grs blog

Tag: zimbra

  • How to merge two zimbra mailboxes

    If you want to merge 2 zimbra mailboxes, you can simply export the source mailbox and import it to the target mailbox. This can be easilly achieved with a couple of zimbra commands.

    • SSH into your zimbra server.
    • Change to zimbra server:
      su - zimbra
    • Now type:
      /opt/zimbra/bin/zmmailbox -z -m [email protected] getRestURL "//?fmt=tgz" > /tmp/temp.tgz && /opt/zimbra/bin/zmmailbox -z -m [email protected] postRestURL "//?fmt=tgz&resolve=modify" /tmp/temp.tgz
      This is actually two commands in one line: first export to temp.tgz and, if export is successfull (&&), import to target mailbox.

    Make sure you replace [email protected] and [email protected] with proper addresses.

    If the old mailbox is big you may encounter the following error: 

    ERROR: zclient.IO_ERROR (Read timed out) (cause: java.net.SocketTimeoutException Read timed out)

    This is because the programmers of zmmailbox command have set a default timeout to avoid endless execution. Luckily for us, they have also supplied zmmailbox with the t option which let us specify the amount of time before the timeout error occurs. An infinite timeout is set with -t 0. So you may now want to rewrite the command like this:

    /opt/zimbra/bin/zmmailbox -z -t 0 -m [email protected] getRestURL "//?fmt=tgz" > /tmp/temp.tgz && /opt/zimbra/bin/zmmailbox -z -t 0 -m [email protected] postRestURL "//?fmt=tgz&resolve=modify" /tmp/temp.tgz

    Initially we have found the the idea in zimbra forums (https://forums.zimbra.org/viewtopic.php?t=62378) and we have also tried it many times in our own servers, especially with merging some multi giga byte accounts we manage and host.

  • zimbra: multiple letsencrypt certificates and Unable to start TLS error

    The following guide is tested against zimbra 8.8: Installing a Let’s Encrypt SSL Certificate

    If this error occurs: ‘Unable to start TLS: hostname verification failed when connecting to ldap master.
    make sure you have included your hostname in your letsencrypt signing domains and follow the guide once again.
    For instance, if your hostname is mail5.example.com, use letsencrypt to sign mail5.example.com along with all other domains.

    Example:

    [email protected]:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone -d mail5.example.com -d mail.example.com -d webmail.example.com -d mail.test.com -d webmail.test.com

    Make also sure you append https://www.identrust.com/certificates/trustid/root-download-x3.html to chain.pem

    The whole procedure seems a bit tricky but actually it’s easy and it works.

    Hopefully, some clever people have developed a bunch of scripts to automate the whole procedure, not all of them work in all cases. We have successfully tested the first automated method (https://github.com/VojtechMyslivec/letsencrypt-zimbra/) and it works great, as long as you keep incuding hostname in your config to avoid the “Unable to start TLS” error.

    So open up your config at:

    /opt/letsencrypt-zimbra/letsencrypt-zimbra.cfg

    And edit the line with common names:

    
common_names=( "mail5.example.com" "mail.example.com" "webmail.example.com" "mail.test.com" "webmail.test.com" )

     

    Automated method installation instructions are very simple – just follow them here: https://github.com/VojtechMyslivec/letsencrypt-zimbra/

    The manual method, although hasn’t any real difficulties, has some steps though that might prove a nightmare when it comes to renew certs every 3 months for letsencrypt certs. Anyhow, for all of you manual people, steps are the following:

    • Stop zimbra services: zmcontrol stop
    • Use letsencrypt to fetch the certificates: ./letsencrypt-auto certonly --standalone -d mail5.example.com -d mail.example.com -d webmail.example.com -d mail.test.com -d webmail.test.com. If asked, select expand (E).
    • Append missing certificate to chain.pem
    • Copy created certificates to zimbra location: cp /etc/letsencrypt/live/mail5.example.com/* /opt/zimbra/ssl/letsencrypt/
    • Set rights: chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
    • Login as zimbra: su - zimbra
    • Goto certificates path: cd /opt/zimbra/ssl/letsencrypt
    • Check certificate validity: /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
    • Take a backup: cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
    • Deploy certificates to zimbra installation: /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
    • Restart zimbra: zmcontrol restart

  • how to configure dkim on zimbra

    Just type the following:


    su - zimbra
    /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com

    Then add the output to a txt record in your dns config.

    Check your configuration using this link:

    https://mxtoolbox.com/dkim.aspx

  • how to install zimbra on ubuntu 16.04

    Guide for installing zimbra on ubuntu 16.04.
    If you use clouldflare or another dns service provider you can skip bind part.

    https://linoxide.com/ubuntu-how-to/setup-zimbra-suite-ubuntu-16/

  • migrate from zimbra to zimbra

    Guide below is tested against zimbra 8.6, 8.7, 8.8. It’s not a full zimbra to zimbra migration, missed some things, but it works to migrating most important stuff. There might also exist some minor bugs, but if you have a basic experience in linux shell you won’t have a problem tweaking commands.

    Zimbra Server Migration and Zimbra Account Transfer – The Perfect Method

    There’s also this link provided by zimbra official wiki, but it’s not at all tested by our team:

    https://wiki.zimbra.com/index.php?title=Open_Source_Edition_Backup_Procedure
  • protect zimbra from memcached attack

    protect zimbra from memcached attack

    Zimbra uses memcached and if not properly configured could lead to a vulnerable system.

    If you want to read more on memcached attack read this:

    https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

    How to resolve this vulnerability in 3 steps:

    1. Enable firewall on your server
    2. Setup zimbra specific rules
    3. Bind memcached to localhost
    4. Deny memcached port from localhost

    Let’s start.

    (more…)

  • install and configure policyd on zimbra

    Ahmad Imanudin has a nice series of tutorials on installing and configuring policyd on Zimbra.

    1. Install and enable web ui.

    How To Install PolicyD on Zimbra 8.5

    2. Password protect web ui with .htaccess

    Zimbra Tips: How To Protect Policyd WebUI

    3. Configure policyd using web ui

    Zimbra Tips : How To Configure Rate Limit Sending Message on PolicyD

    4. Reject unlisted domain using policyd web ui

    Improving Anti Spam : Reject Unlisted Domain On Zimbra 8.5