====== Zimbra Collaboration Server OSE ======
See also **[[internet:mail:zimbra:zimbra|Zimbra Collaboration Server]]**
See also **[[internet:mail:zimbra:zimbra_zextras|Zimbra with Zextras Add-On]]**
See also **[[https://linuxhint.com/turn-off-snap-ubuntu|Remove Snap]]**
See also **[[internet:mail:zimbra:zimbra_ssl_letsencrypt|Using LetsEncrypt SSL Certificates with Zimbra]]**
See also **[[internet:mail:zimbra:zimbra_migrate|Zimbra Migration]]**
See also **[[http://www.sonoracomm.com/wiki/doku.php?do=search&id=zimbra|other Zimbra pages in this wiki]]**
**Howto**: https://community.zextras.com/zimbra-9-by-zextras-installation/
**Community**: https://community.zextras.com/tag/zimbra-ose/
**Downloads**: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository/
**Documentation**: https://docs.zextras.com/suite/html/index.html
===== Updating =====
**Update Zimbra 9 OSE**: https://community.zextras.com/how-we-solved-the-issue-of-updating-zimbra-9
**Disable the Zimbra APT repos** and install updates via the Zextras Zimbra 9 OSE Installer. Not all Zimbra patches are needed by Zimbra 9 OSE, so Zextras does not update the installer with every patch Zimbra puts out.
<code>
mv /etc/apt/sources.list.d/zimbra.list /etc/apt/sources.list.d/zimbra.list.disabled
</code>
Be wary of updates! **Take a snapshot** if you can before updating Zimbra.
After updating with the latest Zextras Zimbra 9 OSE installer, you will likely find some issues such as 'undefined' during login and missing tabs at the top of the ZWC page. See troubleshooting below.
===== Overview =====
Make sure these things are done before installing Zimbra:
- Install Ubuntu 20.04 Server
- 16GB RAM
- 50GB+ System Disk (/)
- 30GB Temp Disk (/tmp)
  - Can be omitted with a much larger System Disk
- 500GB Store Disk (/opt/zimbra/store)
  - Sized to your needs
- Update the OS and install some packages
- Configure **[[networking:linux:static_ip_addr|static public IP address]]**
- Configure hostname
- Configure ''/etc/hosts'' file
- Set timezone
- Disable ''systemd-resolved'' service
- Configure new ''/etc/resolv.conf''
- Remove snap
- Install hypervisor tools
- Update the system
- Reboot
===== Prerequisites =====
* The **hostname in DNS must resolve correctly**
* An **MX record** must be set correctly
* A **PTR (reverse lookup) record** must be set correctly
* **Mount swap space**
* **Mount the data disk** on ''/opt/zimbra/store''
* **Mount the backup disk/space** on ''/opt/zimbra/backup''
* **Disable ''selinux''** if you installed it
* **Disable any firewall** if you installed one
===== Server Preparation =====
Install the basic packages and set the hostname:
<code>
apt install openssh-server net-tools wget perl dnsutils
hostnamectl set-hostname
</code>
Edit ''/etc/hosts'' (''vim /etc/hosts''), commenting out the ''127.0.1.1'' line and mapping the server's IP address to its FQDN:
<code>
#127.0.1.1 shortname
nnn.nnn.nnn.nnn your.host.fqdn shortname
</code>
Set the timezone, then replace ''systemd-resolved'' with a static ''/etc/resolv.conf'':
<code>
timedatectl set-timezone America/Phoenix
systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
rm -rf /etc/resolv.conf
sed -i 's/#DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
cat << EOF > /etc/resolv.conf
domain yourdomain.tld
search yourdomain.tld
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF
</code>
Disable Ubuntu automatic updates, remove snap and ModemManager, and silence the Ubuntu ESM nag:
<code>
# Disable Ubuntu Auto Updates
sed -i 's/^APT::Periodic::Unatt.*/APT::Periodic::Unattended-Upgrade \"0\"\;/g' /etc/apt/apt.conf.d/20auto-upgrades
# Remove snap
snap list
snap remove snap-store lxd core18 core20
snap remove snapd
umount /snap/core/*
umount /var/snap
apt purge snapd
rm -rf ~/snap /snap /var/snap /var/lib/snapd
# Remove ModemManager
apt purge --auto-remove modemmanager
# Remove Ubuntu ESM nag
mkdir /etc/apt/apt.conf.d/off
mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/off
</code>
===== Install Zimbra 9 OSE =====
**Zextras OSE**: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository
**First Steps**: https://www.zextras.com/thankyou-zextras-build-zimbra/
**Requirements**: https://www.zimbra.com/documentation/
**Forums**: https://community.zextras.com
<code>
wget https://download.zextras.com/zcs-9.0.0_OSE_UBUNTU20_latest-zextras.tgz
tar -xzvf zcs-9.0*
cd zcs-9.0*
./install.sh
</code>
Press Enter to **select the defaults**, including the hostname as domain for all items, then **create the admin password**. You can **ignore the MX record error** until you actually want mail to flow properly.
{{ :internet:mail:zimbra:zimbra_9_install.png?direct&750 |Zimbra 9 OSE Install Script}}
===== Services =====
<code>
systemctl status zimbra.service
su - zimbra
zmcontrol status
zmcontrol stop
zmcontrol start
</code>
===== SSL Certificate =====
See also **[[internet:security:ssl_cert_letsencrypt_zimbra|Using LetsEncrypt SSL Certificates with Zimbra]]**
===== Zextras =====
See also **[[internet:mail:zimbra:zimbra_zextras|Zimbra with Zextras Add-On]]**
===== Outbound Virus Scanning =====
https://wiki.zimbra.com/wiki/New_Features_ZCS_8.5#Real_time_attachment_scanning_for_outgoing_mail_sent_via_the_web_client
Enable outbound virus scanning for a single server:
<code>
zmprov mcf zimbraAttachmentsScanURL clam://localhost:3310/
zmprov mcf zimbraAttachmentsScanEnabled TRUE
</code>
===== Firewall =====
See also **[[networking:firewall:csf|ConfigServer Security & Firewall (CSF)]]**
http://wiki.zimbra.com/wiki/Firewall_Configuration
http://wiki.zimbra.com/wiki/Ports
==== CSF ====
FIXME Incomplete and possibly inaccurate
Changes to ''/etc/csf/csf.conf'':
<code>
TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
TCP_OUT = "25,80,113,443"
UDP_IN = "123"
UDP_OUT = "113,123"
TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
TCP6_OUT = "25,80,113,443"
UDP6_IN = "123"
UDP6_OUT = "113,123"
USE_CONNTRACK = "1"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
SYNFLOOD = "1"
CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
CONNLIMIT_LOGGING = "1"
LF_NETBLOCK = "1"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_SELECT = "1"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_POP3D = "10"
LF_POP3D_PERM = "600"
LF_IMAPD = "10"
LF_IMAPD_PERM = "600"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
</code>
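Because the ''TCP_IN'' list above is flagged as possibly inaccurate, it helps to compare it with what the server actually listens on. The script below is an added example, not part of the original page or of CSF/Zimbra; the function names are illustrative and the ''ss'' output is constructed sample data.

```sh
#!/bin/sh
# Added example: compare the TCP_IN allow-list in csf.conf with real listeners.

# Ports from the TCP_IN line of a csf.conf file, one per line.
# Assumption: plain port numbers only (no 30000:35000 style ranges).
csf_tcp_in() {
  sed -n 's/^TCP_IN *= *"\([^"]*\)".*/\1/p' "$1" | tr ',' '\n' | sort -n -u
}

# Ports bound to a non-loopback address, read from saved `ss -Hltn` output.
listening_ports() {
  awk '{ port = $4; sub(/.*:/, "", port)
         host = $4; sub(/:[0-9]+$/, "", host)
         if (host !~ /^(127\.|\[::1\])/) print port }' "$1" | sort -n -u
}

# Print the entries of list $1 that are absent from list $2.
minus() {
  for p in $1; do
    case " $(echo $2) " in *" $p "*) ;; *) echo "$p" ;; esac
  done
}

# Allowed inbound but nothing listens there: candidates to drop from TCP_IN.
allowed_not_listening() { minus "$(csf_tcp_in "$1")" "$(listening_ports "$2")"; }
# Listening publicly but not in TCP_IN: CSF drops it, so confirm that is intended.
listening_not_allowed() { minus "$(listening_ports "$2")" "$(csf_tcp_in "$1")"; }

# Constructed sample input: TCP_IN as on this page, plus made-up `ss -Hltn` output.
demo=$(mktemp -d)
cat > "$demo/csf.conf" <<'EOF'
TCP_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
EOF
cat > "$demo/ss.txt" <<'EOF'
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*
LISTEN 0 100  0.0.0.0:25     0.0.0.0:*
LISTEN 0 511  0.0.0.0:443    0.0.0.0:*
LISTEN 0 100  0.0.0.0:465    0.0.0.0:*
LISTEN 0 100  0.0.0.0:587    0.0.0.0:*
LISTEN 0 511  0.0.0.0:993    0.0.0.0:*
LISTEN 0 50         *:7071         *:*
LISTEN 0 1024 0.0.0.0:11211  0.0.0.0:*
LISTEN 0 200  127.0.0.1:3310 0.0.0.0:*
LISTEN 0 128     [::]:22        [::]:*
EOF
echo "Allowed, no listener:   $(echo $(allowed_not_listening "$demo/csf.conf" "$demo/ss.txt"))"
echo "Listening, not allowed: $(echo $(listening_not_allowed "$demo/csf.conf" "$demo/ss.txt"))"
```

On a live server, pass ''/etc/csf/csf.conf'' and a file holding the output of ''ss -Hltn'' instead of the sample files.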
Add this to the end of ''/etc/csf/csf.pignore'':
<code>
vim /etc/csf/csf.pignore
cmd:/usr/bin/vmstat -n -S K 30
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server
pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*
pexe:/opt/zimbra/mariadb-.*/bin/mysqld
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/postfix-.*/libexec/qmgr
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/pickup
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx
</code>
----
FIXME Below this point is old info.
:!: **Don't change the SSH port** or do any significant tweaking or firewalling prior to installing Zimbra.
===== Installation =====
The built-in firewall is turned off **permanently** during installation. You **must** implement a firewall **after** installation of Zimbra.
Disable and stop some services:
<code>
systemctl stop postfix && systemctl disable postfix
systemctl stop httpd && systemctl disable httpd
systemctl stop firewalld && systemctl disable firewalld
yum erase httpd* -y
</code>
Disable selinux:
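<code>
# Change only the SELINUX= setting, not the comment lines in the file
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
setenforce 0
</code>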
Download and run the latest installer:
<code>
mv -f zcsinstall zcsinstall.old
mkdir zcsinstall && cd zcsinstall
wget https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
tar zxvf zcs-*.tgz
cd zcs-*
./install.sh
</code>
FIXME I don't think the 'platform override' switch is necessary for CentOS any longer:
<code>
./install.sh --platform-override
</code>
Near the end of the install you are asked if you want to change the domain name. You should read the message then answer 'Yes'. Change the domain name to just '**domain.tld**' instead of '**hostname.domain.tld**'.
:!: Add the ''zimbra'' user to the ''mysyslog'' group:
<code>
# -a appends; without it, -G would replace zimbra's existing supplementary groups
usermod -aG mysyslog zimbra
</code>
===== Install Patches =====
Download and install the latest patch (if one exists) (as root):
<code>
cd ~
rm -rf zcspatch.old && mv -f zcspatch zcspatch.old
mkdir zcspatch && cd zcspatch
wget https://files.zimbra.com/downloads/x.x.x_GA/zcs-patch-x.x.x_GA_xxxx.tgz
tar -xzvf zcs-patch-*
cd zcs-patch-*
./installPatch.sh
su - zimbra
zmcontrol restart
</code>
===== Force SSL (HTTPS) =====
See also **[[internet:mail:zimbra:zimbra_ssl#force_the_use_of_ssl|Zimbra SSL - Redirection and Certificates]]**
===== Troubleshooting =====
See also **[[internet:mail:zimbra:zimbra_troubleshoot|Zimbra Troubleshooting Tips]]**
Probably the easiest way to avoid installation problems is to not mess with the firewall or change the SSH port before getting Zimbra tested and working.
==== zmconfigd is not running ====
Comment out the IPv6 line:
<code>
vim /etc/hosts
#::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
</code>
Then:
<code>
systemctl start zimbra
</code>
==== Root Mail ====
:!: It didn't seem to matter what I did with ''/etc/aliases''.
http://wiki.zimbra.com/index.php?title=How_to_%22fix%22_system%27s_sendmail_to_use_that_of_zimbra
<code>
/usr/sbin/alternatives --install /usr/sbin/sendmail mta /opt/zimbra/postfix/sbin/sendmail 25 \
--slave /usr/bin/mailq mta-mailq /opt/zimbra/postfix/sbin/mailq \
--slave /usr/bin/newaliases mta-newaliases /opt/zimbra/postfix/sbin/newaliases \
--slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/postfix/man/man1/mailq.1 \
--slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/postfix/man/man1/newaliases.1 \
--slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/postfix/man/man1/sendmail.1 \
--slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/postfix/share/man/man5/aliases.5 \
--initscript zimbra
/usr/sbin/alternatives --config mta
</code>
If mail sent to ''root'' does not flow into the ''admin'' mailbox, check:
<code>
tail -30 /var/log/mail.log
</code>
You may see errors like:
<code>
Nov 5 10:06:29 zimbra postfix/smtp[7400]: BCAAD18289B: to=, relay=none, delay=0.06, delays=0.01/0.04/0/0, dsn=5.4.6, status=bounced (mail for hostname.yourdomain.com loops back to myself)
</code>
You can also test like this:
<code>
echo foo | /usr/sbin/sendmail -f root root && tail -f /var/log/mail.log
</code>
In our sample Zimbra installation, we only had one domain ''yourdomain.com'', but root's mail was aliased to "root@hostname.yourdomain.com". So we added an alias domain "hostname.yourdomain.com" and an additional mail alias to ''admin'' of "root@hostname.yourdomain.com".
<code>
su - zimbra
zmprov createAliasDomain hostname.yourdomain.com yourdomain.com
zmprov aaa admin@yourdomain.com root@hostname.yourdomain.com
</code>
==== Changed SSH Port ====
If you change the SSH port in ''/etc/ssh/sshd_config'', you need to adjust Zimbra:
<code>
zmprov ms hostname.yourdomain.com zimbraRemoteManagementPort 2222
cd /opt/zimbra/bin/
./zmsshkeygen
./zmupdateauthkeys
</code>
==== Server Status ====
Check ''/var/log/zimbra.log'' and ''/var/log/zimbra-stats.log'':
<code>
ll /var/log/zimbra*
</code>
Are they empty with the actual logged detail in dated files? It appears that the ''logrotate'' configuration is broken...
<code>
/usr/sbin/logrotate -d /etc/logrotate.conf
</code>
Run as root:
<code>
/opt/zimbra/libexec/zmsyslogsetup
</code>
==== Cron Job Errors ====
<code>
Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 371.
Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 374.
</code>
<code>
vim /usr/lib64/perl5/Sys/Syslog.pm
my $current_proto = 0;
</code>
==== Dev Mode ====
https://wiki.zimbra.com/wiki/Web_Client_URL_Tricks
You can append ''?dev=1'' to the ZWC URL (''&dev=1'' if the URL already has a query string):
<code>
https://zimbra.virtualarchitects.com/?dev=1
</code>
==== Undefined at Login ====
https://helpdesk.zextras.com/hc/en-us/requests/43047
<code>
vim /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties
# Add the following line
splashScreenSwitch = Switch to the Standard (HTML) version
</code>
:!: Clear your browser cache if necessary.
==== Drive and Team Tabs Missing ====
https://helpdesk.zextras.com/hc/en-us/requests/43045
As 'zimbra' user:
<code>
zxsuite core doDeployClientZimlet && \
zxsuite team doDeployTeamZimlet && \
zxsuite auth doDeployAuthZimlet && \
zxsuite drive doDeployDriveZimlet && \
zxsuite docs doDeployDocsZimlet
/opt/zimbra/bin/zmzimletctl listPriority
zmzimletctl setPriority com_zextras_zextras 0
zmzimletctl setPriority com_zextras_client 1
zmzimletctl setPriority com_zextras_team_classic 2
zmzimletctl setPriority com_zextras_drive 3
zmzimletctl setPriority com_zextras_docs 4
for cos in $(zmprov gac); do zmzimletctl acl com_zextras_zextras $cos grant; done
for cos in $(zmprov gac); do zmzimletctl acl com_zextras_client $cos grant; done
for cos in $(zmprov gac); do zmzimletctl acl com_zextras_team_classic $cos grant; done
for cos in $(zmprov gac); do zmzimletctl acl com_zextras_drive $cos grant; done
for cos in $(zmprov gac); do zmzimletctl acl com_zextras_docs $cos grant; done
zmprov fc zimlet && zmprov fc all
</code>
:!: Clear your browser cache if necessary.