Managing ZCS Configuration

From Zimbra :: Wiki

Revision as of 22:02, 2 May 2006 by CAH (Talk | contribs)

Jump to: navigation, search

This chapter describes the following functions used to manage the Zimbra Collaboration Suite. Features can be managed from either the administration console or from the CLI utility.

Global configuration
Domains
Servers
User Accounts
Resource Accounts

Help is available from the administration console about how to perform tasks from the administration console. If the task is only available from the CLI, see Appendix A for a description of how to use the CLI utility.

Global Settings control default global rules that apply to accounts in the Zimbra servers. These are set during installation. The settings can be modified from the administration console.

Global settings include the following tabs:

General
Attachments
MTA
Pop
IMAP
Anti-Spam
Anti-Virus
HSM

Note: Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the COS or Account set up, they override the global settings.

General Tab

In the General tab configure the Most results returned by GAL search field, which sets a global ceiling for the number of GAL results returned from a user search. The default is 100 results per search.

Attachments Tab

The Attachments tab can be configured with global rules to reject mail with files attached, to convert attachments to HTML for viewing, and to disable viewing files attached to mail messages in users’ mailboxes. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.

If Disable attachment viewing from web mail UI is enabled, users cannot view any attachments in their mailbox. You can set this global setting to prevent a virus outbreak if you think that mail has already been sent.

(Network Edition only) If Convert attachments to HTML for viewing is enabled, users can view attachments as HTML, as well as in the original format if available on their computer.

Reject messages with attachment extension lets you select which file types are unauthorized for all accounts. The most common extensions are listed. You can also add different extension types to the list. Messages with those type of files attached are rejected and the sender gets a bounce notice. The recipient does not get the mail message and is not notified.

Note: Zimbra also supports the following types of attachment blocking:

Class of Service, to disable attachment viewing for members of that COS
Accounts, to disable attachment viewing for individual accounts

MTA Tab

The MTA tab is used to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks. For a description of Zimbra MTA, see Zimbra MTA.

Authentication should be enabled, to support mobile SMTP authentication users so that their email client can talk to the Zimbra MTA.
TLS authentication only forces all SMTP auth to use Transaction Level Security to avoid passing passwords in the clear.
The Relay MTA for external delivery is the relay host name. This is the Zimbra MTA to which Postfix relays non-local email.
If Enable DNS lookups is checked, the Zimbra MTA makes an explicit DNS query for the MX record of the recipient domain. If this option is disabled, set a relay host in the Relay MTA for external delivery.
The Protocol fields are checked to reject unsolicited commercial email (UCE), for SPAM control.
The DNS fields are checked to reject mail, if the client’s IP address is unknown, the hostname in the greeting is unknown and/or if the sender’s domain is unknown.

POP Tab

POP3 (Post Office Protocol) can be enabled to allow users with a POP client to retrieve their mail stored on the Zimbra server and download new mail to their computer after messages are downloaded. The POP configuration determines if messages are deleted from the Zimbra server.

IMAP Tab

The Internet Message Access Protocol (IMAP) can be enabled to allow users with an IMAP client to access their mail stored on the Zimbra mailbox server from more than one computer. Messages are stored on the mailbox server.

Anti-Spam Tab

Anti-spam protection can be enabled for each server when the Zimbra software is installed. The following options are configured:

Kill percent at 75%. Mail that is scored at 75% is considered spam and is not delivered.
Tag percent at 33%. Mail that is scored at 33% is considered spam and is delivered to the Junk folder.
Subject prefix field is blank. The prefix entered in this field is added to the subject line for messages tagged as spam.

When a message is tagged as spam, the message is delivered to the recipient’s Junk folder. Users can view the number of unread messages that are in their Junk folder and can open the Junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when they add or remove messages in the Junk folder, their action helps train the spam filter. See Zimbra MTA “Anti-Spam Protection”.

RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI. See Zimbra MTA “To turn RBL on”.

Anti-Virus Tab

Anti-virus protection is enabled for each server when the Zimbra software is installed. The global settings for the anti-virus protection is configured with these options enabled:

Block encrypted archives, such as password protected zipped files.
Send notification to recipient to alert that a mail message had a virus and was not delivered.

During ZCS installation, the administrator notification address for anti-virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.

By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV. The frequency can be set between 1 and 24 hours.

Note: Updates are obtained via HTTP from the ClamAV website.

HSM

(Network Edition Only)


Hierarchical Storage Management (HSM) can be configured as a secondary storage volume for older messages. To manage your email storage resources, you can implement a different HSM policy for each mailbox server. Messages and attachments are moved from a primary volume to the current secondary volume based on the age of the message. Users are not aware of any change and do not see any noticeable difference when opening an older message that has been moved.

The message age threshold for HSM can be set globally from the HSM tab or for individual servers from the Server, Volume tab.The thresholds configured on individual servers override the threshold configured as the global setting.

Sessions to move messages to the secondary volume can be scheduled in your cron table and you can manually start a session from the administration console, Servers, Volume tab. From the administration console you can manually start a session, monitor sessions, and abort sessions that are in progress.

Managing Domains

One domain is identified during the installation process and additional domains can be easily added to the Zimbra system from the administration console. For domains, you configure the Global Address List mode and the authentication mode.

The administration console can also be used to edit domain information or to remove a domain.

Global Address List (GAL) Mode

The Global Address List (GAL) is your company directory.

GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed. Select one of the following GAL configurations:

Internal. The Zimbra LDAP server is used for directory lookups.
External. External directory servers are used for GAL lookups. You can configure multiple external LDAP hosts for GAL. All other directory services use the Zimbra LDAP service (configuration, mail routing, etc.).
Both. Internal and external directory servers are used for GAL lookups.

A GAL configuration wizard steps you through configuring the GAL mode and to set the maximum number of results returned for a search in GAL.

Authentication Modes

Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in. Zimbra Collaboration Suite offers the following three authentication mechanisms:

Internal. The Internal authentication uses the Zimbra directory server for authentication on the domain. When you select Internal, no other configuration is required.
External LDAP. The user name and password is the authentication information supplied in the bind operation to the directory server. You must configure the LDAP URL, LDAP filter, and wither to use DN password to bind to the external server.
External Active Directory. The user name and password is the authentication information supplied to the Active Directory server. You identify the Active Directory domain name and URL.

On the administration console, you use an authentication wizard to configure the authentication settings on your domain.

Managing Servers

A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.

You can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The Zimbra Installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.

Server settings include the following tabs:

General
Services
MTA
IMAP
POP
Volumes

Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.

General Tab

The General tab includes the server display name, the server hostname, and LMTP information including name and IP address if configured.

Services Tab

The Services tab shows the Zimbra services. A check mark identifies the services that are enabled for the selected server, including LDAP, Mailbox, MTA, SNMP, Logger, Spell, Anti-Virus, and Anti-Spam.

MTA Tab

From the MTA tab, you can enable or disable authentication, configure the Web mail MTA hostname, set Web mail MTA timeout, the relay MTA for external delivery and disable DNS lookup for the server.

IMAP and POP Tabs

From these tabs, you can configure IMAP and POP availability on a per server basis.

Volume Tab

The Volume tab can be used to manage storage volumes on your Zimbra Mailbox server. When Zimbra Collaboration Suite is installed, one index volume and one message volume are configured on each mailbox server. You can add new volumes, set the volume type, and set the compression threshold

Index Volume

Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent index directory on the current index volume. When an account is created, the current index volume is automatically defined for the account. You cannot change which index volume the account is assigned.

As volumes become full, you can create a new current index volume for new accounts. When a new current index volume is added, the older index volume is no longer assigned new accounts.

Index volumes not marked current are still actively in use as the index volumes for accounts assigned to them. Any index volume that is referenced by a mailbox as it's index volume cannot be deleted.

Message Volume

When a new message is delivered or created, the message is saved in the current message volume. Additional message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.

A current volume cannot be deleted. and message volumes that have messages referencing the volume cannot be deleted.

Managing User Accounts

Managing accounts in the Zimbra system allows you to create accounts and change features easily from the administration console or by using the zmprov command-line tool described in Appendix A.

From the administration console you can manage user accounts as follows:

Quickly create new accounts with the New Account Wizard
Find a specific account using the Search feature
Change account information
Create and change alias addresses
Change password for a selected account
View an account’s mailbox
Change an account’s status
Restore a mailbox
Delete an account

See the [../configuring%20mailbox%20features.8.1.html#1019719 Managing Mailbox Features], for descriptions of the mailbox features that can be configured.

Using Search

Search is used to quickly locate individual accounts, aliases, distribution lists, and resources on the LDAP server. Search by display name, first name, last name, the first part of the email address, alias, or delivery address. If you do not know the complete name, you can enter a partial name. Partial names can result in a list that has the partial name string anywhere in the information.

You can also use the Zimbra mailbox ID number to search for an account. To return a search from a mailbox ID, the complete ID string must be entered in the search.

Adding user accounts

If you are using the administration console, the New Account Wizard steps you through the account information to be completed. Before you add an user account, you should determine what features and access privileges should be assigned. You configure the following type of information:

General information, including account name, class of service to be assigned, password
Contact information, including phone number, company name and address
Aliases to be used
Forwarding directions
Features and preferences available for this specific account. Changes made at the account level override the rules in the COS assigned to the account.

Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the end-user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.

Batch Provisioning from the CLI Utility

For provisioning many accounts at once, you create a formatted text file with the user names. This file runs through a script, using the CLI command, zmprov. The zmprov utility provisions one account at a time.

Create a text file with the list of the accounts you want to add. Each account should be typed in the format of ca (Create Account), email address, empty password. For example, ca name@company.com ‘’

Note: In this example, the empty single quote indicates that there is no local password.

When the text file includes all the names to provision, log on to the Zimbra server and type the CLI command

zmprov <accounts.txt

Each of the names listed in the text file will be provisioned.

See the CLI commands for additional syntax definitions.

Manage Aliases

Manage and view all created aliases from the Aliases content pane. You can see to which account an alias is configured. From the Alias toolbar, you can move an alias from one account to another.

Distribution Lists

A distribution list is a group of email addresses contained in a list with a common email address. Distribution lists can be added, changed and deleted from the administration console.

Class of Service

Class of Service (COS) is a Zimbra-specific object that determines what default attributes a Zimbra Web Client email account has and what features are added or denied. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts.

A default COS is automatically created during the installation of Zimbra software. You can modify the default COS to set the attributes to your email restrictions, and you can create new COSs to assign to accounts.

Each account is assigned one class of service. When an account is created, if the COS is not explicitly set, the default COS is assigned. Also, if the COS assigned to the user no longer exists, the account is automatically assigned the default COS.

Note: COS settings assigned to an account are not enforced for IMAP clients.

A COS is global and is not restricted to a particular domain or set of domains.

Assigning a COS to an account quickly configures account features and restrictions. Some of the COS settings can be overridden either by global settings or by user settings. For example:

Whether outgoing messages are saved to Sent can be changed in the user Options.
Attachment blocking set as a global setting can override the COS setting.
See the Administration Console Help for a complete description of the fields in a class of service object.

Distributing Accounts Across Servers

In an environment with multiple mailbox servers, the class of service is used to assign a new account to a mailbox server. The COS server pool tab lists the mailbox servers in your Zimbra environment. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.

Note: You can assign an account to a particular server when you create an account in the New Account Wizard, Mail Server field.

Changing Password

Password restrictions can be set either at the COS level or at the account level. You can configure the following password rules:

Password length. The default is minimum 6, maximum 64. The password is case sensitive.
When passwords expire. The Zimbra default is to never expire the password.
How frequently a password can be reused. The default password history allows the password to be reused.
Password locked. Password cannot be changed.

View an Account’s Mailbox

View Mail in Accounts lets you view the selected account’s mailbox content, including all folders, calendar entries, and tags. This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account.

Any View Mail action to access an account is logged to the audit.log file.

Changing an Account’s Status

Account status determines whether a user can log in and receive mail. The account status is displayed when account names are listed on the Accounts content pane.

The following account statuses can be set:

Active. Active is the normal status for a mailbox account. Mail is delivered and users can log into the client interface.
Maintenance. When a mailbox status is set to maintenance, login is disabled, and mail addressed to the account is queued at the MTA. An account can be set to maintenance mode for backing up, importing or restoring the mailbox.
Locked. When a mailbox status is locked, the user cannot log in, but mail is still delivered to the account. The locked status can be set, if you suspect that a mail account has been hacked or is being used in an unauthorized manner.
Closed. When a mailbox status is closed, the login is disabled, and messages are bounced. This status is used to soft-delete an account before deleting it from the server.

Enforcing Mailbox and Contact Quotas

You can specify mailbox quotas and the number of contacts allowed for each account through the Zimbra administration console. These limits can be set in the Class of Service or on a per-account basis on the Advanced page.

Account quota is the amount of space in megabytes that an account can use. The quota includes email messages and calendar meetings. When the quota is reached, all email messages are rejected. You can view mailbox quotas from the administration console, Monitoring, Server Statistics.

The address book size limit field sets the maximum number of contacts a user can have in their personal contacts list.

Moving a Mailbox

(Network Edition only)

You can move a mailbox from one server to another without taking down the servers. The migration tool, zmmailboxmove, is provided through a command-line interface as described in Appendix A.

The migration tool does the following:

Puts the mailbox into maintenance mode. In this mode, incoming and outgoing messages are queued but not delivered or sent, and the user will be temporarily unable to access the mailbox
Packs up the mailbox’s Message Store directory and Index directory on the source server
Marks all rows associated with the mailbox in the Data Store on the source server
Creates the new entries and directories on the target server
Updates the routing information for mail delivery
Puts the mailbox back into the active mode

Managing Resources

A resource is a location or piece of equipment that can be scheduled for a meeting. The resource has its own mailbox address and accepts or rejects invitations automatically. Accounts with the Calendar feature can select resources for their meetings.

You create resources and manage their use from the administration console. A Resource Wizard guides you through the resource configuration, including designating the type of resource, the scheduling policy, the location, and a description.

To schedule a resource or location, users invite the equipment and/or location to a meeting. When they select the resource, they can view the notes about the resource and view free/busy status for the resource, if set up. When the meeting invite is sent, an email is sent to the resource account, and if the resource is free, the meeting is automatically entered in the resource’s calendar.

Personal tools