Setup Your Own ActiveSync Server With Zimbra and Z-Push

(Updated: June 8, 2013.  I’ve updated this post to clarify based on some questions I’ve received).

For the clueless, ActiveSync is the protocol that allows you to sync your Mail, Calendar, Contacts, and Tasks with your messaging provider.  Your two options for an ActiveSync server are a cloud solution (e.g. Gmail, Outlook.com, etc.) or running your own Exchange Server.  Licensing Exchange will set you back $708 plus $68/user.

Or, you could roll your own ActiveSync server for free using Zimbra and Z-Push… (this is more fun anyway).

Here’s how to set up HTTPS for webmail and ActiveSync on Zimbra sharing the same IP.  You need an “mx” server that acts as a proxy to your web server.  So on your internal DNS, mx.example.com and activesync.example.com should resolve to your MX server, and mail.example.com should resolve to your Zimbra server.  On external DNS everything needs to resolve to your MX server, which will handle ActiveSync and also act as a proxy server to Zimbra’s webmail (for SNI capable browsers).

Activesync with SNI diagram

1. Install two 64-bit Ubuntu 12.04 LTS servers.  Name one MX (this is your mail relay server and ActiveSync and Webmail Proxy Server) and the other one Mail (this is your Zimbra mail server).

On the Mail Server
2. Install Zimbra on your Mail server.
Create a user and make sure you can login as a user to webmail on this server before proceeding.

On the Mail Relay Server
3. Setup LAMP on the MX…

tasksel (then select lamp)

3. Get Signed Certificates for mail.example.com and activesync.example.com

4. Enable Mod SSL and Mod Proxy

a2enmod ssl

a2enmod proxy

a2enmod proxy_http   # handler for the https:// ProxyPass target used in step 5

4. Follow the instructions here for setting up Z-Push on HTTPS: http://vwiki.co.uk/Z-Push_v2_with_Zimbra
Make sure you can connect to ActiveSync.  I haven’t figured out how to get autodiscover working, so you’ll have to put the server name in manually.  After you get Z-Push working with a mobile device, go on to the next step…

5. Setup SNI on Apache2 so that you can host Webmail and ActiveSync/Z-Push from the same external IP.

The idea is that any browser you use to access webmail will hopefully be new enough to support SNI, so Apache on the MX server can route ActiveSync and webmail requests based on the subdomain they hit.  Z-Push is set as the default virtual host so it will work with all mobile devices whether or not they support SNI.

Just make your /etc/apache2/sites-available/default-ssl look something like this:

<IfModule mod_ssl.c>
# you may need to set the below value to off: while it is on,
# Apache refuses clients that do not send SNI
SSLStrictSNIVHostCheck  on

# First vhost on *:443 is the default one: Z-Push / ActiveSync
<VirtualHost *:443>
        # placeholder address
        ServerAdmin webmaster@example.com
        # Indexes + Directory Root.
        DirectoryIndex index.php
        DocumentRoot /var/www/z-push/
        #DocumentRoot /var/www/
        Alias /Microsoft-Server-ActiveSync /var/www/z-push/index.php

        <Directory />
               AllowOverride All
        </Directory>

        php_flag magic_quotes_gpc off
        php_flag register_globals off
        php_flag magic_quotes_runtime off
        php_flag short_open_tag on

        # Logfiles
        ErrorLog  /var/log/apache2/z-push/error.log
        CustomLog /var/log/apache2/z-push/access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/activesync.example.com.crt

        #   Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/activesync.example.com.key

        #   Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt

        #   Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt

</VirtualHost>

# Second vhost, selected by SNI: reverse proxy to Zimbra webmail
<VirtualHost *:443>
        DocumentRoot /var/www
        ServerName mail.example.com
        # placeholder address
        ServerAdmin webmaster@example.com

        # Indexes + Directory Root.
        DirectoryIndex index.html index.php
        ProxyPreserveHost On
        SSLProxyEngine On
        ProxyVia full
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        # 10.0.0.2 should be the IP of your Zimbra server...
        ProxyPass / https://10.0.0.2/
        ProxyPassReverse / https://10.0.0.2/
        SSLEngine on

        #   Server Certificate:
        SSLCertificateFile /etc/apache2/ssl/mail.example.com.crt

        #   Server Private Key:
        SSLCertificateKeyFile /etc/apache2/ssl/mail.example.com.key

        #   Server Certificate Chain:
        SSLCertificateChainFile /etc/apache2/ssl/chain.crt

        #   Certificate Authority (CA):
        SSLCACertificateFile /etc/apache2/ssl/ca.crt

</VirtualHost>

</IfModule>

6. Test SNI
Now, if you access https://mail.example.com it should serve up Zimbra’s webmail via proxy, and https://mx.example.com or https://activesync.example.com should provide ActiveSync via Z-Push.
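
One way to run the step 6 check from a shell instead of a browser, as an added example that is not part of the original post: it asks the MX server for its certificate with and without SNI and compares the subject CN with the virtual host that should have answered. It assumes OpenSSL 1.1.1 or newer (for -noservername) and certificates that carry the host name in the subject CN; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: which certificate does the MX server present, with and without SNI?
# Assumes OpenSSL 1.1.1+ (for -noservername) and that each certificate
# carries its host name in the subject CN.

# Pull the CN out of an openssl "subject=" line. Handles the older
# "subject= /C=US/CN=host" layout and the newer "subject=C = US, CN = host".
extract_cn() {
    sed -n 's|^ *subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Print the CN of the leaf certificate served at <addr>:443.
# usage: presented_cn <addr> [sni-name]
presented_cn() {
    if [ -n "${2:-}" ]; then
        sni_opt="-servername $2"
    else
        sni_opt="-noservername"   # behave like a client without SNI support
    fi
    # $sni_opt is left unquoted on purpose so it splits into option + value
    openssl s_client -connect "$1:443" $sni_opt </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null | extract_cn
}

# usage: check_case <label> <expected-cn> <actual-cn>
check_case() {
    if [ "$2" = "$3" ]; then
        echo "PASS  $1: $3"
    else
        echo "FAIL  $1: expected $2, got ${3:-no certificate}"
        return 1
    fi
}

# usage: check_routing <address of the MX server>
check_routing() {
    rc=0
    # Default vhost is Z-Push, so a client without SNI should see its certificate.
    check_case "no SNI" activesync.example.com "$(presented_cn "$1")" || rc=1
    check_case "SNI activesync" activesync.example.com \
        "$(presented_cn "$1" activesync.example.com)" || rc=1
    check_case "SNI mail" mail.example.com \
        "$(presented_cn "$1" mail.example.com)" || rc=1
    return $rc
}

# Only touch the network when an address is given on the command line.
if [ "$#" -gt 0 ]; then check_routing "$1"; fi
```

Run it with the address of the MX server as the only argument; it exits non-zero if any of the three cases presents the wrong certificate.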