Installing Zimbra 8.7.1 on CentOS 7


Before we begin

Before we even begin, this blog post assumes the reader has a basic understanding of Linux, TCP/IP, DNS, and how email in general works. It also assumes you are familiar with the Linux command line. The commands highlighted in the black boxes are the commands you need to run. Most of the time I will not go into what they output; I assume you are familiar with these, and if you are not, I suggest you become familiar before venturing any further.

A word of WARNING

Running an open source (free) mail server for a business can save you a LOT of money in license fees etc, however it also means that when the brown stuff hits the fan you are alone. Of course there are forums and communities, but when you have a 300+ user mail server which just refuses to boot up after a power failure, or just won’t work for no apparent reason, you won’t have time (or will power) to go look up the forums and ask questions while patiently waiting for replies, which will perhaps never materialise anyway, or if and when they do, they could make you dig an even deeper hole than the one you are already in.

What I mean to say is, Open Source is a great thing, as is the community behind it, but you need to prepare yourself for the worst. You are saving money on licenses for your mail server, so make sure you invest in a good and reliable backup system, and have a disaster recovery plan in place. Disaster recovery simulations every so often on dummy servers are a MUST. This will ensure that if you ever need to restore from your backups, you will be able to, and not discover that the backups are useless on your life’s worst day!

Simulations will also help you recover as quickly as possible from disasters, since you would have done it many times before, and you know what’s coming next and what to expect at every step.

I have been running a 270+ user Zimbra open source edition server for over 5 years now, and I would recommend it to anyone (who is comfortable with command line stuff and unix), however I also had my share of horror stories, but that’s for another blog post.

One final word of advice: if you are running the server in a virtualised environment (and you really should), take a snapshot before you touch anything you aren’t 100% sure of. It won’t take long, and you will really be glad you did if things go south.

So let’s get cracking.

Basic server preparations

  • Install Centos 7 minimal
  • Login as “root”
  • Activate the Network connection, make it permanently active, and configure a fixed I.P. Address using the “nmtui” command (This example assumes 192.168.0.5/24).
  • For your DNS server use the I.P. Address of the server itself (192.168.0.5), and for the secondary DNS server use your default DNS server. We will be installing and enabling a local DNS server for split DNS. More about this later.
  • Install the net-tools package
  • #yum install net-tools
  • Check that the correct timezone is selected for the server. (check to see that the link /etc/localtime actually points to your timezone) if not this can be deleted and a new link created to the correct timezone.
  • All timezone files are located in “/usr/share/zoneinfo/“. In my case my timezone is Europe/Berlin.
  • #\rm /etc/localtime
    #ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
    
  • Next we install, run, and enable on startup ntp
  • #yum install ntp
    #ntpdate pool.ntp.org
    #chkconfig ntpdate on
  • Check that we now have the correct date and time on the server.
  • # date
    Tue 17 Jan 14:29:07 CET 2017 
  • We will now install a Local DNS Server
  • #yum install bind bind-utils
  • And my favourite editor (vim)
  • #yum install vim
  • Make a copy of the named.conf file just in case
  • #cp /etc/named.conf /etc/named.conf.orig
  • Let’s now edit the named configuration
  • #vim /etc/named.conf
  • Delete the line listen-on-v6 port 53 { ::1; };   (We will not be using IPv6)
  • and just below it add :- forwarders {8.8.8.8;8.8.4.4;}; You can also use your own dns servers here.
  • We now need to add our zone (for split DNS); this is required by Zimbra. Since most mail servers live behind firewalls, the internal IP of the server is not the same as the public I.P. Zimbra requires an A and an MX record for the server, so we need to set these up.
  • Add the following lines to the /etc/named.conf file (just above the final include lines)
    zone "YOURDOMAIN.COM" in {type master; file "YOURDOMAIN.COM";};
  • Your named.conf should look more or less like this :-
  • //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    // See the BIND Administrator's Reference Manual (ARM) for details about the
    // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    
    options {
     listen-on port 53 { 127.0.0.1; };
     directory "/var/named";
     dump-file "/var/named/data/cache_dump.db";
     statistics-file "/var/named/data/named_stats.txt";
     memstatistics-file "/var/named/data/named_mem_stats.txt";
     allow-query { localhost; };
    
     /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
     recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
     control to limit queries to your legitimate users. Failing to do so will
     cause your server to become part of large scale DNS amplification
     attacks. Implementing BCP38 within your network would greatly
     reduce such attack surface
     */
     recursion yes;
    
     dnssec-enable yes;
     dnssec-validation yes;
     forwarders {
     8.8.8.8;
     8.8.4.4;
     };
    
    
     /* Path to ISC DLV key */
     bindkeys-file "/etc/named.iscdlv.key";
    
     managed-keys-directory "/var/named/dynamic";
    
     pid-file "/run/named/named.pid";
     session-keyfile "/run/named/session.key";
    };
    
    logging {
     channel default_debug {
     file "data/named.run";
     severity dynamic;
     };
    };
    
    zone "." IN {
     type hint;
     file "named.ca";
    };
    
    zone "YOURDOMAIN.COM" in {
     type master;
     file "YOURDOMAIN.COM";
    };
    
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    

    Now let’s create the zone file for the domain

     #cd /var/named 
     #vim YOURDOMAIN.COM 
    $ORIGIN YOURDOMAIN.COM.
    $TTL 38400
    YOURDOMAIN.COM. IN SOA NS1 Administrator.YOURDOMAIN.COM. (
     2010022801        ; Serial
     10800             ; Refresh
     3600              ; Retry
     604800            ; Expire
     86400             ; Minimum
    )
    YOURDOMAIN.COM.              IN NS     ns1
    ns1                          IN A      8.8.8.8
    YOURDOMAIN.COM.              IN A      192.168.0.5
    mail                         IN A      192.168.0.5
    mail.YOURDOMAIN.COM.         IN A      192.168.0.5
    mail1.YOURDOMAIN.COM.        IN A      192.168.0.5
    webmail                      IN A      192.168.0.5
    @                            IN MX     10 mail
    YOURDOMAIN.COM.              IN MX     20 mail1
    webmail.YOURDOMAIN.COM.      IN MX     30 mail
  • Modify your zone file based on the above according to your needs
  • Do not omit any trailing “.” in the names. The trailing “.” marks a name as fully qualified; without it, BIND treats the name as relative and appends the zone origin (YOURDOMAIN.COM.) to it.
  • Let’s now start our named server
     #systemctl start named 
  • If there are no errors, let’s now test the server
    #nslookup - 127.0.0.1 
  • Type in www.google.com
    > www.google.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    
    Non-authoritative answer:
    Name: www.google.com
    Address: 74.125.206.99
    Name: www.google.com
    Address: 74.125.206.106
    Name: www.google.com
    Address: 74.125.206.103
    Name: www.google.com
    Address: 74.125.206.105
    Name: www.google.com
    Address: 74.125.206.104
    Name: www.google.com
    Address: 74.125.206.147
    >
    
  • WEBMAIL.YOURDOMAIN.COM should return 192.168.0.5
    > webmail.yourdomain.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53
    
    Name: webmail.yourdomain.com
    Address: 192.168.0.5
    >
    
  • Note that for webmail.yourdomain.com the answer is authoritative (there is no “Non-authoritative answer” line): the zone we defined above makes our server the authoritative server for our domain.
  • If everything works well, it is now time to setup a host name and the hosts file. Zimbra is very picky about this, so we need to get this right to avoid complaints from the installer.
  • #hostname MAIL.YOURDOMAIN.COM
    #vim /etc/hosts 

    Add the following line to the end of your /etc/hosts file :

     192.168.0.5    mail.yourdomain.com yourdomain.com

    Set SELinux to Permissive

     #vim /etc/selinux/config 
    change from SELINUX=enforcing to SELINUX=permissive
  • Here is how the /etc/selinux/config file should look
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - No SELinux policy is loaded.
    SELINUX=permissive
    # SELINUXTYPE= can take one of three two values:
    # targeted - Targeted processes are protected,
    # minimum - Modification of targeted policy. Only selected processes are protected.
    # mls - Multi Level Security protection.
    SELINUXTYPE=targeted 
  • save and quit
  • Disable the Firewall (This can be enabled later on if desired)
     #systemctl disable firewalld  
  • Install wget
     #yum install wget 
  • Install net-tools
     #yum install net-tools 
  • Next we install the zimbra dependencies :-
     #yum  install perl perl-core ntpl nmap openssh-clients libidn gmp libaio libstdc++ unzip sysstat sqlite 
  • It is now time to update everything
     #yum update -y 
  • Once the update finishes, reboot the server
     #reboot 
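Before starting named, it is worth checking the zone file for the trailing-dot mistake described above, because BIND will not complain about it: a name such as webmail.YOURDOMAIN.COM without the final dot is silently stored as webmail.YOURDOMAIN.COM.YOURDOMAIN.COM. The following Python script is an added example, not part of the original post and not a BIND tool. It parses a zone file in the format shown above, reports names that end in the zone name but lack the trailing dot, and checks that every MX target has an A record in the zone. The embedded zone is a constructed variant of the one above with two missing dots and no mail1 A record, so the checks have something to find.

```python
"""Lint a BIND zone file for the split-DNS setup in this post.

Added example, not part of the original post and not a BIND tool. It flags
names that end in the zone name but lack the trailing dot (BIND would append
$ORIGIN again) and MX targets that have no A record in the zone.
"""
from collections import defaultdict

# Constructed sample: the post's zone with two missing trailing dots
# (SOA contact, last MX owner) and without the mail1 A record.
SAMPLE_ZONE = """\
$ORIGIN YOURDOMAIN.COM.
$TTL 38400
YOURDOMAIN.COM. IN SOA NS1 Administrator.YOURDOMAIN.COM (
 2010022801        ; Serial
 10800             ; Refresh
 3600              ; Retry
 604800            ; Expire
 86400             ; Minimum
)
YOURDOMAIN.COM.              IN NS     ns1
ns1                          IN A      8.8.8.8
YOURDOMAIN.COM.              IN A      192.168.0.5
mail                         IN A      192.168.0.5
mail.YOURDOMAIN.COM.         IN A      192.168.0.5
webmail                      IN A      192.168.0.5
@                            IN MX     10 mail
YOURDOMAIN.COM.              IN MX     20 mail1
webmail.YOURDOMAIN.COM       IN MX     30 mail
"""

# rdata positions that hold domain names, per record type
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def _logical_lines(text):
    """Yield records with ';' comments stripped and '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def qualify(name, origin):
    """Make a zone-file name absolute the way BIND does ('origin' ends in '.')."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, type, rdata_tokens, origin_at_that_point)."""
    origin, last_owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1] if tokens[1].endswith(".") else tokens[1] + "."
            continue
        if tokens[0].startswith("$"):  # $TTL and similar carry no names
            continue
        owner = last_owner if line[0].isspace() else tokens.pop(0)
        last_owner = owner
        # skip optional TTL and class, in either order, to reach the type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:], origin))
    return records


def check_zone(text):
    """Return a list of findings; an empty list means the zone passed."""
    findings, a_records = [], defaultdict(set)

    def check_dot(name, origin, where):
        bare, low = origin.rstrip(".").lower(), name.lower()
        if name != "@" and not name.endswith(".") and (low == bare or low.endswith("." + bare)):
            findings.append(f"{where}: '{name}' has no trailing dot; BIND reads it as '{qualify(name, origin)}'")

    records = parse_zone(text)
    for owner, rtype, rdata, origin in records:
        check_dot(owner, origin, f"{rtype} owner")
        for idx in NAME_FIELDS.get(rtype, []):
            if idx < len(rdata):
                check_dot(rdata[idx], origin, f"{rtype} target")
        if rtype == "A":
            a_records[qualify(owner, origin).lower()].add(rdata[0])

    for owner, rtype, rdata, origin in records:
        if rtype == "MX":
            target = qualify(rdata[1], origin).lower()
            if target not in a_records:
                findings.append(f"MX for {qualify(owner, origin)} points at {target}, which has no A record in this zone")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    for finding in check_zone(text) or ["zone looks consistent"]:
        print(finding)
```

Pass the path of your real zone file (/var/named/YOURDOMAIN.COM) as the first argument to check it instead of the embedded sample. The stock named-checkzone tool shipped with bind confirms that the file parses, but it accepts the doubled names as perfectly valid, which is why a check like this one is worth running before systemctl start named.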

Installing Zimbra 

Some of the commands below, especially the installer, take quite a long time to execute, so it is NOT a good idea to run the next bits remotely. If for any reason the installer gets interrupted, it will leave a mess behind which you will need to clean before attempting a re-installation.

Run the installer either directly from a console, or using the “screen” command. If you do not know how to use the screen command, I recommend you google it.

If you intend to use SSL certificates such as Let’s Encrypt, make sure that your server name is the same as your webmail URL name, or LDAP will not start after you install the certificates, failing with the following error:

 Unable to start TLS: hostname verification failed when connecting to ldap master. 

So basically name your server as webmail.YOURDOMAIN.COM, you can then add as many domains as you want including yourdomain.com for @yourdomain.com mail distribution after the installation is complete. You can do this from the web interface Configure –> Domains
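The check a practitioner would want before running install.sh is that the system hostname, /etc/hosts and the intended webmail name all agree, since that mismatch is exactly what produces the LDAP error above once a real certificate is in place. The script below is an added example, not from the post or from Zimbra. It runs offline on constructed input (a hostname, an /etc/hosts file, the webmail URL and the names from a certificate) and reports every inconsistency it finds. The certificate name matching is a simplified RFC 6125 check written for illustration, not Zimbra’s or OpenLDAP’s own code.

```python
"""Pre-install naming check for a Zimbra host.

Added example, not from the post or from Zimbra. Zimbra takes its service
hostname and LDAP master name from the system hostname, and once a real
certificate is installed LDAP's TLS client verifies that name against it,
so the hostname, /etc/hosts, the webmail URL and the certificate must agree.
The certificate matching below is a simplified RFC 6125 check for illustration.
"""
from urllib.parse import urlparse

# Constructed /etc/hosts in the shape the post recommends.
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
192.168.0.5 mail.yourdomain.com yourdomain.com
"""


def parse_hosts(hosts_text):
    """Return {ip: [names in file order]} from /etc/hosts text, ignoring comments."""
    table = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            table.setdefault(fields[0], []).extend(fields[1:])
    return table


def name_matches(hostname, cert_name):
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    hostname, cert_name = hostname.lower().rstrip("."), cert_name.lower().rstrip(".")
    if "*" not in cert_name:
        return hostname == cert_name
    head, _, tail = cert_name.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def preflight(hostname, hosts_text, server_ip, webmail_url, cert_names):
    """Return a list of problems; an empty list means the naming is consistent."""
    problems = []
    host = hostname.lower().rstrip(".")
    if "." not in host:
        problems.append(f"hostname '{hostname}' is not fully qualified")
    web_host = (urlparse(webmail_url).hostname or "").lower()
    if web_host != host:
        problems.append(f"hostname '{host}' differs from webmail URL host '{web_host}'; "
                        "LDAP TLS hostname verification fails once that certificate is installed")
    names = [n.lower() for n in parse_hosts(hosts_text).get(server_ip, [])]
    if host not in names:
        problems.append(f"/etc/hosts does not map {server_ip} to {host}")
    elif names[0] != host:
        problems.append(f"/etc/hosts lists '{names[0]}' before '{host}' for {server_ip}; "
                        "put the FQDN first so 'hostname -f' returns it")
    if not any(name_matches(host, n) for n in cert_names):
        problems.append(f"none of the certificate names {cert_names} cover '{host}'")
    return problems


if __name__ == "__main__":
    # The post's own names: host MAIL.YOURDOMAIN.COM but webmail at webmail.YOURDOMAIN.COM
    for p in preflight("MAIL.YOURDOMAIN.COM", SAMPLE_HOSTS, "192.168.0.5",
                       "https://webmail.yourdomain.com", ["webmail.yourdomain.com"]):
        print("PROBLEM:", p)
```

Run with the real values (output of hostname, the contents of /etc/hosts, the URL users will type, and the names the certificate will carry) and fix every reported problem before the installer creates the LDAP server entry; renaming a Zimbra server afterwards is far more work than fixing the hostname now.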

Before we install Zimbra, we need to make sure that none of the standard mail daemons that come with Linux are running. Login to the server as “root”

 #systemctl stop postfix 
 #systemctl disable postfix 
 #systemctl stop sendmail 
 #systemctl disable sendmail 

Let’s double-check that SELINUX is set to permissive

 #getenforce 

should return Permissive

Now let’s create a folder for our installer. (the installer needs to run as root)

 #mkdir /root/zimbra 
 #cd /root/zimbra 
 #mkdir installer 
 #cd installer 
 #wget https://files.zimbra.com/downloads/8.7.1_GA/zcs-8.7.1_GA_1670.RHEL7_64.20161025045328.tgz 

*At the time of writing 8.7.1_GA_1670 was the latest version

The next step is to unzip and extract the tarball

 #gzip -dc zcs-8.7.1_GA_1670.RHEL7_64.20161025045328.tgz | tar xvf - 

Once the unzipping operation finishes, it is time to run the installer

 #cd zcs-8.7.1_GA_1670.RHEL7_64.20161025045328 

Finally, we run the installer (note that since we are running our own DNS server on port 53, we need to answer N to Install zimbra-dnscache [Y]):

 # ./install.sh 
Operations logged to /tmp/install.log.jK37Q47Z
Checking for existing installation...
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-dnscache...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-core...NOT FOUND
----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------
Do you agree with the terms of the software license agreement? [N] y

Checking for installable packages

Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-dnscache
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy

Use Zimbra's package repository [Y] Y
Importing Zimbra GPG key
Configuring package repository

Select the packages to install

Install zimbra-ldap [Y]

Install zimbra-logger [Y]

Install zimbra-mta [Y]

Install zimbra-dnscache [Y] N <------ Take Note

Install zimbra-snmp [Y]

Install zimbra-store [Y]

Install zimbra-apache [Y]

Install zimbra-spell [Y]

Install zimbra-memcached [Y]

Install zimbra-proxy [Y]
Checking required space for zimbra-core
Checking space for zimbra-store
Checking required packages for zimbra-store
zimbra-store package check complete.

Installing:
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-memcached
zimbra-proxy

The system will be modified. Continue? [N] y
Installing packages

zimbra-core will be downloaded.
zimbra-ldap will be downloaded.
zimbra-logger will be downloaded.
zimbra-mta will be downloaded.
zimbra-snmp will be downloaded.
zimbra-store will be downloaded.
zimbra-apache will be downloaded.
zimbra-spell will be downloaded.
zimbra-memcached will be downloaded.
zimbra-proxy will be downloaded.
Downloading packages. This will not modify the system. This may take some time.

Removing /opt/zimbra
Removing zimbra crontab entry...done.
Cleaning up zimbra init scripts...done.
Cleaning up /etc/security/limits.conf...done.

Finished removing Zimbra Collaboration Server.

Local packages zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-proxy selected for installation
Monitor /tmp/install.log.jK37Q47Z for package installation progress
Remote package installation started
Installing zimbra-core-components zimbra-ldap-components zimbra-mta-components zimbra-snmp-components zimbra-store-components zimbra-apache-components zimbra-spell-components zimbra-memcached zimbra-proxy-components....done
Local package installation started
Installing zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-proxy...done
done
Operations logged to /tmp/zmsetup.20170111-122713.log
Installing LDAP configuration database...done.
Setting defaults... MX: mail.YOURDOMAIN.COM (192.168.0.5)
MX: mail1.YOURDOMAIN.COM (192.168.0.5)

Interface: 127.0.0.1
Interface: ::1
Interface: 192.168.0.5
192.168.0.5
192.168.0.5
192.168.0.5
done.
Checking for port conflicts

Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: [email protected]
******* +Admin Password UNSET
+Anti-virus quarantine user: [email protected]
+Enable automated spam training: yes
+Spam training user: [email protected]
+Non-spam(Ham) training user: [email protected]
+SMTP host: YOURDOMAIN.COM
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: [email protected]
+Version update source email: [email protected]
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes

7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit

We now need to set the Admin Password.
Address unconfigured (**) items(? – help) 6

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: [email protected]
** 4) Admin Password UNSET
5) Anti-virus quarantine user: [email protected]
6) Enable automated spam training: yes
7) Spam training user: [email protected]
8) Non-spam(Ham) training user: [email protected]
9) SMTP host: YOURDOMAIN.COM
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: [email protected]
22) Version update source email: [email protected]
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes 

Select, or ‘r’ for previous menu [r] 4

Password for [email protected]@YOURDOMAIN.COM (min 6 characters): [z1rrJPyNvW] (Press ‘enter’ here to choose the pre-defined password or enter one yourself; make sure you do not lose your password)

Store configuration

1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: [email protected]@YOURDOMAIN.COM
4) Admin Password set
5) Anti-virus quarantine user: [email protected]
6) Enable automated spam training: yes
7) Spam training user: [email protected]
8) Non-spam(Ham) training user: [email protected]
9) SMTP host: @YOURDOMAIN.COM
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: [email protected]@YOURDOMAIN.COM
22) Version update source email: [email protected]@YOURDOMAIN.COM
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes

Select, or 'r' for previous menu [r] r

Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply

Press the a key to apply
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes] Yes
Save config in file: [/opt/zimbra/config.6201]
Saving config in /opt/zimbra/config.6201...done.
The system will be modified - continue? [No] Yes
Operations logged to /tmp/zmsetup.20170111-122713.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating SSL zimbra-store certificate...done.
Creating new zimbra-ldap SSL certificate...done.
Creating new zimbra-mta SSL certificate...done.
Creating new zimbra-proxy SSL certificate...done.
Installing mailboxd SSL certificates...done.
Installing MTA SSL certificates...done.
Installing LDAP SSL certificate...done.
Installing Proxy SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Setting BES searcher password...done.
Creating server entry for YOURDOMAIN.COM...done.
Setting Zimbra IP Mode...done.
Saving CA in ldap...done.
Saving SSL Certificate in ldap...done.
Setting spell check URL...done.
Setting service ports on YOURDOMAIN.COM...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Checking current setting of zimbraReverseProxyAvailableLookupTargets
Querying LDAP for other mailstores
Searching LDAP for reverseProxyLookupTargets...done.
Adding YOURDOMAIN.COM to zimbraReverseProxyAvailableLookupTargets
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on YOURDOMAIN.COM...done.
Adding YOURDOMAIN.COM to zimbraMailHostPool in default COS...done.
Creating domain YOURDOMAIN.COM...done.
Setting default domain name...done.
Creating domain YOURDOMAIN.COM...already exists.
Creating admin account [email protected]
Creating root alias...done.
Creating postmaster alias...done.
Creating user [email protected]
Creating user [email protected]
Creating user [email protected]
Setting spam training and Anti-virus quarantine accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for YOURDOMAIN.COM...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done.
Installing common zimlets...
com_zimbra_mailarchive...done.
com_zimbra_attachmail...done.
com_zimbra_tooltip...done.
com_zimbra_ymemoticons...done.
com_zimbra_attachcontacts...done.
com_zimbra_srchhighlighter...done.
com_zimbra_webex...done.
com_zimbra_url...done.
com_zimbra_bulkprovision...done.
com_zimbra_adminversioncheck...done.
com_zimbra_proxy_config...done.
com_zimbra_clientuploader...done.
com_zimbra_email...done.
com_zimbra_viewmail...done.
com_zimbra_date...done.
com_zimbra_phone...done.
com_zimbra_cert_manager...done.
Finished installing common zimlets.
Restarting mailboxd...done.
Creating galsync account for default domain...done.

You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
The VERSION of zcs installed (8.7.1_GA_1670_RHEL7_64)
The ADMIN EMAIL ADDRESS created ([email protected])

Notify Zimbra of your installation? [Yes]
Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=8.7.1_GA_1670_RHEL7_64&[email protected]

Notification complete

Setting up zimbra crontab...done.

Moving /tmp/zmsetup.20170111-122713.log to /opt/zimbra/log

Configuration complete - press return to exit

Everything is now ready.

The next step is to log in to the admin web interface at https://192.168.0.5:7071, using admin as the username and the password you set up during the installation, to manage your server.


20 comments On Installing Zimbra 8.7.1 On centos 7

  • Dear Johann,
    This is a good post. And I’d like to know how to configure Zimbra Email Server behind the Mikrotik Router. At Mikrotik WAN site is public IP and LAN site is Private IP. So I configured DNS A and MX to my Mikrotik WAN IP. And I installed and configured Zimbra 8 with CentOS7. It is not working. Can you help me in this problem?
    Thanks,
    Ye Naung

    • Dear Ye,

      I need some more information with regards to your setup. Are you able to connect to your Zimbra server on your lan (using the IP Address of the server) ?

      Remember that in your case you will need to use split DNS, so you need to have an internal DNS server on your lan, with an A and MX record of your server pointing to your server LAN address, and as you correctly did, you also need to setup an MX and A record pointing to your WAN IP on your public DNS server.

      The last step is then to forward (NAT) the required ports on the mikrotik from the WAN to the LAN IP of your server. Port 443 (https) for webmail access, SMTP (25 or 587), pop 3 (110), etc.

      Please let me know if you require further assistance

      J

      • Dear J,
        Thanks for your reply and explanation. I’d like to make sure that my config is right.
        Zimbra server : 192.168.105.230/24 GW : 192.168.105.1 DNS : 192.168.105.10
        Hostname : mail.xxxxxxxx.com
        DNS Server :192.168.105.10/24 Forwarder : 8.8.8.8/8.8.4.4

        and forward( NAT) 443,465,110,143,993,995,7071

        is it right configuration?

        • Dear Ye,

          I managed to get to your login page at https://mail.xxxxxxxx.com so WELL DONE port 443 is correctly forwarded to your server.
          The browser obviously reports that the certificate is invalid, but this is not a problem at this stage.

          Your mx record also appears to be correctly setup :-
          host -t mx xxxxxxxxxx.com reports :-
          xxxxxxxx.com mail is handled by 10 mail.xxxxxx.com.

          Your A record for the server is setup correctly too :-
          host -t a mail.xxxxxx.com
          mail.xxxxxx.com has address nnn.xxx.yyy.zzz

          What you appear to be missing is the forwarding for PORTS 25 and 587

          When I tried telnetting to your server on port 25 I got a timeout

          telnet mail.xxxxxx.com 25
          Trying nnn.xxx.yyy.zzz…
          telnet: connect to address nnn.xxx.yyy.zzz: Operation timed out
          telnet: Unable to connect to remote host

          This is what you should actually see when you try to telnet to port 25 of your server :-

          iMac:~ Johann$ telnet nnn.xxx.yyy.zzz 25
          Trying nnn.xxx.yyy.zzz…
          Connected to mail.xxxxxx.com.
          Escape character is ‘^]’.
          220 mail.xxxxxx.com ESMTP Postfix

          (If you are using a Windows machine, you can use “putty” terminal program to telnet to your server on port 25

  • I have set up zimbra 8.7.1 on centos 7, it’s working fine, but it’s unsecure: users can send and receive mails with and without authentication because of MTA Trusted Network,
    which means users can use a fake email id to send email. Help me to secure SMTP.

    • Hi Arslam,

      You may secure SMTP by logging in to your admin console, from the left column choose “configure”, then again in the left column click “servers”, from the right pane, double click on your server fqdn, from the left column again click on MTA, and select both “enable authentication” and “TLS Authentication only” from the right pane.

      In MTA Trusted Networks, leave only 127.0.0.0/8

      This should avoid the open relay situation you are facing

      Let me know how it goes

      J

  • Hi Johann Fenech,
    I have configured same as you told me on MTA, both “enable authentication” and “TLS Authentication only” are selected.
    But if I leave only 127.0.0.0/8 in MTA Trusted Network, then the error message appears: “Value for Trusted MTA Network must contain local network interface”
    so I could not save only 127.0.0.0/8 in MTA Trusted Network.
    What to do now, kindly help me

    • You are correct. Apart from 127.0.0.0/8 you need to add your host IP /32 (e.g. if your internal zimbra host IP is 10.10.130.10, add “10.10.130.10/32” to your MTA Trusted Networks)

      J

  • Yes, if I add the host IP e.g. 10.10.130.10 then I cannot send email to external domains, but if I add 10.10.130.0/32 then it works, but in this case all IPs in the 10.10.130.0/32 subnet are added as trusted IPs.

    In my case I have two interfaces, one for LAN and the 2nd for WAN, and added both subnets like “127.0.0.0/8 [::1]/128 192.168.0.0/32 10.10.130.0/32” in MTA trusted network.

    One of my Oracle developer colleagues set up an Oracle 11g database and made a procedure to send mail through my email server; he just put the IP of the server in the procedure and a dummy sender name, and sent email to any external domains. That is strange and a security risk; I am worried about why the mail server is not asking for a real user name and password before sending emails.

    Kindly advise me what to do for the above.
    Note: my mail server is running in https mode.

    • Hi Arlsam,

      Apologies for the late reply, but was very busy the last few days, and did not have much time to spare for the blog.

      First of all, unless absolutely necessary I would remove the ipv6 references in your “Trusted Networks”. Also specify 10.10.130.10/32 (not 10.10.130.0/32) assuming your mail server ip is 10.10.130.10.

      Further suggested reading at https://wiki.zimbra.com/wiki/ZimbraMtaMyNetworks

      Let me know if the issue is solved for you

      J

  • Hi Johann
    If I add host IP 10.10.130.10 (Server Public IP) then I cannot send email to external domains, and I can send and receive email within the domain. And if I add 10.10.130.0/32 then it works and I can send email to any external domain like gmail, yahoo.com or msn.com.
    It may be a DNS issue?

    • Hi Arlsam,

      No I do not think it is a DNS issue. If I am understanding correctly, your Zimbra server has a public IP, and its LAN IP is the public IP. I do not recommend this setup. Instead, set up your server behind a firewall, and forward only the ports you need: smtp, pop, http etc. This way, you can add your internal IP to the trusted networks, and no one from the outside can use it as an open relay. You will need to set up an internal DNS server (split DNS setup) for zimbra to operate correctly.

      J
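To make the trusted-networks discussion in this thread concrete, here is an added example (not from the post or from Zimbra) that audits a zimbraMtaMyNetworks value the way Postfix mynetworks uses it: every client whose address falls inside one of the listed CIDR blocks relays without authenticating. It parses the list (including Postfix’s bracketed IPv6 form), answers whether a given client address would be trusted, and flags entries that are broader than one host or that look like a slip such as 10.10.130.0/32, which covers only the single address 10.10.130.0 and not the server at 10.10.130.10. The sample lists and client addresses are constructed from the values quoted in the thread.

```python
"""Audit a Zimbra trusted-networks list.

Added example, not from the post or from Zimbra. zimbraMtaMyNetworks becomes
Postfix 'mynetworks': a client whose address lies inside any listed CIDR block
may relay without authenticating, so each entry should be as narrow as possible.
"""
import ipaddress

# Constructed from the values quoted in the thread above.
RISKY = "127.0.0.0/8 [::1]/128 192.168.0.0/32 10.10.130.0/32"
TIGHT = "127.0.0.0/8 10.10.130.10/32"


def parse_mynetworks(value):
    """Parse a space-separated list, accepting Postfix's [v6addr]/len form."""
    nets = []
    for token in value.split():
        addr, _, plen = token.partition("/")
        addr = addr.strip("[]")
        nets.append(ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False))
    return nets


def trusted(client_ip, value):
    """True if client_ip may relay without authentication under this list."""
    ip = ipaddress.ip_address(client_ip)
    # ipaddress returns False for an IPv4 address tested against an IPv6 network
    return any(ip in net for net in parse_mynetworks(value))


def audit(value):
    """Return warnings for entries that are broader than one host or look like slips."""
    warnings = []
    for net in parse_mynetworks(value):
        if net.is_loopback:
            continue
        if net.num_addresses > 1:
            warnings.append(f"{net} covers {net.num_addresses} addresses; all of them relay unauthenticated")
        elif net.version == 4 and str(net.network_address).endswith(".0"):
            warnings.append(f"{net} is a single host ending in .0; if you meant the mail server itself, "
                            "list its own address with /32")
        if not net.is_private:
            warnings.append(f"{net} is not a private range")
    return warnings


if __name__ == "__main__":
    for label, value in (("risky", RISKY), ("tight", TIGHT)):
        print(f"{label}: {value}")
        for client in ("10.10.130.0", "10.10.130.10", "10.10.130.50"):
            print(f"  {client:>14} trusted: {trusted(client, value)}")
        for warning in audit(value):
            print("  WARNING:", warning)
```

The audit says nothing about whether authentication is actually enforced for everyone else; that is the “enable authentication” / “TLS Authentication only” setting discussed earlier in the thread, and both controls have to be right for the server not to be an open relay.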

  • Existing email server (Domino)
    existing public mailserver hostname: mail.mycompany.com.ph

    I am now setting up Zimbra to be a secondary server on split DNS.
    I would like to ask if I will be using the same hostname of mail.mycompany.com.ph in setting up the hostname in Bind or if I can just make any hostname like mycompany,local/mail.mycompany.local.
    While I followed the guide, when I tried to resolve using mail.mycompany.com.ph for the Zimbra server, it is resolving the Public IP.

    Hope to clear this.
    Thanks in advance.

    • Hi Marvin,

      You should be using the same address for both external and internal DNS. This will save you a lot of headaches if in the future you decide to use letsencrypt ssl certificates. You also need to add an “A” record to your internal dns server pointing mail.mycompany.com to your internal zimbra ip. This would enable machines on the LAN to resolve the correct ip.

      Let me know if any of the above is not clear

      J

  • Hi Johann!
    I cannot find (install) the package ntpl (No package ntpl available)
    How can I fix it?
    I use CentOS 7.

    Thanks.

  • HI,

    I have the message “Unable to start TLS: hostname verification failed when connecting to ldap master.” when running zmcontrol start. I can’t fix it.

    hostname: derview.net
    hostname: -f mail.derview.net

    I tried the same and it doesn’t work. Can you help me? Thanks

    • Hi Yvan,

      The mta hostname, (configure –> Servers –> MTA) and your service host name (configure –> Servers) and your url are all the same. If for example your ssl certificate was issued for https://mail.derview.net,
      your web mail mta hostname must be set to mail.derview.net, and the service host name must also be the same, otherwise you will get the error above.

      Also your ldap master host must also be called mail.derview.net

      You can change your ldap host name from the command line using ZmSetServerName, however please make sure to read https://wiki.zimbra.com/wiki/ZmSetServerName carefully if you are doing this on a production server

      Let me know how it goes

  • Hi Sir,

    I am trying to run the #systemctl start named command after making the named.conf. I get errors and it fails to run; can you help me troubleshoot the issue? Is the mail in the zone file the name of the server or a reserved word “mail”?

    Thanks, hope to hear from you.

    • Hi Mark,
      Can you please send me a screenshot of the errors you are getting, and perhaps email me a copy of your named.conf?
