====Zimbra Mail Server====
https://www.howtoforge.com/zimbra-collaboration-suite-open-source-edition-on-centos
In this tutorial I use the hostname mail.geekdept.com with the IP address of 192.168.0.45 and a gateway of 192.168.0.1. These settings should be replaced with the appropriate hostname and IP address for your setting.
====Install CentOS 8 (Mail)====
Set your static IPv4 IP, Netmask, Gateway and DNS (if you want to authenticate against Active Directory securely via LDAPS you should have internal DNS servers already, use these). Set your hostname to your FQDN (where outside devices will know to send your E-Mail to).
Set your time zone, enable NTP.
Software selection should be set to minimal.
Partitioning:
1GB /boot on XFS
10GB / on XFS
4GB SWAP
Remaining GB /opt on XFS
Start the install and set the root password.
====Initial Setup (Mail)====
==Update and install vim==
dnf update && dnf install vim
==Create sudo User + Disable root SSH Access==
useradd sudo_username && passwd sudo_username
==Add user to wheel group for sudo privileges==
usermod -aG wheel sudo_username
Log out of root and into newly created account.
==Disable root login over SSH==
sudo vim /etc/ssh/sshd_config
Add/change the line to:
PermitRootLogin no
==Restart SSHD==
sudo systemctl restart sshd
==Install required packages==
sudo dnf install tar perl rsyslog wget nc libidn dnsmasq bind-utils unzip sysstat net-tools bzip2 spax
==Configure FirewallD==
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --zone=public --add-port=25/tcp
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --permanent --zone=public --add-port=587/tcp
sudo firewall-cmd --permanent --zone=public --add-port=993/tcp
sudo firewall-cmd --permanent --zone=public --add-port=995/tcp
sudo firewall-cmd --permanent --zone=public --add-port=7071/tcp
For Proxy Server Access
sudo firewall-cmd --permanent --zone=public --add-port=514/udp
sudo firewall-cmd --permanent --zone=public --add-port=3443/tcp
sudo firewall-cmd --permanent --zone=public --add-port=7072/tcp
sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
sudo firewall-cmd --permanent --zone=public --add-port=8443/tcp
sudo firewall-cmd --permanent --zone=public --add-port=7995/tcp
sudo firewall-cmd --permanent --zone=public --add-port=7993/tcp
sudo firewall-cmd --permanent --zone=public --add-port=389/tcp
sudo firewall-cmd --permanent --zone=public --add-port=11211/tcp
sudo firewall-cmd --permanent --zone=public --add-port=686/tcp
sudo firewall-cmd --reload
sudo systemctl daemon-reload
==Configure Swappiness/Disable IPV6==
Set the swappiness to reduce disk writing unless necessary (note: vm.swappiness=0 will turn off swap file where vm.swappiness=1 will only use swap in out of memory occasions; we'll use vm.swappiness=1). Also we will disable IPV6.
sudo vim /etc/sysctl.conf
Add/modify the lines:
vm.swappiness = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
==Enable DNSmasq==
sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
==Configure Network Interface==
sudo vim /etc/sysconfig/network-scripts/ifcfg-enp1s0
Remove anything with DNS1, DNS2 and IPV6 then add the line:
DNS1="127.0.0.1"
==Restart Network Services==
sudo nmcli connection reload && sudo systemctl restart NetworkManager
==Disk Settings==
FSTRIM is useful for SSDs or virtual disk images, enable anyway as it won't hurt.
sudo systemctl enable fstrim.timer
sudo systemctl start fstrim.timer
Check status of timer by showing systemd timers: systemctl list-timers
Check trim support by: lsblk --discard
Stop writing a timestamp every time a file is accessed
Edit the /etc/fstab file and replace all the defaults strings by defaults,noatime.
* Use noatime and dirsync on everything except / and swap
* Use noatime on /
sudo vim /etc/fstab
For example:
/dev/mapper/rhel-root / xfs defaults 1 1
becomes:
/dev/mapper/rhel-root / xfs defaults,noatime,dirsync 1 1
This completes the base installation of CentOS. On the next page we will setup Split DNS which is essential for ZCS. Go ahead and reboot, and fill up that coffee cup.
====Configure Split DNS (Mail)====
Setting up DNSMasq instead of BIND for bulletproof internal DNS resolution (SplitDNS)
This guide will guide you through the setup of DNSMasq in order to achieve the following:
- When the Zimbra server performs a DNS query for the A record of the Public Service Hostname of one of the hosted domains, answer with the LAN IP of the server itself.
- When the Zimbra server performs a DNS query for the MX record of one of the hosted domains, answer with the LAN IP of the server itself.
- When the Zimbra server performs any other DNS query, let another DNS server manage it.
- Let DNSMasq only bind to the interface it's using so that other DNS servers can be ran on the server is needed.
Why DNSMasq instead of BIND?
One word: SIMPLICITY.
BIND is a full-fledged DNS server that can perform the roles of both an Authoritative and a Recursive nameserver, but chances are that you don't need this, as you probably already have an authoritative server for your domain - for example the one of your domain Registrar or a local Active Directory server - and one or more Recursive nameservers either internal, provided by your ISP or by a dedicated DNS service such as OpenDNS. So why using it when DNSMasq, a lightweight DNS forwarder, can let you achieve a Split DNS situation in a much easier way?
Our Example Environment:
192.168.0.45 is the LAN ip of your server \\
mail.domain.com is the hostname of the server \\
domain.com is the main mail domain \\
domain2.com is an additional mail domain \\
8.8.8.8 and 8.8.4.4 are the DNS servers you want to use (in this case, Google's public DNS servers, or use your internal DNS servers as noted at the start of the document...) \\
==Edit hosts File==
sudo vim /etc/hosts
Remove any IPV6 lines and add the line for your FQDN and private IP as shown in example below:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.45 mail.domain.com mail
==Configure Resolver==
To have the host resolve through dnsmasq, you have to set your localhost (127.0.0.1) as the nameserver.
sudo vim /etc/resolv.conf
Set your search domain and localhost nameserver:
search domain.com
nameserver 127.0.0.1
==Configure DNSMasq==
DNSMasq will bind on the local address to answer DNS queries.
We'll instruct DNSMasq to answer just some queries and in the way we want, while all other queries will be forwarded to external DNS servers. Set your nameservers(server) that will be used for external DNS queries, if using AD authentication use the DNS servers of the AD domain:
sudo vim /etc/dnsmasq.conf
The file is quite large, I'll only write the config elements relevant to this guide. Add/modify the following lines, be sure to use your AD DNS servers if in use:
server=8.8.8.8
server=8.8.4.4
#except-interface=lo
listen-address=127.0.0.1
bind-interfaces
domain=domain.com
This sets up DNSMasq to listen on the local IP address and to only bind on the interface it's listening on. Also, it forces to answer any A-record DNS requests for mail.domain.com with the LAN IP. This is a "naive" trick that allows you to provisionally use the same hostname on two servers without any issues of sort.
In the same file (/etc/dnsmasq.conf), add one line like the following for each domain on your server:
mx-host=domain.com,mail.domain.com,10
This line instructs DNSMasq to always return "mail.domain.com" as the MX record for your domains which, if your /etc/hosts file is correctly configured will always point to the local server.
==Restart DNSMasq and Check==
sudo systemctl restart dnsmasq
and check that returns the local hostname/address:
dig mx domain.com
Example:
[root@mail ~]# dig mx domain.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> mx domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57740
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;domain.com. IN MX
;; ANSWER SECTION:
domain.com. 0 IN MX 10 mail.domain.com.
;; ADDITIONAL SECTION:
mail.domain.com. 0 IN A 192.168.0.45
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 18 14:16:12 PST 2016
;; MSG SIZE rcvd: 79
Also, make sure that the server can correctly resolve any other IP, try pinging some public websites to verify.
====Install Zimbra (Mail)====
Download Zimbra from: https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
try using this to bypass the form mailer: https://www.zimbra.com/try/zimbra-collaboration-open-source/thank-you/
==wget the Installer==
wget http://current.zimbra.url.and.package.tgz
Next untar, change into the directory of the installer and run the installer.
tar xvzf zcs…
cd zcs…
./install.sh
The output should look something like:
Checking for existing installation...
zimbra-drive...NOT FOUND
zimbra-imapd...NOT FOUND
zimbra-patch...NOT FOUND
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...NOT FOUND
zimbra-talk...NOT FOUND
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-dnscache...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
Select Y for the license agreement and hit enter.
Next you need to select the packages to install. Select Y or N as indicated below.
Use Zimbra's package repository [Y]
Install zimbra-ldap [Y]
Install zimbra-logger [Y]
Install zimbra-mta [Y]
Install zimbra-dnscache [N] (remember to select No)
Install zimbra-snmp [Y]
Install zimbra-store [Y]
Install zimbra-apache [Y]
Install zimbra-spell [Y]
Install zimbra-memcached [Y]
Install zimbra-proxy [Y]
Install zimbra-drive [N] (remember to select No)
Install zimbra-imapd (BETA - for evaluation only) [N] (remember to select No)
Install zimbra-chat [N] (remember to select No)
The system will be modified. Continue? [N] Y
You might get “DNS ERROR resolving MX for mail.domain.com…. Change domain name?” Say NO. This is likely because your public mx record is different from that of the one you setup in dnsmasq… I think.
Once the install is finished you are presented with the Main Menu. It looks like this:
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@maila.domain.com
******* +Admin Password UNSET
+Anti-virus quarantine user: virus-quarantine.j_fhj6nf@maila.domain.com
+Enable automated spam training: yes
+Spam training user: spam._pitqlww8@maila.domain.com
+Non-spam(Ham) training user: ham.usmf9z9om@maila.domain.com
+SMTP host: maila.domain.com
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: http://maila.domain.com:7780/aspell.php
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@maila.domain.com
+Version update source email: admin@maila.domain.com
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
Address unconfigured (**) items (? - help)
Notice the asterisks next to the Admin Password. You need to set the Admin Password before you complete the install. To do this enter 6 at the prompt and hit enter then 4 and enter. You will be prompted to change the password. After you change the password hit r which will take you back to the previous menu. Enter a at the prompt to save the configuration.
====Misc Post Setup (Mail)====
Now do the following steps to run the server properly.
==Configure Rsyslog==
sudo vim /etc/rsyslog.conf
Uncomment these two lines:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
==Enable and Restart the Rsyslogd Service==
sudo systemctl enable rsyslog
sudo systemctl restart rsyslog
==Resetup Zimbra Syslog==
sudo /opt/zimbra/libexec/zmsyslogsetup
==Update Zimbra Auth Keys and Restart Services==
sudo su - zimbra
zmupdateauthkeys
zmcontrol restart
zmcontrol status
==Enable HTTPS only for Web UI==
zmtlsctl https
zmcontrol restart
exit
==Set SELinux Context for Init Script==
sudo chcon system_u:object_r:initrc_exec_t:s0 /etc/init.d/zimbra
==SeLinux for logs==
https://forums.zimbra.org/viewtopic.php?t=68186
sudo semanage fcontext -a -t var_log_t "/opt/zimbra/log(/.*)?"
sudo restorecon -Rv /opt/zimbra/log
==Disable Exposing Zimbra Info==
https://www.basvanbeek.nl/linux/prevent-zimbra-from-sending-x-mailer-x-originating-ip-headers/
zmprov mcf zimbraSmtpSendAddMailer FALSE;
zmprov mcf zimbraSmtpSendAddOriginatingIP FALSE;
==Prevent Google/etc from indexing your Zimbra server==
https://www.basvanbeek.nl/miscellaneous/how-to-prevent-zimbra-from-being-indexed-by-google/
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE +zimbraResponseHeader "X-Robots-Tag: noindex"
==Set Message and Attachment Size Limits==
https://aarvik.dk/how-to-fix-imap-bad-maximum-literal-size-exceeded-in-zimbra/index.html
zmprov modifyConfig zimbraFileUploadMaxSize 52428800
zmprov modifyConfig zimbraImapMaxRequestSize 52428800
zmprov modifyConfig zimbraMailContentMaxSize 52428800
zmprov modifyConfig zimbraMtaMaxMessageSize 52428800
zmprov mc default zimbraMailHighlightObjectsMaxSize 400
postfix reload
zmcontrol restart
==Whitelist your local networks for DoSFilter==
I use Z-PUSH, Outlook, Blackberry mail , iOS mail and the webclient; issue with Z-PUSH not syncing deleted items and errors in Web UI were fixed by whitelisting my local network (which includes the IPs of all inside clients, proxy servers and z-push servers.
zmprov mcf +zimbraHttpThrottleSafeIPs 10.100.0.0/16
The installation is complete and you are all set to access the administrative web interface.
You can access the admin web interface by going to https://mail.domain.com:7071
The best place to start is with domains. Right now you most likely have a domain like mail.geekdept.com. You are going to want people to send email to geekdept.com. So click on domains and add that domain to the list.
====Install CentOS 8 (Proxy)====
Set your static IPv4 IP, Netmask, Gateway and DNS (if you want to authenticate against Active Directory securely via LDAPS you should have internal DNS servers already, use these). Set your hostname to your FQDN (where users will go to access their webmail).
Set your time zone, enable NTP.
Software selection should be set to minimal.
Partitioning:
1GB /boot on XFS
10GB / on XFS
4GB SWAP
Start the install and set the root password.
==Update and install vim==
dnf update && dnf install vim
==Create sudo User + Disable root SSH Access==
useradd sudo_username && passwd sudo_username
==Add user to wheel group for sudo privileges==
usermod -aG wheel sudo_username
Log out of root and into newly created account.
==Disable root login over SSH==
sudo vim /etc/ssh/sshd_config
Add/change the line to:
PermitRootLogin no
==Restart SSHD==
sudo systemctl restart sshd
==Install required packages==
sudo dnf install tar perl-core rsyslog wget nc libidn bind-utils unzip sysstat net-tools bzip2
==Configure FirewallD==
sudo systemctl enable firewalld
sudo systemctl start firewalld
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --permanent --zone=public --add-port=993/tcp
sudo firewall-cmd --permanent --zone=public --add-port=995/tcp
sudo firewall-cmd --permanent --zone=public --add-port=7071/tcp
sudo firewall-cmd --permanent --zone=public --add-port=514/udp
sudo firewall-cmd --reload
sudo systemctl daemon-reload
==Configure Swappiness/Disable IPV6==
Set the swappiness to reduce disk writing unless necessary (note: vm.swappiness=0 will turn off swap file where vm.swappiness=1 will only use swap in out of memory occasions; we'll use vm.swappiness=1). Also we will disable IPV6.
sudo vim /etc/sysctl.conf
Add/modify the lines:
vm.swappiness = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
==Disk Settings==
FSTRIM is useful for SSDs or virtual disk images, enable anyway as it won't hurt.
sudo systemctl enable fstrim.timer
sudo systemctl start fstrim.timer
Check status of timer by showing systemd timers: systemctl list-timers
Check trim support by: lsblk --discard
Stop writing a timestamp every time a file is accessed
Edit the /etc/fstab file and replace all the defaults strings by defaults,noatime.
* Use noatime and dirsync on everything except / and swap
* Use noatime on /
sudo vim /etc/fstab
For example:
/dev/mapper/rhel-root / xfs defaults 1 1
becomes:
/dev/mapper/rhel-root / xfs defaults,noatime,dirsync 1 1
==Configure hosts File==
Our Example Environment: \\
192.168.0.45 is the LAN ip of your server \\
192.168.0.46 is the LAN ip of your proxy server \\
mail.domain.com is the hostname of the server \\
webmail.domain.com is the hostname of the proxy server \\
domain.com is the main mail domain \\
domain2.com is an additional mail domain \\
8.8.8.8 and 8.8.4.4 are the DNS servers you want to use (in this case, Google's public DNS servers)
sudo vim /etc/hosts
Remove IPV6 line and add the 2 entries, 1 for the proxy server and one for the mail server:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.45 mail.domain.com mail
192.168.0.46 webmail.domain.com webmail
Note: be sure to add the Proxy server domain and IP in all the other Zimbra server /etc/hosts files.
====Install Zimbra (Proxy)====
Download Zimbra from: https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
try using this to bypass the form mailer: https://www.zimbra.com/try/zimbra-collaboration-open-source/thank-you/
==wget the Installer==
wget http://current.zimbra.url.and.package.tgz
Next untar, change into the directory of the installer and run the installer.
tar xvzf zcs…
cd zcs…
./install.sh
The output should look something like:
Checking for existing installation...
zimbra-drive...NOT FOUND
zimbra-imapd...NOT FOUND
zimbra-patch...NOT FOUND
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...NOT FOUND
zimbra-talk...NOT FOUND
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-dnscache...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
Select Y for the license agreement and hit enter.
Next you need to select the packages to install. Select Y or N as indicated below.
Use Zimbra's package repository [Y]
Install zimbra-ldap [N]
Install zimbra-logger [N]
Install zimbra-mta [N]
Install zimbra-dnscache [N] (remember to select No)
Install zimbra-snmp [N]
Install zimbra-store [N]
Install zimbra-apache [N]
Install zimbra-spell [N]
Install zimbra-memcached [Y]
Install zimbra-proxy [Y]
Install zimbra-drive [N] (remember to select No)
Install zimbra-imapd (BETA - for evaluation only) [N] (remember to select No)
Install zimbra-chat [N] (remember to select No)
The system will be modified. Continue? [N] Y
==Retrieve Zimbra LDAP master URL and Password==
To connect the Proxy install to the Mail Server you will need to know the LDAP url and password.
http://platonic.techfiz.info/2014/03/retrieve-zimbra-ldap-master-url/
Do this in the main Zimbra server:
sudo su – zimbra
zmlocalconfig -s zimbra_ldap_password ldap_master_url
For the url, just use the domain name, not the ldaps and 389 at the end; eg: only mail.domain.com.
The same command might reveal the admin password too.
You can also use the following commands to retrieve the ldap admin password:
zmlocalconfig -s | grep ldap_amavis_password
zmlocalconfig -s | grep ldap_nginx_password
zmlocalconfig -s | grep ldap_postfix_password
zmlocalconfig -s | grep ldap_replication_password
zmlocalconfig -s | grep ldap_root_password
zmlocalconfig -s | grep zimbra_ldap_password
==Secure Zimbra Interserver Communication==
Make sure ALL servers use secure communications between one another (i.e run these commands on ALL Zimbra installs and Proxy, etc):
https://wiki.zimbra.com/wiki/TLS/STARTTLS_Localconfig_Values
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e ldap_starttls_required=true
====Misc Post Setup (Proxy)====
Now do the following steps to run the server properly.
==Configure Rsyslog==
sudo vim /etc/rsyslog.conf
Uncomment these two lines:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
==Enable and Restart the Rsyslogd Service==
sudo systemctl enable rsyslog
sudo systemctl restart rsyslog
==Resetup Zimbra Syslog==
sudo /opt/zimbra/libexec/zmsyslogsetup
==Update Zimbra Auth Keys and Restart Services==
sudo su - zimbra
zmupdateauthkeys
zmcontrol restart
zmcontrol status
==Enable HTTPS only for Web UI==
zmtlsctl https
zmcontrol restart
exit
==Set SELinux Context for Init Script==
sudo chcon system_u:object_r:initrc_exec_t:s0 /etc/init.d/zimbra
==SeLinux for logs==
https://forums.zimbra.org/viewtopic.php?t=68186
sudo semanage fcontext -a -t var_log_t "/opt/zimbra/log(/.*)?"
sudo restorecon -Rv /opt/zimbra/log
==Fix Logging Issue for DoS Filter==
https://wiki.zimbra.com/wiki/How_to_fix_multiple_OIP_logging_issue
I was seeing a lot of Ignoring malformed remote address 99.99.99.99, 10.49.100.22 in my zmmailboxd.out
Run this on the proxy server
sed -i 's/$proxy_add_x_forwarded_for/$http_x_forwarded_for/g' /opt/zimbra/conf/nginx/templates/*
zmproxyctl restart
The installation is complete and you are all set to access the web interface.
You can access the admin web interface by going to https://webmail.domain.com
====Install CentOS 7 (Z-PUSH)====
CentOS 7 is used instead of 8 since there is no Z-PUSH repo for 8 yet.
Set your static IPv4 IP, Netmask, Gateway and DNS (if you want to authenticate against Active Directory securely via LDAPS you should have internal DNS servers already, use these). Set your hostname to your FQDN (set this to autodiscover.domain.com).
Set your time zone, enable NTP.
Software selection should be set to minimal.
Partitioning: \\
1GB /boot on XFS \\
10GB / on XFS \\
4GB SWAP \\
Start the install and set the root password.
https://wiki.z-hub.io/display/ZP/Installation
====Initial Setup (Z-PUSH)====
==Update and install vim==
yum update && yum install vim
==Create sudo User + Disable root SSH Access==
useradd sudo_username && passwd sudo_username
==Add user to wheel group for sudo privileges==
usermod -aG wheel sudo_username
Log out of root and into newly created account.
==Disable root login over SSH==
sudo vim /etc/ssh/sshd_config
Add/change the line to:
PermitRootLogin no
==Restart SSHD==
sudo systemctl restart sshd
==Install Z-PUSH Repo==
sudo vim /etc/yum.repos.d/z-push.repo
Add the following:
[z-push]
name=Z-Push noarch Enterprise Linux 7 - $basearch
baseurl=http://repo.z-hub.io/z-push:/final/RHEL_7
failovermethod=priority
enabled=1
gpgcheck=0
==Install Remi PHP 7.4 Repo==
sudo yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
sudo yum install yum-utils
sudo yum-config-manager --enable remi-php74
==Install required packages==
sudo yum install z-push-common z-push-config-apache z-push-autodiscover z-push-backend-carddav wget vim mod_ssl z-push-ipc-sharedmemory php-cli php-soap php-process php-mbstring php
==Configure FirewallD==
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
sudo firewall-cmd --reload
sudo systemctl daemon-reload
==Configure Swappiness/Disable IPV6==
Set the swappiness to reduce disk writing unless necessary (note: vm.swappiness=0 will turn off swap file where vm.swappiness=1 will only use swap in out of memory occasions; we'll use vm.swappiness=1). Also we will disable IPV6.
sudo vim /etc/sysctl.conf
Add/modify the lines:
vm.swappiness = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
==Disk Settings==
FSTRIM is useful for SSDs or virtual disk images, enable anyway as it won't hurt.
sudo systemctl enable fstrim.timer
sudo systemctl start fstrim.timer
Check status of timer by showing systemd timers: systemctl list-timers
Check trim support by: lsblk --discard
Stop writing a timestamp every time a file is accessed
Edit the /etc/fstab file and replace all the defaults strings by defaults,noatime.
* Use noatime and dirsync on everything except / and swap
* Use noatime on /
sudo vim /etc/fstab
For example:
/dev/mapper/rhel-root / xfs defaults 1 1
becomes:
/dev/mapper/rhel-root / xfs defaults,noatime,dirsync 1 1
Configure hosts File
Our Example Environment:
192.168.0.45 is the LAN ip of your server \\
192.168.0.46 is the LAN ip of your proxy server \\
192.168.0.47 is the LAN ip of your ZPUSH server \\
mail.domain.com is the hostname of the server \\
webmail.domain.com is the hostname of the proxy server \\
autodiscover.domain.com is the hostname of the ZPUSH server \\
domain.com is the main mail domain \\
domain2.com is an additional mail domain \\
8.8.8.8 and 8.8.4.4 are the DNS servers you want to use (in this case, Google's public DNS servers) \\
sudo vim /etc/hosts
Remove IPV6 line and add the 2 entries, 1 for the proxy server and one for the mail server:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.0.45 mail.domain.com mail
192.168.0.46 webmail.domain.com webmail
192.168.0.47 autodiscover.domain.com autodiscover
Note: be sure to add the Proxy server and ZPUSH server domainnames and IPs in all the other Zimbra server /etc/hosts files.
====Apache and Zimbra Backend (Z-PUSH)====
==Configure Apache==
sudo systemctl enable httpd
sudo systemctl start httpd
####sudo chown -R apache: /usr/share/z-push
####sudo chmod 755 /var/lib/z-push /var/log/z-push
sudo chown apache:apache /var/lib/z-push /var/log/z-push
sudo chcon -R -t httpd_sys_rw_content_t /var/lib/z-push
sudo chcon -R -t httpd_sys_rw_content_t /var/log/z-push
sudo rm /etc/httpd/conf.d/welcome.conf
==Disable Default Published Apache Directory==
sudo vim /etc/httpd/conf/httpd.conf
Set the following Directory statements with only the following options:
DocumentRoot "/var/www/html"
AllowOverride None
Require all denied
Options None
AllowOverride None
Require all denied
Options None
AllowOverride None
Require all denied
Options None
==Configure Z-PUSH==
sudo vim /usr/share/z-push/config.php
Find the backend provider initialization - and replace with Zimbra - as follows:
define('BACKEND_PROVIDER', ‘BackendZimbra');
define('TIMEZONE', ‘America/Los_Angeles');
define('PROVISIONING', false);
==Configure Z-PUSH Autodiscover==
https://wiki.z-hub.io/display/ZP/Configuring+Z-Push+Autodiscover
First you'll need public DNS entries pointing your Z-PUSH server, the name needs to be autodiscover.maildomain.com. Later you'll need a valid TLS certificate for the Z-PUSH server.
sudo vim /usr/share/z-push/autodiscover.php
Set the following:
define('TIMEZONE', 'America/Los_Angeles');
define('USE_FULLEMAIL_FOR_LOGIN', true);
define('BACKEND_PROVIDER','BackendZimbra');
http://vwiki.co.uk/Z-Push_v2_with_Zimbra#Pre_Z-Push_v2.0.6
Z-Push v2 with Zimbra
Share
The procedure below should get you up and running so that you can sync your mobile device to your Zimbra server, using the Active-Sync protocol, provided by Z-Push.
It doesn't include setting up provisioning, which is the Active-Sync feature that enhances security by providing a mechanism to remote wipe your devices, enforce storage encryption etc. Buried in the Zimbra forum thread are instructions on how to set it up - Z-Push Zimbra Backend (Push Email, Contacts, Appointments & Tasks) - Zimbra :: Forums.
Do not attempt to install Z-Push on the same server as Zimbra.
It is possible, but will require you to hack your Zimbra installation, and performing a Zimbra upgrade will probably break Z-Push.
Z-Push is essentially a website. Mobile devices access the site in order to be able to sync with your Zimbra server. Therefore, you need a publicly accessible server that can host the site, and a DNS record that points to it (that client mobile devices will need to be able to resolve)
You are advised to read the INSTALL file that comes with the Zimbra backend before you attempt the install. Don't just blindly follow the steps below, they should work but are intended to provide additional support and not to replace any of the documentation supplied by Z-Push or the Zimbra Backend's authors. You may miss a critical dependency or alteration required for your environment.
Version 65 and later has a script “zpzb-install.sh” to automate the install. Download that into your z-push backend folder (/usr/share/z-push/backend) along with the backend archive: https://sourceforge.net/projects/zimbrabackend/files/
==Download Zimbra Backend==
cd /usr/share/z-push/backend
sudo wget https://sourceforge.net/projects/zimbrabackend/files/Release70/zimbra70.tgz
sudo wget https://sourceforge.net/projects/zimbrabackend/files/Release70/zpzb-install.sh
==Make Installer Executable then Install==
Execute the script by typing ./zpzb-install.sh NN. The latest zimbraNN.tgz will be extracted into a directory zimbraNN
sudo chmod +700 zpzb-install.sh
sudo ./zpzb-install.sh 79
==Edit Backend==
sudo vim ./zimbra/config.php
Then edit the config.php in the ./backend/zimbra folder:
Add your server address (the Proxy server address is preferred, you can also use the DNS name instead of the IP if your hosts file is setup properly):
define('ZIMBRA_URL', 'https://webmail.mailserver.com');
Add another option if z-push is on the same private subnet as the Zimbra server:
define('ZIMBRA_DISABLE_URL_OVERRIDE', true);
Some additional steps are sometimes required due to bugs etc, see the INSTALL file included with the backend for more info.
• If running Zimbra 7.2 onwards and have clients with multiple devices you need to allow them to connect simultaneously, on your Zimbra server allow an appropriate number of sessions (default is 5)
◦ zmlocalconfig -e zimbra_session_limit_soap=7
◦ zmconfigdctl reload
• If running Zimbra 8 onwards you need to whitelist your Z-Push server otherwise its likely to get blocked by Zimbra, on your Zimbra server allow your Z-Push server's IP address
==Whitelist Z-PUSH Server in Zimbra==
zmprov mcf +zimbraHttpThrottleSafeIPs 192.168.0.47
==Testing==
In theory, it should be working now, in order to test...
1. Browse to your server, eg http://autodiscover.domain.com/Microsoft-Server-ActiveSync
◦ You should be prompted for a username and password (for an account on your Zimbra server)
◦ If Apache has failed to deliver the prompt to you, check the webserver log. Either your website isn't configured correctly or Z-Push experienced a PHP error.
2. Enter a valid Zimbra user/pass (use the full email address for the username)
◦ You should get a page showing "Z-Push - Open Source ActiveSync" which doesn't contain errors - this confirms that connectivity exists between all the required components (Apache, Z-Push, Zimbra), and that they are basically OK.
==Configure Autodiscover Backend==
You'll want this if you want autodiscover to work...
sudo vim /usr/share/z-push/autodiscover/config.php
Find the backend provider initialization - and replace with Zimbra - as follows:
define('BACKEND_PROVIDER', ‘BackendZimbra');
define('TIMEZONE', ‘America/Los_Angeles');
define('USE_FULLEMAIL_FOR_LOGIN', true);
==Modify Z-PUSH Conf File==
This was neccessary to pass the Activesync test
sudo vim /etc/httpd/conf.d/z-push.conf
Erase everything above # Security and add this:
# Z-Push - ActiveSync over-the-air - default Apache configuration
Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
AliasMatch (?i)/Autodiscover/Autodiscover.xml "/usr/share/z-push/autodiscover/autodiscover.php"
# Don't list a directory index, follow symlinks (maybe state dir is somewhere linked)
DirectoryIndex index.php
Options -Indexes +FollowSymLinks
# Z-push requirements
php_value magic_quotes_gpc off
php_value magic_quotes_runtime off
php_value register_globals off
php_value short_open_tag on
# Optional
# php_value display_errors off
# Setting memory limit higher (larger attachments)
php_value memory_limit 128M
Restart Apache
sudo systemctl restart httpd
==Fix Z-PUSH Logrotate==
This was needed to make the bundled z-push.lr work on CentOS
sudo chown apache:apache /var/log/z-push
Modify the logrotate config:
sudo vim /etc/logrotate.d/z-push.lr
Edit so that is matches the following:
/var/log/z-push/*.log {
size 1k
create 664 root z-push
compress
rotate 4
su root z-push
}
You can change the rotate 4 to a higher value if you want a longer history, just make sure you have enough disk space for it.
====Letsencrypt (Z-PUSH)====
Make sure you have port 80 and 443 tcp forwarded to your Z-PUSH server and the public A record pointing the autodiscover address to your public IP.
==Create Virtualhost==
This is needed so Certbot can validate a running virtualhost
sudo vim /etc/httpd/conf.d/autodiscover.domain.com.conf
Add the following:
ServerName autodiscover.domain.com
Create a new autodiscover virtual host for each email domain you'll be using.
==Remove Apache Welcome Page==
sudo rm /etc/httpd/conf.d/welcome.conf
==Restart Apache==
sudo systemctl restart httpd
==Install certbot (via snapd)==
Install/enable epel-release and snapd
sudo yum install epel-release
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo systemctl start snapd
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core; sudo snap refresh core
Remove old certbot if it exists
sudo yum remove certbot
sudo sed -i '/certbot-auto/d' /etc/crontab
sudo rm /usr/local/bin/certbot-auto
sudo rm -rf /opt/eff.org
Install certbot via snap
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Request and install certificates for virtual hosts
sudo /usr/bin/certbot --apache
When prompted enabled Redirect so all requests go over https
==Enable autorenew via crontab==
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/bin/certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
==Manual Certificate Renewal for Z-PUSH==
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Fill out requested info, put in domain name you're creating the certificate for when asked for the server name.
Submit the CSR
For Namecheap.com
Download the CRT and Bundle from Namecheap and copy the crt, bundle and server.key to their respective locations per your .conf file
Edit the Apache conf file:
SSLCertificateFile /etc/pki/tls/certs/autodiscover_domain_com.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/server.key
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/autodiscover_domain_com.bundle
chmod the server.key file to 600
Restart Apache
====Fail2ban (Z-PUSH)====
https://wiki.z-hub.io/display/ZP/Fail2Ban+support
==Install Fail2ban==
sudo yum install fail2ban policycoreutils-python
==Enable Auth Fail Logging==
sudo vim /etc/z-push/z-push.conf.php
Set the following:
define('LOGAUTHFAIL', true);
==Create a Jail for SSHd==
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
==Create a Jail for Apache==
sudo vim /etc/fail2ban/jail.d/apache.local
Add the following:
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot
[apache-modsecurity]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
==Create a filter for Z-PUSH==
sudo vim /etc/fail2ban/filter.d/z-push.conf
Add the following:
# FILE : /etc/fail2ban/filter.d/z-push.conf
# Fail2Ban configuration file
[INCLUDES]
before = common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
#
failregex = IP: failed to authenticate user
ignoreregex =
[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service
==Create a jail for Z-PUSH==
sudo vim /etc/fail2ban/jail.d/z-push.local
Add the following:
# z-push.local
[z-push]
enabled = true
port = http,https
filter = z-push
logpath = /var/log/z-push/z-push-error.log
maxretry = 5
bantime = 7200
==Fix SELinux Issue==
After an update SELinux and Fail2Ban is broken: https://bugzilla.redhat.com/show_bug.cgi?id=1777562
We'll need to use audit2allow to fix this.
==Set selinux to Permissive mode==
setenforce 0
==Restart/Enable/Check Services==
sudo systemctl restart httpd
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status z-push
==Use audit2allow to Generate selinux Rule==
https://wiki.centos.org/HowTos/SELinux
sudo grep fail2ban /var/log/audit/audit.log | sudo audit2allow -m fail2banlocal > fail2banlocal.te
Check the file to make sure it looks like everything is on the up and up.
Now make the rule:
sudo grep fail2ban /var/log/audit/audit.log | sudo audit2allow -M fail2banlocal
Make the policy active:
sudo semodule -i fail2banlocal.pp
Re-enable selinux:
sudo setenforce 1
Restart fail2ban:
sudo systemctl restart fail2ban
sudo fail2ban-client status z-push
Test it by logging into https://autodiscover.domain.com with an incorrect username/password 5 times then check:
sudo fail2ban-client status z-push
Unban your IP by typing:
sudo fail2ban-client unban --all
====Install TLS/SSL certificate====
I use the Positive SSL from namecheap.com which is a Comodo SSL.
https://wiki.zimbra.com/wiki/Installing_a_Comodo_SSL_Certificate_on_Zimbra_Collaboration
Generate the CSR via the admin console: Configure -> Certificates -> Install Certificate (for each Zimbra Server)
Download the archives that the CA sends, copy crt only to the /tmp folder (even though the CSR is generated on the Admin console, installing the certificates is done on the actual server that uses the certificate)
Download the root/intermediate certificates: \\
Sectigo RSA DV Bundle [ Intermediate + Cross Signed ] (SectigoRSADVBundle.pem) \\
SHA-2 Root : USERTrust RSA Certification Authority (SHA-2 Root USERTrust RSA Certification Authority.crt) \\
from: https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO . Copy them to the /tmp folder.
Combine the Root and Intermediate certificates (do this on each respective Zimbra server):
cat /tmp/"SHA-2 Root USERTrust RSA Certification Authority.crt" /tmp/SectigoRSADVBundle.pem > /tmp/commercial_ca.crt
cp /tmp/my_domain_com.crt /tmp/commercial.crt
If the command below fails try adding the contents of "SHA-2 Root USERTrust RSA Certification Authority.crt" to the top of "SectigoRSADVBundle.pem" and rename that commercial_ca.crt
For the commerical_ca.crt this worked as of June 13 2024 (here as a shortcut to those of you that are doing this certificate renewal thing on Zimbra often)
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTgx
MTAyMDAwMDAwWhcNMzAxMjMxMjM1OTU5WjCBjzELMAkGA1UEBhMCR0IxGzAZBgNV
BAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UE
ChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQDEy5TZWN0aWdvIFJTQSBEb21haW4g
VmFsaWRhdGlvbiBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA1nMz1tc8INAA0hdFuNY+B6I/x0HuMjDJsGz99J/LEpgPLT+N
TQEMgg8Xf2Iu6bhIefsWg06t1zIlk7cHv7lQP6lMw0Aq6Tn/2YHKHxYyQdqAJrkj
eocgHuP/IJo8lURvh3UGkEC0MpMWCRAIIz7S3YcPb11RFGoKacVPAXJpz9OTTG0E
oKMbgn6xmrntxZ7FN3ifmgg0+1YuWMQJDgZkW7w33PGfKGioVrCSo1yfu4iYCBsk
Haswha6vsC6eep3BwEIc4gLw6uBK0u+QDrTBQBbwb4VCSmT3pDCg/r8uoydajotY
uK3DGReEY+1vVv2Dy2A0xHS+5p3b4eTlygxfFQIDAQABo4IBbjCCAWowHwYDVR0j
BBgwFoAUU3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFI2MXsRUrYrhd+mb
+ZsF4bgBjWHhMA4GA1UdDwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHSAEFDASMAYGBFUdIAAw
CAYGZ4EMAQIBMFAGA1UdHwRJMEcwRaBDoEGGP2h0dHA6Ly9jcmwudXNlcnRydXN0
LmNvbS9VU0VSVHJ1c3RSU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDB2Bggr
BgEFBQcBAQRqMGgwPwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNv
bS9VU0VSVHJ1c3RSU0FBZGRUcnVzdENBLmNydDAlBggrBgEFBQcwAYYZaHR0cDov
L29jc3AudXNlcnRydXN0LmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAMr9hvQ5Iw0/H
ukdN+Jx4GQHcEx2Ab/zDcLRSmjEzmldS+zGea6TvVKqJjUAXaPgREHzSyrHxVYbH
7rM2kYb2OVG/Rr8PoLq0935JxCo2F57kaDl6r5ROVm+yezu/Coa9zcV3HAO4OLGi
H19+24rcRki2aArPsrW04jTkZ6k4Zgle0rj8nSg6F0AnwnJOKf0hPHzPE/uWLMUx
RP0T7dWbqWlod3zu4f+k+TY4CFM5ooQ0nBnzvg6s1SQ36yOoeNDT5++SR2RiOSLv
xvcRviKFxmZEJCaOEDKNyJOuB56DPi/Z+fVGjmO+wea03KbNIaiGCpXZLoUmGv38
sbZXQm2V0TP2ORQGgkE49Y9Y3IBbpNV9lXj9p5v//cWoaasm56ekBYdbqbe4oyAL
l6lFhd2zi+WJN44pDfwGF/Y4QA5C5BIG+3vzxhFoYt/jmPQT2BVPi7Fp2RBgvGQq
6jG35LWjOhSbJuMLe/0CjraZwTiXWTb2qHSihrZe68Zk6s+go/lunrotEbaGmAhY
LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0
aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sI
s9CsVw127c0n00ytUINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnG
vDoZtF+mvX2do2NCtnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQ
Ijy8/hPwhxR79uQfjtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfb
IWax1Jt4A8BQOujM8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0
tyA9yn8iNK5+O2hmAUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97E
xwzf4TKuzJM7UXiVZ4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNV
icQNwZNUMBkTrNN9N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5
D9kCnusSTJV882sFqV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJ
WBp/kjbmUZIO8yZ9HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ
5lhCLkMaTLTwJUdZ+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzG
KAgEJTm4Diup8kyXHAc/DVL17e8vgg8CAwEAAaOB8jCB7zAfBgNVHSMEGDAWgBSg
EQojPpbxB+zirynvgqV/0DCktDAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rID
ZsswDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAG
BgRVHSAAMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0FBQUNlcnRpZmljYXRlU2VydmljZXMuY3JsMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUA
A4IBAQAYh1HcdCE9nIrgJ7cz0C7M7PDmy14R3iJvm3WOnnL+5Nb+qh+cli3vA0p+
rvSNb3I8QzvAP+u431yqqcau8vzY7qN7Q/aGNnwU4M309z/+3ri0ivCRlv79Q2R+
/czSAaF9ffgZGclCKxO/WIu6pKJmBHaIkU4MiRTOok3JMrO66BQavHHxW/BBC5gA
CiIDEOUMsfnNkjcZ7Tvx5Dq2+UUTJnWvu6rvP3t3O9LEApE9GQDTF1w52z97GA1F
zZOFli9d31kWTz9RvdVFGD/tSo7oBmF0Ixa1DVBzJ0RHfxBdiSprhTEUxOipakyA
vGp4z7h/jnZymQyd/teRCBaho1+V
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
==Validate Certificates and Chains==
If you get an error here you can't continue.
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/commercial.crt /tmp/commercial_ca.crt
==Deploy the Certificates==
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/commercial_ca.crt
zmcontrol restart
==Enable LDAPS==
zmlocalconfig -e ldap_common_require_tls=1
zmcontrol restart
====Fail2Ban (MAIL & PROXY)====
NOTE: this needs to be tested and modified accordingly (07-03-2020) \\
NOTE: If a user account gets disabled in Zimbra due to too many incorrect logins, it's likely the IP is also banned in Fail2Ban on the Z-PUSH/Proxy/Mail servers.
==Install Fail2Ban==
sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
==Create a Jail for SSHd==
sudo vim /etc/fail2ban/jail.d/sshd.local
Add the following:
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[selinux-ssh]
enabled = true
port = ssh
logpath = %(auditd_log)s
==Create Zimbra Filter==
https://github.com/leogallego/fail2ban-zimbra
sudo vim /etc/fail2ban/filter.d/zimbra.conf
Add the following:
# Fail2Ban configuration file
#
# Author: Leonardo A. Gallego
#
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P[\w\-.^_]+)
# Values: TEXT
failregex = \[ip=;\] account – authentication failed for .* \(no such account\)$
\[ip=;\] security – cmd=Auth; .* error=authentication failed for .*, invalid password;$
\[ip=;\] security – cmd=AdminAuth; .* error=authentication failed for .*, invalid password;$
\[ip=;\] security – cmd=Auth; .* error=authentication failed for .*, account lockout$
\[ip=;\] account – authentication failed for .* \(account lockout\)$
;oip=;.* security – cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
\[oip=;.* SoapEngine – handler exception: authentication failed for .*, account not found$
WARN .*ip=;ua=ZimbraWebClient .* security – cmd=AdminAuth; .* error=authentication failed for .*;$
WARN \[.*\] \[name=.*;ip=;ua=.*;\] security - cmd=Auth; account=.*; protocol=.*; error=.*, invalid password;
INFO .*ip=;ua=zclient.*\] .* authentication failed for \[.*\], (invalid password|account not found)+$
NOQUEUE: reject: RCPT from .*\[\]: 550 5.1.1 .*: Recipient address rejected:
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#ignoreregex =
==Create a Postfix SASL Filter==
sudo vim /etc/fail2ban/filter.d/postfix-sasl.conf
Add the following:
# Fail2Ban filter for postfix authentication failures
#
#
# Author: Leonardo A. Gallego
# Revision: 16.12.05
# Description: Modified SASL filter for Zimbra Postfix authentication failures
[INCLUDES]
before = common.conf
[Definition]
_daemon = postfix/smtpd
failregex = (?i): warning: [-._\w]+\[\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/ ]*)?$
#ignoreregex =
==Create Zimbra Jail==
https://forums.zimbra.org/viewtopic.php?t=58894
sudo vim /etc/fail2ban/jail.d/zimbra.local
Add the following:
# Zimbra 8.0.x compatible
[DEFAULT]
ignoreip = 200.200.200/32 ##Put the IP of your external relay if you use one, I've had issues with zimbra-recipient banning our relay as of 8.8 with the rules used in this document...
[zimbra-account]
### Set to enabled = false on Zimbra Proxy
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-account]
logpath = /opt/zimbra/log/mailbox.log
bantime = 7200
maxretry = 5
[zimbra-audit]
### Set to enabled = false on Zimbra Proxy
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-audit]
logpath = /opt/zimbra/log/audit.log
bantime = 7200
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra
action = iptables-allports[name=Zimbra-recipient]
logpath = /var/log/zimbra.log
findtime = 604800
bantime = 7200
maxretry = 5
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=Postfix, port=smtp, protocol=tcp]
logpath = /var/log/zimbra.log
bantime = 7200
maxretry = 5
[sasl-iptables]
enabled = true
#filter = sasl
filter = postfix-sasl
action = iptables-allports[name=sasl]
logpath = /var/log/zimbra.log
bantime = 7200
maxretry = 5
# filter: postfix-sasl must exist in filter.d
==Restart Fail2Ban and Check Status==
sudo systemctl restart fail2ban
sudo fail2ban-client status
====Misc Polishing====
==Add Proxy and Z-PUSH Server IPs to Trusted List==
This allows external IP addresses to show up as OIP in Zimbra logs, plus other useful stuff I’m sure. The needs to be done on a single server only, preferably the main server.
zmprov mcf +zimbraMailTrustedIP 192.168.0.46
zmprov mcf +zimbraMailTrustedIP 192.168.0.47
zmcontrol restart
==Verify the Settings==
zmprov gcf zimbraMailTrustedIP
==Relaying/Domain Forwarding==
https://wiki.zimbra.com/wiki/Managing_Domains
If you want the Zimbra server to relay all mail destined for a particular domain (say, example.com) to another mta (say, other-mta.domain.com), you can forward the domain.
zmprov
md example.com zimbraMailCatchAllAddress @example.com
md example.com zimbraMailCatchAllForwardingAddress @example.com
md example.com zimbraMailTransport smtp:other-mta.domain.com
==Removal of Relaying/Domain Forwarding==
If at a later date you wish to remove the domain forwarding/catchall address run the following commands:
zmprov md domain.com zimbraMailCatchAllAddress ""
zmprov md domain.com zimbraMailCatchAllForwardingAddress ""
zmprov md domain.com zimbraMailTransport lmtp:server.domain.com:7025
Where domain.com is your domain and server.domain.com is the FQDN (Fully Qualified Domain Name) of your Zimbra server.
==Domain Catchall==
If you want to set up an account "user@domain.com" to catch any mail not delivered to existing users in the domain "domain.com", you can configure the account as a domain catchall.
zmprov modifyAccount user@domain.com zimbraMailCatchAllAddress @domain.com
If the users "john@domain.com", "webmaster@domain.com", and "xyznobody@domain.com" don't exist, and mail arrives for them, it will be delivered to the catchall account "user@domain.com". This will increase the amount of spam delivered, and can lead to being blacklisted. To remove the catchall from an email account, unset the catchall address:
zmprov modifyAccount user@domain.com zimbraMailCatchallAddress ""
==DKIM==
https://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing
We normally use a relay to send E-mail through and DKIM signatures are added there, but with DMARC added internal messages were being flagged as SPAM so it appears E-Mail that doesn't go out through the relay will need to be signed as well.
Add DKIM data
/opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
Copy the data it generates and record it in your Zimbra document. Create a DNS record for the public DKIM key.
====Tuning====
Incorporate some of info found here after verification: https://wiki.zimbra.com/wiki/Ajcody-Mysql-Topics
Incorporate some of info found here after verification: https://forums.zimbra.org/viewtopic.php?t=18006
Use a Mysql tuner which will check and make recommendations for mysql settings (note: use after production server is running for over 24hours, run at least once a year): https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
wget https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
mv mysqltuner.pl /opt/zimbra/mysqltuner.pl
chown zimbra.zimbra /opt/zimbra/mysqltuner.pl
chmod +x /opt/zimbra/mysqltuner.pl
su - zimbra
./mysqltuner.pl
===Set Cache sizes===
This is for inactive IMAP sessions \\
https://forums.zimbra.org/viewtopic.php?f=15&t=62916
zmprov ms `zmhostname` zimbraImapInactiveSessionEhcacheSize 104857600
zmprov ms `zmhostname` zimbraImapInactiveSessionCacheMaxDiskSize 2147483648
====BONUS Reverse Proxy====
If you setup a reverse proxy for any of your other public services you can use it too for the z-push and Zimbra proxy server. This way you can setup letsencrypt on the proxy and use your own internal certificate authority for the z-push and proxy servers (the mta should still use a publicly trusted certificate); no worrying about renewing certificates on 3 mail devices every year... and it saves you your very precious public ips.