Difference between revisions of "Zimbra Setups"

From Rhomicom Wiki
Jump to navigation Jump to search
 
(54 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
<syntaxhighlight lang="shell" line="1">
 
<syntaxhighlight lang="shell" line="1">
 +
adduser rhouser
 +
passwd rhouser
 +
 
  yum update -y ; reboot
 
  yum update -y ; reboot
 
  yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y  
 
  yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y  
 +
yum install psmisc
 +
#Install and configure firewall-cmd
 
  hostnamectl set-hostname "mail.rhomicom.com"
 
  hostnamectl set-hostname "mail.rhomicom.com"
 
  exec bash
 
  exec bash
nano /etc/hosts
+
# nano /etc/hosts
 
# 192.168.0.108 mail.rhomicom.com mail
 
# 192.168.0.108 mail.rhomicom.com mail
  
 +
echo 'mail.rhomicom.com' > /etc/hostname
 +
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
 +
hostname mail.rhomicom.com
 +
hostname --fqdn
 +
 +
# Do all DNS settings and MX records on Domain Registrar's DNS
 
dig -t A mail.rhomicom.com
 
dig -t A mail.rhomicom.com
 
dig -t MX rhomicom.com
 
dig -t MX rhomicom.com
 +
 +
#Install Let'sencrypt CentOS7
 +
yum install epel-release
 +
yum install certbot
 +
 
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz --no-check-certificate
 
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz --no-check-certificate
 +
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
 +
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
 +
 +
systemctl stop postfix
 +
systemctl disable postfix
 +
yum remove postfix
 +
 +
./install.sh
 +
#Answer Y to all options
 +
# Answer Yes to Create Domain
 +
# enter domain rhomicom.com
 +
# enter MX mail.rhomicom.com
 +
# Unconfigured Modules, Choose 7
 +
# Choose 4 to set admin password
 +
# choose r to go back
 +
# choose a to apply all settings
 +
# Wait for system to complete configuration and login
 +
su - zimbra -c "zmcontrol start"
 +
su - zimbra -c "zmcontrol stop"
 +
su - zimbra -c "zmcontrol status"
 +
su - zimbra -c "zmcontrol restart"
 +
 +
</syntaxhighlight>
 +
==Uninstall==
 +
  cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
 +
  zcs-8.8.10_GA_3039.RHEL7_64.20180928094617]# ./install.sh -u
 +
==Move from Old to New Server==
 +
  # On Old Server
 +
  tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/
 +
  # On New Server
 +
  # Install Same version of ZCS
 +
  rsync -avH [[/cdn-cgi/l/email-protection|[email protected]]]:/home/rhouser/*.t*z --progress --human-readable /home/rhouser
 +
  tar -xzvf zimbkp29Aug2021-17-39.tar.gz
 +
  mv /opt/zimbra /home
 +
  mv opt/zimbra /opt
 +
  /opt/zimbra/libexec/zmfixperms -e -v  # as root
 +
  postfix check
 +
  #temporarily switch to self-signed cert to avoid some SSL/TLS errors
 +
  /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
 +
  /opt/zimbra/bin/zmcertmgr deploycrt self
 +
  # Alternatively you may disable TLS Connections temporarily
 +
  su - zimbra
 +
  zmlocalconfig -e ssl_allow_untrusted_certs=true
 +
  zmlocalconfig -e ldap_starttls_supported=0
 +
  zmlocalconfig -e ldap_starttls_required=false
 +
  zmlocalconfig -e ldap_common_require_tls=0
 +
  zmcontrol restart
 +
  #Validate LDAP Configuration
 +
  su - zimbra
 +
  zmcontrol stop
 +
  zmlocalconfig -s ldap_root_password
 +
  /opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd
 +
  #sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
 +
  cd /opt/zimbra/data/ldap/config/cn=config
 +
  vi olcDatabase={0}config.ldif
 +
  #CHange olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1
 +
  # to  olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
 +
  zmcontrol start
 +
  https://wiki.zimbra.com/wiki/Zimbra_services_asking_for_password_-_sudoers_issue
 +
 +
  # or reboot PC
 +
  # and re-run zcs install
 +
  ./install.sh
 +
  /opt/zimbra/libexec/zmsetup.pl # to redo configurations
 +
# Enable TLS Connections after install if they were disabled
 +
su - zimbra
 +
zmlocalconfig -e ssl_allow_untrusted_certs=true
 +
zmlocalconfig -e ldap_starttls_supported=1
 +
zmlocalconfig -e ldap_starttls_required=true
 +
zmlocalconfig -e ldap_common_require_tls=1
 +
zmcontrol restart
 +
 +
==Install Letsencrypt Cert Zimbra ==
 +
<syntaxhighlight lang="shell" line start="1">
 +
sudo certbot --version
 +
sudo su - zimbra -c "zmproxyctl stop"
 +
sudo su - zimbra -c "zmmailboxdctl stop"
 +
export EMAIL="[email protected]"
 +
sudo certbot delete #DELETE EXISTING CERT IF DOING RENEWAL
 +
sudo certbot delete --cert-name mail.rhomicom.com #DELETE SPECIFIC CERT IF DOING RENEWAL
 +
certbot certonly --standalone  -d mail.rhomicom.com  --preferred-challenges http  --agree-tos  -n  -m $EMAIL  --keep-until-expiring
 +
ls -lh /etc/letsencrypt/live/mail.rhomicom.com/
 +
 +
sudo mkdir /opt/zimbra/ssl/letsencrypt  #NOT NEEDED IN RENEWAL
 +
 +
CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
 +
sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
 +
ls /opt/zimbra/ssl/letsencrypt/
 +
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
 +
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
 +
 +
#ADD THE LETSENCRYPT CERT
 +
sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF
 +
-----BEGIN CERTIFICATE-----
 +
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
 +
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
 +
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
 +
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
 +
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
 +
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
 +
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
 +
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
 +
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
 +
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
 +
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
 +
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
 +
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
 +
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
 +
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
 +
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
 +
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
 +
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
 +
-----END CERTIFICATE-----
 +
EOF
 +
 +
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
 +
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
 +
ls -lha /opt/zimbra/ssl/letsencrypt/
 +
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
 +
sudo chown -R zimbra:zimbra /etc/letsencrypt/
 +
cd /opt/zimbra/ssl/letsencrypt
 +
ls -halt
 +
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem
 +
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem
 +
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem
 +
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem
 +
ls -halt
 +
cat cert.pem
 +
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
 +
#sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
 +
#sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%.m%.d-%H.%M")
 +
#sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
#sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
#sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
 +
 +
## NEW METHOD ##
 +
cp /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
 +
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
 +
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem --no-check-certificate
 +
cat /tmp/R3.pem > /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem
 +
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem
 +
 +
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem'
 +
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem'
 +
 +
sudo su - zimbra -c "zmcontrol restart"
 +
</syntaxhighlight>
 +
 +
==SSH Errors on Zimbra Monitor Message Queue==
 +
<syntaxhighlight lang="shell" line="1">
 +
#Regenerating Keys
 +
#To regenerate the ssh keys, on all hosts (as the zimbra user):
 +
zmsshkeygen
 +
#To deploy the keys, on all hosts (as the zimbra user):
 +
zmupdateauthkeys
 +
#Verifying sshd configuration
 +
#The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
 +
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no [email protected]
 +
#You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
 +
#If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
 +
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
 +
#Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
 +
#AllowUsers admin zimbra
 +
</syntaxhighlight>
 +
==Other Zimbra Know-hows==
 +
<syntaxhighlight lang="shell" line="1">
 +
  #Redirect http to https
 +
  su - zimbra
 +
  zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
 +
  zmproxyctl restart
 +
 +
  su zimbra
 +
  zmprov ms mail.rhomicom.lan zimbraMailMode redirect
 +
  zmprov ms mail.rhomicom.lan zimbraReverseProxyMailMode redirect\
 +
  su - zimbra -c "postqueue -p"
 +
  su - zimbra -c "/opt/zimbra/postfix/sbin/postqueue -f"
 +
#Disable dnscache
 +
# zmcontrol status
 +
# zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
 +
# zmprov ms `zmhostname` -zimbraServiceInstalled dnscache
 +
# zmcontrol status
 +
 +
postconf -e smtp_sasl_security_options=noanonymous
 +
zmprov ms mail.rhomicom.com zimbraMtaSmtpSaslSecurityOptions noanonymous
 +
 +
postconf -e 'smtpd_recipient_limit = 60'
 +
postconf -e 'smtpd_recipient_overshoot_limit = 100'
 +
postfix reload
 +
zmprov modifyConfig zimbraFileUploadMaxSize 25600000
 +
zmprov modifyConfig zimbraMailContentMaxSize 25600000
 +
zmprov modifyConfig zimbraMtaMaxMessageSize 25600000
 +
postfix reload
 +
 +
zmprov mcf zimbraMtaMaxMessageSize 52428800
 +
zmprov mcf zimbraFileUploadMaxSize 52428800
 +
zmprov mcf zimbraMailContentMaxSize 104857600
 +
postfix reload
 +
 +
postconf | grep smtpd_recipient_limit
 +
postconf | grep smtpd_recipient_overshoot_limit
 +
 +
/opt/zimbra/libexec/zmfixperms
 +
/opt/zimbra/libexec/zmfixperms --verbose --extended
 +
 +
zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
 +
zmprov mcf zimbraMtaLmtpHostLookup native
 +
zmmtactl restart
 +
 +
</syntaxhighlight>
 +
==Zimbra Network Settings==
 +
<syntaxhighlight lang="shell" line="1">
 +
  systemctl enable --now named
 +
  vi /etc/sysconfig/network-scripts/ifcfg-eth0
 +
  yum install bind bind-utils -y
 +
  ip a show eth0
 +
  nano /etc/resolv.conf
 +
  chattr +i /etc/resolv.conf
 +
  ## reverse this using $ chattr -i /etc/resolv.conf
 +
  sudo systemctl restart NetworkManager.service
 +
  /etc/init.d/network restart
 +
  firewall-cmd --add-service=dns --permanent
 +
  firewall-cmd --reload
 +
 +
 +
  sudo vim /etc/NetworkManager/NetworkManager.conf
 +
  # [main]
 +
  dnz=none
 +
  nmcli connection modify "System eth0" ipv4.dns 127.0.0.1
 +
  nmcli connection down "System eth0"; nmcli connection up "System eth0"
 +
  # On Debian $ vi /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
 +
  # On CentOS $ vi /etc/dhclient-enter-hooks
 +
 +
  Append following code:
 +
 +
  #!/bin/sh
 +
  make_resolv_conf(){
 +
:
 +
  }
 +
  Save and close the file. Set permissions using the chmod command:
 +
  # On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
 +
  # On CentOS $ chmod +x /etc/dhclient-enter-hooks
 +
</syntaxhighlight>
 +
==Sample Named.conf==
 +
<syntaxhighlight lang="shell" line="1">
 +
options {
 +
        listen-on port 53 { 127.0.0.1; any;172.26.1.3;};
 +
        listen-on-v6 port 53 { ::1; };
 +
        directory      "/var/named";
 +
        dump-file      "/var/named/data/cache_dump.db";
 +
        statistics-file "/var/named/data/named_stats.txt";
 +
        memstatistics-file "/var/named/data/named_mem_stats.txt";
 +
        recursing-file  "/var/named/data/named.recursing";
 +
        secroots-file  "/var/named/data/named.secroots";
 +
        allow-query    { localhost; any; 127.0.0.1; 172.26.1.3;};
 +
 +
        forwarders {
 +
                8.8.8.8;
 +
                8.8.4.4;
 +
                172.26.15.6;
 +
        };
 +
 +
        /*
 +
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 +
        - If you are building a RECURSIVE (caching) DNS server, you need to enable
 +
          recursion.
 +
        - If your recursive DNS server has a public IP address, you MUST enable access
 +
          control to limit queries to your legitimate users. Failing to do so will
 +
          cause your server to become part of large scale DNS amplification
 +
          attacks. Implementing BCP38 within your network would greatly
 +
          reduce such attack surface
 +
        */
 +
        recursion yes;
 +
 +
        dnssec-enable yes;
 +
        dnssec-validation auto;
 +
 +
        /* Path to ISC DLV key */
 +
        bindkeys-file "/etc/named.root.key";
 +
 +
        managed-keys-directory "/var/named/dynamic";
 +
 +
        pid-file "/run/named/named.pid";
 +
        session-keyfile "/run/named/session.key";
 +
};
 +
 +
logging {
 +
        channel default_debug {
 +
                file "data/named.run";
 +
                severity dynamic;
 +
        };
 +
};
 +
 +
zone "rhomicom.com" IN {
 +
                type master;
 +
                file "rhomicom.com.zone";
 +
                allow-update { none; };
 +
        };
 +
 +
zone "." IN {
 +
        type hint;
 +
        file "named.ca";
 +
};
 +
 +
include "/etc/named.rfc1912.zones";
 +
include "/etc/named.root.key";
 +
 +
</syntaxhighlight>
 +
== nano /var/named/rhomicom.com.zone==
 +
<syntaxhighlight lang="shell" line="1">
 +
$TTL    604800
 +
@      IN      SOA    mail.rhomicom.com. admin.rhomicom.com.        (
 +
030512  ; Serial
 +
604800  ; Refresh
 +
86400  ; Retry
 +
2419200 ; Expire
 +
604800 ); Minimum TTL
 +
;
 +
@                IN      NS              mail
 +
IN                MX      0                mail
 +
IN                A                        127.0.0.1
 +
mail              IN      A                127.0.0.1
  
 
</syntaxhighlight>
 
</syntaxhighlight>

Latest revision as of 00:22, 3 September 2023

 adduser rhouser
 passwd rhouser
 
 yum update -y ; reboot
 yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y 
 yum install psmisc 
 #Install and configure firewall-cmd
 hostnamectl set-hostname "mail.rhomicom.com"
 exec bash
# nano /etc/hosts
# 192.168.0.108 mail.rhomicom.com mail

echo 'mail.rhomicom.com' > /etc/hostname
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
hostname mail.rhomicom.com
hostname --fqdn

# Do all DNS settings and MX records on Domain Registrar's DNS
dig -t A mail.rhomicom.com
dig -t MX rhomicom.com

#Install Let'sencrypt CentOS7
yum install epel-release
yum install certbot

wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz --no-check-certificate
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617

systemctl stop postfix
systemctl disable postfix
yum remove postfix

./install.sh
#Answer Y to all options
# Answer Yes to Create Domain 
# enter domain rhomicom.com
# enter MX mail.rhomicom.com
# Unconfigured Modules, Choose 7
# Choose 4 to set admin password
# choose r to go back
# choose a to apply all settings
# Wait for system to complete configuration and login
su - zimbra -c "zmcontrol start"
su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol status"
su - zimbra -c "zmcontrol restart"

Uninstall

 cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
 zcs-8.8.10_GA_3039.RHEL7_64.20180928094617]# ./install.sh -u

Move from Old to New Server

 # On Old Server
 tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/
 # On New Server
 # Install Same version of ZCS
 rsync -avH [email protected]:/home/rhouser/*.t*z --progress --human-readable /home/rhouser
 tar -xzvf zimbkp29Aug2021-17-39.tar.gz
 mv /opt/zimbra /home
 mv opt/zimbra /opt
 /opt/zimbra/libexec/zmfixperms -e -v  # as root
 postfix check
 #temporarily switch to self-signed cert to avoid some SSL/TLS errors
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
 /opt/zimbra/bin/zmcertmgr deploycrt self
 # Alternatively you may disable TLS Connections temporarily
 su - zimbra 
 zmlocalconfig -e ssl_allow_untrusted_certs=true 
 zmlocalconfig -e ldap_starttls_supported=0
 zmlocalconfig -e ldap_starttls_required=false
 zmlocalconfig -e ldap_common_require_tls=0
 zmcontrol restart
 #Validate LDAP Configuration
  su - zimbra
  zmcontrol stop
  zmlocalconfig -s ldap_root_password
  /opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd
  #sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
  cd /opt/zimbra/data/ldap/config/cn=config
  vi olcDatabase={0}config.ldif
  #CHange olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1
  # to  olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
  zmcontrol start
  https://wiki.zimbra.com/wiki/Zimbra_services_asking_for_password_-_sudoers_issue
  # or reboot PC
  # and re-run zcs install
  ./install.sh
  /opt/zimbra/libexec/zmsetup.pl # to redo configurations
# Enable TLS Connections after install if they were disabled
su - zimbra 
zmlocalconfig -e ssl_allow_untrusted_certs=true 
zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_common_require_tls=1
zmcontrol restart

Install Letsencrypt Cert Zimbra

sudo certbot --version
sudo su - zimbra -c "zmproxyctl stop"
sudo su - zimbra -c "zmmailboxdctl stop"
export EMAIL="[email protected]"
sudo certbot delete #DELETE EXISTING CERT IF DOING RENEWAL
sudo certbot delete --cert-name mail.rhomicom.com #DELETE SPECIFIC CERT IF DOING RENEWAL
certbot certonly --standalone   -d mail.rhomicom.com   --preferred-challenges http   --agree-tos   -n   -m $EMAIL   --keep-until-expiring
ls -lh /etc/letsencrypt/live/mail.rhomicom.com/

sudo mkdir /opt/zimbra/ssl/letsencrypt  #NOT NEEDED IN RENEWAL

CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
ls /opt/zimbra/ssl/letsencrypt/
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem

#ADD THE LETSENCRYPT CERT
sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF

cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
ls -lha /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /etc/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt
ls -halt
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem
ls -halt
cat cert.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
#sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
#sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%.m%.d-%H.%M")
#sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
#sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
#sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'

## NEW METHOD ##
cp /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem --no-check-certificate
cat /tmp/R3.pem > /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem

sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem'
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem'

sudo su - zimbra -c "zmcontrol restart"

SSH Errors on Zimbra Monitor Message Queue

#Regenerating Keys
#To regenerate the ssh keys, on all hosts (as the zimbra user):
 zmsshkeygen
#To deploy the keys, on all hosts (as the zimbra user):
 zmupdateauthkeys
#Verifying sshd configuration
#The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
 ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no [email protected]
#You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
#If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
#Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
#AllowUsers admin zimbra

Other Zimbra Know-hows

  #Redirect http to https
  su - zimbra
  zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
  zmproxyctl restart

   su zimbra
   zmprov ms mail.rhomicom.lan zimbraMailMode redirect
   zmprov ms mail.rhomicom.lan zimbraReverseProxyMailMode redirect\
  su - zimbra -c "postqueue -p"
  su - zimbra -c "/opt/zimbra/postfix/sbin/postqueue -f"
#Disable dnscache
# zmcontrol status
# zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
# zmprov ms `zmhostname` -zimbraServiceInstalled dnscache
# zmcontrol status

postconf -e smtp_sasl_security_options=noanonymous
zmprov ms mail.rhomicom.com zimbraMtaSmtpSaslSecurityOptions noanonymous

postconf -e 'smtpd_recipient_limit = 60'
postconf -e 'smtpd_recipient_overshoot_limit = 100'
postfix reload
zmprov modifyConfig zimbraFileUploadMaxSize 25600000
zmprov modifyConfig zimbraMailContentMaxSize 25600000
zmprov modifyConfig zimbraMtaMaxMessageSize 25600000
postfix reload

zmprov mcf zimbraMtaMaxMessageSize 52428800
zmprov mcf zimbraFileUploadMaxSize 52428800
zmprov mcf zimbraMailContentMaxSize 104857600
postfix reload

postconf | grep smtpd_recipient_limit
postconf | grep smtpd_recipient_overshoot_limit

/opt/zimbra/libexec/zmfixperms
/opt/zimbra/libexec/zmfixperms --verbose --extended

 zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
 zmprov mcf zimbraMtaLmtpHostLookup native
 zmmtactl restart

Zimbra Network Settings

  systemctl enable --now named
  vi /etc/sysconfig/network-scripts/ifcfg-eth0
  yum install bind bind-utils -y
  ip a show eth0
  nano /etc/resolv.conf
  chattr +i /etc/resolv.conf 
  ## reverse this using $ chattr -i /etc/resolv.conf
  sudo systemctl restart NetworkManager.service
  /etc/init.d/network restart
  firewall-cmd --add-service=dns --permanent
  firewall-cmd --reload


  sudo vim /etc/NetworkManager/NetworkManager.conf
  # [main]
  dnz=none
  nmcli connection modify "System eth0" ipv4.dns 127.0.0.1
  nmcli connection down "System eth0"; nmcli connection up "System eth0"
  # On Debian $ vi /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
  # On CentOS $ vi /etc/dhclient-enter-hooks

  Append following code:

  #!/bin/sh
  make_resolv_conf(){
	:
  }
  Save and close the file. Set permissions using the chmod command:
  # On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
  # On CentOS $ chmod +x /etc/dhclient-enter-hooks

Sample Named.conf

options {
        listen-on port 53 { 127.0.0.1; any;172.26.1.3;};
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; any; 127.0.0.1; 172.26.1.3;};

        forwarders {
                8.8.8.8;
                8.8.4.4;
                172.26.15.6;
        };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "rhomicom.com" IN {
                type master;
                file "rhomicom.com.zone";
                allow-update { none; };
        };

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

nano /var/named/rhomicom.com.zone

$TTL    604800
@       IN      SOA     mail.rhomicom.com. admin.rhomicom.com.        (
030512  ; Serial
604800  ; Refresh
86400   ; Retry
2419200 ; Expire
604800 ); Minimum TTL
;
@                 IN       NS               mail
IN                MX       0                mail
IN                A                         127.0.0.1
mail              IN       A                127.0.0.1