https://wiki.zimbra.com/api.php?action=feedcontributions&user=Baylink&feedformat=atomZimbra :: Tech Center - User contributions [en]2024-03-28T20:22:01ZUser contributionsMediaWiki 1.39.0https://wiki.zimbra.com/index.php?title=Mail_Queue_Monitoring&diff=37327Mail Queue Monitoring2012-01-06T16:02:34Z<p>Baylink: /* Disable SELinux */</p>
<hr />
<div>== Mail Queue Overview ==<br />
<br />
Incoming and outgoing mail is processed by postfix in a series of queues; normally, mail moves from the ''incoming'' queue to the ''active'' queue, from which it is delivered. If delivery is deferred, mail is moved to the ''deferred'' queue, and automatically reprocessed later.<br />
<br />
Additionally, mail can be put in the ''hold'' queue, which will prevent it from being delivered until it is manually removed from the ''hold'' queue.<br />
<br />
== Monitoring Queues ==<br />
<br />
Queues can be monitored from within the admin console; select ''Manage Mail Queues'' from the left sidebar and your queue information will be shown.<br />
<br />
== Troubleshooting Queue Monitoring ==<br />
<br />
=== Common Errors ===<br />
<br />
The most common problem is authentication to the MTA server: the mailbox server connects to it over ssh as the zimbra user (the RemoteManager session to port 22 in the trace below). This shows in the mailbox.log logfile as:<br />
<br />
<pre><br />
Message: system failure: exception during auth {RemoteManager: MAIL.DOMAIN.COM->zimbra@MAIL.DOMAIN.COM:22}<br />
com.zimbra.cs.service.ServiceException: system failure: exception during auth {RemoteManager: <br />
MAIL.DOMAIN.COM->zimbra@MAIL.DOMAIN.COM:22}<br />
at com.zimbra.cs.service.ServiceException.FAILURE(ServiceException.java:174)<br />
at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:197)<br />
at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:134) <br />
</pre><br />
<br />
etc...<br />
<br />
Regenerating keys may very well fix this; however, one other place to look is your ''/var/log/secure'' file. If you see something similar to:<br />
<pre><br />
sshd[16312]: Authentication refused: bad ownership or modes for directory /opt/zimbra<br />
</pre><br />
<br />
It's possible you only need to fix your ownership and permissions.<br />
<br />
<pre><br />
su - zimbra<br />
zmcontrol stop<br />
exit<br />
</pre><br />
<br />
Now log in as root (zmfixperms must be run as root), run zmfixperms, and start Zimbra back up:<br />
<pre><br />
/opt/zimbra/libexec/zmfixperms <br />
su - zimbra<br />
zmcontrol start<br />
</pre><br />
<br />
If this doesn't fix the errors, you'll probably need to regenerate your keys.<br />
<br />
=== Regenerating Keys ===<br />
<br />
To regenerate the ssh keys, on all hosts (as the zimbra user):<br />
<pre><br />
zmsshkeygen<br />
</pre><br />
<br />
To deploy the keys, on all hosts (as the zimbra user):<br />
<pre><br />
zmupdateauthkeys<br />
</pre><br />
<br />
=== Verifying sshd configuration ===<br />
<br />
The authentication method assumes that sshd on the MTA is listening on port 22 and that public-key (RSA) authentication is enabled. You can test the ssh command (as the zimbra user, from the mailbox server) with:<br />
<br />
<pre><br />
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
</pre><br />
<br />
(Swap MAIL.DOMAIN.COM for your hostname, as it appears in the error).<br />
<br />
You should NOT be prompted for a password; if you are, recreate the ssh keys and retry the test.<br />
<br />
If you're not running sshd on port 22, modify the zimbraRemoteManagementPort attribute on the server:<br />
<pre><br />
zmprov ms MAIL.DOMAIN.COM zimbraRemoteManagementPort 2222<br />
</pre><br />
<br />
Verify in /etc/sshd_config (or /etc/ssh/sshd_config) that, if an AllowUsers directive is present, the zimbra user is included in it:<br />
<pre><br />
AllowUsers admin zimbra<br />
</pre><br />
<br />
Note: applying this change resulted in not being able to ssh as root. AllowUsers restricts logins to exactly the accounts listed, so any other account you need to log in with over ssh has to be added to the list as well.<br />
<br />
=== /etc/hosts.allow ===<br />
The Zimbra hostname may differ from the system hostname. Add the Zimbra hostname to ''/etc/hosts.allow'' (the TCP wrappers access list):<br />
<pre><br />
ALL: zimbra.domain.tld<br />
</pre><br />
<br />
=== Zimbra account has been disabled ===<br />
If the above steps do not work, enable verbose output for ssh with:<br />
<pre><br />
ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
</pre><br />
<br />
If the output from ssh shows the client offering the key and then falling through to ''Next authentication method: password'', as below, then the Zimbra account may be locked.<br />
<br />
<pre><br />
debug1: Next authentication method: publickey<br />
debug1: Offering public key: /opt/zimbra/.ssh/zimbra_identity<br />
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive<br />
debug1: Next authentication method: keyboard-interactive<br />
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive<br />
debug1: Next authentication method: password<br />
zimbra@MAIL.DOMAIN.COM's password:<br />
</pre><br />
<br />
To verify this, check /etc/shadow as root and locate the zimbra account. If the password field (the second colon-separated field) begins with one or more ! characters, the account is locked:<br />
<pre><br />
zimbra:!!:13634:0:99999:7:::<br />
</pre><br />
<br />
Use this command to unlock the zimbra account (or edit the shadow file directly and remove the ! characters):<br />
<pre><br />
usermod -U zimbra<br />
</pre><br />
<br />
Then check /etc/shadow again; there should be no ! in the zimbra account's password field. You may need to run the command more than once to remove every ! and unlock the account.<br />
<br />
Once the account is unlocked, this command should work (it did for us!):<br />
<pre><br />
ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@MAIL.DOMAIN.COM<br />
</pre><br />
<br />
=== SSH doesn't allow Public Key Authentication ===<br />
<br />
Edit /etc/ssh/sshd_config (or whichever sshd config file your system uses) and look for the following line:<br />
<pre><br />
PubkeyAuthentication no<br />
</pre><br />
<br />
This must be set to yes (which is also sshd's default when the line is absent). Restart the SSH daemon and try again.<br />
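The checks from the sections above (the ssh test under ''Verifying sshd configuration'', the /etc/shadow lock check under ''Zimbra account has been disabled'', and the PubkeyAuthentication and AllowUsers settings) can be scripted so they are run the same way every time. The script below is an added example and is not part of this wiki page or of Zimbra's own tooling: the sshd_config and shadow lines it parses are constructed samples, and the live ssh test is only defined, not executed, so the script runs offline.<br />

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: offline checks for the conditions
# discussed above (account lock in /etc/shadow, PubkeyAuthentication and
# AllowUsers in sshd_config) plus a non-interactive form of the page's ssh test.

# Is the account locked? A locked /etc/shadow entry has a password field
# (second colon-separated field) beginning with '!'.
# $1: one /etc/shadow line. Returns 0 (true) when locked.
shadow_is_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Does sshd allow public-key authentication? sshd honours the first
# occurrence of a keyword, and the default when it is absent is "yes".
# Match blocks are not handled; only the global section is checked.
# $1: sshd_config text. Returns 0 when pubkey auth is enabled.
sshd_pubkey_enabled() {
    val=$(printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*PubkeyAuthentication[[:space:]]' \
        | head -n 1 | awk '{ print tolower($2) }' || true)
    if [ -z "$val" ]; then
        val=yes
    fi
    [ "$val" = yes ]
}

# Is a user permitted by AllowUsers? Without an AllowUsers line every user
# may log in; with one, only the listed names may. Plain names only:
# user@host and wildcard patterns are not evaluated here.
# $1: sshd_config text, $2: user name. Returns 0 when allowed.
sshd_allows_user() {
    lines=$(printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*AllowUsers[[:space:]]' || true)
    if [ -z "$lines" ]; then
        return 0
    fi
    printf '%s\n' "$lines" | awk -v u="$2" '
        { for (i = 2; i <= NF; i++) if ($i == u) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# The page's ssh test made non-interactive: BatchMode=yes makes ssh fail
# instead of prompting for a password, so a non-zero exit means key
# authentication did not work. Defined only; run it on a real host as the
# zimbra user. $1: identity file, $2: user@host, $3: port (default 22).
ssh_key_auth_works() {
    ssh -i "$1" -p "${3:-22}" -o BatchMode=yes \
        -o StrictHostKeyChecking=no "$2" true
}

# Constructed sample inputs, not taken from a real server.
SAMPLE_SHADOW_LOCKED='zimbra:!!:13634:0:99999:7:::'
SAMPLE_SHADOW_OK='zimbra:$6$saltsalt$hashhash:13634:0:99999:7:::'
SAMPLE_SSHD_BAD='Port 22
PubkeyAuthentication no
AllowUsers admin'
SAMPLE_SSHD_GOOD='Port 22
PubkeyAuthentication yes
AllowUsers admin zimbra'

# Report on the samples when the script is run directly.
report() {
    shadow_is_locked "$SAMPLE_SHADOW_LOCKED" && echo "locked sample: account is locked"
    shadow_is_locked "$SAMPLE_SHADOW_OK" || echo "ok sample: account is not locked"
    sshd_pubkey_enabled "$SAMPLE_SSHD_BAD" || echo "bad config: PubkeyAuthentication is off"
    sshd_allows_user "$SAMPLE_SSHD_BAD" zimbra || echo "bad config: zimbra missing from AllowUsers"
    sshd_pubkey_enabled "$SAMPLE_SSHD_GOOD" && sshd_allows_user "$SAMPLE_SSHD_GOOD" zimbra \
        && echo "good config: pubkey on, zimbra allowed"
}
report
```

To use it against a real host, feed the functions the actual file contents (for example sshd_pubkey_enabled "$(cat /etc/ssh/sshd_config)") and call ssh_key_auth_works /opt/zimbra/.ssh/zimbra_identity zimbra@MAIL.DOMAIN.COM with the port from zimbraRemoteManagementPort; BatchMode=yes is what keeps the test from hanging on a password prompt when run from cron or a monitoring job.<br />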
<br />
=== Disable SELinux ===<br />
Edit /etc/selinux/config:<br />
<pre><br />
# This file controls the state of SELinux on the system.<br />
# SELINUX= can take one of these three values:<br />
# enforcing - SELinux security policy is enforced.<br />
# permissive - SELinux prints warnings instead of enforcing.<br />
# disabled - No SELinux policy is loaded.<br />
SELINUX=disabled<br />
# SELINUXTYPE= can take one of these two values:<br />
# targeted - Only targeted network daemons are protected.<br />
# strict - Full SELinux protection.<br />
SELINUXTYPE=targeted<br />
</pre><br />
<br />
...and then reboot the system. Setting SELINUX=permissive first is a useful check: sshd then behaves as it would with SELinux disabled, while every denial is still logged to /var/log/audit/audit.log, so you can confirm that SELinux was actually what blocked the key login before turning it off for good.<br />
For '''other Linux distributions''' which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add '''selinux=0''' at the end.<br />
<br />
=== SSH bruteforce blockers ===<br />
<br />
Note also that if you run a daemon of any sort to block SSH brute-force attacks, the repeated SSH failures from any of the problems above will probably have tripped it, in whatever fashion it blocks, and you'll have to reset it: in /etc/hosts.allow (or /etc/hosts.deny), or wherever else it may block. fail2ban can probably cause this as well.<br />
<br />
[[Category:Pending Certification]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Mail_Queue_Monitoring&diff=37326Mail Queue Monitoring2012-01-06T16:00:45Z<p>Baylink: /* = Yet another cause, SSH doesn't allow Public Key Authentication */</p>
<hr />
Baylinkhttps://wiki.zimbra.com/index.php?title=Mail_Queue_Monitoring&diff=37325Mail Queue Monitoring2012-01-06T16:00:29Z<p>Baylink: /* Another cause, Zimbra account has been disabled */</p>
<hr />
Baylinkhttps://wiki.zimbra.com/index.php?title=Ajcody-Notes-SSLCerts&diff=19590Ajcody-Notes-SSLCerts2010-04-27T16:05:33Z<p>Baylink: /* Recreating Self-Signed SSL Certificates */</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
==SSL Certificate Issues==<br />
<br />
===Actual SSL Certificate Issues Homepage===<br />
<br />
Please see [[Ajcody-Notes-SSLCerts]]<br />
<br />
===Resources For SSL Certificates===<br />
<br />
* General<br />
** [[5.x_Commercial_Certificates_Guide]]<br />
** [[Commercial_Certificate_in_5.x]]<br />
** [[4.x_Commercial_Certificates_Guide]]<br />
** [[Administration_Console_and_CLI_Certificate_Tools]]<br />
* Trouble Shooting<br />
** [[Cannot_install_a_Commercial_Certificate_in_Zimbra_5.0]] <br />
** [[Private_key_and_certificate_mismatch]]<br />
** [[4.5.x_to_5.0.x_Certificate_Upgrade_Issues]]<br />
** [[Failed_to_create_jetty.pkcs12]]<br />
** [[LDAP/Nginx_won%27t_start_and_asks_for_a_password]]<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure]]<br />
** [[Unable_to_get_issuer_certificate]]<br />
* Specific Cert Wiki Pages:<br />
** [[Installing_a_GoDaddy_Commercial_Certificate]]<br />
** [[Installing_a_GeoTrust_Commercial_Certificate]]<br />
** [[Installing_a_Network_Solutions_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Comodo_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Thawte_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Verisign_Test_Certificate]]<br />
<br />
===Bug & RFE's Related To SSL===<br />
<br />
====Multiple SSL Certificates Aren't Supported On One Server====<br />
<br />
* "multiple SSL certificates on one server"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=8128<br />
*** A lot of the comment details are private, unfortunately.<br />
<br />
The -subjectAltNames option is the way to do this; if your certificate provider doesn't support subject alternative names, you should look for another provider that does.<br />
<br />
===Recreating Self-Signed SSL Certificates===<br />
<br />
Other references:<br />
* I believe this wiki page has the best instructions. Sorry for the confusion about the state of the wiki pages on ssl certs. We are attempting to get them cleaned up.<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure#For_Multi-Server:_Run_this_on_all_other_systems_in_the_multi-server_setup]]<br />
*** [[Zmcertinstall#Single-Node_Self-Signed_Certificate]]<br />
**** Has "Multi-Node Self-Signed Certificate" instructions as well.<br />
*** [[Recreating_a_Self-Signed_SSL_Certificate]]<br />
<br />
Steps I've used for a single ZCS 6 server that WAS NOT using commercial certificates. Also, this is for '''recreating''' self-signed certificates and not changing them. This documentation was done specifically for the issue when the self-signed certificates expired and caused upgrade issues. <br />
<br />
* Have Zimbra running (LDAP at least; this still needs to be double-checked).<br />
* Run as root.<br />
* Prep work:<br />
<pre><br />
mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old<br />
</pre><br />
** I had used the following, but think the step above is *better*:<br />
<pre><br />
mv /opt/zimbra/ssl /root/ssl_old<br />
mkdir /opt/zimbra/ssl<br />
chown zimbra:zimbra /opt/zimbra/ssl<br />
</pre><br />
* Creating new certs:<br />
<pre><br />
/opt/zimbra/bin/zmcertmgr createca -new<br />
/opt/zimbra/bin/zmcertmgr deployca -localonly<br />
/opt/zimbra/bin/zmcertmgr createcrt self -new<br />
/opt/zimbra/bin/zmcertmgr verifycrt self<br />
/opt/zimbra/bin/zmcertmgr deploycrt self<br />
</pre><br />
** Others have just used /opt/zimbra/bin/zmcertmgr deployca (without -localonly) and /opt/zimbra/bin/zmcertmgr createcrt -new (without self) for the second and third commands.<br />
* Run as zimbra:<br />
<pre><br />
zmcontrol stop<br />
zmcontrol start<br />
</pre><br />
<br />
=== Contrib from Baylink ===<br />
<br />
(Here's an actual script you can copy to a file and run, by [[User:Baylink|Baylink]] 16:08, 25 March 2010 (UTC))<br />
<br />
<pre><br />
echo "Backing up old certs..."<br />
mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.newcert-`timestamp`<br />
<br />
echo "Creating new CA..."<br />
/opt/zimbra/bin/zmcertmgr createca -new<br />
<br />
echo "Deploying new CA..."<br />
/opt/zimbra/bin/zmcertmgr deployca -localonly<br />
<br />
# added 12 Apr 2010 per tonyp@zimbra.com<br />
echo "Creating new CSR..."<br />
/opt/zimbra/bin/zmcertmgr createcsr self -new -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=server.company.com" -subjectAltNames "server.company.com,altname.company.com,othername.company.com"<br />
<br />
echo "Creating new cert..."<br />
/opt/zimbra/bin/zmcertmgr createcrt -new -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=server.company.com" -subjectAltNames "server.company.com,altname.company.com,othername.company.com"<br />
<br />
echo "Verifying new cert..."<br />
/opt/zimbra/bin/zmcertmgr verifycrt self<br />
<br />
echo "Deploying new cert..."<br />
/opt/zimbra/bin/zmcertmgr deploycrt self<br />
<br />
echo "Restarting Zimbra server"<br />
su - zimbra -c 'zmcontrol stop; zmcontrol start'<br />
</pre><br />
<br />
Note that if you're running Exchange ActiveSync with iPhones, the '''iPhones''' require that the "server.company.com" name (the primary name) must<br />
<br />
* be the primary name on the SSL cert (I've tested this) and<br />
* resolve to the same IP both inside and outside your firewall which<br />
** requires a firewall that can do "hairpin" inbound-NAT<br />
<br />
So, if your mailbox server has a "real" name, then that, and any "role" name you use for ZWC user access must be secondary names, and the Active Sync name (I chose "async") must be primary.<br />
<br />
That script calls my 'timestamp' script, which is just:<br />
<br />
<pre><br />
date +%Y%m%d-%H%M%S<br />
</pre><br />
<br />
(end contrib)<br />
<br />
===Ldap And-Or MTA Doesn't Start After Cert Changes Or Upgrade===<br />
<br />
Brief summary of issues:<br />
* ''The ca directory contained extra links to different certificates. This seemed to not bother 5.0.9, but under 5.0.10 postfix has a fit if there are more than 3 files in that directory.''<br />
<br />
Example of LDAP error:<br />
<pre><br />
[zimbra@server-01 ~]$ zmcontrol start<br />
Host server-01.DOMAIN.com<br />
Starting ldap...Done.<br />
FAILED<br />
Failed to start slapd. Attempting debug start to determine error.<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:352<br />
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354<br />
main: TLS init def ctx failed: -1<br />
</pre><br />
<br />
The fix is described in:<br />
<br />
* http://www.zimbra.com/forums/administrators/23104-5-0-10-upgrade-problem.html<br />
<br />
Details as related to MTA/Postfix - [[Error_(MTA):_Unable_to_set_STARTTLS]]<br />
<br />
More details as shared by a customer:<br />
<br />
<pre><br />
I moved the "ca" directory to "ca.BAK" to back it up, made a new ca directory, and then went through the steps detailed in that post.<br />
Once done, zimbra started up without a problem:<br />
<br />
1) Clear all the contents of the /opt/zimbra/conf/ca directory by backing them up<br />
somewhere on disk.<br />
2) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.key to /opt/zimbra/conf/ca/ca.key<br />
3) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.crt to /opt/zimbra/conf/ca/ca.pem<br />
4) Create the hash value<br />
ln -f -s ca.pem /opt/zimbra/conf/ca/`openssl x509 -hash -noout -in /opt/zimbra/conf/ca/ca.pem`.0<br />
5) Chmod 644 /opt/zimbra/conf/ca/*<br />
6) Restart the zmcontrol<br />
<br />
<br />
A sample of what the /opt/zimbra/conf/ca directory looked like:<br />
<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0bb21872.0 -> commercial_ca_26.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0c364b2d.0 -> commercial_ca_14.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0e82f83a.0 -> commercial_ca_36.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 11f154d6.0 -> commercial_ca_49.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 128b9c8d.0 -> commercial_ca_9.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 1a147d5b.0 -> commercial_ca_5.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1bb6c7e0.0 -> commercial_ca_24.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1c647a6d.0 -> commercial_ca_21.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 256fd83b.0 -> commercial_ca_33.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 25f0cbee.0 -> commercial_ca_23.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 2d047263.0 -> commercial_ca_28.pem<br />
<br />
There were many more of the above entries, all of which pointed to .pem files that didn't exist.<br />
<br />
There was also:<br />
lrwxrwxrwx 1 root root 6 Apr 13 11:43 555ebb99.0 -> ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 9 20:29 8e6e2991.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 13 11:43 c33a80d4.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 c527e4ab.0 -> commercial_ca_57.pem<br />
-rw-r--r-- 1 root root 887 Apr 13 11:43 ca.key<br />
-rw-r--r-- 1 root root 989 Apr 13 11:43 ca.pem<br />
-rw-r--r-- 1 root root 1155 Apr 13 11:43 commercial_ca_1.pem<br />
-rw-r--r-- 1 root root 1156 Apr 13 11:43 commercial_ca.pem<br />
<br />
zmcertmgr output:<br />
<br />
./zmcertmgr deploycrt comm /opt/zimbra/certs/server-01.DOMAIN.com.crt /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt<br />
** Verifying /opt/zimbra/certs/server-01.DOMAIN.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/opt/zimbra/certs/server-01.DOMAIN.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /opt/zimbra/certs/server-01.DOMAIN.com.crt: OK<br />
** Copying /opt/zimbra/certs/server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Appending ca chain /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Saving server config key zimbraSSLCertificate...done.<br />
** Saving server config key zimbraSSLPrivateKey...done.<br />
** Installing mta certificate and key...done.<br />
** Installing slapd certificate and key...done.<br />
** Installing proxy certificate and key...done.<br />
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.<br />
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.<br />
** Installing CA to /opt/zimbra/conf/ca...done.<br />
</pre><br />
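The customer's listing above shows the failure mode: dozens of <hash>.0 links pointing at commercial_ca_NN.pem files that no longer exist, next to the one link that was actually needed. The script below is an added example, not Zimbra's zmcertmgr and not from the forum post: it lists dangling hash links in a CA directory, removes them, and rebuilds the hash link for a given certificate with the same openssl x509 -hash command as step 4 above. The directory it demonstrates on is constructed in a temporary location with placeholder file contents; only the hash-link step needs an openssl binary.<br />

```shell
#!/bin/sh
# Added example (not Zimbra's own code): audit an OpenSSL-style CA hash
# directory such as /opt/zimbra/conf/ca and repair the hash link for a cert.

# Print, one per line, the names of symlinks in directory $1 whose target
# does not exist. Those are the entries slapd/postfix choke on.
dangling_links() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue        # only symlinks
        [ -e "$f" ] || basename "$f"   # -e follows the link: false when dangling
    done
}

# Remove every dangling link found in directory $1 (what the fix amounts to).
prune_dangling_links() {
    for name in $(dangling_links "$1"); do
        rm -f "$1/$name"
    done
}

# Create (or refresh) the "<subject-hash>.0" link for certificate $2 in
# directory $1, the same operation as the page's step 4. Prints the link name.
# Requires openssl; returns 1 without touching anything if it is missing.
make_hash_link() {
    command -v openssl >/dev/null 2>&1 || return 1
    hash=$(openssl x509 -hash -noout -in "$2") || return 1
    ln -f -s "$(basename "$2")" "$1/$hash.0"
    printf '%s\n' "$hash.0"
}

# Build a constructed sample directory that reproduces the listing above in
# miniature: one CA file, one valid link to it, two dangling links.
# Prints the directory path.
demo_ca_dir() {
    d=$(mktemp -d)
    # Placeholder certificate contents; not a real CA (constructed sample).
    printf -- '-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n' > "$d/ca.pem"
    ln -s ca.pem "$d/555ebb99.0"
    ln -s commercial_ca_26.pem "$d/0bb21872.0"   # target was deleted
    ln -s commercial_ca_14.pem "$d/0c364b2d.0"   # target was deleted
    printf '%s\n' "$d"
}

# Demonstration on the constructed directory.
dir=$(demo_ca_dir)
echo "dangling links in $dir:"
dangling_links "$dir"
prune_dangling_links "$dir"
echo "after pruning: $(dangling_links "$dir" | wc -l) dangling links remain"
rm -rf "$dir"
```

Run dangling_links /opt/zimbra/conf/ca first and inspect the output before pruning; on a real system the link names and the certificate files are whatever zmcertmgr installed, and make_hash_link "$dir" "$dir/ca.pem" recreates exactly the 555ebb99.0-style link that postfix and slapd look up by subject hash.<br />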
<br />
===Moving Your Certificates To New Or Another Server===<br />
<br />
Please see [[Transfer_SSL_certificates_between_servers]]<br />
<br />
===Commercial Cert Error - Subject Does Not Start With / ===<br />
<br />
As reported by a customer to me:<br />
<br />
''When creating a commercial cert for a server the zmcertmgr will fail if you don't supply a subjectAltName ---- Took me awhile to figure this out since the error isn't correctly describing the problem. It says that "Subject does not start with '/'." Which is incorrect. Subject does start with "/" , it's the subjectAltName that was needed. After I supplied this name, it generated the csr. Here are my commands for your own reference.''<br />
<br />
: I modified the Some* entries below.<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=SomeState/L=SomeCity/O=Some Community College/OU=ITS/CN=zimbra.somecommunitycollege.edu" -subjectAltNames zimbra.somecommunitycollege.edu<br />
<br />
''then I went to thawte and applied for a ssl cert.''<br />
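Before a CSR goes to the certificate provider it is worth confirming that the subject alternative names really are in it, since, as the report above shows, the zmcertmgr error text does not point at the missing SAN. The script below is an added example and not Zimbra's zmcertmgr: it builds an equivalent CSR with plain openssl req (an assumption made so the check runs without a Zimbra install) and then reads the DNS SANs back out of the CSR. The hostnames are constructed placeholders and an openssl binary is required.<br />

```shell
#!/bin/sh
# Added example (not zmcertmgr): create a CSR with DNS subject alternative
# names using plain openssl, then verify the SANs are present before the CSR
# is submitted to the certificate provider. Requires an openssl binary.

# Create key + CSR in directory $1 for common name $2 with comma-separated
# SAN hostnames $3. Uses a req config file so it also works with old OpenSSL.
make_csr_with_sans() {
    # "a,b" -> "DNS:a,DNS:b"
    sans=$(printf '%s' "$3" | awk -F, '{
        for (i = 1; i <= NF; i++) printf "%sDNS:%s", (i > 1 ? "," : ""), $i }')
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
O = Zimbra Collaboration Suite
CN = $2
[ext]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/commercial.key" \
        -out "$1/commercial.csr" -config "$1/req.cnf" >/dev/null 2>&1
}

# Print the DNS SANs in CSR $1, one per line (nothing if the CSR has none).
# The SAN values sit on the line after the "Subject Alternative Name" header
# in openssl's text dump, comma separated.
csr_dns_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 only if every hostname in comma-separated list $2 is a DNS SAN of CSR $1.
csr_has_sans() {
    found=$(csr_dns_sans "$1")
    for h in $(printf '%s' "$2" | tr ',' ' '); do
        printf '%s\n' "$found" | grep -qxF "$h" || return 1
    done
}

# Demonstration with constructed placeholder names.
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    make_csr_with_sans "$d" mail.example.com mail.example.com,webmail.example.com
    echo "SANs in the generated CSR:"
    csr_dns_sans "$d/commercial.csr"
    csr_has_sans "$d/commercial.csr" mail.example.com,webmail.example.com \
        && echo "all expected SANs present"
    rm -rf "$d"
fi
```

csr_dns_sans works just as well on the commercial.csr that zmcertmgr createcsr writes under /opt/zimbra/ssl/zimbra/commercial/, so the check can be run on the real CSR before it is pasted into the provider's form.<br />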
<br />
===How To Setup Certs With CACert.org - Free Certs===<br />
<br />
====CaCert.Org References====<br />
<br />
Free Certs with http://www.cacert.org/ <br />
<br />
====How-To (tested on 5.0.2)====<br />
<br />
Note: the following is included in all steps in case someone is skipping through the instructions.<br />
<br />
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/<br />
<br />
=====Clean up and start fresh=====<br />
<br />
su - root<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.backup.tar.gz *<br />
rm -rf *<br />
<br />
=====Generate new csr=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new<br />
<br />
This uses the defaults. The form below sets the subject explicitly; change the items to match your own organisation and hostname.<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"<br />
<br />
=====Confirm=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
ls -la<br />
<br />
There should be only two files, commercial.csr and commercial.key, and their timestamps should match.<br />
<br />
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr<br />
-----BEGIN CERTIFICATE REQUEST-----<br />
-----END CERTIFICATE REQUEST-----<br />
<br />
=====Sign up for cacert.org use=====<br />
<br />
Goto http://www.cacert.org/<br />
<br />
Sign up - https://www.cacert.org/index.php?id=1<br />
<br />
Verify your email address using the confirmation email.<br />
<br />
Add a domain; CAcert will send a verification email to an "admin" account at that domain. Make sure you can receive mail at that address before you do this.<br />
<br />
=====Get New Server Certificate=====<br />
<br />
Now request a New Server Certificate from your administration page at http://www.cacert.org/<br />
<br />
Paste the entire contents of /opt/zimbra/ssl/zimbra/commercial/commercial.csr into the form.<br />
<br />
It will generate your certificate on the web page.<br />
<br />
Copy the certificate onto the server (paste in the certificate details):<br />
<br />
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
-----BEGIN CERTIFICATE-----<br />
-----END CERTIFICATE-----<br />
<br />
=====Get Root CA's=====<br />
<br />
Root CA certs are found here : https://www.cacert.org/index.php?id=3<br />
<br />
Do the following on the server:<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
wget http://www.cacert.org/certs/root.crt<br />
mv root.crt commercial_ca.crt<br />
<br />
=====Verify=====<br />
<br />
Let's verify all is good.<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt<br />
<br />
Giving something like this:<br />
<br />
** Verifying commercial.crt against commercial.key<br />
Certificate (commercial.crt) and private key (commercial.key) match.<br />
Valid Certificate: commercial.crt: OK<br />
<br />
======Errors - Double check time======<br />
<br />
* Date [is it wrong?]<br />
** Install ntpd if it's not already installed<br />
** Stop ntpd : <br />
*** <pre>/etc/init.d/ntpd stop</pre><br />
** Set time with : <br />
*** <pre>ntpdate us.pool.ntp.org</pre><br />
** Confirm time change : <br />
*** <pre>date</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Sync hardware clock time : <br />
*** <pre>hwclock --systohc</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Start ntpd now : <br />
*** <pre>/etc/init.d/ntpd start</pre><br />
<br />
====Deploy CA====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt<br />
<br />
====Restart the webserver====<br />
<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
[[Category: Community Sandbox]] [[Category: Certificates]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Ajcody-Notes-SSLCerts&diff=19589Ajcody-Notes-SSLCerts2010-04-27T16:04:51Z<p>Baylink: /* Recreating Self-Signed SSL Certificates */</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
==SSL Certificate Issues==<br />
<br />
===Actual SSL Certificate Issues Homepage===<br />
<br />
Please see [[Ajcody-Notes-SSLCerts]]<br />
<br />
===Resources For SSL Certificates===<br />
<br />
* General<br />
** [[5.x_Commercial_Certificates_Guide]]<br />
** [[Commercial_Certificate_in_5.x]]<br />
** [[4.x_Commercial_Certificates_Guide]]<br />
** [[Administration_Console_and_CLI_Certificate_Tools]]<br />
* Trouble Shooting<br />
** [[Cannot_install_a_Commercial_Certificate_in_Zimbra_5.0]] <br />
** [[Private_key_and_certificate_mismatch]]<br />
** [[4.5.x_to_5.0.x_Certificate_Upgrade_Issues]]<br />
** [[Failed_to_create_jetty.pkcs12]]<br />
** [[LDAP/Nginx_won%27t_start_and_asks_for_a_password]]<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure]]<br />
** [[Unable_to_get_issuer_certificate]]<br />
* Specific Cert Wiki Pages:<br />
** [[Installing_a_GoDaddy_Commercial_Certificate]]<br />
** [[Installing_a_GeoTrust_Commercial_Certificate]]<br />
** [[Installing_a_Network_Solutions_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Comodo_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Thawte_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Verisign_Test_Certificate]]<br />
<br />
===Bug & RFE's Related To SSL===<br />
<br />
====Multiple SSL Certificates Aren't Supported On One Server====<br />
<br />
* "multiple SSL certificates on one server"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=8128<br />
*** A lot of the comment details are private, unfortunately.<br />
<br />
The -subjectAltNames option is the way to do this; if your certificate provider doesn't support it, you should look for another provider that does.<br />
<br />
===Recreating Self-Signed SSL Certificates===<br />
<br />
Other references:<br />
* I believe this wiki page has the best instructions. Sorry for the confusion about the state of the wiki pages on ssl certs. We are attempting to get them cleaned up.<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure#For_Multi-Server:_Run_this_on_all_other_systems_in_the_multi-server_setup]]<br />
*** [[Zmcertinstall#Single-Node_Self-Signed_Certificate]]<br />
**** Has "Multi-Node Self-Signed Certificate" instructions as well.<br />
*** [[Recreating_a_Self-Signed_SSL_Certificate]]<br />
<br />
Steps I've used for a single ZCS 6 server that WAS NOT using commercial certificates. Also, this is for '''recreating''' self-signed certificates and not changing them. This documentation was done specifically for the issue when the self-signed certificates expired and caused upgrade issues. <br />
<br />
* Have zimbra running - ldap at least - need to double check this<br />
* Run as root<br />
* Prep work:<br />
 mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old<br />
** I had used the below, but think the above step is *better*:<br />
 mv /opt/zimbra/ssl /root/ssl_old<br />
 mkdir /opt/zimbra/ssl<br />
 chown zimbra:zimbra /opt/zimbra/ssl<br />
* Creating new certs:<br />
 /opt/zimbra/bin/zmcertmgr createca -new<br />
 /opt/zimbra/bin/zmcertmgr deployca -localonly<br />
** others have just used: /opt/zimbra/bin/zmcertmgr deployca<br />
 /opt/zimbra/bin/zmcertmgr createcrt self -new<br />
** others have just used: /opt/zimbra/bin/zmcertmgr createcrt -new<br />
 /opt/zimbra/bin/zmcertmgr verifycrt self<br />
 /opt/zimbra/bin/zmcertmgr deploycrt self<br />
* Run as zimbra:<br />
 zmcontrol stop<br />
 zmcontrol start<br />
<br />
(Here's an actual script you can copy to a file and run, by [[User:Baylink|Baylink]] 16:08, 25 March 2010 (UTC))<br />
<br />
<pre><br />
#!/bin/sh<br />
# Run as root. Calls the 'timestamp' helper script shown further down.<br />
echo "Backing up old certs..."<br />
mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.newcert-`timestamp`<br />
<br />
echo "Creating new CA..."<br />
/opt/zimbra/bin/zmcertmgr createca -new<br />
<br />
echo "Deploying new CA..."<br />
/opt/zimbra/bin/zmcertmgr deployca -localonly<br />
<br />
# added 12 Apr 2010 per tonyp@zimbra.com<br />
echo "Creating new CSR..."<br />
/opt/zimbra/bin/zmcertmgr createcsr self -new -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=server.company.com" -subjectAltNames "server.company.com,altname.company.com,othername.company.com"<br />
<br />
echo "Creating new cert..."<br />
/opt/zimbra/bin/zmcertmgr createcrt -new -subject "/C=US/ST=N\/A/L=N\/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=server.company.com" -subjectAltNames "server.company.com,altname.company.com,othername.company.com"<br />
<br />
echo "Verifying new cert..."<br />
/opt/zimbra/bin/zmcertmgr verifycrt self<br />
<br />
echo "Deploying new cert..."<br />
/opt/zimbra/bin/zmcertmgr deploycrt self<br />
<br />
echo "Restarting Zimbra server"<br />
su - zimbra -c 'zmcontrol stop; zmcontrol start'<br />
</pre><br />
<br />
Note that if you're running Exchange ActiveSync with iPhones, the '''iPhones''' require that the "server.company.com" name (the primary name)<br />
<br />
* be the primary name on the SSL cert (I've tested this) and<br />
* resolve to the same IP both inside and outside your firewall which<br />
** requires a firewall that can do "hairpin" inbound-NAT<br />
<br />
So, if your mailbox server has a "real" name, then that, and any "role" name you use for ZWC user access must be secondary names, and the Active Sync name (I chose "async") must be primary.<br />
<br />
That script calls my 'timestamp' script, which is just:<br />
<br />
date +%Y%m%d-%H%M%S<br />
<br />
===Ldap And-Or MTA Doesn't Start After Cert Changes Or Upgrade===<br />
<br />
Brief summary of issues:<br />
* ''The ca directory contained extra links to different certificates. This seemed to not bother 5.0.9 but under 5.0.10 postfix has a fit if there are more than 3 files in that directory.''<br />
<br />
Example of LDAP error:<br />
<pre><br />
[zimbra@server-01 ~]$ zmcontrol start<br />
Host server-01.DOMAIN.com<br />
Starting ldap...Done.<br />
FAILED<br />
Failed to start slapd. Attempting debug start to determine error.<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:352<br />
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354<br />
main: TLS init def ctx failed: -1<br />
</pre><br />
<br />
The fix is described in:<br />
<br />
* http://www.zimbra.com/forums/administrators/23104-5-0-10-upgrade-problem.html<br />
<br />
Details as related to MTA/Postfix - [[Error_(MTA):_Unable_to_set_STARTTLS]]<br />
<br />
More details as shared by a customer:<br />
<br />
<pre><br />
I moved the "ca" directory to "ca.BAK" to back it up, made a new ca directory, and then went through the steps detailed in that post.<br />
Once done, zimbra started up without a problem:<br />
<br />
1) Clear all the contents of the /opt/zimbra/conf/ca directory by backing them up<br />
somewhere on disk.<br />
2) Copy the /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/ca/ca.key<br />
3) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/ca/ca.pem<br />
4) Create the hash value<br />
ln -f -s ca.pem /opt/zimbra/conf/ca/`openssl x509 -hash -noout -in<br />
/opt/zimbra/conf/ca/ca.pem`.0<br />
5) Chmod 644 /opt/zimbra/conf/ca/*<br />
6) Restart the zmcontrol<br />
<br />
<br />
A sample of what the /opt/zimbra/conf/ca directory looked like:<br />
<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0bb21872.0 -> commercial_ca_26.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0c364b2d.0 -> commercial_ca_14.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0e82f83a.0 -> commercial_ca_36.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 11f154d6.0 -> commercial_ca_49.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 128b9c8d.0 -> commercial_ca_9.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 1a147d5b.0 -> commercial_ca_5.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1bb6c7e0.0 -> commercial_ca_24.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1c647a6d.0 -> commercial_ca_21.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 256fd83b.0 -> commercial_ca_33.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 25f0cbee.0 -> commercial_ca_23.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 2d047263.0 -> commercial_ca_28.pem<br />
<br />
There were many more of the above entries, all of which pointed to .pem files that didn't exist.<br />
<br />
There was also:<br />
lrwxrwxrwx 1 root root 6 Apr 13 11:43 555ebb99.0 -> ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 9 20:29 8e6e2991.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 13 11:43 c33a80d4.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 c527e4ab.0 -> commercial_ca_57.pem<br />
-rw-r--r-- 1 root root 887 Apr 13 11:43 ca.key<br />
-rw-r--r-- 1 root root 989 Apr 13 11:43 ca.pem<br />
-rw-r--r-- 1 root root 1155 Apr 13 11:43 commercial_ca_1.pem<br />
-rw-r--r-- 1 root root 1156 Apr 13 11:43 commercial_ca.pem<br />
<br />
zmcertmgr output:<br />
<br />
./zmcertmgr deploycrt comm /opt/zimbra/certs/server-01.DOMAIN.com.crt /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt<br />
** Verifying /opt/zimbra/certs/server-01.DOMAIN.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/opt/zimbra/certs/server-01.DOMAIN.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /opt/zimbra/certs/server-01.DOMAIN.com.crt: OK<br />
** Copying /opt/zimbra/certs/server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Appending ca chain /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Saving server config key zimbraSSLCertificate...done.<br />
** Saving server config key zimbraSSLPrivateKey...done.<br />
** Installing mta certificate and key...done.<br />
** Installing slapd certificate and key...done.<br />
** Installing proxy certificate and key...done.<br />
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.<br />
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.<br />
** Installing CA to /opt/zimbra/conf/ca...done.<br />
</pre><br />
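A quick audit for the broken conf/ca state shown in that listing, added here as an example that is not part of the wiki page or of zmcertmgr: it lists the <hash>.0 symlinks whose .pem targets are missing, reports the entry count, and, when an openssl binary is on PATH, checks each link name against the subject hash of the certificate it points to (the same value the customer computes with openssl x509 -hash -noout). The sample directory it builds is constructed from the listing above and holds placeholder files, not real certificates.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page or zmcertmgr): audit a Zimbra
# conf/ca directory for the failure described above, i.e. OpenSSL-style
# <subject-hash>.0 symlinks whose .pem targets no longer exist. Also reports
# the total entry count (the post says postfix 5.0.10 objects to more than 3)
# and, if openssl is available, flags links whose name does not match the
# subject hash of the certificate they point to. Use the same openssl the
# server's postfix/slapd use so the hash scheme matches.

audit_ca_dir() {
    dir=$1
    dangling=0
    total=0
    for entry in "$dir"/*; do
        # An empty directory leaves the literal pattern behind: skip it
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        total=$((total + 1))
        [ -L "$entry" ] || continue
        target=$(readlink "$entry" || true)
        case $target in
            /*) resolved=$target ;;
            *)  resolved=$dir/$target ;;
        esac
        if [ ! -e "$resolved" ]; then
            echo "dangling: $(basename "$entry") -> $target"
            dangling=$((dangling + 1))
        elif command -v openssl >/dev/null 2>&1; then
            # Link name should equal the subject hash of the cert it points to
            want=$(openssl x509 -hash -noout -in "$resolved" 2>/dev/null || true)
            name=$(basename "$entry" .0)
            if [ -n "$want" ] && [ "$want" != "$name" ]; then
                echo "hash-mismatch: $(basename "$entry") expected ${want}.0"
            fi
        fi
    done
    echo "summary: $total entries, $dangling dangling links"
    [ "$dangling" -eq 0 ]
}

# Number of dangling links only, for scripting around the audit.
count_dangling() {
    audit_ca_dir "$1" | grep -c '^dangling: ' || true
}

# Constructed sample directory mirroring the listing quoted above; these are
# placeholder files, not real certificates or server data.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
printf 'placeholder, not a real PEM file\n' > "$sample/ca.pem"
ln -s ca.pem "$sample/555ebb99.0"
ln -s commercial_ca_26.pem "$sample/0bb21872.0"   # target never existed
ln -s commercial_ca_14.pem "$sample/0c364b2d.0"
ln -s commercial_ca_57.pem "$sample/c527e4ab.0"

if ! audit_ca_dir "$sample"; then
    echo "conf/ca needs cleanup (see the slapd/postfix TLS errors above)"
fi
```
<br />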
<br />
===Moving Your Certificates To New Or Another Server===<br />
<br />
Please see [[Transfer_SSL_certificates_between_servers]]<br />
<br />
===Commercial Cert Error - Subject Does Not Start With / ===<br />
<br />
As reported by a customer to me:<br />
<br />
''When creating a commercial cert for a server the zmcertmgr will fail if you don't supply a subjectAltName ---- Took me a while to figure this out since the error isn't correctly describing the problem. It says that "Subject does not start with '/'." Which is incorrect. Subject does start with "/"; it's the subjectAltName that was needed. After I supplied this name, it generated the csr. Here are my commands for your own reference.''<br />
<br />
: I modified the Some* entries below.<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=SomeState/L=SomeCity/O=Some Community College/OU=ITS/CN=zimbra.somecommunitycollege.edu" -subjectAltNames zimbra.somecommunitycollege.edu<br />
<br />
''then I went to thawte and applied for an ssl cert.''<br />
<br />
===How To Setup Certs With CACert.org - Free Certs===<br />
<br />
====CaCert.Org References====<br />
<br />
Free Certs with http://www.cacert.org/ <br />
<br />
====How-To (tested on 5.0.2)====<br />
<br />
Note: the following is included in all steps in case someone is skipping through the instructions.<br />
<br />
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/<br />
<br />
=====Clean up and start fresh=====<br />
<br />
su - root<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.backup.tar.gz *<br />
rm -rf *<br />
<br />
=====Generate new csr=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new<br />
<br />
This uses the defaults. The form below sets the subject explicitly; change the items to match your own organisation and hostname.<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"<br />
<br />
=====Confirm=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
ls -la<br />
<br />
There should be only two files, commercial.csr and commercial.key, and their timestamps should match.<br />
<br />
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr<br />
-----BEGIN CERTIFICATE REQUEST-----<br />
-----END CERTIFICATE REQUEST-----<br />
<br />
=====Sign up for cacert.org use=====<br />
<br />
Goto http://www.cacert.org/<br />
<br />
Sign up - https://www.cacert.org/index.php?id=1<br />
<br />
Verify your email address using the confirmation email.<br />
<br />
Add a domain; CAcert will send a verification email to an "admin" account at that domain. Make sure you can receive mail at that address before you do this.<br />
<br />
=====Get New Server Certificate=====<br />
<br />
Now request a New Server Certificate from your administration page at http://www.cacert.org/<br />
<br />
Paste the entire contents of /opt/zimbra/ssl/zimbra/commercial/commercial.csr into the form.<br />
<br />
It will generate your certificate on the web page.<br />
<br />
Copy the certificate onto the server (paste in the certificate details):<br />
<br />
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
-----BEGIN CERTIFICATE-----<br />
-----END CERTIFICATE-----<br />
<br />
=====Get Root CA's=====<br />
<br />
Root CA certs are found here : https://www.cacert.org/index.php?id=3<br />
<br />
Do the following on the server:<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
wget http://www.cacert.org/certs/root.crt<br />
mv root.crt commercial_ca.crt<br />
<br />
=====Verify=====<br />
<br />
Let's verify all is good.<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt<br />
<br />
Giving something like this:<br />
<br />
** Verifying commercial.crt against commercial.key<br />
Certificate (commercial.crt) and private key (commercial.key) match.<br />
Valid Certificate: commercial.crt: OK<br />
<br />
======Errors - Double check time======<br />
<br />
* Date [is it wrong?]<br />
** Install ntpd if it's not already installed<br />
** Stop ntpd : <br />
*** <pre>/etc/init.d/ntpd stop</pre><br />
** Set time with : <br />
*** <pre>ntpdate us.pool.ntp.org</pre><br />
** Confirm time change : <br />
*** <pre>date</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Sync hardware clock time : <br />
*** <pre>hwclock --systohc</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Start ntpd now : <br />
*** <pre>/etc/init.d/ntpd start</pre><br />
<br />
====Deploy CA====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt<br />
<br />
====Restart the webserver====<br />
<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
[[Category: Community Sandbox]] [[Category: Certificates]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Ajcody-Notes-SSLCerts&diff=18776Ajcody-Notes-SSLCerts2010-03-25T16:08:32Z<p>Baylink: /* Recreating Self-Signed SSL Certificates */ - had to make a script anyway...</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
==SSL Certificate Issues==<br />
<br />
===Actual SSL Certificate Issues Homepage===<br />
<br />
Please see [[Ajcody-Notes-SSLCerts]]<br />
<br />
===Resources For SSL Certificates===<br />
<br />
* General<br />
** [[5.x_Commercial_Certificates_Guide]]<br />
** [[Commercial_Certificate_in_5.x]]<br />
** [[4.x_Commercial_Certificates_Guide]]<br />
** [[Administration_Console_and_CLI_Certificate_Tools]]<br />
* Trouble Shooting<br />
** [[Cannot_install_a_Commercial_Certificate_in_Zimbra_5.0]] <br />
** [[Private_key_and_certificate_mismatch]]<br />
** [[4.5.x_to_5.0.x_Certificate_Upgrade_Issues]]<br />
** [[Failed_to_create_jetty.pkcs12]]<br />
** [[LDAP/Nginx_won%27t_start_and_asks_for_a_password]]<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure]]<br />
** [[Unable_to_get_issuer_certificate]]<br />
* Specific Cert Wiki Pages:<br />
** [[Installing_a_GoDaddy_Commercial_Certificate]]<br />
** [[Installing_a_GeoTrust_Commercial_Certificate]]<br />
** [[Installing_a_Network_Solutions_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Comodo_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Thawte_SSL_Certificate_on_ZCS_5.0.x]]<br />
** [[Installing_a_Verisign_Test_Certificate]]<br />
<br />
===Bug & RFE's Related To SSL===<br />
<br />
====Multiple SSL Certificates Aren't Supported On One Server====<br />
<br />
* "multiple SSL certificates on one server"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=8128<br />
*** A lot of the comment details are private, unfortunately.<br />
<br />
The -subjectAltNames option is the way to do this; if your certificate provider doesn't support it, you should look for another provider that does.<br />
<br />
===Recreating Self-Signed SSL Certificates===<br />
<br />
Other references:<br />
* I believe this wiki page has the best instructions. Sorry for the confusion about the state of the wiki pages on ssl certs. We are attempting to get them cleaned up.<br />
** [[Problem_with_Certificate_can_cause_MTA_Failure#For_Multi-Server:_Run_this_on_all_other_systems_in_the_multi-server_setup]]<br />
*** [[Zmcertinstall#Single-Node_Self-Signed_Certificate]]<br />
**** Has "Multi-Node Self-Signed Certificate" instructions as well.<br />
*** [[Recreating_a_Self-Signed_SSL_Certificate]]<br />
<br />
Steps I've used for a single ZCS 6 server that WAS NOT using commercial certificates:<br />
<br />
* Have zimbra running - ldap at least - need to double check this<br />
* Run as root<br />
* Prep work:<br />
 mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old<br />
** I had used the below, but think the above step is *better*:<br />
 mv /opt/zimbra/ssl /root/ssl_old<br />
 mkdir /opt/zimbra/ssl<br />
 chown zimbra:zimbra /opt/zimbra/ssl<br />
* Creating new certs:<br />
 /opt/zimbra/bin/zmcertmgr createca -new<br />
 /opt/zimbra/bin/zmcertmgr deployca -localonly<br />
** others have just used: /opt/zimbra/bin/zmcertmgr deployca<br />
 /opt/zimbra/bin/zmcertmgr createcrt self -new<br />
** others have just used: /opt/zimbra/bin/zmcertmgr createcrt -new<br />
 /opt/zimbra/bin/zmcertmgr verifycrt self<br />
 /opt/zimbra/bin/zmcertmgr deploycrt self<br />
* Run as zimbra:<br />
 zmcontrol stop<br />
 zmcontrol start<br />
<br />
(Here's an actual script you can copy to a file and run, by [[User:Baylink|Baylink]] 16:08, 25 March 2010 (UTC))<br />
<br />
<pre><br />
#!/bin/sh<br />
# Run as root.<br />
echo "Backing up old certs..."<br />
mv /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra_old<br />
<br />
echo "Creating new CA..."<br />
/opt/zimbra/bin/zmcertmgr createca -new<br />
<br />
echo "Deploying new CA..."<br />
/opt/zimbra/bin/zmcertmgr deployca -localonly<br />
<br />
echo "Creating new cert..."<br />
/opt/zimbra/bin/zmcertmgr createcrt self -new<br />
<br />
echo "Verifying new cert..."<br />
/opt/zimbra/bin/zmcertmgr verifycrt self<br />
<br />
echo "Deploying new cert..."<br />
/opt/zimbra/bin/zmcertmgr deploycrt self<br />
<br />
echo "Restarting Zimbra server"<br />
su - zimbra -c 'zmcontrol stop; zmcontrol start'<br />
</pre><br />
<br />
===Ldap And-Or MTA Doesn't Start After Cert Changes Or Upgrade===<br />
<br />
Brief summary of issues:<br />
* ''The ca directory contained extra links to different certificates. This seemed to not bother 5.0.9 but under 5.0.10 postfix has a fit if there are more than 3 files in that directory.''<br />
<br />
Example of LDAP error:<br />
<pre><br />
[zimbra@server-01 ~]$ zmcontrol start<br />
Host server-01.DOMAIN.com<br />
Starting ldap...Done.<br />
FAILED<br />
Failed to start slapd. Attempting debug start to determine error.<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:647<br />
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:352<br />
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:354<br />
main: TLS init def ctx failed: -1<br />
</pre><br />
<br />
The fix is described in:<br />
<br />
* http://www.zimbra.com/forums/administrators/23104-5-0-10-upgrade-problem.html<br />
<br />
Details as related to MTA/Postfix - [[Error_(MTA):_Unable_to_set_STARTTLS]]<br />
<br />
More details as shared by a customer:<br />
<br />
<pre><br />
I moved the "ca" directory to "ca.BAK" to back it up, made a new ca directory, and then went through the steps detailed in that post.<br />
Once done, zimbra started up without a problem:<br />
<br />
1) Clear all the contents of the /opt/zimbra/conf/ca directory by backing them up<br />
somewhere on disk.<br />
2) Copy the /opt/zimbra/ssl/zimbra/commercial/commercial.key /opt/zimbra/conf/ca/ca.key<br />
3) Copy /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/conf/ca/ca.pem<br />
4) Create the hash value<br />
ln -f -s ca.pem /opt/zimbra/conf/ca/`openssl x509 -hash -noout -in<br />
/opt/zimbra/conf/ca/ca.pem`.0<br />
5) Chmod 644 /opt/zimbra/conf/ca/*<br />
6) Restart the zmcontrol<br />
<br />
<br />
A sample of what the /opt/zimbra/conf/ca directory looked like:<br />
<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0bb21872.0 -> commercial_ca_26.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0c364b2d.0 -> commercial_ca_14.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 0e82f83a.0 -> commercial_ca_36.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 11f154d6.0 -> commercial_ca_49.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 128b9c8d.0 -> commercial_ca_9.pem<br />
lrwxrwxrwx 1 root root 19 Apr 9 20:29 1a147d5b.0 -> commercial_ca_5.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1bb6c7e0.0 -> commercial_ca_24.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 1c647a6d.0 -> commercial_ca_21.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 256fd83b.0 -> commercial_ca_33.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 25f0cbee.0 -> commercial_ca_23.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 2d047263.0 -> commercial_ca_28.pem<br />
<br />
There were many more of the above entries, all of which pointed to .pem files that didn't exist.<br />
<br />
There was also:<br />
lrwxrwxrwx 1 root root 6 Apr 13 11:43 555ebb99.0 -> ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 9 20:29 8e6e2991.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 17 Apr 13 11:43 c33a80d4.0 -> commercial_ca.pem<br />
lrwxrwxrwx 1 root root 20 Apr 9 20:29 c527e4ab.0 -> commercial_ca_57.pem<br />
-rw-r--r-- 1 root root 887 Apr 13 11:43 ca.key<br />
-rw-r--r-- 1 root root 989 Apr 13 11:43 ca.pem<br />
-rw-r--r-- 1 root root 1155 Apr 13 11:43 commercial_ca_1.pem<br />
-rw-r--r-- 1 root root 1156 Apr 13 11:43 commercial_ca.pem<br />
<br />
zmcertmgr output:<br />
<br />
./zmcertmgr deploycrt comm /opt/zimbra/certs/server-01.DOMAIN.com.crt /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt<br />
** Verifying /opt/zimbra/certs/server-01.DOMAIN.com.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key<br />
Certificate (/opt/zimbra/certs/server-01.DOMAIN.com.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.<br />
Valid Certificate: /opt/zimbra/certs/server-01.DOMAIN.com.crt: OK<br />
** Copying /opt/zimbra/certs/server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Appending ca chain /opt/zimbra/certs/ca_chain-server-01.DOMAIN.com.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
** Saving server config key zimbraSSLCertificate...done.<br />
** Saving server config key zimbraSSLPrivateKey...done.<br />
** Installing mta certificate and key...done.<br />
** Installing slapd certificate and key...done.<br />
** Installing proxy certificate and key...done.<br />
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12...done.<br />
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore...done.<br />
** Installing CA to /opt/zimbra/conf/ca...done.<br />
</pre><br />
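The listing above shows hash links pointing at PEM files that no longer exist. As an added check (example code, not Zimbra's and not the customer's), the script below audits a CA hash directory of that shape: it reports dangling eight-hex-digit .0 links, PEM files that no link points to (OpenSSL's CApath lookup cannot find those), and link names outside the hash convention. It checks the file layout only and does not recompute subject hashes; the sample directory is constructed to mirror the listing.<br />
<br />
```python
"""Audit a Zimbra-style CA hash directory for the layout problems shown above.

Added example (not Zimbra's own code). Only the file layout is checked, which
is enough to spot "<hash>.0 -> commercial_ca_NN.pem" links whose target is
gone; the OpenSSL subject hash itself is not recomputed here.
"""
import os
import re
import tempfile

# OpenSSL-style hash link names: eight lowercase hex digits, a dot, a number.
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def audit_ca_dir(path):
    """Return a dict of findings for the CA directory at `path`.

    dangling  : (link, target) pairs whose target file does not exist
    unlinked  : regular .pem files that no hash link points to
    odd_names : symlinks that do not follow the <hash>.N convention
    """
    findings = {"dangling": [], "unlinked": [], "odd_names": []}
    linked_targets = set()
    names = sorted(os.listdir(path))
    for name in names:
        full = os.path.join(path, name)
        if not os.path.islink(full):
            continue
        target = os.readlink(full)
        if not HASH_LINK.match(name):
            findings["odd_names"].append(name)
        # Relative targets are resolved against the CA directory itself.
        if os.path.exists(os.path.join(path, target)):
            linked_targets.add(os.path.basename(target))
        else:
            findings["dangling"].append((name, target))
    for name in names:
        full = os.path.join(path, name)
        if (name.endswith(".pem") and os.path.isfile(full)
                and not os.path.islink(full) and name not in linked_targets):
            findings["unlinked"].append(name)
    return findings


def build_sample_ca_dir():
    """Construct a temporary directory mirroring the customer's listing.

    Constructed sample: two real PEM files, one good link, and two stale
    links to files that were never created (as in the listing above).
    """
    d = tempfile.mkdtemp(prefix="zimbra-ca-")
    for fname in ("ca.pem", "commercial_ca.pem"):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n"
                     "-----END CERTIFICATE-----\n")
    os.symlink("ca.pem", os.path.join(d, "555ebb99.0"))
    os.symlink("commercial_ca_26.pem", os.path.join(d, "0bb21872.0"))
    os.symlink("commercial_ca_14.pem", os.path.join(d, "0c364b2d.0"))
    return d


if __name__ == "__main__":
    for kind, items in audit_ca_dir(build_sample_ca_dir()).items():
        for item in items:
            print(kind, item)
```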
<br />
===Moving Your Certificates To New Or Another Server===<br />
<br />
Please see [[Transfer_SSL_certificates_between_servers]]<br />
<br />
===Commercial Cert Error - Subject Does Not Start With / ===<br />
<br />
As reported by a customer to me:<br />
<br />
''When creating a commercial cert for a server the zmcertmgr will fail if you don't supply a subjectAltName ---- Took me a while to figure this out since the error isn't correctly describing the problem. It says that "Subject does not start with '/'." Which is incorrect. Subject does start with "/", it's the subjectAltName that was needed. After I supplied this name, it generated the csr. Here are my commands for your own reference.''<br />
<br />
: I modified the Some* entries below.<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=SomeState/L=SomeCity/O=Some Community College/OU=ITS/CN=zimbra.somecommunitycollege.edu" -subjectAltNames zimbra.somecommunitycollege.edu<br />
<br />
''Then I went to Thawte and applied for an SSL cert.''<br />
<br />
===How To Setup Certs With CACert.org - Free Certs===<br />
<br />
====CaCert.Org References====<br />
<br />
Free Certs with http://www.cacert.org/ <br />
<br />
====How-To (tested on 5.0.2)====<br />
<br />
Note: the following<br />
<br />
su - root ; cd /opt/zimbra/ssl/zimbra/commercial/<br />
<br />
is repeated in every step, in case someone is skipping through the instructions.<br />
<br />
=====Clean up and start fresh=====<br />
<br />
su - root<br />
cd /opt/zimbra/ssl/zimbra/commercial/<br />
tar -czvf /tmp/ssl.commercial.backup.tar.gz *<br />
rm -rf *<br />
<br />
=====Generate new csr=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new<br />
<br />
That uses the defaults. To supply your own subject instead, change the placeholder values (state, city, company, CN) in the following:<br />
<br />
/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=US/ST=TX/L=Somewhere/O=Company, Inc./OU=ITDepartment/CN=mail.CHANGEME.com"<br />
<br />
=====Confirm=====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
ls -la<br />
<br />
There should be only two files, commercial.csr and commercial.key, and their timestamps should match.<br />
<br />
cat /opt/zimbra/ssl/zimbra/commercial/commercial.csr<br />
-----BEGIN CERTIFICATE REQUEST-----<br />
-----END CERTIFICATE REQUEST-----<br />
<br />
=====Sign up for cacert.org use=====<br />
<br />
Goto http://www.cacert.org/<br />
<br />
Sign up - https://www.cacert.org/index.php?id=1<br />
<br />
Verify your email address using the confirmation email.<br />
<br />
Add a domain. CAcert will send a verification email to an "admin" account at that domain, so make sure you can receive mail there before you do this.<br />
<br />
=====Get New Server Certificate=====<br />
<br />
Now do a New Server Certificate from your administration page at http://www.cacert.org/<br />
<br />
Paste the entire contents of /opt/zimbra/ssl/zimbra/commercial/commercial.csr into the form.<br />
<br />
It will generate your certificate and display it on the web page.<br />
<br />
Copy this onto the server [paste in cert details]:<br />
<br />
vi /opt/zimbra/ssl/zimbra/commercial/commercial.crt<br />
-----BEGIN CERTIFICATE-----<br />
-----END CERTIFICATE-----<br />
<br />
=====Get Root CA certs=====<br />
<br />
Root CA certs are found here : https://www.cacert.org/index.php?id=3<br />
<br />
Do the following on the server:<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
wget http://www.cacert.org/certs/root.crt<br />
mv root.crt commercial_ca.crt<br />
<br />
This download is over plain HTTP, so compare the fingerprint of the file you fetched (openssl x509 -noout -fingerprint -in commercial_ca.crt) with the one published on the root certificate page linked above before going further.<br />
<br />
=====Verify=====<br />
<br />
Let's verify all is good.<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
/opt/zimbra/bin/zmcertmgr verifycrt comm commercial.key commercial.crt<br />
<br />
Giving something like this:<br />
<br />
** Verifying commercial.crt against commercial.key<br />
Certificate (commercial.crt) and private key (commercial.key) match.<br />
Valid Certificate: commercial.crt: OK<br />
<br />
======Errors - Double check time======<br />
<br />
* Date [is it wrong?]<br />
** Install ntpd if it isn't installed<br />
** Stop ntpd : <br />
*** <pre>/etc/init.d/ntpd stop</pre><br />
** Set time with : <br />
*** <pre>ntpdate us.pool.ntp.org</pre><br />
** Confirm time change : <br />
*** <pre>date</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Sync hardware clock time : <br />
*** <pre>hwclock --systohc</pre><br />
** Confirm hardware clock time : <br />
*** <pre>hwclock</pre><br />
** Start ntpd now : <br />
*** <pre>/etc/init.d/ntpd start</pre><br />
<br />
====Deploy CA====<br />
<br />
[ su - root ; cd /opt/zimbra/ssl/zimbra/commercial/ ]<br />
<br />
/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt<br />
<br />
====Restart the webserver====<br />
<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
[[Category: Community Sandbox]] [[Category: Certificates]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Open_Source_Mobile_Calendar_and_Contact_Synchronization&diff=15281Open Source Mobile Calendar and Contact Synchronization2009-11-06T15:19:25Z<p>Baylink: /* Installation Guide */ - add note that server must be running during install-modules</p>
<hr />
<div>{{Unsupported}}<br />
<br />
Method to provide mobile calendar and contact synchronization<br />
<br />
With the great work from the forum user Wolfroma - a Zimbra/Funambol connector surfaced to allow the synchronization of calendar and contacts between Zimbra user accounts and their mobile devices.<br />
<br />
The connector is stable, but user feedback reports one gap: recurring events do not sync.<br />
<br />
At present the most documentation is available directly on the [http://zimbrafunambol.wiki.sourceforge.net/installation-guide Sourceforge wiki page] (also where you can download the Funambol Zimbra connector).<br />
<br />
<br />
==== The source editor has granted permission to use the material directly - furthermore I personally worked on the main article ====<br />
<br />
=Installation Guide=<br />
<br />
Installation contains fifteen steps.<br />
<br />
1. Download the Funambol ds-server (I recommend you [http://funambol.com/opensource/downloads.php download] the PIM bundle version). The instructions in this article are current as of v6.5.12.<br />
<br />
2. Install the Funambol ds-server ([http://forge.objectweb.org/project/download.php?group_id=96&file_id=10011 this is] the detailed guide for v 6.5, if the link is broken then search in the [http://forge.objectweb.org/projects/sync4j project page]).<br />
N.B.- for the duration of this article, the directory where you install the funambol bundle will be referred to as <FUNAMBOL>.<br />
<br />
3. Download the latest Funambol Zimbra Connector version from this [https://sourceforge.net/project/platformdownload.php?group_id=219645 link].<br />
<br />
3.1 For Funambol 8.x, you will need to download the ZimbraConnector.zip released by Zoltan67, and attached to his post in the [http://www.zimbra.com/forums/zimbra-mobile/23988-zimbra-funambol-sync4j-code-24.html#post151879 Zimbra + Funambol Sync4j Code].<br />
<br />
4. The file name will resemble the following syntax: ZimbraConnector_0.x.x.s4j<br />
<br />
5. Copy the downloaded connector module to <FUNAMBOL>/ds-server/modules<br />
<br />
rename ZimbraConnector_0.x.x.s4j ZimbraConnector.s4j<br />
copy ZimbraConnector.s4j "<FUNAMBOL>/ds-server/modules"<br />
<br />
5.1. For Funambol Zimbra Connector version 0.4.95 and above, create a ZimbraConnector.xml configuration file in the <FUNAMBOL>/ds-server/config/connector/ directory for Funambol v6.5,<br />
or in <FUNAMBOL>/config/connector/ for Funambol v7.x. (You have to create this directory if it doesn't exist.)<br />
<br />
Example of this file: ZimbraConnector.xml<br />
<br />
<java version="1.5.0" class="java.beans.XMLDecoder"><br />
<object class="ru.korusconsulting.connector.config.ConnectorConfig"><br />
<void property="dataSource"><br />
<string>jdbc/fnblds</string> <!--The funambol datasource--><br />
</void><br />
</object><br />
</java><br />
<br />
6. Edit the install.properties file in the <FUNAMBOL>/ds-server directory and find the line beginning "modules-to-install=" (usually the last line). Append ZimbraConnector to it; the result should look similar to the following:<br />
<br />
modules-to-install=foundation-6.5.10,...,funambol-email-connector-6.5.9,ZimbraConnector<br />
<br />
7. Install the new connector into the ds-server by using the following commands, depending on your Funambol version. Note that you ''should not shut down the Funambol server''; it must be running when you run install-modules. If it's not running yet,<br />
start it now. Then type:<br />
<br />
7.1. Funambol 6.x:<br />
<br />
cd <FUNAMBOL>/ds-server<br />
bin/install-modules.sh<br />
<br />
7.2. Funambol 7.x:<br />
<br />
cd <FUNAMBOL>/bin<br />
./install-modules.sh<br />
<br />
7.3 Funambol 8.x:<br />
<br />
cd <FUNAMBOL>/bin<br />
./install-modules<br />
<br />
8. For existing modules you can answer as you wish (answering yes will overwrite any existing data) -- Answer "y" (Yes), to questions about creating a database for the ZimbraConnector.<br />
<br />
9. Now the Zimbra connector is ready to use, but it is not configured yet.<br />
<br />
10. Start the administration tool and connect to your ds-server (by default http://localhost:8080/funambol/ds).<br />
<br />
11. Remove the following items from the foundation connector:<br />
<br />
*PIM Calendar SyncSource -- cal; event; scal; stask; task<br />
<br />
*PIM Contact SyncSource -- card; scard<br />
<br />
<br />
12. Now you should add new SyncSources to FunambolZimbraConnector.<br />
<br />
Modules > zimbra > FunambolZimbraConnector>CalendarSyncSource<br />
<br />
First of all click on zimbra>FunambolZimbraConnector, then right click on the "CalendarSyncSource" and select "Add SyncSource".<br />
<br />
Enter the following details - Adding new SyncSource items for cal, event, scal, stask and task.<br />
<br />
*Source URI = cal,event,scal,stask,task<br />
<br />
*Name = cal,event,scal,stask,task<br />
<br />
*Zimbra URL = http://<hostname>:port/service/soap/<br />
<br />
*Secure URL = https://<hostname>:port/service/soap/<br />
<br />
<br />
<br />
Modules > zimbra > FunambolZimbraConnector>ContactSyncSource<br />
<br />
First of all click on zimbra>FunambolZimbraConnector, then right click on the "ContactSyncSource" and select "Add SyncSource".<br />
<br />
Enter the following details - Adding new SyncSource items for both card and scard.<br />
<br />
*Source URI = card, scard<br />
<br />
*Name = card, scard<br />
<br />
*Zimbra URL = http://<hostname>:port/service/soap/<br />
<br />
*Secure URL = https://<hostname>:port/service/soap/<br />
<br />
<br />
<br />
Modules > zimbra > FunambolZimbraConnector>GALContactSyncSource<br />
<br />
First of all click on zimbra>FunambolZimbraConnector, then right click on the "GALSyncSource" and select "Add SyncSource".<br />
<br />
Enter the following details - Adding a new SyncSource item for zimbraGALContacts.<br />
<br />
*Source URI = zimbraGalContacts<br />
<br />
*Name = zimbraGalContacts<br />
<br />
*Zimbra URL = http://<hostname>:port/service/soap/<br />
<br />
*Secure URL = https://<hostname>:port/service/soap/<br />
<br />
<br />
13. Configuration of all sync sources should resemble the picture below:<br />
<br />
[[Image:funambol_snapshot.jpg]]<br />
<br />
15. The article instructions leave a correctly configured Funambol Zimbra connector.<br />
<br />
{{Article_Footer|unknown|3/4/2008}}<br />
<br />
[[Category: Mobile]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Configuring_Postfix_to_work_with_piped_scripts&diff=14946Configuring Postfix to work with piped scripts2009-09-18T16:33:36Z<p>Baylink: /* Steps for integrating RT */</p>
<hr />
<div>{{Unsupported}}<br />
<br />
== Background ==<br />
<br />
Many users of Zimbra may want to integrate Request Tracker (RT) or Mailman, both of which are typically configured by executing scripts from /etc/aliases. With Zimbra 5, /etc/aliases appears to be mostly ignored and therefore cannot be used. This wiki entry is based on a trick that was figured out in [http://www.zimbra.com/forums/installation/2859-aliases-scripts.html this forum post.]<br />
<br />
== Steps for integrating RT ==<br />
'''0. Make sure you're user Zimbra'''<br />
$ su - zimbra<br />
# su - zimbra<br />
In the first case you may have permissions problems; in the second, your $PATH will be suboptimal.<br />
<br />
'''1. Configure the Postfix main.cf to handle an additional transport map'''<br />
Execute the following command:<br />
<br />
zmlocalconfig -e postfix_transport_maps=' hash:/opt/zimbra/postfix/conf/transport,ldap:/opt/zimbra/conf/ldap-transport.cf'<br />
<br />
This will add /opt/zimbra/postfix/conf/transport as an additional transport map.<br />
<br />
<br />
'''2. Create the transport map'''<br />
<br />
Edit /opt/zimbra/postfix/conf/transport and place the following lines at the top:<br />
<br />
# Pipe transports for RT queues<br />
# YOU HAVE TO ADD THE PIPES TO /opt/zimbra/postfix/conf/master.cf if you want them to work!!!<br />
rt@example.com rt-pipe<br />
rt-comment@example.com rt-comment-pipe<br />
<br />
<br />
And then create the transport db by executing (as zimbra)<br />
<br />
postmap /opt/zimbra/postfix/conf/transport<br />
<br />
<br />
<br />
'''3. Define the pipe transports'''<br />
<br />
The transport definitions 'rt-pipe' and 'rt-comment-pipe' must now be defined. Edit /opt/zimbra/postfix/conf/master.cf'''.in''' and add the following lines to the end of the file:<br />
<br />
<pre><br />
rt-pipe unix - n n - - pipe<br />
  flags= user=www argv=/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://rt.example.com/<br />
rt-comment-pipe unix - n n - - pipe<br />
  flags= user=www argv=/opt/rt3/bin/rt-mailgate --queue general --action comment --url https://rt.example.com/<br />
</pre><br />
<br />
Note that the 2nd line needs to be right under the first and must start with whitespace. Also make sure the user= line is pointing to a valid user with permissions to execute the script.<br />
<br />
<br />
'''4. Restart Postfix and test'''<br />
<br />
Execute the following commands:<br />
<br />
zmmtactl stop ; zmmtactl start<br />
<br />
Now, you should be able to email rt@example.com and receive a message back. grep for RT in /var/log/messages as well as tail /var/log/mail to watch for errors.<br />
<br />
<br />
<br />
{{Article Footer|Unknown|8/1/2008}}<br />
<br />
[[Category:MTA]]<br />
[[Category:Customizing ZCS]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Configuring_Postfix_to_work_with_piped_scripts&diff=14945Configuring Postfix to work with piped scripts2009-09-18T15:55:30Z<p>Baylink: Note necessity of being Zimbra. Yes, I know; everything requires that...</p>
<hr />
<div>{{Unsupported}}<br />
<br />
== Background ==<br />
<br />
Many users of Zimbra may want to integrate Request Tracker (RT) or Mailman, both of which are typically configured by executing scripts from /etc/aliases. With Zimbra 5, /etc/aliases appears to be mostly ignored and therefore cannot be used. This wiki entry is based on a trick that was figured out in [http://www.zimbra.com/forums/installation/2859-aliases-scripts.html this forum post.]<br />
<br />
== Steps for integrating RT ==<br />
'''0. Make sure you're user Zimbra'''<br />
$ su - zimbra<br />
# su - zimbra<br />
In the first case you may have permissions problems; in the second, your $PATH will be suboptimal.<br />
<br />
'''1. Configure the Postfix main.cf to handle an additional transport map'''<br />
Execute the following command:<br />
<br />
zmlocalconfig -e postfix_transport_maps=' hash:/opt/zimbra/postfix/conf/transport,ldap:/opt/zimbra/conf/ldap-transport.cf'<br />
<br />
This will add /opt/zimbra/postfix/conf/transport as an additional transport map.<br />
<br />
<br />
'''2. Create the transport map'''<br />
<br />
Edit /opt/zimbra/postfix/conf/transport and place the following lines at the top:<br />
<br />
# Pipe transports for RT queues<br />
# YOU HAVE TO ADD THE PIPES TO /opt/zimbra/postfix/conf/master.cf if you want them to work!!!<br />
rt@example.com rt-pipe<br />
rt-comment@example.com rt-comment-pipe<br />
<br />
<br />
And then create the transport db by executing (as zimbra)<br />
<br />
postmap /opt/zimbra/postfix/conf/transport<br />
<br />
<br />
<br />
'''3. Define the pipe transports'''<br />
<br />
The transport definitions 'rt-pipe' and 'rt-comment-pipe' must now be defined. Edit /opt/zimbra/postfix/conf/master.cf and add the following lines to the end of the file:<br />
<br />
<pre><br />
rt-pipe unix - n n - - pipe<br />
  flags= user=www argv=/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://rt.example.com/<br />
rt-comment-pipe unix - n n - - pipe<br />
  flags= user=www argv=/opt/rt3/bin/rt-mailgate --queue general --action comment --url https://rt.example.com/<br />
</pre><br />
<br />
Note that the 2nd line needs to be right under the first and must start with whitespace. Also make sure the user= line is pointing to a valid user with permissions to execute the script.<br />
<br />
<br />
'''4. Restart Postfix and test'''<br />
<br />
Execute the following commands:<br />
<br />
zmmtactl stop ; zmmtactl start<br />
<br />
Now, you should be able to email rt@example.com and receive a message back. grep for RT in /var/log/messages as well as tail /var/log/mail to watch for errors.<br />
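Both revisions of this article in the feed end with the same two cautions: the pipes named in the transport map must also be defined in master.cf (master.cf.in on Zimbra), and the user= attribute must name a valid user. As an added example (not from the article or from Zimbra), the script below cross-checks a transport map against master.cf text for exactly those points. It assumes the Postfix mail owner is postfix and works on constructed samples of the two files.<br />
<br />
```python
"""Cross-check a Postfix transport map against master.cf pipe services.

Added example, not code from the article or from Zimbra.  It automates the
warning in the transport map above: every transport named there needs a
service entry in master.cf (master.cf.in on Zimbra, which regenerates
master.cf from it), and pipe(8) refuses to run commands as root or as the
mail owner, assumed here to be "postfix".
"""
import re

# Constructed sample mirroring the article's transport map.
TRANSPORT_MAP = """\
# Pipe transports for RT queues
# YOU HAVE TO ADD THE PIPES TO /opt/zimbra/postfix/conf/master.cf if you want them to work!!!
rt@example.com          rt-pipe
rt-comment@example.com  rt-comment-pipe
"""

# Constructed master.cf.in fragment; rt-comment-pipe is deliberately left
# out so the check has something to report.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
rt-pipe   unix  -       n       n       -       -       pipe
  flags= user=www argv=/opt/rt3/bin/rt-mailgate --queue general --action correspond --url http://rt.example.com/
"""

# Identities pipe(8) will not execute commands as.
PRIVILEGED_USERS = {"root", "postfix"}


def parse_transport_map(text):
    """Return {recipient_or_domain: transport_name} from transport(5) text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        # The right-hand side is transport[:nexthop]; keep only the transport.
        entries[parts[0]] = parts[1].split(":", 1)[0].strip()
    return entries


def parse_master_cf(text):
    """Return {service: {"command": str, "args": str}} from master.cf text.

    A service line has eight whitespace-separated fields; a line that starts
    with whitespace continues the previous service (that is where the pipe
    attributes such as user= and argv= live).
    """
    services = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                services[current]["args"] += " " + raw.strip()
            continue
        fields = raw.split(None, 7)
        if len(fields) < 8:
            continue
        cmd_and_rest = fields[7].split(None, 1)
        current = fields[0]
        services[current] = {
            "command": cmd_and_rest[0],
            "args": cmd_and_rest[1].strip() if len(cmd_and_rest) > 1 else "",
        }
    return services


def check_pipe_transports(transport_text, master_text):
    """Return a list of (problem, transport) tuples; empty means consistent.

    Problems: "undefined-transport" (no master.cf service of that name),
    "missing-user" (pipe service without user=), "privileged-user"
    (user= names root or the mail owner).
    """
    problems = []
    services = parse_master_cf(master_text)
    # dict.fromkeys keeps first-seen order while dropping duplicate transports.
    for transport in dict.fromkeys(parse_transport_map(transport_text).values()):
        svc = services.get(transport)
        if svc is None:
            problems.append(("undefined-transport", transport))
            continue
        if svc["command"] != "pipe":
            continue
        match = re.search(r"\buser=(\S+)", svc["args"])
        if match is None:
            problems.append(("missing-user", transport))
        elif match.group(1).split(":")[0] in PRIVILEGED_USERS:
            problems.append(("privileged-user", transport))
    return problems


if __name__ == "__main__":
    for problem, name in check_pipe_transports(TRANSPORT_MAP, MASTER_CF):
        print("%s: %s" % (problem, name))
```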
<br />
<br />
<br />
{{Article Footer|Unknown|8/1/2008}}<br />
<br />
[[Category:MTA]]<br />
[[Category:Customizing ZCS]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Migrating_from_Exchange&diff=14770Migrating from Exchange2009-09-02T14:59:08Z<p>Baylink: /* Build a Machine */</p>
<hr />
<div>{{WIP}}<br />
<br />
This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, has Exchange 5.5, and yours will probably be newer, and is behind an older MailScanner box, which you might not be -- but hopefully the 5000 foot view information will be of help to you, and you can figure out the 500 foot stuff yourself when it differs.<br />
<br />
'''This is a work in progress, as long as this notice remains, and that's why it's not yet linked from anywhere, including categories. Once I'm done with it, I'll link it in. (And my apologies it's taking so long; work and my personal life have both swamped me this <s>month</s>year. I've just (mostly) completed building '''3''' new facilities for my company, and I should finally have time to finish both writing about this, and doing it. --Baylink)<br />
<br />
== Introduction ==<br />
<br />
My goal in migrating to Zimbra was never to leave myself in a position where an executive mandated a back-out, and I had to lose something to do it.<br />
<br />
Accomplishing this wasn't too overly difficult, but did require some forethought, and I'll try to put that all down here, so you don't have to do it over again.<br />
<br />
== The Old Installation ==<br />
<br />
The email 'solution' from which we were trying to extricate ourselves was a Win2k machine running Exchange 5.5, authenticating to a PDC running NT4. Yes, NT4.<br />
<br />
Now that you're done laughing...<br />
<br />
I do have a reasonably recent Samba installation in the building, also authenticating off that PDC, but I didn't want to migrate domain control in the middle of the rest of the mess, if I didn't have to.<br />
<br />
If I have to set some passwords by hand, that will be acceptable to me for now.<br />
<br />
Part of the reason for this migration is that my 16GB-limit mailstore was at about 15GB. I think. There's a bug that keeps me from getting accurate answers to that question, that I apparently can't upgrade around, either.<br />
<br />
So, Zimbra.<br />
<br />
== Prep Work ==<br />
<br />
As you might expect, I had to grow some grass to get a hamburger for lunch (the cattle need to eat, you see); let's look at what that entailed.<br />
<br />
=== Build a Machine ===<br />
<br />
Based on the fact that RHEL5 is a supported platform, and that CentOS5 is ''supposedly'' bug-for-bug identical to it, that's what I chose for my pilot install. There's a move on to make CentOS a formally supported platform, but since an RHEL license costs as much a year as the Zimbra license does, for my mailbox count, I figured it couldn't get me in any trouble I couldn't get myself out of. So far, that's proven true.<br />
<br />
So I built CentOS5 with KDE, and upgraded it to current.<br />
<br />
Then I downloaded Zimbra for RHEL5, and [[Installing 5.0.9 NE on RHEL5/Centos|built it]]. (We've since upgraded to 5.0.18)<br />
<br />
=== Install Zimbra ===<br />
== Stage 1: The Zimbra Server ==<br />
=== Configure Zimbra ===<br />
=== Basic Testing ===<br />
== Stage 2: On-line testing ==<br />
=== DNS set up ===<br />
<br />
<br />
{{Article Footer||9/17/2008}}<br />
<br />
[[Category:Migration]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Copying_distribution_lists&diff=14769Copying distribution lists2009-09-02T14:47:49Z<p>Baylink: New page: I manually created an "everyone" list on my 75-seat system, which required a lot of painstaking sifting through the list of users, some of whom aren't people. Then I needed a second such ...</p>
<hr />
<div>I manually created an "everyone" list on my 75-seat system, which required a lot of painstaking sifting through the list of users, some of whom aren't people.<br />
<br />
Then I needed a second such list, with a couple of people removed, for weather announcements.<br />
<br />
There's no easy way to do that on Zimbra.<br />
<br />
So I wrote a script:<br />
<br />
<pre><br />
#!/bin/sh<br />
# copy a Zimbra distribution list's members to a newly created list<br />
# final version with all the test scaffolding removed<br />
#<br />
# written Wed Sep 2 10:11:00 EDT 2009 by jra@vicimarketing.com<br />
#<br />
# usage: $0 OLD-LIST NEW-LIST   (addresses of the existing and the new list)<br />
<br />
OLD=$1<br />
NEW=$2<br />
<br />
# both list addresses are required<br />
[ -n "$OLD" ] && [ -n "$NEW" ] || { echo "usage: $0 OLD-LIST NEW-LIST" >&2; exit 1; }<br />
<br />
# if we're not user 'zimbra', re-run this script as zimbra<br />
[ "$(id -un)" = "zimbra" ] || exec su - zimbra -c "$0 $OLD $NEW"<br />
<br />
# create the new list, first; stop if that fails (e.g. it already exists)<br />
zmprov cdl "$NEW" || exit 1<br />
<br />
# then add all the users: every member of OLD appears in gdl output as<br />
#   zimbraMailForwardingAddress: user@domain<br />
# and is rewritten into an 'adlm NEW user@domain' command fed to zmprov<br />
zmprov gdl "$OLD" |<br />
grep 'zimbraMailForwardingAddress' |<br />
sed -e "s/zim.*ess:/adlm $NEW /" |<br />
zmprov<br />
</pre><br />
<br />
This works ok on my 5.0.18 system; YMMV. Hat tip to elgato for the push in the right direction.</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Migrating_from_Exchange&diff=13108Migrating from Exchange2009-04-05T13:32:16Z<p>Baylink: </p>
<hr />
<div>{{WIP}}<br />
<br />
This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, has Exchange 5.5, and yours will probably be newer, and is behind an older MailScanner box, which you might not be -- but hopefully the 5000 foot view information will be of help to you, and you can figure out the 500 foot stuff yourself when it differs.<br />
<br />
'''This is a work in progress, as long as this notice remains, and that's why it's not yet linked from anywhere, including categories. Once I'm done with it, I'll link it in. (And my apologies it's taking so long; work and my personal life have both swamped me this <s>month</s>year. I've just (mostly) completed building '''3''' new facilities for my company, and I should finally have time to finish both writing about this, and doing it. --Baylink)<br />
<br />
== Introduction ==<br />
<br />
My goal in migrating to Zimbra was never to leave myself in a position where an executive mandated a back-out, and I had to lose something to do it.<br />
<br />
Accomplishing this wasn't too overly difficult, but did require some forethought, and I'll try to put that all down here, so you don't have to do it over again.<br />
<br />
== The Old Installation ==<br />
<br />
The email 'solution' from which we were trying to extricate ourselves was a Win2k machine running Exchange 5.5, authenticating to a PDC running NT4. Yes, NT4.<br />
<br />
Now that you're done laughing...<br />
<br />
I do have a reasonably recent Samba installation in the building, also authenticating off that PDC, but I didn't want to migrate domain control in the middle of the rest of the mess, if I didn't have to.<br />
<br />
If I have to set some passwords by hand, that will be acceptable to me for now.<br />
<br />
Part of the reason for this migration is that my 16GB-limit mailstore was at about 15GB. I think. There's a bug that keeps me from getting accurate answers to that question, that I apparently can't upgrade around, either.<br />
<br />
So, Zimbra.<br />
<br />
== Prep Work ==<br />
<br />
As you might expect, I had to grow some grass to get a hamburger for lunch (the cattle need to eat, you see); let's look at what that entailed.<br />
<br />
=== Build a Machine ===<br />
<br />
Based on the fact that RHEL5 is a supported platform, and that CentOS5 is ''supposedly'' bug-for-bug identical to it, that's what I chose for my pilot install. There's a move on to make CentOS a formally supported platform, but since an RHEL license costs as much a year as the Zimbra license does, for my mailbox count, I figured it couldn't get me in any trouble I couldn't get myself out of.<br />
<br />
So I built CentOS5 with KDE, and upgraded it to current.<br />
<br />
Then I downloaded Zimbra for RHEL5, and [[Installing 5.0.9 NE on RHEL5/Centos|built it]].<br />
<br />
=== Install Zimbra ===<br />
== Stage 1: The Zimbra Server ==<br />
=== Configure Zimbra ===<br />
=== Basic Testing ===<br />
== Stage 2: On-line testing ==<br />
=== DNS set up ===<br />
<br />
<br />
{{Article Footer||9/17/2008}}<br />
<br />
[[Category:Migration]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Migrating_from_Exchange&diff=11462Migrating from Exchange2008-10-27T22:43:16Z<p>Baylink: </p>
<hr />
<div>{{WIP}}<br />
<br />
This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, has Exchange 5.5, and yours will probably be newer, and is behind an older MailScanner box, which you might not be -- but hopefully the 5000 foot view information will be of help to you, and you can figure out the 500 foot stuff yourself when it differs.<br />
<br />
'''This is a work in progress, as long as this notice remains, and that's why it's not yet linked from anywhere, including categories. Once I'm done with it, I'll link it in. (And my apologies it's taking so long; work and my personal life have both swamped me this month. I promise I'll get back to it as soon as I can.)<br />
<br />
== Introduction ==<br />
<br />
My goal in migrating to Zimbra was never to leave myself in a position where an executive mandated a back-out, and I had to lose something to do it.<br />
<br />
Accomplishing this wasn't overly difficult, but it did require some forethought, and I'll try to put that all down here so you don't have to work it out again.<br />
<br />
== The Old Installation ==<br />
<br />
The email 'solution' from which we were trying to extricate ourselves was a Win2k machine running Exchange 5.5, authenticating to a PDC running NT4. Yes, NT4.<br />
<br />
Now that you're done laughing...<br />
<br />
I do have a reasonably recent Samba installation in the building, also authenticating off that PDC, but I didn't want to migrate domain control in the middle of the rest of the mess, if I didn't have to.<br />
<br />
If I have to set some passwords by hand, that will be acceptable to me for now.<br />
<br />
Part of the reason for this migration is that my mailstore, which has a 16GB limit, was at about 15GB. I think. There's a bug that keeps me from getting accurate answers to that question, and apparently I can't upgrade around it, either.<br />
<br />
So, Zimbra.<br />
<br />
== Prep Work ==<br />
<br />
As you might expect, I had to grow some grass to get a hamburger for lunch (the cattle need to eat, you see); let's look at what that entailed.<br />
<br />
=== Build a Machine ===<br />
<br />
Since RHEL5 is a supported platform, and CentOS5 is ''supposedly'' bug-for-bug identical to it, that's what I chose for my pilot install. There's a move on to make CentOS a formally supported platform, but since an RHEL license costs as much per year as the Zimbra license does for my mailbox count, I figured it couldn't get me into any trouble I couldn't get myself out of.<br />
<br />
So I built CentOS5 with KDE, and upgraded it to current.<br />
<br />
Then I downloaded Zimbra for RHEL5, and [[Installing 5.0.9 NE on RHEL5/Centos|built it]].<br />
<br />
=== Install Zimbra ===<br />
== Stage 1: The Zimbra Server ==<br />
=== Configure Zimbra ===<br />
=== Basic Testing ===<br />
== Stage 2: On-line testing ==<br />
=== DNS set up ===<br />
<br />
<br />
{{Article Footer||9/17/2008}}<br />
<br />
[[Category:Migration]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Migrating_from_Exchange&diff=10451Migrating from Exchange2008-09-18T14:34:28Z<p>Baylink: </p>
<hr />
<div>This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, runs Exchange 5.5 (yours will probably be newer) and sits behind an older MailScanner box (yours might not) -- but hopefully the 5000 foot view will be of help to you, and you can figure out the 500 foot details yourself where they differ.<br />
<br />
'''This is a work in progress, as long as this notice remains, and that's why it's not yet linked from anywhere, including categories. Once I'm done with it, I'll link it in.'''<br />
<br />
== Introduction ==<br />
<br />
My goal in migrating to Zimbra was never to leave myself in a position where an executive mandated a back-out, and I had to lose something to do it.<br />
<br />
Accomplishing this wasn't overly difficult, but it did require some forethought, and I'll try to put that all down here so you don't have to work it out again.<br />
<br />
== The Old Installation ==<br />
<br />
The email 'solution' from which we were trying to extricate ourselves was a Win2k machine running Exchange 5.5, authenticating to a PDC running NT4. Yes, NT4.<br />
<br />
Now that you're done laughing...<br />
<br />
I do have a reasonably recent Samba installation in the building, also authenticating off that PDC, but I didn't want to migrate domain control in the middle of the rest of the mess, if I didn't have to.<br />
<br />
If I have to set some passwords by hand, that will be acceptable to me for now.<br />
<br />
Part of the reason for this migration is that my mailstore, which has a 16GB limit, was at about 15GB. I think. There's a bug that keeps me from getting accurate answers to that question, and apparently I can't upgrade around it, either.<br />
<br />
So, Zimbra.<br />
<br />
== Prep Work ==<br />
<br />
As you might expect, I had to grow some grass to get a hamburger for lunch (the cattle need to eat, you see); let's look at what that entailed.<br />
<br />
=== Build a Machine ===<br />
<br />
Since RHEL5 is a supported platform, and CentOS5 is ''supposedly'' bug-for-bug identical to it, that's what I chose for my pilot install. There's a move on to make CentOS a formally supported platform, but since an RHEL license costs as much per year as the Zimbra license does for my mailbox count, I figured it couldn't get me into any trouble I couldn't get myself out of.<br />
<br />
So I built CentOS5 with KDE, and upgraded it to current.<br />
<br />
Then I downloaded Zimbra for RHEL5, and [[Installing 5.0.9 NE on RHEL5/Centos|built it]].<br />
<br />
=== Install Zimbra ===<br />
== Stage 1: The Zimbra Server ==<br />
=== Configure Zimbra ===<br />
=== Basic Testing ===<br />
== Stage 2: On-line testing ==<br />
=== DNS set up ===</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Migrating_from_Exchange&diff=10394Migrating from Exchange2008-09-17T18:27:11Z<p>Baylink: New page: This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, has Exchange 5.5, and...</p>
<hr />
<div>This is a step by step guide to migrating your domain's email from Exchange to Zimbra. It will take some side trips along the way -- my example domain, for instance, runs Exchange 5.5 (yours will probably be newer) and sits behind an older MailScanner box (yours might not) -- but hopefully the 5000 foot view will be of help to you, and you can figure out the 500 foot details yourself where they differ.<br />
<br />
'''This is a work in progress, as long as this notice remains, and that's why it's not yet linked from anywhere, including categories. Once I'm done with it, I'll link it in.'''<br />
<br />
== Prep Work ==<br />
=== Build a Machine ===<br />
=== Install Zimbra ===<br />
== Stage 1: The Zimbra Server ==<br />
=== Configure Zimbra ===<br />
=== Basic Testing ===<br />
== Stage 2: On-line testing ==<br />
=== DNS set up ===</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Split_DNS&diff=10368Split DNS2008-09-15T20:15:13Z<p>Baylink: Add a definition to lede</p>
<hr />
<div>= Overview =<br />
Installations of Zimbra behind a firewall often require the creation of some form of '''split DNS''', also called '''split-horizon''' or '''dual-horizon''' DNS. This is a DNS installation where machines receive different IP address answers to queries depending on whether they are (commonly) inside or outside a firewall.<br />
<br />
This is because the Postfix mail system used by Zimbra performs a DNS lookup when attempting to route email to the back-end message store. Frequently, this is the same physical host as Postfix. The DNS server frequently returns the external address of the mail host, not the internal address. Depending on how the firewall and network are configured, the external address may not even be reachable from the mail host, and mail will not be delivered.<br />
<br />
Split DNS avoids this problem by providing an internal DNS server that can be used to resolve the internal address of the server. This guide will detail how to set up a very specific, single-host DNS server that can be installed on the Zimbra host itself so that it can resolve its own address. This should not be used for a multi-node Zimbra installation, and should not be used as the DNS server for any other hosts on your network.<br />
<br />
It ''is'' possible to use a generalized split-horizon DNS server to perform this function, but it will need to be set up differently, and many people recommend against it because even a couple of milliseconds of lookup delay can be too much on a heavily loaded system.<br />
<br />
= Configuring Bind on the Zimbra Server (Red Hat Enterprise Linux) =<br />
1. Use up2date to download bind from Red Hat Network:<br />
<pre><br />
# up2date bind<br />
</pre><br />
<br />
2. Edit the /etc/named.conf file. (Substitute your fully-qualified server name for '''server.example.com''' throughout. If named runs chroot'ed in /var/named/chroot, named.conf should be placed at /var/named/chroot/etc/named.conf, with /etc/named.conf made a symbolic link to it.)<br />
<pre><br />
// Default named.conf generated by install of bind-9.2.4-2<br />
options {<br />
        directory "/var/named";<br />
        dump-file "/var/named/data/cache_dump.db";<br />
        statistics-file "/var/named/data/named_stats.txt";<br />
        forwarders { <address of current DNS server> ; };<br />
};<br />
include "/etc/rndc.key";<br />
// We are the master server for server.example.com<br />
zone "server.example.com" {<br />
        type master;<br />
        file "db.server.example.com";<br />
};<br />
</pre><br />
Make sure to set the forwarders to match the DNS servers currently in use on your system. The forwarders setting allows the server to query those DNS servers for any addresses for which it is not authoritative.<br />
<br />
3. Create a /var/named/db.server.example.com zone file. (If named runs chroot'ed in /var/named/chroot, put the file at /var/named/chroot/var/named/db.server.example.com and make /var/named/db.server.example.com a symbolic link to it.)<br />
<br />
<pre><br />
;<br />
; Addresses and other host information.<br />
;<br />
@       IN  SOA  server.example.com. hostmaster.server.example.com. (<br />
                10118      ; Serial<br />
                43200      ; Refresh<br />
                3600       ; Retry<br />
                3600000    ; Expire<br />
                2592000 )  ; Minimum<br />
; Define the nameservers and the mail servers (an NS record must name a host, not an address)<br />
        IN  NS   server.example.com.<br />
        IN  A    <internal address of server><br />
        IN  MX   10 server.example.com.<br />
</pre><br />
<br />
<br />
4. Change /etc/resolv.conf to use the Zimbra server as the primary DNS address. Also remember to change the search path to be the name of the Zimbra server.<br />
<br />
5. Start named on the Zimbra server:<br />
<pre><br />
# /etc/init.d/named start<br />
</pre><br />
<br />
6. Enable autostart of named on boot:<br />
<pre><br />
# chkconfig named on<br />
</pre><br />
<br />
You can verify that this is working by typing 'nslookup server.example.com'. It should return the internal address of your server instead of the external address. This should also allow Postfix to deliver mail to your mailboxes.<br />
<br />
If you have a number of servers inside the firewall that need to use internal addresses to communicate to each other, you should consider setting up a full internal DNS server that can be authoritative for the whole domain. This example is not suitable for this task.<br />
<br />
For information on performing the same task with TinyDNS / DJBDNS: http://www.fefe.de/djbdns/#splithorizon<br />
<br />
Additional Information: Zimbra Power Tip: http://www.zimbra.com/blog/archives/2007/06/making_zimbra_bind_work_together_1.html<br />
<br />
{{Article Footer|unknown|10/5/2006}}<br />
<br />
[[Category:Troubleshooting]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10283Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-09-10T14:56:25Z<p>Baylink: </p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the difference in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
[ I think I'm done with this, but see also [http://www.zimbra.com/forums/installation/22140-installing-zcs-5-0-x-centos-5-offline-mail-server-complete-guide.html this forum posting], which goes into much more detail on the CentOS side (which I'd already completed when I started editing this). --baylink ]<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this thread is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically:<br />
<br />
<pre><br />
$ dig -t mx domain.com<br />
</pre><br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you then run<br />
<br />
<pre><br />
$ dig thatfqdn.com<br />
</pre><br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
== The Installation ==<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. When asked, manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve both records mentioned above (the domain's MX and the mail host's A record) properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of:<br />
<br />
# set up an internal DNS server for the zone, that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [http://en.wikipedia.org/wiki/Split-horizon_DNS split-horizon DNS]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup. (It is unreasonably difficult to find information on how to run split-horizon DNS; there's some good material on that and many other DNS issues [http://www.softpanorama.org/DNS/security.shtml#Split_DNS here].)<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
<pre><br />
nameserver xxx.xxx.xxx.xxx<br />
</pre><br />
The IP address here should be the private IP address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server:<br />
<pre><br />
nslookup mydomain.com<br />
</pre><br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly it'll return the internal address.<br />
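<br />
The two dig checks in the DNS section above and the nslookup test in step 3 are the same test: the host must see the internal view of its own zone (the Split DNS page's "nslookup server.example.com should return the internal address" check is the same thing). Here is an added example of mine, not code from this guide, from the Split DNS page or from Zimbra, that automates it: it parses dig +short output and verifies that the domain's MX names the expected mail host and that the host resolves to an RFC 1918 address rather than the public one. The example.com names, the sample dig output strings and the public address 203.0.113.25 are constructed; 10.3.2.244 is the internal address used in this guide's hosts table, and dig_short() is a convenience wrapper for pointing the check at a real resolver.<br />
<br />
```python
import ipaddress
import subprocess

# RFC 1918 ranges; the internal view of a split-horizon DNS should answer from one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample output, as `dig +short` prints it on a correctly configured host ...
MX_OUTPUT_OK = "10 mail.example.com.\n"
A_OUTPUT_OK = "10.3.2.244\n"
# ... and on a host that still sees only the public view (203.0.113.25 is a documentation address).
A_OUTPUT_PUBLIC = "203.0.113.25\n"


def dig_short(name, rrtype="A"):
    """Run `dig +short` for real; the check functions below take its text output."""
    return subprocess.run(["dig", "+short", "-t", rrtype, name],
                          capture_output=True, text=True, check=False).stdout


def parse_dig_short(output):
    """Non-empty, stripped answer lines of `dig +short` output."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def parse_mx(output):
    """(preference, target) pairs from `dig +short -t mx`, best preference first, names lower-cased."""
    records = []
    for line in parse_dig_short(output):
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # not an MX answer line (e.g. a CNAME printed in the chain)
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def is_rfc1918(addr):
    """True if addr (a string) is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_split_horizon(domain, mx_output, a_output, expected_host):
    """Return the list of problems found; an empty list means the host sees the internal view.

    mx_output is `dig +short -t mx <domain>`; a_output is `dig +short <expected_host>`.
    """
    problems = []
    host = expected_host.rstrip(".").lower()
    targets = [t for _, t in parse_mx(mx_output)]
    if not targets:
        problems.append(f"no MX record returned for {domain}")
    elif host not in targets:
        problems.append(f"MX for {domain} does not name {host} (got {targets})")
    answers = parse_dig_short(a_output)
    if not answers:
        problems.append(f"no A record returned for {host}")
    for answer in answers:
        try:
            ipaddress.ip_address(answer)
        except ValueError:
            continue  # a CNAME in the chain prints as a name, not an address; skip it
        if not is_rfc1918(answer):
            problems.append(f"{host} resolves to {answer}, a non-private address; "
                            "Postfix will try to reach the public side of the NAT")
    return problems


if __name__ == "__main__":
    for label, a_out in (("internal view", A_OUTPUT_OK), ("public view", A_OUTPUT_PUBLIC)):
        result = check_split_horizon("example.com", MX_OUTPUT_OK, a_out, "mail.example.com")
        print(label + ":", result or "OK")
```
<br />
Run it on the Zimbra host itself, feeding check_split_horizon() the output of dig_short("mydomain.com", "MX") and dig_short("mail.mydomain.com"); an empty list means Postfix will route to the private address, and the "non-private address" message is exactly the condition this guide warns about.<br />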
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
<pre><br />
127.0.0.1       localhost.localdomain localhost<br />
10.3.2.244      mail.tractor-equip.net mail<br />
</pre><br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
<pre><br />
127.0.0.1       localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
</pre><br />
ONLY IF this is working, it's now time to update your packages and install Zimbra.<br />
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
tar xvfz $TARBALL<br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and <br />
<br />
./install.sh<br />
<br />
as root.<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different than mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure to load it too'''. (And be careful; there are some [http://www.zimbra.com/forums/developers/21802-how-does-perl-packaging-bug-affect-z.html recently discovered problems] with some builds of perl 5.8, notably from RedHat.) Just separate each package name with a space, like this:<br />
<pre><br />
apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl<br />
</pre><br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have the fully-qualified domain name of the mail machine you're installing on (hostname.mydomain.com) rather than just the domain, and probably complain about not finding an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "Press Enter to finish", you need to turn on crontab for the user zimbra or your logs won't work.<br />
<pre><br />
crontab -u zimbra -l<br />
</pre><br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user.<br />
<br />
Congratulations--one shiny new Zimbra installation on RHEL/CentOS!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, it can hinder your efforts to install ZCS.<br />
<br />
Make sure the /tmp directory has the following permissions:<br />
<pre><br />
drwxrwxrwt root root /tmp<br />
</pre><br />
<br />
If your /tmp permissions do not match the above, run the following commands as root (the chown is optional; there's a good chance /tmp is already owned by root):<br />
<pre><br />
# chown root:root /tmp<br />
# chmod 777 /tmp<br />
# chmod +t /tmp<br />
</pre><br />
<br />
<br />
The '''t''' in the end of the permissions is called the sticky bit. It replaces the '''x''' and indicates that in this directory files can only be deleted by their owners, the owner of the directory, or the root superuser. This way it is not enough for a user to have write permission on /tmp -- he also needs to be the owner of the file to be able to delete it.<br />
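<br />
To turn the permission line above into a check you can run before installing, here is an added example of mine, not code from this guide or from Zimbra: permission_problems() compares a directory's owner, mode and sticky bit against drwxrwxrwt root root and reports each difference, fix_permissions() applies the guide's three commands in one call, and demo_dirs() is a helper that exists only to exercise the check on temporary directories you own instead of the real /tmp.<br />
<br />
```python
import os
import shutil
import stat
import tempfile


def permission_problems(path, expected_uid=0):
    """List what differs between `path` and the expected `drwxrwxrwt root root` layout.

    An empty list means the directory is world-writable, owned by expected_uid and has
    the sticky bit set, so a user can only delete files in it that they own.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, e.g. 0o1777
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"owner uid is {st.st_uid}, expected {expected_uid}")
    if mode & 0o777 != 0o777:
        problems.append(f"mode is {stat.filemode(st.st_mode)}, expected rwx for user, group and other")
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit is not set: anyone with write access could delete other users' files")
    return problems


def fix_permissions(path, uid=0, gid=0):
    """Equivalent of `chown root:root`, `chmod 777` and `chmod +t` on path; must run as root."""
    os.chown(path, uid, gid)
    os.chmod(path, 0o1777)


def demo_dirs():
    """Check two throwaway directories, one with the sticky bit and one without.

    Returns {"with_sticky": [...], "without_sticky": [...]}, using the current user as the
    expected owner because the demo directories are created by whoever runs it.
    """
    base = tempfile.mkdtemp(prefix="tmpperm-demo-")
    try:
        good = os.path.join(base, "good")
        bad = os.path.join(base, "bad")
        os.mkdir(good)
        os.mkdir(bad)
        os.chmod(good, 0o1777)  # drwxrwxrwt
        os.chmod(bad, 0o777)    # drwxrwxrwx, sticky bit missing
        me = os.getuid()
        return {"with_sticky": permission_problems(good, me),
                "without_sticky": permission_problems(bad, me)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print("/tmp:", permission_problems("/tmp") or "OK")
    print("demo:", demo_dirs())
```
<br />
Running the script as any user prints the verdict for the real /tmp; only fix_permissions() needs root, and you would call it on /tmp only after permission_problems("/tmp") has told you what is wrong.<br />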
<br />
=Sending Mail from Terminal=<br />
In some situations, it is necessary for monitoring scripts or cron jobs to send mail to users on the system. On any Unix installation, this is done with the 'mail' command. The default Ubuntu installation described here will not include this command. Installing the mailx package to add mail will also cause Ubuntu to add a Mail Transport Agent application to handle mail delivery. This is not a problem if there is no Zimbra Postfix MTA running on your system, but if one is present then the new MTA could interfere with the Zimbra MTA and disrupt mail routing. To safely add 'mail' and the associated package, you will need to do the following:<br />
<pre><br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb<br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
</pre><br />
Add the following to /etc/mail.rc:<br />
<pre><br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
</pre><br />
When this is done, test it by running:<br />
<pre><br />
mail <user>@<yourdomain><br />
</pre><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10282Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-09-10T14:56:11Z<p>Baylink: </p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the difference in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
[ I think I'm done with this, but see also [http://www.zimbra.com/forums/installation/22140-installing-zcs-5-0-x-centos-5-offline-mail-server-complete-guide.html this forum posting], which goes into much more detail on the CentOS side (which I'd already completed when I started editing this). --baylink ]<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this thread is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically:<br />
<br />
<pre><br />
$ dig -t mx domain.com<br />
</pre><br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you then run<br />
<br />
<pre><br />
$ dig thatfqdn.com<br />
</pre><br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
== The Installation ==<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. When asked, manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve both records mentioned above (the domain's MX and the mail host's A record) properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of:<br />
<br />
# set up an internal DNS server for the zone, that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [http://en.wikipedia.org/wiki/Split-horizon_DNS split-horizon DNS]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup. (It is unreasonably difficult to find information on how to run split-horizon DNS; there's some good material on that and many other DNS issues [http://www.softpanorama.org/DNS/security.shtml#Split_DNS here].)<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
<pre><br />
nameserver xxx.xxx.xxx.xxx<br />
</pre><br />
The IP address here should be the private IP address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server:<br />
<pre><br />
nslookup mydomain.com<br />
</pre><br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly it'll return the internal address.<br />
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
<pre><br />
127.0.0.1       localhost.localdomain localhost<br />
10.3.2.244      mail.tractor-equip.net mail<br />
</pre><br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
<pre><br />
127.0.0.1       localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
</pre><br />
ONLY IF this is working, it's now time to update your packages and install Zimbra.<br />
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
tar xvfz $TARBALL<br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and <br />
<br />
./install.sh<br />
<br />
as root.<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different than mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure to load it too'''. (And be careful; there are some [http://www.zimbra.com/forums/developers/21802-how-does-perl-packaging-bug-affect-z.html recently discovered problems] with some builds of perl 5.8, notably from RedHat.) Just separate each package name with a space, like this:<br />
<pre><br />
apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl<br />
</pre><br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have the fully-qualified domain name of the mail machine you're installing on (hostname.mydomain.com) rather than just the domain, and probably complain about not finding an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "Press Enter to finish", you need to turn on crontab for the user zimbra or your logs won't work.<br />
<pre><br />
crontab -u zimbra -l<br />
</pre><br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user.<br />
<br />
Congratulations--one shiny new Zimbra installation on RHEL/CentOS!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, it can hinder your efforts to install ZCS.<br />
<br />
Make sure the /tmp directory has the following permissions:<br />
<pre><br />
drwxrwxrwt root root /tmp<br />
</pre><br />
<br />
If your /tmp permissions do not match the above, run the following commands as root (the chown is optional; there's a good chance /tmp is already owned by root):<br />
<pre><br />
# chown root:root /tmp<br />
# chmod 777 /tmp<br />
# chmod +t /tmp<br />
</pre><br />
<br />
<br />
The '''t''' in the end of the permissions is called the sticky bit. It replaces the '''x''' and indicates that in this directory files can only be deleted by their owners, the owner of the directory, or the root superuser. This way it is not enough for a user to have write permission on /tmp -- he also needs to be the owner of the file to be able to delete it.<br />
<br />
=Sending Mail from Terminal=<br />
In some situations, it is necessary for monitoring scripts or cron jobs to send mail to users on the system. On any Unix installation, this is done with the 'mail' command. The default Ubuntu installation described here will not include this command. Installing the mailx package to add mail will also cause Ubuntu to add a Mail Transport Agent application to handle mail delivery. This is not a problem if there is no Zimbra Postfix MTA running on your system, but if one is present then the new MTA could interfere with the Zimbra MTA and disrupt mail routing. To safely add 'mail' and the associated package, you will need to do the following:<br />
<pre><br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb<br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
</pre><br />
Add the following to /etc/mail.rc:<br />
<pre><br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
</pre><br />
When this is done, test it by running:<br />
<pre><br />
mail <user>@<yourdomain><br />
</pre><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Baylink-Notes&diff=10236Baylink-Notes2008-09-08T17:39:07Z<p>Baylink: Redirecting to User:Baylink</p>
<hr />
<div>#REDIRECT [[User:Baylink]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10060Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T01:00:21Z<p>Baylink: /* The Installation */</p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the difference in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
[ This writeup is about 90% complete; I'm going over it to make sure I didn't change anything to sound stupid. :-) --baylink ]<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this guide is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically: <br />
<br />
$ dig -t mx domain.com<br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you<br />
<br />
$ dig thatfqdn.com<br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
== The Installation ==<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. When asked, manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve those two addresses mentioned above properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of:<br />
<br />
# set up an internal DNS server for the zone, that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [http://en.wikipedia.org/wiki/Split-horizon_DNS split-horizon DNS]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup. (It is unreasonably difficult to find information on how to run split-horizon DNS; there's some good material on that and many other DNS issues [http://www.softpanorama.org/DNS/security.shtml#Split_DNS here].)<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
nameserver xxx.xxx.xxx.xxx<br />
The IP address here should be the private ip address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server.<br />
nslookup mydomain.com<br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly it'll return the internal address.<br />
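The dig and nslookup checks above, turned into a script, as an added example that is not part of the original walkthrough. It resolves the domain's lowest-preference MX host and the bare domain from the host it runs on and fails unless both come back as RFC 1918 private addresses, which is exactly the split-horizon view the Zimbra host must see. It needs dig from bind-utils; ''example.com'' and every address in the self-test are placeholders, and the verdict logic is separated from the live lookups so it can be exercised without a resolver.<br />

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: automate the dig checks
# above. From the Zimbra (MTA) host itself, the domain's lowest-preference MX
# must resolve to a PRIVATE address, i.e. the split-horizon view, not the
# public address the rest of the world sees. Needs dig(1) from bind-utils.
# 'example.com' and all addresses in the self-test are placeholders.

# Return 0 if $1 is an RFC 1918 private IPv4 address, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Decide whether a name ($1) that resolved to $2 is what the installer needs.
# Prints a verdict; returns 0 on pass, 1 on any failure. Works on values
# passed in, so it can be tested without a resolver.
judge_resolution() {
    name=$1; addr=$2
    if [ -z "$name" ]; then
        echo "FAIL: no MX record found"
        return 1
    fi
    if [ -z "$addr" ]; then
        echo "FAIL: $name does not resolve at all"
        return 1
    fi
    if is_private_ip "$addr"; then
        echo "OK: $name -> $addr (private address: this host sees the internal zone)"
        return 0
    fi
    echo "FAIL: $name -> $addr is public: this host is seeing the external zone"
    return 1
}

# Live check for domain $1: lowest-preference MX host, then its A record,
# then the domain apex itself (step 3 above uses nslookup on the bare domain).
check_domain() {
    domain=$1
    # dig +short -t mx prints "<pref> <host>."; take the lowest pref, drop the dot
    mx_host=$(dig +short -t mx "$domain" | sort -n | head -n 1 \
              | awk '{ sub(/\.$/, "", $2); print $2 }')
    mx_addr=
    if [ -n "$mx_host" ]; then
        mx_addr=$(dig +short -t a "$mx_host" | head -n 1)
    fi
    apex_addr=$(dig +short -t a "$domain" | head -n 1)
    judge_resolution "$mx_host" "$mx_addr"
    rc=$?
    judge_resolution "$domain" "$apex_addr" || rc=1
    return $rc
}

# Usage:  sh dnscheck.sh example.com   (run on the Zimbra host, not your desktop)
if [ $# -eq 1 ]; then
    check_domain "$1"
fi
```

Run it on the Zimbra host itself; a desktop on the same LAN may use a different resolver and give you a false pass.<br />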
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
127.0.0.1 localhost.localdomain localhost<br />
10.3.2.244 mail.tractor-equip.net mail<br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
127.0.0.1 localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
ONLY IF this is working, it's now time to update your packages and install Zimbra.<br />
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
tar xvfz $TARBALL<br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and <br />
<br />
./install.sh<br />
<br />
as root.<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different than mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure and load it too'''. (And be careful; there are some [http://www.zimbra.com/forums/developers/21802-how-does-perl-packaging-bug-affect-z.html recently discovered problems] with some builds of perl 5.8, notably from RedHat.) Install them all in one go, separating the package names with spaces. On RHEL/CentOS that means yum, with the RPM names install.sh reported:<br />
yum install <packages listed by install.sh> perl<br />
(The equivalent line from the Ubuntu walkthrough this was adapted from, using Debian package names that don't exist on RHEL, was: apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl)<br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have the fully-qualified domain name of the mail machine you're installing on (hostname.mydomain.com) rather than just the domain, and probably complain about not finding an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "Press Enter to finish", make sure the zimbra user's crontab is in place, or log rotation and Zimbra's other scheduled housekeeping won't run:<br />
crontab -u zimbra -l<br />
This only lists the crontab (it doesn't enable anything); you should see the entries the installer added. If it comes back empty or with "no crontab for zimbra", the installer didn't install it and you need to fix that before going on.<br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user. The admin console is always HTTPS, but the user web client defaults to plain HTTP, which sends passwords in the clear; before letting users in, switch it to HTTPS with ''zmtlsctl https'' as the zimbra user and then ''zmcontrol restart''.<br />
<br />
Congratulations--one shiny new Zimbra installation on RHEL/CentOS!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, the ZCS installer can fail in confusing ways, so check it first.<br />
<br />
Make sure the /tmp directory has the following permissions (as shown by ''ls -ld /tmp''):<br />
drwxrwxrwt root root /tmp<br />
<br />
If your /tmp permissions do not match the above, run the following commands as root (the chown is usually a no-op, since /tmp is normally owned by root already):<br />
# chown root:root /tmp<br />
# chmod 1777 /tmp<br />
<br />
The leading 1 in ''1777'' (equivalently, ''chmod 777 /tmp'' followed by ''chmod +t /tmp'') sets the sticky bit, shown as the '''t''' in place of the final '''x''' in the listing. A lowercase t means the directory is both world-searchable and sticky; a capital T would mean the sticky bit is set but the execute bit is not, which is also wrong. In a sticky directory a file can only be deleted or renamed by its owner, the owner of the directory, or root, so having write permission on /tmp is not enough for a user to remove someone else's files there -- without it, any local user could delete or replace files the installer (or Zimbra itself) drops in /tmp.<br />
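A small check script for the /tmp requirement, as an added example that is not part of the original page. It reports the mode and ownership of a directory against the 1777 root:root the installer expects and prints the exact chmod/chown that fixes each problem. It assumes GNU stat as shipped on RHEL/CentOS; the directory argument and the ''tmpcheck.sh'' file name are placeholders.<br />

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: check that a directory
# carries the permissions ZCS expects on /tmp (mode 1777, owned by root:root)
# and print the exact fix for whatever is wrong. Assumes GNU stat(1) as shipped
# on RHEL/CentOS.  Usage:  sh tmpcheck.sh /tmp

# Octal mode of $1 including the setuid/setgid/sticky digit, e.g. "1777".
dir_mode() {
    stat -c '%a' "$1"
}

# Return 0 if $1 is world-writable with the sticky bit set (mode 1777).
has_sticky_1777() {
    [ "$(dir_mode "$1")" = "1777" ]
}

# Return 0 if $1 is owned by root:root.
owned_by_root() {
    [ "$(stat -c '%U:%G' "$1")" = "root:root" ]
}

# Full check for the directory given as $1 (default /tmp). Prints one line per
# problem with the command that fixes it; returns 0 only when everything is right.
check_tmp() {
    dir=${1:-/tmp}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir is not a directory"
        return 1
    fi
    if ! has_sticky_1777 "$dir"; then
        # 777 without the sticky bit lets any local user delete other users'
        # files (including the installer's); anything less than 777 breaks
        # unprivileged programs that need scratch space.
        echo "$dir mode is $(dir_mode "$dir"), want 1777: chmod 1777 $dir"
        rc=1
    fi
    if ! owned_by_root "$dir"; then
        echo "$dir owner is $(stat -c '%U:%G' "$dir"), want root:root: chown root:root $dir"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$dir permissions OK (drwxrwxrwt root root)"
    fi
    return "$rc"
}

# Run the check when a directory is given on the command line.
if [ $# -ge 1 ]; then
    check_tmp "$1"
fi
```

Run it as ''sh tmpcheck.sh /tmp'' before starting install.sh; it does not change anything itself, it only tells you what to run.<br />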
<br />
=Sending Mail from Terminal=<br />
In some situations, monitoring scripts or cron jobs need to send mail to users on the system. On Unix this is done with the ''mail'' command, which the default Ubuntu installation does not include. This section was carried over from the Ubuntu walkthrough and the commands below are Ubuntu's; the underlying problem is the same on RHEL/CentOS. Installing the mailx package to get ''mail'' will also make the package manager pull in a Mail Transport Agent to handle delivery. That is harmless if there is no Zimbra Postfix MTA on the host, but if one is present the second MTA will compete with it (for port 25 and for /usr/sbin/sendmail) and disrupt mail routing. On Ubuntu, satisfy the dependency with a dummy MTA package instead:<br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb<br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
Note that this pulls an unsigned package from a third-party site over plain HTTP; inspect it with ''dpkg -c'' before installing, or build an equivalent empty package yourself with ''equivs''. On RHEL/CentOS, check what ''yum install mailx'' proposes to pull in and refuse the transaction if it includes an MTA.<br />
Add the following to /etc/mail.rc:<br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
When this is done, test it by running:<br />
mail <user>@<yourdomain><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
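The "check /var/log/zimbra.log" step above, made concrete, as an added example that is not part of the original page. A message handed to Zimbra's sendmail by ''mail'' shows up as a postfix/pickup line with a queue ID, and the final verdict is the status= field on the later delivery line for that ID (on a single-server ZCS that is a postfix/lmtp line to the mailbox store on port 7025). The functions below pull those out of a log file; the sample log is constructed for the self-test, and the queue IDs, host names and addresses in it are placeholders.<br />

```sh
#!/bin/sh
# Added example, not from the original page: after sending a test message with
# mail(1), confirm in zimbra.log that Postfix picked it up and what the final
# delivery status was. The sample log below is constructed for the self-test;
# on a real server point the functions at /var/log/zimbra.log. Queue IDs,
# host names and addresses are placeholders.

# Print "<queue-id> <status>" for the most recent delivery attempt to
# recipient $2 in log file $1; return 0 if that status is "sent", 1 otherwise.
last_delivery_status() {
    logfile=$1; rcpt=$2
    line=$(grep -F "to=<$rcpt>" "$logfile" | tail -n 1)
    if [ -z "$line" ]; then
        echo "no delivery record for $rcpt"
        return 1
    fi
    # "... postfix/lmtp[2310]: 7F3A1B2C4D: to=<...>, ..., status=sent (...)"
    qid=$(echo "$line" | sed -n 's/.*postfix\/[a-z]*\[[0-9]*\]: \([A-F0-9]*\): .*/\1/p')
    status=$(echo "$line" | sed -n 's/.*status=\([a-z]*\).*/\1/p')
    echo "$qid $status"
    [ "$status" = "sent" ]
}

# Queue IDs of messages submitted locally through sendmail(1), which is what
# mail(1) uses once /etc/mail.rc points it at Zimbra's Postfix. Local
# submissions appear as postfix/pickup lines; if none show up after your test,
# mail(1) is talking to some other MTA, not Zimbra's.
pickup_queue_ids() {
    grep 'postfix/pickup' "$1" | sed -n 's/.*pickup\[[0-9]*\]: \([A-F0-9]*\):.*/\1/p'
}

# Constructed sample log: one message accepted by the mailbox store over LMTP
# (port 7025), then one that was deferred because the store was not listening.
write_sample_log() {
    cat > "$1" <<'EOF'
Aug 27 14:02:10 mail postfix/pickup[2214]: 7F3A1B2C4D: uid=0 from=<root>
Aug 27 14:02:10 mail postfix/cleanup[2301]: 7F3A1B2C4D: message-id=<20080827140210.7F3A1B2C4D@mail.example.com>
Aug 27 14:02:10 mail postfix/qmgr[2190]: 7F3A1B2C4D: from=<root@mail.example.com>, size=412, nrcpt=1 (queue active)
Aug 27 14:02:11 mail postfix/lmtp[2310]: 7F3A1B2C4D: to=<alice@example.com>, relay=mail.example.com[10.3.2.244]:7025, delay=0.6, delays=0.2/0.01/0.1/0.3, dsn=2.1.5, status=sent (250 2.1.5 OK)
Aug 27 14:02:11 mail postfix/qmgr[2190]: 7F3A1B2C4D: removed
Aug 27 14:05:42 mail postfix/pickup[2214]: 9C0D5E6F7A: uid=0 from=<root>
Aug 27 14:05:42 mail postfix/qmgr[2190]: 9C0D5E6F7A: from=<root@mail.example.com>, size=398, nrcpt=1 (queue active)
Aug 27 14:05:43 mail postfix/lmtp[2310]: 9C0D5E6F7A: to=<bob@example.com>, relay=none, delay=0.5, delays=0.5/0/0/0, dsn=4.4.1, status=deferred (connect to mail.example.com[10.3.2.244]:7025: Connection refused)
EOF
}

# Usage on a real server:
#   last_delivery_status /var/log/zimbra.log alice@example.com
#   pickup_queue_ids /var/log/zimbra.log | tail -n 1
```

A "deferred" or "bounced" status with a relay other than your own mailbox store on port 7025 means the message went somewhere other than Zimbra's LMTP, which is the symptom of the second-MTA problem this section is about.<br />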
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10059Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:44:37Z<p>Baylink: /* The Installation */</p>
Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10058Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:44:15Z<p>Baylink: /* The Installation */</p>
Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10057Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:43:35Z<p>Baylink: /* The Installation */</p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the differences in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
[ This writeup is about 90% complete; I'm going over it to make sure I didn't change anything to sound stupid. :-) --baylink ]<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this thread is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically:<br />
<br />
<pre><br />
$ dig -t mx domain.com<br />
</pre><br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you<br />
<br />
<pre><br />
$ dig thatfqdn.com<br />
</pre><br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
== The Installation ==<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. Cancel it before it gets that far, and manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve those two addresses mentioned above properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of the following:<br />
<br />
# set up an internal DNS server for the zone that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [[Split Domain|split-horizon DNS]]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup.<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
<pre><br />
nameserver xxx.xxx.xxx.xxx<br />
</pre><br />
The IP address here should be the private IP address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server:<br />
<pre><br />
nslookup mydomain.com<br />
</pre><br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly it'll return the internal address.<br />
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
<pre><br />
127.0.0.1 localhost.localdomain localhost<br />
10.3.2.244 mail.tractor-equip.net mail<br />
</pre><br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
<pre><br />
127.0.0.1 localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
</pre><br />
ONLY IF this is working, it's now time to update your packages and install Zimbra.<br />
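A preflight script for the DNS and hosts-table checks above, added here as an example (it is not from the original walkthrough): run on the MTA host itself, it finds the domain's MX, insists that the target resolves to an RFC 1918 address that is configured on a local interface, and cross-checks /etc/hosts against DNS. It assumes dig from the BIND utilities and the ip command are installed; the function names is_private_ip, best_mx, hosts_lookup and check_mail_dns are my own.<br />

```shell
#!/bin/sh
# Pre-install resolver check for a Zimbra MTA sitting behind a DNAT firewall.
# Added example for this walkthrough; it is not part of the original wiki page.
# Assumptions: `dig` from the BIND utilities and `ip` from iproute are
# installed, the script runs on the MTA host itself, and the LAN uses
# RFC 1918 addresses. All function names below are my own.

# is_private_ip ADDR: exit 0 when ADDR is in an RFC 1918 range, 1 otherwise.
is_private_ip() {
    case "$1" in
        10.*)                                  return 0 ;;
        192.168.*)                             return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *)                                     return 1 ;;
    esac
}

# best_mx: read `dig +short -t mx` output ("10 mail.example.com.") on stdin and
# print the lowest-preference MX hostname without its trailing dot.
best_mx() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $2); print $2 }'
}

# hosts_lookup NAME: read an /etc/hosts-style table on stdin and print the
# address of the first entry whose hostname or alias equals NAME.
hosts_lookup() {
    awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# check_mail_dns DOMAIN [HOSTS_FILE]: the two lookups the walkthrough demands.
# Succeeds only when the MX for DOMAIN resolves to a private address that is
# configured on this host and that the hosts table agrees with.
check_mail_dns() {
    domain=$1
    hosts_file=${2:-/etc/hosts}

    mx=$(dig +short -t mx "$domain" | best_mx)
    if [ -z "$mx" ]; then
        echo "FAIL: no MX record for $domain" >&2
        return 1
    fi

    # Keep only real IPv4 answers, in case the MX target is a CNAME.
    addr=$(dig +short -t a "$mx" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$addr" ]; then
        echo "FAIL: MX host $mx does not resolve to an IPv4 address" >&2
        return 1
    fi
    if ! is_private_ip "$addr"; then
        echo "FAIL: $mx resolves to $addr, which looks like the public (DNATed) address" >&2
        return 1
    fi

    # Private is not enough: the address must be one this machine actually holds.
    if ! ip -o addr show 2>/dev/null | grep -qF "inet $addr/"; then
        echo "FAIL: $addr is private but is not configured on this host" >&2
        return 1
    fi

    # /etc/hosts must agree with DNS, or the installer sees two different answers.
    hosts_addr=$(hosts_lookup "$mx" < "$hosts_file")
    if [ -n "$hosts_addr" ] && [ "$hosts_addr" != "$addr" ]; then
        echo "FAIL: $hosts_file maps $mx to $hosts_addr but DNS says $addr" >&2
        return 1
    fi

    echo "OK: MX for $domain is $mx -> $addr (private, local, hosts table agrees)"
}

# Usage: sh check_mail_dns.sh mydomain.com
if [ -n "${1:-}" ]; then
    check_mail_dns "$1"
fi
```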
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
<pre><br />
tar xvfz $TARBALL<br />
</pre><br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and run<br />
<br />
<pre><br />
./install.sh<br />
</pre><br />
<br />
as root.<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different than mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure and load it too'''. (And be careful; there are some [http://www.zimbra.com/forums/developers/21802-how-does-perl-packaging-bug-affect-z.html recently discovered problems] with some builds of perl 5.8, notably from RedHat). Just separate each package name with a space like this:<br />
<pre><br />
apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl<br />
</pre><br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have the fully-qualified domain name of the mail machine you're installing on (hostname.mydomain.com) rather than just the domain, and probably complain about not finding an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "Press Enter to finish", you need to turn on crontab for the user zimbra or your logs won't work:<br />
<pre><br />
crontab -u zimbra -l<br />
</pre><br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user.<br />
<br />
Congratulations--one shiny new Zimbra installation on RHEL/CentOS!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, it can hinder your efforts to install ZCS.<br />
<br />
Make sure the /tmp directory has the following permissions:<br />
<pre><br />
drwxrwxrwt root root /tmp<br />
</pre><br />
<br />
If your /tmp permissions do not match the above, run the following commands as root:<br />
<pre><br />
# chown root:root /tmp<br />
# chmod 777 /tmp<br />
# chmod +t /tmp<br />
</pre><br />
(The chown is optional; there is a good chance /tmp is already owned by root.)<br />
<br />
The '''t''' at the end of the permissions is called the sticky bit. It replaces the '''x''' and indicates that files in this directory can only be deleted by their owner, the owner of the directory, or the root superuser. This way it is not enough for a user to have write permission on /tmp; they also need to own the file to be able to delete it.<br />
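A small checker for the /tmp requirement just described, added here as an example rather than taken from the page: it reads the directory's octal mode and owner and fails unless they are 1777 and root, so a 0777 directory with the sticky bit missing is caught before the install. It assumes GNU coreutils stat, as shipped on RHEL/CentOS; the function names dir_mode, dir_owner, tmp_perms_ok and fix_tmp_perms are my own.<br />

```shell
#!/bin/sh
# Checker for the /tmp requirement above: mode 1777 (world-writable plus sticky
# bit) and owned by root. Added example; it is not from the original wiki page.
# Assumes GNU coreutils `stat`, as shipped on RHEL/CentOS. Function names are mine.

# dir_mode DIR: print the octal mode of DIR including the special bits, e.g. 1777.
dir_mode() {
    stat -c '%a' "$1"
}

# dir_owner DIR: print the user that owns DIR.
dir_owner() {
    stat -c '%U' "$1"
}

# tmp_perms_ok DIR [OWNER]: exit 0 when DIR is mode 1777 and owned by OWNER
# (default root). 0777 without the sticky bit is rejected: without it, any user
# with write access to the directory can remove or rename other users' files.
tmp_perms_ok() {
    dir=$1
    want_owner=${2:-root}
    mode=$(dir_mode "$dir") || return 1
    owner=$(dir_owner "$dir") || return 1
    if [ "$mode" != "1777" ]; then
        echo "$dir: mode is $mode, expected 1777 (sticky bit missing or too restrictive)" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owned by $owner, expected $want_owner" >&2
        return 1
    fi
    return 0
}

# fix_tmp_perms DIR: the walkthrough's repair in one step (run as root);
# chmod 1777 is the same as chmod 777 followed by chmod +t.
fix_tmp_perms() {
    chown root:root "$1" && chmod 1777 "$1"
}

# Usage: sh check_tmp.sh /tmp
if [ -n "${1:-}" ]; then
    tmp_perms_ok "$1" && echo "$1: OK"
fi
```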
<br />
=Sending Mail from Terminal=<br />
In some situations, it is necessary for monitoring scripts or cron jobs to send mail to users on the system. On any Unix installation, this is done with the 'mail' command. The default Ubuntu installation described here will not include this command. Installing the mailx package to add mail will also cause Ubuntu to add a Mail Transport Agent to handle mail delivery. This is not a problem if there is no Zimbra Postfix MTA running on your system, but if one is present then the new MTA could interfere with the Zimbra MTA and will disrupt mail routing. To safely add 'mail' and the associated package, you will need to do the following:<br />
<pre><br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb<br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
</pre><br />
Add the following to /etc/mail.rc:<br />
<pre><br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
</pre><br />
When this is done, test it by running:<br />
<pre><br />
mail <user>@<yourdomain><br />
</pre><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10056Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:43:11Z<p>Baylink: /* DNS */</p>
Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10055Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:42:09Z<p>Baylink: </p>
Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10054Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-30T00:31:06Z<p>Baylink: /* Required Packages */</p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the difference in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
Everything south of here is Work In Progress, until I remove this header.<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this thread is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically: <br />
<br />
$ dig -t mx domain.com<br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you<br />
<br />
$ dig thatfqdn.com<br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. Cancel it before it gets that far, and manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve those two addresses mentioned above properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of the following:<br />
<br />
# set up an internal DNS server for the zone that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [[Split Domain|split-horizon DNS]]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup.<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
nameserver xxx.xxx.xxx.xxx<br />
The IP address here should be the private IP address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server.<br />
nslookup mydomain.com<br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly, it'll return the internal address.<br />
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
127.0.0.1 localhost.localdomain localhost<br />
10.3.2.244 mail.tractor-equip.net mail<br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
127.0.0.1 localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
ONLY IF this is working is it time to update your packages and install Zimbra.<br />
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best-effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
tar xvfz $TARBALL<br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and <br />
<br />
./install.sh<br />
<br />
as root.<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different from mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure to load it too'''. (And be careful; there are some [http://www.zimbra.com/forums/developers/21802-how-does-perl-packaging-bug-affect-z.html recently discovered problems] with some builds of perl 5.8, notably from RedHat.) Just separate each package name with a space like this:<br />
apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl<br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have the fully-qualified domain name of the mail machine you're installing on (hostname.mydomain.com) rather than just the domain, and probably complain about not finding an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "Press Enter to finish" you need to turn on crontab for the user zimbra or your logs won't work.<br />
crontab -u zimbra -l<br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user.<br />
<br />
Congratulations--one shiny new Zimbra installation on RHEL/CentOS!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, it can hinder your efforts to install ZCS.<br />
<br />
Make sure the /tmp directory has the following permissions.<br />
drwxrwxrwt root root /tmp<br />
<br />
If your /tmp permissions do not match the above, run the following commands as root:<br />
# chown root:root /tmp **Optional, good chance /tmp is already owned by root**<br />
# chmod 777 /tmp<br />
# chmod +t /tmp<br />
<br />
<br />
The '''t''' at the end of the permissions is called the sticky bit. It replaces the '''x''' and indicates that in this directory files can only be deleted by their owners, the owner of the directory, or the root superuser. This way it is not enough for a user to have write permission on /tmp -- they also need to be the owner of the file to be able to delete it.<br />
<br />
=Sending Mail from Terminal=<br />
In some situations, it is necessary for monitoring scripts or cron jobs to send mail to users on the system. On any Unix installation, this is done with the 'mail' command. The default Ubuntu installation described here will not include this command. Installing the mailx package to add mail will also cause Ubuntu to add a Mail Transport Agent to handle mail delivery. This is not a problem if there is no Zimbra Postfix MTA running on your system, but if one is present then the new MTA could interfere with the Zimbra MTA and disrupt mail routing. To safely add 'mail' and the associated package, you will need to do the following:<br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb <br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
Add the following to /etc/mail.rc:<br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
When this is done, test it by running:<br />
mail <user>@<yourdomain><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylinkhttps://wiki.zimbra.com/index.php?title=Installing_Zimbra_5.0.9_NE_on_RHEL5/Centos&diff=10032Installing Zimbra 5.0.9 NE on RHEL5/Centos2008-08-27T17:47:10Z<p>Baylink: New page: This is an installation walkthrough for NE 5.0.9 on RHEL5. (I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported,...</p>
<hr />
<div>This is an installation walkthrough for NE 5.0.9 on RHEL5.<br />
<br />
(I'm actually doing it on CentOS 5.2, but that's supposed to be bug-for-bug compatible, and I'm told it will still be supported, as long as that specific point isn't what's breaking any given thing... I won't tell if you don't.)<br />
<br />
I've stolen the excellent Ubuntu 6 walkthrough, and I'll be modifying and expanding it as I go for the difference in OS -- which will be substantial, since Ubuntu is Debian based, instead of Red Hat based.<br />
<br />
Everything south of here is Work In Progress, until I remove this header.<br />
<br />
== Introduction ==<br />
<br />
The following guide is for installing ZCS 5.0 on RHEL/CentOS 5.2, where the server resides inside a DNAT firewall and so needs to be able to resolve DNS names to its own internal (private subnet) IP address rather than the public IP address that is published to the world. This is a setting where a firewall/router supplies the translation from the public IP to the DMZ IP (DNAT--Destination Network Address Translation) so that translation is not known to the server itself. This configuration is desirable for security, but it makes bits of the Zimbra configuration more complex than they might otherwise be.<br />
<br />
For simplicity's sake, I'm referring to Zimbra's IP address as the "private IP address" from here on. By that I mean that the Zimbra box has only one IP address, it's on the private network, and can be seen by all the machines on my LAN -- including the back side of the firewall/NAT router -- but not the public. When I say "public IP address" I'm not talking about another address on the Zimbra box, but rather the address that gets DNATed to my box and which is resolved by machines on the Internet at large.<br />
<br />
===DNS===<br />
<br />
The DNS issue discussed throughout this thread is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS after the fact may result in an install that can do everything except send mail--even from a Zimbra user to himself! So I'll say it again:<br />
<br />
'''If you can't resolve your mailserver's own private IP address (NOT the public IP) using dig, fix it BEFORE you install Zimbra!'''<br />
<br />
Specifically: <br />
<br />
$ dig -t mx domain.com<br />
<br />
should return an ANSWER section that has a line ending in the internal DNS name of your mailserver, and if you<br />
<br />
$ dig thatfqdn.com<br />
<br />
you should in turn get back an ANSWER section which has the ''private'' IP address of that machine... all these commands being executed ''on that machine'' -- the Zimbra server (the mta server, if you're building a cluster).<br />
<br />
I installed from the CentOS 5.2 DVD installation.<br />
<br />
1) The installation defaults to configuring your LAN via DHCP. Cancel it before it gets that far, and manually configure it with a static IP address, netmask, and gateway. <br />
<br />
You will need to make sure that the mta server can resolve those two addresses mentioned above properly. Since one is an MX record, you can't do this using /etc/hosts; you will need to do one of the following:<br />
<br />
# set up an internal DNS server for the zone that forwards to your external resolvers<br />
# set up your edge zone/resolver servers to do [[Split Domain|split-horizon DNS]]<br />
# set up a DNS zone server ''on the mta server itself''<br />
<br />
In my case, I was already running split-horizon DNS, so that's the approach I will describe here; for the "DNS server on the mta server" approach, see the original Ubuntu writeup.<br />
<br />
2) Check /etc/resolv.conf and make sure it looks like this:<br />
nameserver xxx.xxx.xxx.xxx<br />
The IP address here should be the private IP address of your split-horizon DNS server.<br />
<br />
3) Now reboot the machine (restarting bind wasn't enough to work for me) and try to resolve your mail server.<br />
nslookup mydomain.com<br />
If it returns your public IP address, your internal DNS is not working. If things are configured correctly, it'll return the internal address.<br />
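The two dig checks and the nslookup test in the DNS section above (this revision and the earlier ones on this page) can be scripted so they are run on the mta host before the installer is started. This is an added example, not part of the wiki page; it assumes dig is installed, that /etc/resolv.conf already points at the split-horizon server, and that the expected private IP is passed on the command line (script name and arguments are the example's own):<br />

```shell
#!/bin/sh
# Added example: pre-install DNS sanity check for a Zimbra MTA behind DNAT.
# Not part of the wiki page. Run ON the mta host, with /etc/resolv.conf
# pointing at the split-horizon resolver; assumes `dig` is installed.

# Pick the preferred (lowest preference) mail exchanger from the output of
# `dig +short -t mx DOMAIN`, whose lines look like "10 mail.example.com.".
# Prints the hostname without the trailing dot, or nothing if there is none.
best_mx() {
    printf '%s\n' "$1" | sort -n | head -n 1 | awk '{ sub(/\.$/, "", $2); print $2 }'
}

# Succeed (exit 0) only if the address list from `dig +short HOST` contains
# the expected private address.  A public address here means split-horizon
# DNS is not in effect for this host, which is the failure the page warns about.
has_private_ip() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# Full check: returns 0 when the domain's MX points at this host's private IP.
# $1 = mail domain, $2 = expected private IP of the Zimbra mta host.
check_zimbra_dns() {
    mx=$(best_mx "$(dig +short -t mx "$1")")
    if [ -z "$mx" ]; then
        echo "FAIL: no MX record found for $1" >&2
        return 1
    fi
    addrs=$(dig +short "$mx")
    if has_private_ip "$2" "$addrs"; then
        echo "OK: $1 MX -> $mx -> $2"
        return 0
    fi
    echo "FAIL: $mx resolves to '$addrs', expected private IP $2" >&2
    return 1
}

# Usage: sh zimbra-dns-check.sh mydomain.com 10.3.2.244
if [ $# -eq 2 ]; then
    check_zimbra_dns "$1" "$2"
fi
```

A FAIL line that shows the public address is exactly the situation the section describes: fix the resolver first, reboot, and re-run the script until it prints OK before starting install.sh.<br />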
<br />
=== Hosts Table ===<br />
<br />
Before you get to the install you also need to modify your /etc/hosts file. There are two possible structures. If you are using 4.5.7 or later (and we are), do it right:<br />
127.0.0.1 localhost.localdomain localhost<br />
10.3.2.244 mail.tractor-equip.net mail<br />
There is a bug in 4.5.6 that required a nonstandard hosts setup to get the install to work. Most users will (obviously) be installing the latest release, but if for any reason you're installing 4.5.6 use the following format:<br />
127.0.0.1 localhost<br />
xxx.xxx.xxx.xxx hostname.mydomain.com mydomain.com mail<br />
ONLY IF this is working is it time to update your packages and install Zimbra.<br />
<br />
===Required Packages===<br />
<br />
The install has several dependencies, and the easiest way to make sure you've fulfilled all of them is just to run the install and watch.<br />
<br />
Get a [http://www.zimbra.com/products/download_network.html trial license], if you haven't already, and either way, [http://www.zimbra.com/products/downloads.html download] the proper installer file. Pay attention to which processor type you need, and note that since you're installing NE, you expect support -- you need to make sure you're on a supported OS. In particular (I'm a SuSE guy), OpenSUSE is not supported at all; you have to use SLES. CentOS is supported as an RHEL derivative on a best-effort basis, I'm told, since it's supposed to be identical except for the pictures.<br />
<br />
So grab the tarball -- it's big, close to 300MB, and will take some time to get -- and unpack it:<br />
<br />
tar xvfz $TARBALL<br />
<br />
It will create a directory named similarly to the tarfile itself, with the install inside it; we'll call this the '''unpack directory'''.<br />
<br />
cd to that directory, and <br />
<br />
./install.sh<br />
<br />
as root.<br />
<br />
''' stopped here '''<br />
<br />
It's not going to work the first time, but it'll give you a list of missing dependencies. Write down all the package names it says are missing. Your list may be slightly different from mine, but whatever it is, '''Zimbra won't tell you that you also need perl, so be sure to load it too'''. Just separate each package name with a space like this:<br />
apt-get install libidn11 curl fetchmail libpcre3 libgmp3c2 libxml2 libstdc++6 openssl perl<br />
Now re-run your Zimbra install and accept all the defaults except:<br />
<br />
When it asks you for your domain, it's going to have your fully-qualified domain name (hostname.mydomain.com) rather than just the domain, and probably complain about not having an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except for asking you to set your administrative user's password (option 6 and then 4).<br />
<br />
Finally, when the install is done and it has given you the last "press Enter to finish" you need to turn on crontab for the user zimbra or your logs won't work.<br />
crontab -u zimbra -l<br />
Now reboot the system, and when it comes back up, give it a couple of minutes to start the rest of the Zimbra processes. If your installation is successful, you can go to <nowiki>https://xxx.xxx.xxx.xxx:7071</nowiki> (your internal IP address again) to get the administrative console, or <nowiki>http://xxx.xxx.xxx.xxx</nowiki> to log in as a user.<br />
<br />
Congratulations--one shiny new Zimbra installation on Ubuntu!<br />
<br />
=Directory Permissions on /tmp=<br />
If the /tmp directory does not have the correct permissions, it can hinder your efforts to install ZCS.<br />
<br />
Make sure the /tmp directory has the following permissions.<br />
drwxrwxrwt root root /tmp<br />
<br />
If your /tmp permissions do not match the above, run the following commands as root:<br />
# chown root:root /tmp **Optional, good chance /tmp is already owned by root**<br />
# chmod 777 /tmp<br />
# chmod +t /tmp<br />
<br />
<br />
The '''t''' at the end of the permissions is called the sticky bit. It replaces the '''x''' and indicates that in this directory files can only be deleted by their owners, the owner of the directory, or the root superuser. This way it is not enough for a user to have write permission on /tmp -- they also need to be the owner of the file to be able to delete it.<br />
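An added check script for the /tmp requirement above (the same section appears in the earlier revisions on this page); it is not from the wiki page. It uses GNU stat, as shipped on RHEL/CentOS, and prints only the repair commands that are still needed, using chmod 1777 as the single-step equivalent of the chmod 777 plus chmod +t pair shown above:<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): verify /tmp is mode 1777 (rwxrwxrwt)
# and owned by root before running the ZCS installer.  Assumes GNU coreutils
# stat, so `stat -c %a` includes the sticky bit (1777 rather than 777).

# Pure function: $1 = octal mode as printed by `stat -c %a`, $2 = owner name,
# $3 = directory (defaults to /tmp).  Prints the commands that still need to
# be run as root, nothing if everything is already correct.  Kept separate
# from stat so it can be tested without touching the real /tmp.
tmp_repairs() {
    mode=$1; owner=$2; dir=${3:-/tmp}
    [ "$owner" = root ] || echo "chown root:root $dir"
    case "$mode" in
        1777) ;;                          # rwxrwxrwt: nothing to do
        *)    echo "chmod 1777 $dir" ;;   # 777 plus the sticky bit in one step
    esac
}

# Read the live mode and owner and report.  Returns 1 when repairs are needed.
check_tmp() {
    dir=${1:-/tmp}
    set -- $(stat -c '%a %U' "$dir")
    fixes=$(tmp_repairs "$1" "$2" "$dir")
    if [ -z "$fixes" ]; then
        echo "$dir: ok (mode 1777, owner root)"
        return 0
    fi
    echo "$dir needs fixing; run as root:"
    echo "$fixes"
    return 1
}
```

Call check_tmp with no arguments before install.sh; a world-writable /tmp without the sticky bit is reported as needing chmod 1777, since without it any local user could delete another user's temporary files there.<br />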
<br />
=Sending Mail from Terminal=<br />
In some situations, it is necessary for monitoring scripts or cron jobs to send mail to users on the system. On any Unix installation, this is done with the 'mail' command. The default Ubuntu installation described here will not include this command. Installing the mailx package to add mail will also cause Ubuntu to add a Mail Transport Agent to handle mail delivery. This is not a problem if there is no Zimbra Postfix MTA running on your system, but if one is present then the new MTA could interfere with the Zimbra MTA and disrupt mail routing. To safely add 'mail' and the associated package, you will need to do the following:<br />
wget http://ubuntu.lnix.net/misc/mta-dummy/mta-dummy_1.0_all.deb <br />
dpkg -i mta-dummy_1.0_all.deb<br />
apt-get install mailx<br />
Add the following to /etc/mail.rc:<br />
set sendmail=/opt/zimbra/postfix/sbin/sendmail<br />
When this is done, test it by running:<br />
mail <user>@<yourdomain><br />
Enter a subject and body, using '.' on a blank line to end the message. When you have sent it, check /var/log/zimbra.log to confirm that the message has been processed correctly.<br />
<br />
If you have a multi-node Zimbra system and the server you are installing mailx on does not run an MTA, you can let it install Postfix, and during configuration specify a dedicated relay server, which you should set to one of your existing Zimbra MTA hosts.<br />
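The "check /var/log/zimbra.log" step above can be automated so a cron job knows whether its test message actually left the Zimbra MTA. This is an added example, not from the wiki page; the log lines embedded in it are constructed in Postfix's logging format rather than taken from a real server, and the function reads the log text as an argument so it can be exercised on those lines as well as on the live file:<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): confirm that the test message sent
# with `mail` was handed over by the Zimbra Postfix MTA.  Assumes the standard
# Postfix delivery-agent log format ("to=<rcpt>, ... status=sent (...)").

# Print the status Postfix logged for the most recent delivery attempt to $1
# ("sent", "deferred", "bounced"), or "none" if no attempt was logged.
# $2 is the log text, so the function is testable on constructed lines.
delivery_status() {
    status=$(printf '%s\n' "$2" | grep -F "to=<$1>" | grep -o 'status=[a-z]*' | tail -n 1 | cut -d= -f2)
    echo "${status:-none}"
}

# Check the live log for a recipient; exit 0 only when the last attempt was sent.
check_test_mail() {
    s=$(delivery_status "$1" "$(cat /var/log/zimbra.log)")
    echo "$1: $s"
    [ "$s" = sent ]
}

# Constructed sample lines in Postfix's log format (not real log data):
# a queue-manager line, a successful LMTP delivery to the Zimbra mailbox store
# (port 7025), and a deferred outbound SMTP delivery.
SAMPLE_LOG='Aug 27 12:00:01 mail postfix/qmgr[2345]: 5A1B2C3D4E: from=<root@mail.example.com>, size=412, nrcpt=1 (queue active)
Aug 27 12:00:01 mail postfix/lmtp[2346]: 5A1B2C3D4E: to=<user@example.com>, relay=mail.example.com[10.3.2.244]:7025, delay=0.4, delays=0.1/0.01/0.05/0.2, dsn=2.1.5, status=sent (250 2.1.5 OK)
Aug 27 12:00:02 mail postfix/smtp[2347]: 6B2C3D4E5F: to=<nobody@example.net>, relay=none, delay=30, delays=0/0/30/0, dsn=4.4.1, status=deferred (connect to example.net[203.0.113.9]:25: Connection refused)'

# Usage: sh zimbra-mail-check.sh user@mydomain.com
if [ $# -eq 1 ]; then
    check_test_mail "$1"
fi
```

A "deferred" or "none" result after the test mail is the signal to look at the MTA configuration (or, on a multi-node system, at the relay host) rather than at the mail command itself.<br />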
<br />
{{Article Footer|RHEL/CentOS 5.2, ZCS 5.0.9|8/27/2008}}<br />
<br />
[[Category:Installation]]<br />
[[Category:RHEL5]]</div>Baylink