First off, this is a method to enable you to view the contents of your Zimbra account calendar in the Google Calendar web interface. This is not for people looking to view their Google Calendar content inside the Zimbra web interface.

Assumptions

  • You do not have administrative access to your Zimbra server, you’re just a user
  • Your Zimbra installation is authenticated and requires username and password
  • You have a place to host a dynamic webpage out on the internet. This could be a colocated server, a VPS, or shared web hosting with a webserver that can serve dynamic web pages (perl, python, php, etc)
  • You have obtained a valid SSL certificate for your web server (potentially for free from StartSSL)
  • Your SSL certificate is not expired, is valid for the domain name of your website, and is issued by a trusted certificate authority (Thawte, Verisign, StartSSL, etc)

Solution

Please see the Caveats below regarding security before implementing this.

  1. Determine the url for your Zimbra installation. One way to determine the URL is to :
    • Go to your normal Zimbra web interface
    • Go to the Calendar tab
    • In the left pane right click your calendar in the “Calendars” list and select “Edit properties” in the context menu that pops up
    • In the new “Folder properties” window click the “Add share…” button
    • At the bottom of the “Share properties” in the “URL” section copy the “ICS” URL provided. Remember you’ll have to urlencode the “@” character if your username is your email address
  2. Validate that the Zimbra URL works by browsing to it in your web browser and typing in your username and password when challenged for them. Confirm that you can download an iCal file with your calendar items in it.
    • If you’re unable to get an iCal file from Zimbra, try different URL combinations or ask the administrators of the Zimbra server to help you determine what the URL should be.
  3. On your webserver create a dynamic webpage that fetches your ical from Zimbra and serves it up to the user. Here is an example in PHP.
    <?php
    header('Content-Type: text/calendar');
    $ch = curl_init('https://mail.example.com/home/user%40example.com/Calendar');
    curl_setopt($ch, CURLOPT_USERPWD, 'user@example.com:your-password-goes-here');
    curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
    ?>
    
  4. This script will need to have your Zimbra password stored in plaintext in side of it. Consequently, it’s best to restrict read rights to the file. If the file was “/var/www/fetch-zimbra-calendar.php” then you’d want to run something like
    chown root:apache /var/www/fetch-zimbra-calendar.php && chmod 640 /var/www/fetch-zimbra-calendar.php
    
    • Note that if your username is your email address you must URL encode the “@” character to a “%40” as shown
  5. Validate that your dynamic webpage fetches your Zimbra iCal file by running it from the command line and ensuring you get back an iCal file.
    php /var/www/fetch-zimbra-calendar.php
    
  6. Come up with an obfuscated URL on your website. This URL will be what protects your calendar from being viewed by an attacker. This weak form of security is security through obscurity. (See [#Caveats] for more information on this). An example URL could be :
    https://www.example.com/ical/3NFN7zo/afbzaMPiU0sQoEoL/mJ3pZMP/De2r1hz/0Sg33qs/XyaWO/calendar.ics
    
  7. Create an alias in your webserver associating your obfuscated URL to your new dynamic web page. In an Apache httpd config this could look like :
    AliasMatch ^/ical/3NFN7zo/afbzaMPiU0sQoEoL/mJ3pZMP/De2r1hz/0Sg33qs/(.*)/calendar.ics /var/www/fetch-zimbra-calendar.php
    
    • This obfuscated URL should be protected just like your Zimbra password. One way to help protect it is to limit access to the AliasMatch line. This could be done by putting the AliasMatch line in it’s own file and using the apache include directive. If you puth the AliasMatch line in the file “/etc/httpd/conf.d/fetch-zimbra-calendar.include” you could then include it with a configuration line like
      Include /etc/httpd/conf.d/fetch-zimbra-calendar.include
      

      and protect the file by running

      chown root:root /etc/httpd/conf.d/fetch-zimbra-calendar.include && chmod 640 /etc/httpd/conf.d/fetch-zimbra-calendar.include
      
    • The reason to use AliasMatch instead of Alias is to enable easily working around potential caching on Google side while setting this up by changing the last directory in the url (e.g. from “XyaWO” to “1234”)
  8. Test your apache config and restart apache to load the new Alias
  9. Validate that the URL is working by browsing to the obfuscated URL in your web browser and confirm you’re served back an iCal file with your calendar items in it
  10. Go to Google calendar
  11. In the dropdown menu next to “Other Calendars” choose “Add by URL”
  12. Type in your obfuscated URL, making sure that if you have your email address in the URL that you URL encode the “@” sign to a “%40”

Caveats

This solution is as secure as is possible with the limitations of the Google calendar subscription system. You are vulnerable to having your entire Zimbra account compromised by an attacker if :

  • The attacker compromises your webserver as either the apache user or the root user and views the contents of your dynamic webpage which contains your plaintext Zimbra password
  • Due to a misconfiguration your webserver doesn’t interpret your dynamic webpage and instead serves the source code over the web

You are vulnerable to having your calendar viewed by an attacker if :

  • The attacker installs malware on your desktop and views your browser history or cache, finding the obfuscated URL
  • The attacker compromises your webserver and views your webserver logs which contain the obfuscated URL
  • You don’t use an SSL certificate on your webserver and serve your iCal file via HTTP and the attacker listens in on request from Google to your webserver allowing them to obtain the obfuscated URL
  • The attacker brute forces the obfuscated URL