Procedures (Zimbra)

Basic Manual Mackup

Useful just before you perform an upgrade or some other potentially disastrous change (be aware that if your server is still accessible to users or can receive incoming email from the internet, any interim changes will be lost if you roll back)

1. SU to Zimbra admin
   • su - zimbra
2. Stop Zimbra services
   • zmcontrol stop
3. Exit Zimbra user and create copy of directory
   • EG cp -rp /opt/zimbra /home/simons/zimbra_backup_20100301
4. Once completed, go back to zimbra user and start
   • su - zimbra
   • zmcontrol start

Full Scripted Backup

• For more info see - http://www.zimbra.com/forums/administrators/15275-solved-yet-another-backup-script-community-version.html
  • Script is downloadable from - http://www.osoffice.de/downloads/viewcategory-7.html
  • Or see my modified version at Zimbra FOSS Full Backup

This method performs a full (offline) backup of your whole Zimbra installation, an user data only online backup can also be achieved, see Zimbra FOSS User Backup

1. Check the size of the /opt/zimbra dir, this will be replicated to a sync directory, from which the actual backup is taken, and check available free space
   • du -hs /opt/zimbra
   • df -h
2. Un-gzip and upload the config file to somewhere convenient
3. Edit required config params at start of script
4. Run the script to install (as root), allow creation of required folders and install of required utils
   • ./zmbak_v.0.8.sh --INSTALL
5. Perform a first full run to check everything works alight and to create the first full backup
   • ./zmbak_v.0.8.sh -f

To restore, see http://www.zimbra.com/forums/administrators/15275-solved-yet-another-backup-script-community-version-24.html

I've modified the above script, to suit my own purposes. I've added an FTP option so that completed backup's are copied off to a remote FTP server (the copy isn't encrypted so should only be used within a private/secure network - Zimbra FOSS Full Backup

Upgrade

• See also: Upgrade Zimbra FOSS v7 to v8

Get the appropriate version from http://www.zimbra.com/downloads/os-downloads.html

Use the same package to upgrade the software as used for a brand new install (there is no separate upgrade package). The important part of any upgrade IS NOT how to get your system upgraded, it IS how you're going to recover if it all goes horribly wrong.

1. Isolate the server from the internet (so new mails can't received following the pre-upgrade backup)
2. Stop the mail server running
   • su - zimbra
   • zmcontrol stop
3. Backup the server 1st
   • If hosted on an ESX, probably most easily achieved by starting a snapshot (remember to delete the snapshot after a few days if no probs are encountered)
   • Also copy off any existing local backup (so that a new full backup can be started following the upgrade)
4. Copy the install to the server
   • EG pscp zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz simons@mail:zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
5. Uncompress the package
   • tar -xzf zcs-6.0.6_GA_2324.UBUNTU8.20100406144520.tgz
6. Start the upgrade using the install script
   • ./install.sh
7. The script should detect an existing installation and upgrade it, do not install additional components, but do confirm the upgrade.
8. Once completed, test thoroughly
9. Perform a full local backup
10. Reconnect to network

Patch

Sometimes patch packages are supplied for minor upgrades between specific versions. Take the same backup precautions as for a normal upgrade. The actual application of the patch varies slightly from an upgrade...

1. Copy the patch package to the server
   • EG pscp zcs-patch-6.0.6_GA_2332.tgz simons@mail:zcs-patch-6.0.6_GA_2332.tgz
2. Uncompress the package
   • tar -xzf zcs-patch-6.0.6_GA_2332.tgz
3. Start the patch upgrade using the install script
   • ./installPatch.sh
4. Restart the software to apply changes
   • su - zimbra
   • zmcontrol stop
   • zmcontrol start

Install Commercial Certificate

1. Create a Certificate Signing Request (CSR) - can be done via the GUI admin console, but doesn't always work properly
   1. Logged into the server as root...
   2. Generate CSR, EG /opt/zimbra/bin/zmcertmgr createcsr comm -new -keysize 2048 -subject "/C=GB/L=London/O=SandfordIT Limited/CN=mail.sandfordit.com"
      • /C - Country
      • /ST - Region / county (optional)
      • /L - City
      • /O - Organisation / company name
      • /OU - Department (optional)
      • /CN - Server FQDN
2. Display and copy CSR key
   • more /opt/zimbra/ssl/zimbra/commercial/commercial.csr
3. Upload CSR to certificate authority
4. Install received certificates via GUI and restart server

If you are unable to install the new certificates via the admin console, then do the following

1. Copy the CA and server certificates onto the server (to a temp location)
   • If you have CA and one or more intermeadiary certificates, these need to be concatenated so that you have one CA cert, and one server cert
     • EG cat /tmp/ca.crt /tmp/ca_inter1.crt /tmp/ca_inter2.crt > /tmp/ca_chain.crt
2. Verify the server certificate
   • EG /opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/server.crt /tmp/ca_chain.crt
3. Deploy the server certificate
   • EG /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/server.crt /tmp/ca_chain.crt
4. Restart the server

For more info see http://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools#zmcertmgr

Migrate Commercial Certificate To New Server

This is essentially an updated version of the old procedure that can be found here - http://wiki.zimbra.com/wiki/Transfer_SSL_certificates_between_servers for ZCS v7.

1. On your old server make a copy of the SSL folder
   • EG cp -r /opt/zimbra/ssl /home/user/sslbk
2. Delete any back folders from within your copy so that only a zimbra folder exists
   • EG rm -rf /home/user/sslbk/zimbra.*
3. Compress the folder into a file
   • EG tar cvzf sslbk.tgz /sslbk/
4. Copy the file to your new server
   • EG pscp user@oldmail.domain.com:/home/user/sslbk.tgz c:\temp\sslbk.tgz
   • EG pscp c:\temp\sslbk.tgz user@newmail.domain.com:/home/user/
5. Backup the SSL folder
   • mv /opt/zimbra/ssl/ /opt/zimbra/ssl_old
6. Uncompress file copied from old server
   • tar -xvf /home/user/sslbk.tgz
7. Copy the folder into place and rename
   • cp -r sslbk/ /opt/zimbra/ssl
   • mv /opt/zimbra/sslbk/ /opt/zimbra/ssl
8. Deploy the certificate
   • EG /opt/zimbra/bin/zmcertmgr deploycrt comm /home/user/sslbk/zimbra/commercial/commercial.crt /home/user/sslbk/zimbra/commercial/commercial_ca.crt
9. Restart Zimbra
   • su - zimbra
   • zmcontrol restart
10. If services don't start properly, force java to accept your certificate
    • EG /opt/zimbra/java/bin/keytool -import -alias new -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit -file /sslbk/zimbra/commercial/commercial.crt

This is based on the article found here - http://wiki.zimbra.com/wiki/ZmSetServerName. I've used this procedure for Zimbra v7 FOSS installations on Ubuntu 8 32-bit and 10 64-bit (LTS).

This procedure requires downtime, and because zimbra services need to be up to complete the change, if you can stop new mail being received by the server (by disabling through a firewall for example) do so. If you have to fall back to your backup, any mail received during the backup will be lost.

1. Ensure that new DNS records are already set-up and working.
   • EG dig domain.com mx
2. Create a backup of your entire installation (if running as a VMware VM, take a snapshot as well)
   1. Stop Zimbra (as zimbra user)
      • zmcontrol stop
   2. Create copy (as root)
      • mkdir /backup/opt
      • mkdir /backup/opt/zimbra
      • cp -r /opt/zimbra/ /backup/opt/zimbra/
   3. Start Zimbra (as zimbra user)
      • zmcontrol start
3. Perform rename to Zimbra installation
   • EG /opt/zimbra/libexec/zmsetservername -n mailsvr.domain.com
4. Perform rename to operating system
   1. Update the following files
      • /etc/hosts
      • /etc/hostname
   2. Set the hostname (not FQDN)
      • hostname <servername>
5. Reboot the server
   • shutdown -r now

Once your server is back up, run through the following to check everything is in working order...

1. zmcontrol status
2. zmprov gacf | grep oldhostname
3. zmprov gs `zmhostname` | grep oldhostname
4. zmlocalconfig | grep oldhostname
5. Plus I'd tail the /var/log/zombra.log while sending and receiving a few test emails to make sure everything is running sweetly.

Any probs, refer to the Zimbra doc at the start of this for things to investigate.

Install Zimlet

Zimlets only work when accessing via the web client, they are not usable from the full-fat Zimbra desktop client.

1. Copy the Zimlet to the server
   • EG pscp com_zimbra_tasksreminder.zip simons@mail:com_zimbra_tasksreminder.zip
2. Move the file to the /opt/zimbra/zimlets directory
3. Deploy the Zimlet
   • EG zmzimletctl deploy com_zimbra_tasksreminder.zip

Signature Length Increase

The maximum length of an email signature is limited to 10240 by default, to increase...

1. Update appropriate CoS/user pref...
   1. In server admin console
   2. Either update the
      1. User
         • Addresses > Accounts > <user>
      2. Or CoS
         • Configuration > Class of Service > <CoS>
   3. Go to Preferences > Mail Options > Composing mail
   4. Change Maximum length of mail signature value (eg 20480)
2. Update Zimbra Desktop
   1. Delete, then re-add the account and allow to resync fully

Maximum Message Sizes

To see the current max IMAP request size...

• zmlocalconfig | grep -i imap_max_request_size

To increase the size, to say 20MB...

• zmlocalconfig -e imap_max_request_size=20480

Its also worth being aware of the following settings, which are altered through the admin console...

• In Global Settings | General Information...
  • Maximum size of an uploaded file for Briefcase, Email messages, Calendar appointments and Tasks (KB)
    • zimbraFileUploadMaxSize
• In Global Settings | MTA...
  • Maximum message size (KB)
    • zimbraMtaMaxMessageSize

And there's also an additional setting, zimbraMailContentMaxSize, which also appears to affect the maximum size of attachments. To see what you're set to currently use...

• zmprov getConfig zimbraMailContentMaxSize

and so update to say 20 MB, use...

• zmprov modifyConfig zimbraMailContentMaxSize 20480000

Mailbox Purge Interval

Mailbox purging carries on continuously in the background. The process pauses/sleeps between each mailbox by a user defined interval (default is 1 minute). What's purged is defined in the Class of Service (COS) for a particular mailbox - see the Email Retention Policy on the Advanced tab in the admin console (it can be overridden for individual mailboxes in the Advanced tab of the account config).

To check the current setting (replace host.domain.com as appropriate)...

zmprov gacf | grep zimbraMailPurgeSleepInterval
zmprov gs host.domain.com | grep zimbraMailPurgeSleepInterval

To set (I tend to set the interval so that all mailboxes get purged in a day)...

zmprov mcf zimbraMailPurgeSleepInterval 1h

To see purging activity see the mailbox logs, eg

grep 'purge' /opt/zimbra/log/mailbox.log
zgrep 'purge' /opt/zimbra/log/mailbox.log.2012-08-05.gz

Enable Spam BlockList

In order for you to be able to add a public blocklist it first needs known by SpamAssassin. SpamAssassin's config can be found in /opt/zimbra/conf/spamassassin/, to check for a particular DNS Blocklist, zen.spamhaus.org for example, use

• grep zen.spamhaus.org /opt/zimbra/conf/spamassassin/20_dnsbl_tests.cf

1. Login as the Zimbra user
   • su - zimbra
2. Check existing restrictions
   • zmprov gacf | grep zimbraMtaRestriction
3. Add new restriction (for example zen.spamhaus.org)
   • zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
4. Check restriction has been added
   • zmprov gacf | grep zimbraMtaRestriction

Hosts rejected by the blocklist will be listed in the "Daily mail report", for example...

message reject detail
---------------------
  RCPT
    blocked using zen.spamhaus.org (total: 5)
           1   speakezy.com.au
           1   v4.ngi.it
           1   draw.datemail.us
           1   born.seriesmail.us
           1   wood.seriesmail.us

Enable DKIM

DKIM allows for the signing of certain fields of an email (for example the From: field, allowing the recipient to trust that the email is from whoever it purports to be and not from a spammer). This is achieved by adding a DKIM signature to an email, which can be cross referenced with a public key provided in DNS for the sending domain.

DKIM is not available in versions prior to Zimbra v8 !

For more info on DKIM see...

• http://www.dkim.org/
• http://www.wikipedia.org/wiki/DomainKeys_Identified_Mail

For fuller, Zimbra specfifc instructions see...

• http://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing

To set-up

1. Create the DKIM keys on your Zimbra server for your domain
   1. Log into your Zimbra server as the Zimbra user
   2. Run DKIM key utility
      • EG /opt/zimbra/libexec/zmdkimkeyutil -a -d domain.com (replace domain.com with your domain)
2. Add the public key generated into your DNS as a TXT (text) record (the field names will be vary dependant on your provider's DNS managment interface)
   • EG: Label/Name/Entry: 5E56FFDC-11F6-11E2-9862-DA8801AF17E6._domainkey
   • EG: Data/Target: v=DKIM1;=rsa; p=MIGfMA0GCSqGSIb3...<etc - your key will be longer!>
3. Confirm the DNS entry is correct
   • EG dig -t txt 5E56FFDC-11F6-11E2-9862-DA8801AF17E6._domainkey.domain.com