Zimbra ZCS on Ubuntu 14 LTS


Zimbra is by far the best mail solution out there, making use of Postfix, ClamAV, OpenLDAP, Amavis, NGINX, memcached and more de facto standard open source solutions to deliver an enterprise-class email solution.

Deploying this to Ubuntu 14 is quite straightforward, but most of the guides out there seem to be incomplete, so here is mine.

Zimbra is a bit resource hungry since it relies on Java, so deploy a VM with 6GB of memory (4 works too) and 4 cores. We use a standard 16GB OS partition and move our mailstore to a Nexenta/NFS store at a later stage.

First things first: fetch and untar the binary from zimbra.com. The site is rather slow, so it takes some time. The version is 8.6.0/1153 at the time of writing.

wget https://files.zimbra.com/downloads/8.6.0_GA/zcs-8.6.0_GA_1153.UBUNTU14_64.20141215151116.tgz
tar -zxvf zcs*

Now edit your hosts file and hostname so they have the correct entries:

#cat /etc/hosts
127.0.0.1 localhost
192.168.1.15 cinhk1mail01.legal-it.net cinhk1mail01 mail

Now install the prerequisites. For us, on an image in our cloud, we need to add:

apt-get install libaio1 pax sysstat unzip libgmp10

Next, run ./install.sh and select the components you want. I don’t use DNS Cache since our internal DNS is rigid and we have MX records for our domains set up correctly. If you do not have this sorted, use dnsmasq as described here: https://www.maketecheasier.com/install-zimbra-ubuntu-server/

Install zimbra-ldap [Y]
Install zimbra-logger [Y]
Install zimbra-mta [Y]
Install zimbra-dnscache [Y] N
Install zimbra-snmp [Y]
Install zimbra-store [Y]
Install zimbra-apache [Y]
Install zimbra-spell [Y]
Install zimbra-memcached [Y]
Install zimbra-proxy [Y] N

After installing the packages (this can take some time), Zimbra will complain about the domain name. Change the domain from the FQDN to the actual domain name:

DNS ERROR resolving MX for cinhk1mail01.legal-it.net
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes] 
Create domain: [cinhk1mail01.legal-it.net] legal-it.net
 MX: cinhk1mx01.legal-it.net (192.168.1.15)

Now walk through the setup menu and set the password for the Admin user (in the zimbra-store submenu). I personally change all LDAP passwords to something we have recorded in our security database, to make adding servers and separating roles at a later stage easier. Don’t forget to set the timezone in the common configuration as well. We also enable the option “Configure for use with web proxy:”, since in our house access to webmail goes through an NGINX reverse proxy.

Now check your installation by running zmcontrol status as the zimbra user:

su - zimbra -c "zmcontrol status"

All should be running and happy at this moment, so it is time for a reboot to see if everything comes back afterwards.

Now log in to your Zimbra server admin console using your favorite browser (https://cinhk1mail01.legal-it.net:7071); mind that it’s HTTPS. If your server shows all red in the server status (in contradiction to what zmcontrol status told you before), you might have some rsyslog issues. In this case, just create a syslog file (/etc/syslog) with the content:

# Zimbra logs 
local0.* -/var/log/zimbra.log 
local1.* -/var/log/zimbra-stats.log 
auth.* -/var/log/zimbra.log 
mail.* -/var/log/zimbra.log

and reconfigure Zimbra syslog for good measure with /opt/zimbra/libexec/zmsyslogsetup

Then restart Zimbra with service zimbra restart (or reboot); all should be green and happy afterwards.

Now Zimbra can read the correct log files and determine the status of the services.

Next up is installing ZeXtras, an absolutely brilliant add-in for Zimbra that enables ZCS to work well with mobile connections, do some easy backups and, most importantly, easily move your data stores around. We use it on all our production servers and it is certainly worth the few dollars they ask for it. If you need a quote or help with ZeXtras, drop us a line at sales@integrative.it

To install, first wget and untar the add-in.

wget http://www.zextras.com/download/zextras_suite-latest.tgz
tar -zxvf zextras_suite-latest.tgz
cd zextras_suite-2.0.3 
./install.sh all

2.0.3 is the current version at the time of writing. Follow the install questions, and after the install navigate back to the admin console and reload the page to see if the plug-in is installed.

Now, we have a Nexenta back-end storage for NFS and iSCSI, so we use this as our data store. We created a mount point /mailstore, in which we created a folder called store01. We changed the ownership of this folder to zimbra (chown zimbra:zimbra /mailstore/store01). Now navigate to the zxPowerstore section of ZeXtras and add a new volume pointing to the NFS mount. We don’t need compression as the Nexenta server will take care of that for us.

It’s now time to add our wildcard certificate. If you don’t have one, just go through the setup wizard and create a self-signed one, or create a request for an issuer, and skip this step. In our case we have our own trusted CA from which we issue certificates, so if you have the same, do the following:

Go to the folder /opt/zimbra/ssl/zimbra/commercial and copy your CA certificate as commercial_ca.crt, your wildcard certificate as commercial.crt and the key as commercial.key. Now verify that the certificate chains to the CA with

/opt/zimbra/openssl/bin/openssl verify -CAfile commercial_ca.crt commercial.crt

and if all is good, commit the certificates with

/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

Now reload your admin page and check that your certificate is being used.
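
Before running deploycrt it is worth checking more than the chain. The shell function below is an added example, not part of the original guide or of Zimbra: it repeats the openssl verify step and also confirms that commercial.key belongs to commercial.crt, that the key is not group or world readable, and that the certificate is not about to expire. The function name, the return codes and the 30-day default are assumptions; set OPENSSL to /opt/zimbra/openssl/bin/openssl to use the binary bundled with Zimbra.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the commercial certificate set.
# OPENSSL defaults to the system binary (assumption); on the Zimbra host
# export OPENSSL=/opt/zimbra/openssl/bin/openssl as used in the guide.
OPENSSL="${OPENSSL:-openssl}"

# check_commercial_cert DIR [MIN_DAYS]   (hypothetical helper name)
# Returns 0 only if every check passes; otherwise prints the first
# failure to stderr and returns a distinct non-zero code.
check_commercial_cert() {
    dir=$1; min_days=${2:-30}
    crt=$dir/commercial.crt; key=$dir/commercial.key; ca=$dir/commercial_ca.crt

    for f in "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. Chain: the guide's "openssl verify" step; accept only an explicit OK.
    "$OPENSSL" verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "chain verification failed" >&2; return 2; }

    # 2. The key must belong to the certificate: compare the public keys.
    crt_pub=$("$OPENSSL" x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$("$OPENSSL" pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }

    # 3. A wildcard key must not be accessible to group or others.
    case $(stat -c %a "$key") in
        *00) ;;
        *) echo "key is group/world accessible: $key" >&2; return 4 ;;
    esac

    # 4. Refuse a certificate that expires within MIN_DAYS days.
    "$OPENSSL" x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 5; }
    return 0
}
```

Source the file and run check_commercial_cert /opt/zimbra/ssl/zimbra/commercial before the deploycrt command; a non-zero return code tells you which of the four checks failed.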

Now domains (and users) can be added to the server. For external LDAP authentication, check this post: http://tonylixu.blogspot.com/2014/06/zimbra-807ga-how-to-configure-external.html
