Zimbra DNS cache configuration
The Zimbra mail server is installed with a script that can be downloaded from the developer's site. After installation we get a complete mail server:
- An SMTP server for sending mail.
- Reading and working with mail over POP3/IMAP.
- Working with mail through the web interface.
- A graphical control panel for the mail server.
Before we start, we will need:
During the process we will also need to configure:
- DNS records so that mail is delivered correctly.
- Port forwarding (if our server is behind NAT).
- A valid certificate so that clients connect to the server without errors or warnings.
The installation procedure is the same for any Linux distribution. What matters is that the distribution is officially supported by Zimbra.
[Resolved] DNS cache seems corrupt
davidkillingsworth Outstanding Member
Posts: 247 Joined: Sat Sep 13, 2014 2:26 am ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Upgrade blocking
Starting with ZCS 8.5 and later, upgrades in a multi-node environment will be blocked if the LDAP master has not yet been upgraded to the ZCS version being installed. This will prevent out of order node upgrades, which have caused problems in the past. In addition, it allows the proxy server to correctly handle traffic between upgraded and non-upgraded store servers.
1. Time configuration
Set the correct time zone:
timedatectl set-timezone Europe/Moscow
* in this example we set Moscow time.
Now install the time synchronization utility and start it.
a) on an RPM-based system (CentOS / Red Hat):
yum install chrony
systemctl enable chronyd --now
b) on a deb-based system (Ubuntu):
apt-get install chrony
systemctl enable chrony --now
How it works
dnscache adds a local DNS cache server to the MTA nodes. The MTA asks the cache once to obtain the DNS information for an external domain; later lookups are answered by the local cache instead of a public DNS server, which saves bandwidth and keeps the MTA from being blacklisted for generating too much DNS query traffic.
Features affecting Amavis
The following features have been added in JP affecting Amavis. Amavis provides several features for the ZCS product:
- Spam scanning (via SpamAssassin)
- Virus scanning (via ClamAV)
- Disclaimer support (via altermime)
- Archiving support
Amavis as a service
Traditionally, Amavis has only run if one of antispam or antivirus is enabled. Unfortunately, this causes severe problems for customers who do not wish to use our AV/AS offerings, but do want to use disclaimers or archiving. In the past, they've had to keep one of AS/AV enabled to do this. Starting with ZCS 8.0.8 or later, Amavis is now its own service separate from AS/AV. This means it is possible to disable AS/AV support and keep disclaimer and archiving support. For customers who do not wish to run any of these services, it is possible to disable all of them.
Command line active monitoring of Amavis
Command line monitoring of the active amavis processes now exists. As the zimbra user on an MTA running amavis, it is possible to execute a process that indicates what the active amavis processes are doing:
Output is text based:
Adding -h to the command outputs the meaning of the various possible codes:
amavisd-status has two command options:
- -c how many times to check the status (default: forever)
- -w how long to wait between checks (default: 1 second)
Allow Spam preservation regardless of scoring
Some countries and companies have requirements that all email be preserved, regardless of how high the spam score is, but still want spam scoring to occur. To meet this request, we now allow end users to configure what happens to spam that exceeds the threshold for preservation. This is stored in the zimbraAmavisFinalSpamDestiny globalConfig/server LDAP attribute. The default action is D_DISCARD, which drops spam exceeding the threshold rather than delivering it.
Domain level disclaimer support
In ZCS8.0 and previous, ZCS only supported having a single, global disclaimer that was attached to all emails, regardless of the number of domains on the installation. Starting with ZCS 8.5, we now allow per-domain global disclaimers. This meets critical needs of our hosting providers to allow different disclaimers based on the domains they have on their systems.
See - ZCS 8.5 Admin Guide > Enabling Support for Domain Disclaimers
Upgrade considerations
To handle the change from global to domain specific disclaimers, when a system is upgraded, the global disclaimer will be attached to all existing domains in the installation. This way there is no change in behavior post-upgrade. Once the upgrade is complete, the client can modify the new domain level disclaimers as they see fit. There is no option any longer to have a global disclaimer.
Enabling disclaimer support
This enables the use of disclaimers *at all*. If this is not done, no disclaimers will be attached to emails, regardless of whether or not a domain has a disclaimer associated with it. I.e., it is the global on/off switch.
Adding a disclaimer to a domain
Adding disclaimers to a domain takes multiple steps. The first step is to add the disclaimer text into the LDAP server:
Plain-Text Example
HTML Example
After the disclaimer text is added to the LDAP server, disclaimers for the specific domain must be enabled, and then all MTAs updated to grab the disclaimer text. On the first MTA, as the zimbra user:
On all additional MTAs:
To remove a disclaimer from a domain
Removing a disclaimer for a domain that currently has it enabled takes multiple steps.
On the first MTA, as the Zimbra user:
On all additional MTAs:
Completely disable the disclaimer feature
It is possible to completely remove support for disclaimers by setting the related attribute to FALSE.
Disable disclaimers for intra-domain emails
Starting with ZCS 8.5, it is now possible to make it so that emails between individuals in the same domain do not have the disclaimer attached. This is done via the zimbraAmavisOutboundDisclaimersOnly attribute. To preserve backwards compatibility it defaults to FALSE.
Set the Amavis Log level
Starting with ZCS 8.0.5 and later, it is possible to set the Amavis log level. This can be extremely useful for a number of things, such as determining how a particular email got scored the way it did. It is also possible to generate extremely useful timing data with the amavis-logwatch utility at a log level of 2.
Set the Amavis SpamAssassin Log level
Starting with ZCS 8.5 and later, it is possible to set the level of logging that SpamAssassin should use via the Amavis configuration. This is set with the attribute zimbraAmavisSALogLevel.
amavis-logwatch utility
Starting with ZCS 8.5 and later, two new utilities (amavis-logwatch and postfix-logwatch) will be included with the MTA package with ZCS. These utilities generate extremely useful statistical information about how the MTA is performing and what issue(s) it is encountering. They will likely be added to the Daily Report as well.
NOTE: in ZCS 8.7.x and later, amavis-logwatch is located in /opt/zimbra/common/bin/
DKIM verification inside of Amavis can be disabled
Starting with ZCS 8.5 and later, it is possible to disable DKIM verification inside of Amavis. This is done via the zimbraAmavisEnableDKIMVerification LDAP attribute, which is globalConfig and server applicable.
Amavis/ClamAV concurrency
Starting with ZCS 8.5 and later, it is now possible to adjust the number of processes (concurrency) that are spawned by Amavis, ClamAV, and Postfix. There are two LDAP variables involved, zimbraAmavisMaxServers and zimbraClamAVMaxThreads. These values default to 10, and should always equal one another. I.e., there should be a 1:1 relation between the number of Amavis Servers and ClamAV threads. Having more ClamAV threads than Amavis servers is ok.
SpamAssassin layout updated
- /opt/zimbra/data/spamassassin/localrules -> This directory contains the *.pre files and local customizations (salocal.cf, sauser.cf)
- /opt/zimbra/data/spamassassin/rules -> This directory contains the default ruleset we ship with ZCS
- /opt/zimbra/data/spamassassin/state -> This directory contains SpamAssassin rule updates and compiled rules
SpamAssassin compiled rules
Starting with ZCS 8.5 and later, we ship a utility named zmsacompile that is a wrapper for sa-compile. It allows the compilation of SpamAssassin rules. You can also make it so that any new rulesets that are downloaded via zmsaupdate are also automatically compiled. Compiling SpamAssassin rules can significantly decrease the amount of time it takes to process them, speeding up spam scoring and mail delivery. Automatic compilation is controlled with the antispam_enable_rule_compilation localconfig key.
DNS configuration
For mail to work correctly, DNS must be configured for our domain.
1. MX record.
Identifies the mail server for the domain. Details on what it is and how to set it up correctly are in the article What is an MX record.
2. A record.
3. PTR.
This record is the reverse resolution of an IP address to a domain name. It is used to confirm the legitimacy of the sender. Details are in the article What is a PTR record.
4. SPF.
This is a TXT record that lists the servers allowed to send mail for the domain. Details: What is SPF.
5. DKIM.
Proof of domain ownership. The message is sent with a cryptographically signed header, and the signature is verified with the public key stored in a TXT record in DNS. So if the domain owner has published that key, the sender is the domain owner. Details: What is DKIM. Below in this guide we also walk through DKIM setup on Zimbra.
6. DMARC.
Defines the domain's policy for checking messages. Details: What is DMARC.
SSL cert requests should use SHA-256 signatures
To enhance security, certificate requests are now signed with SHA-256 by default.
Certificate installation
Installing a certificate for Zimbra differs somewhat from most other services: it requires a few extra steps.
So, first copy the certificates we obtained into the Zimbra directory; in my case the commands are:
Change the owner of the copied files:
chown zimbra /opt/zimbra/ssl/zimbra/commercial/*
Now the nuance: Zimbra will not accept the certificate chain unless it includes the Let's Encrypt root certificates. They can be obtained from these links:
Append the resulting chain to the chain.pem file:
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.
Starting with Zimbra Collaboration 8.5 and above, there is now a DNS caching service available for installation. It is specifically targeted for MTA nodes, and could be perfect for Single-Server Installations. Three of our supported features rely heavily on DNS lookups:
- DKIM verification
- SpamAssassin Scoring
- Postfix RBLs for spam blocking
However, remote sites that provide the SpamAssassin scoring and Postfix RBLs do *not* like heavy DNS traffic overloading their servers as DNS-Blocklists often run on the "free for some" model and/or they may limit the number of queries you can perform to maximize resources. Prolonged over-use of their DNS systems will in fact get your MTAs blacklisted from using those services, severely reducing the effectiveness of said services.
Configuring Zimbra after installation
Proxy/Memcached packages default to YES for new installations
Starting with ZCS 8.5, the installer prompts to include proxy/memcached on installation. We have new features that rely heavily on both of these products. For example, the mailbox store will now use memcached if it is available. The general expectation is that ALL clients should have at least one proxy/memcached node; 2 or more nodes are required for AlwaysOn.
Adding a domain
If we did not change the working domain in the settings during server installation, the primary domain will be the same as the server name. Usually that is not what we want. So, go to Configure - Domains. On the right side of the window click the gear icon and then New:
Enter a name for the new domain:
... and click Next.
In the next window select the server:
... and click Finish.
Now change the default domain. Go to Configure - Global Settings. Change the value of the "Default Domain" field:
... and click Save.
Check the DNSMasterIP
You can check which DNSMasterIP entries your dnscache is using; there can be more than one:
General changes not specifically related to a service
The following changes are general and do not apply to a specific service
Remove a DNSMasterIP
If you want to remove a DNSMasterIP that was entered incorrectly, or because that DNS server is no longer available, run the following command:
Exchange compatible journaling
Starting with ZCS 8.5, it is possible to create a journal for all messages entering or leaving the MTAs that will be delivered to a specific address.
NOTE: Enabling postjournal disables DKIM signing AND origination tagging.
Add a DNSMasterIP
You can also add more DNSMasterIP entries at any time if you need them, for example when you add a new internal DNS server, or if you want more than the Google ones:
Store related changes
These changes affect the store stack.
zimbraMtaLmtpHostLookup
If our server is behind NAT and its name resolves to the external address rather than the internal one (this can be checked with the nslookup command), after setup the server will not be able to receive mail, and in the logs we may see the error delivery temporarily suspended: connect to 7025: Connection refused. This happens because Zimbra tries to hand queued messages to the local delivery port 7025 (LMTP) at the external address, which is unreachable from behind NAT. To solve the problem, either use an internal DNS server with different A records (split DNS) or have LMTP use its own host lookup instead of DNS. We take the second option; enter two commands:
su - zimbra -c "zmprov ms $myhostname zimbraMtaLmtpHostLookup native"
su - zimbra -c "zmprov mcf zimbraMtaLmtpHostLookup native"
* where $myhostname is the name of our mail server.
Then restart the Zimbra services:
su - zimbra -c "zmmtactl restart"
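As an added check for the situation just described (example code, not part of the original guide), the script below resolves the server's name with getent instead of nslookup, compares the result with the host's own interface addresses, and reports which zimbraMtaLmtpHostLookup value applies; is_rfc1918 and lmtp_lookup_mode are assumed helper names, and it assumes a glibc getent and Linux "hostname -I".

```shell
#!/bin/sh
# Added example, not from the original guide. Decides whether Postfix can reach
# the local LMTP port 7025 through DNS (zimbraMtaLmtpHostLookup dns) or must
# use native lookup, by comparing the name's A record with the host's own IPs.

# is_rfc1918 A.B.C.D -> returns 0 when the address is private (10/8, 172.16/12, 192.168/16)
is_rfc1918() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    o1=${1%%.*}
    r=${1#*.}
    o2=${r%%.*}
    case "$o1" in
        10)  return 0 ;;
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then return 0; fi ;;
        192) if [ "$o2" -eq 168 ]; then return 0; fi ;;
    esac
    return 1
}

# lmtp_lookup_mode RESOLVED_IP "LOCAL_IPS" -> prints "dns" when the name resolves
# to one of this host's own addresses, otherwise "native" (the fix from the text)
lmtp_lookup_mode() {
    for local_ip in $2; do
        if [ "$local_ip" = "$1" ]; then echo dns; return 0; fi
    done
    echo native
}

# Runs only when a hostname is given:  sh lmtp_check.sh "$(zmhostname)"
# Assumes a glibc getent and Linux "hostname -I" (constructed usage, not Zimbra tooling).
if [ $# -gt 0 ]; then
    resolved=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    if [ -z "$resolved" ]; then
        echo "$1 does not resolve to an IPv4 address" >&2
        exit 1
    fi
    mode=$(lmtp_lookup_mode "$resolved" "$(hostname -I 2>/dev/null)")
    if is_rfc1918 "$resolved"; then kind=private; else kind=public; fi
    echo "$1 -> $resolved ($kind address); zimbraMtaLmtpHostLookup should be: $mode"
fi
```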
[Resolved] DNS cache seems corrupt
Post by davidkillingsworth » Tue May 07, 2019 12:54 pm
zimbra@zimbra:~$ cat /etc/issue
Ubuntu 14.04.6 LTS \n \l
zimbra@zimbra:~$ zmcontrol -v
Release 8.8.11.GA.3737.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.8.11_P4.
The part that originally didn't catch my attention was that there was a DNS query timeout. This causes the spam score in SpamAssassin to go above the spam threshold since DKIM fails.
Lo and behold it failed.
dns-nameservers 8.8.8.8 8.8.4.4
zimbra@zimbra:~$ zmprov getServer `zmhostname` | grep DNSMasterIP
zimbraDNSMasterIP: 8.8.8.8
zimbraDNSMasterIP: 8.8.4.4
I have tried flushing the cache, but it doesn't help.
I have tried changing the DNS servers to the ISP DNS servers instead of Google, and that doesn't help.
If I shut down the dnscache service using the following command - the query starts working correctly.
The same type of queries to other domains work perfectly fine, so it's not a firewall blocking issue.
Any ideas on what might be going on here? This is really really weird.
Only thing I can possibly think of is the virtual nic card type in VMware guest settings.
JDunphy Outstanding Member
Posts: 706 Joined: Fri Sep 12, 2014 11:18 pm Location: Victoria, BC ZCS/ZD Version: 8.8.15_P31 RHEL8 Network Edition
Post by JDunphy » Wed May 08, 2019 3:15 pm
The part that originally didn't catch my attention was that there was a DNS query timeout. This causes the spam score in SpamAssassin to go above the spam threshold since DKIM fails.
Wild guess in case you have a cached AAAA NS record present for aetna. Do you have an IPv6 address on that NIC? Does this work any better on the problem machine in failure mode?
It seems like unbound supports extra debugging and verbose modes, just not sure how to do it the Zimbra way. One way is to add the verbose flag when $unbound starts in zmdnscachectl, line 87 (sudo $unbound). You would think there must be a way to send it a signal or method via a control interface to enable logging/debugging on an already running instance. I am only seeing flags on start however. Another thing you could do the next time your dig fails: change /etc/resolv.conf to 1.1.1.1 (Cloudflare) or Google (8.8.8.8) and run your dig command again. If that fails, it points us away from unbound and to a FW/networking issue. I gather the failure remains from the command prompt (dig) once it happens, or does it come and go? I run BIND on my Zimbra servers and have no experience with unbound. Out of ideas at this time.
davidkillingsworth Outstanding Member
Posts: 247 Joined: Sat Sep 13, 2014 2:26 am ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Post by davidkillingsworth » Wed May 08, 2019 4:15 pm
JDunphy wrote: Wild guess in case you have a cached AAAA NS record present for aetna. Do you have an IPv6 address on that NIC? Does this work any better on the problem machine in failure mode?
Afterwards, it still showed that IPv6 was disabled and the only real difference is that when I did an $ifconfig, there wasn't an IPv6 address listed with Eth0.
Can you elaborate what you mean by "failure mode?"
JDunphy wrote: It seems like unbound supports extra debugging and verbose modes, just not sure how to do it the Zimbra way. One way is to add the verbose flag when $unbound starts in zmdnscachectl, line 87 (sudo $unbound). You would think there must be a way to send it a signal or method via a control interface to enable logging/debugging on an already running instance. I am only seeing flags on start however. Another thing you could do the next time your dig fails: change /etc/resolv.conf to 1.1.1.1 (Cloudflare) or Google (8.8.8.8) and run your dig command again. If that fails, it points us away from unbound and to a FW/networking issue. I gather the failure remains from the command prompt (dig) once it happens, or does it come and go? I run BIND on my Zimbra servers and have no experience with unbound. Out of ideas at this time.
This is what my Zimbra DNS settings look like.
davidkillingsworth Outstanding Member
Posts: 247 Joined: Sat Sep 13, 2014 2:26 am ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Post by davidkillingsworth » Wed May 08, 2019 5:31 pm
More progress on this. I figured out that the dns caching server that is built into Zimbra is called unbound.
I went into /opt/zimbra/conf/unbound.conf.in
and changed the log level from 1 (default) to 3.
Restarted the DNScache service with
I then grep'd the zimbra.log for unbound.
I'm not sure if this really tells me much more than I knew before.
JDunphy Outstanding Member
Posts: 706 Joined: Fri Sep 12, 2014 11:18 pm Location: Victoria, BC ZCS/ZD Version: 8.8.15_P31 RHEL8 Network Edition
Post by JDunphy » Wed May 08, 2019 5:35 pm
They have a lot of data, so switching to TCP for DNS queries. See below for cause. Double check the FW that you are allowing DNS TCP queries and/or limits on large UDP packets via DNS extensions.
JDunphy Outstanding Member
Posts: 706 Joined: Fri Sep 12, 2014 11:18 pm Location: Victoria, BC ZCS/ZD Version: 8.8.15_P31 RHEL8 Network Edition
Post by JDunphy » Wed May 08, 2019 5:41 pm
davidkillingsworth Outstanding Member
Posts: 247 Joined: Sat Sep 13, 2014 2:26 am ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Post by davidkillingsworth » Wed May 08, 2019 5:57 pm
It could be something on the firewall. It's an older Cisco ASA 5505.
However, I'm running a terminal monitor on it at the same time as doing a dig query and I don't see any traffic being blocked from the mail server.
The failure occurs when I have zimbra's dnscache running. If I turn zimbra dnscache off, the dig queries actually work.
The only other thing I can think of that might cause very strange issues that I have seen is the virtual network card type. This is a VMware 6.5 server and the virtual network card for this Zimbra server is VMXNET 3. I have seen problems with virtual network card types. I may also try to change the network card type to E1000 and see if that has any effect.
JDunphy Outstanding Member
Posts: 706 Joined: Fri Sep 12, 2014 11:18 pm Location: Victoria, BC ZCS/ZD Version: 8.8.15_P31 RHEL8 Network Edition
Post by JDunphy » Wed May 08, 2019 6:14 pm
I thought this was a caching DNS resolver. nope. From the documentation - "dnscache adds into the MTA servers a local DNS cache server that can keep all the external DNS request". Anyway, here is the root cause.
"configured forward servers failed -- returning SERVFAIL"
So you are looking at unbound + external resolver for possible cause. If it was me, I would use /etc/resolv.conf and figure out why the external resolver is failing at times with dig. After you rule out your FW then investigate if the external resolver has any limits that you might be hitting. You are close to figuring this out.
Another thing is how to handle some RBLs that could fail in unexpected ways because they have limits on the number of queries per day per resolver IP.
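The resolver comparison JDunphy suggests, as an added script that is not part of the thread: it queries one name through the Zimbra dnscache on 127.0.0.1 and through each zimbraDNSMasterIP over UDP, over TCP and with EDNS0 disabled, and prints the rcode of each answer, so a SERVFAIL from the cache next to NOERROR upstream points at the forwarder, and a TIMEOUT only on TCP or only with EDNS points at the firewall. dig_status, query and compare are assumed helper names; dig must be installed, and the upstream list is read with zmprov as the zimbra user.

```shell
#!/bin/sh
# Added example, not from the thread. Compares DNS answers for one name from the
# local Zimbra dnscache (unbound on 127.0.0.1) with answers from each upstream
# zimbraDNSMasterIP, so a "configured forward servers failed -- returning SERVFAIL"
# can be tied to the transport (UDP, TCP, EDNS0) or the upstream that is failing.

# dig_status: reads dig output on stdin and prints the rcode from the
# ";; ->>HEADER<<-" line, or TIMEOUT when dig printed no header at all
# (connection timed out, or dig not installed)
dig_status() {
    status=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -n "$status" ]; then echo "$status"; else echo TIMEOUT; fi
}

# query NAME SERVER MODE -> rcode of an A lookup of NAME at SERVER
# MODE is a dig option: +notcp (plain UDP), +tcp, or +noedns (UDP without EDNS0)
query() {
    dig +time=2 +tries=1 "$3" @"$2" "$1" A 2>/dev/null | dig_status
}

# compare NAME "SERVER ..." -> one line per server and transport, cache first
compare() {
    for server in 127.0.0.1 $2; do
        for mode in +notcp +tcp +noedns; do
            printf '%-16s %-8s %s\n' "$server" "$mode" "$(query "$1" "$server" "$mode")"
        done
    done
}

# Usage (as the zimbra user):  sh dnscache_check.sh mail.example.com
# The upstream list comes from zmprov; 8.8.8.8 is a constructed fallback.
if [ $# -gt 0 ]; then
    upstream=$(zmprov getServer "$(zmhostname)" 2>/dev/null \
               | awk '/^zimbraDNSMasterIP:/ {print $2}')
    compare "$1" "${upstream:-8.8.8.8}"
fi
```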
JDunphy Outstanding Member
Posts: 706 Joined: Fri Sep 12, 2014 11:18 pm Location: Victoria, BC ZCS/ZD Version: 8.8.15_P31 RHEL8 Network Edition
Post by JDunphy » Wed May 08, 2019 8:25 pm
You might want to play with dnsping, dnseval and dnstraceroute. Will definitely show oddities like transparent proxying (ISP/NSP interception), throttling, FW, slowness, etc.
Something like this for udp and then tcp might shine a light.
% dnsping -h
dnsping version 1.6.4
usage: dnsping [-ehqv] [-s server] [-p port] [-P port] [-S address] [-c count] [-t type] [-w wait] hostname
-h --help Show this help
-q --quiet Quiet
-v --verbose Print actual dns response
-s --server DNS server to use (default: first entry from /etc/resolv.conf)
-p --port DNS server port number (default: 53)
-T --tcp Use TCP instead of UDP
-4 --ipv4 Use IPv4 as default network protocol
-6 --ipv6 Use IPv6 as default network protocol
-P --srcport Query source port number (default: 0)
-S --srcip Query source IP address (default: default interface address)
-c --count Number of requests to send (default: 10)
-w --wait Maximum wait time for a reply (default: 2 seconds)
-i --interval Time between each request (default: 1 seconds)
-t --type DNS request record type (default: A)
-e --edns Disable EDNS0 (default: Enabled)
Be on the look out for any lost queries.
And now for the question of who has a faster resolver from your location - cloudflare or google with TCP and UDP queries.
--- 127.0.0.1 dnsping statistics ---
10 requests transmitted, 10 responses received, 0% lost
min=0.427 ms, avg=0.504 ms, max=0.608 ms, stddev=0.054 ms
Your numbers should be similar to mine above for unbound after that initial latency for the first fetch to the external resolver. Looks like we are in the same datacenter on my test case as one of Akamai's NS for aetna. Not as lucky on a Toronto datacenter where it took 82ms for the initial fetch but after that was < 0.5ms for the subsequent 9. If there was ever any doubt what a caching DNS server can do it should be gone now.
davidkillingsworth Outstanding Member
Posts: 247 Joined: Sat Sep 13, 2014 2:26 am ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Post by davidkillingsworth » Thu May 30, 2019 7:20 pm
I went back to looking at this. I'm still not sure what's going on.
I changed the VMWare virtual network card type from VMX3 to E1000, but that didn't help anything.
I ended up having to just disable DNSCache in Zimbra to get DNS queries working properly.
Note, the commands below are both with Zimbra's DNS cache disabled.
I suspect that maybe there is something wrong with the configuration of the Cisco ASA 5505 we have as a firewall at that site. We are not blocking outbound UDP or TCP packets. I did view the terminal monitor on the ASA to look for any blocked traffic, but couldn't see any errors through all of this testing.
I have a couple of other Ubuntu servers at this location (10.04 and 18.04) that don't seem to have the DNS query issues though. Perhaps I just need to upgrade from Ubuntu 14.04 to 16.04.
:: Zimbra and DNS Challenges ::
Zimbra, like all email servers, is highly reliant on performant DNS not only to be able to send and receive email, but also to be able to perform anti-spam tasks. Certain components of Zimbra even use DNS to find other Zimbra components and servers in the same hosting environment.
dnsmasq To The Rescue
Zimbra’s supported operating systems all now ship dnsmasq as part of the distribution. dnsmasq is a reasonably performant caching DNS server, with a configuration file that “masks” listed entries. In other words, you need only put into dnsmasq’s configuration file the A, MX, TXT and PTR entries that must resolve to private IP addresses, without needing a comprehensive zone file for all records of the domain on which Zimbra is hosted.
Zimbra’s own Split DNS wiki page will give you further background into how, for example, Zimbra’s Postfix relies on RFC1918 address resolution. The wiki page even provides a sample configuration file for dnsmasq. Unfortunately, the sample is incomplete in that it doesn’t include reverse lookups, needed for some Zimbra log file entries in production environments. The sample dnsmasq configuration file in the wiki also doesn’t increase dnsmasq’s very tiny default cache, which most Zimbra servers will churn continuously if not increased.
In Amazon Web Services environments, unless you architect your VPCs carefully with custom DHCP options, your Zimbra server will have a hostname that’s not even remotely related to the public hostname of the Zimbra server, and that creates some challenges that dnsmasq can be used to solve as well.
Be sure also to ensure that /etc/resolv.conf is updated accordingly! You would be surprised how often this gets overlooked, and then otherwise incredibly competent and attentive system administrators wonder why they are having intermittent issues with email delivery, anti-spam etc.
Comprehensive dnsmasq Sample Config File Entries
Here’s the sample template we use on the dnsmasq instance installed on the proxy server of our Zimbra BSP (Business Service Provider) multi-tenant hosting environment. The configs handle forward and reverse lookups of the Zimbra server itself, along with a few other items not included in the Zimbra wiki page.
Hopefully, the embedded comments below will help you create your own dnsmasq configuration file entries, and the Zimbra wiki site will help you with the installation of dnsmasq itself.
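The template referred to above is not reproduced on this page; the script below is an added example (not L. Mark Stone's template) that generates dnsmasq entries for the Zimbra host itself: the forward A record, the MX and SPF TXT for the domain, the reverse PTR the text says the wiki sample lacks, and a cache-size well above dnsmasq's default of 150 entries. reverse_ip and zimbra_dnsmasq_conf are assumed names; mail.example.com, 10.0.0.25 and 8.8.8.8 are constructed sample values.

```shell
#!/bin/sh
# Added example, not the author's template. Emits a dnsmasq configuration that
# answers the Zimbra server's own A, MX, TXT (SPF) and PTR lookups with its
# private address, forwards everything else upstream, and raises the default
# cache of 150 entries. Install the output under /etc/dnsmasq.d/ and point
# /etc/resolv.conf at 127.0.0.1.

# reverse_ip A.B.C.D -> D.C.B.A.in-addr.arpa (the name a PTR record hangs on)
reverse_ip() {
    echo "$1" | awk -F. '{print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"}'
}

# zimbra_dnsmasq_conf FQDN PRIVATE_IP DOMAIN UPSTREAM -> configuration on stdout
zimbra_dnsmasq_conf() {
    fqdn=$1; ip=$2; domain=$3; upstream=$4
    cat <<EOF
# Answer from this file and the listed upstream only, never from /etc/resolv.conf
no-resolv
server=$upstream
listen-address=127.0.0.1
bind-interfaces
# Never forward single-label names or reverse lookups of private ranges upstream
domain-needed
bogus-priv
# Forward lookup of the Zimbra host itself (A) and the mail routing records
host-record=$fqdn,$ip
mx-host=$domain,$fqdn,10
txt-record=$domain,"v=spf1 mx -all"
# Reverse lookup of the private address, used by Postfix/Amavis log entries
ptr-record=$(reverse_ip "$ip"),$fqdn
# dnsmasq caches only 150 entries by default; a busy MTA churns that constantly
cache-size=10000
# Cache negative answers briefly so repeated NXDOMAIN lookups stay local
neg-ttl=60
EOF
}

if [ $# -ge 4 ]; then
    zimbra_dnsmasq_conf "$@"
else
    # Constructed sample values; replace with the real hostname, private address,
    # mail domain and upstream resolver.
    zimbra_dnsmasq_conf mail.example.com 10.0.0.25 example.com 8.8.8.8
fi
```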
If you need help with your Zimbra environment, don’t hesitate to contact us for a Professional Services quote.
Hope that helps,
L. Mark Stone
Mission Critical Email
15 March 2018
Downloading the distribution and installing Zimbra
Follow one of the links above to download the paid or free edition.
If we plan to install the paid edition, first click START FREE TRIAL:
Go through the registration. A license file (valid for 60 days) will be sent to the e-mail address we provided. Copy this file to the Zimbra server, for example with WinSCP.
Return to the Zimbra download page and copy the link to the distribution:
Using the copied link, download the Zimbra distribution:
Unpack the downloaded archive:
tar -xzvf zcs-*.tgz
Change into the unpacked directory:
Start the mail server installation:
The license agreement is displayed; accept it:
Do you agree with the terms of the software license agreement? [N] Y
* in the paid edition the license agreement must be accepted twice.
Allow the use of the Zimbra package repository:
Use Zimbra's package repository [Y] Y
Install the required modules (or all of them):
Install zimbra-ldap [Y] Y
Install zimbra-logger [Y] Y
Install zimbra-mta [Y] Y
Install zimbra-dnscache [Y] Y
Install zimbra-snmp [Y] Y
Install zimbra-store [Y] Y
Install zimbra-apache [Y] Y
Install zimbra-spell [Y] Y
Install zimbra-convertd [Y] Y
Install zimbra-memcached [Y] Y
Install zimbra-proxy [Y] Y
Install zimbra-archiving [N] Y
Install zimbra-drive [Y] Y
Install zimbra-imapd (BETA - for evaluation only) [N] N
Install zimbra-network-modules-ng [Y] Y
Install zimbra-talk [Y] Y
Confirm the settings entered so far:
The system will be modified. Continue? [N] Y
The Zimbra installation and configuration process begins. Wait for it to finish.
It is suggested that the domain name have an MX record configured in DNS
The installer offers to change the domain name; answer no:
Change domain name? [Yes] No
... the installer shows the Zimbra configuration menu:
8) zimbra-spell: Enabled
9) zimbra-convertd: Enabled
10) zimbra-proxy: Enabled
11) Default Class of Service Configuration:
12) Enable default backup schedule: yes
s) Save config to file
x) Expand menu
q) Quit
Here we can change any of the settings. Settings that must be made before the installation can continue are marked with asterisks; in this example we need to set the administrator password (Admin Password) and the path to the license file (License filename). So, press 7:
Address unconfigured (**) items (? - help) 7
Go to the password setting:
Select, or 'r' for previous menu [r] 4
... and set the password.
If we are installing the paid edition, specify the path to the license file:
Select, or 'r' for previous menu [r] 25
... and enter the path to the license file, for example:
Enter the name of the file that contains the license: /opt/zimbra/ZCSLicense.xml
Now leave the menu:
Select, or 'r' for previous menu [r] r
Select from menu, or press 'a' to apply config (? - help) a
Save the configuration file:
Save configuration data to a file? [Yes] Y
Accept the path where the file is saved:
Save config in file: [/opt/zimbra/config.20863]
The system will be modified - continue? [No] Y
Wait for the installation to finish; the request to notify Zimbra can be declined:
Notify Zimbra of your installation? [Yes] n
Finally, press Enter:
Configuration complete - press return to exit
The server is installed. However, the installer changes the root user's password. Change it back:
Key migrations from localconfig to LDAP
Starting with ZCS 8.5, almost every attribute related to MTA tuning that was stored in localconfig is now stored in the LDAP server. By moving attributes out of localconfig and into LDAP, it is now much simpler to configure groups of MTAs in the same fashion, as these settings are nearly always the same between all systems. In this way, the settings can be made at the globalconfig level rather than at the server level, and apply to all MTAs.
For the list of attributes, refer to zmconfigd.cf or see Postconf_keys for the postconf parameter each attribute sets:
MySQL replaced with MariaDB
Starting with ZCS 8.5 and later, MySQL has been replaced with MariaDB. This was due to a number of factors, including:
- Oracle's loss of MySQL developers
- Oracle's attempts to close source as much of MySQL as possible
- Better performance from MariaDB
- Better development team for MariaDB
- Better response time for issues raised with MariaDB
In essence, MariaDB is the *true* MySQL software as it is developed by over 90% of the original MySQL developers, including the founder (Monty).
2. Security
SELinux
If SELinux is in use on the server (the default on RPM-based systems), this guide disables it. Set the mode in the config file (takes effect after a reboot):
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config
Keep in mind that this removes a mandatory access control layer from the host; if you would rather keep SELinux enforcing, watch /var/log/audit/audit.log for denials involving Zimbra after the installation instead.
Firewall
Zimbra needs a fairly large number of ports open:
Depending on the firewall management tool, the commands are as follows.
a) With firewalld (Red Hat, CentOS):
b) With iptables (Ubuntu):
iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT
Mail ports:
iptables -I INPUT -p tcp --match multiport --dports 25,110,143,465,587,993,995 -j ACCEPT
Zimbra service ports:
iptables -I INPUT -p tcp --match multiport --dports 5222,5223,9071,7071,8443,7143,7993,7110,7995 -j ACCEPT
* these rules live only in the running kernel; to keep them across reboots on Ubuntu, install the iptables-persistent package (apt-get install iptables-persistent) and save the rule set with netfilter-persistent save.
c) With ufw (Ubuntu):
ufw allow 25,80,110,143,443,465,587,993,995,5222,5223,9071,7071,8443,7143,7993,7110,7995/tcp
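The commands above open every Zimbra port to the whole Internet. The admin console (7071 directly, 9071 via the proxy) and the ports the proxy uses to reach the mail store (7110, 7143, 7993, 7995, plus 8443 for mailboxd HTTPS) only need to be reachable from administrators and from the proxy node, so a practitioner restricts them by source address. The script below is an added example, not part of the original page or of Zimbra: it classifies the page's port list by who needs each port and prints iptables and firewalld commands that apply that split. The trust-class assignment and the networks 192.0.2.0/24 (admins) and 198.51.100.10/32 (proxy) are assumptions; on a single-node install the proxy network is the server's own address.

```sh
#!/bin/sh
# Added example, not from the original page or from Zimbra: split the page's
# port list by who needs to reach each port and print firewall commands that
# open only the mail/web ports to everyone.
# Assumptions (not stated on the page):
#  - 7071 and 9071 (admin console, direct and via proxy) only from ADMIN_NET;
#  - 7110/7143/7993/7995 (proxy-to-mailstore POP/IMAP) and 8443 (mailboxd
#    HTTPS behind the proxy) only from PROXY_NET, which on a single-node
#    install is the server's own address;
#  - 192.0.2.0/24 and 198.51.100.10/32 are placeholders.

PUBLIC_PORTS="25 80 110 143 443 465 587 993 995 5222 5223"
ADMIN_PORTS="7071 9071"
BACKEND_PORTS="7110 7143 7993 7995 8443"

# port_class PORT: print public|admin|backend|unknown (exit 1 for unknown)
port_class() {
    for p in $PUBLIC_PORTS;  do if [ "$p" = "$1" ]; then echo public;  return 0; fi; done
    for p in $ADMIN_PORTS;   do if [ "$p" = "$1" ]; then echo admin;   return 0; fi; done
    for p in $BACKEND_PORTS; do if [ "$p" = "$1" ]; then echo backend; return 0; fi; done
    echo unknown
    return 1
}

# join_ports "a b c": print "a,b,c", the form iptables multiport expects
join_ports() {
    echo "$1" | tr ' ' ','
}

# iptables_rules ADMIN_NET PROXY_NET: print the iptables commands. Rules are
# appended (-A) so an existing default-drop policy keeps its order.
iptables_rules() {
    echo "iptables -A INPUT -p tcp -m multiport --dports $(join_ports "$PUBLIC_PORTS") -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $1 -m multiport --dports $(join_ports "$ADMIN_PORTS") -j ACCEPT"
    echo "iptables -A INPUT -p tcp -s $2 -m multiport --dports $(join_ports "$BACKEND_PORTS") -j ACCEPT"
}

# firewalld_rules ADMIN_NET PROXY_NET: the same policy as firewalld rich rules
firewalld_rules() {
    for p in $PUBLIC_PORTS; do
        echo "firewall-cmd --permanent --add-port=$p/tcp"
    done
    for p in $ADMIN_PORTS; do
        echo "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$1 port port=$p protocol=tcp accept'"
    done
    for p in $BACKEND_PORTS; do
        echo "firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=$2 port port=$p protocol=tcp accept'"
    done
    echo "firewall-cmd --reload"
}

# Print rather than execute, so the policy can be reviewed before it is applied.
iptables_rules 192.0.2.0/24 198.51.100.10/32
```

The script only prints the commands; review them, then pipe them to sh as root. With ufw the same split is expressed with `ufw allow from <net> to any port <port> proto tcp` for the admin and backend ports.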
innotop and mytop
Verified Against: Zimbra Collaboration 8.5 | Date Created: 08/16/2014 |
Article ID: https://wiki.zimbra.com/index.php?title=New_Features_ZCS_8.5 | Date Modified: 2019-02-05 |
Installing an SSL certificate
When opening the web interface we get a certificate error, because a self-signed certificate is created by default. Below is the process of installing a free certificate from Let's Encrypt.
Port forwarding
If our server is on an internal network, port forwarding has to be configured. In short, this is a setting on the Internet-facing network device that passes requests arriving on a given port on to our mail server.
An example configuration for Mikrotik is given in the guide "Forwarding requests (port forwarding) on Mikrotik".
Sending a test message
If our message did not score 10 points, analyze the reported problems and fix them.
Creating a mailbox
From the main menu of the administration console go to Manage - Accounts. On the right, click the gear icon - New:
Enter the account name and the user's last name:
Set the user's password and, optionally, tick "Must change password":
If an administrative account is needed, tick "Global administrator":
Click Finish.
Choosing the Linux distribution and Zimbra version
The list of Linux distributions supported by the Zimbra developers is published on the official download pages. This guide covers installation on Ubuntu 18.04 and CentOS 7; the procedure for other systems is largely the same.
Zimbra comes in two main editions: the paid Network Edition and the free Open Source Edition (OSE). At the time of writing the latter was no longer maintained: only version 8.8.12 was offered for download and it no longer received updates. A comparison of the editions is available on the official site. In the Zimbra download center we can choose and download the package for either edition. In this guide we download and install the paid demo edition and license it with a temporary key that allows use of the product for 60 days; after that period the product must be purchased or its use discontinued.
How to enable it
To keep your MTAs from being blacklisted, the DNS caching package is now part of Zimbra Collaboration. General setup:
The installer will automatically reconfigure the DNS cache as the primary resolver for the OS.
If you did not specify any DNS server IP, dnscache uses Google DNS (8.8.8.8) by default.
You can start, stop, restart, reload or check the status of the service as the zimbra user with the following command:
NOTE: SHOULD NOT BE INSTALLED ON SYSTEMS THAT ALREADY HAVE BIND OR OTHER DNS SERVICES INSTALLED. Instead, the client should configure such servers to also act as a DNS cache.
Zimbra DNSCache
Along with Zimbra we installed the dnscache service, which improves the mail server's performance. However, name resolution on the host changes: /etc/resolv.conf now contains the entry:
... and resolving DNS names to IP addresses stops working. Removing or changing the entry in resolv.conf does not help: after a while the file is rewritten and the setting returns to its original form.
To configure dnscache correctly, first look at the master DNS servers in the Zimbra server settings:
su - zimbra -c "zmprov getServer '$myhostname' | grep DNSMasterIP"
In my case it was:
Remove that entry (127.0.0.53 is the local systemd-resolved stub listener; with the cache forwarding to it instead of to a real resolver, lookups fail):
su - zimbra -c "zmprov ms '$myhostname' -zimbraDNSMasterIP 127.0.0.53"
And add working DNS servers, for example:
su - zimbra -c "zmprov ms '$myhostname' +zimbraDNSMasterIP 192.168.1.1"
su - zimbra -c "zmprov ms '$myhostname' +zimbraDNSMasterIP 8.8.8.8"
su - zimbra -c "zmprov ms '$myhostname' +zimbraDNSMasterIP 77.88.8.8"
* where 192.168.1.1 is the DNS server on my network, 8.8.8.8 is Google's public resolver and 77.88.8.8 is Yandex's.
DNS queries on the server now work.
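Before typing zmprov commands by hand it helps to check every zimbraDNSMasterIP value for the mistake described above. The script below is an added example, not from the original page or from Zimbra: it parses the output of zmprov getServer, flags loopback forwarders (127.0.0.53 is the systemd-resolved stub listener, and once /etc/resolv.conf points at the cache itself, a cache that forwards to a local stub answers nothing), and prints the zmprov commands that remove them and add the chosen resolvers, skipping any already present. The server name mail.example.com, the resolver list and the sample zmprov output are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original page or from Zimbra: audit the upstream
# resolvers (zimbraDNSMasterIP) that zimbra-dnscache forwards to, and print the
# zmprov commands that fix them. A loopback forwarder is the failure mode the
# page describes: 127.0.0.53 is the systemd-resolved stub listener, and once the
# installer has pointed /etc/resolv.conf at the cache, a cache that forwards to
# a local stub answers nothing.
# Assumptions: mail.example.com, the resolver list and SAMPLE (the shape of
#   zmprov getServer "$myhostname" | grep DNSMasterIP
# output) are constructed placeholders.

# is_loopback ADDR: succeed when ADDR is a loopback address (127.0.0.0/8 or ::1)
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# bad_masters ZMPROV_OUTPUT: print every zimbraDNSMasterIP value that is loopback
bad_masters() {
    printf '%s\n' "$1" | sed -n 's/^zimbraDNSMasterIP:[[:space:]]*//p' | while read -r ip; do
        if is_loopback "$ip"; then echo "$ip"; fi
    done
}

# fix_commands SERVER ZMPROV_OUTPUT "RESOLVER ...": print the zmprov commands
# that drop loopback forwarders and add the wanted resolvers (skipping any that
# are already configured)
fix_commands() {
    server=$1; out=$2; want=$3
    for ip in $(bad_masters "$out"); do
        echo "zmprov ms $server -zimbraDNSMasterIP $ip"
    done
    for ip in $want; do
        if printf '%s\n' "$out" | grep -qxF "zimbraDNSMasterIP: $ip"; then
            continue
        fi
        echo "zmprov ms $server +zimbraDNSMasterIP $ip"
    done
}

# Constructed sample: what the installer left behind on the page's system
SAMPLE='zimbraDNSMasterIP: 127.0.0.53
zimbraDNSMasterIP: 192.168.1.1'

fix_commands mail.example.com "$SAMPLE" "192.168.1.1 8.8.8.8 77.88.8.8"
```

Run the printed commands as the zimbra user (the page wraps them in su - zimbra -c), restart the cache with zmdnscachectl restart, and then query any external name twice with dig @127.0.0.1: the second answer should report a query time of 0 msec, which is what the "Testing the DNS caching service" section below describes.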
Features affecting Postfix
The following Postfix-related features were added in this release (JP). Postfix is the primary Mail Transport Agent of the ZCS product.
LMDB as the supported backend for on-disk database maps
Starting with ZCS 8.5 and later, Postfix is linked to LMDB, the same backend used for OpenLDAP. Previously, Postfix was linked to Berkeley DB.
Upgrade considerations
ZCS has never officially supported using any postfix on-disk database maps prior to ZCS 8.5. However, many clients have used them via custom non-preserved modifications to the postconf configuration. As usual, these modifications will be lost on upgrade. In addition, to restore the modifications post-upgrade, they will also need to:
- Run postmap against the database input file to generate an LMDB database
- use lmdb: format instead of hash: format for their modifications
It is worthwhile noting that many of the previously unsupported features that required the use of on-disk database maps are now fully supported, so they will also want to check if this is the case, so that their customizations are correctly carried forward across upgrades.
Ability to blacklist specific IP addresses
Starting with ZCS 8.5 and later, it is now possible to maintain an IP blacklist for connections to Postfix. This is useful in DoS and targeted spam attack scenarios.
postmap will need to be re-run on the file anytime an IP address is added or removed.
Split Domain support
Ability to whitelist blacklisted IP addresses
Many clients use RBLs to block spammers from flooding their MTAs with spam. Unfortunately perfectly valid sites occasionally end up on these lists. It is now possible with ZCS 8.5 and later to create an on-disk database map that allows the client to whitelist specific blacklisted IPs so that emails from those IPs still get delivered.
postmap will need to be re-run on the file anytime an IP address is added or removed.
Ability to reject or accept emails for specific users
Starting with ZCS 8.5, it is possible to configure postfix to deny or accept specific emails for a given user address, IP address, etc.. This can be used to effectively block spammers targeting a given user, or coming in from a specific IP.
Ability to configure smtp_generic_maps
Starting with ZCS 8.5, it is possible to configure postfix to preserve the value for smtp_generic_maps across upgrades. This may be used to handle how subdomain routing is done for users.
Ability to reject mail where authenticated user and sender do not match
Starting with ZCS 8.5, it is possible to configure Postfix to reject emails where the SASL-authenticated user does not match the sender address. This is primarily to prevent spammers who have obtained a user's password from sending mail with arbitrary From addresses, as they tend to do. Note that Postfix applies this check (reject_sender_login_mismatch) to the envelope sender given in MAIL FROM; the From: header inside the message is a separate field and is not inspected by this restriction.
postfix-logwatch utility
Starting with ZCS 8.5 and later, two new utilities (amavis-logwatch and postfix-logwatch) are included with the ZCS MTA package. They generate very useful statistics about how the MTA is performing and what issue(s) it encounters. They will likely be added to the Daily Report as well.
NOTE: ZCS versions +8.7.x , postfix-logwatch is located in /opt/zimbra/common/bin/
Ability to configure cipher strength for the smtp and smtpd daemons
Starting with ZCS 8.5, it is possible to configure the TLS related strength factors for postfix to not only enforce encryption but to enforce a certain strength of encryption. To this end multiple LDAP attributes were added:
Ability to preserve PCI compliance
With ZCS 8.5 and later, it is now possible to preserve PCI compliance configuration across upgrades.
MTA related changes
These changes affect the MTA stack, which consists of Postfix, Amavis, Cluebringer (cbpolicyd), SpamAssassin, OpenDKIM, Zimbra policy server, ClamAV, DSPAM, DNS caching, Exchange compatible journaling, and the Zimbra Milter.
3. DNS and server name
For the mail server to work correctly, MX records must be created for the domain (see the article on DNS records for details).
For the Zimbra installation itself, however, it is more important that the local hosts file contains an entry for our server; otherwise the installation aborts with an error. So, set the server's FQDN:
Now open the file for editing:
A not so obvious problem: if the hostname package is missing from the system, any attempt to start the Zimbra installer fails with an error about resolving the IP address from the name. Install the package.
a) On CentOS (Red Hat):
yum install hostname
b) On Ubuntu (Debian):
apt-get install hostname
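A quick pre-flight check for the hosts requirement, as an added example (not part of the original page or of the Zimbra installer): it looks the FQDN up in hosts-file text the way the installer's own check will, and distinguishes the three ways it goes wrong: no entry at all, an entry only on the 127.0.0.1 line, or a hostname without a domain part. The hosts contents, mail.example.com and 192.0.2.10 are constructed samples; on the real server pass "$(hostname -f)" and "$(cat /etc/hosts)".

```sh
#!/bin/sh
# Added example, not from the original page or from the Zimbra installer: a
# pre-install check for the hostname/hosts requirement the page describes. The
# installer resolves the server's FQDN, so /etc/hosts must map that FQDN to the
# server's real address, not only to a loopback line. The hosts text below is
# constructed; on a real server pass "$(hostname -f)" and "$(cat /etc/hosts)".

# check_hosts_entry FQDN HOSTS_TEXT
#   0: FQDN maps to a non-loopback address
#   1: FQDN not found
#   2: FQDN found only on a loopback line (127.x / ::1)
#   3: name is not fully qualified (no dot)
check_hosts_entry() {
    fqdn=$1
    case $fqdn in
        *.*) ;;
        *) return 3 ;;
    esac
    printf '%s\n' "$2" | awk -v name="$fqdn" '
        { sub(/#.*/, "") }          # strip comments
        NF < 2 { next }             # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if ($i == name) {
                    if ($1 ~ /^127\./ || $1 == "::1") lo = 1
                    else ok = 1
                }
        }
        END { exit (ok ? 0 : (lo ? 2 : 1)) }'
}

# explain_hosts_check FQDN HOSTS_TEXT: print a verdict, return the same code
explain_hosts_check() {
    if check_hosts_entry "$1" "$2"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "ok: $1 resolves locally to a non-loopback address" ;;
        1) echo "missing: add '<server-ip> $1 ${1%%.*}' to /etc/hosts" ;;
        2) echo "loopback only: $1 must map to the server's real IP, not 127.x" ;;
        3) echo "not an FQDN: set a hostname with a domain part first" ;;
    esac
    return $rc
}

# Constructed samples (192.0.2.10 and mail.example.com are placeholders)
HOSTS_OK='127.0.0.1   localhost
# constructed sample
192.0.2.10  mail.example.com mail'
HOSTS_LOOP='127.0.0.1   localhost mail.example.com mail'
HOSTS_NONE='127.0.0.1   localhost'

explain_hosts_check mail.example.com "$HOSTS_OK"
```

The loopback case is the one that bites most often: a distribution that puts the hostname on the 127.0.1.1 or 127.0.0.1 line satisfies hostname -f but makes Zimbra bind its services to the wrong address.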
OracleJDK replaced with OpenJDK (and upgraded to version 8)
Starting with ZCS 8.5 and later, we have moved from using the Oracle provided JDK builds to our own build of OpenJDK. OpenJDK has significantly friendlier license terms for our product, and has evolved to the point where Oracle builds their JDK from OpenJDK and then removes features. In this way, we get the full OpenJDK feature set and are free of Oracle's restrictions. In addition, we are now running version 8 of the JDK.
Configuring DKIM
Let us look separately at setting up DKIM signing on the Zimbra mail server. Keys are generated per domain from the command line (-a adds a key for the domain; to rotate an existing key use -u instead). Connect to the server over SSH and run:
su - zimbra -c "/opt/zimbra/libexec/zmdkimkeyutil -a -d dmosk.ru"
We should get a response like:
In this output we need 5D8C3E02-4EFA-11EA-872A-D9A5B4628C49._domainkey, the name of the TXT record in the dmosk.ru domain, and "v=DKIM1; k=rsa; " "p=M...AB", the record's content (the quoted chunks together form one value).
Add this record in the domain's DNS settings and wait about 15 minutes. Then run the check:
To view the existing DKIM records, use the command:
su - zimbra -c "/opt/zimbra/libexec/zmdkimkeyutil -q -d dmosk.ru"
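Copying the record into a DNS control panel is where most DKIM setups fail: zmdkimkeyutil prints it BIND-style, with the value split into several quoted strings, and only the whole concatenation is the record. The script below is an added example, not from the original page or from Zimbra: it extracts the selector, joins the quoted chunks into the single TXT value to publish, and sanity-checks the result. The zmdkimkeyutil output it parses is constructed to match that shape; the domain example.com and the key material in it are placeholders, not a real key.

```sh
#!/bin/sh
# Added example, not from the original page or from Zimbra: turn zmdkimkeyutil
# output into the selector name and the single TXT value a DNS control panel
# expects. The tool prints the record BIND-style with the value split into
# quoted strings; pasting only the first chunk (the "v=DKIM1; k=rsa; " part)
# is a common mistake that makes verification fail.
# SAMPLE is constructed to match that shape; the selector is the page's, the
# domain and key material are placeholders, not a real key.

SAMPLE='DKIM Data added to LDAP for domain example.com with selector 5D8C3E02-4EFA-11EA-872A-D9A5B4628C49
Public signature to enter into DNS:
5D8C3E02-4EFA-11EA-872A-D9A5B4628C49._domainkey IN TXT ( "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEXAMPLEKEYDATA"
    "ONLYFORILLUSTRATIONAB" )  ; ----- DKIM key 5D8C3E02-4EFA-11EA-872A-D9A5B4628C49 for example.com'

# dkim_selector OUTPUT: print the selector (the label before ._domainkey)
dkim_selector() {
    printf '%s\n' "$1" | sed -n 's/^\([^[:space:]]*\)\._domainkey.*/\1/p' | head -n 1
}

# dkim_txt_value OUTPUT: print the TXT value with all quoted chunks concatenated
dkim_txt_value() {
    printf '%s\n' "$1" | sed -n '/\._domainkey/,/)/p' | grep -o '"[^"]*"' | tr -d '"\n'
}

# dkim_check_value VALUE: succeed if it declares v=DKIM1 and carries a non-empty p=
dkim_check_value() {
    case $1 in
        *v=DKIM1*p=?*) return 0 ;;
    esac
    return 1
}

sel=$(dkim_selector "$SAMPLE")
val=$(dkim_txt_value "$SAMPLE")
echo "name:  ${sel}._domainkey.example.com"
echo "type:  TXT"
echo "value: $val"
# Once published, compare with what resolvers return (chunks may again be quoted):
#   dig +short TXT "${sel}._domainkey.example.com"
```

If the panel limits a single string to 255 characters it will re-split the value itself; what matters is that every chunk is present and in order.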
4. System variable for the server name
To make it easier to enter commands that require the server name, create a shell variable:
Now we can use the $myhostname variable in commands.
Preparing the server
Regardless of the chosen Linux distribution or Zimbra edition, perform the following steps to prepare the server for correct operation of the mail server.
Real time attachment scanning for outgoing mail sent via the web client
Starting with ZCS 8.5, it is possible to enable real-time scanning of attachments in outgoing emails sent via the web client. If enabled, when someone adds an attachment to an email, it will be scanned via ClamAV prior to being able to send the message. If ClamAV detects a virus, it will block attaching the file to the message. By default, scanning is configured for a single node installation. To enable in single node:
In ZCS 8.6.x and later, it is possible to enable/disable attachment scanning globally or per server.
To enable in a multi-node environment: multiple MTAs can now be used for scanning. zimbraClamAVBindAddress is set *per server* on the MTA nodes and tells the clamav process which hostname to bind to.
DNS caching service
Starting with ZCS 8.5 and later, a DNS caching service is available for installation. It is specifically targeted at MTA nodes but can be useful on any node. Three of our supported features rely heavily on DNS lookups:
- DKIM verification
- SpamAssassin Scoring
- Postfix RBLs for spam blocking
However, the remote sites that provide SpamAssassin scoring and Postfix RBLs do *not* tolerate heavy DNS traffic overloading their servers. Prolonged over-use of their DNS systems will get your MTAs blacklisted from those services, severely reducing their effectiveness. To ensure our clients do not have their MTAs blacklisted, the DNS caching package is now part of ZCS. General setup:
- Answer [Y] to install zimbra-dnscache
- When prompted, list the IP(s) of the site's local DNS servers
The installer will automatically reconfigure the DNS cache as the primary resolver for the OS.
NOTE: SHOULD NOT BE INSTALLED ON SYSTEMS THAT ALREADY HAVE BIND OR OTHER DNS SERVICES INSTALLED. Instead, the client should configure such servers to also act as a DNS cache.
Testing the DNS caching service (dnscache)
Query the same external name twice. The second query takes 0 ms because the MTA asks dnscache, which already has the answer cached, so the lookup costs neither latency nor bandwidth:
This page brings to notice some notable new features and functionality released with ZCS 8.5.
Obtaining the certificate
Download the letsencrypt-auto utility into that directory (/opt/letsencrypt):
Make it executable:
chmod +x /opt/letsencrypt/letsencrypt-auto
/opt/letsencrypt/letsencrypt-auto certonly --standalone
* standalone mode starts its own temporary web server on port 80 for the validation, so that port must be free at that moment: stop the Zimbra proxy (or whatever else listens on port 80) for the duration. letsencrypt-auto has since been replaced by certbot, which accepts the same certonly --standalone arguments.
Several packages will be installed; then enter an email address, accept the license agreement and, optionally, subscribe to the Let's Encrypt mailing list:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
The utility then asks for the address for which to issue the certificate; enter our server's name, for example:
We should get something like: