adduser rhouser
passwd rhouser
yum update -y ; reboot
yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y
yum install psmisc
#Install and configure firewall-cmd
hostnamectl set-hostname "mail.rhomicom.com"
exec bash
# nano /etc/hosts
# 192.168.0.108 mail.rhomicom.com mail
echo 'mail.rhomicom.com' > /etc/hostname
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
hostname mail.rhomicom.com
hostname --fqdn
# Do all DNS settings and MX records on Domain Registrar's DNS
dig -t A mail.rhomicom.com
dig -t MX rhomicom.com
#Install Let'sencrypt CentOS7
yum install epel-release
yum install certbot
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz --no-check-certificate
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
./install.sh
#Answer Y to all options
# Answer Yes to Create Domain
# enter domain rhomicom.com
# enter MX mail.rhomicom.com
# Unconfigured Modules, Choose 7
# Choose 4 to set admin password
# choose r to go back
# choose a to apply all settings
# Wait for system to complete configuration and login
su - zimbra -c "zmcontrol start"
su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol status"
su - zimbra -c "zmcontrol restart"
Uninstall
cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
zcs-8.8.10_GA_3039.RHEL7_64.20180928094617]# ./install.sh -u
Move from Old to New Server
# On Old Server
tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/
# On New Server
# Install Same version of ZCS
rsync -avH [email protected]:/home/rhouser/*.t*z --progress --human-readable /home/rhouser
tar -xzvf zimbkp29Aug2021-17-39.tar.gz
mv /opt/zimbra /home
mv opt/zimbra /opt
/opt/zimbra/libexec/zmfixperms -e -v # as root
postfix check
#temporarily switch to self-signed cert to avoid some SSL/TLS errors
/opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
/opt/zimbra/bin/zmcertmgr deploycrt self
# Alternatively you may disable TLS Connections temporarily
su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=0
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_common_require_tls=0
zmcontrol restart
#Validate LDAP Configuration
su - zimbra
zmcontrol stop
zmlocalconfig -s ldap_root_password
/opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd
#sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
cd /opt/zimbra/data/ldap/config/cn=config
vi olcDatabase={0}config.ldif
#CHange olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1
# to olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
zmcontrol start
# or reboot PC
# and re-run zcs install
./install.sh
/opt/zimbra/libexec/zmsetup.pl # to redo configurations
# Enable TLS Connections after install if they were disabled
su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=true
zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_common_require_tls=1
zmcontrol restart
Install Letsencrypt Cert Zimbra
sudo certbot --version
sudo su - zimbra -c "zmproxyctl stop"
sudo su - zimbra -c "zmmailboxdctl stop"
export EMAIL="[email protected]"
certbot certonly --standalone -d mail.rhomicom.com --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring
ls -lh /etc/letsencrypt/live/mail.rhomicom.com/
sudo mkdir /opt/zimbra/ssl/letsencrypt #NOT NEEDED IN RENEWAL
CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
ls /opt/zimbra/ssl/letsencrypt/
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
#ADD THE LETSENCRYPT CERT
sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
ls -lha /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /etc/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt
ls -halt
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem
ls -halt
cat cert.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
sudo cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%.m%.d-%H.%M")
sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
sudo su - zimbra -c "zmcontrol restart"
SSH Errors on Zimbra Monitor Message Queue
#Regenerating Keys
#To regenerate the ssh keys, on all hosts (as the zimbra user):
zmsshkeygen
#To deploy the keys, on all hosts (as the zimbra user):
zmupdateauthkeys
#Verifying sshd configuration
#The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no [email protected]
#You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
#If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
#Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
#AllowUsers admin zimbra
Other Zimbra Know-hows
#Redirect http to https
su - zimbra
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
zmproxyctl restart
su - zimbra -c "postqueue -p"
postconf -e smtp_sasl_security_options=noanonymous
zmprov ms mail.rhomicom.com zimbraMtaSmtpSaslSecurityOptions noanonymous
postconf -e 'smtpd_recipient_limit = 60'
postconf -e 'smtpd_recipient_overshoot_limit = 100'
postfix reload
zmprov modifyConfig zimbraFileUploadMaxSize 25600000
zmprov modifyConfig zimbraMailContentMaxSize 25600000
zmprov modifyConfig zimbraMtaMaxMessageSize 25600000
postfix reload
zmprov mcf zimbraMtaMaxMessageSize 52428800
zmprov mcf zimbraFileUploadMaxSize 52428800
zmprov mcf zimbraMailContentMaxSize 104857600
postfix reload
postconf | grep smtpd_recipient_limit
postconf | grep smtpd_recipient_overshoot_limit
Zimbra Network Settings
systemctl enable --now named
vi /etc/sysconfig/network-scripts/ifcfg-eth0
yum install bind bind-utils -y
ip a show eth0
nano /etc/resolv.conf
chattr +i /etc/resolv.conf
## reverse this using $ chattr -i /etc/resolv.conf
sudo systemctl restart NetworkManager.service
/etc/init.d/network restart
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
sudo vim /etc/NetworkManager/NetworkManager.conf
# [main]
dnz=none
nmcli connection modify "System eth0" ipv4.dns 127.0.0.1
nmcli connection down "System eth0"; nmcli connection up "System eth0"
# On Debian $ vi /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
# On CentOS $ vi /etc/dhclient-enter-hooks
Append following code:
#!/bin/sh
make_resolv_conf(){
:
}
Save and close the file. Set permissions using the chmod command:
# On Debian $ chmod +x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate
# On CentOS $ chmod +x /etc/dhclient-enter-hooks
Sample Named.conf
options {
listen-on port 53 { 127.0.0.1; any;172.26.1.3;};
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; any; 127.0.0.1; 172.26.1.3;};
forwarders {
8.8.8.8;
8.8.4.4;
172.26.15.6;
};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "rhomicom.com" IN {
type master;
file "rhomicom.com.zone";
allow-update { none; };
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
nano /var/named/rhomicom.com.zone
$TTL 604800
@ IN SOA mail.rhomicom.com. admin.rhomicom.com. (
030512 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ); Minimum TTL
;
@ IN NS mail
IN MX 0 mail
IN A 127.0.0.1
mail IN A 127.0.0.1