Zimbra Mail Server CentOS firewall settings

On a CentOS 7 server with firewalld running, I used the following command to open the ports used by Zimbra Mail Server.


Zimbra redirect webmail http to https

After the Zimbra mail server is installed, webmail works at the URL

https://SERVER-HOSTNAME-HERE/

If you access webmail without HTTPS, it won’t work.

To set HTTP to redirect to HTTPS, log in to the server as root, then switch to user zimbra

Run

Wait a few minutes, and the HTTP link will redirect to HTTPS.

You need to wait a few minutes before it starts working on the HTTPS port; no restart is required.

Now netstat shows nginx running on port 80


Zimbra SSL install

Install SSL Certificate on Zimbra mail server

To install an SSL certificate for Zimbra Mail Server, log in to the server and switch to user zimbra

Now create the file commercial.key and paste your private key into it.

In commercial.crt, paste your SSL certificate.

Create commercial_ca.crt with the content of your ca-bundle file.

Verify the SSL certificate


If the SSL certificate verified successfully, you can install it with the command


To make the SSL certificate active, you need to restart the Zimbra mail server with the command

DMARC

DMARC is used to protect your email from email spoofing. DMARC uses SPF and DKIM records to validate your email.

DMARC is a TXT record added to your domain's DNS.

A DMARC record looks like

p=POLICY_HERE

This specifies what to do with incoming email that fails DMARC.

Valid options are none, quarantine and reject.

p=none – used for monitoring. If DMARC fails, the remote mail server will send a mail to the addresses in the “rua” or “ruf” tags specified in the DMARC record.

p=quarantine – tells the recipient mail server to put the message in the SPAM folder if DMARC fails.

p=reject – rejects the mail if DMARC fails.

rf=afrf – specifies the type of report you will get.
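The tags described above can be checked mechanically before the TXT record is published. The linter below is an added example, not part of the original post: the sample records and example.com addresses are constructed, and the checks for a leading v=DMARC1 tag and mailto: report addresses are assumptions taken from RFC 7489 rather than from this page.

```python
import re

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample TXT values for _dmarc.example.com (not from the original post).
SAMPLES = [
    "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; rf=afrf",
    "v=DMARC1; p=none",
    "v=DMARC1; p=block; rua=dmarc@example.com",
]

def parse_dmarc(txt):
    """Split a DMARC TXT value into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in txt.strip().strip('"').split(";"):
        if not part.strip():
            continue
        tag, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs

def lint_dmarc(txt):
    """Return a list of findings for one record; an empty list means no issues."""
    try:
        pairs = parse_dmarc(txt)
    except ValueError as exc:
        return [str(exc)]
    tags, findings = dict(pairs), []
    if not pairs or pairs[0] != ("v", "DMARC1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"p must be none, quarantine or reject, got {policy!r}")
    for tag in ("rua", "ruf"):  # report destinations, comma-separated URIs
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not re.match(r"mailto:[^@\s]+@[^@\s!]+(![0-9]+[kmgt]?)?$", uri):
                findings.append(f"{tag} is not a mailto: URI: {uri}")
    if policy == "none" and not (tags.get("rua") or tags.get("ruf")):
        findings.append("p=none without rua/ruf: monitoring produces no reports")
    if tags.get("rf", "afrf").lower() != "afrf":
        findings.append("rf is not afrf, the report format described above")
    return findings

if __name__ == "__main__":
    for record in SAMPLES:
        print(record, "->", lint_dmarc(record) or "ok")
```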

Configure postfix to relay mails using Gmail

Install postfix

Create file

Add

Save and exit editor. Run

Edit the postfix configuration file

Find and remove

At the end of the file, add

Restart postfix

Now all mails will be forwarded using Gmail.

Test Email Delivery

Install mailutils

To send a test email, run

Check mail log


Zimbra Unable to validate certificate chain

On installing SSL on the Zimbra mail server, I get the following error

This was due to the SSL cert chain. The ca-bundle file they provided did not work with Zimbra. This is due to some issue with the order in which the CA certificate files are placed. Here is the Zimbra documentation related to this issue

https://wiki.zimbra.com/wiki/Fix_depth_lookup:unable_to_get_issuer_certificate

I checked with the SSL provider; they initially provided a combined SSL certificate that has the cert file + CA certificate. I tried to install it, but it did not work.

After showing SSL support the screenshot of the SSL install page, they provided me with 3 different files.


In the Zimbra SSL install, you have the option to add more intermediate CAs by clicking the “Add Intermediate CA” link.

The provided files are

I tried to install it using the UI, but it failed with some error related to RemoteManager and port 22.

To install on the command line, first you need to log in as user zimbra

I copied all the files provided by the SSL provider to the server. Change to the SSL folder

Edited the file

Pasted the SSL certificate content into this file. The commercial.key file has the private key; this gets auto-generated during the CSR generation process.

Now I tried mixing those 3 files (CA certs) to create commercial_ca.crt, but it failed to work

After a few tries, mixing the CA certificates in the following order got it to work.

Now installed SSL with

Now rebooted the server; after the reboot SSL worked.