Securing Zimbra with STunnel is an easy way to keep your login, email, etc. secure when on an untrusted wireless network. This is slightly complicated by the fact that Zimbra sets the protocol (http/https) in the URL in some of its redirects, which causes protocol errors.
Overview:
1. Installing STunnel for Windows
Download and install the latest Windows binaries from http://www.stunnel.org/download/binaries.html. Once installed, edit the stunnel.conf file in C:\Program Files\stunnel. I commented out the imaps, ssmtp, etc. sections since I won't be using those; here is the service-level config I entered:
[securezimbra]
accept = 10443
connect = 10.0.0.1:80
TIMEOUTclose = 0
2. Creating a certificate
I used OpenSSL on Mac OS X to create my certificate, but you should be able to use the same command on any computer that has OpenSSL. Here is the command line I used:
openssl req -new -x509 -days 365 -nodes -out stunnel.pem -keyout stunnel.pem
I pressed Enter through all the prompts to accept the defaults, except for the common name, where I used the DNS name I will use on the client. Copy the stunnel.pem file to C:\Program Files\stunnel. Open the stunnel.pem file in Notepad, save it as certificate.cer, and remove the RSA private key block from that file. This CER file is what you will install in your client to encrypt web traffic and verify you are connecting to your STunnel server. Install and start the STunnel service.
3. Installing the certificate in Firefox
Open Firefox preferences, go to Advanced, then Encryption. Click the View Certificates button, then the Authorities tab, then the Import button. Choose the certificate.cer file. Trust the CA to identify web sites.
4. Workarounds for Firefox
Open Firefox and visit https://securebrianbit.dyndns.org:10443/, where securebrianbit.dyndns.org is the common name you entered when you created the certificate and 10443 is the port you entered in the config under accept =. You should see the Zimbra login screen without any warnings about security. After you click the login button you will see a Connection Interrupted error. Just change http to https in the URL and you should be able to log in. I use a bookmark on the toolbar that I click after login.
5. Installing the certificate on an iPhone/iPod Touch
You will need to download the iPhone Configuration Utility for Mac OS X :
http://support.apple.com/downloads/iPhone_Configuration_Utility_1_1_for_Mac_OS_X
or for Windows:
http://www.apple.com/downloads/macosx/apple/application_updates/iphoneconfigurationutility11forwindows.html
I don't understand why, but unlike the .cer file we created for Firefox, the PKCS12 file needs both the private key and the certificate; the utility won't create the file unless the private key is present. I used OpenSSL on Mac OS X to create my PKCS12 client certificate. It will prompt for an export password and then create the PKCS12 file. Here is the command line I used:
openssl pkcs12 -export -in stunnel.pem -out stunnel.p12
You will then open iPhone Configuration Utility, click Configuration Profiles and then the New button. Name the profile and enter an identifier. Click on the Credentials tab and click the Configure button. Find and open the stunnel.p12 file in the Add Credential window.
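The certificate work from steps 2 and 5 can be done in one non-interactive script, which also replaces the "delete the private key in Notepad" step with an openssl command and adds the checks you want before copying the files around. This is an added example, not from the original post; it assumes the OpenSSL command line is on PATH, and the common name and export password are placeholders you would replace.

```shell
#!/bin/sh
# Added example (not part of the original post). Builds the same three files
# the post creates by hand: stunnel.pem (key + cert), certificate.cer (cert
# only, for Firefox) and stunnel.p12 (key + cert, for the iPhone profile).
set -eu

CN="${CN:-stunnel.example.invalid}"        # placeholder: the DNS name clients will use
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # where the files are written
P12_PASS="${P12_PASS:-change-this-export-pw}"  # placeholder export password

make_stunnel_pem() {
  # Same as the post's "openssl req" step, but -subj answers the prompts so
  # it runs unattended; key and cert are then concatenated into stunnel.pem.
  openssl req -new -x509 -days 365 -nodes -subj "/CN=$CN" \
    -keyout "$WORKDIR/stunnel.key" -out "$WORKDIR/stunnel.crt" 2>/dev/null
  cat "$WORKDIR/stunnel.key" "$WORKDIR/stunnel.crt" > "$WORKDIR/stunnel.pem"
}

make_certificate_cer() {
  # Replaces the Notepad step: "openssl x509" reads only the CERTIFICATE block
  # out of stunnel.pem and writes it alone, so no private key ends up in the file.
  openssl x509 -in "$WORKDIR/stunnel.pem" -out "$WORKDIR/certificate.cer"
}

make_p12() {
  # The post's PKCS12 export, with the export password given on the command line.
  openssl pkcs12 -export -in "$WORKDIR/stunnel.pem" \
    -out "$WORKDIR/stunnel.p12" -passout "pass:$P12_PASS"
}

# Checks worth running before installing the files on any client.
cer_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORKDIR/certificate.cer"
}

cer_cn_matches() {
  # The CN must equal the host name typed into the browser, or Firefox will warn.
  openssl x509 -in "$WORKDIR/certificate.cer" -noout -subject | grep -q "CN *= *$CN"
}

p12_opens_with_password() {
  # Verifies the bundle's MAC with the export password, as the iPhone utility will.
  openssl pkcs12 -in "$WORKDIR/stunnel.p12" -passin "pass:$P12_PASS" -noout 2>/dev/null
}

build_all() {
  make_stunnel_pem && make_certificate_cer && make_p12
}

build_all
cer_has_no_private_key && cer_cn_matches && p12_opens_with_password && echo "ok: $WORKDIR"
```

Run it as `CN=your.dns.name P12_PASS='your-export-password' sh make-certs.sh`; copy stunnel.pem to the STunnel directory, certificate.cer to Firefox and stunnel.p12 into the iPhone profile.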