====== Zimbra Collaboration Server OSE ======

See also **[[internet:mail:zimbra:zimbra|Zimbra Collaboration Server]]**

See also **[[internet:mail:zimbra:zimbra_zextras|Zimbra with Zextras Add-On]]**

See also **[[https://linuxhint.com/turn-off-snap-ubuntu|Remove Snap]]**

See also **[[internet:mail:zimbra:zimbra_ssl_letsencrypt|Using LetsEncrypt SSL Certificates with Zimbra]]**

See also **[[internet:mail:zimbra:zimbra_migrate|Zimbra Migration]]**

See also **[[http://www.sonoracomm.com/wiki/doku.php?do=search&id=zimbra|other Zimbra pages in this wiki]]**

**Howto**: https://community.zextras.com/zimbra-9-by-zextras-installation/

**Community**: https://community.zextras.com/tag/zimbra-ose/

**Downloads**: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository/

**Documentation**: https://docs.zextras.com/suite/html/index.html

===== Updating =====

**Update Zimbra 9 OSE**: https://community.zextras.com/how-we-solved-the-issue-of-updating-zimbra-9

**Disable the Zimbra APT repos** and install updates via the Zextras Zimbra 9 OSE Installer. Not all Zimbra patches are needed by Zimbra 9 OSE, so Zextras does not update the installer with every patch Zimbra puts out.

  mv /etc/apt/sources.list.d/zimbra.list /etc/apt/sources.list.d/zimbra.list.disabled

Be wary of updates! **Take a snapshot** if you can before updating Zimbra.

After updating with the latest Zextras Zimbra 9 OSE installer, you will likely find some issues such as 'undefined' during login and missing tabs at the top of the ZWC page. See troubleshooting below.

===== Overview =====

Make sure these things are done before installing Zimbra:

  - Install Ubuntu 20.04 Server
    - 16GB RAM
    - 50GB+ System Disk (/)
    - 30GB Temp Disk (/tmp) - Can be omitted with a much larger System Disk
    - 500GB Store Disk (/opt/zimbra/store) - Sized to your needs
  - Update the OS and install some packages
  - Configure **[[networking:linux:static_ip_addr|static public IP address]]**
  - Configure hostname
  - Configure ''/etc/hosts'' file
  - Set timezone
  - Disable ''systemd-resolved'' service
  - Configure new ''/etc/resolv.conf''
  - Remove snap
  - Install hypervisor tools
  - Update the system
  - Reboot

===== Prerequisites =====

  * The **hostname in DNS must resolve correctly**
  * An **MX record** must be set correctly
  * A **PTR (reverse lookup) record** must be set correctly
  * **Mount swap space**
  * **Mount the data disk** on ''/opt/zimbra/store''
  * **Mount the backup disk/space** on ''/opt/zimbra/backup''
  * **Disable ''selinux''** if you installed it
  * **Disable any firewall** if you installed one

===== Server Preparation =====

  apt install openssh-server net-tools wget perl dnsutils

  hostnamectl set-hostname

  vim /etc/hosts

  #127.0.1.1 shortname
  nnn.nnn.nnn.nnn your.host.fqdn shortname

  timedatectl set-timezone America/Phoenix

  systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
  rm -rf /etc/resolv.conf
  sed -i 's/#DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf

  cat << EOF > /etc/resolv.conf
  domain yourdomain.tld
  search yourdomain.tld
  nameserver 8.8.8.8
  nameserver 1.1.1.1
  EOF

  # Disable Ubuntu Auto Updates
  sed -i 's/^APT::Periodic::Unatt.*/APT::Periodic::Unattended-Upgrade \"0\"\;/g' /etc/apt/apt.conf.d/20auto-upgrades

  snap list
  snap remove snap-store lxd core18 core20
  snap remove snapd
  umount /snap/core/*
  umount /var/snap
  apt purge snapd
  rm -rf ~/snap /snap /var/snap /var/lib/snapd

  apt purge --auto-remove modemmanager

  # Remove Ubuntu ESM nag
  mkdir /etc/apt/apt.conf.d/off
  mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/off

===== Install Zimbra 9 OSE =====

**Zextras OSE**: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository

**First Steps**: https://www.zextras.com/thankyou-zextras-build-zimbra/

**Requirements**: https://www.zimbra.com/documentation/

**Forums**: https://community.zextras.com

  wget download.zextras.com/zcs-9.0.0_OSE_UBUNTU20_latest-zextras.tgz
  tar -xzvf zcs-9.0*
  cd zcs-9.0*
  ./install.sh

Hit to **select the defaults**, including the hostname as domain for all items, then **create the admin password**. You can **ignore the MX record error**, until you actually want mail to flow properly.

{{ :internet:mail:zimbra:zimbra_9_install.png?direct&750 |Zimbra 9 OSE Install Script}}

===== Services =====

  systemctl status zimbra.service

  su - zimbra
  zmcontrol status
  zmcontrol stop
  zmcontrol start

===== SSL Certificate =====

See also **[[internet:security:ssl_cert_letsencrypt_zimbra|Using LetsEncrypt SSL Certificates with Zimbra]]**

===== Zextras =====

See also **[[internet:mail:zimbra:zimbra_zextras|Zimbra with Zextras Add-On]]**

===== Outbound Virus Scanning =====

https://wiki.zimbra.com/wiki/New_Features_ZCS_8.5#Real_time_attachment_scanning_for_outgoing_mail_sent_via_the_web_client

Enable outbound virus scanning for a single server:

  zmprov mcf zimbraAttachmentsScanURL clam://localhost:3310/
  zmprov mcf zimbraAttachmentsScanEnabled TRUE

===== Firewall =====

See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**

http://wiki.zimbra.com/wiki/Firewall_Configuration

http://wiki.zimbra.com/wiki/Ports

==== CSF ====

FIXME Incomplete and possibly inaccurate

Changes to ''/etc/csf/csf.conf'':

  TESTING = "0"
  RESTRICT_SYSLOG = "3"
  TCP_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
  TCP_OUT = "25,80,113,443"
  UDP_IN = "123"
  UDP_OUT = "113,123"
  TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
  TCP6_OUT = "25,80,113,443"
  UDP6_IN = "123"
  UDP6_OUT = "113,123"
  USE_CONNTRACK = "1"
  SYSLOG_CHECK = "600"
  DENY_IP_LIMIT = "1000"
  DENY_TEMP_IP_LIMIT = "1000"
  SYNFLOOD = "1"
  CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
  PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
  CONNLIMIT_LOGGING = "1"
  LF_NETBLOCK = "1"
  SAFECHAINUPDATE = "1"
  DYNDNS = "600"
  LF_SELECT = "1"
  LF_SSHD_PERM = "600"
  LF_FTPD_PERM = "600"
  LF_SMTPAUTH = "10"
  LF_SMTPAUTH_PERM = "600"
  LF_POP3D = "10"
  LF_POP3D_PERM = "600"
  LF_IMAPD = "10"
  LF_IMAPD_PERM = "600"
  LF_HTACCESS_PERM = "600"
  LF_MODSEC_PERM = "600"
  LF_BIND = "100"
  LF_BIND_PERM = "600"
  LF_SUHOSIN = "5"
  LF_SUHOSIN_PERM = "600"
  LF_CXS = "1"
  LF_WEBMIN = "10"
  LF_WEBMIN_PERM = "600"
  LF_APACHE_404 = "100"
  LF_APACHE_403 = "100"
  LF_DISTATTACK = "1"
  LF_DISTFTP = "5"
  LF_DISTSMTP = "5"
  LT_POP3D = "65"
  LT_IMAPD = "100"
  LT_SKIPPERMBLOCK = "1"
  CT_LIMIT = "300"

Add this to the end of ''/etc/csf/csf.pignore'':

  vim /etc/csf/csf.pignore

  cmd:/usr/bin/vmstat -n -S K 30
  cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
  cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
  cmd:zmlogger: zmrrdfetch: server
  pcmd:/usr/bin/iostat -d -k.*
  pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
  pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
  pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
  pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
  pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
  pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
  pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
  pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
  pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
  pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
  pexe:/opt/zimbra/mariadb-.*/bin/mysqld
  pexe:/opt/zimbra/postfix-.*/libexec/smtpd
  pexe:/opt/zimbra/postfix-.*/libexec/proxymap
  pexe:/opt/zimbra/postfix-.*/libexec/qmgr
  pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
  pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
  pexe:/opt/zimbra/postfix-.*/libexec/pickup
  pexe:/opt/zimbra/postfix-.*/libexec/showq
  pexe:/opt/zimbra/unbound-.*/sbin/unbound
  pexe:/opt/zimbra/memcached-.*/bin/memcached
  pexe:/opt/zimbra/clamav-.*/sbin/clamd
  pexe:/opt/zimbra/openldap-.*/sbin/slapd
  pexe:/opt/zimbra/nginx-.*/sbin/nginx

----

----

FIXME Below this point is old info.

:!: **Don't change the SSH port** or do any significant tweaking or firewalling prior to installing Zimbra.

===== Installation =====

The built-in firewall is turned off **permanently** during installation. You **must** implement a firewall **after** installation of Zimbra.

Disable and stop some services:

  systemctl stop postfix && systemctl disable postfix
  systemctl stop httpd && systemctl disable httpd
  systemctl stop firewalld && systemctl disable firewalld
  yum erase httpd* -y

Disable selinux:

  sed -i 's/enforcing/disabled/g' /etc/selinux/config
  setenforce 0

Download and run the latest installer:

  mv -f zcsinstall zcsinstall.old
  mkdir zcsinstall && cd zcsinstall
  wget https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
  tar zxvf zcs-*.tgz
  cd zcs-*
  ./install.sh

FIXME I don't think the 'platform override' switch is necessary for CentOS any longer:

  ./install.sh --platform-override

Near the end of the install you are asked if you want to change the domain name. You should read the message then answer 'Yes'. Change the domain name to just '**domain.tld**' instead of '**hostname.domain.tld**'.

:!: Add the ''zimbra'' user to the ''mysyslog'' group:

  # -a appends the group; -G alone would replace the user's other supplementary groups
  usermod -aG mysyslog zimbra

===== Install Patches =====

Download and install the latest patch (if one exists) (as root):

  cd ~
  rm -rf zcspatch.old && mv -f zcspatch zcspatch.old
  mkdir zcspatch && cd zcspatch
  wget https://files.zimbra.com/downloads/x.x.x_GA/zcs-patch-x.x.x_GA_xxxx.tgz
  tar -xzvf zcs-patch-*
  cd zcs-patch-*
  ./installPatch.sh

  su - zimbra
  zmcontrol restart

===== Force SSL (HTTPS) =====

See also **[[internet:mail:zimbra:zimbra_ssl#force_the_use_of_ssl|Zimbra SSL - Redirection and Certificates]]**

===== Troubleshooting =====

See also **[[internet:mail:zimbra:zimbra_troubleshoot|Zimbra Troubleshooting Tips]]**

Probably the easiest way to avoid installation problems is to not mess with the firewall or change the SSH port before getting Zimbra tested and working.

==== zmconfigd is not running ====

Comment out the IPv6 line:

  vim /etc/hosts

  #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Then:

  systemctl start zimbra

==== Root Mail ====

:!: It didn't seem to matter what I did with ''/etc/aliases''.

http://wiki.zimbra.com/index.php?title=How_to_%22fix%22_system%27s_sendmail_to_use_that_of_zimbra

  /usr/sbin/alternatives --install /usr/sbin/sendmail mta /opt/zimbra/postfix/sbin/sendmail 25 \
    --slave /usr/bin/mailq mta-mailq /opt/zimbra/postfix/sbin/mailq \
    --slave /usr/bin/newaliases mta-newaliases /opt/zimbra/postfix/sbin/newaliases \
    --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/postfix/man/man1/mailq.1 \
    --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/postfix/man/man1/newaliases.1 \
    --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/postfix/man/man1/sendmail.1 \
    --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/postfix/share/man/man5/aliases.5 \
    --initscript zimbra

  /usr/sbin/alternatives --config mta

If mail sent to ''root'' does not flow into the ''admin'' mailbox, check:

  tail -30 /var/log/mail.log

You may see errors like:

  Nov 5 10:06:29 zimbra postfix/smtp[7400]: BCAAD18289B: to=, relay=none, delay=0.06, delays=0.01/0.04/0/0, dsn=5.4.6, status=bounced (mail for hostname.yourdomain.com loops back to myself)

You can also test like this:

  echo foo | /usr/sbin/sendmail -f root root && tail -f /var/log/mail.log

In our sample Zimbra installation, we only had one domain ''yourdomain.com'', but root's mail was aliased to "root@hostname.yourdomain.com". So we added an alias domain "hostname.yourdomain.com" and an additional mail alias to ''admin'' of "root@hostname.yourdomain.com".

  su - zimbra
  zmprov createAliasDomain hostname.yourdomain.com yourdomain.com
  zmprov aaa admin@yourdomain.com root@hostname.yourdomain.com

==== Changed SSH Port ====

If you change the SSH port in ''/etc/ssh/sshd_config'', you need to adjust Zimbra:

  zmprov ms hostname.yourdomain.com zimbraRemoteManagementPort 2222
  cd /opt/zimbra/bin/
  ./zmsshkeygen
  ./zmupdateauthkeys

==== Server Status ====

Check ''/var/log/zimbra.log'' and ''/var/log/zimbra-stats.log'':

  ll /var/log/zimbra*

Are they empty with the actual logged detail in dated files? It appears that the ''logrotate'' configuration is broken...

  /usr/sbin/logrotate -d /etc/logrotate.conf

Run as root:

  /opt/zimbra/libexec/zmsyslogsetup

==== Cron Job Errors ====

  Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 371.
  Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 374.

  vim /usr/lib64/perl5/Sys/Syslog.pm

  my $current_proto = 0;

==== Dev Mode ====

https://wiki.zimbra.com/wiki/Web_Client_URL_Tricks

You can append ''&dev=1'' to the ZWC URL:

  https://zimbra.virtualarchitects.com/?dev=1

==== Undefined at Login ====

https://helpdesk.zextras.com/hc/en-us/requests/43047

  vim /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties

  # Add the following line
  splashScreenSwitch = Switch to the Standard (HTML) version

:!: Clear your browser cache if necessary.

==== Drive and Team Tabs Missing ====

https://helpdesk.zextras.com/hc/en-us/requests/43045

As 'zimbra' user:

  zxsuite core doDeployClientZimlet && \
  zxsuite team doDeployTeamZimlet && \
  zxsuite auth doDeployAuthZimlet && \
  zxsuite drive doDeployDriveZimlet && \
  zxsuite docs doDeployDocsZimlet

  /opt/zimbra/bin/zmzimletctl listPriority

  zmzimletctl setPriority com_zextras_zextras 0
  zmzimletctl setPriority com_zextras_client 1
  zmzimletctl setPriority com_zextras_team_classic 2
  zmzimletctl setPriority com_zextras_drive 3
  zmzimletctl setPriority com_zextras_docs 4

  for cos in `zmprov gac`;do zmzimletctl acl com_zextras_zextras $cos grant; done
  for cos in `zmprov gac`;do zmzimletctl acl com_zextras_client $cos grant; done
  for cos in `zmprov gac`;do zmzimletctl acl com_zextras_team_classic $cos grant; done
  for cos in `zmprov gac`;do zmzimletctl acl com_zextras_drive $cos grant; done
  for cos in `zmprov gac`;do zmzimletctl acl com_zextras_docs $cos grant; done

  zmprov fc zimlet && zmprov fc all

:!: Clear your browser cache if necessary.
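
For the CSF section above, an added example that is not part of the original page and not part of CSF: a small shell lint that reads a csf.conf-style file and reports when testing mode is still on, when ''TCP_IN'' and ''TCP6_IN'' have drifted apart, or when a ''CONNLIMIT'' or ''PORTFLOOD'' rule names a port that ''TCP_IN'' does not open. The function names and the sample file are made up for illustration, and it assumes plain comma-separated port lists (no ranges), as in the settings listed on this page.

```shell
#!/bin/sh
# Added example: consistency lint for a csf.conf-style file (names are illustrative).

# Print the value of KEY ($2) from a 'KEY = "value"' line in file $1.
csf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\".*/\1/p" "$1" | tail -n 1
}

# Print the port (first ';' field) of each comma-separated rule, one per line.
rule_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | cut -d';' -f1 | sed '/^$/d'
}

# Print one finding per line; print nothing when the file is consistent.
csf_lint() {
    conf=$1
    tcp_in=$(csf_get "$conf" TCP_IN)
    [ "$(csf_get "$conf" TESTING)" = "0" ] ||
        echo "TESTING is not 0: csf is still in testing mode"
    [ "$tcp_in" = "$(csf_get "$conf" TCP6_IN)" ] ||
        echo "TCP_IN and TCP6_IN differ: IPv4 and IPv6 expose different ports"
    for key in CONNLIMIT PORTFLOOD; do
        for port in $(rule_ports "$(csf_get "$conf" "$key")"); do
            case ",$tcp_in," in
                *",$port,"*) ;;
                *) echo "$key names port $port, which TCP_IN does not open" ;;
            esac
        done
    done
}

# Constructed sample, not the page's file: testing mode left on, 7071 absent
# from TCP6_IN, and a CONNLIMIT rule for a port that is not open.
sample_conf() {
    cat <<'EOF'
TESTING = "1"
TCP_IN = "22,25,80,443,7071"
TCP6_IN = "22,25,80,443"
CONNLIMIT = "80;30,443;30,8443;5"
PORTFLOOD = "80;tcp;20;5,443;tcp;20;5"
EOF
}

# Lint the file named in $1, or the constructed sample when run without one.
if [ -n "${1:-}" ]; then
    csf_lint "$1"
else
    demo=$(mktemp) && sample_conf > "$demo" && csf_lint "$demo"
    rm -f "$demo"
fi
```

Run it as root with ''/etc/csf/csf.conf'' as the argument after editing the file and before restarting CSF; no output means the three checks passed.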