Zx Mobile SSL Management
From ZeXtras Suite Wiki
|Available since ZeXtras version: 1.10|
|Latest Version: 3.0.0|
|Released on: August 7th, 2019|
Secure Mobile Synchronization through SSL/TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are encryption protocols that provide a secure communication channel over the internet. Both protocols encapsulate application-specific protocols and protect the data from common forms of unauthorized access such as eavesdropping, tampering and man-in-the-middle attacks.
While the TLS and SSL protocols are slightly different (TLS being an "evolution" of the SSL 3.0 protocol), the term "SSL" is commonly used to refer to both.
Mobile Devices and SSL/TLS
Nowadays, the vast majority of mobile devices use SSL encryption as the default connection method.
It is therefore important to configure Zimbra to accept this type of connection not only as a matter of security but also to provide easier mobile configuration for the users.
Zimbra and SSL
Warning: SSL encryption is ALWAYS used for backend administrative traffic and the Zimbra Admin Console.
In Zimbra Collaboration Suite, the SSL capability and operating mode are defined by the value of the zimbraMailMode server property.
There are 5 different values for the zimbraMailMode property:
- http - HTTP-only mode. Any HTTPS request is denied.
- https - HTTPS-only mode. Any HTTP request is denied.
- both - Both HTTP and HTTPS are available. The protocol for a connection to the Zimbra Web UI is automatically chosen according to the URL prefix used (http:// or https://).
These three values require the user to directly choose a protocol through the URL prefix or mobile device configuration, while the following two automatically force a secure connection at some point:
- mixed - Mixed mode. The login is always carried out over a secure connection. Once the login is completed, mixed mode behaves exactly like the both mode, reverting to http if the proper prefix is used.
- redirect - The server redirects all http traffic to https, thus ignoring the http:// prefix by forcing a secure connection for the entire session.
For more info about the zimbraMailMode property and the zmtlsctl command, see the official Zimbra Wiki.
Configuring your Zimbra server to accept secure connections
Zimbra's zmtlsctl command is used to set the zimbraMailMode.
After running this command, a mailboxd restart is required for the new configuration to become active.
The syntax for the command is:
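The following is an added example, not part of the original wiki page: shell functions, meant to be run as the zimbra user, that audit zimbraMailMode using the mode descriptions above and then apply a new mode with zmtlsctl followed by a mailboxd restart. The function names, the hostnames and the sample `zmprov gs` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and set zimbraMailMode (function names are hypothetical).

# Classify a mode using the descriptions on this page: https and redirect
# keep the whole session on HTTPS; http, both and mixed can carry it over HTTP.
classify_mail_mode() {
    case "$1" in
        https|redirect)  echo "encrypted" ;;
        http|both|mixed) echo "cleartext-possible" ;;
        *)               echo "unknown"; return 1 ;;
    esac
}

# Read `zmprov gs <server> zimbraMailMode` output on stdin and print one
# "server mode verdict" line per server found.
audit_mail_modes() {
    server=""
    while IFS= read -r line; do
        case "$line" in
            "# name "*) server=${line#"# name "} ;;
            "zimbraMailMode: "*)
                mode=${line#"zimbraMailMode: "}
                verdict=$(classify_mail_mode "$mode") || verdict="unknown"
                echo "$server $mode $verdict" ;;
        esac
    done
}

# Validate the mode, switch to it, then restart mailboxd so it becomes active.
# Requires a Zimbra server; nothing in this file calls it automatically.
set_mail_mode() {
    classify_mail_mode "$1" >/dev/null || { echo "invalid mode: $1" >&2; return 2; }
    zmtlsctl "$1" && zmmailboxdctl restart
}

# Constructed sample of `zmprov gs` output for two hypothetical servers.
sample_zmprov_output() {
    cat <<'EOF'
# name mail1.example.com
zimbraMailMode: mixed

# name mail2.example.com
zimbraMailMode: redirect
EOF
}

# On a live server:  zmprov gs "$(zmhostname)" zimbraMailMode | audit_mail_modes
# To force HTTPS:    set_mail_mode redirect
```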
Configuring your mobile device to use secure connections
While the use of SSL is usually the default, this can be changed while creating/editing the proper account on the mobile device.
On the most common devices, the SSL options can be found at:
- Apple iOS: Settings -> Mail, contacts and calendars -> [your account] -> Account
- Android: Settings -> Accounts and Sync -> [your account] -> General Settings -> Server Configuration
- Windows Phone 7: Settings -> Email and accounts -> [your account]
- RIM Blackberry OS: strictly depends on the ActiveSync client, refer to your client's user manual
- Nokia Symbian: refer to Mail for Exchange documentation, also check your device's user manual for certificate management
Note for self-signed certificate users
If your server uses a self-signed SSL certificate, make sure the "Accept all certificates" (or equivalent) option is selected on the mobile device; otherwise the device will refuse to connect and display a certificate error.