QR Code Requirements

The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:

  • zimbraPublicServiceHostname

  • zimbraPublicServicePort

  • zimbraPublicServiceProtocol

Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.

2FA Requirements

In order to properly have 2FA set up, the zimbraAuthMech attribute bust be configured at domain level:

zmprov modifyDomain zimbraAuthMech custom:zx

To enable 2FA it is also necessary to:

  • Enter the addresses of all mailbox and MTAs as 'ZimbraMailTrustedIp'

  • A 'trusted ip range' must be defined for all services

  • For all services the 'ipcanchange' attribute must be validated on 'true' and 'trustedDevice = 1'

2FA requires a specific zimbraAuthMech and this make it not compatible with other mechanism such as ldap, ad or kerberos5

SAML Requirements

Before enabling SAML login, it is necessary to modify the Zextras Backend processing, because these header attributes are required to compose the complete URL request: Protocol X and X-Port.

The files affected by this change are the templates:

  • nginx.conf.web.http.default.template

  • nginx.conf.web.http.template

  • nginx.conf.web.https.default.template

  • nginx.conf.web.https.template

In each of them, the location ^~ /zx/ code should be changed:

location ^~ /zx/
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_pass ${web.upstream.zx};

Installing the Zextras Auth Zimlet

To deploy the Zextras Auth Zimlet, simply run zxsuite auth doDeployAuthZimlet as the zimbra user on any mailbox server of your infrastructure.