites the file on shutdown and would discard the change), and remember
that clients initialized with a tls: profile will fail until SSL is re-enabled with a
new server certificate.
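A preflight check for exactly this outage, as an added example that is not part of the page or of the directory server: run it before restarting, and it refuses when nsslapd-security is on but the certificate nickname that cn=RSA,cn=encryption,cn=config points to is no longer in the NSS DB. The attribute names (nsslapd-security under cn=config, nsSSLPersonalitySSL under the RSA family entry) are assumed from the dse.ldif layout of Sun and 389 Directory Server, and both sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): refuse a restart that would fail with
# "Can't find certificate (server-cert) for family cn=RSA,cn=encryption,cn=config".
# Attribute names are assumed from the Sun/389 dse.ldif layout.

# ldif_attr LDIF_FILE DN ATTR: print ATTR's value(s) from the entry whose dn line is exactly DN.
ldif_attr() {
  awk -v want="dn: $2" -v attr="$3: " '
    $0 == want { in_entry = 1; next }
    /^dn: /    { in_entry = 0 }
    in_entry && index($0, attr) == 1 { print substr($0, length(attr) + 1) }
  ' "$1"
}

# ssl_preflight DSE_LDIF CERTUTIL_LISTING
#   CERTUTIL_LISTING is the saved output of: certutil -L -d <serverroot>/alias -P slapd-<host>-
#   Returns 0 if SSL is off, or on with its server cert still in the DB; 1 with a message otherwise.
ssl_preflight() {
  dse=$1; listing=$2
  security=$(ldif_attr "$dse" "cn=config" "nsslapd-security")
  [ "$security" = "on" ] || return 0
  nick=$(ldif_attr "$dse" "cn=RSA,cn=encryption,cn=config" "nsSSLPersonalitySSL")
  # certutil -L prints "<nickname><spaces><trust flags>", one cert per line
  if [ -n "$nick" ] && grep -q "^$nick[[:space:]]" "$listing"; then
    return 0
  fi
  echo "nsslapd-security is on but certificate '${nick:-<none>}' is not in the NSS DB:" \
       "re-import it, or set 'nsslapd-security: off' in dse.ldif before restarting" >&2
  return 1
}

# Constructed samples: a dse.ldif with SSL still enabled, and a certutil -L listing
# taken after server-cert was deleted (only the CA remains).
write_samples() {
  cat > "$1/dse.ldif" <<'EOF'
dn: cn=config
cn: config
nsslapd-security: on
nsslapd-port: 389
nsslapd-secureport: 636

dn: cn=encryption,cn=config
cn: encryption

dn: cn=RSA,cn=encryption,cn=config
cn: RSA
nsSSLToken: internal (software)
nsSSLPersonalitySSL: server-cert
EOF
  cat > "$1/certs.txt" <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-cert                                                      CT,,
EOF
}

# Usage: sh ssl-preflight.sh <dse.ldif> <certutil-L-output>; without arguments, run the demo.
if [ -n "${2:-}" ]; then
  ssl_preflight "$1" "$2"
else
  d=$(mktemp -d)
  write_samples "$d"
  ssl_preflight "$d/dse.ldif" "$d/certs.txt" || echo "(demo: restart would fail, as in the log above)" >&2
  rm -rf "$d"
fi
```

In real use, point it at the instance's dse.ldif and at fresh certutil -L output for the slapd-<host>- DB; a zero exit means the encryption configuration and the NSS DB agree and the restart will not hit the error above.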