Managing ZCS Configuration

From Zimbra :: Wiki

(Difference between revisions)
(Configuring IMAP and POP Proxy Server)
m (Anti-Spam Settings)
Line 333: Line 333:
  
 
===Anti-Spam Settings===
 
===Anti-Spam Settings===
 
+
<div class="Body">
</div><div class="Body">
+
  
 
Anti-spam protection can be enabled for each server when the Zimbra software is installed. The following options are configured:
 
Anti-spam protection can be enabled for each server when the Zimbra software is installed. The following options are configured:
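Review bot: The changed line directly under the ===Anti-Spam Settings=== heading reads </div><div class="Body">, and neither the opening tag that this </div> closes nor the closing tag for the new <div class="Body"> is in the visible context, so the nesting cannot be verified from this hunk. Suggest confirming that exactly one Body div is still open when the parser reaches Line 333 and that the section ends with a matching </div>; if the wrapper is only there for styling, wiki markup without raw HTML would be easier to keep balanced across later edits.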

Revision as of 18:14, 11 September 2006

This chapter describes the following functions used to manage the Zimbra Collaboration Suite. Features can be managed from either the administration console or from the CLI utility.

Global configuration
Domains
Servers
User Accounts
Resource Accounts

Help is available from the administration console about how to perform tasks from the administration console. If the task is only available from the CLI, see Appendix A for a description of how to use the CLI utility.

Global Settings control default global rules that apply to accounts in the Zimbra servers. The global settings are set during installation. The settings can be modified from the administration console. A series of tabs make it easy to manage the settings.

Global settings that can be configured include:

Defining the default domain.
Setting the number of results returned for GAL searches.
Setting how users view email attachments and what type of attachments are not allowed.
Configuring authentication process, setting the Relay MTA for external delivery, and enabling DNS lookup.
Enabling POP and IMAP and the port numbers. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.
Enable anti-spam protection and set the spam controls.
Set anti-virus options for messages received that may have a virus.
Set the global HSM schedule for when messages should be moved to a secondary storage space.

You can view the current Zimbra license information, update the license if necessary and view the number of accounts created in Global Settings.

Note: Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the server, COS, or account setup, they override the global settings.

General Global Settings

In the General tab configure the Most results returned by GAL search field, which sets a global ceiling for the number of GAL results returned from a user search. The default is 100 results per search.

Global Attachment Settings

The Attachments tab can be configured with global rules to reject mail with files attached, to convert attachments to HTML for viewing, and to disable viewing files attached to mail messages in users’ mailboxes. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.

The attachment settings are as follows:

Attachments cannot be viewed regardless of COS. Users cannot view any attachments. This global setting can be set to prevent a virus outbreak from attachments, as no mail attachments can be opened.
Attachments are viewed in HTML regardless of COS. Email attachments can only be viewed in HTML. The COS may have another setting but this global setting overrides the COS setting.
Attachments are viewed according to COS. This global setting states that the COS sets the rules for how email attachments are viewed.

Reject messages with attachment extension lets you select which file types are unauthorized for all accounts. The most common extensions are listed. You can also add different extension types to the list. Messages with those types of files attached are rejected and the sender gets a bounce notice. The recipient does not get the mail message and is not notified.

Note: Attachments settings can also be set for a Class of Service (COS) and for accounts.

Global MTA Settings

The MTA tab is used to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks. For a description of Zimbra MTA, see Zimbra MTA.

Authentication should be enabled, to support mobile SMTP authentication users so that their email client can talk to the Zimbra MTA.
TLS authentication only forces all SMTP auth to use Transport Layer Security to avoid passing passwords in the clear.
The Relay MTA for external delivery is the relay host name. This is the Zimbra MTA to which Postfix relays non-local email.
If Enable DNS lookups is checked, the Zimbra MTA makes an explicit DNS query for the MX record of the recipient domain. If this option is disabled, set a relay host in the Relay MTA for external delivery.
The Protocol fields are checked to reject unsolicited commercial email (UCE), for SPAM control.
The DNS fields are checked to reject mail, if the client’s IP address is unknown, the hostname in the greeting is unknown and/or if the sender’s domain is unknown.

Global IMAP and POP Settings

IMAP and POP access can be enabled as a global setting or server setting.

With POP3 (Post Office Protocol) users can retrieve their mail stored on the Zimbra server and download new mail to their computer. The user’s POP configuration determines if messages are deleted from the Zimbra server.

With Internet Message Access Protocol (IMAP), users can access their mail from any computer as the mail is stored on the Zimbra server.

Configuring IMAP and POP Proxy Server

Setting up an IMAP/POP proxy server is useful for larger ZCS sites that want to present a single hostname for POP/IMAP. Enabling IMAP/POP proxy servers allows mail retrieval for a domain to be split across multiple Zimbra servers on an account basis.

Note: An IMAP/POP proxy server should not be configured for ZCS running on a single server.

The IMAP/POP Proxy server feature can be enabled when ZCS is installed or any time from the administration console. Both SSL and non-SSL connections can be configured.

When an IMAP or POP user enters his email address and password, the IMAP/POP proxy server searches the LDAP directory server to find which Zimbra server host the account is created on and then passes the authentication through to the appropriate mailbox server. The proxy server does not contain any data.

When the proxy server is configured, the default POP and IMAP ports are configured for the proxy server. ZCS designates the Zimbra server port numbers. These port numbers cannot be changed. When you enable a proxy server on any Zimbra server, servers that do not have the proxy server enabled must be configured with the appropriate server port number listed below.

  • IMAP Proxy port - 143
  • IMAP SSL proxy port - 993
  • POP proxy port - 110
  • POP SSL proxy port - 995
  • IMAP server port - 7143
  • IMAP SSL server port - 7993
  • POP server port - 7110
  • POP SSL server port - 7995

Anti-Spam Settings

Anti-spam protection can be enabled for each server when the Zimbra software is installed. The following options are configured:

Kill percent at 75%. Mail that is scored at 75% is considered spam and is not delivered.
Tag percent at 33%. Mail that is scored at 33% is considered spam and is delivered to the Junk folder.
Subject prefix field is blank. The prefix entered in this field is added to the subject line for messages tagged as spam.

When a message is tagged as spam, the message is delivered to the recipient’s Junk folder. Users can view the number of unread messages that are in their Junk folder and can open the Junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when they add or remove messages in the Junk folder, their action helps train the spam filter. See “Anti-Spam Protection”.

RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI. See “To turn RBL on”.

Anti-Virus Settings

Anti-virus protection is enabled for each server when the Zimbra software is installed. The global settings for the anti-virus protection are configured with these options enabled:

Block encrypted archives, such as password protected zipped files.
Send notification to recipient to alert that a mail message had a virus and was not delivered.

During ZCS installation, the administrator notification address for anti-virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.

By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV. The frequency can be set between 1 and 24 hours.

Note: Updates are obtained via HTTP from the ClamAV website.

Global HSM Session Setting

Global Settings HSM (Hierarchical Storage Management) sets the default message age thresholds to 30 days. The HSM global setting is the default unless you change the schedule in the Server configuration. See “Scheduling HSM Sessions”.

Customizing Themes for Zimbra Web Client

Themes let you customize the background colors viewed on a user’s Zimbra Web Client. The default theme is Sand. ZCS comes with a selection of UI themes to choose from to customize the background colors. When ZCS is installed these themes are enabled. In the Class of Service configuration, you can set which themes are available. Users can change the ZWC background colors from Options>General.

For those wanting to define their own theme or looking for more information about themes, see Themes on the Zimbra Wiki website.

Managing Domains

One domain is identified during the installation process and additional domains can be easily added to the Zimbra system from the administration console.

For domains, you configure the Global Address List mode, the authentication mode, and virtual domains.

Global Address List (GAL) Mode

The Global Address List (GAL) is your company directory.

GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed. Select one of the following GAL configurations:

Internal. The Zimbra LDAP server is used for directory lookups.
External. External directory servers are used for GAL lookups. You can configure multiple external LDAP hosts for GAL. All other directory services use the Zimbra LDAP service (configuration, mail routing, etc.).
Both. Internal and external directory servers are used for GAL lookups.

A GAL configuration wizard steps you through configuring the GAL mode and setting the maximum number of results returned for a search in GAL.

Authentication Modes

Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in. Zimbra Collaboration Suite offers the following three authentication mechanisms:

Internal. The Internal authentication uses the Zimbra directory server for authentication on the domain. When you select Internal, no other configuration is required.
External LDAP. The user name and password are the authentication information supplied in the bind operation to the directory server. You must configure the LDAP URL, LDAP filter, and whether to use DN password to bind to the external server.
External Active Directory. The user name and password are the authentication information supplied to the Active Directory server. You identify the Active Directory domain name and URL.

On the administration console, you use an authentication wizard to configure the authentication settings on your domain.

Virtual Hosts

Virtual hosting allows you to host more than one domain name on a server. When you create a virtual host, users can log in without having to specify the domain name as part of their user name.

Virtual hosts are entered on the Domains>Virtual Hosts tab on the administrator’s console. The virtual host requires a valid DNS configuration with an A record.

When users log in, they enter the virtual host name in the browser. For example, https://mail.company.com. When the Zimbra logon screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.

Documents

Zimbra Documents is a document sharing and collaboration application. Users can create, organize, and share web documents. Images, spreadsheets, and other rich web content objects can be embedded into Documents via the AJAX Linking and Embedding (ALE) specification.

The Documents application consists of a Global Documents account which holds the templates, one optional domain Documents account per domain, and Documents Wikis folders for individual accounts. For end users, Documents is enabled from the COS or for individual accounts.

The Global Documents account is automatically created when ZCS is installed. One domain Documents account can be created per domain. The domain Documents wiki Notebook folder can be used to collect, organize, and share information with your users. For the documents folder, you can set access for the following: all users in your domain, all users in the ZCS environment, public view-only, individual user, and distribution lists for groups. You can change the access permissions at any time from the administration console.

Managing Servers

A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.

You can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The Zimbra Installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.

The server settings include:

General information about the service host name, and LMTP advertised name and bind address.
A list of enabled services
Determining how authentication should work for the server, setting a web mail MTA hostname different from global, setting relay MTA for external delivery, and enabling DNS lookup if required.
Enabling POP and IMAP and setting the port numbers for a server. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.
Adding and configuring new index and message volumes.

Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.

General Server Settings

The General tab includes the server display name, the server hostname, and LMTP information including name and IP address if configured.

Services Settings

The Services tab shows the Zimbra services. A check mark identifies the services that are enabled for the selected server, including LDAP, Mailbox, MTA, SNMP, Logger, Spell, Anti-Virus, and Anti-Spam.

MTA Server Settings

From the MTA tab, you can enable or disable authentication, configure the Web mail MTA hostname, set Web mail MTA timeout, the relay MTA for external delivery and disable DNS lookup for the server.

IMAP and POP Server Settings

From these tabs, you can configure IMAP and POP availability on a per server basis.

Volume Settings

The Volume tab can be used to manage storage volumes on your Zimbra Mailbox server. When Zimbra Collaboration Suite is installed, one index volume and one message volume are configured on each mailbox server. You can add new volumes, set the volume type, and set the compression threshold.

Index Volume

Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent index directory on the current index volume. When an account is created, the current index volume is automatically defined for the account. You cannot change which index volume the account is assigned.

As volumes become full, you can create a new current index volume for new accounts. When a new current index volume is added, the older index volume is no longer assigned new accounts.

Index volumes not marked current are still actively in use as the index volumes for accounts assigned to them. Any index volume that is referenced by a mailbox as its index volume cannot be deleted.

Message Volume

When a new message is delivered or created, the message is saved in the current message volume. Additional message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.

A current volume cannot be deleted, and message volumes that have messages referencing the volume cannot be deleted.

Scheduling HSM Sessions

HSM can be configured for secondary storage volumes for older messages. Messages and attachments are moved from a primary volume to the current secondary volume based on the age of the message. Users are not aware of any change and do not see any noticeable difference when opening an older message that has been moved.

To manage your email storage resources, you can implement a different HSM policy for each mailbox server. The message age threshold for HSM is set globally on the HSM tab or for individual servers from the Server, Volume tab. The default is 30 days. The thresholds configured on individual servers override the threshold configured as the global setting.

Sessions to move messages to the secondary volume are scheduled in your cron table. From the administration console, when you select a server, you can manually start a session, monitor sessions, and abort sessions that are in progress from the Volumes tab.

Managing User Accounts

Managing accounts in the Zimbra system allows you to create accounts and change features easily from the administration console or by using the zmprov command-line tool described in Appendix A.

From the administration console you can manage user accounts as follows:

Quickly create new accounts with the New Account Wizard
Find a specific account using the Search feature
Change account information
Add or delete an account to multiple distribution lists at one time, and view which lists the account is on
Create, change, and move alias addresses
Change password for a selected account
View an account’s mailbox
Change an account’s status
Restore a mailbox
Reindex a mailbox
Delete an account

See Managing End-User Mailbox Features for descriptions of the mailbox features that can be configured.

You can move a mailbox using the CLI zmmailboxmove command.

Using Search

Search is used to quickly locate individual accounts, aliases, distribution lists, and resources on the LDAP server. Search by display name, first name, last name, the first part of the email address, alias, or delivery address. If you do not know the complete name, you can enter a partial name. Partial names can result in a list that has the partial name string anywhere in the information.

You can also use the Zimbra mailbox ID number to search for an account. To return a search from a mailbox ID, the complete ID string must be entered in the search.

Adding user accounts

If you are using the administration console, the New Account Wizard steps you through the account information to be completed. Before you add a user account, you should determine what features and access privileges should be assigned. You configure the following types of information:

General information, including account name, class of service to be assigned, password
Contact information, including phone number, company name and address
Aliases to be used
Forwarding directions
Features and preferences available for this specific account. Changes made at the account level override the rules in the COS assigned to the account.

Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the end-user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.

Batch Provisioning from the CLI Utility

For provisioning many accounts at once, you create a formatted text file with the user names. This file runs through a script, using the CLI command, zmprov. The zmprov utility provisions one account at a time.

Create a text file with the list of the accounts you want to add. Each account should be typed in the format of ca (Create Account), email address, empty password. For example, ca name@company.com ''

Note: In this example, the empty single quote indicates that there is no local password.

When the text file includes all the names to provision, log on to the Zimbra server and type the CLI command

zmprov < accounts.txt

Each of the names listed in the text file will be provisioned.

See Appendix A for more zmprov commands.
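
The batch file from this section, generated with a check in front of it (an added example, not part of the Zimbra documentation): zmprov runs every line of accounts.txt as a command, so a `ca` line is emitted only for input that is a single plain address. The function names is_safe_address and build_zmprov_batch, the allowed character set, and the sample addresses are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling. Builds the lines for accounts.txt
# from a list of addresses, refusing any line that is more than one address.

# is_safe_address ADDR: succeed only for one plain user@domain token.
is_safe_address() {
    case $1 in
        *[!A-Za-z0-9._+@-]*) return 1 ;;  # whitespace, quotes, control characters
        *@*@*)               return 1 ;;  # more than one @
        -*|@*|*@)            return 1 ;;  # leading dash, empty local part or domain
        *@.*|*@-*|*.|*..*)   return 1 ;;  # malformed domain labels
        *@*.*)               return 0 ;;  # one @ followed by a dotted domain
        *)                   return 1 ;;
    esac
}

# build_zmprov_batch: read one address per line on stdin and write one
# "ca <address> ''" line per accepted address on stdout. Blank lines and
# "#" comments are skipped, repeated addresses are written once.
# Exit status is 1 if any line was rejected. Runs in a subshell so its
# variables do not leak into the caller.
build_zmprov_batch() (
    LC_ALL=C; export LC_ALL           # byte-wise A-Z, a-z and 0-9 ranges
    cr=$(printf '\r')
    nl='
'
    seen=$nl; n=0; rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line%"$cr"}            # tolerate CRLF line endings
        case $line in ''|'#'*) continue ;; esac
        if ! is_safe_address "$line"; then
            # Report the line number only; the text may hold control characters.
            echo "line $n: rejected, not a single plain address" >&2
            rc=1
            continue
        fi
        case $seen in
            *"$nl$line$nl"*)
                echo "line $n: duplicate address skipped" >&2
                continue ;;
        esac
        seen=$seen$line$nl
        printf "ca %s ''\n" "$line"   # empty password, as in the text above
    done
    exit "$rc"
)

# Constructed sample list (illustrative addresses, not real accounts).
SAMPLE_LIST="alice@company.com
# contractors
bob@company.com
bob@company.com
carol@company.com '' extra tokens
dave@company"

# Prints the accepted lines; redirect stdout to accounts.txt once the
# list is clean, then run: zmprov < accounts.txt
printf '%s\n' "$SAMPLE_LIST" | build_zmprov_batch ||
    echo "review the rejected lines before provisioning" >&2
```
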

Manage Aliases

An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.

When you select Aliases from the Manage Addresses Overview pane, all aliases that are configured are displayed in the content pane. From Aliases you can quickly view the account information for a specific alias, move the alias from one account to another, and delete the alias.

Class of Service

Class of Service (COS) determines what default attributes a Zimbra Web Client email account has and which features are enabled or denied. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts.

A default COS is automatically created during the installation of Zimbra Collaboration Suite. You can modify the default COS to set the attributes to your email restrictions, and you can create new COS’s to assign to accounts. A COS is global and is not restricted to a particular domain or set of domains.

Each account is assigned one COS. When an account is created, if the COS is not explicitly set, the default COS is assigned. If the COS assigned to the user no longer exists, the account is automatically assigned the default COS.

Assigning a COS to an account quickly configures account features and restrictions. Some of the COS settings can be overridden either by global settings or by user settings. For example:

Whether outgoing messages are saved to Sent can be changed in the user Options.
Attachment blocking set as a global setting can override the COS setting.

Note: COS settings assigned to an account are not enforced for IMAP clients.

See the Administration Console Help for a complete description of the fields in a class of service.

Distributing Accounts Across Servers

In an environment with multiple mailbox servers, the class of service is used to assign a new account to a mailbox server. The COS server pool tab lists the mailbox servers in your Zimbra environment. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.

Note: You can assign an account to a particular mailbox server when you create an account in the New Account Wizard, Mail Server field. Uncheck auto and enter the mailbox server in the Mail Server field.

Changing Password

Password restrictions can be set either at the COS level or at the account level. You can configure the following password rules:

Password length. The default is minimum 6, maximum 64. The password is case sensitive.
When passwords expire. The Zimbra default is to never expire the password.
How frequently a password can be reused. The default password history allows the password to be reused.
Password locked. Password cannot be changed.

View an Account’s Mailbox

View Mail in Accounts lets you view the selected account’s mailbox content, including all folders, calendar entries, and tags. This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account.

Any View Mail action to access an account is logged to the audit.log file.

Changing an Account’s Status

Account status determines whether a user can log in and receive mail. The account status is displayed when account names are listed on the Accounts content pane.

The following account statuses can be set:

Active. Active is the normal status for a mailbox account. Mail is delivered and users can log into the client interface.
Maintenance. When a mailbox status is set to maintenance, login is disabled, and mail addressed to the account is queued at the MTA. An account can be set to maintenance mode for backing up, importing or restoring the mailbox.
Locked. When a mailbox status is locked, the user cannot log in, but mail is still delivered to the account. The locked status can be set, if you suspect that a mail account has been hacked or is being used in an unauthorized manner.
Closed. When a mailbox status is closed, the login is disabled, and messages are bounced. This status is used to soft-delete an account before deleting it from the server.

Enforcing Mailbox and Contact Quotas

You can specify mailbox quotas and the number of contacts allowed for each account through the Zimbra administration console. These limits can be set in the Class of Service or on a per-account basis on the Advanced page.

Account quota is the amount of space in megabytes that an account can use. The quota includes email messages and Calendar meeting information. When the quota is reached, all email messages are rejected and users cannot add to their Calendars. You can view mailbox quotas from the administration console, Monitoring, Server Statistics.

The address book size limit field sets the maximum number of contacts a user can have across all of their address books. When the number is reached, users cannot add new contacts.

Moving a Mailbox

Mailboxes can be moved between Zimbra servers that share the same LDAP server. You can move a mailbox from one server to another without taking down the servers. The migration tool, zmmailboxmove, is provided through a command-line interface as described in Appendix A.

The migration tool does the following:

Puts the mailbox into maintenance mode. In this mode, incoming and outgoing messages are queued but not delivered or sent, and the user will be temporarily unable to access the mailbox
Packs up the mailbox’s Message Store directory and Index directory on the source server
Marks all rows associated with the mailbox in the Data Store on the source server
Creates the new entries and directories on the target server
Updates the routing information for mail delivery
Puts the mailbox back into the active mode

After the mailbox is moved to a new server, a copy still remains on the older server, but the status of old mailbox is closed. Users cannot log on and mail is not delivered. You should check to see that all the mailbox contents were moved successfully before purging the old mailbox.

Managing Distribution Lists

A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed. Only administrators can create, change, or delete distribution lists.

When a Zimbra user’s email address is added to a distribution list, the Member Of tab of the user’s account is updated. When a distribution list is deleted or the user is removed, the distribution list is automatically removed from the Member Of tab.

The Hide in GAL check box can be enabled to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.

Using Distribution Lists for Group Sharing

Distribution lists can be created as group lists so that users can quickly share their contact lists, calendars, and Zimbra documents with everyone on the list. Everyone has the same share privileges that the user defines. When new members are added to the group distribution list, they are automatically granted the same shared privileges as other members of the group. When members are removed from the group distribution list, their share privileges are revoked.

If you create a distribution list for sharing and do not want the distribution list to receive mail, you can disable the Can receive mail checkbox.

Managing Resources

A resource is a location or piece of equipment that can be scheduled for a meeting. The resource has its own mailbox address and accepts or rejects invitations automatically. Accounts with the Calendar feature can select resources for their meetings.

You create resources and manage their use from the administration console. A Resource Wizard guides you through the resource configuration, including designating the type of resource, the scheduling policy, the location, and a description.

To schedule a resource or location, users invite the equipment and/or location to a meeting. When they select the resource, they can view the notes about the resource and view free/busy status for the resource, if set up. When the meeting invite is sent, an email is sent to the resource account, and if the resource is free, the meeting is automatically entered in the resource’s calendar.