Tag: Zimbra

Disabling services on Zimbra

This will disable snmp, you may also consider disabling logger and stats.

zmprov ms server.hostname.se -zimbraServiceEnabled snmp

 

 


Zimbra upgrade from 8.0.7 to 8.50

The upgrade went smoothly. The hiccoughs I had were based on the move of the Postfix postfix_transport_maps to LDAP and the decision to stop supporting hash function in the postfix transportfile from 8.50 onwards. This meant that the setting was broken and then migrated to LDAP.

The error message printed in zimbra.log is:

postfix/trivial-rewrite[22832]: warning: hash:/opt/zimbra/postfix/conf/transportfile is unavailable. unsupported dictionary type: hash

I could see the setting, which had the default setting and the server specific setting. The first output is the global setting that has been migrated, the second is the server specific setting:

zmprov getConfig zimbraMtaTransportMaps

The original result provided two results:

zimbraMtaTransportMaps: proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
zimbraMtaTransportMaps: hash:/opt/zimbra/postfix/conf/transportfile proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

What I want in the end result is:

zimbraMtaTransportMaps: lmdb:/opt/zimbra/postfix/conf/transportfile proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

To change this setting I used to be able to use zmprov; however the new setting is set in LDAP, which will require the use of        .

To start there is a very useful page here: https://wiki.zimbra.com/wiki/Ajcody-LDAP-Topics that gives some great tips to be able to do queries on the Zimbra LDAP database.  Changing to the zimbra user and sourcing the correct variables allows us to do very easy queries. We can do:

su – zimbra source ~/bin/zmshutil zmsetvars ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password

We are now given the full LDAP dump, which we can pipe through grep to find the transport settings:

ldapsearch -x -H $ldap_master_url -D $zimbra_ldap_userdn -w $zimbra_ldap_password | grep transport

I found two entries here as I mentioned, I want to change both of them.

I ought to be able to do this using zmprov and the zimbraMtaTransportMaps key. There is no example that I could find on the Internet and rather than experiment on the server I cheated and used a graphical LDAP editor to change the setting from hash to LDAP.

I browsed through config and then servers to find the global setting and then the server specific setting respectively.

Now when I run:

zmprov getConfig zimbraMtaTransportMaps

I get the correct result and Zimbra starts accpeting email again.

LDAP Zimbra login screen

LDAP Zimbra login screen

Zimbra LDAP browser

Zimbra LDAP browser

Comments Off on Zimbra upgrade from 8.0.7 to 8.50 more...

Difficulty with calendar sync on my Q10 – Resolved

Note – This has now been resolved. I found a couple of other people who had had similar issues.

Some long term repeat appointments cause all appointments to disappear in the calendar on the device. It also hides all appointments in other ActiveSync calendars too. The solution was to delete long term repeat appointments until the culprit is found. I will be looking through the logs to try to identify the particular issue so it may be fixed permanently.

When I add a new ActiveSync account on a Blackberry Q10 the calendar appointments appear initially but as I suppose the sync completes all the calendar appointments disappear. They still are held as I get reminders but they do not show.

 

ActiveSync 1

Initial ActiveSync sync with appointments showing

 

 

 

 

 

 

 

 

 

 

 

As the sync continues we see the months filling out:

ActiveSync 2

We can see the dates filling out, the larger the date number the more appointments

 

 

 

 

 

 

 

 

 

 

 

 

As the sync completes the appointments all disappear in the Q10 calendar app.

ActiveSync 3

Q10 appointments disappear as the sync completes

 

Calendar now blank

Calendar now blank

 

 

 

 

 

 

 

 

 

 

 

The appointments must still be present as we can see from the screenshot that they appear as a reminder on the lock screen.

ActiveSync 4

The appointments do not show in the Calendar app but do show in the lock screen.


Authenticating against Zimbra LDAP

 

Put the correct user, hostname and domain in. This is using example.co.uk as a domain. The capital w ensures it asks you for your password.

ldapsearch -x -h $hostname -D uid=$user,ou=people,dc=$example,dc=co,dc=uk -W

This search uses a standard user to authenticate.

You can authenticate using the main LDAP user and password; however I suggest creating a separate user with few permissions, just to make the bind.

You can find out the main LDAP password by running

zmlocalconfig -s | grep ‘ldap_’ | egrep ‘password|url’  as zimbra user on your mail server

If you really want to use the root LDAP user to bind the DN is uid=zimbra,cn=admins,cn=zimbra as seen below

The configuration below allows all zimbra users to connect to the owncloud instance using their zimbra details. Please also note that the default for Zimbra is to use unencrypted connections. This means that the bind is going across the network unencrypted. Hence not a great idea to use the root LDAP user. One can search for how to set up Zimbra to use ldaps.

Main LDAP config for owncloud

Main LDAP config for owncloud

Advanced LDAP config for owncloud

Advanced LDAP config for owncloud


Zimbra Host Admin

Unlock an account:

zmprov ma admin@example.com  zimbraAccountStatus active

To modify selinux rules

policycoreutils-python is needed

To set up mail on a new port with SELinux semanage port -a -t smtp_port_t -p tcp 25000
to list existing smtp ports:
semanage port -l|grep smtp

To allow apache to send email when using SELinux:

semanage boolean -m –on httpd_can_sendmail

This will list all the SElinux type labels that have been associated with ports.
#/usr/sbin/semanage port -l

#/usr/sbin/semanage port -a -t ssh_port_t -p tcp 330

LDAP queries

ldapsearch -x -Z -v -H ‘ldap://zimbraserver.example.com’ -b ‘ou=people,dc=example,dc=com’  -D ‘uid=admin,ou=people,dc=example,dc=com’ -W

Locked status and error messages

1. Login as #root

2. Change to zimbra user#su zimbra

3. Copy this code $ vi /opt/zimbra/jetty-6.1.5/webapps/zimbra/WEB-INF/classes/messages/ZMsg.properties

4. Find this account.CHANGE_PASSWORD = Your password in no longer valid. Please choose a new password.
http://nguoiquynhon.blogspot.co.uk/2010_03_01_archive.html
Domain Masquerading

If you want mail from user@domain.com or user@zimbra.domain.com to appear to come from user@example.com, you can set the canonical address for the entire domain.

zmprov md domain.com zimbraMailCatchAllAddress @domain.com zimbraMailCatchAllCanonicalAddress @example.com
zmprov md zimbra.domain.com zimbraMailCatchAllAddress @zimbra.domain.com zimbraMailCatchAllCanonicalAddress @example.com

Change webmail port

su – zimbra
zmprov ms mail.yourdomain.com zimbraMailPort 8888
zmprov ms mail.yourdomain.com zimbraMailSSLPort 8889
zmcontrol stop ; zmcontrol start

Change ssh port
zmprov ms www.harkness.se zimbraRemoteManagementPort 22

Adding a delimiter to Postfix
zmprov mcf zimbraMtaRecipientDelimiter –

Creating a user alias

zmprov aaa accountname@domain.com aliasname@domain.com

Import a self-signed certificate allowing connection to imap etc.

keytool -import -file /tmp/certificate.txt -alias mail.example.com -keystore /opt/zimbra/java/jre/lib/security/cacerts -storepass changeit

Fixing logger not starting
/opt/zimbra/libexec/zmsyslogsetup

Forwarding all mail for a particular domain to a new server
[zimbra@www ~]$ zmprov
prov> md lists2.example.com zimbraMailCatchAllAddress @mailinglists.example.com
prov> md lists2.example.com zimbraMailCatchAllForwardingAddress @mailinglists.example.com
prov> md lists2.example.com zimbraMailTransport smtp:mailman.example.com:25001
prov> quit

Changing Spam scores:
vi /opt/zimbra/conf/spamassassin/50_scores.cf

# make the Bayes scores unmutable (as discussed in bug 4505)
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00  0  0 -1.5   -1.9
score BAYES_05  0  0 -0.3   -0.5
score BAYES_20  0  0 -0.001 -0.001
score BAYES_40  0  0 -0.001 -0.001
score BAYES_50  0  0  3.0    1.8
score BAYES_60  0  0  3.5    2.5
score BAYES_80  0  0  4.7    4.0
score BAYES_95  0  0  6.2    6.0
score BAYES_99  0  0  9.8    9.5
endif

Filtering Spam
vi /opt/zimbra/conf/salocal.cf.in
uri VOUCHER4 /jeanpatrique.co.uk/
score VOUCHER4 40
uri VOUCHER3 /agency3.co.uk/
score VOUCHER3 20
uri VOUCHER1 /worldofvouchers.com/
score VOUCHER1 20
body UAESPAM /BroadcastUAE/i
score UAESPAM 20
body LOCAL_RULE    /jeanpatrique/
score LOCAL_RULE   30.5

Routing mail (example sending newdomain.com mail to primarydomain.co.uk)

Configuring transport tables to relay emails to a different mail server. In this example I am forwarding all emails for otherdomain.com to smtp.otherdomain.com . You can add as many transport maps as you need. All commands should be run as a user ‘zimbra’. After 5.0.9, postfix_transport_maps has been modified a bit, so we’ll show both ways.

$ zmlocalconfig   |grep -i postfix_transport_maps

This will show you the current transport maps file configuration:

postfix_transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf

or for Zimbra 5.0.9 and higher (including 6.0):

postfix_transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

Create your transport file (owner/group-owner should be zimbra):

vi /opt/zimbra/postfix/conf/transportfile
otherdomain.com     :[smtp.otherdomain.com]

You can also add multiple transport maps, for example:

mydomain.com     :[mail.otherdomain.com]
mydomain.org     :[mail.otherdomain.com]
hisdomain.net    :[mail.otherdomain.com]

In this example all emails for 3 different domains will go to mail.otherdomain.com, so destination will be changed, while user name will remain as in original email address.

Convert the transport file into maptype database file:

$ postmap /opt/zimbra/postfix/conf/transportfile

The file transportfile.db will be created in this directory. Define the new transport file (original, not *.db one) BEFORE the default one. Run:

$ zmlocalconfig -e postfix_transport_maps=”hash:/opt/zimbra/postfix/conf/transportfile ldap:/opt/zimbra/conf/ldap-transport.cf”

Or for Zimbra 5.0.9 and higher:

$ zmlocalconfig -e postfix_transport_maps=”hash:/opt/zimbra/postfix/conf/transportfile proxy:ldap:/opt/zimbra/conf/ldap-transport.cf”

Finally, make sure that the relay_domains parameter in main.cf contains all domains handled by the server, whether locally or relayed elsewhere:

$ vi /opt/zimbra/postfix/conf/main.cf
relay_domains = otherdomain.com, mydomain.com, mydomain.org, hisdomain.net, locallyhandleddomain.com, localaliaseddomain.com

Restart Zimbra:

zmcontrol stop
zmcontrol start

Regenerating Keys

To regenerate the ssh keys, on all hosts (as the zimbra user):
zmsshkeygen

To deploy the keys, on all hosts (as the zimbra user):
zmupdateauthkeys
Verifying sshd configuration

The authentication method assumes that sshd on the mta is running on port 22, and that RSA Authentication is enabled. You can test the ssh command with:
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM

Comments Off on Zimbra Host Admin more...

Zimbra migration

The first step was to set up Red Hat Enterprise 6 (RHEL6). It is important to keep the data separate from the root directory so that the mail server cannot cause the server to fail (and prevent debugging and fixing it.)

I have a fresh install on the new server with a 30Gb / partition and the remainder in /opt

Zimbra does not user the /home directory and all data goes in to /opt for a single server.

If you want to encrypt the file system it will provide further protection for your data, though be aware that you will need to put the password in every time it boots, which means that following a power failure the system will not automatically recover without intervention.

Leaving selinux on will protect services other than zimbra but note that zimbra will be running without selinux protection.

You might also want to install fail2ban which prevents scripts trying to guess smtp and ssh passwords.

Please note (Zimbra will fail to start correctly if this is not done) that the zimbra user ID has to be the same on the originating server as the new server. check by running id zimbra on both machines.

The new server also needs the /etc/hosts file set up correctly. It needs the following entry:

IPaddress Fully.Qualified.Hostname Hostname

The server also needs MX and A DNS records set correctly. This can be easily done using dnsmasq. A quick install: yum -y install dnsmasq

Then the following lines need to be set in /etc/dnsmasq.conf:

address=/fully.qualified.hostname/IPaddress

mx-host=yourdomainname.com,your.mailhost.com,50

#This line is your forwarding nameserver

server=IPaddress

Turn dnsmasq on by:

service dnsmasq restart

chkconfig dnsmasq on

Now we can install the zimbra binaries available from Zimbra.com

untar the binaries and then change to the new directory and run

./install

Answer all the questions and the install ought to run smoothly.

Then we can transfer the data from the old server to the new server. We can do this while the old server is running to get the majority of the data across and then the final change over with the old server stopped to ensure no mail is lost. As the data can take many hours to transfer on the first sync it is a better way to do it rather than transfer it with the originating server turned off for 10 or more hours.

The data can be transferred from the originating server with the following command (all on one line):

rsync -avHK --delete --progress --stats  --exclude 'data.mdb' /opt/zimbra  root@newserveraddress:/opt/

I have excluded the data.mdb file as it is a sparse file that is 80Gb and can take a huge amount of time to transfer and we can find a better way to transfer it.

Once this has been done we can take a copy of the database and do a final sync.

On the originating server stop zimbra:
service zimbra stop

The 80Gb file probably only contains about 100Mb of data, we can easily take a copy of the file and then transfer the smaller file:
mkdir /opt/databackup
#All on one line:
/opt/zimbra/openldap/bin/mdb_copy /opt/zimbra/data/ldap/mdb/db /opt/databackup

#All on one line:
rsync -turv --stats --progress /opt/databackup/data.mdb root@newserveraddress:/opt/zimbra/data/ldap/mdb/db/data.mdb

We then need to correct the permissions on the new server running the following command as root:
/opt/zimbra/libexec/zmfixperms --extended --verbose

Time to start the service:

service zimbra start

I have also found that while making the migration the logging service fails. This can be corrected with the following command run as root:

/opt/zimbra/libexec/zmsyslogsetup

The final item we need to correct is the ssh keys, which are set for the old server:

su - zimbra

#Create the keys

zmsshkeygen

#Deploy the keys

zmupdateauthkeys

All ought to be well. don’t forget to check the logs etc.

Comments Off on Zimbra migration more...

Zimbra Tweaks

An account on Zimbra can become locked if someone is running a dictionary attack against it. More than 10 wrong password attempts in an hour will lock it for about an hour (I think those are the defaults).

Unlock an account from the command line:
zmprov ma user@example.com  zimbraAccountStatus active
Fixing logger not starting
/opt/zimbra/libexec/zmsyslogsetup

 Change webmail port

su - zimbra
zmprov ms mail.yourdomain.com zimbraMailPort 8888
zmprov ms mail.yourdomain.com zimbraMailSSLPort 8889
zmcontrol stop ; zmcontrol start

Copyright © 1996-2013 Xander Harkness. All rights reserved.
iDream theme by Templates Next | Powered by WordPress
loading