Procedures (Zimbra): Difference between revisions
(→Install Commercial Certificate: Added CLI procedure) |
m (→Enable Spam BlockList: Added example output in daily mail) |
||
(One intermediate revision by the same user not shown) | |||
Line 221: | Line 221: | ||
grep 'purge' /opt/zimbra/log/mailbox.log | grep 'purge' /opt/zimbra/log/mailbox.log | ||
zgrep 'purge' /opt/zimbra/log/mailbox.log.2012-08-05.gz | zgrep 'purge' /opt/zimbra/log/mailbox.log.2012-08-05.gz | ||
=== Enable Spam BlockList === | |||
In order for you to be able to add a public blocklist it first needs known by SpamAssassin. SpamAssassin's config can be found in <code>/opt/zimbra/conf/spamassassin/</code>, to check for a particular DNS Blocklist, ''zen.spamhaus.org'' for example, use | |||
* <code>grep zen.spamhaus.org /opt/zimbra/conf/spamassassin/20_dnsbl_tests.cf</code> | |||
# Login as the Zimbra user | |||
#* <code> su - zimbra </code> | |||
# Check existing restrictions | |||
#* <code> zmprov gacf | grep zimbraMtaRestriction </code> | |||
# Add new restriction (for example ''zen.spamhaus.org'') | |||
#* <code> zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org" </code> | |||
# Check restriction has been added | |||
#* <code> zmprov gacf | grep zimbraMtaRestriction </code> | |||
Hosts rejected by the blocklist will be listed in the "Daily mail report", for example... | |||
<pre> | |||
message reject detail | |||
--------------------- | |||
RCPT | |||
blocked using zen.spamhaus.org (total: 5) | |||
1 speakezy.com.au | |||
1 v4.ngi.it | |||
1 draw.datemail.us | |||
1 born.seriesmail.us | |||
1 wood.seriesmail.us | |||
</pre> | |||
=== Enable DKIM === | === Enable DKIM === |
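Review bot: The opening sentence of the added "Enable Spam BlockList" section, "it first needs known by SpamAssassin", is missing "to be", and the grep step under it never says what result counts as the blocklist being known. Suggest "it first needs to be known by SpamAssassin" plus a line stating that a match in 20_dnsbl_tests.cf is the expected result. Steps 2 and 4 run the identical "zmprov gacf | grep zimbraMtaRestriction", so step 4 should state that "reject_rbl_client zen.spamhaus.org" is expected to appear in its output.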
Latest revision as of 08:02, 31 July 2013
Backup
Basic Manual Backup
Useful just before you perform an upgrade or some other potentially disastrous change (be aware that if your server is still accessible to users or can receive incoming email from the internet, any interim changes will be lost if you roll back)
- SU to Zimbra admin
su - zimbra
- Stop Zimbra services
zmcontrol stop
- Exit Zimbra user and create copy of directory
- EG
cp -rp /opt/zimbra /home/simons/zimbra_backup_20100301
- Once completed, go back to zimbra user and start
su - zimbra
zmcontrol start
Full Scripted Backup
- For more info see - http://www.zimbra.com/forums/administrators/15275-solved-yet-another-backup-script-community-version.html
- Script is downloadable from - http://www.osoffice.de/downloads/viewcategory-7.html
- Or see my modified version at Zimbra FOSS Full Backup
This method performs a full (offline) backup of your whole Zimbra installation. An online backup of user data only can also be achieved, see Zimbra FOSS User Backup
- Check the size of the /opt/zimbra dir (this will be replicated to a sync directory, from which the actual backup is taken) and check the available free space
du -hs /opt/zimbra
df -h
- Un-gzip and upload the config file to somewhere convenient
- Edit required config params at start of script
- Run the script to install (as root), allow creation of required folders and install of required utils
./zmbak_v.0.8.sh --INSTALL
- Perform a first full run to check everything works alright and to create the first full backup
./zmbak_v.0.8.sh -f
To restore, see http://www.zimbra.com/forums/administrators/15275-solved-yet-another-backup-script-community-version-24.html
I've modified the above script to suit my own purposes. I've added an FTP option so that completed backups are copied off to a remote FTP server (the copy isn't encrypted so should only be used within a private/secure network) - Zimbra FOSS Full Backup
Software Updates
Upgrade
- See also: Upgrade Zimbra FOSS v7 to v8
Get the appropriate version from http://www.zimbra.com/downloads/os-downloads.html
Use the same package to upgrade the software as used for a brand new install (there is no separate upgrade package). The important part of any upgrade IS NOT how to get your system upgraded, it IS how you're going to recover if it all goes horribly wrong.
- Isolate the server from the internet (so new mails can't be received following the pre-upgrade backup)
- Stop the mail server running
su - zimbra
zmcontrol stop
- Backup the server 1st
- If hosted on an ESX, probably most easily achieved by starting a snapshot (remember to delete the snapshot after a few days if no probs are encountered)
- Also copy off any existing local backup (so that a new full backup can be started following the upgrade)
- Copy the install to the server
- EG
pscp zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz simons@mail:zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
- Uncompress the package
tar -xzf zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
- Start the upgrade using the install script
./install.sh
- The script should detect an existing installation and upgrade it. Do not install additional components, but do confirm the upgrade.
- Once completed, test thoroughly
- Perform a full local backup
- Reconnect to network
Patch
Sometimes patch packages are supplied for minor upgrades between specific versions. Take the same backup precautions as for a normal upgrade. The actual application of the patch varies slightly from an upgrade...
- Copy the patch package to the server
- EG
pscp zcs-patch-6.0.6_GA_2332.tgz simons@mail:zcs-patch-6.0.6_GA_2332.tgz
- Uncompress the package
tar -xzf zcs-patch-6.0.6_GA_2332.tgz
- Start the patch upgrade using the install script
./installPatch.sh
- Restart the software to apply changes
su - zimbra
zmcontrol stop
zmcontrol start
Certificates
Install Commercial Certificate
- Create a Certificate Signing Request (CSR) - can be done via the GUI admin console, but doesn't always work properly
- Logged into the server as root...
- Generate CSR, EG
/opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/L=London/O=SandfordIT Limited/CN=mail.sandfordit.com"
- /C - Country
- /ST - Region / county (optional)
- /L - City
- /O - Organisation / company name
- /OU - Department (optional)
- /CN - Server FQDN
- Display and copy CSR key
more /opt/zimbra/ssl/zimbra/commercial/commercial.csr
- Upload CSR to certificate authority
- Install received certificates via GUI and restart server
If you are unable to install the new certificates via the admin console, then do the following
- Copy the CA and server certificates onto the server (to a temp location)
- If you have a CA certificate and one or more intermediary certificates, these need to be concatenated so that you have one CA cert, and one server cert
- EG
cat /tmp/ca.crt /tmp/ca_inter1.crt /tmp/ca_inter2.crt > /tmp/ca_chain.crt
- Verify the server certificate
- EG
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/server.crt /tmp/ca_chain.crt
- Deploy the server certificate
- EG
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_chain.crt
- Restart the server
For more info see http://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#zmcertmgr
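An independent pre-deployment check for the CLI procedure above, as an added example that is not part of the original page or of Zimbra's tooling: it uses openssl to confirm that the server certificate belongs to the private key and that it verifies against the concatenated chain. The function names are hypothetical; the paths in the usage comment are the ones used above.

```sh
#!/bin/sh
# Added example (not from the original page): certificate checks with openssl only.

# Succeeds when the certificate's public key is the one derived from the key file.
cert_matches_key() {   # $1 = private key, $2 = server certificate
    _from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    _from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$_from_key" = "$_from_crt" ]
}

# Succeeds when the certificate verifies against the concatenated CA chain.
cert_chains_to() {     # $1 = server certificate, $2 = CA chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Number of certificates in a PEM file (root plus each intermediate).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print "ok: ..." and return 0 when both checks pass, else the reason and 1.
precheck_cert() {      # $1 = key, $2 = server cert, $3 = CA chain
    cert_matches_key "$1" "$2" || { echo "key does not match certificate"; return 1; }
    cert_chains_to "$2" "$3" || { echo "certificate does not verify against chain"; return 1; }
    echo "ok: chain file holds $(pem_cert_count "$3") certificate(s)"
}

# Usage (paths as used on this page):
# precheck_cert /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/server.crt /tmp/ca_chain.crt
```

A missing intermediate shows up as a verification failure here before anything is deployed.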
Migrate Commercial Certificate To New Server
This is essentially an updated version of the old procedure that can be found here - http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers for ZCS v7.
- On your old server make a copy of the SSL folder (it holds the certificate's private key, so keep the copy and the archive made from it private)
- EG
cp -r /opt/zimbra/ssl /home/user/sslbk
- Delete any backup folders from within your copy so that only a zimbra folder exists
- EG
rm -rf /home/user/sslbk/zimbra.*
- Compress the folder into a file (run from /home/user)
- EG
tar cvzf sslbk.tgz sslbk/
- Copy the file to your new server
- EG
pscp user@oldmail.domain.com:/home/user/sslbk.tgz c:\temp\sslbk.tgz
- EG
pscp c:\temp\sslbk.tgz user@newmail.domain.com:/home/user/
- Backup the SSL folder
mv /opt/zimbra/ssl/ /opt/zimbra/ssl_old
- Uncompress file copied from old server
tar -xvf /home/user/sslbk.tgz
- Copy the folder into place and rename
cp -r sslbk/ /opt/zimbra/
mv /opt/zimbra/sslbk/ /opt/zimbra/ssl
- Deploy the certificate
- EG
/opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/sslbk/zimbra/commercial/commercial.crt /home/user/sslbk/zimbra/commercial/commercial_ca.crt
- Restart Zimbra
su - zimbra
zmcontrol restart
- If services don't start properly, force java to accept your certificate
- EG
/opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /home/user/sslbk/zimbra/commercial/commercial.crt
Change Server Hostname
This is based on the article found here - http://wiki.zimbra.com/wiki/ZmSetServerName. I've used this procedure for Zimbra v7 FOSS installations on Ubuntu 8 32-bit and 10 64-bit (LTS).
This procedure requires downtime, and because zimbra services need to be up to complete the change, if you can stop new mail being received by the server (by disabling through a firewall for example) do so. If you have to fall back to your backup, any mail received during the backup will be lost.
- Ensure that new DNS records are already set-up and working.
- EG
dig domain.com mx
- Create a backup of your entire installation (if running as a VMware VM, take a snapshot as well)
- Stop Zimbra (as zimbra user)
zmcontrol stop
- Create copy (as root)
mkdir /backup/opt
mkdir /backup/opt/zimbra
cp -r /opt/zimbra/ /backup/opt/zimbra/
- Start Zimbra (as zimbra user)
zmcontrol start
- Perform rename to Zimbra installation
- EG
/opt/zimbra/libexec/zmsetservername -n mailsvr.domain.com
- Perform rename to operating system
- Update the following files
/etc/hosts
/etc/hostname
- Set the hostname (not FQDN)
hostname <servername>
- Reboot the server
shutdown -r now
Once your server is back up, run through the following to check everything is in working order...
zmcontrol status
zmprov gacf | grep oldhostname
zmprov gs `zmhostname` | grep oldhostname
zmlocalconfig | grep oldhostname
- Plus I'd tail /var/log/zimbra.log while sending and receiving a few test emails to make sure everything is running sweetly.
Any probs, refer to the Zimbra doc at the start of this for things to investigate.
Configuration Changes
Install Zimlet
Zimlets only work when accessing via the web client; they are not usable from the full-fat Zimbra desktop client.
- Copy the Zimlet to the server
- EG
pscp com_zimbra_tasksreminder.zip simons@mail:com_zimbra_tasksreminder.zip
- Move the file to the /opt/zimbra/zimlets directory
- Deploy the Zimlet
- EG
zmzimletctl deploy com_zimbra_tasksreminder.zip
Signature Length Increase
The maximum length of an email signature is limited to 10240 by default, to increase...
- Update appropriate CoS/user pref...
- In server admin console
- Either update the User
- Addresses > Accounts > <user>
- Or CoS
- Configuration > Class of Service > <CoS>
- Go to Preferences > Mail Options > Composing mail
- Change Maximum length of mail signature value (eg 20480)
- Update Zimbra Desktop
- Delete, then re-add the account and allow to resync fully
Maximum Message Sizes
To see the current max IMAP request size...
zmlocalconfig | grep -i imap_max_request_size
To increase the size, to say 20MB...
zmlocalconfig -e imap_max_request_size=20480
It's also worth being aware of the following settings, which are altered through the admin console...
- In Global Settings | General Information...
- Maximum size of an uploaded file for Briefcase, Email messages, Calendar appointments and Tasks (KB)
zimbraFileUploadMaxSize
- In Global Settings | MTA...
- Maximum message size (KB)
zimbraMtaMaxMessageSize
And there's also an additional setting, zimbraMailContentMaxSize, which also appears to affect the maximum size of attachments. To see what you're set to currently use...
zmprov getConfig zimbraMailContentMaxSize
and to update to, say, 20 MB, use...
zmprov modifyConfig zimbraMailContentMaxSize 20480000
Mailbox Purge Interval
Mailbox purging carries on continuously in the background. The process pauses/sleeps between each mailbox by a user defined interval (default is 1 minute). What's purged is defined in the Class of Service (COS) for a particular mailbox - see the Email Retention Policy on the Advanced tab in the admin console (it can be overridden for individual mailboxes in the Advanced tab of the account config).
To check the current setting (replace host.domain.com as appropriate)...
zmprov gacf | grep zimbraMailPurgeSleepInterval
zmprov gs host.domain.com | grep zimbraMailPurgeSleepInterval
To set (I tend to set the interval so that all mailboxes get purged in a day)...
zmprov mcf zimbraMailPurgeSleepInterval 1h
To see purging activity see the mailbox logs, eg
grep 'purge' /opt/zimbra/log/mailbox.log
zgrep 'purge' /opt/zimbra/log/mailbox.log.2012-08-05.gz
Enable Spam BlockList
In order for you to be able to add a public blocklist it first needs to be known by SpamAssassin. SpamAssassin's config can be found in /opt/zimbra/conf/spamassassin/. To check for a particular DNS Blocklist, zen.spamhaus.org for example, use
grep zen.spamhaus.org /opt/zimbra/conf/spamassassin/20_dnsbl_tests.cf
- Login as the Zimbra user
su - zimbra
- Check existing restrictions
zmprov gacf | grep zimbraMtaRestriction
- Add new restriction (for example zen.spamhaus.org)
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
- Check restriction has been added
zmprov gacf | grep zimbraMtaRestriction
Hosts rejected by the blocklist will be listed in the "Daily mail report", for example...
message reject detail
---------------------
RCPT
blocked using zen.spamhaus.org (total: 5)
1 speakezy.com.au
1 v4.ngi.it
1 draw.datemail.us
1 born.seriesmail.us
1 wood.seriesmail.us
Enable DKIM
DKIM allows for the signing of certain fields of an email (for example the From: field, allowing the recipient to trust that the email is from whoever it purports to be and not from a spammer). This is achieved by adding a DKIM signature to an email, which can be cross referenced with a public key provided in DNS for the sending domain.
DKIM is not available in versions prior to Zimbra v8!
For more info on DKIM see...
For fuller, Zimbra specific instructions see...
To set-up
- Create the DKIM keys on your Zimbra server for your domain
- Log into your Zimbra server as the Zimbra user
- Run DKIM key utility
- EG
/opt/zimbra/libexec/zmdkimkeyutil -a -d domain.com
(replace domain.com with your domain)
- Add the public key generated into your DNS as a TXT (text) record (the field names will vary depending on your provider's DNS management interface)
- EG: Label/Name/Entry:
5E56FFDC-11F6-11E2-9862-DA8801AF17E6._domainkey
- EG: Data/Target:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3...<etc - your key will be longer!>
- Confirm the DNS entry is correct
- EG
dig -t txt 5E56FFDC-11F6-11E2-9862-DA8801AF17E6._domainkey.domain.com
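To check the TXT record that dig returns, the following added example (not from the original page or from Zimbra) joins the quoted chunks that dig prints for long records and checks the v=, k= and p= tags. The function names and the shortened sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): check a DKIM TXT record.
# DKIM_SAMPLE is constructed; its key is shortened and not a real key.
DKIM_SAMPLE='"v=DKIM1; k=rsa; " "p=MIGfMA0GCSqGSIb3DQEB" "AQUAA4GNADCBiQKBgQC7"'

# dig prints a long TXT record as several quoted chunks; join them with
# nothing in between and drop the outer quotes.
dkim_join_txt() {
    printf '%s\n' "$1" | sed -e 's/"[[:space:]]*"//g' -e 's/^"//' -e 's/"$//'
}

# Print the value of tag $2 (v, k, p ...) from record $1; status 1 if absent.
dkim_tag() {
    _rest=$(printf '%s' "$1" | tr -d ' \t\r\n')
    while [ -n "$_rest" ]; do
        _part=${_rest%%";"*}
        case $_rest in *";"*) _rest=${_rest#*";"} ;; *) _rest= ;; esac
        case $_part in "$2"=*) printf '%s' "${_part#*=}"; return 0 ;; esac
    done
    return 1
}

# Print "ok: ..." and return 0 for a usable record, else the reason and 1.
dkim_check_record() {
    _rec=$(dkim_join_txt "$1" | tr -d ' \t\r\n')
    # A tag whose name was lost in copy and paste, such as ";=rsa".
    case ";$_rec" in *";="*) echo "tag with no name"; return 1 ;; esac
    if _v=$(dkim_tag "$_rec" v) && [ "$_v" != DKIM1 ]; then
        echo "unexpected version: $_v"; return 1
    fi
    _k=$(dkim_tag "$_rec" k) || _k=rsa    # k= defaults to rsa (RFC 6376)
    [ "$_k" = rsa ] || { echo "unexpected key type: $_k"; return 1; }
    _p=$(dkim_tag "$_rec" p) || { echo "missing p= tag"; return 1; }
    # An empty p= means the key has been revoked (RFC 6376).
    [ -n "$_p" ] || { echo "empty p= (key revoked)"; return 1; }
    case $_p in
        *[!A-Za-z0-9+/=]*) echo "p= has non-base64 characters"; return 1 ;;
    esac
    echo "ok: ${#_p} base64 chars"
}

# Live use: dkim_check_record "$(dig +short -t txt SELECTOR._domainkey.domain.com)"
dkim_check_record "$DKIM_SAMPLE"
```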