Setup Your Own ActiveSync Server With Zimbra and Z-Push

(Updated: June 8, 2013.  I’ve updated this post to clarify based on some questions I’ve received).

For the clueless, ActiveSync is the protocol that allows you to sync your Mail, Calendar, Contacts, and Tasks with your messaging provider.  Your two options for an ActiveSync server are a cloud solution (e.g. Gmail, Outlook.com, etc.) or running your own Exchange Server.  Licensing Exchange will set you back $708 plus $68/user.

Or, you could roll your own ActiveSync server for free using Zimbra and Z-Push… (this is more fun anyway).

Here’s how to set up https on webmail and activesync on Zimbra sharing the same IP.  You need an “mx” server that acts as a proxy to your web server.  So on your internal DNS mx.example.com/activesync.example.com should resolve to your MX server, and mail.example.com resolves to your Zimbra server.  On external DNS everything needs to resolve to your MX server, and it will handle activesync and also act as a proxy server to Zimbra’s webmail (for SNI capable browsers).

1. Install two 64-bit Ubuntu 12.04 LTS servers.  Name one MX (this is your mail relay server and ActiveSync and Webmail Proxy Server) and the other one Mail (this is your Zimbra mail server).

On the Mail Server
2. Install Zimbra on your Mail server.
Create a user and make sure you can login as a user to webmail on this server before proceeding.

On the Mail Relay Server
3. Setup LAMP on the MX…

tasksel (then select lamp)

3. Get Signed Certificates for mail.example.com and activesync.example.com

4. Enable Mod SSL and Mod Proxy

a2enmod ssl

a2enmod proxy

4. Follow the instructions here for setting up Z-Push on HTTPS: http://vwiki.co.uk/Z-Push_v2_with_Zimbra
Make sure you can connect to ActiveSync.  I haven’t figured out how to get autodiscover working, so you’ll have to put the server name in manually.  After you get Z-Push working with a mobile device, go on to the next step…

5. Setup SNI on Apache2 so that you can host Webmail and ActiveSync/Z-Push from the same external IP.

The idea is that any browser you use to access webmail will hopefully be new enough to support SNI, so Apache on the MX server can route ActiveSync and Webmail requests based on the subdomain they hit.  Z-Push is set as the default virtualhost so it will work with all mobile devices whether or not they support SNI.

Just make your /etc/apache2/sites-available/default-ssl look something like this:

<IfModule mod_ssl.c>
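# with "on", clients that do not send SNI are denied access;
# you may need to set the below value to off
SSLStrictSNIVHostCheck  on
# Apache 2.2 (Ubuntu 12.04) also needs "NameVirtualHost *:443", for example in
# /etc/apache2/ports.conf, or the second vhost below is never selected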
 <VirtualHost *:443>
        ServerAdmin [email protected]
        # Indexes + Directory Root.
        DirectoryIndex index.php
        DocumentRoot /var/www/z-push/
        #DocumentRoot /var/www/
        Alias /Microsoft-Server-ActiveSync /var/www/z-push/index.php

        <Directory />
               AllowOverride All
        </Directory>

        php_flag magic_quotes_gpc off
        php_flag register_globals off
        php_flag magic_quotes_runtime off
        php_flag short_open_tag on

        # Logfiles
        ErrorLog  /var/log/apache2/z-push/error.log
        CustomLog /var/log/apache2/z-push/access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/activesync.example.com.crt

        #   Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/activesync.example.com.key

        #   Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt

        #   Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt

 </VirtualHost>
<VirtualHost *:443>
        DocumentRoot /var/www
        ServerName mail.example.com
        ServerAdmin [email protected]

        # Indexes + Directory Root.
        DirectoryIndex index.html index.php
        ProxyPreserveHost On
        # SSLProxyEngine alone does not verify the Zimbra certificate
        # (SSLProxyVerify defaults to none)
        SSLProxyEngine On
        ProxyVia full
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        # 10.0.0.2 should be the IP of your Zimbra server...
        ProxyPass / https://10.0.0.2/
        ProxyPassReverse / https://10.0.0.2/
        SSLEngine on

        #   Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/mail.example.com.crt

        #   Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/mail.example.com.key

        #   Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt

        #   Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt

  </VirtualHost>

</IfModule>

6. Test SNI
Now, if you access https://mail.example.com it should serve up Zimbra’s webmail via proxy, and https://mx.example.com or https://activesync.example.com should provide ActiveSync via Z-Push.
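
The vhost selection behind this test, as an added example that is not part of the original post: `cert_for_sni` models which certificate Apache presents for a given SNI name (anything unmatched falls back to the first vhost, here Z-Push), and `live_cert_subject` asks a running server the same question with `openssl s_client`. The embedded config is a constructed, trimmed copy of the layout above, and the function names are made up for this example.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the two-vhost layout from this post.
sample_conf() {
cat <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/z-push/
    SSLCertificateFile /etc/apache2/ssl/activesync.example.com.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName mail.example.com
    SSLCertificateFile /etc/apache2/ssl/mail.example.com.crt
</VirtualHost>
EOF
}

# cert_for_sni NAME < config
# Prints the SSLCertificateFile of the vhost that answers a client sending
# NAME as SNI. Pass "" for a client that sends no SNI. A name that matches
# no ServerName/ServerAlias lands on the first vhost, as in Apache.
# Simplification: exact, case-insensitive names only (no wildcard aliases).
cert_for_sni() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        tolower($1) ~ /^<virtualhost/ { n++ }
        tolower($1) == "servername" || tolower($1) == "serveralias" {
            for (i = 2; i <= NF; i++)
                if (want != "" && tolower($i) == want && !match_n) match_n = n
        }
        tolower($1) == "sslcertificatefile" { cert[n] = $2 }
        END { print cert[match_n ? match_n : 1] }
    '
}

# live_cert_subject SERVER NAME
# The same question asked of a running server: which certificate subject
# comes back when NAME is sent as SNI to SERVER:443. Needs network access.
live_cert_subject() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}
```

If `live_cert_subject mx.example.com mail.example.com` returns the activesync certificate, Apache is not doing name-based selection on port 443 and every request is landing on the default vhost.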

12 thoughts on “Setup Your Own ActiveSync Server With Zimbra and Z-Push”

  1. Could not get the proxy to work. My zpush site opens using either zpush.mydomain.com or zimbra.mydomain.com. Zimbra already had its own webmail cert on the zimbra server, I wonder how that works with the cert that was created on the zpush server for the zimbra proxy? Seems like there are now double certs.

  2. The cert on zpush would encrypt communication between the mobile device and the zpush server, the cert on the zimbra server would encrypt communication between zpush and zimbra, it shouldn’t double up. Do you have anything useful in your error logs?

  3. I just tried again from outside my lan, there is no error it just sends me to my zpush activesync site, not my zimbra site. Here is my default-ssl if you don’t mind taking a look, I changed my virtualhost’s to ip’s to see if that would help, it didn’t.

    Thanks

  4. SSlStrictSNIVHostCheck On

    ServerAdmin [email protected]
    ServerName zpush.domain.com

    # Indexes + Directory Root.
    DirectoryIndex index.php
    DocumentRoot /var/www/z-push/
    Alias /Microsoft-Server-ActiveSync /var/www/z-push/index.php

    AllowOverride None

    php_flag magic_quotes_gpc off
    php_flag register_globals off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on

    # Logfiles
    ErrorLog /var/log/z-push/error.log
    CustomLog /var/log/z-push/access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # Server Certificate:
    SSLCertificateFile /etc/apache2/ssl/apache.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Server Certificate Chain:
    # SSLCertificateChainFile /etc/apache2/ssl/ca.crt

    DocumentRoot /var/www
    ServerName zimbra.domain.com
    ServerAdmin [email protected]

    # Indexes + Directory Root.
    DirectoryIndex index.html index.php
    ProxyPreserveHost On
    SSLProxyENgine On
    ProxyVia full

    Order deny,allow
    Allow from all

    # set below to IP address of your server
    ProxyPass / https://192.168.27.108/
    ProxyPassReverse / https://192.168.27.108/
    SSLEngine on

    # Server Certificate:
    SSLCertificateFile /etc/apache2/ssl/zimbra.crt

    # Server Private Key:
    SSLCertificateKeyFile /etc/apache2/ssl/zimbra.key

    # Server Certificate Chain:
    #SSLCertificateChainFile /etc/apache2/ssl/chain.crt

    # Certificate Authority (CA):
    #SSLCACertificateFile /etc/apache2/ssl/ca.crt

  5. Hmmm… your config looks right to me other than missing tags that the commenting system probably gobbled up. Can you verify that the OS/browser you’re using supports SNI? I know my Android device and even newer browsers on older versions of OSX and Windows don’t support SNI.

    Another thing to check is that your version of Apache2 supports SSL, I believe it has to be compiled against one of the newer versions of openssl… although it should throw an error when you start it or in the logs if that’s the case. I used Apache2 on Ubuntu 12.04 LTS.

    These are the mods I enabled with a2enmod command on the z-push server.

    # a2enmod ssl
    # a2enmod proxy

  6. I tested using ie v 7.0.5730.13 and chrome v26.0.1410.64 m, both on windows 2003 sbs. My apache2 is builtin to recently installed ubuntu 12.04 lts. I’ll double check everything….confirmed.

    # a2enmod ssl
    # a2enmod proxy

    I can always use a vpn to connect to zimbra from my laptop for now, I’m just relieved my iphone activesync over ssl is working. But if I’m going to deploy zimbra to any of my smb’s I’ve got to figure this out or buy the zimbra network edition.

    Thanks for the help,
    Luke
