Tag: Zimbra

How to block a domain in Zimbra
To block all emails from a specific domain in Zimbra, run the following commands as user zimbra (su – zimbra).
```
zmprov md yourdomain.com +amavisBlacklistSender bad-domain.com
zmamavisdctl restart
```
To block a specific email address, run
```
zmprov md yourdomain.com +amavisBlacklistSender [email protected]
zmamavisdctl restart
```
How to unblock

If you have blocked a domain or email address and want to unblock, you can use
```
-amavisBlacklistSender
```
Example
```
zmprov md yourdomain.com -amavisBlacklistSender bad-domain.com
zmamavisdctl restart
```
Back to zimbra
April 11, 2024

How to disable Zimbra dnscache service

When you are using the Zimbra mail server behind NAT with Split DNS, you need to disable dnscache service.

To view all enabled/installed services, run

zmprov gs `zmhostname` zimbraServiceEnabled zimbraServiceInstalled

Example

zimbra@mail:~$ zmprov gs `zmhostname` zimbraServiceEnabled zimbraServiceInstalled
# name mail.serverok.in
zimbraServiceEnabled: amavis
zimbraServiceEnabled: antivirus
zimbraServiceEnabled: antispam
zimbraServiceEnabled: opendkim
zimbraServiceEnabled: logger
zimbraServiceEnabled: ldap
zimbraServiceEnabled: mta
zimbraServiceEnabled: dnscache
zimbraServiceEnabled: memcached
zimbraServiceEnabled: snmp
zimbraServiceEnabled: stats
zimbraServiceEnabled: proxy
zimbraServiceEnabled: service
zimbraServiceEnabled: zimbra
zimbraServiceEnabled: zimbraAdmin
zimbraServiceEnabled: zimlet
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: spell
zimbraServiceInstalled: amavis
zimbraServiceInstalled: antivirus
zimbraServiceInstalled: antispam
zimbraServiceInstalled: opendkim
zimbraServiceInstalled: logger
zimbraServiceInstalled: ldap
zimbraServiceInstalled: mta
zimbraServiceInstalled: dnscache
zimbraServiceInstalled: snmp
zimbraServiceInstalled: stats
zimbraServiceInstalled: memcached
zimbraServiceInstalled: proxy
zimbraServiceInstalled: mailbox
zimbraServiceInstalled: spell

zimbra@mail:~$

To disable dnscache service, run

zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
zmprov ms `zmhostname` -zimbraServiceInstalled dnscache

Stop dnscache service

zmdnscachectl stop

Stop zimbra

zmcontrol stop

Start Zimbra

zmcontrol start

Back to Zimbra

August 8, 2022

How to Zimbra Split DNS with dnsmasq
When you install Zimbra on a server behind NAT, your public IP is not configured in the server, instead, it gets routed to the server using NAT gateway. Zimbra wants the IP address of your MX record present in the server.

To solve this problem, we can use Split DNS. When you check the IP of the MX record from the server, it resolves to the internal IP address of the server. For everyone else, the MX record resolves to the public IP Address of the server.

IMPORTANT: Do not install Zimbra dnscache (unbound) as it listens on port 53, which will cause conflict with Split DNS.

Disable systemd-resolved

On Ubuntu, local DNS resolving is done by systemd-resolved, you need it disabled.
```
systemctl disable systemd-resolved.service
systemctl stop systemd-resolved
rm -f /etc/resolv.conf
tee /etc/resolv.conf << END
nameserver 127.0.0.1
END
```
Install dnsmasq

Install dnsmasq with command
```
apt install dnsmasq -y
```
Configure dnsmasq

Edit file
```
vi /etc/dnsmasq.conf
```
Add
```
server=8.8.8.8
server=1.1.1.1
domain=aei.gt
mx-host=yourdomain.com,mail.yourdomain.com,5
listen-address=127.0.0.1
```
Restart dnsmasq
```
systemctl restart dnsmasq
```
Edit /etc/hosts file
```
vi /etc/hosts
```
Add
```
YOUR_LOCAL_IP  mail.yourdomain.com mail
```
Edit /etc/resolv.conf
```
vi  /etc/resolv.conf
```
Add
```
nameserver 127.0.0.1
```
Remove any other name server entry, do all DNS requests go to dnsmasq.

At this point, if you do a nslookup/dig for MX record, you should see your internal IP address.

Back to Zimbra
August 8, 2022
How to find Zimbra version
To find the Zimbra version, log in to the server using SSH, then run the following commands.

Switch to the user “zimbra”
```
su - zimbra
```
Run the command zmcontrol -v, which will display the version of Zimbra you are using.
```
zmcontrol -v
```
Example
```
[zimbra@correo ~]$ zmcontrol -v    
Release 8.8.15_GA_3829.RHEL7_64_20190718141144 RHEL7_64 FOSS edition, Patch 8.8.15_P23.
[zimbra@correo ~]$ 
```
Using Zimbra Admin

Login to the Zimbra Admin area at
```
https://your-domain-here:7071/zimbraAdmin/
```
On the Dashboard, you will see the Zimbra version displayed. On the right top side, you will see the “Help” menu. Click on it, then select “About Zimbra”, this will show a popup with the Zimbra version and the build and release date.

See Zimbra
July 5, 2021

Zimbra webmail not working on port 80/443

On Zimbra mail server, webmail stopped working on Port 80/443. Admin interface worked properly on url https://hostname:7071/. There is no errors displayed under monitor tab of Zimbra Admin.

To fix, run

su - zimbra
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE
zmprov ms `zmhostname` zimbraMailMode both
zmprov ms `zmhostname` zimbraReverseProxyMailMode both
./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname`
zmcontrol restart

After running this, netstat -lntp start showing nginx running on port 80 and 443

root@zim:~# netstat -lntp | egrep "80|443"
tcp        0      0 127.0.0.1:10663         0.0.0.0:*               LISTEN      10980/zmlogger: zmr
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      11354/nginx.conf
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      11098/java      
tcp        0      0 116.203.102.86:8080     0.0.0.0:*               LISTEN      11098/java      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      11354/nginx.conf
tcp6       0      0 :::7780                 :::*                    LISTEN      11707/httpd     
root@zim:~#

September 6, 2019

Zimbra Mail Server CentOS firewall settings

On CentOS 7 server with firewalld running, used following command to open ports used by Zimbra Mail Server.

firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=ssh
firewall-cmd --zone=public --permanent --add-port=110/tcp
firewall-cmd --zone=public --permanent --add-port=11211/tcp
firewall-cmd --zone=public --permanent --add-port=143/tcp
firewall-cmd --zone=public --permanent --add-port=25/tcp
firewall-cmd --zone=public --permanent --add-port=443/tcp
firewall-cmd --zone=public --permanent --add-port=465/tcp
firewall-cmd --zone=public --permanent --add-port=5222/tcp
firewall-cmd --zone=public --permanent --add-port=5269/tcp
firewall-cmd --zone=public --permanent --add-port=587/tcp
firewall-cmd --zone=public --permanent --add-port=7025/tcp
firewall-cmd --zone=public --permanent --add-port=7071/tcp
firewall-cmd --zone=public --permanent --add-port=7072/tcp
firewall-cmd --zone=public --permanent --add-port=7073/tcp
firewall-cmd --zone=public --permanent --add-port=7110/tcp
firewall-cmd --zone=public --permanent --add-port=7143/tcp
firewall-cmd --zone=public --permanent --add-port=7993/tcp
firewall-cmd --zone=public --permanent --add-port=7995/tcp
firewall-cmd --zone=public --permanent --add-port=8443/tcp
firewall-cmd --zone=public --permanent --add-port=993/tcp
firewall-cmd --zone=public --permanent --add-port=995/tcp
firewall-cmd --reload

See Zimbra, firewall-cmd

August 9, 2019

Zimbra redirect webmail http to https

After Zimbra mail server installed, webmail work on url

https://SERVER-HOSTNAME-HERE/

If you access webmail with out HTTPS, it won’t work.

To set HTTP to redirect to HTTPS, login to server as root, switch to user zimbra

su - zimbra

Run

zmprov ms SERVER_HOSTNAME_HERE zimbraReverseProxyMailMode redirect

Wait few minutes, HTTP link will redirect to HTTPS.

[root@correo ~]# netstat -lntp | grep 80                                                                                                                                                                    
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      22891/java                                                                                                                  
tcp6       0      0 :::7780                 :::*                    LISTEN      24005/httpd                                                                                                                 
[root@correo ~]# su - zimbra                                                                                                                                                                                
Last login: Thu Aug  8 21:33:52 CST 2019 on pts/0                                                                                                                                                           
[zimbra@correo ~]$ zmprov ms correo.net.gt zimbraReverseProxyMailMode redirect                                                                                                                              
[zimbra@correo ~]$

You need to wait few minutes before it can start working on HTTPS port, no restart required.

Now netstat shows nginx runs on port 80

[root@correo ~]# netstat -lntp| grep 80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      90391/nginx: master 
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      22891/java          
tcp6       0      0 :::7780                 :::*                    LISTEN      24005/httpd         
[root@correo ~]#

See Zimbra

August 9, 2019

Install SSL Certificate on Zimbra mail server

To install SSL certificate for Zimbra Mail Server, login to server, switch to user zimbra

su - zimbra

Now create file commercial.key, paste your Private key.

vi /opt/zimbra/ssl/zimbra/commercial/commercial.key

In commercial.crt, paste your SSL certificate.

vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt

Create commercial_ca.crt with content of your ca-bundle file.

vi /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

Verify SSL cerificate

/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key  /opt/zimbra/ssl/zimbra/commercial/commercial.crt

If SSL verified sucessfully, you can install it with command

/opt/zimbra/bin/zmcertmgr deploycrt comm  /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

To make SSL active, you need to restart Zimbra mail server with command

zmcontrol restart

August 9, 2019

Zimbra Unable to validate certificate chain

On installing SSL on the Zimbra mail server, i get the following error

zimbra@zim:~/boby$ /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key  /opt/zimbra/boby/zim_simplecloud_co_za.crt
** Verifying '/opt/zimbra/boby/zim_simplecloud_co_za.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/opt/zimbra/boby/zim_simplecloud_co_za.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/opt/zimbra/boby/zim_simplecloud_co_za.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: /opt/zimbra/boby/zim_simplecloud_co_za.crt: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup:unable to get issuer certificate
zimbra@zim:~/boby$

This was due to SSL cert chain. The ca-bundle file they provided did not work with Zimbra. This is due to some issue with the order in which CA Certificate files are placed. Here is Zimba documentation related to this issue

https://wiki.zimbra.com/wiki/Fix_depth_lookup:unable_to_get_issuer_certificate

I checked with SSL provider, and they initially provided a combined SSL certificate, that has cert file + ca certificate. I tried to install it, but it did not work.

After showing SSL support the screenshot of the SSL install page, they provided me with 3 different files.

In the zimbra SSL install, you have option to add more intermediate CA by clicking “Add Intermediate CA” link.

The provided files are

root.ca
intermediate1.ca-bundle
intermediate2.ca-bundle

I tried to install it using UI, but it failed with some errors related to RemoteManager and port 22.

To install on Command line, first you need to login as user zimbra

su - zimbra

I copied all files provided by SSL provider to the server. Change to SSL folder

cd /opt/zimbra/ssl/zimbra/commercial/

Edited the file

vi commercial.crt

Pasted the SSL certificate content to this file. commercial.key file have the private key, this get auto generated during the CSR generation process.

Now i tried mixing those 3 files (CA certs) to create commerical_ca.crt, but it failed to work

zimbra@zim:~/ssl/zimbra/commercial$ cat  ~/boby/root.crt ~/boby/intermediate1.ca-bundle > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
zimbra@zim:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
ERROR: Unable to validate certificate chain: Error loading file /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
140015104063128:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:815:
140015104063128:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:259:
zimbra@zim:~/ssl/zimbra/commercial$

After few try, mixing ca certificate in the following order got it work.

zimbra@zim:~/ssl/zimbra/commercial$ cat   ~/boby/intermediate1.ca-bundle  ~/boby/intermediate2.ca-bundle ~/boby/root.crt > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
zimbra@zim:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt
** Verifying 'commercial.crt' against 'commercial.key'
Certificate 'commercial.crt' and private key 'commercial.key' match.
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
zimbra@zim:~/ssl/zimbra/commercial$

Now installed SSL with

zimbra@zim:~/ssl/zimbra/commercial$ /opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt
** Fixing newlines in 'commercial_ca.crt'
** Verifying 'commercial.crt' against '/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate 'commercial.crt' and private key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying 'commercial.crt' against 'commercial_ca.crt'
Valid certificate chain: commercial.crt: OK
** Copying 'commercial.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
'commercial.crt' and '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' are identical (not copied) at /opt/zimbra/bin/zmcertmgr line 1278.
** Copying 'commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt'
'commercial_ca.crt' and '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' are identical (not copied) at /opt/zimbra/bin/zmcertmgr line 1278.
** Appending ca chain 'commercial_ca.crt' to '/opt/zimbra/ssl/zimbra/commercial/commercial.crt'
** Importing cert '/opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt' as 'zcs-user-commercial_ca' into cacerts '/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts'
** NOTE: restart mailboxd to use the imported certificate.
** Saving config key 'zimbraSSLCertificate' via zmprov modifyServer zim.simplecloud.co.za...ok
** Saving config key 'zimbraSSLPrivateKey' via zmprov modifyServer zim.simplecloud.co.za...ok
** Installing imapd certificate '/opt/zimbra/conf/imapd.crt' and key '/opt/zimbra/conf/imapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/imapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/imapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/conf/imapd.keystore'
** Installing ldap certificate '/opt/zimbra/conf/slapd.crt' and key '/opt/zimbra/conf/slapd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/slapd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/slapd.key'
** Creating file '/opt/zimbra/ssl/zimbra/jetty.pkcs12'
** Creating keystore '/opt/zimbra/mailboxd/etc/keystore'
** Installing mta certificate '/opt/zimbra/conf/smtpd.crt' and key '/opt/zimbra/conf/smtpd.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/smtpd.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/smtpd.key'
** Installing proxy certificate '/opt/zimbra/conf/nginx.crt' and key '/opt/zimbra/conf/nginx.key'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.crt' to '/opt/zimbra/conf/nginx.crt'
** Copying '/opt/zimbra/ssl/zimbra/commercial/commercial.key' to '/opt/zimbra/conf/nginx.key'
** NOTE: restart services to use the new certificates.
** Cleaning up 3 files from '/opt/zimbra/conf/ca'
** Removing /opt/zimbra/conf/ca/ca.key
** Removing /opt/zimbra/conf/ca/ca.pem
** Removing /opt/zimbra/conf/ca/44fca4b1.0
** Copying CA to /opt/zimbra/conf/ca
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.key' to '/opt/zimbra/conf/ca/ca.key'
** Copying '/opt/zimbra/ssl/zimbra/ca/ca.pem' to '/opt/zimbra/conf/ca/ca.pem'
** Creating CA hash symlink '44fca4b1.0' -> 'ca.pem'
** Creating /opt/zimbra/conf/ca/commercial_ca_1.crt
** Creating CA hash symlink '65ff7287.0' -> 'commercial_ca_1.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_2.crt
** Creating CA hash symlink 'fc5a8f99.0' -> 'commercial_ca_2.crt'
** Creating /opt/zimbra/conf/ca/commercial_ca_3.crt
** Creating CA hash symlink '157753a5.0' -> 'commercial_ca_3.crt'
zimbra@zim:~/ssl/zimbra/commercial$

Now rebooted the server, and after reboot SSL worked.

March 19, 2019

Install Open Source Zimbra Mail Server
To install Zimbra, Download the latest version of “Zimbra Collaboration Open Source” form

https://www.zimbra.com/downloads/

At the time of this post, the latest version is 8.8.15 GA Release.

System Requirments

Zimbra recommends 8 GB of RAM. For detailed system requirements, see Zimbra System Requirements

I have installed it on servers with 4 GB RAM without any problem. If you are installing on a server with 4 GB RAM, make sure you add swap in cause you run out of RAM.
```
dd if=/dev/zero of=/swapfile bs=1M count=4096
mkswap /swapfile
chmod 0600 /swapfile
swapon /swapfile
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
```
Set Hostname

Zimbra needs you to set the proper hostname for your server.
```
hostnamectl set-hostname mail.yourdomain.com
```
First, add an A record for your hostname and point it to your server IP.

Now edit /etc/hosts and add an entry like
```
IP_ADDR  mail.yourdomain.com mail
```
Where mail.yourdomain.com is your FQDN.

Set MX Record

During installation Zimbra checks for MX records, so make sure you set MX record for your domain, point it to the server where you install Zimbra.

Install Zimbra on Ubuntu 20.04

Download the latest version of Zimbra from

https://www.zimbra.com/downloads/zimbra-collaboration-open-source/

To install Zimbra, run
```
cd /usr/local/src
wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954.tgz
tar xvf zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954.tgz
cd zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954
./install.sh
```
It will ask some questions. For most questions, you can just press enter as that is the default option (Y).

Once install is done, you will be asked to set an admin password.

After the installation is done, you will be able to login to the Zimbra Admin area at
```
https://mail.yourdomain.com:7071/zimbraAdmin/
```
Webmail available at
```
https://mail.yourdomain.com
```
Zimbra
April 8, 2018

zmcontrol CLI for Zimbra Mail Server

zmcontrol is CLI tool for managing Zimbra Mail Server.

To use, zmcontrol, you need to become user zimbra.

su - zimbra
zmcontrol status

To stop zimbraAdmin, run

zmcontrol stop zimbraAdmin

Example

[zimbra@mail ~]$ zmcontrol stop zimbraAdmin
Host mail.serverok.in
	Stopping zmconfigd...Done.
	Stopping zimlet webapp...Done.
	Stopping zimbraAdmin webapp...Done.
	Stopping zimbra webapp...Done.
	Stopping service webapp...Done.
	Stopping stats...Done.
	Stopping mta...Done.
	Stopping spell...Done.
	Stopping snmp...Done.
	Stopping cbpolicyd...Done.
	Stopping archiving...Done.
	Stopping opendkim...Done.
	Stopping amavis...Done.
	Stopping antivirus...Done.
	Stopping antispam...Done.
	Stopping proxy...Done.
	Stopping memcached...Done.
	Stopping mailbox...Done.
	Stopping logger...Done.
	Stopping dnscache...Done.
	Stopping ldap...Done.
[zimbra@mail ~]$

Zimbra

February 22, 2018

Zimbra
Login to Zimbra Admin at

https://YOUR_SERVER_IP:7071/zimbraAdmin/

Login to webmail at

https://YOUR_SERVER_IP/

Installation Tips

1) Make sure no postfix pre installed.

2) Set SELinux off

3) Make sure you can ping to hostname, also MX record set for hostname

4) Turn firewall off during installation or open required ports.

Re Run configuration
```
/opt/zimbra/libexec/zmsetup.pl
```
Start Zimbra Server
```
zmcontrol start
```
Location of postfix. If you run command as user zimbra, then this folder is in your path. If running as root, you need to specify full path.
```
/opt/zimbra/common/sbin/postqueue
```
February 22, 2018

Tag: Zimbra

How to unblock

Disable systemd-resolved

Install dnsmasq

Configure dnsmasq

Using Zimbra Admin

Set Hostname

Set MX Record

Install Zimbra on Ubuntu 20.04