Zimbra

From vwiki
Jump to navigation Jump to search
This page is now depreciated, and is no longer being updated.
The page was becoming too large - all content from this page, and newer updates, can be found via the Category page link below.

This page and its contents will not be deleted.

See Zimbra

Installation

The notes below are for the situation of installing a Zimbra server in a split-DNS scenario. Split DNS is required where you have a Zimbra server on an internal (private address range) network. Zimbra needs to be able to resolve its own MX DNS record, therefore if your server is known publicly by one IP address, but in fact has an internal address (and the public IP is NAT'ed to the internal IP) you'll need to use split DNS. The method below uses a DNS server installed locally on the Zimbra server, however you can also use a DNS server on your local network, if you have one available.

DNS Records

Firstly, you need to own a public domain name, then get your ISP to create two DNS records...

  1. MX record - Mail Exchanger (MX) record
    • EG sandfordit.com [MX] -> mail.sandfordit.com
    • sandfordit.com is the domain you own, and mail is hostname of your email server (can be anything you like)
  2. A record - Standard DNS record
    • EG mail.sandfordit.com [A] -> 158.25.34.124
    • 158.25.34.124 is the static IP address assigned by your ISP. You'll need to set-up a NAT on your router (often oddly called a virtual server in domestic routers) to map incoming mail on TCP 25 to your email server's actual address (EG 158.25.34.124:25 -> 192.168.1.150:25 ).

Note, instead of an A record you can use a CNAME record if you prefer, though obviously the CNAME record will still need to point to a valid A record. Using a CNAME might be preferable, if for example you've multiple services running from a single public IP, that you might want to split out in the future to run on separate IP's, at which point you can replace the CNAME records with A records.

OS DNS Setup

In order to get round the fact that your exchange server won't have the same IP (or name even) on the public internet as it will on your internal network, a DNS server is installed on the exchange server to provide MX record resolution. Procedure assumes DNS (Bind) is already installed.

Terminology...

  • Private = Home or internal network IP address and network name (eg 192.168.1.150 and mail.home.int)
  • Public = Global internet, ISP assigned IP address and registered domain name (eg 158.25.34.124 and mail.sandfordit.com)

Firstly, add the IP('s) of the DNS servers you use for resolution on your other machines to your local DNS server's list of forwarders (so that your exchange server forwards DNS resolution requests for unknown names to your normal DNS servers), edit /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";
        query-source address * port 53;

        forwarders {
                192.168.1.1; 158.25.30.10;
        };

        auth-nxdomain no;    # conform to RFC1035
};

Edit /etc/resolv.conf to force the server to use its local DNS server for resolution

nameserver 127.0.0.1

Restart bind using /etc/init.d/bind9 restart and check you can resolve external addresses properly.

Now create the internal zone that will eventually contain the local MX record for your exchange server, append the following to /etc/bind/named.conf.local , using your publicly registered domain name

zone "sandfordit.com"  {
    type master;
    file "/etc/bind/db.sandfordit.com";
};

Lastly create the database file for you DNS domain /etc/bind/db.sandfordit.com, using your publicly registered domain name and private (internal) IP address for your exchange server...

;
; BIND data file for sandfordit.com
;
$TTL    604800
@       IN      SOA     mail.sandfordit.com. admin.sandfordit.com. (
                         070725         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       192.168.1.150
mail    IN      A       192.168.1.150

Zimba Install

Reference http://wiki.zimbra.com/index.php?title=Ubuntu_8.04_LTS_Server_%28Hardy_Heron%29_Install_Guide

  1. Copy the install to the server
    • EG pscp zcs-6.0.5_GA_2213.UBUNTU8.20100202225756.tgz simons@mail:zcs-6.0.5_GA_2213.UBUNTU8.20100202225756.tgz
  2. Uncompress the package
    • tar -xzf zcs-6.0.5_GA_2213.UBUNTU8.20100202225756.tgz
  3. Start the install
    • ./install.sh
    • The install will fail due to missing packages!
  4. Install the missing prerequisite packages
    • EG apt-get install libpcre3 libgmp3c2 libstdc++5 sysstat
  5. Restart the install
  6. Part-way through the install will complain about your domain not having a DNS record, change the domain to your publicly registered domain (without server hostname, so sandfordit.com rather than mail.sandfordit.com
  7. At the end of the install, address the unconfigured item (ie an admin password)

Once the install is completed, login to administer the exchange server using https://mail:7071

To enforce https for Zimbra Desktop clients use the following commands (requires a restart to take effect)...

su - zimbra
zmtlsctl https

High CPU Workaround

Zimbra seems to have some real issues with constant high CPU spikes every minute, to limit reduce the logging retention and failed process checking.

su - zimbra
zmlocalconfig -e zmmtaconfig_interval=6000
zmprov mcf zimbraLogRawLifetime 7d
zmprov mcf zimbraLogSummaryLifetime 30d
/opt/zimbra/libexec/zmlogprocess

crontab -e
*/60 * * * * /opt/zimbra/libexec/zmstatuslog 
  • zmlocalconfig -e zmmtaconfig_interval=6000
    • Increase service failure watchdog interval to 6000 secs

Above seems to help, but doesn't fix things...! Additionally, to disable the logging process, maybe (uncomplete)

su - zimbra
hostname                # Gives your server's hostname
zmprov ms <hostname> -zimbraServiceEnabled logger

Zimbra Appliance

Installation

Download a copy of the (OVA format) appliance from http://www.zimbra.com/downloads/zca-downloads.html or just get a copy of the download URL to delay downloading until deployment, plus get a license if you want to run for more than 60 days (10 user license is free). The appliance needs to be run on VMware vSphere.

The appliance is just over 2GB in size (though the disk in 18GB if thick provisioned and can be deployed as...

  • Trial - 1 vCPU, 2 GB RAM
    • Not officially suitable for production, but fine for the free 10-user license
  • Midsize - 2 vCPU, 4GB RAM
    • Production use up to 500 users
  • Large - 2 vCPU, 8 GB RAM
    • Production use up to 1000 users

To deploy

  1. In the VI Client, go to File | Deploy OVF Template...
  2. Locate the downloaded OVA file or paste in the URL, click Open and then Next
  3. Check the OVF Template Details and click Next
  4. Accept the End User License Agreement and click Next
  5. Enter a suitable VM name, and change the destination location as required, and click Next
  6. Select the appropriate Deployment Configuration, and click Next
  7. Select the appropriate Host / Cluster, and click Next
  8. Update the Resource Pool config as required, and click Next
  9. Select a Datastore and click Next
  10. Select a Disk Format of your preference and click Next
  11. Select a network to connect the VM to (IP address settings can be applied later), and then click Next
  12. Leave the IP Address Allocation as Fixed, and then click Next
  13. In the Properties step, proceed as follows and then click Next
    • 0. Configuration Password - Enter a password note that it won't be obscured
    • 1. Server Name - Enter the network hostname for your server (not FQDN - eg mailserver)
    • 2. Administrative Account - Enter your admin email address and password note that the password won't be obscured
    • Networking Properties - Enter an IP address
  14. Confirm the config is correct, then click Next

Post-Install

License

You may get a warning to say that your license is not activated, in which case log in as the zimbra user to your server, check you've got the correct license loaded, then activate it (your server needs to be able to reach the Zimbra license portal)

zimbra@mail:~$ zmlicense -p
[License]
AccountsLimit=10
ArchivingAccountsLimit=0
AttachmentConversionEnabled=true
AttachmentIndexingAccountsLimit=10
BackupEnabled=true
CrossMailboxSearchEnabled=false
HierarchicalStorageManagementEnabled=false
ISyncAccountsLimit=0
InstallType=regular
IssuedOn=<removed>
IssuedToEmail=<removed>
IssuedToName=<removed>
LicenseId=<removed>
MAPIConnectorAccountsLimit=0
MobileSyncAccountsLimit=10
MobileSyncEnabled=true
ResellerName=
SMIMEAccountsLimit=0
ValidFrom=<removed>
ValidUntil=<removed>

zimbra@mail:~$ zmlicense -c
license not activated for 7.0.0_GA_3077

zimbra@mail:~$ zmlicense -a

zimbra@mail:~$ zmlicense -c
license is OK

Maintenance

Backup

Basic manual backup

  1. SU to Zimbra admin
    • su - zimbra
  2. Stop Zimbra services
    • zmcontrol stop
  3. Exit Zimbra user and create copy of directory
    • EG cp -rp /opt/zimbra /home/simons/zimbra_backup_100301
  4. Once completed, go back to zimbra user and start
    • su - zimbra
    • zmcontrol start


More elaborate scripted version

  1. Check the size of the /opt/zimbra dir, this will be replicated to a sync directory, from which the actual backup is taken, and check available free space
    • du -hs /opt/zimbra
    • df -h
  2. Un-gzip and upload the config file to somewhere convenient
  3. Edit required config params at start of script
  4. Run the script to install (as root), allow creation of required folders and install of required utils
    • ./zmbak_v.0.8.sh --INSTALL
  5. Perform a first full run to check everything works alight and to create the first full backup
    • ./zmbak_v.0.8.sh -f

To restore, see http://www.zimbra.com/forums/administrators/15275-solved-yet-another-backup-script-community-version-24.html

I've modified the above script, to suit my own purposes. I've added an FTP option so that completed backup's are copied off to a remote FTP server (the copy isn't encrypted so should only be used within a private/secure network - Zimbra FOSS Full Backup

Upgrade

Use the same package to upgrade the software as used for a brand new install (there is no separate upgrade package). The important part of any upgrade IS NOT how to get your system upgraded, it IS how you're going to recover if it all goes horribly wrong.

  1. Isolate the server from the internet (so new mails can't received following the pre-upgrade backup)
  2. Stop the mail server running
    • su - zimbra
    • zmcontrol stop
  3. Backup the server 1st
    • If hosted on an ESX, probably most easily achieved by starting a snapshot (remember to delete the snapshot after a few days if no probs are encountered)
    • Also copy off any existing local backup (so that a new full backup can be started following the upgrade)
  4. Copy the install to the server
    • EG pscp zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz simons@mail:zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
  5. Uncompress the package
    • tar -xzf zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
  6. Start the upgrade using the install script
    • ./install.sh
  7. The script should detect an existing installation and upgrade it, do not install additional components, but do confirm the upgrade.
  8. Once completed, test thoroughly
  9. Perform a full local backup
  10. Reconnect to network

Patch

Sometimes patch packages are supplied for minor upgrades between specific versions. Take the same backup precautions as for a normal upgrade. The actual application of the patch varies slightly from an upgrade...

  1. Copy the patch package to the server
    • EG pscp zcs-patch-6.0.6_GA_2332.tgz simons@mail:zcs-patch-6.0.6_GA_2332.tgz
  2. Uncompress the package
    • tar -xzf zcs-patch-6.0.6_GA_2332.tgz
  3. Start the patch upgrade using the install script
    • ./installPatch.sh
  4. Restart the software to apply changes
    • su - zimbra
    • zmcontrol stop
    • zmcontrol start

Procedures

Install Commercial Certificate

  1. Create a Certificate Signing Request (CSR) - can be done via the GUI admin console, but doesn't always work properly
    1. Logged into the server as root...
    2. Generate CSR, EG /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/L=London/O=SandfordIT Limited/CN=mail.sandfordit.com"
      • /C - Country
      • /ST - Region / county (optional)
      • /L - City
      • /O - Organisation / company name
      • /OU - Department (optional)
      • /CN - Server FQDN
  2. Display and copy CSR key
    • more /opt/zimbra/ssl/zimbra/commercial/commercial.csr
  3. Upload CSR to certificate authority
  4. Install received keys via GUI and restart server

Migrate Commercial Certificate To New Server

This is essentially an updated version of the old procedure that can be found here - http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers for ZCS v7.

  1. On your old server make a copy of the SSL folder
    • EG cp -r /opt/zimbra/ssl /home/user/sslbk
  2. Delete any back folders from within your copy so that only a zimbra folder exists
    • EG rm -rf /home/user/sslbk/zimbra.*
  3. Compress the folder into a file
    • EG tar cvzf sslbk.tgz /sslbk/
  4. Copy the file to your new server
    • EG pscp user@oldmail.domain.com:/home/user/sslbk.tgz c:\temp\sslbk.tgz
    • EG pscp c:\temp\sslbk.tgz user@newmail.domain.com:/home/user/
  5. Backup the SSL folder
    • mv /opt/zimbra/ssl/ /opt/zimbra/ssl_old
  6. Uncompress file copied from old server
    • tar -xvf /home/user/sslbk.tgz
  7. Copy the folder into place and rename
    • cp -r sslbk/ /opt/zimbra/ssl
    • mv /opt/zimbra/sslbk/ /opt/zimbra/ssl
  8. Deploy the certificate
    • EG /opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/sslbk/zimbra/commercial/commercial.crt /home/user/sslbk/zimbra/commercial/commercial_ca.crt
  9. Restart Zimbra
    • su - zimbra
    • zmcontrol restart
  10. If services don't start properly, force java to accept your certificate
    • EG /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /sslbk/zimbra/commercial/commercial.crt

Change Hostname

This is based on the article found here - http://wiki.zimbra.com/wiki/ZmSetServerName. I've used this procedure for Zimbra v7 FOSS installations on Ubuntu 8 32-bit and 10 64-bit (LTS).

This procedure requires downtime, and because zimbra services need to be up to complete the change, if you can stop new mail being received by the server (by disabling through a firewall for example) do so. If you have to fall back to your backup, any mail received during the backup will be lost.

  1. Ensure that new DNS records are already set-up and working.
    • EG dig domain.com mx
  2. Create a backup of your entire installation (if running as a VMware VM, take a snapshot as well)
    1. Stop Zimbra (as zimbra user)
      • zmcontrol stop
    2. Create copy (as root)
      • mkdir /backup/opt
      • mkdir /backup/opt/zimbra
      • cp -r /opt/zimbra/ /backup/opt/zimbra/
    3. Start Zimbra (as zimbra user)
      • zmcontrol start
  3. Perform rename to Zimbra installation
    • EG /opt/zimbra/libexec/zmsetservername -n mailsvr.domain.com
  4. Perform rename to operating system
    1. Update the following files
      • /etc/hosts
      • /etc/hostname
    2. Set the hostname (not FQDN)
      • hostname <servername>
  5. Reboot the server
    • shutdown -r now

Once your server is back up, run through the following to check everything is in working order...

  1. zmcontrol status
  2. zmprov gacf | grep oldhostname
  3. zmprov gs `zmhostname` | grep oldhostname
  4. zmlocalconfig | grep oldhostname
  5. Plus I'd tail the /var/log/zombra.log while sending and receiving a few test emails to make sure everything is running sweetly.

Any probs, refer to the Zimbra doc at the start of this for things to investigate.

Install Zimlet

Zimlets only work when accessing via the web client, they are not usable from the full-fat Zimbra client.

  1. Copy the Zimlet to the server
    • EG pscp com_zimbra_tasksreminder.zip simons@mail:com_zimbra_tasksreminder.zip
  2. Move the file to the /opt/zimbra/zimlets directory
  3. Deploy the Zimlet
    • EG zmzimletctl deploy com_zimbra_tasksreminder.zip

Signature Length Increase

The maximum length of an email signature is limited to 10240 by default, to increase...

  1. Update appropriate CoS/user pref...
    1. In server admin console
    2. Either update the
      1. User
        • Addresses > Accounts > <user>
      2. Or CoS
        • Configuration > Class of Service > <CoS>
    3. Go to Preferences > Mail Options > Composing mail
    4. Change Maximum length of mail signature value (eg 20480)
  2. Update Zimbra Desktop
    1. Delete, then re-add the account and allow to resync fully

LDAP Config Item Check/Modify

  • To check config
    • EG zmprov gcf zimbraMailPurgeSleepInterval
  • To modify config
    • EG zmprov mcf zimbraMailPurgeSleepInterval 1m

Message Filters

  • To verify email account filters setup
    • EG zmmailbox -z -m simon gfrl

Message Sizes

To see the current max IMAP request size...

  • zmlocalconfig | grep -i imap_max_request_size

To increase the size, to say 20MB...

  • zmlocalconfig -e imap_max_request_size=20480

Its also worth being aware of the following settings, which are altered through the admin console...

  • In Global Settings | General Information...
    • Maximum size of an uploaded file for Briefcase, Email messages, Calendar appointments and Tasks (KB)
      • zimbraFileUploadMaxSize
  • In Global Settings | MTA...
    • Maximum message size (KB)
      • zimbraMtaMaxMessageSize

And there's also an additional setting, zimbraMailContentMaxSize, which also appears to affect the maximum size of attachments. To see what you're set to currently use...

  • zmprov getConfig zimbraMailContentMaxSize

and so update to say 20 MB, use...

  • zmprov modifyConfig zimbraMailContentMaxSize 20480000

Troubleshooting

Account Export Incomplete

When trying to export an entire (or partial) account's data (either via the web or Zimbra clients, or through a /zmmailbox -z -m "user@domain.com" getRestURL -o user.tgz "//?fmt=tgz"), the export can occasionally be incomplete, this can be due to two reasons (maybe more)...

  • Large account / export time-out
  • Invalid tags
    • This is essentially down to some database corruption.
    • To confirm that its the issue, tail your /opt/zimbra/log/mailbox.log file when creating an export and look out for the following errors (tag 68 is the problem tag ID in this example)
      • Code:mail.NO_SUCH_TAG Arg:(itemId, IID, "68")
      • java.io.IOException: data error: java.io.IOException: tag error: com.zimbra.cs.mailbox.MailServiceException$NoSuchItemException: no such tag: 68
    • To resolve...
      1. Confirm that the account doesn't have the tag
        • zmmailbox -z -m "user@domain.com" gat
      2. Get the user to create enough dummy tags to reach the problem ID number
      3. Reattempt the export - it may fail again, but on a higher tag ID (repeat the above until it succeeds)
      4. Delete the dummy tags, and retest

The above is based on info gleamed from http://www.zimbra.com/forums/administrators/48724-no_such_tag-while-exporting.html

Documentation Links