Difference between revisions of "Zimbra Setups"

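--- a/Zimbra Setups
+++ b/Zimbra Setups
@@ -152,3 +152,27 @@
 sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
 sudo su - zimbra -c "zmcontrol restart"
+</syntaxhighlight>
+==SSH Errors on Zimbra Monitor Message Queue==
+<syntaxhighlight lang="shell" line="1">
+Regenerating Keys
+To regenerate the ssh keys, on all hosts (as the zimbra user):
+
+zmsshkeygen
+To deploy the keys, on all hosts (as the zimbra user):
+
+zmupdateauthkeys
+Verifying sshd configuration
+The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
+
+ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM
+(Swap MAIL.DOMAIN.COM for your hostname, as it appears in the error).
+
+You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.
+
+If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:
+
+zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
+Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is an allow user
+
+AllowUsers admin zimbra
 </syntaxhighlight>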

Revision as of 20:16, 29 August 2021

 # Base OS preparation for the Zimbra host. The commands carry no sudo, so they are
 # presumably typed in a root shell.
 # Create an unprivileged login account; passwd prompts interactively for its password.
 adduser rhouser
 passwd rhouser
 
 # Apply all pending package updates, then reboot. Continue with the next line once the
 # host is back up.
 yum update -y ; reboot
 # Tools used by the installer and by later steps on this page (ssh, rsync, wget, tar,
 # dig from bind-utils, ...).
 yum -y install which openssh openssh-server openssh-clients openssl-libs nano rsync unzip net-tools NetworkManager-tui sysstat perl-core libaio nmap-ncat libstdc++.so.6 wget tar bind-utils -y 
 yum install psmisc 
 #Install and configure firewall-cmd
 # NOTE(review): no firewall commands are given on this page. Before exposing the host,
 # open only the ports the mail services actually need - TODO record the rule set used.
 hostnamectl set-hostname "mail.rhomicom.com"
 # Replace the current shell with a fresh one, presumably so the prompt shows the new hostname.
 exec bash
# Manual alternative: edit /etc/hosts by hand and map the FQDN to the host's LAN address, e.g.
# nano /etc/hosts
# 192.168.0.108 mail.rhomicom.com mail

# Scripted variant: persist the hostname, then append a hosts entry for it.
# NOTE(review): this entry maps the FQDN to 127.0.0.1, whereas the manual example above
# uses the LAN address - confirm which one the installer expects.
# ">>" appends, so running the second line twice leaves a duplicate entry in /etc/hosts.
echo 'mail.rhomicom.com' > /etc/hostname
echo '127.0.0.1 mail.rhomicom.com mail' >> /etc/hosts
# Set the running hostname and print the FQDN as a check.
hostname mail.rhomicom.com
hostname --fqdn

# Do all DNS settings and MX records on Domain Registrar's DNS
# Then confirm from this host that the A record of the mail host and the MX record of
# the domain resolve before running the installer.
dig -t A mail.rhomicom.com
dig -t MX rhomicom.com

#Install Let'sencrypt CentOS7
# The EPEL repository is enabled first, presumably because certbot is packaged there.
# Neither command passes -y, so yum asks for confirmation each time.
yum install epel-release
yum install certbot

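# Download the ZCS 8.8.10 installer bundle over HTTPS with certificate verification left
# on. The archive is unpacked and its install.sh is run below, so it has to come from the
# genuine download host. If wget rejects the server certificate, update the system CA
# bundle instead of turning the check off.
wget https://files.zimbra.com/downloads/8.8.10_GA/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
# Print the archive digest and compare it with the value the vendor publishes for this
# release (if one is available) before unpacking.
sha256sum zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
tar zxpvf zcs-8.8.10_GA_3039.RHEL7_64.20180928094617.tgz
cd zcs-8.8.10_GA_3039.RHEL7_64.20180928094617

# Interactive installer; the answers used for this setup are listed below.
./install.sh
# Answer Y to all options
# Answer Yes to Create Domain
# enter domain rhomicom.com
# enter MX mail.rhomicom.com
# Unconfigured Modules, Choose 7
# Choose 4 to set admin password
# choose r to go back
# choose a to apply all settings
# Wait for system to complete configuration and login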
# Service control reference. Each line runs zmcontrol as the zimbra user from a root
# shell: start, stop, show status, restart. They are listed for reference, not as a
# sequence to run in order.
su - zimbra -c "zmcontrol start"
su - zimbra -c "zmcontrol stop"
su - zimbra -c "zmcontrol status"
su - zimbra -c "zmcontrol restart"

Uninstall

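 # Uninstall: run the installer from the unpacked bundle directory with -u.
 # Only the command itself is given here; a pasted shell-prompt prefix is not part of it.
 cd /root/zimbra/zcs-8.8.10_GA_3039.RHEL7_64.20180928094617
 ./install.sh -u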

Move from Old to New Server

 # On Old Server
 # Archive the whole /opt/zimbra tree.
 # NOTE(review): the archive contains everything under /opt/zimbra, including the ssl/
 # directory and the local configuration used later on this page. Treat it as secret:
 # restrict its file permissions and delete the copies once the migration is verified.
 # NOTE(review): presumably the Zimbra services should be stopped first so the copy is
 # consistent - confirm.
 tar -czvf zimbkp29Aug2021-17-39.tar.gz /opt/zimbra/
 # On New Server
 # Install Same version of ZCS
 # Pull the archive(s) from the old server over ssh. 1.1.1.1 presumably stands in for
 # the old server's address.
 rsync -avH rhouser@1.1.1.1:/home/rhouser/*.t*z --progress --human-readable /home/rhouser
 # tar stored the paths without the leading "/", so this unpacks to ./opt/zimbra under
 # the current directory.
 tar -xzvf zimbkp29Aug2021-17-39.tar.gz
 # Move the freshly installed tree aside (it ends up as /home/zimbra), then put the
 # restored tree in its place. The second mv uses a relative path, so it must be run
 # from the directory where the archive was unpacked.
 mv /opt/zimbra /home
 mv opt/zimbra /opt
 # Reset ownership and permissions on the restored tree.
 /opt/zimbra/libexec/zmfixperms -e -v  # as root
 postfix check
 #temporarily switch to self-signed cert to avoid some SSL/TLS errors
 # -days 3650 gives this temporary certificate a ten-year lifetime. Replace it with the
 # CA-issued certificate (see the Let's Encrypt section of this page) once the migration
 # is done.
 /opt/zimbra/bin/zmcertmgr createcrt -new -days 3650
 /opt/zimbra/bin/zmcertmgr deploycrt self
 # Alternatively you may disable TLS Connections temporarily
 # NOTE(review): the four settings below make the server accept untrusted certificates
 # and stop requiring STARTTLS for LDAP. While they are in effect, LDAP traffic, binds
 # included, may travel unencrypted. Keep the window short and revert all four afterwards.
 # "su - zimbra" opens an interactive shell; the lines that follow are typed inside it.
 su - zimbra 
 zmlocalconfig -e ssl_allow_untrusted_certs=true 
 zmlocalconfig -e ldap_starttls_supported=0
 zmlocalconfig -e ldap_starttls_required=false
 zmlocalconfig -e ldap_common_require_tls=0
 zmcontrol restart
 #Validate LDAP Configuration
  # Sets the root password hash of the LDAP config database by hand. The steps after
  # "su - zimbra" are typed inside that interactive shell.
  su - zimbra
  zmcontrol stop
  # -s prints the stored secret in clear text; avoid running this in a shared or logged terminal.
  zmlocalconfig -s ldap_root_password
  # Y0uRP4S5w0Rd is a placeholder - presumably the value printed by the previous command.
  # NOTE(review): a password given with -s on the command line ends up in shell history
  # and is visible in the process list. Running slappasswd without -s prompts for it instead.
  /opt/zimbra/common/sbin/slappasswd -s Y0uRP4S5w0Rd
  #sample output - {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
  cd /opt/zimbra/data/ldap/config/cn=config
  vi olcDatabase={0}config.ldif
  # Change the existing base64 form (two colons), e.g.
  #   olcRootPW:: e1NTSEE112123gblVeVJ2UjU3UE1512312366jjkj128080as2bDQ5eVgxNXhWSlFPUWhTQmxhQ1d4L1RaNWdsdVRsWWJyRXJDcTA4V0Y0YVRYOE5ma23451wR3A1QytBZUZocEZ1
  # to the plain form (one colon) holding the hash printed by slappasswd, e.g.
  #   olcRootPw: {SSHA}SXzTa82PbLST97854mZOp746PBLA2378
  zmcontrol start
  # or reboot PC
  # and re-run zcs install
  # The relative path means this must be run from the unpacked installer directory.
  ./install.sh
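# Enable TLS Connections after install if they were disabled
# This reverts all four settings changed in the temporary "disable TLS" step:
# untrusted certificates are rejected again and STARTTLS is required for LDAP again.
# If a service still presents an untrusted certificate at this point, deploy a trusted
# certificate for it rather than leaving ssl_allow_untrusted_certs switched on.
# "su - zimbra" opens an interactive shell; the lines that follow are typed inside it.
su - zimbra
zmlocalconfig -e ssl_allow_untrusted_certs=false
zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e ldap_starttls_required=true
zmlocalconfig -e ldap_common_require_tls=1
zmcontrol restart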

Install Letsencrypt Cert Zimbra

# Confirm certbot is installed.
sudo certbot --version
# Stop the proxy and the mailbox service, presumably to free the HTTP port for certbot's
# standalone challenge server. Web access to mail is down until the final restart.
sudo su - zimbra -c "zmproxyctl stop"
sudo su - zimbra -c "zmmailboxdctl stop"
# Contact address registered with the CA.
export EMAIL="admin@rhomicom.com"
# --standalone: certbot answers the HTTP challenge with its own temporary web server.
# -n: non-interactive. --keep-until-expiring: do not reissue while the current certificate is still valid.
# NOTE(review): unlike the neighbouring lines this one has no sudo; it needs a root shell.
certbot certonly --standalone   -d mail.rhomicom.com   --preferred-challenges http   --agree-tos   -n   -m $EMAIL   --keep-until-expiring
# List what was issued (cert.pem, chain.pem, fullchain.pem and privkey.pem are used below).
ls -lh /etc/letsencrypt/live/mail.rhomicom.com/

# Staging directory for the certificate files inside the Zimbra tree. On a renewal it
# already exists, so skip this line.
sudo mkdir /opt/zimbra/ssl/letsencrypt  #NOT NEEDED IN RENEWAL

CERTPATH=/etc/letsencrypt/live/mail.rhomicom.com
# "\cp" bypasses any shell alias for cp (such as cp -i). The glob copies every entry of
# the live directory, the private key included.
sudo \cp -rf $CERTPATH/* /opt/zimbra/ssl/letsencrypt/
ls /opt/zimbra/ssl/letsencrypt/
# Start zimbra_chain.pem from the CA chain (this overwrites any previous file); the
# root certificate is appended in the next step.
cat $CERTPATH/chain.pem | sudo tee /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem

#ADD THE LETSENCRYPT CERT
# Append a root CA certificate so zimbra_chain.pem holds the chain up to the root.
# "tee -a" appends, so running this step twice adds the certificate twice.
# NOTE(review): the embedded certificate decodes as "DST Root CA X3" (Digital Signature
# Trust Co.), with a validity period that ends on 30 Sep 2021. After that date take the
# root from the CA's own published chain, confirm its fingerprint out of band, and use
# that here instead. Do not copy a root certificate from a wiki page without checking it.
sudo tee -a /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem<<EOF
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
EOF

# Show the assembled chain file, then hand the staging directory to the zimbra user.
cat /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
ls -lha /opt/zimbra/ssl/letsencrypt/
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
# NOTE(review): this gives the zimbra service account ownership of the whole certbot
# tree, i.e. the private keys as well as certbot's own configuration. It is presumably
# done so that the symlinks created below are readable by zimbra. A narrower grant
# (read access to the key files only) would expose less - confirm what is actually needed.
sudo chown -R zimbra:zimbra /etc/letsencrypt/
cd /opt/zimbra/ssl/letsencrypt
ls -halt
# Replace the staged copies with symlinks into certbot's live directory, so the staging
# directory always points at the current certificate and key.
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/cert.pem cert.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/chain.pem chain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/fullchain.pem fullchain.pem
ln -sf /etc/letsencrypt/live/mail.rhomicom.com/privkey.pem privkey.pem
ls -halt
# Print the certificate through the new link as a readability check.
cat cert.pem
sudo chown -R zimbra:zimbra /opt/zimbra/ssl/letsencrypt/
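# Check that the private key, the certificate and the chain belong together before the
# live configuration is touched. Stop here if verification fails.
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
# Timestamped backup of the current certificate directory (suffix YYYY.MM.DD-HH.MM).
# The backup contains private keys, so keep its permissions as restrictive as the original.
sudo cp -a /opt/zimbra/ssl/zimbra "/opt/zimbra/ssl/zimbra.$(date "+%Y.%m.%d-%H.%M")"
# Put the new private key where the "comm" deployment reads it and give it to zimbra.
sudo cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
# Deploy the certificate and chain, then restart so the services pick them up.
sudo su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/zimbra_chain.pem'
sudo su - zimbra -c "zmcontrol restart"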

SSH Errors on Zimbra Monitor Message Queue

Regenerating Keys
To regenerate the ssh keys, on all hosts (as the zimbra user):

 # Run as the zimbra user on every host. After new keys are generated, presumably the
 # deploy step below has to be repeated on all hosts as well.
 zmsshkeygen
To deploy the keys, on all hosts (as the zimbra user):

 # Run as the zimbra user on every host, after key generation has finished on all of them.
 zmupdateauthkeys
Verifying sshd configuration
The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:

 # One-off login test with the Zimbra identity key. The key path is relative, so run it
 # from the zimbra user's home directory.
 # NOTE(review): strictHostKeyChecking=no makes ssh accept whatever host key the server
 # presents, so this test does not prove the intended host was reached. Use it for this
 # check only, and verify the host key fingerprint separately.
 ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM
(Swap MAIL.DOMAIN.COM for your hostname, as it appears in the error).

You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.

If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:

# 2222 is an example value; use the port sshd actually listens on for this server.
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222
Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that the zimbra user is listed as an allowed user:

# AllowUsers limits ssh logins to the accounts listed. "admin" is presumably an entry
# from the example host, so keep your own list and add zimbra to it.
AllowUsers admin zimbra