Difference between revisions of "Zimbra Setups"
(36 intermediate revisions by the same user not shown) | |||
Line 28: | Line 28: | ||
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz | tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz | ||
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617 | cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617 | ||
+ | |||
+ | systemctl stop postfix | ||
+ | systemctl disable postfix | ||
+ | yum remove postfix | ||
./install.sh | ./install.sh | ||
Line 53: | Line 57: | ||
# On New Server | # On New Server | ||
# Install Same version of ZCS | # Install Same version of ZCS | ||
− | rsync -avH | + | rsync -avH [[/cdn-cgi/l/email-protection|[email protected]]]:/home/rhouser/*.t*z --progress --human-readable /home/rhouser |
tar -xzvf zimbkp29Aug2021-17-39.tar.gz | tar -xzvf zimbkp29Aug2021-17-39.tar.gz | ||
mv /opt/zimbra /home | mv /opt/zimbra /home | ||
Line 69: | Line 73: | ||
zmlocalconfig -e ldap_common_require_tls=0 | zmlocalconfig -e ldap_common_require_tls=0 | ||
zmcontrol restart | zmcontrol restart | ||
− | |||
− | |||
#Validate LDAP Configuration | #Validate LDAP Configuration | ||
su - zimbra | su - zimbra | ||
zmcontrol stop | zmcontrol stop | ||
zmlocalconfig -s ldap_root_password | zmlocalconfig -s ldap_root_password | ||
− | /opt/zimbra/ | + | /opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd |
#sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 | #sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 | ||
cd /opt/zimbra/data/ldap/config/cn=config | cd /opt/zimbra/data/ldap/config/cn=config | ||
Line 82: | Line 84: | ||
# to olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 | # to olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378 | ||
zmcontrol start | zmcontrol start | ||
+ | https://wiki.zimbra.com/wiki/Zimbra_services_asking_for_password_-_sudoers_issue | ||
+ | |||
# or reboot PC | # or reboot PC | ||
+ | # and re-run zcs install | ||
+ | ./install.sh | ||
+ | /opt/zimbra/libexec/zmsetup.pl # to redo configurations | ||
# Enable TLS Connections after install if they were disabled | # Enable TLS Connections after install if they were disabled | ||
su - zimbra | su - zimbra | ||
Line 90: | Line 97: | ||
zmlocalconfig -e ldap_common_require_tls=1 | zmlocalconfig -e ldap_common_require_tls=1 | ||
zmcontrol restart | zmcontrol restart | ||
+ | |||
+ | ==Install Letsencrypt Cert Zimbra == | ||
+ | <syntaxhighlight lang="shell" line start="1"> | ||
+ | sudo certbot --version | ||
+ | sudo su - zimbra -c "zmproxyctl stop" | ||
+ | sudo su - zimbra -c "zmmailboxdctl stop" | ||
+ | export EMAIL="[email protected]" | ||
+ | sudo certbot delete #DELETE EXISTING CERT IF DOING RENEWAL | ||
+ | sudo certbot delete --cert-name mail.rhomicom.com #DELETE SPECIFIC CERT IF DOING RENEWAL | ||
+ | certbot certonly --standalone -d mail.rhomicom.com --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring | ||
+ | ls -lh /etc/letsencrypt/live/mail.rhomicom.com/ | ||
+ | |||
+ | sudo mkdir /opt/zimbra/ssl/letsencrypt #NOT NEEDED IN RENEWAL | ||
+ | |||
+ | CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com | ||
+ | sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/ | ||
+ | ls /opt/zimbra/ssl/letsencrypt/ | ||
+ | cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem | ||
+ | cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem | ||
+ | |||
+ | #ADD THE LETSENCRYPT CERT | ||
+ | sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF | ||
+ | -----BEGIN CERTIFICATE----- | ||
+ | MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ | ||
+ | MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT | ||
+ | DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow | ||
+ | PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD | ||
+ | Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB | ||
+ | AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O | ||
+ | rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq | ||
+ | OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b | ||
+ | xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw | ||
+ | 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD | ||
+ | aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV | ||
+ | HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG | ||
+ | SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 | ||
+ | ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr | ||
+ | AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz | ||
+ | R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 | ||
+ | JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo | ||
+ | Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ | ||
+ | -----END CERTIFICATE----- | ||
+ | EOF | ||
+ | |||
+ | cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem | ||
+ | sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/ | ||
+ | ls -lha /opt/zimbra/ssl/letsencrypt/ | ||
+ | sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/ | ||
+ | sudo chown -R zimbra:zimbra /etc/letsencrypt/ | ||
+ | cd /opt/zimbra/ssl/letsencrypt | ||
+ | ls -halt | ||
+ | ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem | ||
+ | ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem | ||
+ | ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem | ||
+ | ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem | ||
+ | ls -halt | ||
+ | cat cert.pem | ||
+ | sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/ | ||
+ | #sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' | ||
+ | #sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%.m%.d-%H.%M") | ||
+ | #sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key | ||
+ | #sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key | ||
+ | #sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem' | ||
+ | |||
+ | ## NEW METHOD ## | ||
+ | cp /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key | ||
+ | chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key | ||
+ | wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem --no-check-certificate | ||
+ | wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem --no-check-certificate | ||
+ | cat /tmp/R3.pem > /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem | ||
+ | cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/archive/mail.rhomicom.com/chain1.pem | ||
+ | |||
+ | sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem' | ||
+ | sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.rhomicom.com/cert.pem /etc/letsencrypt/live/mail.rhomicom.com/chain.pem' | ||
+ | |||
+ | sudo su - zimbra -c "zmcontrol restart" | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | ==SSH Errors on Zimbra Monitor Message Queue== | ||
+ | <syntaxhighlight lang="shell" line="1"> | ||
+ | #Regenerating Keys | ||
+ | #To regenerate the ssh keys, on all hosts (as the zimbra user): | ||
+ | zmsshkeygen | ||
+ | #To deploy the keys, on all hosts (as the zimbra user): | ||
+ | zmupdateauthkeys | ||
+ | #Verifying sshd configuration | ||
+ | #The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with: | ||
+ | ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no [email protected] | ||
+ | #You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test. | ||
+ | #If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server: | ||
+ | zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222 | ||
+ | #Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user | ||
+ | #AllowUsers admin zimbra | ||
+ | </syntaxhighlight> | ||
+ | ==Other Zimbra Know-hows== | ||
+ | <syntaxhighlight lang="shell" line="1"> | ||
+ | #Redirect http to https | ||
+ | su - zimbra | ||
+ | zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect | ||
+ | zmproxyctl restart | ||
+ | |||
+ | su zimbra | ||
+ | zmprov ms mail.rhomicom.lan zimbraMailMode redirect | ||
+ | zmprov ms mail.rhomicom.lan zimbraReverseProxyMailMode redirect\ | ||
+ | su - zimbra -c "postqueue -p" | ||
+ | su - zimbra -c "/opt/zimbra/postfix/sbin/postqueue -f" | ||
+ | #Disable dnscache | ||
+ | # zmcontrol status | ||
+ | # zmprov ms `zmhostname` -zimbraServiceEnabled dnscache | ||
+ | # zmprov ms `zmhostname` -zimbraServiceInstalled dnscache | ||
+ | # zmcontrol status | ||
+ | |||
+ | postconf -e smtp_sasl_security_options=noanonymous | ||
+ | zmprov ms mail.rhomicom.com zimbraMtaSmtpSaslSecurityOptions noanonymous | ||
+ | |||
+ | postconf -e 'smtpd_recipient_limit = 60' | ||
+ | postconf -e 'smtpd_recipient_overshoot_limit = 100' | ||
+ | postfix reload | ||
+ | zmprov modifyConfig zimbraFileUploadMaxSize 25600000 | ||
+ | zmprov modifyConfig zimbraMailContentMaxSize 25600000 | ||
+ | zmprov modifyConfig zimbraMtaMaxMessageSize 25600000 | ||
+ | postfix reload | ||
+ | |||
+ | zmprov mcf zimbraMtaMaxMessageSize 52428800 | ||
+ | zmprov mcf zimbraFileUploadMaxSize 52428800 | ||
+ | zmprov mcf zimbraMailContentMaxSize 104857600 | ||
+ | postfix reload | ||
+ | |||
+ | postconf | grep smtpd_recipient_limit | ||
+ | postconf | grep smtpd_recipient_overshoot_limit | ||
+ | |||
+ | /opt/zimbra/libexec/zmfixperms | ||
+ | /opt/zimbra/libexec/zmfixperms --verbose --extended | ||
+ | |||
+ | zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native | ||
+ | zmprov mcf zimbraMtaLmtpHostLookup native | ||
+ | zmmtactl restart | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | ==Zimbra Network Settings== | ||
+ | <syntaxhighlight lang="shell" line="1"> | ||
+ | systemctl enable --now named | ||
+ | vi /etc/sysconfig/network-scripts/ifcfg-eth0 | ||
+ | yum install bind bind-utils -y | ||
+ | ip a show eth0 | ||
+ | nano /etc/resolv.conf | ||
+ | chattr +i /etc/resolv.conf | ||
+ | ## reverse this using $ chattr -i /etc/resolv.conf | ||
+ | sudo systemctl restart NetworkManager.service | ||
+ | /etc/init.d/network restart | ||
+ | firewall-cmd --add-service=dns --permanent | ||
+ | firewall-cmd --reload | ||
+ | |||
+ | |||
+ | sudo vim /etc/NetworkManager/NetworkManager.conf | ||
+ | # [main] | ||
+ | dnz=none | ||
+ | nmcli connection modify "System eth0" ipv4.dns 127.0.0.1 | ||
+ | nmcli connection down "System eth0"; nmcli connection up "System eth0" | ||
+ | # On Debian $ vi /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate | ||
+ | # On CentOS $ vi /etc/dhclient-enter-hooks | ||
+ | |||
+ | Append following code: | ||
+ | |||
+ | #!/bin/sh | ||
+ | make_resolv_conf(){ | ||
+ | : | ||
+ | } | ||
+ | Save and close the file. Set permissions using the chmod command: | ||
+ | # On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate | ||
+ | # On CentOS $ chmod +x /etc/dhclient-enter-hooks | ||
+ | </syntaxhighlight> | ||
+ | ==Sample Named.conf== | ||
+ | <syntaxhighlight lang="shell" line="1"> | ||
+ | options { | ||
+ | listen-on port 53 { 127.0.0.1; any;172.26.1.3;}; | ||
+ | listen-on-v6 port 53 { ::1; }; | ||
+ | directory "/var/named"; | ||
+ | dump-file "/var/named/data/cache_dump.db"; | ||
+ | statistics-file "/var/named/data/named_stats.txt"; | ||
+ | memstatistics-file "/var/named/data/named_mem_stats.txt"; | ||
+ | recursing-file "/var/named/data/named.recursing"; | ||
+ | secroots-file "/var/named/data/named.secroots"; | ||
+ | allow-query { localhost; any; 127.0.0.1; 172.26.1.3;}; | ||
+ | |||
+ | forwarders { | ||
+ | 8.8.8.8; | ||
+ | 8.8.4.4; | ||
+ | 172.26.15.6; | ||
+ | }; | ||
+ | |||
+ | /* | ||
+ | - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. | ||
+ | - If you are building a RECURSIVE (caching) DNS server, you need to enable | ||
+ | recursion. | ||
+ | - If your recursive DNS server has a public IP address, you MUST enable access | ||
+ | control to limit queries to your legitimate users. Failing to do so will | ||
+ | cause your server to become part of large scale DNS amplification | ||
+ | attacks. Implementing BCP38 within your network would greatly | ||
+ | reduce such attack surface | ||
+ | */ | ||
+ | recursion yes; | ||
+ | |||
+ | dnssec-enable yes; | ||
+ | dnssec-validation auto; | ||
+ | |||
+ | /* Path to ISC DLV key */ | ||
+ | bindkeys-file "/etc/named.root.key"; | ||
+ | |||
+ | managed-keys-directory "/var/named/dynamic"; | ||
+ | |||
+ | pid-file "/run/named/named.pid"; | ||
+ | session-keyfile "/run/named/session.key"; | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | channel default_debug { | ||
+ | file "data/named.run"; | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | }; | ||
+ | |||
+ | zone "rhomicom.com" IN { | ||
+ | type master; | ||
+ | file "rhomicom.com.zone"; | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone "." IN { | ||
+ | type hint; | ||
+ | file "named.ca"; | ||
+ | }; | ||
+ | |||
+ | include "/etc/named.rfc1912.zones"; | ||
+ | include "/etc/named.root.key"; | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | == nano /var/named/rhomicom.com.zone== | ||
+ | <syntaxhighlight lang="shell" line="1"> | ||
+ | $TTL 604800 | ||
+ | @ IN SOA mail.rhomicom.com. admin.rhomicom.com. ( | ||
+ | 030512 ; Serial | ||
+ | 604800 ; Refresh | ||
+ | 86400 ; Retry | ||
+ | 2419200 ; Expire | ||
+ | 604800 ); Minimum TTL | ||
+ | ; | ||
+ | @ IN NS mail | ||
+ | IN MX 0 mail | ||
+ | IN A 127.0.0.1 | ||
+ | mail IN A 127.0.0.1 | ||
+ | |||
+ | </syntaxhighlight> |
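Review bot: The named.conf added in the last hunk turns the host into an open recursive resolver: `listen-on port 53 { 127.0.0.1; any;172.26.1.3;}` and `allow-query { localhost; any; 127.0.0.1; 172.26.1.3;}` are combined with `recursion yes;`, which is exactly what the comment block pasted just above `recursion yes;` warns will make the server part of DNS amplification attacks. Drop `any` from both lists and add an explicit recursion ACL: `listen-on port 53 { 127.0.0.1; 172.26.1.3; };`, `allow-query { localhost; 172.26.1.3; };`, `allow-recursion { localhost; 172.26.1.3; };` (widen with the LAN prefix only if other hosts really use this resolver; the `firewall-cmd --add-service=dns` line in the network section is also only needed in that case). The same hunk fetches the Let's Encrypt root and intermediate with `wget --no-check-certificate`, which disables TLS verification precisely while downloading trust anchors; remove the flag there, and build the chain from certbot's `chain.pem` rather than writing a hardcoded `R3.pem` into certbot's `archive/` directory, since the intermediate name is not stable across chain changes and `chain1.pem` is certbot-managed. The `chown -R zimbra:zimbra /etc/letsencrypt/` line hands every private key and the ACME account key to the service account; copying only cert, chain and key into the zimbra-owned `/opt/zimbra/ssl/letsencrypt` (as the commented-out older recipe in the same hunk did) avoids that.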
Latest revision as of 00:22, 3 September 2023
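# Zimbra 8.8.10 base install on CentOS 7 (run as root).
# Creates an admin user, patches the box, pins the FQDN, installs certbot
# and runs the ZCS installer with the distro Postfix out of the way.
adduser rhouser
passwd rhouser
yum update -y ; reboot
# One -y is enough (the original repeated it); psmisc was installed separately
# and interactively, so it is folded into the same command.
yum install -y which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils psmisc
# TODO: install and configure firewall-cmd (firewalld) before the host is reachable
hostnamectl set-hostname "mail.rhomicom.com"
exec bash
# The commented example maps the FQDN to the LAN address while the echo below
# maps it to loopback. NOTE(review): if the installer complains about DNS or
# MX lookups, map the FQDN to the interface address instead of 127.0.0.1.
# nano /etc/hosts
# 192.168.0.108 mail.rhomicom.com mail
echo 'mail.rhomicom.com' > /etc/hostname
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
hostname mail.rhomicom.com
hostname --fqdn
# Do all DNS settings and MX records on Domain Registrar's DNS
dig -t A mail.rhomicom.com
dig -t MX rhomicom.com
# Install Let's Encrypt client (certbot) from EPEL on CentOS 7
yum install -y epel-release
yum install -y certbot
# Fetch the installer with TLS verification left ON. The original passed
# --no-check-certificate, which lets a spoofed mirror hand over a tampered
# installer that is then run as root.
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617 || exit 1
# ZCS brings its own Postfix under /opt/zimbra/postfix; the distro one is
# stopped, disabled and removed so it cannot conflict with it.
systemctl stop postfix
systemctl disable postfix
yum remove postfix
./install.sh
# Answer Y to all options
# Answer Yes to Create Domain
# enter domain rhomicom.com
# enter MX mail.rhomicom.com
# Unconfigured Modules, Choose 7
# Choose 4 to set admin password
# choose r to go back
# choose a to apply all settings
# Wait for system to complete configuration and login
su - zimbra -c "zmcontrol start"
su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol status"
su - zimbra -c "zmcontrol restart"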
Uninstall
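# Uninstall: run the installer from the extracted ZCS directory with -u.
# The original line had the shell prompt ("...]#") pasted into the middle of
# the cd command, which made cd fail and install.sh run from the wrong place.
cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617 && ./install.sh -u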
Move from Old to New Server
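# Move from Old to New Server: archive /opt/zimbra on the old host, restore it
# on a new host running the SAME ZCS version, fix permissions, work around
# certificate errors and, if needed, reset the LDAP root password.
# (The wiki rendering had collapsed this whole section onto one line.)

# On Old Server
tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/

# On New Server
# Install Same version of ZCS
# '<user>@<old-server>' is a placeholder: the rendered page replaced the real
# login with "[email protected]". The remote glob is quoted so the local
# shell does not try to expand it.
rsync -avH --progress --human-readable '<user>@<old-server>:/home/rhouser/*.t*z' /home/rhouser
tar -xzvf zimbkp29Aug2021-17-39.tar.gz
# Park the fresh install and put the restored tree in its place.
# opt/zimbra is relative: the archive extracted into ./opt/zimbra.
mv /opt/zimbra /home
mv opt/zimbra /opt
/opt/zimbra/libexec/zmfixperms -e -v # as root
postfix check
# temporarily switch to self-signed cert to avoid some SSL/TLS errors
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
# Alternatively you may disable TLS Connections temporarily
su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_common_require_tls=0
zmcontrol restart

# Validate LDAP Configuration
su - zimbra
zmcontrol stop
zmlocalconfig -s ldap_root_password
# slappasswd prompts for the password when -s is omitted. The original passed
# it as an argument (-s Y0uRP4S5w0Rd), which leaves it in the shell history
# and in `ps` output for every user on the box.
/opt/zimbra/common/sbin/slappasswd
# sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
cd /opt/zimbra/data/ldap/config/cn=config
vi olcDatabase={0}config.ldif
# Change olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1
# to olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
zmcontrol start
# https://wiki.zimbra.com/wiki/Zimbra_services_asking_for_password_-_sudoers_issue
# or reboot PC
# and re-run zcs install
./install.sh
/opt/zimbra/libexec/zmsetup.pl # to redo configurations

# Enable TLS Connections after install if they were disabled
su - zimbra
# NOTE(review): this line is still "true" in the re-enable block (it was copied
# from the disable block above); set it to false once a CA-signed cert is
# deployed so untrusted certificates are rejected again.
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_common_require_tls=1
zmcontrol restart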
Install Letsencrypt Cert Zimbra
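# Install / renew a Let's Encrypt certificate for Zimbra.
# Flow: free port 80, issue with certbot --standalone, build the chain, copy
# key+cert into Zimbra's own directory, verify and deploy with zmcertmgr.
# Differences from the earlier recipe on this page:
#  - /etc/letsencrypt stays root-owned (the old `chown -R zimbra:zimbra
#    /etc/letsencrypt/` handed every private key and the ACME account key to
#    the service account); only copies under /opt/zimbra/ssl/letsencrypt are
#    owned by zimbra.
#  - no `wget --no-check-certificate` for trust anchors.
#  - the chain is certbot's chain.pem plus ISRG Root X1; the old recipe
#    appended a root whose encoded subject reads "DST Root CA X3" with a
#    notAfter of 2021-09-30, and later wrote a hardcoded R3.pem over certbot's
#    archive/.../chain1.pem.
#  - renewal does not delete and re-issue the lineage.
sudo certbot --version
sudo su - zimbra -c "zmproxyctl stop"      # --standalone needs port 80 free
sudo su - zimbra -c "zmmailboxdctl stop"
# Placeholder: the rendered page replaced the real address with "[email protected]".
export EMAIL="<admin-contact-email>"
# Renewal: re-running certonly reuses the existing lineage; deleting first
# only burns Let's Encrypt rate limits. Delete a lineage only if it is broken:
#sudo certbot delete --cert-name mail.rhomicom.com
sudo certbot certonly --standalone -d mail.rhomicom.com --preferred-challenges http --agree-tos -n -m "$EMAIL" --keep-until-expiring
CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
ls -lh "$CERTPATH"/

# Zimbra-owned working copy of the material (mkdir -p: harmless on renewal).
ZSSL=/opt/zimbra/ssl/letsencrypt
sudo mkdir -p "$ZSSL"
# -L dereferences the live/ symlinks so real files land in $ZSSL; the old
# `cp -rf $CERTPATH/*` copied the symlinks themselves.
sudo cp -L "$CERTPATH"/cert.pem "$CERTPATH"/privkey.pem "$ZSSL"/

# Chain = current intermediate(s) from certbot + ISRG Root X1, fetched with
# TLS verification on and into a mktemp file rather than a fixed /tmp name.
TMPROOT=$(mktemp) || exit 1
wget -O "$TMPROOT" https://letsencrypt.org/certs/isrgrootx1.pem
sudo cat "$CERTPATH"/chain.pem "$TMPROOT" | sudo tee "$ZSSL"/zimbra_chain.pem >/dev/null
rm -f -- "$TMPROOT"
cat "$ZSSL"/zimbra_chain.pem

sudo chown -R zimbra:zimbra "$ZSSL"
sudo chmod 600 "$ZSSL"/privkey.pem
ls -lha "$ZSSL"/

# Back up the current deployed cert set before replacing it
# (the old commented line used an invalid date format "%Y%.m%.d").
sudo cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date +%Y.%m.%d-%H.%M)"
# Zimbra expects the private key at commercial.key; cert and chain are passed
# to zmcertmgr explicitly.
sudo cp "$ZSSL"/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chmod 600 /opt/zimbra/ssl/zimbra/commercial/commercial.key

sudo su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key $ZSSL/cert.pem $ZSSL/zimbra_chain.pem"
sudo su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm $ZSSL/cert.pem $ZSSL/zimbra_chain.pem"

sudo su - zimbra -c "zmcontrol restart"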
SSH Errors on Zimbra Monitor Message Queue
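# SSH errors on the Zimbra Monitor > Message Queue page: regenerate and
# redeploy the zimbra user's ssh keys, then test the connection by hand.
# Regenerating Keys
# To regenerate the ssh keys, on all hosts (as the zimbra user):
zmsshkeygen
# To deploy the keys, on all hosts (as the zimbra user):
zmupdateauthkeys
# Verifying sshd configuration
# The authentication method assumes that sshd on the mta is running on port 22,
# and that RSA Authentication is enabled. You can test the ssh command with the
# line below. User and host are placeholders (the rendered page replaced the
# real target with "[email protected]"); MAIL.DOMAIN.COM matches the
# placeholder the zmprov line further down already uses.
# NOTE(review): -o StrictHostKeyChecking=no skips host-key verification. For a
# one-off manual test, omit it and accept the key interactively so a changed
# host key is noticed instead of silently accepted.
ssh -i .ssh/zimbra_identity -o StrictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM
# You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
# If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
# Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
# AllowUsers admin zimbra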
Other Zimbra Know-hows
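# Assorted Zimbra tweaks. zm* commands run as the zimbra user (su - zimbra);
# the postconf/postfix lines were run as root on this page.
# Redirect http to https
su - zimbra
zmprov ms "$(zmhostname)" zimbraReverseProxyMailMode redirect
zmproxyctl restart

# `su - zimbra` (login shell) for consistency with the rest of the page; the
# original had a bare `su zimbra` here, which does not pick up zimbra's PATH.
# NOTE(review): two different hostnames appear on this page (mail.rhomicom.lan
# here, mail.rhomicom.com below); use whatever `zmhostname` prints.
su - zimbra
zmprov ms mail.rhomicom.lan zimbraMailMode redirect
# The original line ended in a stray backslash, which would have glued the
# following `su - zimbra -c ...` words onto this zmprov invocation.
zmprov ms mail.rhomicom.lan zimbraReverseProxyMailMode redirect
su - zimbra -c "postqueue -p"
su - zimbra -c "/opt/zimbra/postfix/sbin/postqueue -f"
# Disable dnscache
# zmcontrol status
# zmprov ms "$(zmhostname)" -zimbraServiceEnabled dnscache
# zmprov ms "$(zmhostname)" -zimbraServiceInstalled dnscache
# zmcontrol status

# Both forms are kept as on the page; the zmprov (LDAP) form is presumably the
# one that survives Zimbra regenerating the Postfix config -- verify.
postconf -e smtp_sasl_security_options=noanonymous
zmprov ms mail.rhomicom.com zimbraMtaSmtpSaslSecurityOptions noanonymous

postconf -e 'smtpd_recipient_limit = 60'
postconf -e 'smtpd_recipient_overshoot_limit = 100'
postfix reload
# Two alternative size settings were kept on the page; if both blocks are run
# the later mcf block (50 MiB / 100 MiB) is what ends up in effect.
zmprov modifyConfig zimbraFileUploadMaxSize 25600000
zmprov modifyConfig zimbraMailContentMaxSize 25600000
zmprov modifyConfig zimbraMtaMaxMessageSize 25600000
postfix reload

zmprov mcf zimbraMtaMaxMessageSize 52428800
zmprov mcf zimbraFileUploadMaxSize 52428800
zmprov mcf zimbraMailContentMaxSize 104857600
postfix reload

postconf | grep smtpd_recipient_limit
postconf | grep smtpd_recipient_overshoot_limit

/opt/zimbra/libexec/zmfixperms
/opt/zimbra/libexec/zmfixperms --verbose --extended

zmprov ms "$(zmhostname)" zimbraMtaLmtpHostLookup native
zmprov mcf zimbraMtaLmtpHostLookup native
zmmtactl restart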
Zimbra Network Settings
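# DNS / network setup for the Zimbra host: a local BIND resolver, a fixed
# resolv.conf, and hooks that stop dhclient/NetworkManager from rewriting it.
# Install BIND before enabling it (the original enabled named first).
yum install bind bind-utils -y
systemctl enable --now named
vi /etc/sysconfig/network-scripts/ifcfg-eth0
ip a show eth0
nano /etc/resolv.conf
# Immutable bit so nothing overwrites the local nameserver entry.
chattr +i /etc/resolv.conf
## reverse this using $ chattr -i /etc/resolv.conf
sudo systemctl restart NetworkManager.service
/etc/init.d/network restart
# Opening 53 in the firewall is only needed if OTHER hosts use this resolver;
# a resolver that serves only Zimbra on localhost does not need it.
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload

# Tell NetworkManager to leave resolv.conf alone: in the [main] section of
# NetworkManager.conf set dns=none. The page had the typo "dnz=none", which
# is not a NetworkManager key and therefore changed nothing.
sudo vim /etc/NetworkManager/NetworkManager.conf
# [main]
# dns=none
nmcli connection modify "System eth0" ipv4.dns 127.0.0.1
nmcli connection down "System eth0"; nmcli connection up "System eth0"

# dhclient enter-hook that turns its resolv.conf rewrite into a no-op.
# Debian: /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
# CentOS: /etc/dhclient-enter-hooks
HOOK=/etc/dhclient-enter-hooks
cat >> "$HOOK" <<'EOF'
#!/bin/sh
make_resolv_conf(){
    :
}
EOF
chmod +x "$HOOK"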
Sample Named.conf
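// Sample named.conf for the Zimbra host's local resolver.
// Changes from the page's original: "any" removed from listen-on and
// allow-query, and an explicit allow-recursion ACL added. With "any" in
// allow-query and "recursion yes" this was an open recursive resolver --
// exactly what the comment block below (kept from the original) warns about.
// Add your LAN prefix to allow-query/allow-recursion only if other hosts
// really use this server.
options {
    listen-on port 53 { 127.0.0.1; 172.26.1.3; };
    listen-on-v6 port 53 { ::1; };
    directory          "/var/named";
    dump-file          "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file     "/var/named/data/named.recursing";
    secroots-file      "/var/named/data/named.secroots";
    allow-query     { localhost; 172.26.1.3; };
    allow-recursion { localhost; 172.26.1.3; };

    forwarders {
        8.8.8.8;
        8.8.4.4;
        172.26.15.6;
    };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    // dnssec-enable is accepted by the BIND 9.11 shipped with CentOS 7 but is
    // obsolete on newer releases; drop it there and keep dnssec-validation.
    dnssec-enable yes;
    dnssec-validation auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// Authoritative zone for the mail domain; dynamic updates refused.
zone "rhomicom.com" IN {
    type master;
    file "rhomicom.com.zone";
    allow-update { none; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";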
nano /var/named/rhomicom.com.zone
; Zone file for rhomicom.com as loaded by the named.conf on this page
; (file "rhomicom.com.zone" under /var/named).
; NOTE(review): both A records point at 127.0.0.1, so this zone presumably
; only serves the local resolver on the mail host itself (split horizon);
; confirm it is never served to other hosts, which would resolve "mail" to
; their own loopback.
$TTL 604800
@ IN SOA mail.rhomicom.com. admin.rhomicom.com. (
; Serial is not in the usual YYYYMMDDNN form; it must still increase on every
; edit for secondaries to notice a change.
030512 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ); Minimum TTL
;
@ IN NS mail
; The next two records have no owner name and so inherit "@" (the zone apex).
IN MX 0 mail
IN A 127.0.0.1
mail IN A 127.0.0.1