Requirements

QR Code Requirements

The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:

  • zimbraPublicServiceHostname

  • zimbraPublicServicePort

  • zimbraPublicServiceProtocol

Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.

2FA Requirements

To set up 2FA properly, the zimbraAuthMech attribute must be configured at domain level:

zmprov modifyDomain example.com zimbraAuthMech custom:zx

To enable 2FA, it is also necessary to configure some Zimbra parameters:

  • Enter the addresses of all mailboxes and MTAs as zimbramailtrustedip, using the command zmprov as follows:

zmprov mcf +zimbramailtrustedip IP_ADDRESS/32
zmprov mcf +zimbramailtrustedip IP_SUBNET/NETMASK

The first command adds a single IP, e.g., 192.168.72.29/32; the second adds a whole subnet, e.g., 192.168.72.1/24.

  • A trusted_ip_range must be defined for all services.

  • For all services, the ip_can_change attribute must be set to true and 2fa_policy must be set to 1.

2FA requires a specific zimbraAuthMech, which makes it incompatible with other mechanisms such as ldap, ad or kerberos5.
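
One way to check the trusted-IP requirement above before enabling 2FA, as an added example (not Zextras or Zimbra code): it reads the output of zmprov gcf zimbraMailTrustedIP and reports mailbox or MTA addresses that no trusted entry covers. The sample output, host names and addresses are constructed.

```python
import ipaddress

# Constructed sample: output of `zmprov gcf zimbraMailTrustedIP`, one value per line.
SAMPLE_GCF_OUTPUT = """\
zimbraMailTrustedIP: 192.168.72.29/32
zimbraMailTrustedIP: 192.168.72.1/24
zimbraMailTrustedIP: 10.0.5.7
"""

# Constructed sample: addresses of the mailbox and MTA nodes (hypothetical hosts).
SAMPLE_NODES = {
    "mbox1": "192.168.72.29",
    "mbox2": "192.168.72.40",
    "mta1": "10.0.5.7",
    "mta2": "10.0.6.8",
}


def parse_trusted(gcf_output):
    """Return the trusted networks listed in zmprov output, skipping other lines."""
    networks = []
    for line in gcf_output.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "zimbramailtrustedip":
            continue
        # strict=False accepts entries with host bits set, such as
        # 192.168.72.1/24, and normalises them to 192.168.72.0/24.
        # A bare address is read as a /32.
        networks.append(ipaddress.ip_network(value.strip(), strict=False))
    return networks


def uncovered_nodes(nodes, networks):
    """Return {host: ip} for every node whose address is in no trusted network."""
    missing = {}
    for host, ip in nodes.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in networks):
            missing[host] = ip
    return missing


if __name__ == "__main__":
    nets = parse_trusted(SAMPLE_GCF_OUTPUT)
    for host, ip in uncovered_nodes(SAMPLE_NODES, nets).items():
        print(f"{host} ({ip}) not covered: zmprov mcf +zimbramailtrustedip {ip}/32")
```
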

SAML Requirements

Before enabling SAML login, it is necessary to modify the Zextras backend processing, because these header attributes are required to compose the complete request URL: Protocol X and X-Port (the X-Forwarded-Proto and X-Forwarded-Port headers in the location block below).

The files affected by this change are the templates:

  • nginx.conf.web.http.default.template

  • nginx.conf.web.http.template

  • nginx.conf.web.https.default.template

  • nginx.conf.web.https.template

In each of them, the location ^~ /zx/ block should be changed as follows:

location ^~ /zx/
  {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-Port $server_port;
      proxy_pass ${web.upstream.zx};
  }

Installing the Zextras Auth Zimlet

To deploy the Zextras Auth Zimlet, simply run zxsuite auth doDeployAuthZimlet as the zimbra user on any mailbox server of your infrastructure.