Hocky-Notes: Difference between revisions
Hocky.zimbra (talk | contribs) |
Hocky.zimbra (talk | contribs) |
||
| (46 intermediate revisions by 2 users not shown) | |||
| Line 52: | Line 52: | ||
To setup the proper proxy information for freshclam (the process which fetch the signatures updates for clamav) you have to modify the freshclam.conf.in file, not freshclam.conf | To setup the proper proxy information for freshclam (the process which fetch the signatures updates for clamav) you have to modify the freshclam.conf.in file, not freshclam.conf | ||
Check the log to make sure everything is ok : | |||
less /opt/zimbra/log/freshclam.log | |||
=== proxy out for zimlets === | === proxy out for zimlets === | ||
| Line 72: | Line 75: | ||
''Windows: replace / by \ and : by ;'' | ''Windows: replace / by \ and : by ;'' | ||
This sort of worked for me with Ubuntu 9.04 & ZD v1.0 build 1593: it installs without error message but then i don't see all zimlets installed in ZD (3 out of 4 are visible). | This sort of worked for me with Ubuntu 9.04 & ZD v1.0 build 1593: it installs without error message but then i don't see all zimlets installed in ZD (3 out of 4 are visible). Bug in the zimlet or install that needs another product ? | ||
== configuration == | == configuration == | ||
=== backups === | |||
Tried the standard | |||
zmschedulebackup -R f "0 1 * * 7" i "0 1 * * 1-6" d 1m "0 0 * * *" | |||
as the zimbra user | |||
if the answer is ... | |||
You (zimbra) are not allowed to use this program (crontab) | |||
you must add the zimbra user to /etc/cron.allow (and/or remove it from cron.deny) | |||
vi /etc/cron.allow | |||
CLI to set to default save plan: | |||
zmschedulebackup -D | |||
CLI review current save plan: | |||
zmschedulebackup -q | |||
=== https only === | === https only === | ||
We want to encrypt | We want to encrypt all network communications (you don't want the CEO mails being eavesdropped do you ?): | ||
Users can connect in http but they are re-directed to https and stay there. | Users can connect in http but they are re-directed to https and stay there. | ||
| Line 83: | Line 105: | ||
zmcontrol stop | zmcontrol stop | ||
zmcontrol start | zmcontrol start | ||
=== GAL === | === GAL === | ||
| Line 90: | Line 111: | ||
All done via the web UI in 5.0.16. | All done via the web UI in 5.0.16. | ||
Caveat: I suppose this can have an impact on performances depending on the search string. | |||
Note: There is a parameter to setup in the user preferences/address book to have dynamic GAL look-up. | |||
=== SSO === | |||
We wanted to be able to connect through our current sso solution: | |||
* the user connects to the company portal and logs in | |||
* he clicks on a link to Zimbra | |||
* we redirect him to his mailbox | |||
We used the preauth feature to achieve that. | |||
This is documented here: | |||
http://wiki.zimbra.com/index.php?title=Preauth | |||
---- | |||
'''information below is obsolete for our implementation''' | |||
<p>'''to be removed after server cleanup''' | |||
---- | |||
I used this information: http://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk#For_Zimbra_5.0 | |||
* Installed jetty-ajp-6.1.5.jar in /opt/zimbra/jetty/lib/ext/. | |||
* Changed the owner to zimbra:zimbra | |||
Next, edit the file /opt/zimbra/jetty/etc/jetty.xml.in: | |||
* Search for these lines: | |||
<pre> | |||
<!-- =========================================================== --> | |||
<!-- Set connectors --> | |||
<!-- =========================================================== --> | |||
</pre> | |||
* Below them, add the following: | |||
<Call name="addConnector"> | |||
<Arg> | |||
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector"> | |||
<Set name="port">8009</Set> | |||
</New> | |||
</Arg> | |||
</Call> | |||
Then, edit the file /opt/zimbra/jetty/etc/service.web.xml.in: | |||
* Search for instances of the allowed.ports parameter, which will look like this: | |||
<init-param> | |||
<param-name>allowed.ports</param-name> | |||
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value> | |||
</init-param> | |||
* If the parameter value already contains %%zimbraMailPort%% and %%zimbraMailSSLPort%%, as above, then add port 8009 to the end of the list, like this: | |||
... | |||
<param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value> | |||
... | |||
* If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of allowed.ports in which the value already contains 7071. | |||
Finally, restart the application server : | |||
zmmailboxdctl restart | |||
=== bcc to the old mailserver during the testing phase === | |||
in /opt/zimbra/postfix/conf create a file called sender_bcc | |||
and add the users you want to copy/send to | |||
employee@zimbra.domain.com employee@oldmailapp.domain.com | |||
in /opt/zimbra/postfix/conf/main.conf add | |||
sender_bcc_maps = hash:/opt/zimbra/postfix/conf/sender_bcc | |||
then run as zimbra user | |||
postmap /opt/zimbra/postfix/conf/sender_bcc | |||
restart postfix - | |||
postfix reload | |||
You may do the same with a recipient_bcc map if needed. | |||
=== from old domain === | |||
in our test setup we change the originator to the non-test domain address | |||
this is done by assigning a unique canonical address to the user + smtp generic map (doing it directly in the canonical address field created loops with our convoluted test set-up) | |||
== Certificates stuff == | |||
You have to be root for all of this. | |||
To prevent the warnings linked to the self-signing, i created a csr to get it signed by our company CA: | |||
./zmcertmgr createcsr comm -new -subject "/C=FR/O=xxxx/OU=xxxx/CN=xxxx.xxx.fr" -subjectAltNames xxxx.xxx.fr | |||
Bug: | |||
If you don't specify -subjectAltNames then you get an error: | |||
Subject does not start with '/'. | |||
In our company we get a single file containing both the cert for the server and the ca chain, so i had to cut the file in two parts, one for the cert and the other for the ca. | |||
Install the cert | |||
/opt/zimbra/bin/zmcertmgr deploycrt comm certfromcomm.crt commercial_ca.crt | |||
=== Monitoring / Tuning === | |||
* Verifiy that zmstat is running: | |||
zmstatctl status | |||
(returns nothing if down in v5.0.16) or | |||
Running: zmstat-mtaqueue | |||
Running: zmstat-proc | |||
Running: zmstat-fd | |||
Running: zmstat-vm | |||
Running: zmstat-convertd | |||
Running: zmstat-cpu | |||
Running: zmstat-mysql | |||
* Generate stats of the day: | |||
zmstat-chart -s /opt/zimbra/zmstat --start-at "09/30/2009 00:00:00" -d ~/zmstat/charts | |||
* Copy the schema to your PC: | |||
pscp -r zimbra@x.x.x.x:/opt/zimbra/zmstat/charts . | |||
* Enjoy: open charts/index.html | |||
= command line stuff = | |||
To remove all content (all mails and other) from an account: | |||
for f in `zmmailbox -z -m account@domain.com gaf |awk '/\// {print $5}'|sort|uniq` ; | |||
do zmmailbox -z -m account@domain.com emptyFolder $f ; | |||
done | |||
Accounts data (including the creation date): | |||
zmaccts | |||
Assign a COS to several accounts at the same time | |||
for a in account1@domain.com account2@domain.com; do zmprov sac $a newcos; done | |||
Size of the backups, in the backup/sessions directory: | |||
for f in `ls` ; do du -sh $f ;done | |||
= links = | = links = | ||
| Line 102: | Line 269: | ||
== Themes, skins == | == Themes, skins == | ||
http://files.zimbra.com/docs/skins/Themes.html | http://files.zimbra.com/docs/skins/Themes.html | ||
Note that changes you make to the skin framework will not necessarily survive major upgrades to the ZWC product. | |||
=== skins === | === skins === | ||
Slight customisation: | Slight customisation: | ||
cd /opt/zimbra/jetty/webapps/zimbra/skins/ | |||
mkdir customskin | |||
cp -r steel/* customskin | |||
cd customskin | |||
vi skin.properties | |||
modify the lines | |||
SkinName = customskin | |||
SkinVersion = 1 | |||
uncomment the lines | |||
LogoImgDir = /zimbra/skins/@SkinName@/logos | |||
LogoURL = http://www.yourcompany.com | |||
save | |||
copy your new logo files to the logos directory (if you have the network edition) | |||
Logo files are : | |||
* 450 x 100 pixels | |||
* 120 x 35 pixels | |||
rename files | |||
mv logo450x100.png LoginBanner.png | |||
mv logo120x35.png AppBanner.png | |||
cd /opt/zimbra/jetty/webapps/zimbra/skins/ | |||
zmskindeploy customskin/ | |||
you have to restart the mailbox to see the changes (+ don't forget to change the skin in the user prefs) | |||
=== customisation for zdesktop === | |||
the instructions for the server customisation don't work for the windows desktop because the command zmskindeploy does not exist for zimbra desktop | |||
== Miscellaneous == | |||
If you need to reset permission | |||
/opt/zimbra/libexec/zmfixperms --extended -verbose | |||
extended and verbose are optional | |||
Might be a good idea to | |||
zmcontrol stop | |||
before running this... | |||
= todo = | = todo = | ||
| Line 116: | Line 325: | ||
* check character sets | * check character sets | ||
* check default language | * check default language | ||
[[Category: Community Sandbox]] | |||
Latest revision as of 14:05, 26 October 2009
Introduction
Those are notes i took while setting-up a POC for our corporate envt.
The installed version is ZCS 5.0.16 on RHEL 4.
We have a proxy to connect to the internet.
Installation
walkthrough
preparation
- check the documentation from zimbra site for pre-requisites
- set the proxy
export http_proxy=http://example.com
- get the package
wget -cv http://h.yimg.com/lo/downloads/5.0.16_GA/zcs-NETWORK-5.0.16_GA_2922.RHEL4.20090429013859.tgz
- get the md5
wget -cv http://h.yimg.com/lo/downloads/5.0.16_GA/zcs-NETWORK-5.0.16_GA_2922.RHEL4.20090429013859.tgz.md5
- check md5
md5sum -c zcs-NETWORK-5.0.16_GA_2922.RHEL4.20090429013859.tgz.md5 > zcs-NETWORK-5.0.16_GA_2922.RHEL4.20090429013859.tgz: OK
- untar
- copy the license file on the server, you will need it
- if your infrastructure guys insist on installing in an alternate directory use a bind in /etc/fstab, for instance:
/prd/live /opt/zimbra auto bind
and then
mkdir /opt/zimbra mount -a
install
- have the installation .PDFs from Zimbra website ready
- run install.sh as root
bugs
/etc/hosts file issue
The install program (install.sh) checks that all entries in the hosts file are of the format: <ip> <fqdn> <name> even the entries which have nothing to do with the name of the server.
You may have to remove temporarily (or comment out) the offending lines and restore them after the installation has completed successfully.
That happened to me with version 5.0.16 NE.
Tags: error installation hosts install
proxy stuff
freshclam
it's there:
vi /opt/zimbra/conf/freshclam.conf.in
To setup the proper proxy information for freshclam (the process which fetch the signatures updates for clamav) you have to modify the freshclam.conf.in file, not freshclam.conf
Check the log to make sure everything is ok :
less /opt/zimbra/log/freshclam.log
proxy out for zimlets
If zimlets need to access the internet from behind a proxy, you have to set this variable up:
zmprov mcf zimbraHttpProxyURL http://my.proxy:80
mcf = zimbra wide, it can also be set by server
zimlets
Notes links
The standard zimlet com_zimbra_url can mess-up with the Notes urls Notes://2134564984561321 if this is the case, deactivate it
desktop zimlets
To install zimlets on a linux zimbra desktop (ZD), run the following command:
java -cp jetty/lib/log4j-1.2.8.jar:jetty/common/lib/commons-httpclient-3.0.jar:jetty/common/lib/mail.jar:jetty/common/lib/commons-logging.jar:jetty/common/lib/commons-codec-1.3.jar:jetty/common/lib/json.jar:jetty/common/lib/dom4j-1.5.jar:jetty/common/lib/zimbracommon.jar:jetty/webapps/service/WEB-INF/lib/zimbrastore.jar -Dzimbra.config=conf/localconfig.xml com.zimbra.cs.zimlet.ZimletUtil deploy <path2zimlet>/<zimlet>.zip
Windows: replace / by \ and : by ;
This sort of worked for me with Ubuntu 9.04 & ZD v1.0 build 1593: it installs without error message but then i don't see all zimlets installed in ZD (3 out of 4 are visible). Bug in the zimlet or install that needs another product ?
configuration
backups
Tried the standard
zmschedulebackup -R f "0 1 * * 7" i "0 1 * * 1-6" d 1m "0 0 * * *"
as the zimbra user
if the answer is ...
You (zimbra) are not allowed to use this program (crontab)
you must add the zimbra user to /etc/cron.allow (and/or remove it from cron.deny)
vi /etc/cron.allow
CLI to set to default save plan:
zmschedulebackup -D
CLI review current save plan:
zmschedulebackup -q
https only
We want to encrypt all network communications (you don't want the CEO mails being eavesdropped do you ?): Users can connect in http but they are re-directed to https and stay there.
zmtlsctl redirect zmcontrol stop zmcontrol start
GAL
Set the GAL as mixed: internal + external and bind the external to an existing LDAP.
All done via the web UI in 5.0.16.
Caveat: I suppose this can have an impact on performances depending on the search string.
Note: There is a parameter to setup in the user preferences/address book to have dynamic GAL look-up.
SSO
We wanted to be able to connect through our current sso solution:
- the user connects to the company portal and logs in
- he clicks on a link to Zimbra
- we redirect him to his mailbox
We used the preauth feature to achieve that.
This is documented here: http://wiki.zimbra.com/index.php?title=Preauth
information below is obsolete for our implementation
to be removed after server cleanup
I used this information: http://wiki.zimbra.com/index.php?title=Zimbra_with_Apache_using_mod_jk#For_Zimbra_5.0
- Installed jetty-ajp-6.1.5.jar in /opt/zimbra/jetty/lib/ext/.
- Changed the owner to zimbra:zimbra
Next, edit the file /opt/zimbra/jetty/etc/jetty.xml.in:
- Search for these lines:
<!-- =========================================================== --> <!-- Set connectors --> <!-- =========================================================== -->
- Below them, add the following:
<Call name="addConnector">
<Arg>
<New id="ajp" class="org.mortbay.jetty.ajp.Ajp13SocketConnector">
<Set name="port">8009</Set>
</New>
</Arg>
</Call>
Then, edit the file /opt/zimbra/jetty/etc/service.web.xml.in:
- Search for instances of the allowed.ports parameter, which will look like this:
<init-param> <param-name>allowed.ports</param-name> <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071</param-value> </init-param>
- If the parameter value already contains %%zimbraMailPort%% and %%zimbraMailSSLPort%%, as above, then add port 8009 to the end of the list, like this:
... <param-value>%%zimbraMailPort%%, %%zimbraMailSSLPort%%, 7070, 7443, 7071, 8009</param-value> ...
- If you wish to enable access to the Zimbra administrative web interface, then also perform the above step on any instance of allowed.ports in which the value already contains 7071.
Finally, restart the application server :
zmmailboxdctl restart
bcc to the old mailserver during the testing phase
in /opt/zimbra/postfix/conf create a file called sender_bcc and add the users you want to copy/send to
employee@zimbra.domain.com employee@oldmailapp.domain.com
in /opt/zimbra/postfix/conf/main.conf add
sender_bcc_maps = hash:/opt/zimbra/postfix/conf/sender_bcc
then run as zimbra user
postmap /opt/zimbra/postfix/conf/sender_bcc
restart postfix -
postfix reload
You may do the same with a recipient_bcc map if needed.
from old domain
in our test setup we change the originator to the non-test domain address
this is done by assigning a unique canonical address to the user + smtp generic map (doing it directly in the canonical address field created loops with our convoluted test set-up)
Certificates stuff
You have to be root for all of this.
To prevent the warnings linked to the self-signing, i created a csr to get it signed by our company CA:
./zmcertmgr createcsr comm -new -subject "/C=FR/O=xxxx/OU=xxxx/CN=xxxx.xxx.fr" -subjectAltNames xxxx.xxx.fr
Bug:
If you don't specify -subjectAltNames then you get an error:
Subject does not start with '/'.
In our company we get a single file containing both the cert for the server and the ca chain, so i had to cut the file in two parts, one for the cert and the other for the ca.
Install the cert
/opt/zimbra/bin/zmcertmgr deploycrt comm certfromcomm.crt commercial_ca.crt
Monitoring / Tuning
- Verifiy that zmstat is running:
zmstatctl status
(returns nothing if down in v5.0.16) or
Running: zmstat-mtaqueue Running: zmstat-proc Running: zmstat-fd Running: zmstat-vm Running: zmstat-convertd Running: zmstat-cpu Running: zmstat-mysql
- Generate stats of the day:
zmstat-chart -s /opt/zimbra/zmstat --start-at "09/30/2009 00:00:00" -d ~/zmstat/charts
- Copy the schema to your PC:
pscp -r zimbra@x.x.x.x:/opt/zimbra/zmstat/charts .
- Enjoy: open charts/index.html
command line stuff
To remove all content (all mails and other) from an account:
for f in `zmmailbox -z -m account@domain.com gaf |awk '/\// {print $5}'|sort|uniq` ;
do zmmailbox -z -m account@domain.com emptyFolder $f ;
done
Accounts data (including the creation date):
zmaccts
Assign a COS to several accounts at the same time
for a in account1@domain.com account2@domain.com; do zmprov sac $a newcos; done
Size of the backups, in the backup/sessions directory:
for f in `ls` ; do du -sh $f ;done
links
Desktop
http://wiki.zimbra.com/index.php?title=Yahoo!_Zimbra_Desktop
Themes, skins
http://files.zimbra.com/docs/skins/Themes.html
Note that changes you make to the skin framework will not necessarily survive major upgrades to the ZWC product.
skins
Slight customisation:
cd /opt/zimbra/jetty/webapps/zimbra/skins/ mkdir customskin cp -r steel/* customskin cd customskin vi skin.properties
modify the lines
SkinName = customskin SkinVersion = 1
uncomment the lines
LogoImgDir = /zimbra/skins/@SkinName@/logos LogoURL = http://www.yourcompany.com
save
copy your new logo files to the logos directory (if you have the network edition)
Logo files are :
- 450 x 100 pixels
- 120 x 35 pixels
rename files
mv logo450x100.png LoginBanner.png mv logo120x35.png AppBanner.png
cd /opt/zimbra/jetty/webapps/zimbra/skins/ zmskindeploy customskin/
you have to restart the mailbox to see the changes (+ don't forget to change the skin in the user prefs)
customisation for zdesktop
the instructions for the server customisation don't work for the windows desktop because the command zmskindeploy does not exist for zimbra desktop
Miscellaneous
If you need to reset permission
/opt/zimbra/libexec/zmfixperms --extended -verbose
extended and verbose are optional
Might be a good idea to
zmcontrol stop
before running this...
todo
- explore zimlets stuff
- check character sets
- check default language
