Created Saturday 05 September 2020
Zimbra 8.7+
Preparation
# apt update
# apt full-upgrade
Make certain that the MX and the corresponding A record point to the new Zimbra server.
# dig mx <mail domain name> (e.g. domain.com)
# dig a <mail server service name> (e.g. mail.domain.com) -> Does not need to be the same as the host name.
Disable ufw:
# ufw disable
Zimbra installation
Download Zimbra package:
# wget <URL to zimbra package> (Zimbra Download page)
Save package needed for backup restore.
# tar xzvf /root/<zimbra package>
# cd <zcs dir.>
# ./install.sh
Enter Y for the ldap, logger, mta, dns-cache, snmp, store, apache, spell, memcached and proxy (not necessary) packages.
MY NOTE: Do not install dns-cache if systemd-resolved is installed.
Change domain name? [Yes] yes (Note: This changes the mail domain NOT the FQDN of the server)
Create domain: <mail domain name> (e.g. domain.com)
Main menu
4
Type password <Enter>
r
<Enter>
[/opt/zimbra/config.7101] <Enter>
y
Optional YES to notify Zimbra about the installation
Press return to exit.
As zimbra: zmcontrol status
-> All services should run
Connect to Zimbra webmail: https://<IP address> or https://<mail host name>
Connect to Zimbra management: https://<IP address>:7071/ or https://<mail host name>:7071/
Configure firewall
# nano /etc/ufw/applications.d/zimbra
[Zimbra]
title=Zimbra Collaboration Server
description=Open source server for email, contacts, calendar, and more.
ports=25,636,443,465,587,993,7071/tcp|514/udp
# ufw allow zimbra
OPTIONALLY: Workaround - DNS resolution problem
Variant 1
If ping <some DNS name> fails with "Temporary failure in name resolution", execute the following:
Remove systemd-resolved IP:
zimbra$ zmprov ms `zmhostname` -zimbraDNSMasterIP 127.0.0.53
Add my DNS server:
zimbra$ zmprov ms `zmhostname` +zimbraDNSMasterIP <DNS server 1>
zimbra$ zmprov ms `zmhostname` +zimbraDNSMasterIP <DNS server 2>
Check result:
zimbra$ zmprov getServer `zmhostname` | grep DNSMasterIP
Restart unbound/zimbra dns cache (OPTIONAL):
zimbra$ zmdnscachectl reload
Variant 2
Uninstall Zimbra DNS-Cache.
Configure mail domains
Connect to Zimbra mgmt.
Create local domain
This is to make certain that it is still possible to log in when a Virtual Host is set for one domain or AD authentication makes trouble.
Go to Configure - Domains
Click @New and enter the following in the wizard:
General information:
Add a root alias to the default admin account. -> Enables forwarding of local mail sent to root; a .forward file has no effect.
Configure <host name FQDN> domain
Go to Configure - Domains
Double click and enter the following in the wizard:
General information:
Inbound SMTP host name: <mail domain name>
OPTIONALLY Active Directory authentication
Select domain and choose Configure Authentication from the property menu. Enter the following in the wizard:
Authentication Mode:
AD Server: <AD Server>, <port>, Disable Use SSL
Bind DN: <Bind DN>
OPTIONALLY Configure mail relay
This is necessary if you use dynamic DNS. With a changing IP address, anti-spam systems could put your server on a blacklist.
Set Relay MTA for external delivery for all MTAs:
zimbra$ zmprov mcf zimbraMtaRelayHost <MTA external 1>:<MTA external 1 port>
To check a setting, use getConfig (short form gcf) without a value, e.g.:
zimbra$ zmprov gcf zimbraMtaRelayHost
Disable MTA DNS lookup for all MTAs:
zimbra$ zmprov mcf zimbraMtaSmtpDnsSupportLevel disabled
Set server name, user name and password
zimbra$ echo <MTA external 1> <relay user name>:<relay password> > /opt/zimbra/conf/relay_password
Create a postfix lookup table:
zimbra$ postmap /opt/zimbra/conf/relay_password
To test that the lookup table is correct, the following should return username:password:
zimbra$ postmap -q <MTA external 1> /opt/zimbra/conf/relay_password
Configure postfix to use the new password map:
zimbra$ zmprov mcf zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
Configure postfix to use SASL authentication:
zimbra$ zmprov mcf zimbraMtaSmtpSaslAuthEnable yes
Configure postfix to use the outgoing servername rather than the canonical server name:
zimbra$ zmprov mcf zimbraMtaSmtpCnameOverridesServername no
Enable TLS:
zimbra$ zmprov mcf zimbraMtaSmtpTlsSecurityLevel may
Enable plain text password:
zimbra$ zmprov mcf zimbraMtaSmtpSaslSecurityOptions noanonymous
-> Postfix reloads its configuration within 2 min (Zimbra >8.5); otherwise:
zimbra$ postfix reload
Set only for MTA of one server
Replace mcf/gcf with ms `zmhostname`/gs `zmhostname` or ms <host name FQDN>/gs <host name FQDN>.
E.g.
zimbra$ zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com
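Added check for the relay configuration above (example code, not part of the original notes or of Zimbra): it validates the relay_password map before postmap is run. It assumes the file layout from these notes, one "<relay host> <user>:<password>" per line, and takes as second argument the value set with zmprov mcf zimbraMtaRelayHost (host or host:port), e.g. relay_map_check /opt/zimbra/conf/relay_password mailrelay.example.com:587.

```shell
#!/bin/sh
# Added example (not part of the original notes): sanity-check the relay
# credential map before running postmap on it. Assumes the file layout used
# above, one "<relay host> <user>:<password>" per line, and that $2 is the
# value set with zmprov mcf zimbraMtaRelayHost (host or host:port).
relay_map_check() {
    f="$1"
    want=$(printf '%s\n' "$2" | sed 's/:[0-9]*$//')   # relay host without port
    [ -f "$f" ] || { echo "missing $f"; return 1; }
    # the map holds a clear-text password: only its owner (zimbra) may read it
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$f is group/other accessible (bits $bits): chmod 600 $f"; return 1; }
    found=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        host=${line%% *}
        cred=${line#* }
        # postmap needs exactly "host user:password"; a missing colon or an
        # extra space leaves postfix without usable SASL credentials
        case "$cred" in *:*) ;; *) echo "line $n: expected '<host> <user>:<password>'"; return 1 ;; esac
        case "$cred" in *' '*) echo "line $n: credential must not contain spaces"; return 1 ;; esac
        [ "$host" = "$want" ] && found=1
    done < "$f"
    [ "$found" = 1 ] || { echo "no entry for relay host $want: postmap -q $want would return nothing"; return 1; }
    echo "$f: ok, entry for $want present"
}
```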
Security
DKIM
zimbra$ /opt/zimbra/libexec/zmdkimkeyutil -a -d <mail domain name> [-s <DKIM selector>]
-> If you do not specify a selector, Zimbra creates one in the form of a UUID.
Create DNS TXT record in internal and/or external DNS.
e.g. <DKIM selector>._domainkey TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA....wIDAQAB
Reload DNS. Verify DNS record:
zimbra$ dig -t txt <SELECTOR>._domainkey.<DOMAIN> <NAMESERVER>
-> Windows Server DNS: See this article if the whole key is not shown.
Verify that public key matches private key:
zimbra$ /opt/zimbra/opendkim/sbin/opendkim-testkey -d <mail domain name> -s <DKIM selector> -x /opt/zimbra/conf/opendkim.conf
Validate DKIM in sent mails with an online validator.
Output Zimbra DKIM settings:
zimbra$ /opt/zimbra/libexec/zmdkimkeyutil -q -d <mail domain name>
DMARC
Create a report mailbox <DMARC email address>.
Create DNS TXT entry in internal and external DNS.
_dmarc TXT v=DMARC1\; p=none\; rua=mailto:<DMARC email address>
e.g. _dmarc TXT v=DMARC1\; p=none\; rua=mailto:dmarc@example.com
Verify the result with an online service.
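Added check for the DKIM and DMARC records from the two sections above (example code, not part of the original notes or of Zimbra): it takes a TXT answer line as dig prints it, joins the quoted chunks that a long DKIM key is split into (the "whole key is not shown" problem), and validates the tags. The record contents used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the original notes): validate the DKIM and
# DMARC TXT records from the sections above as dig prints them.
# Long DKIM keys come back as several quoted strings; they must be joined
# before the key can be checked (the "whole key is not shown" problem).

# Join the quoted strings of one dig TXT answer line into a single value.
# A bare "tag=value; ..." string (no quotes) is passed through unchanged.
txt_join() {
    case "$1" in
        *\"*) printf '%s\n' "$1" | sed -e 's/^[^"]*//' -e 's/" *"//g' -e 's/^"//' -e 's/"[^"]*$//' ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Print the value of tag $2 from a "tag=value; tag=value" record $1 (zone-file "\;" accepted).
txt_tag() {
    printf '%s\n' "$1" | sed 's/\\;/;/g' | tr ';' '\n' | sed -n "s/^ *$2=//p" | tr -d ' '
}

# DKIM: v=DKIM1, optional k=rsa, and a p= that is complete base64.
dkim_check() {
    rec=$(txt_join "$1")
    [ "$(txt_tag "$rec" v)" = "DKIM1" ] || { echo "missing or wrong v= tag"; return 1; }
    k=$(txt_tag "$rec" k)
    [ -z "$k" ] || [ "$k" = "rsa" ] || { echo "unexpected k=$k"; return 1; }
    p=$(txt_tag "$rec" p)
    [ -n "$p" ] || { echo "empty p= (key revoked or record cut off)"; return 1; }
    printf '%s' "$p" | base64 -d >/dev/null 2>&1 || { echo "p= is not valid base64 (record cut off?)"; return 1; }
    echo "DKIM ok: k=${k:-rsa}, ${#p} base64 chars of public key"
}

# DMARC: v=DMARC1, a known p= policy and an rua= address so reports arrive.
dmarc_check() {
    rec=$(txt_join "$1")
    [ "$(txt_tag "$rec" v)" = "DMARC1" ] || { echo "missing or wrong v= tag"; return 1; }
    p=$(txt_tag "$rec" p)
    case "$p" in none|quarantine|reject) ;; *) echo "invalid p=$p"; return 1 ;; esac
    rua=$(txt_tag "$rec" rua)
    case "$rua" in mailto:*@*) ;; *) echo "rua= missing: no aggregate reports will arrive"; return 1 ;; esac
    if [ "$p" = none ]; then
        echo "note: p=none only monitors; tighten to quarantine/reject once reports are clean"
    fi
    echo "DMARC ok: p=$p rua=$rua"
}
```

Feed it the answer line of dig -t txt <SELECTOR>._domainkey.<DOMAIN> (or of _dmarc.<DOMAIN>); a key that fails the base64 check is usually one that the DNS server cut at 255 characters.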
Commercial certificate via LE (Let's Encrypt)
Acme configuration
Follow these steps to configure acme.sh to install the certificate (the acme.sh deploy module script does not copy the key file):
Install the acme.sh client.
Prepare acme.sh installation for use with zimbra user:
Add the zimbra user to the acme.sh group (/etc/group):
acme.sh:x:1001:zimbra
Set letsencrypt CA and ISRG Root X1 as CA chain via acme.sh user:
$ acme.sh --set-default-ca --server letsencrypt
$ acme.sh --set-default-chain --preferred-chain ISRG --server letsencrypt
Create the deploy hook script zimbra.sh in /opt/acme.sh/deploy (acme.sh loads a hook given as --deploy-hook <name> from <home>/deploy/<name>.sh):
#!/bin/bash
# Zimbra assumptions:
# 1) acme.sh is installed as the zimbra user
# 2) see: https://wiki.zimbra.com/wiki/index.php?curid=2441
######## Public functions #####################
# arguments: domain keyfile certfile cafile fullchain
zimbra_deploy() {
    _cdomain="$1"
    _ckey="$2"
    _ccert="$3"
    _cca="$4"
    _cfullchain="$5"
    _debug _cdomain "$_cdomain"
    _debug _ckey "$_ckey"
    _debug _ccert "$_ccert"
    _debug _cca "$_cca"
    _debug _cfullchain "$_cfullchain"
    # Zimbra's Java keystore still needs ISRG Root X1 to verify the chain on some versions
    _isrgrootx1="$(dirname "$_cca")/ISRG_Root_X1.cer"
    _debug _isrgrootx1 "$_isrgrootx1"
    # fetch the root certificate if we do not have it yet
    if [ ! -f "$_isrgrootx1" ]; then
        _debug No "$_isrgrootx1"
        wget -q "https://letsencrypt.org/certs/isrgrootx1.pem.txt" -O "$_isrgrootx1" || return 1
    fi
    # build the chain: intermediate followed by ISRG Root X1
    _chained="$(dirname "$_cca")/${_cdomain}.chained.cer"
    cat "$_cca" "$_isrgrootx1" > "$_chained"
    _debug "Zimbra certificates verification starting."
    /opt/zimbra/bin/zmcertmgr verifycrt comm "$_ckey" "$_ccert" "$_chained" || return 1
    _debug "Zimbra certificates verification done."
    # if it verifies we can deploy it; zmcertmgr deploycrt comm reads the private key
    # from this fixed path, which the original hook (see note above) never filled in
    cp "$_ckey" /opt/zimbra/ssl/zimbra/commercial/commercial.key || return 1
    _debug "Zimbra certificates installation starting."
    /opt/zimbra/bin/zmcertmgr deploycrt comm "$_ccert" "$_chained" || return 1
    _debug "EUREKA. Zimbra certificates installation done."
    return 0
}
Change to the zimbra user: # su - zimbra
Deploy and save config:
zimbra$ /opt/acme.sh/acme.sh --home /opt/acme.sh --deploy -d mail.graemi.ch --deploy-hook zimbra [--debug 2]
Create crontab for certificate renewal:
zimbra$ crontab -e
Put the following after # ZIMBRAEND in the crontab:
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
0 0 * * * "/opt/acme.sh"/acme.sh --cron --home "/opt/acme.sh" --config-home "/etc/acme.sh" --force-color > /dev/null
Zimbra configuration
Change the LDAP access to SSL:
zimbra$ zmlocalconfig -e ldap_master_url=ldaps://<host name FQDN>:636
zimbra$ zmlocalconfig -e ldap_url=ldaps://<host name FQDN>:636
zimbra$ zmlocalconfig -e ldap_starttls_supported=0
zimbra$ zmlocalconfig -e ldap_port=636
zimbra$ zmcontrol restart
Global configuration
Connect to Zimbra mgmt.
Browse to Configure - Global Settings - ...
Things not mentioned here are not changed.
Class of Service
...
Servers
Double-click the server.
General information
Description: <Server description>
LMTP advertised: <mail server service name>
Global Settings
MTA
- Check after relay configuration @todo
OPTIONALLY
Maximum message size: <message size>
Hostname in greeting: enabled
Sender's domain: enabled
POP3
Enable POP3 service: disabled
Advanced
Company identifier in public share prompts: <company name>
Proxy
Enable web proxy: disabled
Additional configuration
Disable HTTP for web client
zimbra$ zmtlsctl HTTPS
zimbra$ zmmailboxdctl stop
When mailboxd is stopped, type:
zimbra$ zmmailboxdctl start
Change SMTP banner
Check banner:
zimbra$ zmprov gcf zimbraMtaSmtpdBanner
Default (8.8.15): "$myhostname ESMTP $mail_name"
Change banner:
zimbra$ zmprov mcf zimbraMtaSmtpdBanner "<External mail server FQDN> ESMTP"
Accounts
Admin
OPTIONALLY
Forward all mail to a user account without keeping a local copy, using a specific mail address so it can be filtered there.
Custom
Add additional administrative accounts.
Add user accounts.
Misc
Exclude squashfs snap mounts
See here solution 2.
Backup
Zimbra local - Scripts
Create directory hierarchy as root:
<backup root>
/Weekly
/tmp
Install the following:
# apt install dar
# apt install sharutils
# apt install bsd-mailx
Optional:
# apt install cifs-utils
or run the backup script with the install option:
# zmbak.sh --INSTALL
Add the following to crontab:
# crontab -e
# Create a FULL Zimbra backup every Monday at 01:00
0 1 * * 1 /bin/bash /root/scripts/zmbak.sh -f > /var/log/zim_backup.log 2>&1
# Create a DIFFERENTIAL Zimbra backup every Tuesday to Sunday at 01:00
0 1 * * 2-7 /bin/bash /root/scripts/zmbak.sh -d > /var/log/zim_backup.log 2>&1
UrBackup - Zimbra
See here.