Tag Archive Zimbra

Zimbra Tweaks

This is a collection of various Zimbra tweaks.

Set Zimbra to Automatically Redirect to HTTPS

When a user logs in with a web browser I want HTTPS to be forced: every connection to http://mail.domain.com is redirected to https://mail.domain.com. Run the following as the zimbra user (it sets the server's zimbraMailMode attribute to redirect; the restart is what makes the web server pick the change up):

zmtlsctl redirect
zmcontrol stop
zmcontrol start

Redirect mode only affects the web client; IMAP, POP and SMTP are not touched. If zimbra-proxy fronts the web client, the proxy keeps its own mode in zimbraReverseProxyMailMode and must be set to redirect as well.

Reference: CLI zmtlsctl to Set Web Server Mode
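A check that the redirect is actually in place, added here as an example and not part of the original post: check_redirect_headers reads the response headers of a plain-HTTP request and succeeds only when the status is a redirect whose Location is an https:// URL on the same host. The headers in the test are constructed; on a live server feed it the output of curl -sI as check_live does (curl being installed, and the host name mail.example.com, are assumptions).

```sh
#!/bin/sh
# Added example, not from the original post. Verifies that plain HTTP is
# answered with a redirect to HTTPS on the same host.
#
# check_redirect_headers HOST  reads raw HTTP response headers on stdin.
# Exit 0 only if the status is 301/302/303/307/308 and Location is
# https://HOST or https://HOST/... (a redirect to http://, or to another
# host, is reported as a failure).
check_redirect_headers() {
    host="$1"
    status=""
    location=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # strip CRLF
        case "$line" in
            HTTP/*)        status=$(printf '%s' "$line" | cut -d' ' -f2) ;;
            [Ll]ocation:*) location=$(printf '%s' "$line" | cut -d' ' -f2-) ;;
        esac
    done
    case "$status" in
        301|302|303|307|308) ;;
        *) echo "no redirect: status '${status:-none}'"; return 1 ;;
    esac
    case "$location" in
        "https://$host"|"https://$host/"*) echo "redirects to $location"; return 0 ;;
        https://*) echo "redirects off-host to $location"; return 1 ;;
        *)         echo "Location is not https: '$location'"; return 1 ;;
    esac
}

# Live check against a running server (needs network; assumes curl).
# curl -sI sends a HEAD request and prints only the response headers.
check_live() {
    host="$1"
    curl -sI "http://$host/" | check_redirect_headers "$host"
}
```

On the server itself the configured mode can be read back with zmprov gs $(zmhostname) zimbraMailMode; the header check confirms what clients actually see, which is what matters after a proxy or firewall change.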

Set the Default Time Zone

Zimbra is very picky about the time zone string. The complete list is at the very bottom of Time Zones in ZCS.

zmprov mc default zimbraPrefTimeZoneId '(GMT-07.00) Mountain Time (US & Canada)'

Reference: Time Zones in ZCS

 


Adding a GoDaddy SSL Certificate to Zimbra 7

I struggled with getting a GoDaddy-issued SSL certificate installed into a new Zimbra instance for a client. Fortunately I used a virtual machine and took snapshots along the way. Most of the struggle came from two things: (1) GoDaddy makes the required files available in many versions and formats, and (2) the Zimbra documentation is thin in this area.

Fortunately I found David McKay’s article How to Renew a GoDaddy Certificate on Zimbra, which gave me insight into which combination of files to use.

Zimbra Installation

  1. The Zimbra instance must install cleanly. My Zimbra installation notes are here.
  2. You must be able to view the Zimbra Certificates page without error. The page is found on the lower portion of the side bar.

The Certificate page in the Zimbra administrative panel.

Get the Certificate Files

  1. Use the Install Certificate button to create the CSR.
  2. Download the CSR.
  3. Paste the CSR into GoDaddy’s SSL certificate page.
  4. When downloading the certificate, there is a list of formats to choose from. Choose Apache.
  5. Also download GoDaddy’s root certificate file gd-class2-root.crt from their Repository page. As of this writing, this is the first file listed.

Installing the SSL Certificate

Back on the Zimbra Certificate page, click on Install Certificate button. You’ll be asked for several files.

  1. Certificate File: This is the new SSL certificate from the zip file. The default name is domain.crt.
  2. Root CA File: This is the file gd-class2-root.crt that you downloaded separately.
  3. Intermediate CA file: This is the file gd_bundle.crt found in the zip file.

This was the combination of files I had been looking for but never quite got right. Before clicking through, it is worth confirming that the three files belong together: the certificate must chain to the root through the intermediate bundle, and it must match the private key Zimbra generated with the CSR (kept at /opt/zimbra/ssl/zimbra/commercial/commercial.key). Zimbra’s own zmcertmgr verifycrt performs this check from the command line.

Store these files, and the private key, with your backups; the certificate is useless without the key.
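The same check done with plain openssl, added here as an example (it is not from the original post, nor Zimbra's own code): verify_chain and key_matches_cert take the root, the intermediate bundle, the server certificate and the key as files, and make_demo_chain builds a constructed root > intermediate > leaf chain so the functions can be exercised without a GoDaddy account. The names root.crt, int.crt, leaf.crt and mail.example.com are assumptions; with real files pass gd-class2-root.crt, gd_bundle.crt, domain.crt and commercial.key.

```sh
#!/bin/sh
# Added example, not from the original post. Checks that a certificate,
# its intermediate bundle, its root and its private key fit together
# before they are uploaded through the Zimbra Certificates page.

# verify_chain ROOT INTERMEDIATE LEAF
# Only ROOT is trusted; INTERMEDIATE is offered as an untrusted helper,
# exactly as a browser would receive it from the server.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null
}

# key_matches_cert KEY CERT
# An RSA key and certificate share the same modulus; anything else is a
# mismatch (the admin console would reject the pair, but less clearly).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# make_demo_chain DIR
# Constructed three-level chain for trying the checks offline. Real
# GoDaddy files take the place of root.crt / int.crt / leaf.crt.
make_demo_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    # Root CA: self-signed with CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
    # Intermediate CA: CSR signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" >/dev/null 2>&1
    # Server (leaf) certificate: CSR signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}
```

A verify failure reading "unable to get local issuer certificate" is what a missing or wrong intermediate looks like; feeding the root in the intermediate's slot (or the other way round) fails the same way, which is the file-mix-up the post describes.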



Installing Zimbra 7 on CentOS

These are personal notes for installing Zimbra 7 on CentOS 5, including split DNS for a server behind a firewall (NAT).

Preliminaries

Caveats

  • This is for a small installation, where a single server handles everything.
  • Zimbra is not officially supported on CentOS, even though CentOS is built directly from RHEL’s sources. If you need support from the company, use RHEL instead.

Requirements

  • Zimbra 7 is 64-bit only. Don’t use the 32-bit versions: they are officially deprecated and slated to be dropped.
  • If you are installing directly onto bare metal, there should be no problem.
  • If you are installing in a virtual machine, ensure that the processor has hardware support for 64-bit virtualization, i.e. Intel VT or AMD-V. (None of my older machines do.)
  • At least 1.5 GB of RAM as an absolute minimum, but Zimbra may be slow at times. The Quick Start guide recommends 4 GB.
  • Zimbra will run on a single processor; two are better.
  • I can’t recommend starting with less than 20-40 GB of disk space. I anticipate adding disks and expanding the file system as needed.

Virtual Machine

  • I name the (virtual) physical disks pv00, pv01, pv02, etc. (pv = physical volume) so they’re easy to track.
  • The NIC must be bridged. Save yourself the pain.
  • I remove the floppy disk, sound card, and printer.

Installing CentOS

Disk Layout

  • I generally create two partitions: /boot, and an LVM partition for the rest.
  • Inside it I create a volume group named vg00, containing:
    • lvRoot mounted on /
    • lvTmp mounted on /tmp
    • lvVar mounted on /var
    • lvOpt mounted on /opt
    • lvSwap
    • Unallocated space for expansion of any non-lvOpt partition that threatens to get full. I treat lvOpt differently because it’s the mail storage partition, and if it fills up I want to at least double the amount of space available. If /opt starts to get full, I will:
      • add a whole new disk,
      • add it as a physical volume,
      • expand the volume group with the physical volume,
      • expand lvOpt, and
      • expand the /opt filesystem.

Package Selection

Note that this is not fine-tuned and is more of a shotgun approach. Even though RHEL is an officially supported OS, there do not appear to be any recommendations from Zimbra on which package groups to install. This section will be updated if I find more information.

  • For package selection, deselect Desktop – Gnome.
  • Select Customize now
  • Click Next
  • Ensure that only the following categories are selected for install. Note: This is for simplicity. It does not attempt to strip the system down to its bare nubs.
    • Applications
      • Editors
    • Development
      • Development Libraries
      • Development Tools
      • Legacy Software Development
    • Base System
      • Administration Tools
      • Base
      • Legacy Software Support

First-Time Setup

Services

I noticed that ntpd was not set to start at boot. Ensure that it’s checked in the services list, or run

chkconfig ntpd on

Firewall Configuration

  • SELinux: Disabled
  • Customize open ports:
    • SSH
    • WWW (HTTP)
    • Secure WWW (HTTPS)
    • Mail (SMTP)
    • Other ports: 143, 993, 110, 995, 7071

Zimbra requires SELinux to be disabled and will not function correctly with it enforcing; the change only takes effect after a reboot. Port 7071 is the HTTPS admin console: open it only to the networks administrators connect from, never to the whole Internet. Ports 110 (POP3) and 143 (IMAP) are the unencrypted listeners; if every client can use 995 and 993 instead, leave them closed.

Operating System Finalization

Apply Operating System Updates

Log in as root.

Use yum to update the server.

yum update -y

Package Preparation

Remove sendmail; Zimbra ships its own Postfix, which needs port 25.

yum erase sendmail

Interestingly, this also removes redhat-lsb and mdadm. I’m installing on a virtual machine whose disk is already mirrored, so I don’t use any software RAID.

Ensure dependencies are installed.

yum install gmp compat-libstdc++-33 sysstat sudo libidn wget libtool-ltdl

With the current version of CentOS (5.5), this only installs sysstat and libtool-ltdl; the rest are already present.

Visually Verify the /etc/hosts File

The /etc/hosts file should look something like:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1		localhost.localdomain localhost
::1			localhost6.localdomain6 localhost6
aaa.bbb.ccc.ddd		yourhostname.yourdomain.com yourhostname

Where aaa.bbb.ccc.ddd is the server’s local, behind-the-firewall IP address. Note: on my server this had been set to the external IP address for some reason.

If the server sits behind a firewall, the address here is the local one, which may not match what public DNS returns. (The split DNS setup below takes care of the discrepancy.)

If Behind a Firewall (Set Up Split DNS)

If the server is behind a firewall, split DNS needs to be set up so that when Zimbra tries to perform a lookup for the server, the normal DNS lookup is short-circuited, and the behind-the-firewall IP address comes back to Zimbra.

Install Bind

yum install bind bind-chroot bind-libs bind-utils

Ensure bind starts automatically.

chkconfig named on

Create the named Configuration File

vim /var/named/chroot/etc/named.conf
chmod 644 /var/named/chroot/etc/named.conf

Insert the following. Change the forwarders (eee.fff.ggg.hhh, iii.jjj.kkk.lll) to the addresses of the DNS servers the machine used before, and replace domain.com with your own domain. The allow-query and allow-recursion lines restrict this resolver to the Zimbra host itself so it cannot be abused as an open resolver; if other internal hosts should use it, add their network to both ACLs.

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // Only this host needs this resolver: never become an open resolver
    // for the LAN or, should port 53 ever be exposed, the Internet.
    allow-query { localhost; };
    allow-recursion { localhost; };
    // Everything we are not authoritative for goes to the upstream servers.
    forwarders {
        eee.fff.ggg.hhh ;
        iii.jjj.kkk.lll ;
    };
};
include "/etc/rndc.key";
// Specify that this server is the master for mail.domain.com
zone "mail.domain.com" {
    type master;
    file "db.mail.domain.com";
};

Create the file described in the file line. Be sure to change domain.com to the domain of your server.

vim /var/named/chroot/var/named/db.mail.domain.com
chmod 644 /var/named/chroot/var/named/db.mail.domain.com

Insert the following. Note that adminaccount.domain.com. in the SOA record is the system administrator’s e-mail address adminaccount@domain.com: DNS writes the @ as a dot (the first dot in the name).
$TTL 2592000
@       IN      SOA     mail.domain.com. adminaccount.domain.com. (
                               10118      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

               IN      NS      mail.domain.com.
               IN      A       aaa.bbb.ccc.ddd
               IN      MX      10 mail.domain.com.

The NS record must name a host (here the server itself), never an IP address. An IP in that position is read as a relative hostname, and the zone would answer with the nonsense name aaa.bbb.ccc.ddd.mail.domain.com. The $TTL line is expected by BIND 9; without it the SOA minimum is used and a warning is logged. named-checkconf and named-checkzone (from the bind package) catch syntax errors before you start the dæmon.

Adjust resolv.conf

Adjust resolv.conf so that the local server is the primary resolver:

vim /etc/resolv.conf

Change it to look like:

search domain.com
nameserver aaa.bbb.ccc.ddd

Start the named Dæmon

chkconfig named on
service named start

Check its operation with:

dig mail.domain.com mx

It should return something similar to:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> mail.domain.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40071
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.domain.com.		IN	MX

;; ANSWER SECTION:
mail.domain.com.	2592000	IN	MX	10 mail.domain.com.

;; AUTHORITY SECTION:
mail.domain.com.	2592000	IN	NS	mail.domain.com.

;; ADDITIONAL SECTION:
mail.domain.com.	2592000	IN	A	aaa.bbb.ccc.ddd

;; Query time: 1 msec
;; SERVER: aaa.bbb.ccc.ddd#53(aaa.bbb.ccc.ddd)
;; WHEN: Sat Mar 12 17:42:25 2011
;; MSG SIZE  rcvd: 93

and

dig mail.domain.com any

should return something like:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> mail.domain.com any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1326
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.domain.com.		IN	ANY

;; ANSWER SECTION:
mail.domain.com.	2592000	IN	SOA	mail.domain.com. adminaccount.domain.com. 10118 43200 3600 3600000 2592000
mail.domain.com.	2592000	IN	NS	mail.domain.com.
mail.domain.com.	2592000	IN	A	aaa.bbb.ccc.ddd
mail.domain.com.	2592000	IN	MX	10 mail.domain.com.

;; Query time: 1 msec
;; SERVER: aaa.bbb.ccc.ddd#53(aaa.bbb.ccc.ddd)
;; WHEN: Sat Mar 12 17:43:23 2011
;; MSG SIZE  rcvd: 138

The final check resolves the server’s own hostname, which is what Zimbra does at startup. Type it verbatim:

host $(hostname)

Should return something like:

mail.domain.com has address aaa.bbb.ccc.ddd
mail.domain.com mail is handled by 10 mail.domain.com.
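A small linter for zone files of this shape, added here as an example and not part of the original post. It flags the slips that matter for a split-DNS zone: an NS, MX or CNAME target written as an IP address (which BIND treats as a relative name), an SOA contact written with @ instead of a dot, and a missing $TTL line. The zones in the test are constructed (mail.example.com, 192.0.2.10); use it alongside named-checkzone, not instead of it.

```sh
#!/bin/sh
# Added example, not from the original post. lint_zone FILE prints one
# line per finding and exits with the number of hard errors, so it can
# gate "service named restart" in a script.
lint_zone() {
    awk '
        function check_target(target, rtype, line) {
            if (target ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.?$/) {
                printf "line %d: %s target %s is an IP address, not a hostname\n", line, rtype, target
                bad++
            } else if (target !~ /\.$/ && target != "@") {
                printf "line %d: %s target %s has no trailing dot; the zone origin will be appended\n", line, rtype, target
                warn++
            }
        }
        BEGIN { bad = 0; warn = 0; ttl_seen = 0 }
        { sub(/;.*/, "") }              # strip comments
        NF == 0 { next }                # skip blank lines
        /^\$TTL/ { ttl_seen = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "NS" || $i == "MX" || $i == "CNAME") {
                    check_target($NF, $i, NR)        # target is the last field
                } else if ($i == "SOA" && i + 2 <= NF && $(i + 2) ~ /@/) {
                    printf "line %d: SOA contact %s must use a dot, not @\n", NR, $(i + 2)
                    bad++
                }
            }
        }
        END {
            if (!ttl_seen) {
                print "no $TTL directive; BIND will fall back to the SOA minimum"
                warn++
            }
            exit bad
        }
    ' "$1"
}
```

The IP-as-NS case is the one that produces the aaa.bbb.ccc.ddd.mail.domain.com. answer: the record parses, the zone loads, and only the dig output reveals the mistake.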

Adjust the Yum Update Dæmon

It may be advisable to tweak the yum dæmon so that it automatically downloads updates and sends an e-mail to notify you that the machine can be updated. Details on how to do that may be found here.

Install Zimbra

Download Zimbra

Download the 64-bit version of Zimbra for Red Hat Enterprise Linux 5. I right-click the link, paste it onto the command line, and make liberal use of tab completion in bash. For example:

cd /tmp
wget http://files2.zimbra.com/downloads/7.0.1_GA/zcs-7.0.1_GA_3105.RHEL5_64.20110304210645.tgz
tar xvzf zcs-7.0.1_GA_3105.RHEL5_64.20110304210645.tgz
cd zcs-7.0.1_GA_3105.RHEL5_64.20110304210645

Run the Installer

Run the install script.

./install.sh --platform-override

You must include the platform override option, else the installer will abort with the following error:

You appear to be installing packages on a platform different
than the platform for which they were built.

This platform is CentOS5_64
Packages found: RHEL5_64
This may or may not work.

Installation can not continue without manual override.
You can override this safety check with ./install.sh --platform-override

WARNING: Bypassing this check may result in an install or
upgrade that is NOT usable.

You will go through the following steps.

  • License agreement. Answer “Y”.
  • Prerequisite check. This should pass cleanly.
  • Package self-test.
  • Select the packages to install. Accept the defaults.
    • zimbra-ldap
    • zimbra-logger
    • zimbra-mta
    • zimbra-snmp
    • zimbra-store
    • zimbra-apache
    • zimbra-spell
    • zimbra-memcached
    • zimbra-proxy
  • A warning that you are not running on Red Hat, with the question, “Install anyway?”. Answer with “Y”.
  • A warning that the system will be modified. Answer with “Y”.
  • Installing packages.
  • Administrative install menu.

On the administrative menu, the important item is to set the admin password.

  • When complete, use “a” to apply the changes.
  • Confirm with “Yes”.
  • Accept the default configuration file name.
  • It will warn, “The system will be modified – continue?”. Answer with “Yes”.
  • The installer will set up a few more items, including creating a self-signed SSL certificate (replace it with a CA-issued one before users see the login page).
  • The installer will ask if you want to notify Zimbra of your installation. Your choice.
  • The installer will start the servers.
  • The installer will install zimlets, etc.

At last you will see:

Configuration complete - press return to exit

At this point you can point a web browser at https://mail.domain.com:7071 (the admin console, HTTPS only) and log in as admin. The install is complete.

References

  • Zimbra documentation
  • An out-of-date but useful guide is on the Zimbra forums here.
  • Setting up split DNS can be found on the Zimbra wiki here.

 


Zimbra Administration Gotchas

Zimbra has proven to be a fabulous platform that matches what we’ve needed over the past few years. I’ve run into two small setup problems that were fairly easy to fix.

Server Status Shows Nothing But Red X

We’ve run Zimbra on CentOS for years, upgrading across multiple Zimbra versions. (Again, my hat’s off to the team tasked with handling upgrades.) The Server Status panel showed nothing but red X marks everywhere. The cause turned out to be that syslogd was still running, which prevented rsyslogd from starting. I disabled the syslog service at startup, enabled rsyslog, and the problem was fixed.

Mail Server Statistics Giving Error

Specifically, the ever-so-intuitive:

exception during auth {RemoteManager: mail.xxxxx.com->zimbra@mail.xxxx.com:22} Error code: service.FAILURE Details:soap:Receiver

Zimbra is built to be distributed across several machines, so even on a single machine it uses SSH keys for passwordless access to the statistics. The Mail Queue Monitoring wiki entry has a number of suggestions for diagnosing and correcting the problem. Following its instructions I regenerated the keys. When that didn’t work it dawned on me that I run sshd on an alternate port to cut down on unauthorized login attempts. Zimbra assumes port 22 (the :22 in the error message), so the ssh login was failing. The port Zimbra uses for this is a per-server setting, zimbraRemoteManagementPort, and can be changed with zmprov rather than moving sshd back to 22.


Zimbra Start Error: slapd daemon: bind(7) failed errno=99 (Cannot assign requested address)

If you move a Zimbra server and give it a new IP address, you may see the following error when it starts up:

Initializing ldap[3725] daemon: bind(7) failed errno=99 (Cannot assign requested address)

On the Zimbra forums, jholder says, “an error 99 for ldap start is almost always a hostfile issue.” errno 99 (EADDRNOTAVAIL) means slapd tried to bind to an address that is not configured on any interface, which is exactly what happens when /etc/hosts still maps the hostname to the old IP. Remember to change the entry for the server in /etc/hosts.
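A pre-flight for both the /etc/hosts step in the install notes above and this start-up error, added here as an example that is not from the original posts: check_hosts reads an /etc/hosts-style file and succeeds only if the hostname maps to exactly one non-loopback address that is actually configured on the machine. The configured addresses are passed as arguments, so the test can use a constructed file and a constructed address list (192.168.1.25, mail.example.com); on a live box the ip command in the usage comment is assumed to be iproute2's.

```sh
#!/bin/sh
# Added example, not from the original posts.
# check_hosts FILE FQDN ADDR...  exit 0 only if FQDN maps, in FILE, to a
# single IPv4 address that is not loopback and is one of ADDR... (the
# addresses really configured on this host). Catches the three ways this
# entry goes wrong: missing, pointing at 127.0.0.1, or pointing at an
# address the box no longer has (external NAT address, or the old IP
# after a move, which is what slapd's bind() errno=99 is telling you).
check_hosts() {
    file="$1"; fqdn="$2"; shift 2
    # Every address whose line lists FQDN as one of its names.
    addr=$(awk -v h="$fqdn" '
        { sub(/#.*/, "") }                                  # strip comments
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) print $1 }
    ' "$file")
    if [ -z "$addr" ]; then
        echo "$fqdn: no entry in $file"; return 1
    fi
    n=$(printf '%s\n' "$addr" | wc -l | tr -d ' ')
    if [ "$n" -ne 1 ]; then
        echo "$fqdn: $n entries in $file: $(printf '%s' "$addr" | tr '\n' ' ')"; return 1
    fi
    case "$addr" in
        127.*|::1) echo "$fqdn: mapped to loopback ($addr); Zimbra needs a real interface address"; return 1 ;;
    esac
    for a in "$@"; do
        if [ "$a" = "$addr" ]; then
            echo "$fqdn -> $addr (configured on this host)"; return 0
        fi
    done
    echo "$fqdn -> $addr, but that address is not configured on this host"; return 1
}

# Live use on the server itself (assumes iproute2's ip command):
#   check_hosts /etc/hosts "$(hostname)" $(ip -4 -o addr | awk '{ sub(/\/.*/, "", $4); print $4 }')
```

Run it before the installer and again after any address change; the "not configured on this host" case is the one that otherwise surfaces only as the slapd bind failure above.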
