(Updated: June 8, 2013. I’ve updated this post to clarify based on some questions I’ve received).
For the clueless, ActiveSync is the protocol that lets you sync your Mail, Calendar, Contacts, and Tasks with your messaging provider. Your two options for an ActiveSync server are a cloud solution (e.g., Gmail, Outlook.com, etc.) or running your own Exchange Server. Licensing Exchange will set you back $708 plus $68/user.
Or, you could roll your own ActiveSync server for free using Zimbra and Z-Push… (this is more fun anyway).
Here’s how to set up HTTPS webmail and ActiveSync on Zimbra sharing the same IP. You need an “mx” server that acts as a proxy to your web server. On your internal DNS, mx.example.com and activesync.example.com should resolve to your MX server, and mail.example.com should resolve to your Zimbra server. On external DNS, everything needs to resolve to your MX server, which handles ActiveSync and also acts as a proxy server to Zimbra’s webmail (for SNI-capable browsers).
1. Install two 64-bit Ubuntu 12.04 LTS servers. Name one MX (this is your mail relay server and ActiveSync and Webmail Proxy Server) and the other one Mail (this is your Zimbra mail server).
On the Mail Server
2. Install Zimbra on your Mail server.
Create a user and make sure you can login as a user to webmail on this server before proceeding.
On the Mail Relay Server
3. Set up LAMP on the MX…
tasksel (then select lamp)
3. Get Signed Certificates for mail.example.com and activesync.example.com
4. Enable Mod SSL and Mod Proxy
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
4. Follow the instructions here for setting up Z-Push on HTTPS: http://vwiki.co.uk/Z-Push_v2_with_Zimbra
Make sure you can connect to ActiveSync. I haven’t figured out how to get autodiscover working, so you’ll have to enter the server name manually. After you get Z-Push working with a mobile device, go on to the next step…
5. Set up SNI on Apache2 so that you can host Webmail and ActiveSync/Z-Push from the same external IP.
The idea is that any browser you use to access webmail will hopefully be new enough to support SNI, so Apache on the MX server can route ActiveSync and Webmail requests based on the subdomain they hit. Z-Push is set as the default virtual host, so it will work with all mobile devices whether or not they support SNI.
Just make your /etc/apache2/sites-available/default-ssl look something like this:
<IfModule mod_ssl.c>
    # You may need to set the value below to off: when on, clients that do not send SNI are refused.
    SSLStrictSNIVHostCheck on

    <VirtualHost *:443>
        ServerAdmin [email protected]

        # Indexes + Directory Root.
        DirectoryIndex index.php
        DocumentRoot /var/www/z-push/
        #DocumentRoot /var/www/
        Alias /Microsoft-Server-ActiveSync /var/www/z-push/index.php
        <Directory />
            AllowOverride All
        </Directory>

        php_flag magic_quotes_gpc off
        php_flag register_globals off
        php_flag magic_quotes_runtime off
        php_flag short_open_tag on

        # Logfiles
        ErrorLog /var/log/apache2/z-push/error.log
        CustomLog /var/log/apache2/z-push/access.log combined

        # SSL Engine Switch:
        # Enable/Disable SSL for this virtual host.
        SSLEngine on
        # Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/activesync.example.com.crt
        # Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/activesync.example.com.key
        # Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt
        # Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt
    </VirtualHost>

    <VirtualHost *:443>
        DocumentRoot /var/www
        ServerName mail.example.com
        ServerAdmin [email protected]

        # Indexes + Directory Root.
        DirectoryIndex index.html index.php

        ProxyPreserveHost On
        SSLProxyEngine On
        ProxyVia full
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        # 10.0.0.2 should be the IP of your Zimbra server...
        ProxyPass / https://10.0.0.2/
        ProxyPassReverse / https://10.0.0.2/

        SSLEngine on
        # Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/mail.example.com.crt
        # Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/mail.example.com.key
        # Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt
        # Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt
    </VirtualHost>
</IfModule>
6. Test SNI
Now, if you access https://mail.example.com it should serve up Zimbra’s webmail via proxy, and https://mx.example.com or https://activesync.example.com should provide ActiveSync via Z-Push.
You know, if you post on Facebook, more people would benefit from your knowledge.
You know, if you posted on Facebook, more people would benefit from your knowledge.
Could not get the proxy to work. My zpush site opens using either zpush.mydomain.com or zimbra.mydomain.com. Zimbra already had its own webmail cert on the zimbra server, I wonder how that works with the cert that was created on the zpush server for the zimbra proxy? Seems like there are now double certs.
The cert on zpush would encrypt communication between the mobile device and the zpush server, the cert on the zimbra server would encrypt communication between zpush and zimbra, it shouldn’t double up. Do you have anything useful in your error logs?
I just tried again from outside my lan, there is no error it just sends me to my zpush activesync site, not my zimbra site. Here is my default-ssl if you don’t mind taking a look, I changed my virtualhost’s to ip’s to see if that would help, it didn’t.
Thanks
SSlStrictSNIVHostCheck On
ServerAdmin [email protected]
ServerName zpush.domain.com
# Indexes + Directory Root.
DirectoryIndex index.php
DocumentRoot /var/www/z-push/
Alias /Microsoft-Server-ActiveSync /var/www/z-push/index.php
AllowOverride None
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
# Logfiles
ErrorLog /var/log/z-push/error.log
CustomLog /var/log/z-push/access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
SSLCertificateFile /etc/apache2/ssl/apache.crt
# Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
# Server Certificate Chain:
# SSLCertificateChainFile /etc/apache2/ssl/ca.crt
DocumentRoot /var/www
ServerName zimbra.domain.com
ServerAdmin [email protected]
# Indexes + Directory RoNoneot.
DirectoryIndex index.html index.php
ProxyPreserveHost On
SSLProxyENgine On
ProxyVia full
Order deny,allow
Allow from all
# set below to IP address of your server
ProxyPass / https://192.168.27.108/
ProxyPassReverse / https://192.168.27.108/
SSLEngine on
# Server Certificate:
SSLCertificateFile /etc/apache2/ssl/zimbra.crt
# Server Private Key:
SSLCertificateKeyFile /etc/apache2/ssl/zimbra.key
# Server Certificate Chain:
#SSLCertificateChainFile /etc/apache2/ssl/chain.crt
# Certificate Authority (CA):
#SSLCACertificateFile /etc/apache2/ssl/ca.crt
Hmmm… your config looks right to me other than missing tags that the commenting system probably gobbled up. Can you verify that the OS/browser you’re using supports SNI? I know my Android device and even newer browsers on older versions of OSX and Windows don’t support SNI.
Another thing to check is that your version of Apache2 supports SSL, I believe it has to be compiled against one of the newer versions of openssl… although it should throw an error when you start it or in the logs if that’s the case. I used Apache2 on Ubuntu 12.04 LTS.
These are the mods I enabled with a2enmod command on the z-push server.
# a2enmod ssl
# a2enmod proxy
I tested using ie v 7.0.5730.13 and chrome v26.0.1410.64 m, both on windows 2003 sbs. My apache2 is builtin to recently installed ubuntu 12.04 lts. I’ll double check everything….confirmed.
# a2enmod ssl
# a2enmod proxy
I can always use a vpn to connect to zimbra from my laptop for now, I’m just relieved my iphone activesync over ssl is working. But if I’m going to deploy zimbra to any of my smb’s I’ve got to figure this out or buy the zimbra network edition.
Thanks for the help,
Luke
According to this page:
http://blogs.iis.net/yaminij/archive/2012/06/25/sni-server-name-indication-readiness-tool-draft.aspx SNI is not compatible with Windows 2003, so that may be your issue.
I had the same problem but “a2enmod proxy_http” fixed it.
This is also another way of doing it.
http://forums.zimbra.com/mobility/64061-how-run-z-push-zimbra-jetty-proof-concept.html