Difference between revisions of "Zimbra Setups"
Jump to navigation
Jump to search
| Line 207: | Line 207: | ||
# On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate | # On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate | ||
# On CentOS $ chmod +x /etc/dhclient-enter-hooks | # On CentOS $ chmod +x /etc/dhclient-enter-hooks | ||
| + | </syntaxhighlight> | ||
| + | ==Sample Named.conf== | ||
| + | <syntaxhighlight lang="shell" line="1"> | ||
| + | options { | ||
| + | listen-on port 53 { 127.0.0.1; any;172.26.10.172;}; | ||
| + | listen-on-v6 port 53 { ::1; }; | ||
| + | directory "/var/named"; | ||
| + | dump-file "/var/named/data/cache_dump.db"; | ||
| + | statistics-file "/var/named/data/named_stats.txt"; | ||
| + | memstatistics-file "/var/named/data/named_mem_stats.txt"; | ||
| + | recursing-file "/var/named/data/named.recursing"; | ||
| + | secroots-file "/var/named/data/named.secroots"; | ||
| + | allow-query { localhost; any; 127.0.0.1; 172.26.10.172;}; | ||
| + | |||
| + | forwarders { | ||
| + | 8.8.8.8; | ||
| + | 8.8.4.4; | ||
| + | 172.26.0.2; | ||
| + | }; | ||
| + | |||
| + | /* | ||
| + | - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. | ||
| + | - If you are building a RECURSIVE (caching) DNS server, you need to enable | ||
| + | recursion. | ||
| + | - If your recursive DNS server has a public IP address, you MUST enable access | ||
| + | control to limit queries to your legitimate users. Failing to do so will | ||
| + | cause your server to become part of large scale DNS amplification | ||
| + | attacks. Implementing BCP38 within your network would greatly | ||
| + | reduce such attack surface | ||
| + | */ | ||
| + | recursion yes; | ||
| + | |||
| + | dnssec-enable yes; | ||
| + | dnssec-validation auto; | ||
| + | |||
| + | /* Path to ISC DLV key */ | ||
| + | bindkeys-file "/etc/named.root.key"; | ||
| + | |||
| + | managed-keys-directory "/var/named/dynamic"; | ||
| + | |||
| + | pid-file "/run/named/named.pid"; | ||
| + | session-keyfile "/run/named/session.key"; | ||
| + | }; | ||
| + | |||
| + | logging { | ||
| + | channel default_debug { | ||
| + | file "data/named.run"; | ||
| + | severity dynamic; | ||
| + | }; | ||
| + | }; | ||
| + | |||
| + | zone "rhomicom.com" IN { | ||
| + | type master; | ||
| + | file "rhomicom.com.zone"; | ||
| + | allow-update { none; }; | ||
| + | }; | ||
| + | |||
| + | zone "." IN { | ||
| + | type hint; | ||
| + | file "named.ca"; | ||
| + | }; | ||
| + | |||
| + | include "/etc/named.rfc1912.zones"; | ||
| + | include "/etc/named.root.key"; | ||
| + | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 13:54, 30 August 2021
adduser rhouser
passwd rhouser
yum update -y ; reboot
yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y
yum install psmisc
#Install and configure firewall-cmd
hostnamectl set-hostname "mail.rhomicom.com"
exec bash
# nano /etc/hosts
# 192.168.0.108 mail.rhomicom.com mail
echo 'mail.rhomicom.com' > /etc/hostname
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
hostname mail.rhomicom.com
hostname --fqdn
# Do all DNS settings and MX records on Domain Registrar's DNS
dig -t A mail.rhomicom.com
dig -t MX rhomicom.com
#Install Let'sencrypt CentOS7
yum install epel-release
yum install certbot
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz --no-check-certificate
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
./install.sh
#Answer Y to all options
# Answer Yes to Create Domain
# enter domain rhomicom.com
# enter MX mail.rhomicom.com
# Unconfigured Modules, Choose 7
# Choose 4 to set admin password
# choose r to go back
# choose a to apply all settings
# Wait for system to complete configuration and login
su - zimbra -c "zmcontrol start"
su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol status"
su - zimbra -c "zmcontrol restart"Uninstall
cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617 zcs-8.8.10_GA_3039.RHEL7_64.20180928094617]# ./install.sh -u
Move from Old to New Server
# On Old Server tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/ # On New Server # Install Same version of ZCS rsync -avH [email protected]:/home/rhouser/*.t*z --progress --human-readable /home/rhouser tar -xzvf zimbkp29Aug2021-17-39.tar.gz mv /opt/zimbra /home mv opt/zimbra /opt /opt/zimbra/libexec/zmfixperms -e -v # as root postfix check #temporarily switch to self-signed cert to avoid some SSL/TLS errors /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650 /opt/zimbra/bin/zmcertmgr deploycrt self # Alternatively you may disable TLS Connections temporarily su - zimbra zmlocalconfig -e ssl_allow_untrusted_certs=true zmlocalconfig -e ldap_starttls_supported=0 zmlocalconfig -e ldap_starttls_required=false zmlocalconfig -e ldap_common_require_tls=0 zmcontrol restart #Validate LDAP Configuration su - zimbra zmcontrol stop zmlocalconfig -s ldap_root_password /opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd #sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 cd /opt/zimbra/data/ldap/config/cn=config vi olcDatabase={0}config.ldif #CHange olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1 # to olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 zmcontrol start # or reboot PC # and re-run zcs install ./install.sh # Enable TLS Connections after install if they were disabled su - zimbra zmlocalconfig -e ssl_allow_untrusted_certs=true zmlocalconfig -e ldap_starttls_supported=1 zmlocalconfig -e ldap_starttls_required=true zmlocalconfig -e ldap_common_require_tls=1 zmcontrol restart
Install Letsencrypt Cert Zimbra
sudo certbot --version
sudo su - zimbra -c "zmproxyctl stop"
sudo su - zimbra -c "zmmailboxdctl stop"
export EMAIL="[email protected]"
certbot certonly --standalone -d mail.rhomicom.com --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
ls -lh /etc/letsencrypt/live/mail.rhomicom.com/
sudo mkdir /opt/zimbra/ssl/letsencrypt #NOT NEEDED IN RENEWAL
CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
ls /opt/zimbra/ssl/letsencrypt/
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
#ADD THE LETSENCRYPT CERT
sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
ls -lha /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /etc/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt
ls -halt
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem
ls -halt
cat cert.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%.m%.d-%H.%M")
sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
sudo su - zimbra -c "zmcontrol restart"SSH Errors on Zimbra Monitor Message Queue
#Regenerating Keys
#To regenerate the ssh keys, on all hosts (as the zimbra user):
zmsshkeygen
#To deploy the keys, on all hosts (as the zimbra user):
zmupdateauthkeys
#Verifying sshd configuration
#The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no [email protected]
#You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
#If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
#Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
#AllowUsers admin zimbraOther Zimbra Know-hows
#Redirect http to https su - zimbra zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect zmproxyctl restart su - zimbra -c "postqueue -p"
Zimbra Network Settings
systemctl enable --now named
vi /etc/sysconfig/network-scripts/ifcfg-eth0
yum install bind bind-utils -y
ip a show eth0
nano /etc/resolv.conf
chattr +i /etc/resolv.conf ## reverse this using -> chattr -i /etc/resolv.conf
sudo systemctl restart NetworkManager.service
/etc/init.d/network restart
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
sudo vim /etc/NetworkManager/NetworkManager.conf
# [main]
dnz=none
nmcli connection modify "System eth0" ipv4.dns 127.0.0.1
nmcli connection down "System eth0"; nmcli connection up "System eth0"
# On Debian $ vi /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
# On CentOS $ vi /etc/dhclient-enter-hooks
Append following code:
#!/bin/sh
make_resolv_conf(){
:
}
Save and close the file. Set permissions using the chmod command:
# On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
# On CentOS $ chmod +x /etc/dhclient-enter-hooksSample Named.conf
options {
listen-on port 53 { 127.0.0.1; any;172.26.10.172;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; any; 127.0.0.1; 172.26.10.172;};
forwarders {
8.8.8.8;
8.8.4.4;
172.26.0.2;
};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "rhomicom.com" IN {
type master;
file "rhomicom.com.zone";
allow-update { none; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";