Zimbra Collaboration Server OSE

Updating

Update Zimbra 9 OSE: https://community.zextras.com/how-we-solved-the-issue-of-updating-zimbra-9

Disable the Zimbra APT repos and install updates via the Zextras Zimbra 9 OSE Installer. Not all Zimbra patches are needed by Zimbra 9 OSE, so Zextras does not update the installer with every patch Zimbra puts out.

mv /etc/apt/sources.list.d/zimbra.list /etc/apt/sources.list.d/zimbra.list.disabled

Be wary of updates! Take a snapshot if you can before updating Zimbra.

After updating with the latest Zextras Zimbra 9 OSE installer, you will likely find some issues such as 'undefined' during login and missing tabs at the top of the ZWC page. See troubleshooting below.

Overview

Make sure these things are done before installing Zimbra:

  1. Install Ubuntu 20.04 Server
    1. 16GB RAM
    2. 50GB+ System Disk (/)
    3. 30GB Temp Disk (/tmp)
      1. Can be omitted with a much larger System Disk
    4. 500GB Store Disk (/opt/zimbra/store)
      1. Sized to your needs
  2. Update the OS and install some packages
  3. Configure hostname
  4. Configure /etc/hosts file
  5. Set timezone
  6. Disable systemd-resolved service
  7. Configure new /etc/resolv.conf
  8. Remove snap
  9. Install hypervisor tools
  10. Update the system
  11. Reboot

Prerequisites

  • The hostname in DNS must resolve correctly
  • An MX record must be set correctly
  • A PTR (reverse lookup) record must be set correctly
  • Mount swap space
  • Mount the data disk on /opt/zimbra/store
  • Mount the backup disk/space on /opt/zimbra/backup
  • Disable selinux if you installed it
  • Disable any firewall if you installed one
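
The three DNS prerequisites above can be checked in one pass before running the installer. This is an added example, not part of the original page: it uses dig (from the dnsutils package installed under Server Preparation), and the function names, the DIG override and the canned demo_dig answers are assumptions of the example.

```shell
# Added example: DNS preflight for a mail host (A, MX, PTR).
# DIG is the resolver command; override it to test without network access.
DIG=${DIG:-dig}

# Constructed stand-in for dig with canned answers (documentation names and
# addresses, not real hosts). Select it with DIG=demo_dig.
demo_dig() {
    case "$2 $3" in
        "A mail.example.test")  echo "192.0.2.10" ;;
        "MX example.test")      echo "10 mail.example.test." ;;
        "-x 192.0.2.10")        echo "mail.example.test." ;;
        "-x 192.0.2.99")        echo "other.example.test." ;;
    esac
}

# Lowercase and strip the trailing dot dig prints on FQDNs.
_norm() { tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# check_mail_dns FQDN MAIL_DOMAIN IP
# Prints one line per record; exit status is the number of failed checks.
check_mail_dns() {
    local fqdn="$1" domain="$2" ip="$3" fails=0
    # A: the FQDN must resolve to the server's routable address.
    if "$DIG" +short A "$fqdn" | grep -qxF "$ip"; then
        echo "OK   A   $fqdn -> $ip"
    else
        echo "FAIL A   $fqdn does not resolve to $ip"; fails=$((fails + 1))
    fi
    # MX: dig prints "<priority> <target>."; compare the target only.
    if "$DIG" +short MX "$domain" | awk '{print $2}' | _norm | grep -qxF "$fqdn"; then
        echo "OK   MX  $domain -> $fqdn"
    else
        echo "FAIL MX  $domain has no MX pointing at $fqdn"; fails=$((fails + 1))
    fi
    # PTR: the reverse lookup must return the same FQDN.
    if "$DIG" +short -x "$ip" | _norm | grep -qxF "$fqdn"; then
        echo "OK   PTR $ip -> $fqdn"
    else
        echo "FAIL PTR $ip does not map back to $fqdn"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Real use:  check_mail_dns "$(hostname -f)" yourdomain.tld nnn.nnn.nnn.nnn
```

A PTR that does not map back to the server's FQDN is the failure most likely to show up later as rejected outbound mail, so it is worth fixing before mail flow is enabled.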

Server Preparation

apt install openssh-server net-tools wget perl dnsutils
hostnamectl set-hostname <your.host.fqdn>

vim /etc/hosts

#127.0.1.1 shortname
nnn.nnn.nnn.nnn your.host.fqdn shortname

timedatectl set-timezone America/Phoenix

systemctl disable systemd-resolved.service && systemctl stop systemd-resolved.service
rm -rf /etc/resolv.conf
sed -i 's/#DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf

cat << EOF > /etc/resolv.conf
domain yourdomain.tld
search yourdomain.tld
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF

# Disable Ubuntu Auto Updates
sed -i 's/^APT::Periodic::Unatt.*/APT::Periodic::Unattended-Upgrade "0";/' /etc/apt/apt.conf.d/20auto-upgrades

snap list
snap remove snap-store lxd core18 core20
snap remove snapd
umount /snap/core/*
umount /var/snap
apt purge snapd
rm -rf ~/snap /snap /var/snap /var/lib/snapd

apt purge --auto-remove modemmanager

# Remove Ubuntu ESM nag
mkdir /etc/apt/apt.conf.d/off
mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/off

Install Zimbra 9 OSE

Zextras OSE: https://www.zextras.com/zextras-build-based-on-zimbra-official-repository

First Steps: https://www.zextras.com/thankyou-zextras-build-zimbra/

Requirements: https://www.zimbra.com/documentation/

Forums: https://community.zextras.com

wget download.zextras.com/zcs-9.0.0_OSE_UBUNTU20_latest-zextras.tgz
tar -xzvf zcs-9.0*
cd zcs-9.0*
./install.sh

Hit <enter> to select the defaults, including the hostname as domain for all items, then create the admin password. You can ignore the MX record error until you actually want mail to flow properly.

Zimbra 9 OSE Install Script

Services

systemctl status zimbra.service
su - zimbra
zmcontrol status
zmcontrol stop
zmcontrol start

SSL Certificate

Zextras

Outbound Virus Scanning

https://wiki.zimbra.com/wiki/New_Features_ZCS_8.5#Real_time_attachment_scanning_for_outgoing_mail_sent_via_the_web_client

Enable outbound virus scanning for a single server:

zmprov mcf zimbraAttachmentsScanURL clam://localhost:3310/
zmprov mcf zimbraAttachmentsScanEnabled TRUE

Firewall

CSF

FIXME Incomplete and possibly inaccurate

Changes to /etc/csf/csf.conf:

TESTING = "0"
RESTRICT_SYSLOG = "3"
TCP_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
TCP_OUT = "25,80,113,443"
UDP_IN = "123"
UDP_OUT = "113,123"
TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
TCP6_OUT = "25,80,113,443"
UDP6_IN = "123"
UDP6_OUT = "113,123"
USE_CONNTRACK = "1"
SYSLOG_CHECK = "600"
DENY_IP_LIMIT = "1000"
DENY_TEMP_IP_LIMIT = "1000"
SYNFLOOD = "1"
CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
CONNLIMIT_LOGGING = "1"
LF_NETBLOCK = "1"
SAFECHAINUPDATE = "1"
DYNDNS = "600"
LF_SELECT = "1"
LF_SSHD_PERM = "600"
LF_FTPD_PERM = "600"
LF_SMTPAUTH = "10"
LF_SMTPAUTH_PERM = "600"
LF_POP3D = "10"
LF_POP3D_PERM = "600"
LF_IMAPD = "10"
LF_IMAPD_PERM = "600"
LF_HTACCESS_PERM = "600"
LF_MODSEC_PERM = "600"
LF_BIND = "100"
LF_BIND_PERM = "600"
LF_SUHOSIN = "5"
LF_SUHOSIN_PERM = "600"
LF_CXS = "1"
LF_WEBMIN = "10"
LF_WEBMIN_PERM = "600"
LF_APACHE_404 = "100"
LF_APACHE_403 = "100"
LF_DISTATTACK = "1"
LF_DISTFTP = "5"
LF_DISTSMTP = "5"
LT_POP3D = "65"
LT_IMAPD = "100"
LT_SKIPPERMBLOCK = "1"
CT_LIMIT = "300"
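
With the values above, TCP_IN opens 22, 25, 2222 and 7071 (the Zimbra admin console), but CONNLIMIT and PORTFLOOD only name the web, POP3, IMAP and submission ports. The following added example, which is not part of the original page, lists the inbound ports that have no rate limit so you can decide whether to throttle them or restrict them by source address; the function names and the sample excerpt are assumptions of the example.

```shell
# Added example: list inbound TCP ports in csf.conf that have neither a
# CONNLIMIT nor a PORTFLOOD entry. Port ranges ("30000:35000") are skipped.

# Constructed excerpt using the TCP_IN/CONNLIMIT/PORTFLOOD values from this page.
sample_csf_conf() {
    cat <<'EOF'
TESTING = "0"
TCP_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
TCP6_IN = "22,25,80,110,143,443,465,587,993,995,2222,7071"
CONNLIMIT = "80;30,110;5,143;5,443;30,465;5,587;5,993;5,995;5"
PORTFLOOD = "80;tcp;20;5,110;tcp;20;5,143;tcp;20;5,443;tcp;20;5,465;tcp;20;5,587;tcp;20;5,993;tcp;20;5,995;tcp;20;5"
EOF
}

# csf_ports FILE KEY: ports named by a setting, one per line, sorted.
# Works for "22,25" lists and for "port;limit" / "port;proto;hits;secs"
# items, because the port is always the field before the first ';'.
csf_ports() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" |
        tr ',' '\n' | cut -d';' -f1 | grep -E '^[0-9]+$' | sort -un
}

# csf_unthrottled FILE: space-separated TCP_IN ports missing from both
# CONNLIMIT and PORTFLOOD.
csf_unthrottled() {
    local conf="$1" p out=""
    for p in $(csf_ports "$conf" TCP_IN); do
        if ! csf_ports "$conf" CONNLIMIT | grep -qx "$p" &&
           ! csf_ports "$conf" PORTFLOOD | grep -qx "$p"; then
            out="${out:+$out }$p"
        fi
    done
    echo "$out"
}

# Real use (as root):  csf_unthrottled /etc/csf/csf.conf
```

Passing TCP6_IN through csf_ports as well shows whether the IPv6 list has drifted from the IPv4 one.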

Add this to the end of /etc/csf/csf.pignore:

vim /etc/csf/csf.pignore
cmd:/usr/bin/vmstat -n -S K 30
cmd:/bin/bash /opt/zimbra/bin/zmconfigdctl start norewrite
cmd:/usr/bin/perl /opt/zimbra/libexec/zmlogger
cmd:zmlogger: zmrrdfetch: server

pcmd:/usr/bin/iostat -d -k.*
pcmd:/usr/bin/perl -w /opt/zimbra/libexec/zmstat-.*
pcmd:/opt/zimbra/libexec/logswatch --config-file=/opt/zimbra.*
pcmd:/bin/sh /opt/zimbra/mariadb/bin/mysqld_safe --defaults-file=/opt.*
pcmd:/opt/zimbra/java/bin/java -client -Xmx256m -Djava.net.preferIPv4Stack=true.*
pcmd:/opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Djava.awt.headless=true.*
pcmd:/opt/zimbra/java/bin/java -client -cp /opt/zimbra/lib/jars.*
pcmd:/opt/zimbra/amavisd/sbin/amavisd.*
pcmd:/usr/bin/perl -T /opt/zimbra/amavisd/sbin/amavis-.*
pcmd:/usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc.*
pcmd:/usr/bin/perl /opt/zimbra/data/tmp/.swatch_script.*

pexe:/opt/zimbra/mariadb-.*/bin/mysqld
pexe:/opt/zimbra/postfix-.*/libexec/smtpd
pexe:/opt/zimbra/postfix-.*/libexec/proxymap
pexe:/opt/zimbra/postfix-.*/libexec/qmgr
pexe:/opt/zimbra/httpd-.*/bin/rotatelogs
pexe:/opt/zimbra/cyrus-sasl-.*/sbin/saslauthd
pexe:/opt/zimbra/postfix-.*/libexec/pickup
pexe:/opt/zimbra/postfix-.*/libexec/showq
pexe:/opt/zimbra/unbound-.*/sbin/unbound
pexe:/opt/zimbra/memcached-.*/bin/memcached
pexe:/opt/zimbra/clamav-.*/sbin/clamd
pexe:/opt/zimbra/openldap-.*/sbin/slapd
pexe:/opt/zimbra/nginx-.*/sbin/nginx


FIXME Below this point is old info.

:!: Don't change the SSH port or do any significant tweaking or firewalling prior to installing Zimbra.

Installation

The built-in firewall is turned off permanently during installation. You must implement a firewall after installation of Zimbra.

Disable and stop some services:

systemctl stop postfix && systemctl disable postfix
systemctl stop httpd && systemctl disable httpd
systemctl stop firewalld && systemctl disable firewalld
yum erase httpd* -y

Disable selinux:

sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

setenforce 0

Download and run the latest installer:

mv -f zcsinstall zcsinstall.old
mkdir zcsinstall && cd zcsinstall
wget https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
tar zxvf zcs-*.tgz
cd zcs-*
./install.sh

FIXME I don't think the 'platform override' switch is necessary for CentOS any longer:

./install.sh --platform-override

Near the end of the install you are asked if you want to change the domain name. You should read the message then answer 'Yes'. Change the domain name to just 'domain.tld' instead of 'hostname.domain.tld'.

:!: Add the zimbra user to the mysyslog group:

usermod -aG mysyslog zimbra

Install Patches

Download and install the latest patch (if one exists) (as root):

cd ~
rm -rf zcspatch.old && mv -f zcspatch zcspatch.old
mkdir zcspatch && cd zcspatch
wget https://files.zimbra.com/downloads/x.x.x_GA/zcs-patch-x.x.x_GA_xxxx.tgz
tar -xzvf zcs-patch-*
cd zcs-patch-*
./installPatch.sh
su - zimbra
zmcontrol restart

Force SSL (HTTPS)

Troubleshooting

See also Zimbra Troubleshooting Tips

Probably the easiest way to avoid installation problems is to not mess with the firewall or change the SSH port before getting Zimbra tested and working.

zmconfigd is not running

Comment out the IPv6 line:

vim /etc/hosts

#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Then:

systemctl start zimbra

Root Mail

:!: It didn't seem to matter what I did with /etc/aliases.

http://wiki.zimbra.com/index.php?title=How_to_%22fix%22_system%27s_sendmail_to_use_that_of_zimbra

/usr/sbin/alternatives --install /usr/sbin/sendmail mta /opt/zimbra/postfix/sbin/sendmail 25 \
    --slave /usr/bin/mailq mta-mailq /opt/zimbra/postfix/sbin/mailq \
    --slave /usr/bin/newaliases mta-newaliases /opt/zimbra/postfix/sbin/newaliases \
    --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/postfix/man/man1/mailq.1 \
    --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/postfix/man/man1/newaliases.1 \
    --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/postfix/man/man1/sendmail.1 \
    --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/postfix/share/man/man5/aliases.5 \
    --initscript zimbra
/usr/sbin/alternatives --config mta

If mail sent to root does not flow into the admin mailbox, check:

tail -30 /var/log/mail.log

You may see errors like:

Nov  5 10:06:29 zimbra postfix/smtp[7400]: BCAAD18289B: to=<root@hostname.yourdomain.com>, relay=none, delay=0.06, delays=0.01/0.04/0/0, dsn=5.4.6, status=bounced (mail for hostname.yourdomain.com loops back to myself)

You can also test like this:

echo foo | /usr/sbin/sendmail -f root root && tail -f /var/log/mail.log

In our sample Zimbra installation, we only had one domain yourdomain.com, but root's mail was aliased to “root@hostname.yourdomain.com”. So we added an alias domain “hostname.yourdomain.com” and an additional mail alias to admin of “root@hostname.yourdomain.com”.

su - zimbra
zmprov createAliasDomain hostname.yourdomain.com yourdomain.com
zmprov aaa admin@yourdomain.com root@hostname.yourdomain.com

Changed SSH Port

If you change the SSH port in /etc/ssh/sshd_config, you need to adjust Zimbra:

zmprov ms hostname.yourdomain.com zimbraRemoteManagementPort 2222
cd /opt/zimbra/bin/
./zmsshkeygen
./zmupdateauthkeys

Server Status

Check /var/log/zimbra.log and /var/log/zimbra-stats.log:

ll /var/log/zimbra*

Are they empty with the actual logged detail in dated files? It appears that the logrotate configuration is broken…

/usr/sbin/logrotate -d /etc/logrotate.conf

Run as root:

/opt/zimbra/libexec/zmsyslogsetup

Cron Job Errors

Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 371.
Use of uninitialized value $current_proto in string eq at /usr/lib64/perl5/Sys/Syslog.pm line 374.

vim /usr/lib64/perl5/Sys/Syslog.pm

my $current_proto = 0;

Dev Mode

Undefined at Login

https://helpdesk.zextras.com/hc/en-us/requests/43047

vim /opt/zimbra/jetty_base/webapps/zimbra/WEB-INF/classes/messages/ZmMsg.properties

# Add the following line

splashScreenSwitch = <a href='javascript:switchToStandardClient()'>Switch to the Standard (HTML) version</a>

:!: Clear your browser cache if necessary.

Drive and Team Tabs Missing

https://helpdesk.zextras.com/hc/en-us/requests/43045

As 'zimbra' user:

zxsuite core doDeployClientZimlet && \
zxsuite team doDeployTeamZimlet && \
zxsuite auth doDeployAuthZimlet && \
zxsuite drive doDeployDriveZimlet && \
zxsuite docs doDeployDocsZimlet

/opt/zimbra/bin/zmzimletctl listPriority

zmzimletctl setPriority com_zextras_zextras 0
zmzimletctl setPriority com_zextras_client 1
zmzimletctl setPriority com_zextras_team_classic 2
zmzimletctl setPriority com_zextras_drive 3
zmzimletctl setPriority com_zextras_docs 4

for cos in `zmprov gac`;do zmzimletctl acl com_zextras_zextras $cos grant; done
for cos in `zmprov gac`;do zmzimletctl acl com_zextras_client $cos grant; done
for cos in `zmprov gac`;do zmzimletctl acl com_zextras_team_classic $cos grant; done
for cos in `zmprov gac`;do zmzimletctl acl com_zextras_drive $cos grant; done
for cos in `zmprov gac`;do zmzimletctl acl com_zextras_docs $cos grant; done

zmprov fc zimlet && zmprov fc all

:!: Clear your browser cache if necessary.

internet/mail/zimbra/zimbra_ose.txt · Last modified: 2024/01/13 12:12 by gcooper