https://wiki.zimbra.com/api.php?action=feedcontributions&user=William+Lac&feedformat=atom
Zimbra :: Tech Center - User contributions [en]
2024-03-28T15:24:43Z
User contributions
MediaWiki 1.39.0

https://wiki.zimbra.com/index.php?title=After_Upgrade_Mobile_Devices_Stop_Working&diff=56901
After Upgrade Mobile Devices Stop Working
2015-02-04T22:20:27Z
<p>William Lac: </p>
<hr />
<div>{{Article Infobox|{{admin}}|{{ZCS 8.0}}|{{ZCS 8.5}}|{{ZCS 8.6}}}}After upgrading to a new Zimbra Collaboration Server release, there have been many reports of mobile devices being unable to connect right after the upgrade. This has been reported after upgrades to ZCS 8.0.8, 8.0.9, 8.5.0, 8.5.1, and 8.6.0.<br />
<br />
*'''Note''': The information shown in this wiki article works only if Mobile Devices were able to sync to ZCS before the upgrade.<br />
<br />
First you can take a look at the sync.log to see if there is any activity in the log that may describe the problem:<br />
tail -f /opt/zimbra/log/sync.log<br />
<br />
If the sync.log is not active, at an appropriate time, try restarting mailboxd, and the MTA services:<br />
su - zimbra<br />
zmmailboxdctl restart<br />
<br />
Then issue this command on your MTA server:<br />
su - zimbra<br />
zmmtactl restart<br />
<br />
Then check sync.log to see if devices are able to sync to ZCS.<br />
<br />
[[:Category: Troubleshooting Mobile]]<br />
<br />
{{Article Footer| 1/29/2015}}</div>
William Lac

https://wiki.zimbra.com/index.php?title=After_Upgrade_Mobile_Devices_Stop_Working&diff=56840
After Upgrade Mobile Devices Stop Working
2015-01-30T00:26:48Z
<p>William Lac: After Upgrade Mobile Devices Stop Working</p>
<hr />
<div>
{{Article Footer|1/29/2015}}</div>
William Lac

https://wiki.zimbra.com/index.php?title=How_to_disable_SSLv3&diff=56628
How to disable SSLv3
2015-01-15T02:17:27Z
<p>William Lac: Added some information regarding the default disabling of SSLv3 on ZCS 8.6.0</p>
<hr />
<div>{{ZC}}{{Article Infobox|{{admin}}|{{ZCS 8.5}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
==How to disable SSLv3==<br />
<br />
Last Update: '''2:00, 15 January 2015 (UTC)'''<br />
<br />
Due to the recent discovery of a new SSLv3 vulnerability ([http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html CVE-2014-3566: Poodle SSLv3]), this protocol is now considered unsafe. This is a protocol flaw, and Zimbra will include patches or configuration changes in future releases. Please check the existing bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976 for more information.<br />
<br />
As a workaround, this guide shows how to disable SSLv3 in Zimbra where possible. This has been tested on both ZCS 8.0.8 and 8.5.0 releases.<br />
<br />
'''Warnings:'''<br />
* The attack published by the researchers works by controlling the plaintext sent to the server using JavaScript running on the victim's machine. Attacks via other vectors exist with varying levels of difficulty, and the use of SSLv3 will be deprecated in a future version of ZCS. This document includes information on how to disable SSLv3 for Postfix (MTA) and nginx (POP3-SSL and IMAP-SSL) for customers who want to do this now. At the moment, it's not possible to disable SSLv3 with mailboxd (Jetty) for POP3-SSL and IMAP-SSL (this will be fixed in 8.6.0, ref https://bugzilla.zimbra.com/show_bug.cgi?id=96040). Bug https://bugzilla.zimbra.com/show_bug.cgi?id=96041 is tracking the deprecation of SSLv3 in ZCS.<br />
<br />
* Disabling SSLv3 might prevent older clients/browsers from connecting to Zimbra using SSL, as they don't support TLS 1.0. Microsoft Internet Explorer 6 on Windows XP or earlier is known to require SSLv3 (it does not support TLS1.0, TLS1.1 or TLS1.2): https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers<br />
<br />
* There may be issues with "Windows Phone 7" [https://en.wikipedia.org/wiki/Windows_Phone_7] requiring SSLv3 (unconfirmed). Most users should already be on Windows Phone 8, as Windows Phone 7 was EOL'd by Microsoft on Oct 14, 2014.<br />
<br />
* Disabling SSLv3 for POP3-SSL and IMAP-SSL through nginx might prevent a few clients from connecting to Zimbra. Windows Phone 7 users are known to have this issue. This affects users using the Nokia Lumia 710 and Lumia 800 devices.<br />
<br />
* Using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA with zimbraSSLExcludeCipherSuites prevents saslauthd (through libcurl) from working properly when it defaults back to TLS. This affects smtpd authentication via zmauth. Please remove it from your list of excluded ciphers with: zmprov mcf -zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA<br />
<br />
'''Recommendation:'''<br />
* For multi-server installations where only your proxy/MTAs will be exposed to the Internet, it should be enough to only disable SSLv3 at these hosts.<br />
<br />
'''Note:'''<br />
We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack [reference: see https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley]. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected. See also: https://community.zimbra.com/support/security/b/weblog/archive/2014/12/11/poodle-revisited<br />
<br />
'''Regarding ZCS 8.6.0:'''<br />
<br />
By default, SSLv3 is now disabled/deprecated in ZCS 8.6.0; please see the bugs referenced below for more information:<br />
*Bug 96041 - "Deprecate use of SSLv3 in the product as a whole" https://bugzilla.zimbra.com/show_bug.cgi?id=96041<br />
*Bug 96171 - "Remove or no longer enable SSLv3 by default in zimbra-attrs.xml" https://bugzilla.zimbra.com/show_bug.cgi?id=96171<br />
<br />
=== Nginx (Proxy) ===<br />
<br />
==== ZCS 8.0.x / 8.5.x ====<br />
Tarballs of the SSL-specific nginx configuration template files have been provided which disable SSLv3 for HTTPS/IMAPS/POP3S. '''Please make a backup of /opt/zimbra/conf/nginx/templates''' prior to proceeding. <br />
<br />
'''ZCS 8.0.x''' http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-80x.tgz<br />
<br />
'''ZCS 8.5.0''' http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-850.tgz<br />
<br />
Installation is the same for both ZCS 8.0.x and 8.5.0; just be sure to download the correct tarball for your ZCS version. To install, as root:<br />
<br />
<pre><br />
cd /opt/zimbra/conf/nginx/templates<br />
curl http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-80x.tgz | tar zxvf -<br />
su - zimbra<br />
zmproxyctl restart<br />
</pre><br />
<br />
Alternatively, you can edit each nginx template file separately. For all nginx templates in /opt/zimbra/conf/nginx/templates/ that use SSL, set the ssl_protocols option:<br />
<br />
/opt/zimbra/conf/nginx/templates/:<br />
nginx.conf.mail.imaps.default.template<br />
nginx.conf.mail.imaps.template<br />
nginx.conf.mail.imap.default.template (for starttls)<br />
nginx.conf.mail.imap.template (for starttls)<br />
nginx.conf.mail.pop3s.default.template<br />
nginx.conf.mail.pop3s.template<br />
nginx.conf.mail.pop3.default.template (for starttls)<br />
nginx.conf.mail.pop3.template (for starttls)<br />
nginx.conf.mail.template<br />
nginx.conf.web.admin.default.template<br />
nginx.conf.web.admin.template<br />
nginx.conf.web.https.default.template<br />
nginx.conf.web.https.template<br />
nginx.conf.web.sso.default.template<br />
nginx.conf.web.sso.template<br />
<br />
For example, you will see an "ssl" block in each of these within the server { } section: <br />
<br />
ssl on;<br />
ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};<br />
ssl_ciphers ${web.ssl.ciphers};<br />
ssl_certificate ${ssl.crt.default};<br />
ssl_certificate_key ${ssl.key.default};<br />
<br />
Add the following to the end of the ssl section:<br />
<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
<br />
The result will look something like this (may vary per file):<br />
<br />
server<br />
{<br />
${core.ipboth.enabled}listen [::]:${web.https.port} default;<br />
${core.ipv4only.enabled}listen ${web.https.port} default;<br />
${core.ipv6only.enabled}listen [::]:${web.https.port} default ipv6only=on;<br />
server_name ${web.server_name.default}.default;<br />
client_max_body_size 0;<br />
ssl on;<br />
ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};<br />
ssl_ciphers ${web.ssl.ciphers};<br />
ssl_certificate ${ssl.crt.default};<br />
ssl_certificate_key ${ssl.key.default};<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
...<br />
<br />
Restart the proxy servers with the following:<br />
zmproxyctl restart<br />
<br />
==== ZCS 7.x.y ====<br />
Disabling SSLv3 for ZCS 7 must be performed manually, and is only available for the nginx proxy and Postfix. The general recommendation is to use the nginx proxy on all ZCS sites, even on single-server platforms. <br />
<br />
For all nginx templates in /opt/zimbra/conf/nginx/templates/ that use SSL, set the ssl_protocols option:<br />
<br />
/opt/zimbra/conf/nginx/templates/:<br />
nginx.conf.mail.imaps.default.template<br />
nginx.conf.mail.imaps.template<br />
nginx.conf.mail.imap.default.template (for starttls)<br />
nginx.conf.mail.imap.template (for starttls)<br />
nginx.conf.mail.pop3s.default.template<br />
nginx.conf.mail.pop3s.template<br />
nginx.conf.mail.pop3.default.template (for starttls)<br />
nginx.conf.mail.pop3.template (for starttls)<br />
nginx.conf.mail.template<br />
nginx.conf.web.https.default.template<br />
nginx.conf.web.https.template<br />
nginx.conf.web.sso.default.template<br />
nginx.conf.web.sso.template<br />
<br />
For example, you will see an "ssl" block in each of these within the server { } section: <br />
<br />
ssl on;<br />
ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};<br />
ssl_ciphers ${web.ssl.ciphers};<br />
ssl_certificate ${ssl.crt.default};<br />
ssl_certificate_key ${ssl.key.default};<br />
<br />
Note that nginx 0.9 is used in ZCS 7, so only the ssl_protocols option "TLSv1" is available. Add the following to the end of the ssl section:<br />
<br />
ssl_protocols TLSv1;<br />
<br />
The result will look something like this (may vary per file):<br />
<br />
server<br />
{<br />
${core.ipboth.enabled}listen [::]:${web.https.port} default;<br />
${core.ipv4only.enabled}listen ${web.https.port} default;<br />
${core.ipv6only.enabled}listen [::]:${web.https.port} default ipv6only=on;<br />
server_name ${web.server_name.default}.default;<br />
client_max_body_size 0;<br />
ssl on;<br />
ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};<br />
ssl_ciphers ${web.ssl.ciphers};<br />
ssl_certificate ${ssl.crt.default};<br />
ssl_certificate_key ${ssl.key.default};<br />
ssl_protocols TLSv1;<br />
...<br />
<br />
Restart the proxy servers with the following:<br />
zmproxyctl restart<br />
<br />
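To confirm that every template listed in the two manual procedures above was actually edited, the check below walks that list and reports the state of the ssl_protocols directive in each file. It is an added example, not part of the original article or of ZCS; the function name audit_ssl_protocols, its status words and the "one ssl_certificate_key per ssl block" heuristic are assumptions of this example.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the Zimbra wiki): audit the nginx templates named on
# this page for the ssl_protocols directive.

# Template names copied from the ZCS 8.0.x / 8.5.x list on this page; the
# ZCS 7 list is the same without the two web.admin templates.
SSL_TEMPLATES='nginx.conf.mail.imaps.default.template
nginx.conf.mail.imaps.template
nginx.conf.mail.imap.default.template
nginx.conf.mail.imap.template
nginx.conf.mail.pop3s.default.template
nginx.conf.mail.pop3s.template
nginx.conf.mail.pop3.default.template
nginx.conf.mail.pop3.template
nginx.conf.mail.template
nginx.conf.web.admin.default.template
nginx.conf.web.admin.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template
nginx.conf.web.sso.default.template
nginx.conf.web.sso.template'

# audit_ssl_protocols DIR: for each listed template that exists in DIR print
#   "<name>: ok"        ssl_protocols is set and lists no SSLv2/SSLv3
#   "<name>: sslv3"     ssl_protocols is set but still lists SSLv2 or SSLv3
#   "<name>: missing"   no active ssl_protocols line (nginx default applies)
#   "<name>: partial"   fewer ssl_protocols lines than ssl_certificate_key
#                       lines, so some ssl block was probably skipped
#                       (heuristic, an assumption of this example)
#   "<name>: variable"  the value is a ${...} template variable; check its source
# Templates not present in DIR are skipped. The exit status is non-zero if any
# template is not "ok".
audit_ssl_protocols() (
    dir=$1
    rc=0
    for name in $SSL_TEMPLATES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # Values of active (not commented-out) ssl_protocols directives.
        protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;#]*\);.*$/\1/p' "$f")
        nprotos=$(printf '%s\n' "$protos" | grep -c . || true)
        keys=$(grep -Ec '^[[:space:]]*ssl_certificate_key[[:space:]]' "$f" || true)
        if [ -z "$protos" ]; then
            state=missing
        elif printf '%s\n' "$protos" | grep -Eq '(^|[[:space:]])SSLv[23]([[:space:]]|$)'; then
            state=sslv3
        elif [ "$nprotos" -lt "$keys" ]; then
            state=partial
        elif printf '%s\n' "$protos" | grep -qF '${'; then
            state=variable
        else
            state=ok
        fi
        echo "$name: $state"
        [ "$state" = ok ] || rc=1
    done
    exit "$rc"
)
```

Run it as `audit_ssl_protocols /opt/zimbra/conf/nginx/templates` before restarting the proxy; any line that does not end in "ok" names a template to revisit.<br />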
==== Testing ====<br />
<br />
You can run the following command to verify common ports when using the Zimbra proxy (run this at the proxy):<br />
<br />
<pre>for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 2>&1 | grep failure ; done</pre><br />
<br />
If it shows a failure like the following, SSLv3 is not supported, which is the desired result:<br />
<pre><br />
140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40<br />
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:<br />
</pre><br />
If you are seeing:<br />
<pre><br />
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA<br />
Server public key is 2048 bit<br />
Secure Renegotiation IS supported<br />
</pre><br />
SSLv3 is still enabled and you need to verify the changes.<br />
<br />
If you are proxying adminUI, please add port 9071, 7071 or the port you have configured. If you are proxying SSO requests, please add port 3443.<br />
<br />
Alternatively, you can test the following ports individually:<br />
<pre><br />
443 - HTTPS<br />
993 - IMAP-SSL<br />
995 - POP3-SSL<br />
9071 or 7071 - AdminUI SSL<br />
</pre><br />
<br />
with<br />
<br />
<pre>openssl s_client -connect host.zimbra.com:<port> -ssl3</pre><br />
<br />
=== Jetty (mailboxd) ===<br />
<br />
==== ZCS 8.0.x ====<br />
<br />
* Note: at the moment, it's not possible to disable SSLv3 with mailboxd (Jetty) for POP3-SSL and IMAP-SSL. These templates only disable SSLv3 on https (443 and 7071).<br />
<br />
We have provided downloadable '''/opt/zimbra/jetty/etc/jetty.xml.in''' file locations for ZCS 8.0.x. Make sure you backup the original jetty.xml.in first.<br />
<br />
'''ZCS 8.0.0-8.0.2'''<br />
http://files.zimbra.com/downloads/support/bug95976/jetty/800-802/jetty.xml.in<br />
<br />
'''ZCS 8.0.3'''<br />
http://files.zimbra.com/downloads/support/bug95976/jetty/803/jetty.xml.in<br />
<br />
'''ZCS 8.0.4-8.0.6'''<br />
http://files.zimbra.com/downloads/support/bug95976/jetty/804-806/jetty.xml.in<br />
<br />
'''ZCS 8.0.7-8.0.8'''<br />
http://files.zimbra.com/downloads/support/bug95976/jetty/807-808/jetty.xml.in<br />
<br />
Alternatively, you can edit the file and find the '''SslSelectChannelConnector''' instances in '''/opt/zimbra/jetty/etc/jetty.xml.in''':<br />
<br />
<pre><br />
$ grep SslSelectChannel jetty.xml.in<br />
<br />
<New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><br />
<New id="ssl-clientcert" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><br />
<New id="admin" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><br />
<New id="admin_local" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><br />
</pre><br />
<br />
Under each, add the following XML:<br />
<pre><br />
<Get name="SslContextFactory"><br />
<Set name="ExcludeProtocols"><br />
<Array type="java.lang.String"><br />
<Item>SSLv3</Item><br />
</Array><br />
</Set><br />
</Get><br />
</pre><br />
<br />
Don't forget to do a "zmmailboxdctl restart" to apply the changes.<br />
<br />
==== ZCS 8.5.x ====<br />
<br />
* Note: at the moment, it's not possible to disable SSLv3 with mailboxd (Jetty) for POP3-SSL and IMAP-SSL.<br />
<br />
Find the '''SslContextFactory''' in '''/opt/zimbra/jetty/etc/jetty.xml.in''' and add this XML:<br />
<pre><br />
<Set name="ExcludeProtocols"><br />
<Array type="java.lang.String"><br />
<Item>SSLv3</Item><br />
</Array><br />
</Set><br />
</pre><br />
Do a "zmmailboxdctl restart" to apply the changes.<br />
<br />
==== Testing ====<br />
<br />
Run the following command (as zimbra) for every port using SSL:<br />
<br />
<pre>openssl s_client -connect `zmhostname`:<port> -ssl3</pre><br />
<br />
For example, for port 443:<br />
<pre>openssl s_client -connect `zmhostname`:443 -ssl3</pre><br />
<br />
If it shows a failure like the following, SSLv3 is not supported, which is the desired result:<br />
<pre><br />
140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40<br />
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:<br />
</pre><br />
<br />
or below (an example with ZCS 8.0.x and Jetty 7.6 w/SSLv3 successfully disabled):<br />
<pre><br />
CONNECTED(00000003)<br />
write:errno=104<br />
---<br />
no peer certificate available<br />
---<br />
No client certificate CA names sent<br />
---<br />
SSL handshake has read 0 bytes and written 0 bytes<br />
---<br />
New, (NONE), Cipher is (NONE)<br />
Secure Renegotiation IS NOT supported<br />
Compression: NONE<br />
Expansion: NONE<br />
SSL-Session:<br />
Protocol : SSLv3<br />
Cipher : 0000<br />
Session-ID:<br />
Session-ID-ctx:<br />
Master-Key:<br />
Key-Arg : None<br />
Krb5 Principal: None<br />
PSK identity: None<br />
PSK identity hint: None<br />
Start Time: 1413506064<br />
Timeout : 7200 (sec)<br />
Verify return code: 0 (ok)<br />
---<br />
</pre><br />
<br />
If you are seeing:<br />
<pre><br />
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA<br />
Server public key is 2048 bit<br />
Secure Renegotiation IS supported<br />
</pre><br />
SSLv3 is still enabled and you need to verify the changes.<br />
<br />
List of common ports:<br />
<pre><br />
443 - HTTPS<br />
993 - IMAP-SSL<br />
995 - POP3-SSL<br />
7071 - AdminUI SSL<br />
</pre><br />
<br />
=== Postfix (MTA)===<br />
<br />
'''Warnings:'''<br />
<br />
* Disabling SSLv3 might prevent [http://en.wikipedia.org/wiki/Comparison_of_email_clients#SSL_and_TLS_support older mail clients] from connecting to Zimbra, since they might not support TLS. This is important when using port 465 (SMTP-SSL), where encryption is mandatory (smtpd_tls_mandatory_protocols).<br />
<br />
<br />
==== ZCS 8.5.x ====<br />
<br />
At the MTA server, run (as zimbra):<br />
<br />
<pre>zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'</pre><br />
<br />
'''Run "zmmtactl stop ; zmmtactl start" to force the changes''' on ''zimbraMtaSmtpdTlsProtocols'' or wait for zmconfigd to rewrite Postfix config from LDAP in 1 minute or less.<br />
<br />
==== ZCS 8.0.x and ZCS 7.x.y ====<br />
<br />
At the MTA server, run (as zimbra):<br />
<br />
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'<br />
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'<br />
<br />
Note that smtpd_tls_protocols and smtpd_tls_mandatory_protocols will need to be set after every upgrade for 8.0.x or 7.x.y versions.<br />
<br />
==== Testing STARTTLS on port 25 ====<br />
<br />
Run openssl, forcing SSLv3:<br />
openssl s_client -connect mail.example.com:25 -ssl3 -starttls smtp<br />
<br />
Confirm that connection is refused with an "ssl handshake failure":<br />
<br />
CONNECTED(00000003)<br />
140701008086856:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40<br />
140701008086856:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:'''ssl handshake failure''':s3_pkt.c:596:<br />
---<br />
SSL handshake has read 220 bytes and written 0 bytes<br />
---<br />
New, (NONE), Cipher is (NONE)<br />
Secure Renegotiation IS NOT supported<br />
Compression: NONE<br />
Expansion: NONE<br />
SSL-Session:<br />
Protocol : SSLv3<br />
Cipher : 0000<br />
Session-ID:<br />
Session-ID-ctx:<br />
Master-Key:<br />
Key-Arg : None<br />
Krb5 Principal: None<br />
PSK identity: None<br />
PSK identity hint: None<br />
Start Time: 1413400965<br />
Timeout : 7200 (sec)<br />
Verify return code: 0 (ok)<br />
<br />
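The outcomes shown in the Testing sections above (proxy, mailboxd and STARTTLS; the SMTP-SSL test that follows produces the same messages) can be told apart mechanically, including the case where the local openssl cannot speak SSLv3 at all and therefore proves nothing about the server. The functions below are an added example, not part of the original article or of ZCS; the names classify_sslv3, probe_sslv3 and report_sslv3, the labels they print and the message fragments matched for "untested" are assumptions of this example.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the Zimbra wiki): classify an SSLv3-only probe made
# with `openssl s_client ... -ssl3`, using the outcomes shown on this page.

# Sample outputs. The first three are taken from this page; the last one is
# constructed to represent an openssl build without SSLv3 support.
SAMPLE_ALERT='140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40'
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit'
SAMPLE_NO_CLIENT_SSL3='s_client: Unknown option: -ssl3'

# classify_sslv3: read s_client output (stdout and stderr merged) on stdin and
# print one of: enabled, disabled, untested, unknown.
classify_sslv3() (
    out=$(cat)
    # Cipher reported on the "New, ..., Cipher is ..." summary line, if any.
    cipher=$(printf '%s\n' "$out" |
        sed -n -e 's/[[:space:]]*$//' -e 's/^New, .*Cipher is \(.*\)$/\1/p' |
        head -n 1)
    if printf '%s\n' "$out" | grep -qiE 'unknown option|no protocols available'; then
        # The local openssl never sent an SSLv3 ClientHello, so the server was
        # not tested. Assumption: the exact wording varies by OpenSSL version.
        echo untested
    elif [ -n "$cipher" ] && [ "$cipher" != "(NONE)" ]; then
        echo enabled      # a cipher was negotiated over SSLv3
    elif [ "$cipher" = "(NONE)" ] ||
         printf '%s\n' "$out" | grep -q 'handshake failure'; then
        echo disabled     # alert 40 or a reset during the handshake
    else
        echo unknown      # timeout, refused connection, empty output
    fi
)

# probe_sslv3 HOST PORT [STARTTLS_PROTOCOL]: run the page's test command with
# stderr merged and stdin closed, then classify the result.
probe_sslv3() {
    if [ -n "${3:-}" ]; then
        timeout 5 openssl s_client -connect "$1:$2" -ssl3 -starttls "$3" </dev/null 2>&1
    else
        timeout 5 openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1
    fi | classify_sslv3
}

# report_sslv3 HOST PORT...: print one "port result" line per port (port 25 is
# probed with -starttls smtp, as in the STARTTLS test above). The exit status
# is non-zero unless every port reports "disabled".
report_sslv3() (
    host=$1
    shift
    rc=0
    for port in "$@"; do
        if [ "$port" = 25 ]; then
            result=$(probe_sslv3 "$host" "$port" smtp)
        else
            result=$(probe_sslv3 "$host" "$port")
        fi
        echo "$port $result"
        [ "$result" = disabled ] || rc=1
    done
    exit "$rc"
)
```

For example, `report_sslv3 mail.example.com 443 993 995 7071 25 465` covers the ports named on this page; an "untested" result means the probe has to be repeated from a host whose openssl still accepts -ssl3.<br />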
==== Testing SMTP-SSL ====<br />
<br />
<pre>timeout 3 openssl s_client -connect mail.example.com:465 -ssl3</pre><br />
<br />
If it shows a failure like the following, SSLv3 is not supported, which is the desired result:<br />
<pre><br />
140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40<br />
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:<br />
</pre></div>
William Lac

https://wiki.zimbra.com/index.php?title=Ajcody-Notes-Archive-Discovery-Mailstore-Setup&diff=56627
Ajcody-Notes-Archive-Discovery-Mailstore-Setup
2015-01-14T19:24:50Z
<p>William Lac: /* MTA's - Require Configuration */</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
====Actual Multi-Server & New Mailstore A&D Setup Homepage====<br />
<br />
Please see [[Ajcody-Notes-Archive-Discovery-Mailstore-Setup]]<br />
<br />
====Issues That Have Caused Confusion====<br />
<br />
=====What Gets Installed Where?=====<br />
<br />
======RFE To Clear Up The Confusion======<br />
<br />
* "Clear Up "archiving" service/package confusion"<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=95931<br />
<br />
======zimbra-archive package/rpm - Mailstores======<br />
<br />
zimbra-archive (the package/rpm you see from the installer) should be installed on all mailstores which you want to use for cross mailbox search. This also sets the zimbraComponentAvailable archiving config attribute which allows the mta(s) to turn on archiving. '''zimbra-archive is not installed directly on the mta, it's just enabled.'''<br />
<br />
Note, you install zimbra-archive on a mailbox server '''but the service runs on the mta node.'''<br />
<br />
======MTA's - Require Configuration======<br />
<br />
If you add zimbra-archiving to an existing install, you need to:<br />
* Install zimbra-archiving on one or more of your mailbox servers<br />
* Then set zimbraServiceInstalled archiving and zimbraServiceEnabled archiving on all the mta servers<br />
* Restart the mta services<br />
<br />
For example:<br />
<br />
zmprov ms mta.example.com +zimbraServiceInstalled archiving +zimbraServiceEnabled archiving<br />
<br />
On the mta server:<br />
<br />
zmmtactl restart<br />
<br />
To confirm that /opt/zimbra/conf/amavisd.conf was modified correctly, check on the mta that this line:<br />
<br />
 #$archive_quarantine_method = 'smtp:[127.0.0.1]:10025'; <br />
<br />
has been uncommented:<br />
<br />
$archive_quarantine_method = 'smtp:[127.0.0.1]:10025';<br />
<br />
You'll be able to then notice in the /var/log/zimbra.log file if the redirect to the A&D account is happening [once A&D accounts are setup that is]. Example uses example.com.archive as the archive domain I setup for the A&D accounts :<br />
<br />
<pre><br />
grep "example.com.archive" /var/log/zimbra.log<br />
Dec 11 13:38:52 mta-server amavis[1978]: (01978-19) SEND via SMTP: <> -> <br />
<user-20081211@example.com.archive>,ENVID=AM.8ISxcrQG8uAj.20081211T193852Z@mailstore.example.com <br />
BODY=7BIT 250 2.6.0 Ok, id=01978-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as <br />
5ADF8F120C4<br />
Dec 11 13:38:52 mta-server postfix/lmtp[21864]: 5ADF8F120C4: <br />
to=<user-20081211@example.com.archive>, relay=archive.example.com[X.X.X.93]:7025, <br />
delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 OK)<br />
</pre><br />
<br />
======Enabling Amavis And Archiving With 8.5+ While Antispam And AntiVirus Are Disabled======<br />
<br />
With 8.0.8 and 8.5, archiving should be able to run without as/av being enabled.<br />
<br />
* It should be possible to remove Amavis as a service<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=89603<br />
<br />
For example, disabling antispam and antivirus but enabling amavis [required] and archiving on a mta server [note - this server had the full mta package already installed on it and had antivirus, antispam, [amavis], and postfix running on it] :<br />
<br />
<pre><br />
[zimbra@850-mta1 ~]$ zmcontrol status | egrep 'amavis|antispam|antivirus|archiving'<br />
amavis Running<br />
antispam Running<br />
antivirus Running<br />
<br />
[zimbra@850-mta1 ~]$ zmprov ms `zmhostname` +zimbraServiceEnabled archiving \<br />
+zimbraServiceEnabled amavis -zimbraServiceEnabled antispam -zimbraServiceEnabled antivirus<br />
<br />
[zimbra@850-mta1 ~]$ zmcontrol restart <br />
Host 850-ldap1.zimbra.homeunix.com<br />
Stopping vmware-ha...Done.<br />
[cut]<br />
Stopping ldap...Done.<br />
Host 850-ldap1.zimbra.homeunix.com<br />
Starting ldap...Done.<br />
Starting zmconfigd...Done.<br />
Starting dnscache...Done.<br />
Starting logger...Done.<br />
Starting convertd...Done.<br />
Starting mailbox...Done.<br />
Starting memcached...Done.<br />
Starting proxy...Done.<br />
Starting amavis...Done.<br />
Starting opendkim...Done.<br />
Starting archiving...Done.<br />
Starting snmp...Done.<br />
Starting spell...Done.<br />
Starting mta...Done.<br />
Starting stats...Done.<br />
Starting service webapp...Done.<br />
Starting zimbra webapp...Done.<br />
Starting zimbraAdmin webapp...Done.<br />
Starting zimlet webapp...Done.<br />
[zimbra@850-ldap1 ~]$ zmcontrol status | egrep 'amavis|antispam|antivirus|archiving'<br />
amavis Running<br />
archiving Running<br />
</pre><br />
<br />
======zimbra_xmbxsearch zimlet======<br />
<br />
For 5.x installs, the zimbra_xmbxsearch zimlet will get configured on each mailstore that you install the zimbra-archive package on. The documentation in various places might cause confusion on this matter, because for the 4.x releases it was a separate step.<br />
<br />
You should find the zimlet already located at /opt/zimbra/zimlets-network/zimbra_xmbxsearch.zip<br />
<br />
After the installation, you should see when you go to the admin web console on the mailstore you install the zimbra-archive package on that the cross-mailbox search zimlet is there. It shows up in two locations:<br />
<br />
* Left Pane : Configuration > Admin Extensions > zimbra_xmbxsearch<br />
* Left Pane : Tools > Search Mail<br />
<br />
If you want this zimlet to also be available on a server that doesn't have the zimbra-archiving package installed, you can deploy it on that server.<br />
<br />
cd /opt/zimbra/zimlets-network/<br />
zmzimletctl deploy zimbra_xmbxsearch.zip<br />
## ls the directory and confirm the full name - you might need this:<br />
zmzimletctl deploy com_zimbra_xmbxsearch.zip<br />
<br />
====The How-To====<br />
<br />
=====Reference Documents=====<br />
<br />
http://www.zimbra.com/docs/ne/latest/multi_server_install/multi-server_install.5.1.html<br />
<br />
http://www.zimbra.com/docs/ne/latest/administration_guide/Archiving.16.1.html<br />
<br />
=====Assumptions=====<br />
<br />
This install how-to assumes you have an existing LDAP/Mailstore/MTA server(s) for your normal production environment, the Zimbra license and logger are installed on the primary ZCS server(s), and that you are NOT running the proxy module. <br />
<br />
Example archive mailstore hostname is : archive.example.com<br />
<br />
Example primary ZCS hostname is : mail.example.com<br />
<br />
=====Preliminary Items=====<br />
<br />
Things to do or check before install:<br />
<br />
* DNS entry for new mailstore and primary ZCS server(s) can resolve to it.<br />
* DNS configured properly on mailstore server.<br />
* Master Root LDAP Server mail.example.com<br />
* Master Root LDAP Password<br />
** On LDAP server do : su - zimbra ; zmlocalconfig -s | grep ldap_root_password<br />
* Master LDAP port – default is 389<br />
* SMTP Server<br />
<br />
=====Installation Of New Mailstore That Will Have A&D=====<br />
<br />
======Install Modules======<br />
<br />
* Type y to install the zimbra-store, zimbra-archiving and zimbra-spell (optional) packages. <br />
** '''Do Not Install MTA! These Instructions Do Not Take That Into Account.'''<br />
** When zimbra-spell is installed the zimbra-apache package is also installed.<br />
* Installing: zimbra-core zimbra-store zimbra-apache zimbra-spell<br />
<br />
======Modify Configuration======<br />
<br />
Press Enter to modify the system. The selected packages are installed on the server.<br />
<br />
At this point the Main menu displays the default entries for the Zimbra component you are installing. <br />
<br />
To expand the menu to see the configuration values type x and press Enter.<br />
<br />
To navigate the Main menu, select the menu item to change. You can modify any of the defaults.<br />
<br />
* Common Configuration<br />
** LDAP<br />
*** Ldap master host: [set this to the FQDN of your LDAP server]<br />
*** Ldap port: 389 [set this if your LDAP server isn’t using default]<br />
*** Ldap Admin password: [this is your LDAP servers Root LDAP password]<br />
**** On LDAP server do : su - zimbra ; zmlocalconfig -s ldap_root_password<br />
*** TimeZone: [set this]<br />
<br />
* For zimbra-store<br />
** Set the Admin Password<br />
*** +License filename: UNSET [if you see this, then something is wrong with your LDAP configuration. It should have pulled the license info from the LDAP server.]<br />
** Set the SMTP host<br />
<br />
Type r to return to the Main menu, if you aren’t there already.<br />
<br />
When the mailbox server is configured, return to the Main menu and type a to apply the configuration changes. <br />
<br />
Press Enter to save the configuration data.<br />
<br />
When Save Configuration data to a file appears, press Enter.<br />
<br />
The next request is where to save the files. To accept the default, press Enter. <br />
<br />
To save the files to another directory, enter the directory and then press Enter.<br />
<br />
When “The system will be modified - continue?” appears type y and press Enter.<br />
<br />
The server is modified. <br />
<br />
Installing all the components and configuring the server can take a few minutes.<br />
<br />
When Installation complete - press return to exit displays, press Enter.<br />
<br />
The installation of the mailbox server is complete.<br />
<br />
======After Install======<br />
<br />
Confirm server status<br />
<br />
 su - zimbra ; zmcontrol status<br />
<br />
Populate the ssh keys, on each server in your environment<br />
<br />
su - zimbra ; zmupdateauthkeys <br />
<br />
The key is updated on /opt/zimbra/.ssh/authorized_keys.<br />
<br />
=====Upgrading A Zimbra Server For An Archive & Discovery Mailstore=====<br />
<br />
======Adding Package For A&D======<br />
<br />
This will retain your current settings for the system. Your server will experience downtime during the upgrade.<br />
<br />
untar zcs*.tar that matches your existing system<br />
<br />
<pre><br />
cd zcs-version-directory<br />
./install<br />
choose upgrade<br />
select zimbra-archiving<br />
</pre><br />
<br />
The upgrade of the mailbox server is complete.<br />
<br />
======After Upgrade======<br />
<br />
Confirm server status<br />
<br />
 su - zimbra ; zmcontrol status<br />
<br />
'''Note, zimbra-archiving only runs as a service on a MTA server.'''<br />
<br />
Populate the ssh keys, on each server in your environment<br />
<br />
 su - zimbra ; zmupdateauthkeys <br />
<br />
The key is updated on /opt/zimbra/.ssh/authorized_keys. <br />
<br />
=====Configure Zimbra For Use Of The New Mailstore and A&D=====<br />
<br />
Example A&D mailstore hostname is : archive.example.com<br />
<br />
* Go to your primary admin console url. [https://[example.com]:7071/zimbraAdmin]<br />
# Confirm you see the new mailstore under Configuration > Servers<br />
## Under Configuration > Servers > [MTA servername(s)] > Services<br />
### [each MTA server needs this]<br />
### You’ll see a box for Archiving and Discovery<br />
#### Check this to enable the MTA server(s) for Archiving and Discovery. '''If this is grayed out, run the command below (modified for your server) on one of your mailstores.'''<br />
####* This effectively does:<br />
####* <pre>zmprov ms mta.example.com +zimbraServiceInstalled archiving +zimbraServiceEnabled archiving</pre><br />
####** Remember, zmprov uses the variable below. '''An MTA-only server ''can't'' be set for localhost; change it to point to a mailstore.'''<br />
####** <pre> [root@mta ~]# zmlocalconfig | grep zmprov</pre><br />
####** <pre> zimbra_zmprov_default_soap_server = localhost</pre><br />
####** <pre> [root@mta ~]# zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com</pre><br />
# Go to Configuration > Class of Service > default [or your primary domain] > Server Pool<br />
## You’ll want to make sure it’s limited to the correct server pools<br />
### Your '''new mailstore for A&D should be unchecked'''.<br />
## Click on New for a new Class of Service (COS)<br />
### Call it archive or something similar<br />
#### Under Server Pool > Limit > have only the new mailstore checked<br />
<br />
=====Setup Initial A&D With First Account - Creation Of The Archive Domain=====<br />
<br />
======Revisit To COS - Naming Scheme Of Archive Accounts======<br />
<br />
When archive accounts are created they use the zimbraArchiveAccountNameTemplate variable from the COS. The default is:<br />
<br />
$ zmprov gc default | grep -i archive<br />
zimbraArchiveAccountDateTemplate: yyyyMMdd<br />
zimbraArchiveAccountNameTemplate: ${USER}-${DATE}@${DOMAIN}.archive<br />
<br />
I, personally, don't like the use of the $DATE variable in this. I change my ARCHIVE COS to use the normal username but retain the .archive for the domain.<br />
<br />
zmprov mc archive zimbraArchiveAccountNameTemplate '${USER}@${DOMAIN}.archive'<br />
<br />
Bug to be aware of:<br />
<br />
* "zimbraArchiveAccountNameTemplate is case sensitive - PDF doc is wrong"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=44659<br />
<br />
======The Creation======<br />
<br />
On the server with zmarchiveconfig (most likely the mailstore you installed A&D on), as the zimbra user (su - zimbra), do the following to set up your first A&D account.<br />
<br />
 format : zmarchiveconfig -s servername enable user@example.com archive-cos <cos><br />
<br />
example : <br />
<br />
 zmarchiveconfig -s archive.example.com enable account@example.com archive-cos archive<br />
<br />
'''NOTE'''<br />
: If the above command doesn't seem to create the archive account/domain, drop the use of [ -s servername ]. Basically, just run this on the A&D mailstore:<br />
<br />
:: <pre>zmarchiveconfig enable account@example.com archive-cos archive</pre><br />
<br />
The above command will create the mail domain for the archive accounts using the template defaults: user@example.com produces the domain example.com.archive.<br />
<br />
On your main ldap server, or wherever you usually access the zimbra admin web console, log in to the admin web console.<br />
<br />
# Confirm the archive domain was setup. <br />
## Configuration > Domains > [domainname].archive > General<br />
## Confirm or adjust the archive domain to use the right COS<br />
### Configuration > Domains > [domainname].archive > General Information<br />
#### Change “Default Class of Service” to your COS [archive], if needed for your configuration.<br />
# Now check for the new archive account you made<br />
## Address > Accounts<br />
## Click on account and hit the edit button<br />
## In the top summary section you'll be able to confirm the COS and Mail Server being used for the account.<br />
### '''NOTE''', if it's showing the account is on the primary mailstore and NOT the A&D mailstore.<br />
#### Remove the A&D account<br />
####* <pre> zmprov ra [user]@[domainname].archive</pre><br />
#### Add the account back again using the zmarchiveconfig command<br />
####* <pre>zmarchiveconfig enable account@example.com archive-cos archive</pre><br />
#### Now confirm, as above, that the account is using the A&D mailstore.<br />
####* This might be a bug related to the archive domain being created for the first time.<br />
<br />
Send the primary account a test email and then shortly afterwards do a "View Mail" within the admin console for the archive account. You should see the archive message in the archive account.<br />
<br />
======Error: unknown document: EnableArchiveRequest======<br />
<br />
If you get the error "Error: unknown document: EnableArchiveRequest" when trying to create the archive account, you most likely needed to install a new license for A&D and have not restarted the mailboxd services. Updating the license is not enough; you'll need to restart ZCS on the mailstores also.<br />
<br />
See the following bug:<br />
<br />
* zimbra-archive extension fails to load when init() fails due to LDAP server outage<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=66484<br />
<br />
======RFE's On Archive Accounts======<br />
<br />
* RFE: COS option to create archiving account automatically by default <br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=83665<br />
<br />
=====Testing Of Archive Mail Flow=====<br />
<br />
Send the primary account a test email and then shortly afterwards do a "View Mail" within the admin console for the archive account. You should see the archive message in the archive account.<br />
<br />
You should confirm mail flow copies occur with the following:<br />
<br />
# Inbound<br />
## External Account (email) to the primary zimbra account setup for archive.<br />
## A zimbra account that ISN'T the archive account in question to the primary account setup for archive.<br />
# Outbound<br />
## With primary account setup for archive, send an email to an external email address.<br />
## With primary account setup for archive, send an email to another internal zimbra email address.<br />
<br />
=====Archive Account Isn't Getting Email=====<br />
<br />
Let's double check everything was done correctly up above.<br />
<br />
Assumption on syntax of account creation:<br />
<br />
zmarchiveconfig enable user@example.com archive-cos archive<br />
<br />
Let's check what actually was done:<br />
<br />
zmprov ga user@example.com | grep -i archive<br />
amavisArchiveQuarantineTo: user-20081211@example.com.archive<br />
zimbraArchiveAccount: user-20081211@example.com.archive<br />
zimbraArchiveAccountNameTemplate: ${USER}-${DATE}@${DOMAIN}.archive<br />
<br />
If you are using the archive templates, it should reference an account of the form:<br />
<br />
user-[date]@example.com.archive<br />
<br />
That account should exist and reference lmtp, rather than smtp, for the transport:<br />
<br />
zmprov ga user-20081211@example.com.archive | grep -i trans<br />
zimbraMailTransport: lmtp:archive.example.com:7025<br />
<br />
=====Checking Logs For Archive Operations=====<br />
<br />
On the '''mta-server''', you should find a reference to the archive account in /var/log/zimbra.log<br />
<br />
grep archive /var/log/zimbra.log<br />
Dec 11 13:38:52 mta-server amavis[1978]: (01978-19) SEND via SMTP: <> -> <br />
<user-20081211@example.com.archive>,ENVID=AM.8ISxcrQG8uAj.20081211T193852Z@mailstore.example.com <br />
BODY=7BIT 250 2.6.0 Ok, id=01978-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as <br />
5ADF8F120C4<br />
Dec 11 13:38:52 mta-server postfix/lmtp[21864]: 5ADF8F120C4: <br />
to=<user-20081211@example.com.archive>, relay=archive.example.com[X.X.X.93]:7025, <br />
delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 OK)<br />
<br />
On the '''archive-server''', you should find reference to the delivery in /opt/zimbra/log/mailbox.log<br />
<br />
grep archive /opt/zimbra/log/mailbox.log<br />
2008-12-11 14:45:32,923 INFO [LmtpServer-9] <br />
[name=user-20081211@example.com.archive;mid=7;] mailop - Adding Message: id=257,<br />
Message-ID=<1350363939.41021229024728317.JavaMail.root@EXTERNAL-MTA.DOMAIN.com>, parentId=-1,<br />
folderId=2, folderName=Inbox.<br />
<br />
=====Mass Accounts Configuration=====<br />
<br />
::'''Update''', our 6.0 release will have a zmarchiveconfig -f command for batch processing from a file input.<br />
<br />
'''CHECK YOUR AVAILABLE LICENSES BEFORE YOU PROCEED!!'''<br />
<br />
'''One could put all the accounts in a txt file and then use a for-loop to process the account@example.com variable.'''<br />
<br />
zmprov -l gaa > /tmp/accounts.txt<br />
<br />
'''Remove any accounts you've already done and those not necessary for archiving (ex. admin, ham, spam, etc.)'''<br />
<br />
You can give gaa other options, look at zmprov help account. For example, you could also narrow this down to a dump of accounts in a domain:<br />
<br />
zmprov -l gaa [DOMAIN] > /tmp/accounts.txt<br />
<br />
'''Note, the below uses the above setup for A&D - You'll need to modify for your environment.'''<br />
<br />
<pre><br />
for i in `cat /tmp/accounts.txt`<br />
do<br />
zmarchiveconfig -s archive.example.com enable $i archive-cos archive<br />
sleep 3<br />
done<br />
</pre><br />
<br />
You can be tailing /opt/zimbra/log/mailbox.log on the archive server to watch the progress.<br />
<br />
=====Searches After Configuration Is Done=====<br />
<br />
Please see [[Ajcody-Server-Misc-Topics#Cross_Mailbox_Searches_and_Tracing]]<br />
<br />
=====Searches Limited To 500 or 1000 Maximum Results=====<br />
<br />
See [[Ajcody-Server-Misc-Topics#Searches_Limited_To_500_or_1000_Maximum_Results]]<br />
<br />
[[Category: Community Sandbox]]<br />
[[Category: Archive & Discovery]]</div>William Lachttps://wiki.zimbra.com/index.php?title=Ajcody-MTA-Postfix-Topics&diff=56526Ajcody-MTA-Postfix-Topics2014-12-16T18:18:36Z<p>William Lac: /* Confirming And Setting zimbraMtaRelayHost And zimbraMtaDnsLookupsEnabled */</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
==Postfix - MTA==<br />
<br />
===Actual MTA & Postfix Topics Homepage===<br />
<br />
Please see [[Ajcody-MTA-Postfix-Topics]]<br />
<br />
===Missing main.cf Error===<br />
<br />
If you get something like:<br />
<br />
postfix/postqueue[8739]: fatal: open /opt/zimbra/postfix-2.4.7.5z/conf/main.cf: No such file or directory <br />
<br />
All you need to do is create an empty main.cf file and zimbra will rewrite it.<br />
<br />
touch main.cf<br />
<br />
When you now do something to start the mta, it will generate the values for main.cf<br />
<br />
zmmtactl stop<br />
zmmtactl start<br />
<br />
===MTA Mail Flow - Birds-eye Overview===<br />
<br />
The following references are very good reads to familiarize yourself with in regards to postfix.<br />
<br />
* http://www.onlamp.com/pub/a/onlamp/2004/01/22/postfix.html<br />
* http://www.linuxjournal.com/article/9454 [5 pages]<br />
* https://help.ubuntu.com/community/PostfixBasicSetupHowto [nice flowcharts]<br />
* http://www.postfix.org/OVERVIEW.html<br />
* http://www.postfix.org/smtpd.8.html<br />
* http://www.postfix.org/QSHAPE_README.html - "Postfix Bottleneck Analysis"<br />
** This explains how the postfix queues work, a must read.<br />
*** http://www.postfix.org/QSHAPE_README.html#queues<br />
* Also look at [[Ajcody-MTA-Postfix-Topics#Getting_Some_Initial_Summary_Data]] since having this data or these reports on hand might make the references above more meaningful.<br />
<br />
Below is my initial attempt to show the flow within ZCS.<br />
<br />
<pre><br />
Incoming mail > smtp port 25<br />
<br />
> netstat -plnt | grep ":25 " <br />
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN - <br />
## smtp port 25 is because 'mta is enabled'<br />
<br />
> zmprov gs `zmhostname` zimbraServiceEnabled | grep mta<br />
zimbraServiceEnabled: mta<br />
<br />
Postfix's "Incoming Queue"<br />
/opt/zimbra/data/postfix/spool/incoming/<br />
<br />
Postfix's "Active Queue"<br />
/opt/zimbra/data/postfix/spool/active/<br />
<br />
su - zimbra<br />
$ sudo /opt/zimbra/libexec/zmqstat<br />
hold=0<br />
corrupt=0<br />
deferred=0<br />
active=0<br />
incoming=0<br />
<br />
Is amavisd enabled?<br />
zcs721:/opt/zimbra/postfix/conf # diff main.cf /tmp/before/postfix/conf/main.cf<br />
< content_filter = <br />
> content_filter = smtp-amavis:[127.0.0.1]:10024<br />
<br />
Then messages goto port 10024<br />
zimbra@zcs721:~> netstat -plnt | grep 10024<br />
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 2583/amavisd (ch8-a <br />
<br />
Three things amavisd is enabled for:<br />
<br />
1. spamassassin<br />
zmprov ms `zmhostname` +zimbraServiceEnabled antispam <br />
<br />
/opt/zimbra/conf> diff amavisd.conf /tmp/before/amavisd.conf<br />
<br />
< @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code<br />
> # @bypass_spam_checks_maps = (1); # uncomment to DISABLE anti-spam code<br />
<br />
2. clamav<br />
zmprov ms `zmhostname` +zimbraServiceEnabled antivirus<br />
<br />
/opt/zimbra/conf> diff amavisd.conf /tmp/before/amavisd.conf<br />
< @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code<br />
> # @bypass_virus_checks_maps = (1); # uncomment to DISABLE anti-virus code<br />
<br />
3. archiving<br />
zmprov ms `zmhostname` +zimbraServiceEnabled archiving<br />
<br />
/opt/zimbra/conf> diff amavisd.conf /tmp/before/amavisd.conf<br />
< $archive_quarantine_method = 'smtp:[127.0.0.1]:10025';<br />
> #$archive_quarantine_method = 'smtp:[127.0.0.1]:10025';<br />
<br />
zimbra@zcs721:~/postfix/conf> netstat -plnt | grep 1002 <br />
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 13779/amavisd (mast <br />
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN <br />
<br />
Once the amavis related items are checked, the message goes back to postfix's <br />
active queue via port 10025 and will get delivered to the mailstore via lmtp/port 7025<br />
<br />
> netstat -plnt | grep 7025<br />
tcp 0 0 0.0.0.0:7025 0.0.0.0:* LISTEN - <br />
<br />
You can see how the ports are configured in /opt/zimbra/postfix/conf in the master.cf & master.cf.in<br />
files. Port 10025 [always configured] and 10024 [only configured if amavis is enabled] <br />
are setup there also.<br />
<br />
</pre><br />
<br />
===Understanding /var/log/zimbra.log And Postfix Log Events===<br />
<br />
Ref: <br />
* http://www.onlamp.com/pub/a/onlamp/2004/01/22/postfix.html<br />
* https://wiki.kolab.org/What_is_happening_to_my_emails_where_are_their._Search_your_postfix_log_to_find_them<br />
<br />
To see some of the basic warnings:<br />
<br />
$ egrep '(reject|warning|error|fatal|panic):' /var/log/zimbra.log<br />
<br />
Log events follow this basic pattern:<br />
<pre><br />
Description <br />
|| Date & Time || Hostname || Postfix component id || Message<br />
Example <br />
Dec 31 11:34:21 testserver postfix/smtpd[1677]: connect from mail.example.com[192.168.100.45]<br />
</pre><br />
The process ID is in the square brackets. <br />
<br />
====Postfix Queue ID vs. message-id====<br />
<br />
* '''Note, postfix queue ID is NOT message-id.''' <br />
* '''''For the examples below, the ZCS server being used has an ip address of 10.137.27.32 .'''''<br />
<br />
A message-id is assigned by the MUA, or by postfix if the message doesn't have one. The message-id is in the header of the email. The postfix queue ID is NOT in the header of the email. An email header will also have the original email's message-id if it's a reply.<br />
<br />
<pre><br />
Date: Tue, 4 Jun 2013 06:43:55 -0700 (PDT)<br />
From: Adam Cody 2 <ajcody2@zcs723.EXAMPLE.com><br />
To: Adam Cody <ajcody@zcs723.EXAMPLE.com><br />
### COMMENT START - Below are the two message-id's<br />
### The message-id is noted in the /var/log/zimbra.log log events<br />
### Example will be shown farther down<br />
Message-ID: <315186059.60.1370353435012.JavaMail.root@zcs723.EXAMPLE.com><br />
In-Reply-To: <692082388.59.1370352733069.JavaMail.root@zcs723.EXAMPLE.com><br />
### End Of COMMENT<br />
Subject: Re: test email<br />
MIME-Version: 1.0<br />
Content-Type: text/plain; charset=utf-8<br />
Content-Transfer-Encoding: 7bit<br />
X-Originating-IP: [10.16.XX.XX]<br />
X-Mailer: Zimbra 7.2.3_GA_2872 (ZimbraWebClient - [unknown] (Win)/0.0)<br />
<br />
reply back<br />
<br />
----- Original Message -----<br />
From: "Adam Cody" <ajcody@zcs723.EXAMPLE.com><br />
To: "Adam Cody 2" <ajcody2@zcs723.EXAMPLE.com><br />
Sent: Tuesday, June 4, 2013 9:32:13 AM<br />
Subject: test email<br />
</pre><br />
<br />
When a message enters the Postfix system [incoming or outgoing] it is immediately assigned a queue ID. Postfix/ZCS will most likely have a message leave the postfix queue for other processing: amavis, filters, etc. This will cause the message to get a new queue ID. This can also happen if you requeue your messages by doing something like: postsuper -r . You will need to note the '''message-id and ALL queue IDs''' to get the complete picture of what happened to a particular email. For the example below, I first did a search in /var/log/zimbra.log for the message-id [found by looking at the header, ZWC > Sent box > View Original on the email I sent]. <br />
<br />
egrep "692082388.59.1370352733069.JavaMail.root" /var/log/zimbra.log<br />
<br />
This output then gave me the associated postfix queue IDs; there were two unique ones. I then did another search using all three values:<br />
<br />
<pre><br />
QueueID QueueID MessageID<br />
egrep "59E261E78D1|C6CAA1E78D2|692082388.59.1370352733069.JavaMail.root" /var/log/zimbra.log<br />
</pre><br />
<br />
Below is the output, showing the full set of log events in /var/log/zimbra.log for this one email.<br />
<br />
<pre><br />
Jun 4 06:32:14 zcs723 postfix/smtpd[16290]: <br />
59E261E78D1: client=zcs723.EXAMPLE.com[10.137.27.32]<br />
Jun 4 06:32:14 zcs723 postfix/cleanup[16293]: <br />
59E261E78D1: message-id=<692082388.59.1370352733069.JavaMail.root@zcs723.EXAMPLE.com><br />
Jun 4 06:32:14 zcs723 postfix/qmgr[7864]: <br />
59E261E78D1: from=<ajcody@zcs723.EXAMPLE.com>, size=673, nrcpt=1 (queue active)<br />
Jun 4 06:32:44 zcs723 postfix/smtpd[16310]: <br />
C6CAA1E78D2: client=localhost[127.0.0.1]<br />
Jun 4 06:32:44 zcs723 postfix/cleanup[16293]: <br />
C6CAA1E78D2: message-id=<692082388.59.1370352733069.JavaMail.root@zcs723.EXAMPLE.com><br />
Jun 4 06:32:44 zcs723 postfix/qmgr[7864]: <br />
C6CAA1E78D2: from=<ajcody@zcs723.EXAMPLE.com>, size=1361, nrcpt=1 (queue active)<br />
Jun 4 06:32:44 zcs723 amavis[19662]: (19662-02) <br />
FWD via SMTP: <ajcody@zcs723.EXAMPLE.com> -> <ajcody2@zcs723.EXAMPLE.com>,<br />
BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C6CAA1E78D2<br />
Jun 4 06:32:45 zcs723 postfix/lmtp[16311]: C6CAA1E78D2: to=<ajcody2@zcs723.EXAMPLE.com>, <br />
relay=zcs723.EXAMPLE.com[10.137.27.32]:7025, delay=0.85, delays=0.11/0.01/0.39/0.34, <br />
dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)<br />
Jun 4 06:32:45 zcs723 postfix/qmgr[7864]: C6CAA1E78D2: removed<br />
Jun 4 06:32:46 zcs723 amavis[19662]: (19662-02) <br />
Passed CLEAN, MYNETS LOCAL [10.137.27.32] [10.137.27.32] <br />
<ajcody@zcs723.EXAMPLE.com> -> <ajcody2@zcs723.EXAMPLE.com>, <br />
Message-ID: <692082388.59.1370352733069.JavaMail.root@zcs723.EXAMPLE.com>, <br />
mail_id: GGpaucYR0-4J, Hits: -1.106, size: 673, queued_as: C6CAA1E78D2, 28828 ms<br />
Jun 4 06:32:46 zcs723 postfix/smtp[16294]: 59E261E78D1: to=<ajcody2@zcs723.EXAMPLE.com>, <br />
relay=127.0.0.1[127.0.0.1]:10024, delay=32, delays=0.16/0.09/5.3/26, dsn=2.0.0, <br />
status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C6CAA1E78D2)<br />
Jun 4 06:32:46 zcs723 postfix/qmgr[7864]: 59E261E78D1: removed<br />
</pre><br />
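The two-step search described above (Message-ID first, then every queue ID it maps to) can be done in one pass with fixed-string matching, so the dots in the Message-ID are not treated as regex wildcards. This is an added example, not part of the original article; the function names and the sample log (one event per line, placeholder hostnames and addresses) are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: follow one email through a Postfix/ZCS syslog file by Message-ID.
# Assumes the log is a regular file with one event per line.

# Constructed sample, modelled on the excerpt above (placeholder hosts/addresses).
# The 7F3B21E78D9 message differs from the wanted Message-ID by one character.
sample_log() {
cat <<'EOF'
Jun 4 06:32:14 mta1 postfix/smtpd[16290]: 59E261E78D1: client=mta1.example.com[192.0.2.32]
Jun 4 06:32:14 mta1 postfix/cleanup[16293]: 59E261E78D1: message-id=<692082388.59.1370352733069.JavaMail.root@mta1.example.com>
Jun 4 06:32:14 mta1 postfix/qmgr[7864]: 59E261E78D1: from=<a@example.com>, size=673, nrcpt=1 (queue active)
Jun 4 06:32:20 mta1 postfix/cleanup[16293]: 7F3B21E78D9: message-id=<692082388x59.1370352733069.JavaMail.root@mta1.example.com>
Jun 4 06:32:44 mta1 postfix/cleanup[16293]: C6CAA1E78D2: message-id=<692082388.59.1370352733069.JavaMail.root@mta1.example.com>
Jun 4 06:32:45 mta1 postfix/lmtp[16311]: C6CAA1E78D2: to=<b@example.com>, relay=mta1.example.com[192.0.2.32]:7025, delay=0.85, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Jun 4 06:32:45 mta1 postfix/qmgr[7864]: C6CAA1E78D2: removed
Jun 4 06:32:46 mta1 postfix/smtp[16294]: 59E261E78D1: to=<b@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=32, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as C6CAA1E78D2)
Jun 4 06:32:46 mta1 postfix/qmgr[7864]: 59E261E78D1: removed
Jun 4 06:32:50 mta1 postfix/qmgr[7864]: 7F3B21E78D9: removed
EOF
}

# queue_ids_for MSGID LOGFILE
# Prints each queue ID that postfix/cleanup logged for this exact Message-ID,
# in first-seen order. index() is a fixed-string match, unlike egrep.
queue_ids_for() {
    MSGID=$1 awk '
        BEGIN { want = "message-id=<" ENVIRON["MSGID"] ">" }
        $5 ~ /^postfix\/cleanup\[/ && index($0, want) {
            q = $6; sub(/:$/, "", q)
            if (!(q in seen)) { seen[q] = 1; print q }
        }' "$2"
}

# trace_message MSGID LOGFILE
# Prints every log line that mentions the Message-ID or one of its queue IDs.
# Queue IDs are matched as whole tokens so a longer ID cannot match by accident.
trace_message() {
    QIDS=$(queue_ids_for "$1" "$2" | tr '\n' ' ') MSGID=$1 awk '
        BEGIN { id = ENVIRON["MSGID"]; n = split(ENVIRON["QIDS"], qid, " ") }
        {
            hit = index($0, id) > 0
            for (i = 1; i <= n && !hit; i++)
                if ($0 ~ ("(^|[^0-9A-Za-z])" qid[i] "([^0-9A-Za-z]|$)")) hit = 1
            if (hit) print
        }' "$2"
}

# hops MSGID LOGFILE
# Prints "QUEUEID RELAY STATUS" for each delivery attempt, in log order.
hops() {
    trace_message "$1" "$2" | awk '
        / status=/ {
            q = $6; sub(/:$/, "", q)
            relay = "-"; status = "-"
            for (i = 7; i <= NF; i++) {
                if ($i ~ /^relay=/)  { relay = $i; sub(/^relay=/, "", relay); sub(/,$/, "", relay) }
                if ($i ~ /^status=/) { status = $i; sub(/^status=/, "", status) }
            }
            print q, relay, status
        }'
}

# Stand-alone use: sh trace.sh '<message-id without angle brackets>' /var/log/zimbra.log
if [ "$#" -eq 2 ]; then
    hops "$1" "$2"
fi
```

In the hops output, the relay on port 10024 is the hand-off to amavis and the relay on port 7025 is the LMTP delivery to the mailstore, matching the mail flow described earlier on this page.<br />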
<br />
And the reply to the above message is shown below. [Note, both accounts are on the same ZCS system]:<br />
<br />
<pre><br />
Jun 4 06:43:56 zcs723 postfix/cleanup[20443]: <br />
EFD1D1E78D1: message-id=<315186059.60.1370353435012.JavaMail.root@zcs723.us.zimbralab.com><br />
Jun 4 06:44:28 zcs723 postfix/cleanup[20443]: <br />
C0E171E78D2: message-id=<315186059.60.1370353435012.JavaMail.root@zcs723.us.zimbralab.com><br />
Jun 4 06:44:29 zcs723 amavis[19663]: (19663-02) <br />
Passed CLEAN, MYNETS LOCAL [10.137.27.32] [10.137.27.32] <br />
<ajcody2@zcs723.us.zimbralab.com> -> <ajcody@zcs723.us.zimbralab.com>, <br />
Message-ID: <315186059.60.1370353435012.JavaMail.root@zcs723.us.zimbralab.com>, <br />
mail_id: 0XbLSIeuewz3, Hits: -1.106, size: 969, queued_as: C0E171E78D2, 31775 ms<br />
</pre><br />
<br />
When using any of the postfix commands to view/manipulate messages, they will be using the queueID that the message currently has. For example, mailq output looks like this:<br />
<br />
<pre><br />
[root@zcs723 ~]# /opt/zimbra/postfix/sbin/mailq<br />
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------<br />
C12E6246BC 514 Tue Mar 26 08:00:35 root<br />
zimbra<br />
<br />
C7F00246A8 517 Tue Mar 26 07:00:24 root<br />
zimbra<br />
<br />
9A2D124693 530 Mon Apr 15 19:04:20 root<br />
zimbra<br />
</pre><br />
<br />
To view a message that is still in the postfix queues/spool, you can use the postcat command with the -q option [-q (access queue)].<br />
<br />
postcat -q C12E6246BC | more<br />
<br />
====Authentication Log Events====<br />
<br />
=====IMAP And Authenticated SMTP [SSL] Example=====<br />
<br />
* '''''For the examples below, the ZCS server being used has an ip address of 10.137.27.32 .'''''<br />
* '''Note, I included the client IP address [10.16.245.217] of the IMAP client and also the -C2 flag for egrep to show 2 lines preceding and following each match for ip and username. I also trimmed the output to the time I did the initial IMAP setup and used the -F option for grep because of the : character. [ | grep -F 'Jun 4 08:4' ] '''<br />
<br />
Using the test account above, ajcody@ , I configured it to use IMAP [Use SSL option] and authenticated SMTP [SSL and "password" option] with Apple's Mail.App. My initial login creates the authentication events below.<br />
<br />
First, to give you a general impression of which logs hold information on a username and the IP address the client is connecting from: the -l option for grep/egrep just lists the names of the files that have a match for the search.<br />
<br />
<pre><br />
[root@zcs723 log]# egrep -l 'ajcody|10.16.245.217' /opt/zimbra/log/*<br />
/opt/zimbra/log/2013_05_31.trace.log << Because of my ZWC login session<br />
/opt/zimbra/log/2013_06_04.trace.log << Because of my ZWC login session<br />
/opt/zimbra/log/access_log.2013-05-31 << Because of my ZWC login session<br />
/opt/zimbra/log/access_log.2013-06-04 << Because of my ZWC login session<br />
/opt/zimbra/log/audit.log<br />
/opt/zimbra/log/mailbox.log<br />
<br />
[root@zcs723 log]# egrep -l 'ajcody|10.16.245.217' /var/log/*<br />
## Removed not related matches because I've sshd into the server<br />
/var/log/maillog<br />
/var/log/maillog-20130602<br />
/var/log/messages<br />
/var/log/messages-20130602<br />
/var/log/zimbra.log<br />
</pre><br />
<br />
Now to see what the events are. In the /opt/zimbra/log/audit.log file we have:<br />
<br />
<pre><br />
# egrep -C2 'ajcody|10.16.245.217' /opt/zimbra/log/audit.log | grep -F '2013-06-04 08:4'<br />
[cut out prior events]<br />
2013-06-04 08:43:01,943 INFO [ImapServer-1] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;<br />
2013-06-04 08:43:04,031 INFO [ImapServer-2] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;<br />
2013-06-04 08:43:07,078 INFO [ImapServer-3] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;<br />
2013-06-04 08:43:09,437 INFO [ImapServer-4] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;<br />
2013-06-04 08:43:11,645 INFO [ImapServer-5] [ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
security - cmd=Auth; account=ajcody@zcs723.EXAMPLE.com; protocol=imap;<br />
</pre><br />
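Added example (not part of the original article): a summary of the cmd=Auth events shown above, grouped by account, client IP and protocol, plus a list of accounts that authenticated from more than one address. The function names and the sample log lines are constructed for illustration; each event is assumed to be on a single line in the real audit.log.<br />

```shell
#!/bin/sh
# Added example: summarize authentication events from a Zimbra audit.log.
# Only the line format visible in the excerpt above is relied on:
#   ... [ip=ADDR;ua=...;] security - cmd=Auth; account=USER; protocol=PROTO;

# Constructed sample lines (placeholder accounts and documentation addresses).
# The last line is unrelated noise that must be ignored.
sample_audit_log() {
cat <<'EOF'
2013-06-04 08:43:01,943 INFO  [ImapServer-1] [ip=198.51.100.17;ua=Mac OS X Mail/6.2 (1499);] security - cmd=Auth; account=alice@example.com; protocol=imap;
2013-06-04 08:43:04,031 INFO  [ImapServer-2] [ip=198.51.100.17;ua=Mac OS X Mail/6.2 (1499);] security - cmd=Auth; account=alice@example.com; protocol=imap;
2013-06-04 08:44:10,100 INFO  [ImapServer-3] [ip=203.0.113.9;ua=Mac OS X Mail/6.2 (1499);] security - cmd=Auth; account=alice@example.com; protocol=imap;
2013-06-04 08:45:00,000 INFO  [ImapServer-4] [ip=198.51.100.20;ua=Mac OS X Mail/6.2 (1499);] security - cmd=Auth; account=bob@example.com; protocol=imap;
2013-06-04 08:45:02,000 INFO  [MailboxPurge] [name=bob@example.com;mid=16;] purge - Purging messages.
EOF
}

# auth_summary LOGFILE
# Prints "COUNT ACCOUNT IP PROTOCOL", highest count first.
# The ip= key is anchored on "[" or ";" so a longer key that merely ends in
# "ip=" is not picked up by mistake.
auth_summary() {
    awk '
        / security - cmd=Auth; / {
            ip = "-"; acct = "-"; proto = "-"
            if (match($0, /[;[]ip=[^;]*;/))   ip    = substr($0, RSTART + 4, RLENGTH - 5)
            if (match($0, /account=[^;]*;/))  acct  = substr($0, RSTART + 8, RLENGTH - 9)
            if (match($0, /protocol=[^;]*;/)) proto = substr($0, RSTART + 9, RLENGTH - 10)
            n[acct " " ip " " proto]++
        }
        END { for (k in n) print n[k], k }' "$1" | LC_ALL=C sort -k1,1nr -k2
}

# multi_ip_accounts LOGFILE
# Prints "ACCOUNT DISTINCT_IP_COUNT" for accounts seen from more than one address.
multi_ip_accounts() {
    auth_summary "$1" | awk '
        { if (!seen[$2 " " $3]++) ips[$2]++ }
        END { for (a in ips) if (ips[a] > 1) print a, ips[a] }' | LC_ALL=C sort
}

# Stand-alone use: sh authsummary.sh /opt/zimbra/log/audit.log
if [ "$#" -eq 1 ]; then
    auth_summary "$1"
    echo "--- accounts seen from more than one address ---"
    multi_ip_accounts "$1"
fi
```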
<br />
And in the /var/log/zimbra.log :<br />
<br />
<pre><br />
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' zimbra.log | grep -F 'Jun 4 08:4'<br />
[cut out prior events]<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK<br />
Jun 4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established from unknown[10.16.245.217]: <br />
TLSv1 with cipher AES128-SHA (128/128 bits)<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established from unknown[10.16.245.217]: <br />
TLSv1 with cipher AES128-SHA (128/128 bits)<br />
--<br />
Jun 4 08:42:33 zcs723 saslauthd[8077]: auth_zimbra: ajcody auth OK<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:43:01 zcs723 zmmailboxdmgr[1583]: status requested<br />
Jun 4 08:43:01 zcs723 zmmailboxdmgr[1583]: status OK<br />
--<br />
Jun 4 08:45:08 zcs723 zmmailboxdmgr[2353]: status requested<br />
Jun 4 08:45:08 zcs723 zmmailboxdmgr[2353]: status OK<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s for <br />
(smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2 for <br />
(smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun 4 08:42:27<br />
Jun 4 08:46:07 zcs723 zmmailboxdmgr[2706]: status requested<br />
</pre><br />
<br />
In the /opt/zimbra/log/mailbox.log :<br />
<br />
<pre><br />
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' mailbox.log | grep -F '2013-06-04 08:4'<br />
<br />
2013-06-04 08:43:00,343 INFO [ImapServer-1] [] imap - [10.16.245.217] connected<br />
2013-06-04 08:43:01,999 INFO [ImapServer-1] [name=ajcody@zcs723.EXAMPLE.com;ip=10.16.245.217;<br />
ua=Mac OS X Mail/6.2 (1499);] imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]<br />
2013-06-04 08:43:02,640 INFO [ImapServer-2] [] imap - [10.16.245.217] connected<br />
2013-06-04 08:43:04,031 INFO [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]<br />
2013-06-04 08:43:04,721 WARN [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
ConfigurationFactory - No configuration found. Configuring ehcache from ehcache-failsafe.xml <br />
found in the classpath: <br />
jar:file:/opt/zimbra/jetty-6.1.22.z6/webapps/service/WEB-INF/lib/ehcache-core-2.5.1.jar!/ehcache-failsafe.xml<br />
2013-06-04 08:43:05,010 WARN [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
ConfigurationFactory - No configuration found. Configuring ehcache from ehcache-failsafe.xml <br />
found in the classpath: <br />
jar:file:/opt/zimbra/jetty-6.1.22.z6/webapps/service/WEB-INF/lib/ehcache-core-2.5.1.jar!/ehcache-failsafe.xml<br />
2013-06-04 08:43:05,420 INFO [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
imap - selected folder INBOX<br />
2013-06-04 08:43:05,922 INFO [ImapServer-3] [] imap - [10.16.245.217] connected<br />
2013-06-04 08:43:07,390 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]<br />
2013-06-04 08:43:08,220 INFO [ImapServer-4] [] imap - [10.16.245.217] connected<br />
2013-06-04 08:43:09,437 INFO [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]<br />
2013-06-04 08:43:10,395 INFO [ImapServer-1] [] imap - dropping connection for user <br />
ajcody@zcs723.EXAMPLE.com (server-initiated)<br />
2013-06-04 08:43:10,395 INFO [ImapServer-1] [] ProtocolHandler - Handler exiting normally<br />
2013-06-04 08:43:10,447 INFO [ImapServer-5] [] imap - [10.16.245.217] connected<br />
2013-06-04 08:43:11,645 INFO [ImapServer-5] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] <br />
imap - user ajcody@zcs723.EXAMPLE.com authenticated, mechanism=PLAIN [TLS]<br />
2013-06-04 08:43:12,521 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Contacts<br />
2013-06-04 08:43:12,685 INFO [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts<br />
2013-06-04 08:43:13,813 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Junk<br />
2013-06-04 08:43:13,971 INFO [ImapServer-5] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Sent<br />
2013-06-04 08:43:15,614 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Trash<br />
2013-06-04 08:43:16,694 INFO [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;mid=15;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Chats<br />
2013-06-04 08:43:17,211 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts<br />
2013-06-04 08:43:17,344 INFO [ImapServer-2] [name=ajcody@zcs723.EXAMPLE.com;mid=15;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Drafts<br />
2013-06-04 08:43:17,358 INFO [ImapServer-3] [name=ajcody@zcs723.EXAMPLE.com;mid=15;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder INBOX<br />
2013-06-04 08:43:17,840 INFO [ImapServer-4] [name=ajcody@zcs723.EXAMPLE.com;<br />
ip=10.16.245.217;ua=Mac OS X Mail/6.2 (1499);] imap - selected folder Emailed Contacts<br />
2013-06-04 08:44:00,813 INFO [MailboxPurge] [name=ajcody@zcs723.EXAMPLE.com;mid=15;] <br />
purge - Purging messages.<br />
2013-06-04 08:44:41,428 INFO [btpool0-28://zcs723.EXAMPLE.com/service/soap/NoOpRequest] <br />
[name=ajcody2@zcs723.EXAMPLE.com;mid=16;ip=10.16.245.217;ua=ZimbraWebClient - [unknown] (Win)/0.0;] <br />
soap - NoOpRequest elapsed=0<br />
2013-06-04 08:45:00,818 INFO [MailboxPurge] [name=ajcody2@zcs723.EXAMPLE.com;mid=16;] <br />
purge - Purging messages.<br />
</pre><br />
<br />
The /var/log/messages and /var/log/maillog had the same events:<br />
<br />
<pre><br />
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' /var/log/messages | grep -F 'Jun 4 08:42'<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK<br />
Jun 4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established <br />
from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established <br />
from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s <br />
for (smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2 <br />
for (smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun 4 08:42:27<br />
<br />
[root@zcs723 log]# egrep -C2 'ajcody|10.16.245.217' /var/log/maillog | grep -F 'Jun 4 08:42'<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status requested<br />
Jun 4 08:42:07 zcs723 zmmailboxdmgr[1389]: status OK<br />
Jun 4 08:42:27 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:28 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: SSL_accept error from unknown[10.16.245.217]: -1<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: lost connection after STARTTLS from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:30 zcs723 postfix/smtpd[1487]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:31 zcs723 postfix/smtpd[1487]: Anonymous TLS connection established <br />
from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: connect from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: setting up TLS connection from unknown[10.16.245.217]<br />
Jun 4 08:42:32 zcs723 postfix/smtpd[1497]: Anonymous TLS connection established <br />
from unknown[10.16.245.217]: TLSv1 with cipher AES128-SHA (128/128 bits)<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1497]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: lost connection after EHLO from unknown[10.16.245.217]<br />
Jun 4 08:42:34 zcs723 postfix/smtpd[1487]: disconnect from unknown[10.16.245.217]<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection rate 3/60s <br />
for (smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max connection count 2 <br />
for (smtp:10.16.245.217) at Jun 4 08:42:32<br />
Jun 4 08:45:54 zcs723 postfix/anvil[1489]: statistics: max cache size 1 at Jun 4 08:42:27<br />
</pre><br />
<br />
======IMAP Test Via Telnet And Logging Events Of It - Proxy Included======<br />
<br />
<pre><br />
<br />
### TELNET FROM CLIENT ###<br />
# telnet zcs806.DOMAIN.com 143 <br />
Trying 192.168.27.36...<br />
Connected to zcs806.DOMAIN.com.<br />
Escape character is '^]'.<br />
* OK IMAP4 ready<br />
01 LOGIN proxylogtest@zcs806.DOMAIN.com [REPLACE WITH ACCT PASSWORD]<br />
01 OK [CAPABILITY IMAP4rev1 ACL BINARY CATENATE CHILDREN CONDSTORE ENABLE ESEARCH ESORT <br />
I18NLEVEL=1 ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ LOGIN-REFERRALS MULTIAPPEND <br />
NAMESPACE QRESYNC QUOTA RIGHTS=ektx SASL-IR SEARCHRES SORT THREAD=ORDEREDSUBJECT <br />
UIDPLUS UNSELECT WITHIN XLIST] LOGIN completed<br />
01 logout<br />
<br />
### LOGS ON ZCS SERVER ###<br />
<br />
[zimbra@zcs806 log]$ egrep "192\.168\.27\.37|proxylogtest" *<br />
<br />
nginx.log:2014/02/28 09:32:16 [info] 25611#0: *2595 client 192.168.27.37 connected to 0.0.0.0:143<br />
nginx.log:2014/02/28 09:32:38 [info] 25611#0: *2595 client logged in, client: 192.168.27.37, <br />
server: 0.0.0.0:143, login: "proxylogtest@zcs806.DOMAIN.com", upstream: 192.168.27.36:7993 <br />
(192.168.27.37:45080-192.168.27.36:143) <=> (192.168.27.36:53326-192.168.27.36:7993)<br />
<br />
audit.log:2014-02-28 09:32:35,532 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] security - cmd=Auth; <br />
account=proxylogtest@zcs806.DOMAIN.com; protocol=imap;<br />
<br />
mailbox.log:2014-02-28 09:32:35,527 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37; <br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] imap - ID elapsed=8<br />
mailbox.log:2014-02-28 09:32:35,743 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailbox - Creating database <br />
mboxgroup50<br />
mailbox.log:2014-02-28 09:32:37,986 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailbox - <br />
Creating mailbox with id 50 and group id 50 for proxylogtest@zcs806.DOMAIN.com.<br />
mailbox.log:2014-02-28 09:32:37,986 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] cache - initializing folder <br />
and tag caches for mailbox 50<br />
mailbox.log:2014-02-28 09:32:37,987 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder ROOT: <br />
id=11, parentId=11.<br />
mailbox.log:2014-02-28 09:32:38,010 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Tags: <br />
id=8, parentId=11.<br />
mailbox.log:2014-02-28 09:32:38,011 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
Conversations: id=9, parentId=11.<br />
mailbox.log:2014-02-28 09:32:38,011 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
Comments: id=17, parentId=11.<br />
mailbox.log:2014-02-28 09:32:38,012 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
USER_ROOT: id=1, parentId=11.<br />
mailbox.log:2014-02-28 09:32:38,012 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Inbox: <br />
id=2, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,013 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Trash: <br />
id=3, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,013 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Junk: <br />
id=4, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,014 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Sent: <br />
id=5, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,014 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Drafts: <br />
id=6, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,015 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Contacts: <br />
id=7, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,023 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Calendar: <br />
id=10, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,023 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder Tasks: <br />
id=15, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,024 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
Emailed Contacts: id=13, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,024 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
Chats: id=14, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,025 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mailop - adding folder <br />
Briefcase: id=16, parentId=1.<br />
mailbox.log:2014-02-28 09:32:38,038 INFO [Index-8] [name=proxylogtest@zcs806.DOMAIN.com;mid=50;] <br />
index - Batch complete processed=0,failed=0,elapsed=1 (0.00 items/sec)<br />
mailbox.log:2014-02-28 09:32:38,071 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] index - OpenLuceneIndex <br />
impl=NIOFSDirectory,dir=/opt/zimbra/index/0/50/index/0<br />
mailbox.log:2014-02-28 09:32:38,071 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] mbxmgr - Mailbox 50 <br />
account 0028aab0-3d17-4c51-aad8-da7500247079 CREATED<br />
mailbox.log:2014-02-28 09:32:38,079 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - user proxylogtest@zcs806.DOMAIN.com authenticated, mechanism=LOGIN [TLS]<br />
mailbox.log:2014-02-28 09:32:38,079 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - LOGIN elapsed=2550<br />
mailbox.log:2014-02-28 09:32:46,258 WARN [ImapSSLServer-16] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - BAD parse error: command not implemented<br />
mailbox.log:2014-02-28 09:32:46,258 INFO [ImapSSLServer-16] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - EXIT elapsed=1<br />
mailbox.log:2014-02-28 09:32:48,648 WARN [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - BAD parse error: command not implemented<br />
mailbox.log:2014-02-28 09:32:48,648 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37;via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - QUIT elapsed=1<br />
</pre><br />
<br />
======IMAP Login Via Openssl - LOGIN TLS - Proxy Included======<br />
<br />
You would run from the CLI:<br />
<br />
<pre> openssl s_client -crlf -connect zcs806.DOMAIN.com:993</pre><br />
<br />
Once it shows "* OK IMAP4 ready" you'll be able to give the login command:<br />
<br />
<pre>tag login proxylogtest@zcs806.DOMAIN.com PASSWORD</pre><br />
<br />
Another good example of this is at [http://delog.wordpress.com/2011/05/10/access-imap-server-from-the-command-line-using-openssl/ Access IMAP server from the command line using OpenSSL]<br />
<br />
The log events for this are:<br />
<br />
<pre><br />
$ egrep "192\.168\.27\.37|proxylogtest" * | grep "28 10"<br />
<br />
audit.log:2014-02-28 10:37:51,207 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra); ua=Zimbra/8.0.6_GA_5922;] security - cmd=Auth; <br />
account=proxylogtest@zcs806.DOMAIN.com; protocol=imap;<br />
<br />
mailbox.log:2014-02-28 10:37:51,204 INFO [ImapSSLServer-13] [ip=192.168.27.36;oip=192.168.27.37;<br />
via=192.168.27.36(nginx/1.2.0-zimbra); ua=Zimbra/8.0.6_GA_5922;] imap - ID elapsed=1<br />
mailbox.log:2014-02-28 10:37:51,207 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - user proxylogtest@zcs806.DOMAIN.com authenticated, mechanism=LOGIN [TLS]<br />
mailbox.log:2014-02-28 10:37:51,207 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - LOGIN elapsed=2<br />
mailbox.log:2014-02-28 10:38:10,132 INFO [ImapSSLServer-13] [name=proxylogtest@zcs806.DOMAIN.com;<br />
ip=192.168.27.36;oip=192.168.27.37; via=192.168.27.36(nginx/1.2.0-zimbra);ua=Zimbra/8.0.6_GA_5922;] <br />
imap - LIST elapsed=12<br />
<br />
nginx.log:2014/02/28 10:32:01 [info] 25609#0: *2602 client 192.168.27.37 connected to 0.0.0.0:993<br />
nginx.log:2014/02/28 10:37:07 [info] 25609#0: *2603 client 192.168.27.37 connected to 0.0.0.0:993<br />
nginx.log:2014/02/28 10:37:51 [info] 25609#0: *2603 client logged in, client: 192.168.27.37, server: 0.0.0.0:993, <br />
login: "proxylogtest@zcs806.DOMAIN.com", upstream: 192.168.27.36:7993 <br />
(192.168.27.37:41009-192.168.27.36:993) <=> (192.168.27.36:53613-192.168.27.36:7993)<br />
</pre><br />
<br />
===Network Tracing Between A Remote Host And A ZCS MTA===<br />
<br />
To capture a network trace between a remote host and a ZCS MTA, run the following on the MTA:<br />
<br />
<pre> tcpdump -w /root/tcpdump1.cap -s 15000 port 25 and host <Sending_host_IP> </pre><br />
<br />
===zmmsgtrace===<br />
<br />
See the following for details [for 7.1.1+]:<br />
* zmmsgtrace replacement<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=41078<br />
<br />
===How To Get SMTP Debug Logging===<br />
<br />
You can obtain this by modifying master.cf.in, which is located in /opt/zimbra/postfix/conf.<br />
Go to the smtpd line and add -vv at the end of the line:<br />
<br />
<pre> smtp inet n - n - - smtpd -vv</pre><br />
<br />
Restart the MTA by running the following:<br />
<br />
<pre> zmmtactl restart</pre><br />
<br />
===Simple Troubleshooting For SMTP Via Telnet, Openssl===<br />
<br />
====First - Understanding Your Authentication Requirements In ZCS====<br />
<br />
In the admin console, under the MTA tab, you see two options:<br />
<br />
* Enable Authentication<br />
** Attribute Name = zimbraMtaSaslAuthEnable [yes or no]<br />
*** zmprov gacf zimbraMtaSaslAuthEnable or zmprov gs `zmhostname` zimbraMtaSaslAuthEnable<br />
** Description = Value for postconf : smtpd_sasl_auth_enable = yes<br />
* TLS Authentication Only<br />
** Attribute Name = zimbraMtaTlsAuthOnly [TRUE or FALSE]<br />
*** zmprov gacf zimbraMtaTlsAuthOnly or zmprov gs `zmhostname` zimbraMtaTlsAuthOnly<br />
** Description = Value for postconf : smtpd_tls_auth_only = yes<br />
<br />
A good reference for understanding exactly what these options mean and do is the [http://www.postfix.org/SASL_README.html SASL_README] at the postfix.org site. I'll include the highlights below.<br />
<br />
When you do the telnet test below and issue the EHLO command, you'll see a response like this [example]:<br />
<br />
<pre><br />
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25<br />
Trying 10.137.27.32...<br />
Connected to zcs723.EXAMPLE.com.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
</pre><br />
<br />
When you check "Enable Authentication" [remember it's specific to SASL] in the admin console and reload postfix, you will then see the AUTH line when you do the telnet test above, and AUTH will say LOGIN and PLAIN. AUTH supports a number of different mechanisms: PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI. Zimbra only supports the use of LOGIN and PLAIN though.<br />
<br />
What are LOGIN and PLAIN, and what is the difference?<br />
<br />
<pre><br />
--enable-login You wish to support the Outlook Express <br />
5.x client, which uses the non-standard, <br />
undocumented LOGIN protocol. Passwords<br />
are passed over the wire in the clear.<br />
This is disabled by default.<br />
--disable-plain Do not use the PLAIN protocol, which <br />
sends the password in plaintext. This <br />
is enabled by default and should only <br />
be used for testing unless you are <br />
encrypting the session via TLS, IPsec, <br />
or other mechanism.<br />
</pre><br />
<br />
So, the above might be alarming. The postfix SASL_README gives us some context though, '''''"Plaintext mechanisms (PLAIN, LOGIN) send credentials unencrypted. This information should be protected by an additional security layer such as a TLS-encrypted SMTP session (see: [http://www.postfix.org/TLS_README.html TLS_README])."''''' Also note, both PLAIN and LOGIN use BASE64 encoding of the username and password, but that is an encoding, not encryption: those strings can be run through a MIME decoder to discover what they are. You see this in my telnet examples below.<br />
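<br />
One way to check a listener for this exposure is to parse its EHLO reply and flag PLAIN or LOGIN being advertised before TLS is active, which is what smtpd_tls_auth_only (zimbraMtaTlsAuthOnly) prevents. This is an added example, not code from the original article or from Zimbra; the function names and the third sample reply are assumptions made for illustration.<br />

```python
import re

# Constructed samples: the first two are the EHLO replies shown in the
# sessions on this page (port 25 before STARTTLS, and after STARTTLS).
PORT25_BEFORE_STARTTLS = """\
250-zcs723.EXAMPLE.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
PORT25_AFTER_STARTTLS = PORT25_BEFORE_STARTTLS.replace("250-STARTTLS\n", "")

# Constructed (not from the page): the pre-TLS reply expected when AUTH is
# withheld until the session is encrypted.
PORT25_TLS_AUTH_ONLY = "\n".join(
    ln for ln in PORT25_BEFORE_STARTTLS.splitlines() if "AUTH" not in ln
) + "\n"

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
_REPLY = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = _REPLY.match(line)
        if match is None:
            raise ValueError(f"not a 250 reply line: {line!r}")
        is_last = index == len(lines) - 1
        if (match.group(1) == " ") != is_last:
            raise ValueError("only the final line may use '250 ' instead of '250-'")
        if index == 0:
            continue  # first line is the server greeting, not a capability
        text = match.group(2).strip()
        # "AUTH=LOGIN PLAIN" is the legacy spelling kept for old clients.
        if text.upper().startswith("AUTH="):
            text = "AUTH " + text[5:]
        keyword, _, params = text.partition(" ")
        caps.setdefault(keyword.upper(), set()).update(params.upper().split())
    return caps


def audit_ehlo(reply, tls_active):
    """List findings for an EHLO reply seen with or without TLS in place."""
    caps = parse_ehlo(reply)
    findings = []
    if tls_active:
        return findings  # credentials sent now travel inside the TLS session
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot encrypt this session")
    exposed = sorted(caps.get("AUTH", set()) & CLEARTEXT_MECHS)
    if exposed:
        findings.append(
            "AUTH " + " ".join(exposed) + " offered before TLS: "
            "credentials can cross the wire base64-encoded only"
        )
    return findings


if __name__ == "__main__":
    for name, reply, tls in (
        ("port 25, before STARTTLS", PORT25_BEFORE_STARTTLS, False),
        ("port 25, after STARTTLS", PORT25_AFTER_STARTTLS, True),
        ("port 25, AUTH withheld until TLS", PORT25_TLS_AUTH_ONLY, False),
    ):
        print(name, "->", audit_ehlo(reply, tls) or "no findings")
```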
<br />
The other options for the '''"Postfix SMTP Server policy - SASL mechanism properties"''' you will need to know about are:<br />
<br />
* /opt/zimbra/postfix/conf/main.cf <br />
** smtpd_sasl_security_options =<br />
** smtpd_sasl_tls_security_options = [note, this can reuse smtpd_sasl_security_options with $smtpd_sasl_security_options]<br />
*** noanonymous Don't use mechanisms that permit anonymous authentication. <br />
**** Always set at least the noanonymous option. Otherwise, the Postfix SMTP server can give strangers the same authorization as a properly-authenticated client. <br />
*** noplaintext Don't use mechanisms that transmit unencrypted username and password information. <br />
*** nodictionary Don't use mechanisms that are vulnerable to dictionary attacks. <br />
*** forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions). <br />
*** mutual_auth Use only mechanisms that authenticate both the client and the server to each other. <br />
<br />
'''Mail relay authorization options to know are:''' ([http://www.postfix.org/SASL_README.html from the SASL_README]) With permit_sasl_authenticated the Postfix SMTP server can allow SASL-authenticated SMTP clients to send mail to remote destinations. Examples:<br />
<pre><br />
# With Postfix 2.10 and later, the mail relay policy is<br />
# preferably specified under smtpd_relay_restrictions.<br />
/opt/zimbra/postfix/conf/main.cf:<br />
smtpd_relay_restrictions =<br />
permit_mynetworks<br />
permit_sasl_authenticated<br />
reject_unauth_destination<br />
<br />
# Older configurations combine relay control and spam control under<br />
# smtpd_recipient_restrictions. To use this example with Postfix ≥<br />
# 2.10 specify "smtpd_relay_restrictions=".<br />
/opt/zimbra/postfix/conf/main.cf:<br />
smtpd_recipient_restrictions =<br />
permit_mynetworks<br />
permit_sasl_authenticated<br />
reject_unauth_destination<br />
...other rules...<br />
</pre><br />
<br />
'''Envelope sender address authorization options:''' ([http://www.postfix.org/SASL_README.html from the SASL_README]) By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.<br />
<br />
This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:<br />
<pre><br />
/opt/zimbra/postfix/conf/main.cf:<br />
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf<br />
smtpd_sender_login_maps = $virtual_mailbox_maps<br />
<br />
smtpd_recipient_restrictions =<br />
...<br />
reject_sender_login_mismatch<br />
permit_sasl_authenticated<br />
...<br />
</pre><br />
The controlled_envelope_senders table specifies the binding between a sender envelope address and the SASL login names that own that address [see above, ZCS will have in main.cf a line showing virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf]:<br />
<pre><br />
/opt/zimbra/conf/ldap-vmm.cf<br />
server_host = ldap://zcs723.EXAMPLE.com:389<br />
server_port = 389<br />
search_base =<br />
query_filter = (&(zimbraMailDeliveryAddress=%s)(zimbraMailStatus=enabled))<br />
result_attribute = zimbraMailDeliveryAddress<br />
version = 3<br />
start_tls = yes<br />
tls_ca_cert_dir = /opt/zimbra/conf/ca<br />
bind = yes<br />
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra<br />
bind_pw = XXXXXXXXXXX<br />
timeout = 30<br />
</pre><br />
<br />
A default postfix install [non-ZCS] might have something like:<br />
<pre><br />
/etc/postfix/controlled_envelope_senders<br />
# envelope sender owners (SASL login names)<br />
john@example.com john@example.com<br />
helpdesk@example.com john@example.com, mary@example.com<br />
postmaster admin@example.com<br />
@example.net barney, fred, john@example.com, mary@example.com<br />
</pre><br />
With this, the reject_sender_login_mismatch restriction above will reject the sender address in the MAIL FROM command if smtpd_sender_login_maps does not specify the SMTP client's login name as an owner of that address.<br />
<br />
See also reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch for additional control over the SASL login name and the envelope sender.<br />
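<br />
A simplified model of the reject_sender_login_mismatch decision described above, run against the controlled_envelope_senders table from this section. This is an added example, not Postfix or Zimbra code; the function names, the lookup order used here (full address, then bare local part for a local domain, then @domain) and the choice of example.com as the local domain are assumptions of the example.<br />

```python
import re

# Constructed from the controlled_envelope_senders table shown above.
CONTROLLED_ENVELOPE_SENDERS = """\
# envelope sender       owners (SASL login names)
john@example.com        john@example.com
helpdesk@example.com    john@example.com, mary@example.com
postmaster              admin@example.com
@example.net            barney, fred, john@example.com, mary@example.com
"""


def load_table(text):
    """Parse 'sender  owner[, owner...]' lines into {sender: {owners}}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sender, owners = line.split(None, 1)
        table[sender.lower()] = {
            owner.lower() for owner in re.split(r"[,\s]+", owners) if owner
        }
    return table


def owners_of(table, sender, local_domains):
    """Return the owner set for a MAIL FROM address, or None if unlisted."""
    sender = sender.lower()
    if "@" not in sender:
        return table.get(sender)
    local, domain = sender.rsplit("@", 1)
    keys = [sender]
    if domain in local_domains:
        keys.append(local)          # bare local part, e.g. "postmaster"
    keys.append("@" + domain)       # domain-wide entry, e.g. "@example.net"
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_login_check(table, mail_from, sasl_login, local_domains=("example.com",)):
    """Model of reject_sender_login_mismatch: 'REJECT' or 'PASS'.

    sasl_login is None for a client that did not authenticate.
    """
    owners = owners_of(table, mail_from, set(local_domains))
    if sasl_login is None:
        # Unauthenticated client claiming an address that has an owner.
        return "REJECT" if owners else "PASS"
    # Authenticated client: the login must be listed as an owner.
    if owners and sasl_login.lower() in owners:
        return "PASS"
    return "REJECT"


if __name__ == "__main__":
    table = load_table(CONTROLLED_ENVELOPE_SENDERS)
    cases = [
        ("john@example.com", "john@example.com"),
        ("john@example.com", "mary@example.com"),
        ("helpdesk@example.com", "mary@example.com"),
        ("postmaster@example.com", "admin@example.com"),
        ("someone@example.net", "barney"),
        ("john@example.com", None),
        ("stranger@example.org", None),
    ]
    for mail_from, login in cases:
        print(f"{mail_from:26} login={login!s:20} ->",
              sender_login_check(table, mail_from, login))
```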
<br />
====Second - Encoding Username And Passwords For AUTH Sequence====<br />
<br />
Here is an example of getting the base64 encoding for a username and also how to check if the encoding was correct. This might expose how special characters threw off the encoding.<br />
<br />
<pre><br />
[USERNAME EXAMPLE - If you use the domain name, you'll have to escape the @ as \@]<br />
# perl -MMIME::Base64 -le 'print encode_base64("ajcody\@zcs723.EXAMPLE.com");'<br />
YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQ==<br />
# perl -MMIME::Base64 -le 'print decode_base64("YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQ==");'<br />
ajcody@zcs723.EXAMPLE.com<br />
<br />
[PASSWORD EXAMPLE]<br />
# perl -MMIME::Base64 -le 'print encode_base64("MySimplePa33");'<br />
TXlTaW1wbGVQYTMz<br />
# perl -MMIME::Base64 -le 'print decode_base64("TXlTaW1wbGVQYTMz");'<br />
MySimplePa33<br />
<br />
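[USERNAME And PASSWORD - For Auth PLAIN. The \000 is a NUL byte that separates the fields, not a space. The AUTH PLAIN examples further below also put a \000 in front of the username.]<br />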
# perl -MMIME::Base64 -le 'print encode_base64("ajcody\@zcs723.EXAMPLE.com\000MySimplePa33");'<br />
YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQBNeVNpbXBsZVBhMzM=<br />
# perl -MMIME::Base64 -le 'print decode_base64("YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQBNeVNpbXBsZVBhMzM=");'<br />
ajcody@zcs723.EXAMPLE.comMySimplePa33<br />
</pre><br />
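<br />
The encoding steps above, as an added example that is not part of the original article: it builds and decodes the AUTH PLAIN and AUTH LOGIN strings and shows how readily a captured string gives the credentials back, which is why these exchanges belong inside TLS. The function names are assumptions; the base64 strings in the constants are the ones printed on this page.<br />

```python
import base64

# Copied from this page: the server prompts in the AUTH LOGIN sessions and
# the two-field "username\000password" string from the perl example above.
PAGE_LOGIN_PROMPTS = ("VXNlcm5hbWU6", "UGFzc3dvcmQ6")
PAGE_TWO_FIELD_TOKEN = "YWpjb2R5QHpjczcyMy5FWEFNUExFLmNvbQBNeVNpbXBsZVBhMzM="


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def auth_plain_token(authcid, password, authzid=""):
    """Build the AUTH PLAIN argument: authzid NUL authcid NUL password.

    The leading field (authzid) is normally empty, which is why the working
    perl commands on this page start the string with \\000.
    """
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL separates the fields and cannot appear inside one")
    return _b64("\x00".join((authzid, authcid, password)).encode("utf-8"))


def decode_auth_plain(token):
    """Return (authzid, authcid, password) or raise ValueError if malformed."""
    raw = base64.b64decode(token, validate=True)
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    if not authcid:
        raise ValueError("empty authentication identity")
    return authzid, authcid, password


def auth_login_tokens(username, password):
    """AUTH LOGIN sends the username and password as two separate lines."""
    return _b64(username.encode("utf-8")), _b64(password.encode("utf-8"))


def decode_login_line(token):
    """Decode one base64 line of an AUTH LOGIN exchange (prompt or reply)."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def redacted_summary(token):
    """Summary of an AUTH PLAIN string that is safe to paste into a ticket."""
    authzid, authcid, password = decode_auth_plain(token)
    return f"authzid={authzid or '(empty)'} authcid={authcid} password=<{len(password)} chars>"


if __name__ == "__main__":
    user, pw = "ajcody@zcs723.EXAMPLE.com", "MySimplePa33"  # sample values from the page
    token = auth_plain_token(user, pw)
    print("AUTH PLAIN", token)
    print("summary   ", redacted_summary(token))
    print("AUTH LOGIN", auth_login_tokens(user, pw))
    print("prompts   ", [decode_login_line(p) for p in PAGE_LOGIN_PROMPTS])
    try:
        decode_auth_plain(PAGE_TWO_FIELD_TOKEN)
    except ValueError as err:
        # No leading NUL, so the string has two fields instead of three.
        print("two-field string rejected:", err)
```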
<br />
====For ESMTP Auth is LOGIN - Example====<br />
<br />
If you are using TLS you will need to encode your username & password (base64, as described above) before transmitting them.<br />
<br />
For AUTH LOGIN you'll need to get the encoding as described above. AUTH LOGIN requires the username and password to be encoded separately:<br />
<br />
For example [I've mangled the hash below by the way]:<br />
<br />
<pre><br />
perl -MMIME::Base64 -e 'print encode_base64("ajcody\@zcs723.EXAMPLE.com");'<br />
YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t<br />
perl -MMIME::Base64 -e 'print encode_base64("Somepasswd");'<br />
YYYYYYYkMW0=<br />
</pre><br />
<br />
The working example now using telnet:<br />
<br />
<pre><br />
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25<br />
Trying 10.137.27.32...<br />
Connected to zcs723.EXAMPLE.com.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH LOGIN<br />
334 VXNlcm5hbWU6<br />
YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t<br />
334 UGFzc3dvcmQ6<br />
YYYYYYYkMW0=<br />
235 2.7.0 Authentication successful<br />
mail from: <ajcody@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
data<br />
354 End data with <CR><LF>.<CR><LF><br />
From: Adam <ajcody@zcs723.EXAMPLE.com> <br />
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com><br />
Subject: Test ESMTP Auth LOGIN<br />
testing<br />
.<br />
250 2.0.0 Ok: queued as 361C11E78D1<br />
quit<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
</pre><br />
<br />
====For ESMTP Auth is Plain - Example====<br />
<br />
If you are using TLS you will need to encode your username & password (base64, as described above) before transmitting them.<br />
<br />
When AUTH is PLAIN, the username and password are encoded together in one string. For example [I've mangled the hash below by the way]:<br />
<br />
<pre><br />
perl -MMIME::Base64 -e 'print encode_base64("\000ajcody\@zcs723.EXAMPLE.com\000mypassword");'<br />
AGFqY29keUB6Y3M3MjMXXXXXXXXXXXXXXXXXX5MzkzMWQxbQ==<br />
</pre><br />
<br />
The working example now using telnet:<br />
<br />
<pre><br />
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25<br />
Trying 10.137.27.32...<br />
Connected to zcs723.EXAMPLE.com.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH PLAIN AGFqY29keUB6Y3M3MjMXXXXXXXXXXXXXXXXXX5MzkzMWQxbQ==<br />
235 2.7.0 Authentication successful<br />
mail from: <ajcody@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
data<br />
354 End data with <CR><LF>.<CR><LF><br />
From: Adam <ajcody@zcs723.EXAMPLE.com><br />
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com><br />
Subject: Test ESMTP Auth PLAIN<br />
testing<br />
.<br />
250 2.0.0 Ok: queued as 804E01E78D1<br />
quit<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
</pre><br />
<br />
====For TLS/SSL - Example====<br />
<br />
Basic telnet does not support SSL or TLS, so you have to use openssl or stunnel to make your connection to the smtp server. To connect to a server using TLS/SSL run something like this:<br />
<br />
<pre> openssl s_client -starttls smtp -crlf -connect zcs723.EXAMPLE.com:25</pre><br />
<br />
Now you can run one of the above telnet sessions as you did before. You will most likely still need to log in.<br />
<br />
Default zimbra [[Ports|ports]] to be aware of and test:<br />
<br />
* port 25<br />
** smtp [mta] - incoming mail to postfix <br />
* port 465<br />
** smtps [mta] - incoming mail to postfix over ssl '''(Outlook only)''' <br />
* port 587<br />
** smtp [mta] - Mail '''submission port''' over tls <br />
* "RFC 3207 specifies only the well-known port 25 and the "Submission port," which is TCP port 587, for the STARTTLS command, the precursor for an encrypted SMTP session using TLS. It makes no mention of the unofficial port 465." [http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol SMTP on Wikipedia]<br />
<br />
An example login is below:<br />
<br />
<pre><br />
esx2:~ ajcody$ openssl s_client -starttls smtp -crlf -connect zcs723.EXAMPLE.com:25<br />
<br />
CONNECTED(00000003)<br />
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
verify error:num=20:unable to get local issuer certificate<br />
verify return:1<br />
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
verify error:num=27:certificate not trusted<br />
verify return:1<br />
depth=0 /C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
verify error:num=21:unable to verify the first certificate<br />
verify return:1<br />
---<br />
Certificate chain<br />
0 s:/C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
i:/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
---<br />
Server certificate<br />
-----BEGIN CERTIFICATE-----<br />
MIICsjCCAhugAwIBAgIFE2MYV2EwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYT<br />
[cut]<br />
LrFtuUlX6mb5Uq8dx8D25QWqsyeDXA==<br />
-----END CERTIFICATE-----<br />
subject=/C=US/ST=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
issuer=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/OU=Zimbra Collaboration Suite/CN=zcs723.EXAMPLE.com<br />
---<br />
No client certificate CA names sent<br />
---<br />
SSL handshake has read 1528 bytes and written 360 bytes<br />
---<br />
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA<br />
Server public key is 1024 bit<br />
Secure Renegotiation IS supported<br />
Compression: NONE<br />
Expansion: NONE<br />
SSL-Session:<br />
Protocol : TLSv1<br />
Cipher : DHE-RSA-AES256-SHA<br />
Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B<br />
Session-ID-ctx: <br />
Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6<br />
Key-Arg : None<br />
Start Time: 1370375286<br />
Timeout : 300 (sec)<br />
Verify return code: 21 (unable to verify the first certificate)<br />
---<br />
250 DSN<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH LOGIN<br />
334 VXNlcm5hbWU6<br />
YYYYYYY5QHpjczcyMy51cy56aW1icmFsYWIuY29t<br />
334 UGFzc3dvcmQ6<br />
YYYYYYYkMW0=<br />
235 2.7.0 Authentication successful<br />
mail from:<ajcody@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
data<br />
354 End data with <CR><LF>.<CR><LF><br />
From: Adam <ajcody@zcs723.EXAMPLE.com><br />
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com><br />
Subject: Test Auth LOGIN TLS Example<br />
test<br />
.<br />
250 2.0.0 Ok: queued as BA68B1E78D1<br />
quit<br />
221 2.0.0 Bye<br />
closed<br />
</pre><br />
<br />
=====Testing Against Port 465=====<br />
<br />
References on Port 465:<br />
<br />
* http://wiki.zimbra.com/wiki/Mail_client_Configuration#SMTP_over_SSL_port_465<br />
<br />
<pre><br />
$ openssl s_client -crlf -connect zcs723.EXAMPLE.com:465<br />
<br />
CONNECTED(00000003) <br />
<br />
[cut of repeated data above]<br />
<br />
---<br />
250 DSN<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 8388608<br />
250-VRFY<br />
250-ETRN<br />
250-AUTH PLAIN LOGIN<br />
250-AUTH=PLAIN LOGIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH PLAIN [cut - emailaddress/password string goes here]<br />
<br />
!!! note - you get the auth plain string by doing [don't remove the \000 parts]:<br />
!!! perl -MMIME::Base64 -e 'print encode_base64("\000user\@mdomain.com\000your_password");'<br />
<br />
235 2.7.0 Authentication successful<br />
mail from:<ajcody@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
data<br />
354 End data with <CR><LF>.<CR><LF><br />
From: Adam <ajcody@zcs723.EXAMPLE.com><br />
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com><br />
Subject: Test Auth LOGIN TLS Example<br />
test<br />
.<br />
250 2.0.0 Ok: queued as BA68B1E78D1<br />
quit<br />
221 2.0.0 Bye<br />
closed<br />
</pre><br />
<br />
Example of log events in /var/log/zimbra.log on the MTA server [different test from the one above]:<br />
<br />
<pre><br />
Jun 7 08:28:52 zcs806 postfix/smtps/smtpd[8151]: connect from unknown[10.X.X.110]<br />
Jun 7 08:28:52 zcs806 postfix/smtps/smtpd[8151]: Anonymous TLS connection established <br />
from unknown[10.1X.X.110]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)<br />
Jun 7 08:31:53 zcs806 saslauthd[3317]: zmauth: authenticating against elected url<br />
https://zcs806.us.DOMAIN.com:7071/service/admin/soap/' ...<br />
Jun 7 08:31:53 zcs806 saslauthd[3317]: zmpost: url='https://zcs806.us.DOMAIN.com:7071/<br />
service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="<br />
http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><br />
<change token="75599"/></context></soap:Header><soap:Body><AuthResponse <br />
xmlns="urn:zimbraAccount"><authToken>0_b47233e5e226eb1c0519cd9c35da2fc198f[cut]272<br />
613b</authToken><lifetime>172800000</lifetime><skin>serenity</skin></AuthResponse><br />
</soap:Body></soap:Envelope>', hti->error=''<br />
Jun 7 08:31:53 zcs806 saslauthd[3317]: auth_zimbra: admin@zcs806.us.DOMAIN.com auth OK<br />
Jun 7 08:32:47 zcs806 postfix/smtps/smtpd[8151]: 0279C3434: client=unknown[10.X.X.110], <br />
sasl_method=PLAIN, sasl_username=admin@zcs806.us.DOMAIN.com<br />
Jun 7 08:33:32 zcs806 postfix/qmgr[3484]: 0279C3434: from=<admin@zcs806.us.DOMAIN.com>, <br />
size=400, nrcpt=1 (queue active)<br />
Jun 7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: connect from localhost[127.0.0.1]<br />
Jun 7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: Anonymous TLS connection established <br />
from localhost[127.0.0.1]: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)<br />
Jun 7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: 0F798344C: client=localhost[127.0.0.1]<br />
Jun 7 08:33:33 zcs806 postfix/cleanup[9638]: 0F798344C: message-id=<20140607153247.0279C3434@DOMAIN.com><br />
Jun 7 08:33:33 zcs806 postfix/smtp[9660]: 0279C3434: to=<test@zcs806.us.DOMAIN.com>, <br />
relay=127.0.0.1[127.0.0.1]:10030, delay=63, delays=63/0.06/0.07/0.07, dsn=2.0.0, status=sent <br />
(250 2.0.0 Ok: queued as 0F798344C)<br />
Jun 7 08:33:33 zcs806 postfix/dkimmilter/smtpd[9661]: disconnect from localhost[127.0.0.1]<br />
Jun 7 08:33:33 zcs806 postfix/qmgr[3484]: 0F798344C: from=<admin@zcs806.us.DOMAIN.com>, <br />
size=627, nrcpt=1 (queue active)<br />
Jun 7 08:33:33 zcs806 postfix/qmgr[3484]: 0279C3434: removed<br />
Jun 7 08:33:38 zcs806 postfix/smtps/smtpd[8151]: disconnect from unknown[10.X.X.110]<br />
</pre><br />
<br />
====To Confirm An Auth User Can't Send With Another FROM Address====<br />
<br />
The example below uses an AUTH PLAIN string for ajcody@zcs723.EXAMPLE.com.<br />
<br />
<pre><br />
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25<br />
Trying 10.137.27.32...<br />
Connected to zcs723.EXAMPLE.com.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH PLAIN AGFqY29[cut]bQA5MzkzMWQxbQ==<br />
235 2.7.0 Authentication successful<br />
mail from: <admin@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com> <br />
553 5.7.1 <admin@zcs723.EXAMPLE.com>: Sender address rejected: not owned by user ajcody@zcs723.EXAMPLE.com<br />
</pre><br />
<br />
Notice how this is different when I'm telnet'ing from the server [localhost] back to itself.<br />
<br />
<pre><br />
[root@zcs723 ~]# telnet localhost 25<br />
Trying ::1...<br />
telnet: connect to address ::1: Connection refused<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
AUTH PLAIN AGFqY29kAAAAAAAAAAAAAAAAAAAAAAAmNvbQA5MzkzMWQxbQ==<br />
235 2.7.0 Authentication successful<br />
mail from: <admin@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
Subject: Test mynetwork bypasses From match to AUTH<br />
221 2.7.0 Error: I can break rules, too. Goodbye.<br />
Connection closed by foreign host.<br />
</pre><br />
<br />
===Adding A New MTA Server===<br />
<br />
Basic instructions can be found here:<br />
* http://www.zimbra.com/docs/ne/latest/multi_server_install/toc.html<br />
** See "Installing Zimbra MTA on a Server"<br />
<br />
Additional instructions needed beyond the above will follow as I hear about them.<br />
<br />
===Load Balancing For SMTP - Out Bound Mail===<br />
<br />
Currently, in '''5.x code''', you have the following options:<br />
<br />
* Configure zimbraMtaRelayHost and zimbraSmtpHostname [[Ajcody-Server-Topics#Using_Different_SMTP_Server_For_Webclient_.28ZWC.29.2C_Mobiles.2C_And_ZCO|zimbraSmtpHostname Details]] to:<br />
<br />
** An external load balancing device that will then split the traffic behind it<br />
** Set up round-robin A records in your DNS for the external MTAs you'll be using.<br />
<br />
In '''GNR/6.x''', you are able to add multiple targets to the variables and we'll have some degree of "balancing" between them.<br />
<br />
* "allow list for zimbraSmtpHostname"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=10695<br />
* "make zimbraSmtpHostname fault tolerant"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=36173<br />
<br />
===User Alias Mapping And Mail Transport with Postfix & LDAP===<br />
<br />
See [[User_Alias_Mapping_and_Mail_Transport_with_Postfix_%26_LDAP]]<br />
<br />
====Multiple LDAP Servers?====<br />
<br />
Completed RFE:<br />
<br />
* "mta should be able to take a list of LDAP servers to take advantage of replicas."<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=9353<br />
*** zmmtainit to allow for multiple command line options that will set the URL. Grab the contents of the ldap_url localconfig variable.<br />
<br />
From :<br />
<br />
* http://www.postfix.org/ldap_table.5.html<br />
<br />
<pre><br />
server_host (default: localhost)<br />
The name of the host running the LDAP server, e.g.<br />
<br />
server_host = ldap.example.com<br />
<br />
Depending on the LDAP client library you're using,<br />
it should be possible to specify multiple servers<br />
here, with the library trying them in order should<br />
the first one fail. It should also be possible to<br />
give each server in the list a different port<br />
(overriding server_port below), by naming them like<br />
<br />
server_host = ldap.example.com:1444<br />
<br />
With OpenLDAP, a (list of) LDAP URLs can be used to<br />
specify both the hostname(s) and the port(s):<br />
<br />
server_host = ldap://ldap.example.com:1444<br />
ldap://ldap2.example.com:1444<br />
<br />
All LDAP URLs accepted by the OpenLDAP library are<br />
supported, including connections over UNIX domain<br />
sockets, and LDAP SSL (the last one provided that<br />
OpenLDAP was compiled with support for SSL):<br />
<br />
server_host = ldapi://%2Fsome%2Fpath<br />
ldaps://ldap.example.com:636<br />
<br />
**my note**<br />
This thread - http://archives.neohapsis.com/archives/postfix/2004-09/1763.html<br />
gives me the impression they made a mistake in modifying the help file on this<br />
and they dropped the use/need of the command:<br />
<br />
server_host = ldap://ldap.example.com:1444, ldap://ldap2.example.com:1444<br />
</pre><br />
<br />
Just a small note on where the server_host variable shows up:<br />
<br />
<pre><br />
[root@mail3 conf]# pwd<br />
/opt/zimbra/conf<br />
[root@mail3 conf]# grep server_host *<br />
amavisd.conf.in:$myhostname = '@@zimbra_server_hostname@@'; # must be a fully-qualified domain name!<br />
ldap-scm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
ldap-transport.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
ldap-vad.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
ldap-vam.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
ldap-vmd.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
ldap-vmm.cf:server_host = ldap://mail3.zimbra.DOMAIN.com:389<br />
localconfig.xml: <key name="zimbra_server_hostname"><br />
zmmta.cf: LOCAL zimbra_server_hostname<br />
zmmta.cf: POSTCONF myhostname LOCAL zimbra_server_hostname<br />
</pre><br />
<br />
References:<br />
<br />
* http://archives.neohapsis.com/archives/postfix/2000-04/0200.html<br />
<br />
===Traditional Aliases Use - /etc/aliases type lookups===<br />
<br />
Filed this RFE:<br />
* "Support traditional email aliases via aliases file or ldap - admin console view"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=33642<br />
*** Aliases use without being tied into authentication methods or consuming a license file.<br />
<br />
===Allowing Accounts To Change The From Address===<br />
<br />
Please see:<br />
<br />
* [http://www.zimbra.com/forums/installation/18171-solved-setting-up-email-response-aliases-non-system-domains.html#post92121 Changing The From Field]<br />
<br />
====Related BUG/RFE's====<br />
<br />
* Identities: Auto verify user settable from address [marked as dup of 29974]<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=12094<br />
* persona/external account from field address verification<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=29974<br />
* ZCO Support for zimbraAllowAnyFromAddress<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=31278<br />
<br />
===Creating A Domain Alias===<br />
<br />
Please see [[ManagingDomains#Creating_a_Domain_Alias]]<br />
<br />
===Relay Domain Forwarding===<br />
<br />
Please see [[ManagingDomains#Relaying.2FDomain_Forwarding]]<br />
<br />
===Domain Catchall===<br />
<br />
Please see [[ManagingDomains#Domain_Catchall]]<br />
<br />
===Rewriting From Address For Outbound Email===<br />
<br />
Please see [[ManagingDomains#Domain_Masquerading]]<br />
<br />
===Rewrite Recipient Address For Incoming Email===<br />
<br />
There is a way to rewrite the incoming mail, but it's not a standard Zimbra feature. You can implement it as a configuration change in Postfix. Here's what you do:<br />
<br />
# Create a file in /opt/zimbra/conf named 'postfix_recipientmap'. <br />
#* The format is a single line that reads something like: @alias.domain.com @domain.com<br />
# Run 'postmap postfix_recipientmap' in the conf directory.<br />
# Run "postconf -e recipient_canonical_maps=hash:/opt/zimbra/conf/postfix_recipientmap".<br />
# Run 'postfix reload'.<br />
<br />
This will cause postfix to map any incoming mail with a recipient of '@alias.domain.com' to '@domain.com'. You will need to re-apply this postconf change after upgrades, though the postfix_recipientmap file should survive.<br />
<br />
===Automatic BCC===<br />
<br />
====Option 1 - Via Postfix Customization====<br />
<br />
From the postfix website:<br />
<br />
* always_bcc = address<br />
** Deliver a copy of all mail to the specified address. In Postfix versions before 2.1, this feature is implemented by smtpd(8), qmqpd(8), or pickup(8). <br />
* sender_bcc_maps = type:table<br />
** Search the specified "type:table" lookup table with the envelope sender address for an automatic BCC address. This feature is available in Postfix 2.1 and later. <br />
* recipient_bcc_maps = type:table<br />
** Search the specified "type:table" lookup table with the envelope recipient address for an automatic BCC address. This feature is available in Postfix 2.1 and later. <br />
* Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself. <br />
<br />
Please see the following:<br />
<br />
* A very nice forum post on the subject from our very own mmorse<br />
** http://www.zimbra.com/forums/administrators/28606-master-incoming-outgoing-archive.html#post134490<br />
* Postfix workaround<br />
** http://www.postfix.com/ADDRESS_REWRITING_README.html#auto_bcc<br />
* "User defined auto bcc"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=15306<br />
* "Next rev of (mail) identities preferences management (server side)"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=17320<br />
<br />
====Option 2 - Via ZCS Legal Intercept====<br />
<br />
Generally used for [[Ajcody-User-Management-Topics#Managing_Legal_Requests_for_Information|Managing Legal Requests for Information]]<br />
<br />
Description:<br />
:: The ZCS legal intercept feature is used to obtain copies of email messages that are sent, received, or saved as drafts from targeted accounts and send these messages to a designated “shadow” email address. Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.<br />
<br />
Please see:<br />
* http://www.zimbra.com/docs/ne/latest/administration_guide/managing_other_zcs_features.8.1.html<br />
* http://wiki.zimbra.com/index.php?title=Legal_Intercept<br />
* http://bugzilla.zimbra.com/show_bug.cgi?id=17539<br />
<br />
====Option 3 - Zimbra's Archiving And Discovery====<br />
<br />
See [[Ajcody-Notes-Archive-Discovery]] concerning A&D setup and options.<br />
<br />
===Limiting Or Increasing Number Of Recipients / Messages===<br />
<br />
====Mailing Lists - Distribution Lists====<br />
<br />
Please see [[Ajcody-MailingLists-And-Mailman#Problems_Resolving_Virtual_Aliases_For_Members_Of_Large_Distribution_Lists]]<br />
<br />
====Policy Daemon====<br />
<br />
If you want to restrict messages per hour, you can look into Policy Daemon:<br />
<br />
* http://wiki.zimbra.com/wiki/Postfix_Policyd<br />
* http://wiki.zimbra.com/wiki/How-to_for_cbpolicyd<br />
* http://www.policyd.org/features.html<br />
<br />
Beta release in ZCS 7, see:<br />
<br />
* "make support for postfix-policyd easier"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791<br />
<br />
====Postfix====<br />
<br />
Also, some default Postfix parameters control how many recipients a single message can be sent to. The parameters you will need to look at are smtpd_recipient_limit and smtpd_recipient_overshoot_limit; both have a default value of 1000.<br />
<br />
Postfix defines these parameters as:<br />
<br />
* smtpd_recipient_limit: The maximum number of recipients that the Postfix SMTP server accepts per message delivery request.<br />
* smtpd_recipient_overshoot_limit: The number of recipients that a remote SMTP client can send in excess of the limit specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the per-session error count for each excess recipient.<br />
<br />
From the command line you can change the default values.<br />
<br />
su - zimbra<br />
postconf -e smtpd_recipient_limit=<new value><br />
postconf -e smtpd_recipient_overshoot_limit=<new value><br />
postfix reload<br />
<br />
====Bugs RFE's For Customers To Get Behind====<br />
<br />
I'm wondering if policyd gives one the control everyone is looking for? I've not used it myself.<br />
<br />
Policyd References:<br />
* http://www.policyd.org/tiki-index.php?page=Documentation<br />
* http://www.policyd.org/tiki-index.php?page=Quotas&structure=Documentation<br />
* http://www.policyd.org/tiki-index.php?page=Accounting&structure=Documentation<br />
* http://www.policyd.org/tiki-index.php?page=Policies%20%26%20Groups&structure=Documentation<br />
* http://wiki.zimbra.com/index.php?title=Postfix_Policyd<br />
<br />
There are other additions [add-ons] one can get for policyd.<br />
<br />
We have this RFE in regards to policyd support:<br />
<br />
* "make support for postfix-policyd easier"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=8791<br />
*** Target Milestone currently for Helix release [ http://pm.zimbra.com ]<br />
<br />
Other related RFEs/bugs, especially to push variables into the admin web console:<br />
<br />
* "rate limit amount of mail sent via web client"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=22300<br />
*** Target Milestone currently for Helix release<br />
* "mta "advanced" tab"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=14645<br />
*** Target Milestone currently for Helix release<br />
* "Option to IP Blocking through UI"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=19240<br />
*** Target Milestone currently for Helix release<br />
* "Mail policies and access control for sending to distribution lists"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620<br />
*** Target Milestone currently for GunsNRoses<br />
<br />
===Controlling SMTPD Client Connections===<br />
<br />
Mmorse did a good write up on these variables in the forum:<br />
<br />
* http://www.zimbra.com/forums/administrators/13591-solved-limit-max-recipriants.html#post69582<br />
<br />
Postfix Resources At Their Site (All Clients/Connections):<br />
* [http://www.postfix.org/TUNING_README.html#conn_limit Measures against clients that make too many connections]<br />
* [http://www.postfix.org/anvil.8.html anvil - Postfix session count and request rate control]<br />
* [http://www.postfix.org/postconf.5.html#anvil_rate_time_unit anvil_rate_time_unit - The time unit over which client connection rates and other rates are calculated.]<br />
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit smtpd_client_connection_count_limit - How many simultaneous connections any client is allowed to make to this service. ]<br />
* [http://www.postfix.org/postconf.5.html#smtpd_client_message_rate_limit smtpd_client_message_rate_limit - The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages.]<br />
* [http://www.postfix.org/postconf.5.html#smtpd_client_recipient_rate_limit smtpd_client_recipient_rate_limit - The maximal number of recipient addresses that any client is allowed to send to this service per time unit, regardless of whether or not Postfix actually accepts those recipients.]<br />
* [http://www.postfix.org/postconf.5.html#smtpd_client_connection_rate_limit smtpd_client_connection_rate_limit - The maximal number of connection attempts any client is allowed to make to this service per time unit.]<br />
<br />
Postfix Resources At Their Site (Exceptions To Clients/Connections Or Single Source):<br />
* [http://www.postfix.org/postconf.5.html#smtpd_client_event_limit_exceptions smtpd_client_event_limit_exceptions - Clients that are excluded from connection count, connection rate, or SMTP request rate restrictions.]<br />
<br />
===Restrictions===<br />
<br />
Besides using external mailing list software, [[Ajcody-MailingLists-And-Mailman#Mailman_-_Mailing_List_Manager|Mailman]] or [[Ajcody-MailingLists-And-Mailman#Sympa_-_Mailing_List_Manager|Sympa]], here are some other topical items regarding restrictions.<br />
<br />
Some user contributed articles:<br />
<br />
* [[RestrictPostfixRecipients]]<br />
* [[Restrict_sending_to_certain_domains]]<br />
* [[Restrict_users_to_certain_domain]]<br />
* [http://www.zimbra.com/forums/administrators/15041-guide-postifx-how-multiple-access-lists-protected-distribution-lists.html Forum Post: GUIDE: Postifx: HOW TO: Multiple access lists for protected Distribution-lists]<br />
<br />
Some Postfix references:<br />
<br />
* http://www.postfix.org/RESTRICTION_CLASS_README.html#internal<br />
* http://www.postfix.org/SMTPD_POLICY_README.html<br />
<br />
Some RFE's related to mta based restrictions [targets are based upon today - July 21, 2010]:<br />
<br />
* "Dynamic distribution lists - Internal Directory"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=3884<br />
* "per-domain send restriction" - Not Committed<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=5595<br />
*** These are marked as dup's of the above:<br />
**** "disable outbound e-mail for one user"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=34654<br />
**** "Add an facility to detemine internal relay users in admin"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=33255<br />
* "policy for who can send to a distribution lists" - Helix<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=9620<br />
*** RFE 9620 is also a blocker for the following RFE:<br />
**** "milter to check if sender can send to a distribution list"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=46311<br />
*** These are marked as dup's of the above:<br />
**** "Ability to Specify Mail Policy"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=5555<br />
**** "domain level filters rules"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=6128<br />
**** "Distribution List Restrictions"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=7104<br />
**** "Feature request - Mail Policies"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=9328<br />
**** "limit "send from" to certain domains"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=12038<br />
**** "'Internal email only' options in admin control panel"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=16671<br />
**** "Access control for free busy and resources (ie permission to invite)"<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=22913<br />
**** "RFE: Admin GUI: Restrict the use of Distribution List among users."<br />
***** http://bugzilla.zimbra.com/show_bug.cgi?id=29305<br />
* "Implement smtpd_sender_restrictions"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=15808<br />
* "How to restrict a user to only send via zwc"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=16623<br />
* "enable configuration of "smtpd_sender_restriction""<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=22363<br />
<br />
===Spam Control And Related Issues===<br />
<br />
====High Over View Steps Of What To Do====<br />
<br />
* '''Step 1:''' Confirm you're not an open relay and double check your postfix $mynetworks variable.<br />
** [[ZimbraMtaMyNetworks|ZimbraMtaMyNetworks And Postfix mynetworks]]<br />
** [[Ajcody-MTA-Postfix-Topics#Open_Relay_Check|Open Relay Check]]<br />
* '''Step 2:''' Stop or put on-hold mail queue.<br />
** Put all messages into HOLD queue:<br />
*** Get a report of your current mailq [can be useful if you clean out the queue later but need to identify what external mail hosts are now denying you and who you'll need to contact about getting removed from their denial list]<br />
**** Example: /opt/zimbra/postfix/sbin/mailq > /tmp/zimbra_mailq_report.txt<br />
*** /opt/zimbra/postfix/sbin/postsuper -h ALL<br />
** Or put all messages matching the compromised account into the HOLD queue:<br />
*** /opt/zimbra/postfix/sbin/mailq | grep user_compromised@domain | awk '{ print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -<br />
**** Note, this is an example - the grep may match more than just the compromised account.<br />
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]<br />
* '''Step 3:''' Check your mail log [On ZCS servers running MTA services] - /var/log/zimbra.log <br />
** [[Ajcody-MTA-Postfix-Topics#Understanding_.2Fvar.2Flog.2Fzimbra.log_And_Postfix_Log_Events| Understanding the zimbra.log file and Postfix log events.]] , see subsection about queue ID and message ID also.<br />
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]<br />
* '''Step 4:''' Identify the compromised account that is authenticating the SMTP AUTH connections, or block the IP address the emails are coming from at the firewall.<br />
** [[Ajcody-MTA-Postfix-Topics#Who.27s_My_Spammer.3F| Who's My Spammer?]]<br />
** Continue to monitor compromised account and block ip addresses:<br />
*** tail -f /var/log/zimbra.log | grep username | grep sasl<br />
**** Jun 8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[XXXX.236.197.216], sasl_method=LOGIN, sasl_username=username@domain<br />
* '''Step 5:''' Disable the exploited email account, expire auth session, etc.<br />
** [[Ajcody-User-Management-Topics#Resetting_A_User.27s_Account_From_CLI| Resetting Or Expiring User Auth]]<br />
** '''Note''' - Restarting the MTA services will be important once you reset the password/s or lock the account. It's required to ensure the active connections will be closed and any existing auth tokens are no longer valid. See:<br />
*** Force currently active SMTP authenticated sessions to be renegotiated when locking an account <br />
**** https://bugzilla.zimbra.com/show_bug.cgi?id=80299<br />
* '''Step 6:''' Move the mail queue or delete the spam email<br />
** See whole section - [[Ajcody-MTA-Postfix-Topics#Managing_Postfix_Queue| Managing The Postfix Queue]]<br />
* '''Step 7:''' Release Mail queue<br />
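<br />
Steps 2 and 4 above, as an added example that is not part of the original article or of any Zimbra tooling: one helper selects queue IDs by exact envelope sender (avoiding the over-match of a plain grep), the other tallies messages and distinct client IPs per sasl_username from zimbra.log. The function names, addresses and the sample mailq/log lines are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: triage helpers for Step 2 (hold queue) and Step 4 (find the account).
# Function names are hypothetical; all sample data below is constructed.

# Constructed `mailq` output. Each message has one queue-ID line (sender is
# field 7), optional "(reason)" lines, and indented recipient lines.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1C0001*    1204 Mon Jun  9 18:14:10  user_compromised@example.com
                                         victim1@example.net

3F2A1C0002     2210 Mon Jun  9 18:14:11  other@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         user_compromised@example.com

3F2A1C0003!     980 Mon Jun  9 18:14:12  user_compromised@example.com
                                         victim2@example.net
                                         victim3@example.net

3F2A1C0004      700 Mon Jun  9 18:14:13  not_user_compromised@example.com
                                         victim4@example.net

-- 5 Kbytes in 4 Requests.'

# Constructed zimbra.log lines in the format shown in Step 4.
SAMPLE_LOG='Jun  8 18:14:10 mail postfix/smtpd[15794]: 004358EEB16: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user_compromised@example.com
Jun  8 18:14:11 mail postfix/smtpd[15794]: 004358EEB17: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=user_compromised@example.com
Jun  8 18:14:12 mail postfix/smtps/smtpd[15801]: 004358EEB18: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=user_compromised@example.com
Jun  8 18:15:02 mail postfix/smtpd[15810]: 004358EEB19: client=host.example.org[192.0.2.25], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  8 18:15:03 mail postfix/qmgr[3484]: 004358EEB19: from=<alice@example.com>, size=400, nrcpt=1 (queue active)'

# Print queue IDs whose envelope SENDER equals $1 exactly (case-insensitive).
# Only queue-ID lines are inspected, so recipient lines, reason lines and
# addresses that merely contain $1 are ignored. stdin = mailq output.
queue_ids_for_sender() {
    awk -v addr="$1" '
        /^[0-9A-Za-z]/ && NF >= 7 && tolower($7) == tolower(addr) {
            id = $1
            gsub(/[*!]/, "", id)   # strip active (*) and hold (!) markers
            print id
        }'
}

# The grep-based selection from Step 2 without the final postsuper, for comparison.
grep_style_ids() {
    grep -- "$1" | awk '{ print $1 }' | tr -d '!*'
}

# Print "<messages> <distinct client IPs> <sasl_username>", busiest first.
# stdin = zimbra.log lines.
sasl_senders() {
    awk '
        /smtpd\[/ && /sasl_username=/ {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                f = $i
                sub(/,$/, "", f)
                if (f ~ /^sasl_username=/) {
                    user = substr(f, 15)
                } else if (f ~ /^client=/) {
                    ip = substr(f, index(f, "[") + 1)
                    sub(/\]$/, "", ip)
                }
            }
            if (user == "") next
            msgs[user]++
            if (ip != "" && !((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
        }
        END { for (u in msgs) printf "%d %d %s\n", msgs[u], ips[u], u }
    ' | sort -k1,1nr -k3,3
}

# Demo on the constructed data. On a live MTA the equivalents would be:
#   /opt/zimbra/postfix/sbin/mailq | queue_ids_for_sender user@domain \
#       | /opt/zimbra/postfix/sbin/postsuper -h -
#   sasl_senders < /var/log/zimbra.log
echo "exact sender match:"
printf '%s\n' "$SAMPLE_MAILQ" | queue_ids_for_sender user_compromised@example.com
echo "grep-style match (includes a non-ID and an unrelated message):"
printf '%s\n' "$SAMPLE_MAILQ" | grep_style_ids user_compromised@example.com
echo "messages / distinct IPs / sasl_username:"
printf '%s\n' "$SAMPLE_LOG" | sasl_senders
```

An account that authenticates from several unrelated client IPs in a short window and tops the message count is the first candidate for Step 5.<br />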
<br />
====Who's My Spammer?====<br />
<br />
=====Getting Some Initial Summary Data=====<br />
<br />
======zmdailyreport======<br />
<br />
First, some notable bug/RFE's in regards to the zmdailyreport:<br />
<br />
* RFE - add explanations to Daily mail report / pflogsumm.pl output<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=86630<br />
* Daily mail report shows incorrect output because pflogsumm.pl doubles the result<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=84444<br />
* Descriptions of mta_counts numbers vs daily reports and other msg stats<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=79632<br />
<br />
You can first get some summary data by doing the following:<br />
<br />
<pre><br />
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/zmdailyreport<br />
<br />
Grand Totals<br />
------------<br />
messages<br />
<br />
7 received<br />
11 delivered<br />
0 forwarded<br />
0 deferred<br />
0 bounced<br />
3 rejected (21%)<br />
0 reject warnings<br />
0 held<br />
0 discarded (0%)<br />
<br />
2780 bytes received<br />
10914 bytes delivered<br />
2 senders<br />
1 sending hosts/domains<br />
1 recipients<br />
1 recipient hosts/domains<br />
<br />
<br />
Per-Hour Traffic Summary<br />
time received delivered deferred bounced rejected<br />
--------------------------------------------------------------------<br />
0000-0100 0 0 0 0 0<br />
0100-0200 1 3 0 0 0<br />
0200-0300 0 0 0 0 0<br />
0300-0400 0 0 0 0 0<br />
0400-0500 0 0 0 0 0<br />
0500-0600 0 0 0 0 0<br />
0600-0700 0 0 0 0 0<br />
0700-0800 1 0 0 0 2<br />
0800-0900 1 0 0 0 0<br />
0900-1000 0 0 0 0 1<br />
1000-1100 0 0 0 0 0<br />
1100-1200 0 0 0 0 0<br />
1200-1300 4 8 0 0 0<br />
1300-1400 0 0 0 0 0<br />
1400-1500 0 0 0 0 0<br />
1500-1600 0 0 0 0 0<br />
1600-1700 0 0 0 0 0<br />
1700-1800 0 0 0 0 0<br />
1800-1900 0 0 0 0 0<br />
1900-2000 0 0 0 0 0<br />
2000-2100 0 0 0 0 0<br />
2100-2200 0 0 0 0 0<br />
2200-2300 0 0 0 0 0<br />
2300-2400 0 0 0 0 0<br />
<br />
Host/Domain Summary: Message Delivery (top 50)<br />
sent cnt bytes defers avg dly max dly host/domain<br />
-------- ------- ------- ------- ------- -----------<br />
11 10914 0 7.4 s 24.0 s zcs806.DOMAIN.com<br />
<br />
Host/Domain Summary: Messages Received (top 50)<br />
msg cnt bytes host/domain<br />
-------- ------- -----------<br />
5 2780 zcs806.DOMAIN.com<br />
<br />
top 50 Senders by message count<br />
-------------------------------<br />
4 zimbra@zcs806.DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
<br />
top 50 Recipients by message count<br />
----------------------------------<br />
11 admin@zcs806.DOMAIN.com<br />
<br />
top 50 Senders by message size<br />
------------------------------<br />
1974 zimbra@zcs806.DOMAIN.com<br />
806 admin@zcs806.DOMAIN.com<br />
<br />
top 50 Recipients by message size<br />
---------------------------------<br />
10914 admin@zcs806.DOMAIN.com<br />
<br />
message deferral detail: none<br />
<br />
message bounce detail (by relay): none<br />
<br />
message reject detail<br />
---------------------<br />
MAIL<br />
5.3.4 Message size exceeds fixed limit (total: 3)<br />
3 domain-ext.com<br />
<br />
message reject warning detail: none<br />
<br />
message hold detail: none<br />
<br />
message discard detail: none<br />
<br />
smtp delivery failures: none<br />
<br />
Warnings<br />
--------<br />
sendmail (total: 3)<br />
1 or the command is run from a set-uid root process<br />
1 the Postfix sendmail command has set-uid root file permissions<br />
1 the Postfix sendmail command must be installed without set-uid ...<br />
smtpd (total: 1)<br />
1 7A735345A: queue file size limit exceeded<br />
<br />
Fatal Errors: none<br />
<br />
Panics: none<br />
<br />
Master daemon messages: none<br />
</pre><br />
<br />
======client_usage_report.py======<br />
<br />
This will give some stats on your mail activity. Note, there are some issues with this script double reporting mail counts etc., but it's useful to identify the top 50 for activity.<br />
<br />
<pre><br />
[zimbra@zcs806 ~]$ /opt/zimbra/libexec/client_usage_report.py<br />
Reading /opt/zimbra/log/access_log.2014-04-17 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-18 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-19 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-20 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-21 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-22 ..<br />
Reading /opt/zimbra/log/access_log.2014-04-23 ..<br />
Writing /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv ..<br />
</pre><br />
<br />
Then review the file it creates; it gives: "user_agent","client_IP","req_count"<br />
<br />
<pre><br />
[zimbra@zcs806 ~]$ cat /opt/zimbra/zmstat/client_usage_report_2014-04-24.csv<br />
"user_agent","client_IP","req_count"<br />
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","14"<br />
"Mozilla/5.0 (Windows NT 6.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","93"<br />
"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.174","6"<br />
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0","192.168.1.166","71"<br />
</pre><br />
<br />
======qshape======<br />
<br />
You can also look at the results of [http://www.postfix.org/qshape.1.html qshape] - the default is the active queue. For more on qshape, see [http://www.postfix.org/QSHAPE_README.html Postfix Qshape Readme].<br />
<br />
<pre><br />
qshape deferred<br />
           T  5 10 20 40 80 160 320 640 1280 1280+<br />
    TOTAL 12  0  0  0  0  0   0   0   0    0    12<br />
gmail.com  9  0  0  0  0  0   0   0   0    0     9<br />
yahoo.com  3  0  0  0  0  0   0   0   0    0     3<br />
</pre><br />
<br />
======3rd Party Log Reports - postfix-logwatch and amavis-logwatch======<br />
<br />
Created RFE for us to include these in ZCS:<br />
<br />
* Include postfix-logwatch_and_amavis-logwatch<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=89450<br />
<br />
You can download them from http://logreporters.sourceforge.net/ . It's a fairly simple install: download and extract the archive, cd into the extracted directory, and as root type:<br />
<br />
make install-standalone<br />
<br />
They will install to /usr/local/bin/amavis-logwatch & postfix-logwatch . The config files are in /usr/local/etc/amavis-logwatch.conf & postfix-logwatch.conf . Here's an example of the output.<br />
<br />
/usr/local/bin/amavis-logwatch output example:<br />
<br />
<pre><br />
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/amavis-logwatch /var/log/zimbra.log<br />
****** Summary *************************************************************************************<br />
<br />
4 Total messages scanned ------------------ 100.00%<br />
1.926K Total bytes scanned 1,972<br />
======== ==================================================<br />
<br />
4 Passed ---------------------------------- 100.00%<br />
4 Clean passed 100.00%<br />
======== ==================================================<br />
<br />
4 Ham ------------------------------------- 100.00%<br />
4 Clean passed 100.00%<br />
======== ==================================================<br />
<br />
<br />
==================================================================================<br />
Spam Score Percentiles 0% 50% 90% 95% 98% 100%<br />
----------------------------------------------------------------------------------<br />
Score Ham (4) -1.900 -1.900 -1.900 -1.900 -1.900 -1.900<br />
==================================================================================<br />
<br />
======================================================================================================<br />
Spam Score Frequency <= -10 <= -5 <= 0 <= 5 <= 10 <= 20 <= 30 > 30<br />
------------------------------------------------------------------------------------------------------<br />
Hits (4) 0 0 4 0 0 0 0 0<br />
Percent of Hits 0.00% 0.00% 100.00% 0.00% 0.00% 0.00% 0.00% 0.00%<br />
======================================================================================================<br />
</pre><br />
<br />
/usr/local/bin/postfix-logwatch output example:<br />
<br />
<pre><br />
[root@zcs806 amavis-logwatch-1.51.02]# /usr/local/bin/postfix-logwatch /var/log/zimbra.log<br />
<br />
****** Summary *************************************************************************************<br />
<br />
1 *Warning: Queue file size limit exceeded<br />
<br />
6.512K Bytes accepted 6,668<br />
1.928K Bytes sent via SMTP 1,974<br />
4.584K Bytes sent via LMTP 4,694<br />
======== ==================================================<br />
<br />
10 Accepted 76.92%<br />
3 Rejected 23.08%<br />
-------- --------------------------------------------------<br />
13 Total 100.00%<br />
======== ==================================================<br />
<br />
3 5xx Reject message size 100.00%<br />
-------- --------------------------------------------------<br />
3 Total 5xx Rejects 100.00%<br />
======== ==================================================<br />
<br />
10 Connections<br />
10 Disconnections<br />
8 Removed from queue<br />
4 Sent via SMTP<br />
4 Sent via LMTP<br />
4 Filtered<br />
<br />
****** Detail (10) *********************************************************************************<br />
<br />
3 5xx Reject message size -----------------------------------------------------------------<br />
3 192.168.1.166 remote.domain.com<br />
3 *unavailable<br />
3 *unavailable<br />
<br />
4 Sent via SMTP ---------------------------------------------------------------------------<br />
4 zcs806.DOMAIN.com<br />
<br />
4 Sent via LMTP ---------------------------------------------------------------------------<br />
4 zcs806.DOMAIN.com<br />
<br />
4 Filtered --------------------------------------------------------------------------------<br />
2 smtp-amavis:[127.0.0.1]:10024<br />
2 Sender address<br />
1 admin@zcs806.DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 192.168.1.166 remote.domain.com<br />
1 user@DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 192.168.1.184 remote2.domain.com<br />
2 smtp-amavis:[127.0.0.1]:10026<br />
2 Sender address<br />
1 admin@zcs806.DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 192.168.1.166 remote.domain.com<br />
1 user@DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 192.168.1.184 remote2.domain.com<br />
<br />
=== Delivery Delays Percentiles ============================================================<br />
0% 25% 50% 75% 90% 95% 98% 100%<br />
--------------------------------------------------------------------------------------------<br />
Before qmgr 0.04 0.09 0.11 0.11 0.23 0.35 0.43 0.48<br />
In qmgr 0.00 0.00 0.01 0.01 0.04 0.07 0.08 0.09<br />
Conn setup 0.00 0.01 0.29 1.30 2.05 2.23 2.33 2.40<br />
Transmission 0.10 2.81 4.85 9.60 21.00 21.00 21.00 21.00<br />
Total 0.20 2.91 5.20 11.00 23.30 23.65 23.86 24.00<br />
============================================================================================<br />
</pre><br />
<br />
'''Note''' - First, look at the options each command has using the -h output. You might want to use --full when doing an investigation and also include a wildcard - /var/log/zimbra.lo* to take in all the log data. For example:<br />
<br />
<pre><br />
[zimbra@zcs806 ~]$ /usr/local/bin/postfix-logwatch --full /var/log/zimbra.lo*<br />
****** Summary *************************************************************************************<br />
<br />
9 *Fatal: General fatal<br />
1 *Warning: Queue file size limit exceeded<br />
21 Miscellaneous warnings<br />
<br />
710.888K Bytes accepted 727,949<br />
193.036K Bytes sent via SMTP 197,669<br />
520.114K Bytes sent via LMTP 532,597<br />
======== ==================================================<br />
<br />
1041 Accepted 99.71%<br />
3 Rejected 0.29%<br />
-------- --------------------------------------------------<br />
1044 Total 100.00%<br />
======== ==================================================<br />
<br />
3 5xx Reject message size 100.00%<br />
-------- --------------------------------------------------<br />
3 Total 5xx Rejects 100.00%<br />
======== ==================================================<br />
<br />
65 Connections<br />
65 Disconnections<br />
1041 Removed from queue<br />
523 Sent via SMTP<br />
517 Sent via LMTP<br />
2 Bounced (local)<br />
1 Bounced (remote)<br />
9 Filtered<br />
2 Notifications sent<br />
<br />
4 Timeouts (inbound)<br />
1 PIX workaround enabled<br />
<br />
****** Detail (10) *********************************************************************************<br />
<br />
9 *Fatal: General fatal -----------------------------------------------------------------<br />
3 Queue report unavailable - mail system is down<br />
3 Usage: sendmail [options]<br />
2 The Postfix mail system is not running<br />
1 Usage: send-mail [options]<br />
<br />
21 Miscellaneous warnings ------------------------------------------------------------------<br />
7 or the command is run from a set-uid root process<br />
7 the Postfix sendmail command has set-uid root file permissions<br />
7 the Postfix sendmail command must be installed without set-uid root file permissions<br />
<br />
3 5xx Reject message size -----------------------------------------------------------------<br />
3 10.X.X.166 fence.DOMAIN.com<br />
3 *unavailable<br />
3 *unavailable<br />
<br />
523 Sent via SMTP ---------------------------------------------------------------------------<br />
507 86.lab<br />
15 zcs806.DOMAIN.com<br />
1 domaina.com<br />
<br />
517 Sent via LMTP ---------------------------------------------------------------------------<br />
507 86.lab<br />
10 zcs806.DOMAIN.com<br />
<br />
2 Bounced (local) -------------------------------------------------------------------------<br />
2 5.0.0: Permanent failure: Other/Undefined status: Other undefined status<br />
2 zcs806.DOMAIN.com<br />
2 Zcs806.DOMAIN.com<br />
1 subject:test<br />
1 zimbra<br />
<br />
1 Bounced (remote) ------------------------------------------------------------------------<br />
1 5.0.0: Permanent failure: Other/Undefined status: Other undefined status<br />
1 domain.com<br />
1 user<br />
1 64.X.X.28 sentry.DOMAIN.com<br />
1 505 5.0.0 Unknown recipient: RCPT TO<br />
<br />
9 Filtered --------------------------------------------------------------------------------<br />
7 smtp-amavis:[127.0.0.1]:10026<br />
7 Sender address<br />
3 admin@zcs806.DOMAIN.com<br />
3 admin@zcs806.DOMAIN.com<br />
2 10.X.X.36 zcs806.DOMAIN.com<br />
1 10.X.X.166 gatewayXX.DOMAIN.com<br />
2 zimbra@zcs806.DOMAIN.com<br />
2 admin@zcs806.DOMAIN.com<br />
2 10.X.X.36 zcs806.DOMAIN.com<br />
1 ajcody@DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 10.X.X.184 edgeXX.DOMAIN.com<br />
1 san5@zcs806.DOMAIN.com<br />
1 b@zcs806.DOMAIN.com<br />
1 10.X.X.36 zcs806.DOMAIN.com<br />
2 smtp-amavis:[127.0.0.1]:10024<br />
2 Sender address<br />
1 admin@zcs806.DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 10.X.X.166 gatewayXX.DOMAIN.com<br />
1 ajcody@DOMAIN.com<br />
1 admin@zcs806.DOMAIN.com<br />
1 10.X.X.184 edgeXX.DOMAIN.com<br />
<br />
2 Notifications sent ----------------------------------------------------------------------<br />
2 Non-delivery<br />
2 sender<br />
<br />
4 Timeouts (inbound) ----------------------------------------------------------------------<br />
4 After END-OF-MESSAGE<br />
<br />
1 PIX workaround enabled ------------------------------------------------------------------<br />
1 disable_esmtp delay_dotcrlf<br />
1 64.X.X.28 sentry.DOMAIN.com<br />
<br />
=== Delivery Delays Percentiles ============================================================<br />
0% 25% 50% 75% 90% 95% 98% 100%<br />
--------------------------------------------------------------------------------------------<br />
Before qmgr 0.01 0.03 0.06 0.14 0.27 0.34 0.48 2.60<br />
In qmgr 0.00 0.00 0.08 117.50 193.00 216.00 231.48 246.00<br />
Conn setup 0.00 0.00 0.00 0.00 0.02 0.04 0.22 20.00<br />
Transmission 0.05 0.09 3.60 9.80 10.00 10.00 11.00 160.00<br />
Total 0.07 0.13 3.80 129.00 203.00 226.00 241.64 259.00<br />
============================================================================================<br />
</pre><br />
<br />
======zmaccts======<br />
<br />
Noting which accounts are actively logging in and which aren't can help shrink the number of accounts you might want to investigate or monitor. [In the example below, I cut out a lot of the accounts.]<br />
<br />
<pre><br />
account status created last logon<br />
------------------------------------ ----------- --------------- ---------------<br />
zcstest001@zcs806.DOMAIN.com active 01/20/14 18:47 03/02/14 21:11<br />
zcstest002@zcs806.DOMAIN.com active 01/30/14 01:48 02/19/14 00:07<br />
admin-20140415@zcs806.DOMAIN.com active 04/15/14 14:42 never<br />
archtest-prod-20140402@zcs806.DOMAIN active 04/02/14 07:42 never<br />
<br />
account status created last logon<br />
------------------------------------ ----------- --------------- ---------------<br />
bruce@test1.lab active 02/22/14 09:32 never<br />
test.cal@test1.lab active 04/06/14 05:35 04/06/14 05:35<br />
test200@test1.lab active 04/12/14 00:50 never<br />
<br />
domain summary<br />
<br />
domain active closed locked maintenance total<br />
----------------------- -------- -------- -------- ------------- --------<br />
test1.lab 3 0 0 0 3<br />
test2.com 2 0 0 0 2<br />
angad.com 2 0 0 0 2<br />
test.test 3 0 0 0 3<br />
test.DOMAIN.com 6 0 0 0 6<br />
zcs806.DOMAIN.com 58 0 0 0 58<br />
zcs806.DOMAIN.com 2 0 0 0 2<br />
</pre><br />
<br />
=====By Authentication Attempts=====<br />
<br />
A fast way to see who is doing a lot of authentications, which normally happens when a spammer has compromised an account with a weak password, is to do:<br />
<br />
<pre><br />
# cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n<br />
1 Auser@domain.com<br />
3 Buser@domain.com<br />
4 Cuser@domain.com<br />
5 Duser@domain.com<br />
36 SPAMMER@domain.com<br />
</pre><br />
<br />
'''Note - This might take a long time, if so - try pruning it down'''<br />
<br />
Example:<br />
<pre><br />
# cat /var/log/zimbra.log | grep sasl_username > /tmp/zimbra_sasl_username.txt<br />
# cat /tmp/zimbra_sasl_username.txt | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n<br />
1 Auser@domain.com<br />
3 Buser@domain.com<br />
4 Cuser@domain.com<br />
5 Duser@domain.com<br />
36 SPAMMER@domain.com<br />
</pre><br />
<br />
The full log event will look like this:<br />
<pre><br />
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user<br />
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com><br />
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)<br />
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com><br />
</pre><br />
<br />
Against your older logs, you could:<br />
<br />
<pre><br />
# zcat /var/log/zimbra.log* | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n<br />
</pre><br />
<br />
And you can look at the specific information for the user in question with:<br />
<br />
<pre><br />
# grep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log<br />
</pre><br />
<br />
Or if searching against the older logs:<br />
<br />
<pre><br />
# zgrep -C2 "sasl_username=SPAMMER@domain.com" /var/log/zimbra.log*<br />
</pre><br />
<br />
If you want to check on a specific message ID, do:<br />
<br />
<pre><br />
grep 9DF7520804A /var/log/zimbra.log*<br />
</pre><br />
<br />
For older message logs:<br />
<br />
<pre><br />
zgrep 9DF7520804A /var/log/zimbra.log*<br />
</pre><br />
<br />
To read/view the message in the queue:<br />
<br />
/opt/zimbra/postfix/sbin/postcat -q 9DF7520804A <br />
<br />
One would then normally lock or change the password on the one account showing the most activity. Grepping /var/log/zimbra.log for the username in question will also show the IP address being used, which can then be blocked with your firewall.<br />
<br />
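The one-liners above count logins per user only. The following added example (not part of the original article) joins each authenticated smtpd line to its qmgr line by queue ID, so every sasl_username is listed with its message count, total recipients (nrcpt) and the client IPs it logged in from. The function names and the sample log lines are constructed for illustration, in the format of the log event shown above.<br />
<br />
```shell
#!/bin/sh
# Added example: per-user summary of authenticated SMTP submissions.

# Constructed sample lines (not real log data), same layout as the log event above.
sample_log() {
cat <<'EOF'
Apr 20 15:42:55 zimbra1 postfix/smtpd[29431]: B28914D5978: client=host1.example.net[203.0.113.10], sasl_method=LOGIN, sasl_username=spammer@example.com
Apr 20 15:42:55 zimbra1 postfix/qmgr[20690]: B28914D5978: from=<x@example.org>, size=6026, nrcpt=10 (queue active)
Apr 20 15:43:01 zimbra1 postfix/smtpd[29440]: C39025E6A89: client=host2.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=spammer@example.com
Apr 20 15:43:01 zimbra1 postfix/qmgr[20690]: C39025E6A89: from=<y@example.org>, size=5980, nrcpt=25 (queue active)
Apr 20 15:44:10 zimbra1 postfix/qmgr[20690]: C39025E6A89: from=<y@example.org>, size=5980, nrcpt=25 (queue active)
Apr 20 15:45:00 zimbra1 postfix/smtpd[29450]: D4A136F7B9A: client=pc.example.com[192.0.2.20], sasl_method=PLAIN, sasl_username=auser@example.com
Apr 20 15:45:00 zimbra1 postfix/qmgr[20690]: D4A136F7B9A: from=<auser@example.com>, size=1200, nrcpt=1 (queue active)
Apr 20 15:45:02 zimbra1 postfix/qmgr[20690]: E5B247A8CAB: from=<local@example.com>, size=900, nrcpt=3 (queue active)
EOF
}

# Usage: sasl_summary /var/log/zimbra.log      (or: zcat old.log.gz | sasl_summary)
# Output, busiest first: user messages recipients distinct_ips ip_list
sasl_summary() {
    awk '
    # The queue ID is the token between "]: " and the next ": ".
    function qid_of(line) {
        if (match(line, /\]: [0-9A-Za-z]+: /))
            return substr(line, RSTART + 3, RLENGTH - 5)
        return ""
    }
    # Authenticated submission: remember which user owns the queue ID.
    /postfix\/smtpd\[/ && /client=/ && /sasl_username=/ {
        qid = qid_of($0)
        if (qid == "") next
        match($0, /sasl_username=[^, ]+/)
        user = substr($0, RSTART + 14, RLENGTH - 14)
        rest = substr($0, index($0, "client=") + 7)
        ip = substr(rest, index(rest, "[") + 1)
        ip = substr(ip, 1, index(ip, "]") - 1)
        owner[qid] = user
        msgs[user]++
        if (!((user, ip) in seen)) {
            seen[user, ip] = 1
            nips[user]++
            ips[user] = (ips[user] == "" ? ip : ips[user] "," ip)
        }
        next
    }
    # qmgr logs nrcpt again each time a deferred message is retried,
    # so each queue ID is counted once only.
    /postfix\/qmgr\[/ && /nrcpt=/ {
        qid = qid_of($0)
        if (!(qid in owner) || (qid in counted)) next
        counted[qid] = 1
        match($0, /nrcpt=[0-9]+/)
        rcpts[owner[qid]] += substr($0, RSTART + 6, RLENGTH - 6)
    }
    END {
        for (u in msgs)
            print u, msgs[u], rcpts[u] + 0, nips[u], ips[u]
    }' "$@" | sort -k3,3nr -k1,1
}
```

A user with a high recipient total spread over several client IPs is a stronger sign of a compromised password than the login count alone.<br />
<br />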
To be alerted of a compromised account and have it lock automatically see below. Slightly modified from this reference : http://www.zimbra.com/forums/administrators/62613-identify-compromised-accounts.html#post278732 :<br />
<br />
<pre><br />
<br />
#!/bin/bash<br />
# Checks the log file and gets a count of authentications per minute, per user.<br />
# If the count exceeds the maxmails value, the user's account is locked.<br />
<br />
logfile="/var/log/zimbra.log"<br />
maxmails="10"<br />
mydomain="example.com"<br />
support="<postmaster-userid>@$mydomain"<br />
# mktemp avoids a predictable file name in /tmp<br />
accounts="$(mktemp /tmp/active_accounts.XXXXXX)"<br />
<br />
su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"<br />
<br />
# sed collapses runs of spaces so the awk field numbers stay the same for single-digit days ("Apr  1")<br />
zgrep -i "auth ok" "$logfile" | sed 's/  */ /g' | awk -F"[ :]" '{print $3":"$4,$11;}' | uniq -c | sort -n | \<br />
while read -r line<br />
do<br />
    # each line is: count HH:MM userid<br />
    count=$(echo "$line" | cut -d' ' -f 1)<br />
    userid=$(echo "$line" | cut -d' ' -f 3)<br />
    timestamp=$(echo "$line" | cut -d' ' -f 2)<br />
    # -Fx: match the whole address literally, not as a substring or regex<br />
    active=$(grep -Fx "$userid@$mydomain" "$accounts")<br />
<br />
    if [ "$count" -gt "$maxmails" ] && [ "$active" == "$userid@$mydomain" ]; then<br />
        echo "Maximum email rate exceeded, $userid@$mydomain will be locked"<br />
        su zimbra -c "/opt/zimbra/bin/zmprov ma $userid@$mydomain zimbraAccountStatus locked"<br />
        subject="$userid account locked due to excessive connections"<br />
        # Email text/message<br />
        message="$(mktemp /tmp/emailmessage.XXXXXX)"<br />
        echo "$userid account has been locked as there were $count connections made at" > "$message"<br />
        echo "$timestamp. Please have the user change their password, and check for phishing" >> "$message"<br />
        echo "emails if possible." >> "$message"<br />
        # send an email using /usr/bin/mail<br />
        /usr/bin/mail -s "$subject" "$support" < "$message"<br />
        rm -f "$message"<br />
<br />
        # update list of active accounts<br />
        su zimbra -c "/opt/zimbra/bin/zmaccts" | grep "@" | grep active | awk '{print $1}' > "$accounts"<br />
    fi<br />
done<br />
<br />
rm -f "$accounts"<br />
<br />
</pre><br />
<br />
Then run it as a cron job. The frequency will depend on the number of accounts you're managing.<br />
<br />
<pre><br />
* * * * * /opt/zimbra/find_spammer.sh<br />
</pre><br />
<br />
=====By Connecting IP - Useful For Blocking IP At Firewall=====<br />
<br />
See also the following:<br />
<br />
* http://wiki.zimbra.com/wiki/Log_Files#Logging_the_Originating_IP<br />
<br />
To find the originating IP address of where the emails are coming from:<br />
<br />
grep 'connect from' /var/log/zimbra.log | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head<br />
<br />
To check your older logs [example output below]:<br />
<br />
<pre><br />
zgrep 'connect from' /var/log/zimbra.log* | sed 's/.*connect from.*\[\(.[^]]*\)\]/\1/g' | sort | uniq -c | sort -nr | head<br />
36 10.137.xx.34<br />
34 127.0.0.1<br />
</pre><br />
<br />
=====Open Relay Check=====<br />
<br />
You should also confirm you aren't an open relay.<br />
<br />
<pre><br />
$ host -t mx DOMAIN.com<br />
DOMAIN.com mail is handled by 10 mail.DOMAIN.com.<br />
<br />
$ telnet mail.DOMAIN.com 25<br />
Trying 184.###.##.## ...<br />
Connected to mail.DOMAIN.com.<br />
Escape character is '^]'.<br />
220 mail.DOMAIN.com ESMTP Postfix<br />
helo support.test<br />
250 mail.DOMAIN.com<br />
mail from:<SPAMMER@domain.com><br />
250 2.1.0 Ok<br />
rcpt to:<TEST@DOMAIN.COM><br />
554 5.7.1 <TEST@DOMAIN.COM>: Relay access denied<br />
<br />
rcpt to:<SPAMMER@domain.com><br />
554 5.7.1 Service unavailable; Client host [71.XXX.XX.XX] blocked <br />
using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=71.202.XX.XX<br />
quit<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
</pre><br />
<br />
=====Telnet Test To Confirm/Show Authentication Required For SMTP/Port 25=====<br />
<br />
This is an example:<br />
<br />
<pre><br />
esx2:~ ajcody$ telnet zcs723.EXAMPLE.com 25<br />
<br />
Trying 10.137.27.32...<br />
Connected to zcs723.EXAMPLE.com.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo zcs723.EXAMPLE.com << I typed<br />
250 zcs723.EXAMPLE.com<br />
mail from:ajcody@zcs723.EXAMPLE.com << I typed<br />
250 2.1.0 Ok<br />
rcpt to:ajcody2@zcs723.EXAMPLE.com << I typed<br />
553 5.7.1 <ajcody@zcs723.EXAMPLE.com>: Sender address rejected: not logged in<br />
</pre><br />
<br />
But note - if you do this from the ZCS server, or from a server that is within the IP range or has its specific IP listed in mynetworks, you will not get this authentication requirement.<br />
<br />
<pre><br />
[root@zcs723 ~]# telnet localhost 25<br />
Trying ::1...<br />
telnet: connect to address ::1: Connection refused<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 zcs723.EXAMPLE.com ESMTP Postfix<br />
helo myworkstation<br />
250 zcs723.EXAMPLE.com<br />
ehlo myworkstation<br />
250-zcs723.EXAMPLE.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH LOGIN PLAIN<br />
250-AUTH=LOGIN PLAIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
mail from:<ajcody@zcs723.EXAMPLE.com><br />
250 2.1.0 Ok<br />
rcpt to: <ajcody2@zcs723.EXAMPLE.com><br />
250 2.1.5 Ok<br />
data<br />
354 End data with <CR><LF>.<CR><LF><br />
From: Adam <ajcody@zcs723.EXAMPLE.com><br />
To: Adam 2 <ajcody2@zcs723.EXAMPLE.com><br />
Subject: From Localhost - NOT Auth<br />
test<br />
.<br />
250 2.0.0 Ok: queued as 8B19E1E78D1<br />
quit<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
</pre><br />
<br />
====Resources====<br />
<br />
A list of resources you'll find useful:<br />
<br />
* [[Zimbra_MTA#Anti-Spam_Training_Filters]]<br />
* [[CLI_zmtrainsa]]<br />
* [[Improving_Anti-spam_system]]<br />
* [[Postfix_Policyd]]<br />
* [[IP_Address_whitelisting]]<br />
* [[Spam_training]]<br />
* Restrict by user <br />
** [[RestrictPostfixRecipients]]<br />
* Restrict by ip addresses and sender and other items:<br />
** [http://www.postfix.org/RESTRICTION_CLASS_README.html Postfix - Restriction Class Readme]<br />
*** Note, from the readme:<br />
**** "What follows is based on the SMTP client IP address, and therefore is subject to IP spoofing."<br />
**** "What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing."<br />
<br />
Wiki articles that have been assigned to the anti-spam category:<br />
<br />
* [http://wiki.zimbra.com/index.php?title=Category:Anti-spam Category:Anti-spam]<br />
<br />
Down to the end-user:<br />
<br />
* [[Cool_User_Spam_Filters]]<br />
* [http://www.zimbra.com/community/end_user_guide_and_how_to.html End-User Guide And How-To]<br />
<br />
=====External Relay Test Pages=====<br />
<br />
* http://www.checkor.com/<br />
** Note - this test is in regards to the From spoofing spammers sometimes do for DL's.<br />
** Also, for the test - make an account/DL on your system for test1@[your domain] . Otherwise you'll just error about account not existing.<br />
<pre><br />
RSET<br />
250 2.0.0 Ok<br />
MAIL FROM: spam@mail59.DOMAIN.com<br />
250 2.1.0 Ok<br />
RCPT TO: test1@mail59.DOMAIN.com<br />
Test Failed, 250 2.1.5 Ok <br />
</pre><br />
<br />
* http://www.mailradar.com/openrelay/<br />
<br />
====Blocking MAIL FROM - smtpd_sender_restrictions - Default Is Empty====<br />
<br />
=====External References=====<br />
<br />
* External Sources<br />
** Postfix<br />
*** [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Postfix On smtpd_sender_restrictions]<br />
** Milter<br />
*** [http://www.postfix.org/MILTER_README.html#limitations Postfix's Milter Readme - Limitations]<br />
**** [http://puszcza.gnu.org.ua/software/mailfromd/ Mailfromd]<br />
***** [http://puszcza.gnu.org.ua/software/mailfromd/manual/html_section/SAV.html#SEC7 Mailfromd - Sender Address Verification]<br />
** [http://www.symantec.com/connect/articles/anti-spam-solutions-and-security Anti-Spam Solutions and Security]<br />
<br />
=====Zimbra References And Bugs & RFE's=====<br />
<br />
* Zimbra Related Sources<br />
** "policy for who can send to a distribution lists"<br />
*** https://bugzilla.zimbra.com/show_bug.cgi?id=9620<br />
**** '''Note - This will not stop spammers from mailing into your DL's by way of forged Mail From and guessing your DL address in the To'''<br />
** "support smtpd_sender_login_maps for smtp auth"<br />
*** http://bugzilla.zimbra.com/show_bug.cgi?id=11258<br />
** "Implement smtpd_sender_restrictions"<br />
*** http://bugzilla.zimbra.com/show_bug.cgi?id=15808<br />
** "milter to check if sender can send to a distribution list"<br />
*** https://bugzilla.zimbra.com/show_bug.cgi?id=46311<br />
**** Dependent upon bug 9620<br />
** Zimbra Forum Post on using smtpd_sender_restrictions options<br />
*** [http://www.zimbra.com/forums/administrators/28770-how-enforce-sasl_username-address.html How to enforce sasl_username=FROM ADDRESS]<br />
** Another Zimbra Forum Post on using smtpd_sender_restrictions options<br />
*** [http://www.zimbra.com/forums/administrators/39095-need-urgent-help-spamming-issue.html Need urgent help on spamming issue]<br />
<br />
=====Protecting DL's From Spammers - Forging Mail From=====<br />
<br />
======First Recommendation - As Given By Dev's From Critical Meeting Notes======<br />
<br />
----<br />
<br />
* Enabled SASL/SMTP Authentication<br />
** Ref: http://wiki.zimbra.com/index.php?title=SMTP_Auth_Problems<br />
* Implement how-to as described in :<br />
** Permitted Senders: [[RestrictPostfixRecipients]]<br />
*** '''Note: You'll see on the above page a reference to the spoof hole.'''<br />
**** '''''"This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs."'''''<br />
*** '''Note: You'll also modify the instructions on that page with the additional details provided below.'''<br />
* Force authentication for local-domain senders:<br />
** modify the main.cf to have the following:<br />
*** smtpd_sender_restrictions = check_sender_access hash:/path/to/file<br />
** Then, in the /path/to/file that you used in main.cf for smtpd_sender_restrictions, you'll have a line like:<br />
*** example.com permit_sasl_authenticated, reject<br />
<br />
======Second Recommendation - Unpredictable DL name or Non-routing Domain======<br />
<br />
----<br />
<br />
Do not use predictable DL names. Instead of using everyone@company.com , use something like everyone-[random-string]@company.com .<br />
<br />
Another option is to use a non-routing domain - company.local - and setup your DL's there. You'll want to configure your main domain to be able to query the GAL of this domain.<br />
<br />
To see the existing setting:<br />
<br />
zmprov gd [domainname] zimbraGalLdapSearchBase<br />
<br />
To change the variable for the domain:<br />
<br />
zmprov md [domainname] zimbraGalInternalSearchBase ROOT<br />
<br />
======Third Recommendation - Using smtpd_sender_restrictions======<br />
<br />
----<br />
<br />
:::'''Work In Progress. I'm testing this now. Please don't attempt until this line is removed.'''<br />
<br />
Update: See the following:<br />
* "Enforcing a match between the FROM Address and sasl_username in Zimbra Collaboration Server (2011281)"<br />
** http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2011281<br />
<br />
This should work if your "clients" are using ZWC, ZCO, or ActiveSync mobile devices. If you are using IMAP/POP + SMTP thick clients, you'll most likely have to enable SMTP authentication [sasl] and use the reject_authenticated_sender_login_mismatch variable instead.<br />
<br />
postconf -e smtpd_sender_restrictions=reject_sender_login_mismatch<br />
postfix reload<br />
<br />
This option is described as: <br />
<br />
:'''''reject_sender_login_mismatch'''''<br />
:: ''Reject the request when $smtpd_sender_login_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.'' [http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions Man page]<br />
<br />
====Some Other SMTP Sending Restrictions====<br />
<br />
=====Blocking Incoming From Domain And By User=====<br />
<br />
See the following:<br />
<br />
* [[Domain_level_blocking_of_users]]<br />
* [[Improving_Anti-spam_system#Implementing_Whitelist.2FBlacklist]]<br />
<br />
=====check_client_access=====<br />
<br />
The smtpd_client_restrictions parameter restricts what clients this system accepts SMTP connections from. The default behavior is to allow SMTP connections from any client. This is discussed under [http://www.postfix.org/spam.html Spam Controls] on the Postfix site.<br />
<br />
Example:<br />
<br />
check_client_access regexp:/etc/postfix/access_sender_client_server,<br />
<br />
Example:<br />
<br />
check_sender_access regexp:/etc/postfix/access_sender_toplevel<br />
<br />
=====smtpd_reject_unlisted_sender=====<br />
<br />
Details can be found on the [http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient main.cf] Postfix page.<br />
<br />
Example:<br />
<br />
smtpd_reject_unlisted_sender = yes<br />
<br />
Possible Bug:<br />
<br />
http://bugzilla.zimbra.com/show_bug.cgi?id=24889<br />
<br />
====What's Your SPF Records Say, When Getting "does not designate 74.x.x.x as permitted sender Errors"====<br />
<br />
This is most likely related to the SPF records for your domain and what the header content of the sending email states as its Mail From. For example, this is from the header of an email that was "received":<br />
<br />
<pre><br />
Received: from mail.XYZ-FAKE.com (mailhost.XYZ-FAKE.com [74.X.X.244]) by mta01.ABC-FAKE.com with ESMTP id <br />
Cft0mO3fjlFGQjTA for <support@ABC-FAKE.com>; Tue, 21 Apr 2009 05:14:13 -0700 (PDT)<br />
X-Barracuda-Envelope-From: testuser@XYZ-FAKE.com<br />
Received-SPF: pass (mta01.ABC-FAKE.com: domain of testuser@XYZ-FAKE.com designates 74.X.X.244 as permitted sender) <br />
receiver=mta01.ABC-FAKE.com; client_ip=74.X.X.244; envelope-from=testuser@XYZ-FAKE.com;<br />
</pre><br />
<br />
To see what this check was done against, do the following below. I'll trim the output and adjust the information used to protect the innocent. Also, notice how a DNS "alias" might cause an issue here? :<br />
<br />
<pre><br />
<br />
$ host 74.X.X.244<br />
244.X.X.74.in-addr.arpa domain name pointer mailhost.XYZ-FAKE.com.<br />
<br />
$ host mailhost.XYZ-FAKE.com<br />
mailhost.XYZ-FAKE.com has address 74.X.X.244<br />
<br />
$ host mail.XYZ-FAKE.com<br />
mail.XYZ-FAKE.com is an alias for mailhost.XYZ-FAKE.com.<br />
mailhost.XYZ-FAKE.com has address 74.X.X.244<br />
<br />
$ dig XYZ-FAKE.com MX<br />
<br />
;; QUESTION SECTION:<br />
;XYZ-FAKE.com. IN MX<br />
<br />
;; ANSWER SECTION:<br />
XYZ-FAKE.com. 3600 IN MX 22 serverA.DNS-FAKE.com.<br />
XYZ-FAKE.com. 3600 IN MX 11 serverB.DNS-FAKE.com.<br />
<br />
$ dig XYZ-FAKE.com TXT<br />
<br />
;; QUESTION SECTION:<br />
;XYZ-FAKE.com. IN TXT<br />
<br />
;; ANSWER SECTION:<br />
XYZ-FAKE.com. 3600 IN TXT "v=spf1 a:mail.XYZ-FAKE.com ~all"<br />
<br />
</pre><br />
<br />
See the following for more information:<br />
<br />
* http://www.openspf.org/<br />
* http://www.schlitt.net/spf/spf_classic/draft-schlitt-spf-classic-02.html#publishing<br />
** All of the 3.x section.<br />
<br />
===Using Different SMTP Server For Webclient (ZWC), Mobiles, And ZCO===<br />
<br />
====Note Of Caution About Using External MTAs====<br />
<br />
Using non-zimbra MTA's can cause some options in zimbra to not function anymore - since it no longer has zimbra's mta services available. <br />
<br />
=====Zimbra Mail Forwarding Possibly Will Not Work - Turn Off User Option To Set MailForwarding=====<br />
<br />
Mail forwarding might no longer work, depending on the configuration you set up regarding the use of your external MTAs. When this happens you'll most likely want to disable the option for users to set a mail forwarding address in their preferences. This can be done via their COS or USER configuration.<br />
<br />
* In the admin console, go to the COS configuration the user/s are using and open the "Features" tab. Uncheck the option "Allow the user to specify a forwarding address" under Mail Features. It is in the same location under a USER's configuration panel in the admin console.<br />
<br />
In the CLI, you will see these set as the defaults for the default COS. The admin gui option above only adjusts the zimbraFeatureMailForwardingEnabled variable :<br />
<br />
$ zmprov gc default | grep zimbraFeatureMailForwarding<br />
zimbraFeatureMailForwardingEnabled: TRUE<br />
zimbraFeatureMailForwardingInFiltersEnabled: TRUE<br />
<br />
$ zmprov ga ajcody@`zmhostname` | grep zimbraFeatureMailForwarding<br />
zimbraFeatureMailForwardingEnabled: TRUE<br />
zimbraFeatureMailForwardingInFiltersEnabled: TRUE<br />
<br />
More details about them are in the /opt/zimbra/conf/attrs/zimbra-attrs.xml file.<br />
<br />
<pre><br />
<attr id="342" name="zimbraFeatureMailForwardingEnabled" type="boolean" cardinality="single" <br />
optionalIn="account,cos" flags="accountInfo,accountInherited,domainAdminModifiable"><br />
<defaultCOSValue>TRUE</defaultCOSValue><br />
<desc>enable end-user mail forwarding features</desc><br />
</attr><br />
<br />
<attr id="704" name="zimbraFeatureMailForwardingInFiltersEnabled" type="boolean" <br />
cardinality="single" optionalIn="account,cos" flags="accountInfo,accountInherited,<br />
domainAdminModifiable" since="5.0.10"><br />
<defaultCOSValue>TRUE</defaultCOSValue><br />
<desc>enable end-user mail forwarding defined in mail filters features</desc><br />
</attr><br />
</pre><br />
<br />
=====Configure External MTA To Use LDAP Virtual Alias Maps=====<br />
<br />
Here's the basic information on how Zimbra's MTA [postfix/etc] uses Zimbra's LDAP to get the forwarding information:<br />
<br />
$ grep Forward conf/ldap-*<br />
conf/ldap-vam.cf:result_attribute = <br />
zimbraMailDeliveryAddress,zimbraMailForwardingAddress,<br />
zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress<br />
<br />
$ postconf |grep vam<br />
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf<br />
<br />
See http://www.postfix.org/postconf.5.html#virtual_alias_maps for more information.<br />
<br />
====Confirming And Setting zimbraMtaRelayHost And zimbraMtaDnsLookupsEnabled====<br />
<br />
First we'll set the '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' variables. These options are also shown in the admin console and can be configured there. These variables alone will not redirect ALL traffic to an external MTA first, though. There's also a variable called zimbraSmtpHostname that is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs - addressed in the section below. Its default value is 'localhost' - at least on a single ZCS configuration.<br />
<br />
In situations where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box, you could set this variable to the spam filter server's hostname.<br />
<br />
Normally, when zimbraMtaRelayHost is set to a non-Zimbra external MTA, you would disable DNS lookups. If you disable DNS Lookups (under the MTA tab of the admin console, or with zmprov), Zimbra will end up using (according to the postconf man page) the "gethostbyname() system library routine which normally also looks in /etc/hosts" (based on the entries on the "hosts" line in /etc/nsswitch.conf). If you do this but don't also specify an SMTP relay host (typically your ISP's SMTP server), which will take care of checking DNS, you will reverse your ability to send mail: suddenly you can send mail to other users on the Zimbra server, but you can't send to the internet (though you can still receive mail from the internet either way).<br />
<br />
Query Global - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov gacf zimbraMtaRelayHost<br />
zmprov gacf zimbraMtaDnsLookupsEnabled<br />
<br />
Query Per Server - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov gs `zmhostname` zimbraMtaRelayHost<br />
zmprov gs `zmhostname` zimbraMtaDnsLookupsEnabled<br />
<br />
Note - if you get errors when running the query on your non-mailstores, like "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)", then you might need to adjust this variable. First query it; it's most likely set to localhost:<br />
<br />
zmlocalconfig zimbra_zmprov_default_soap_server<br />
<br />
If you had the error and it was set to localhost, modify it to be one of your mailstores.<br />
<br />
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com<br />
<br />
No restart of anything is needed, the zmprov query should now work.<br />
<br />
Modify Global - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov mcf zimbraMtaRelayHost hostname-of-ext-server:PORT<br />
** ex : zmprov mcf zimbraMtaRelayHost primary.YYY.state.XX.us:25<br />
** At the end, 25 is the port number for smtp on the targeted system. <br />
** Adjust this number if you changed the smtp port.<br />
zmprov mcf zimbraMtaDnsLookupsEnabled FALSE<br />
<br />
Modify Per Server - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov ms `zmhostname` zimbraMtaRelayHost hostname-of-ext-server:PORT<br />
** ex : zmprov ms `zmhostname` zimbraMtaRelayHost primary.YYY.state.XX.us:25<br />
** At the end, 25 is the port number for smtp on the targeted system. <br />
** Adjust this number if you changed the smtp port.<br />
zmprov ms `zmhostname` zimbraMtaDnsLookupsEnabled FALSE<br />
<br />
====Confirming And Setting zimbraSmtpHostname====<br />
<br />
I'm assuming you already set '''''zimbraMtaRelayHost''''' and '''''zimbraMtaDnsLookupsEnabled''''' for your needs - see the section above. The variable called zimbraSmtpHostname is in the global (zmprov gacf) and server (zmprov gs `hostname`) configs. Its default value is 'localhost' - at least on a single ZCS configuration.<br />
<br />
In cases where you need/want all mail to be processed by, for example, an external non-Zimbra spam filter box, you could set this variable to the spam filter box's hostname.<br />
<br />
Query Global - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov gacf zimbraSmtpHostname<br />
<br />
Query Per Server - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov gs `zmhostname` zimbraSmtpHostname<br />
<br />
Note - if you get errors when running the query on your non-mailstores, like "ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)", then you might need to adjust this variable. First query it; it's most likely set to localhost:<br />
<br />
zmlocalconfig zimbra_zmprov_default_soap_server<br />
<br />
If you had the error and it was set to localhost, modify it to be one of your mailstores.<br />
<br />
zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com<br />
<br />
No restart of anything is needed, the zmprov query should now work.<br />
<br />
Modify Global - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov mcf zimbraSmtpHostname hostname-of-ext-server<br />
** ex : zmprov mcf zimbraSmtpHostname primary.YYY.state.XX.us<br />
<br />
Modify Per Server - `zmhostname` substitutes the value it returns; you can manually type out the server name as well :<br />
<br />
zmprov ms `zmhostname` zimbraSmtpHostname hostname-of-ext-server<br />
** ex : zmprov ms `zmhostname` zimbraSmtpHostname primary.YYY.state.XX.us<br />
<br />
====External Email Clients Setting A SMTP Server====<br />
<br />
The above variable, zimbraSmtpHostname, will not affect third-party email clients that set their SMTP server to your ZCS MTAs. Here are your options if you also need that traffic to go through another device [mta, spam filter, etc.] prior to local delivery [lmtp] to an internal address.<br />
<br />
* Set your clients to use the IP address or hostname of the other device, the one you set for zimbraSmtpHostname.<br />
<br />
If you can't do the above, for whatever reason -- maybe security constraints or issues that might arise from being a hosting provider -- then see below.<br />
<br />
# You could investigate altering postfix's content_filter option to place the external device/host [a barracuda for example] within that process. postfix.org has information on this - [http://www.postfix.org/FILTER_README.html Postfix After-Queue Content Filter]. This would be unsupported by Zimbra.<br />
# Contact Zimbra's Professional Services [PS] team for help.<br />
# Set up another server using an MTA of your choice [postfix, sendmail] that the clients can use as their SMTP server. This "new" MTA would then simply relay to the device - a barracuda box for example. The barracuda would then do what it needs to and forward the messages to the appropriate servers for delivery: your ZCS MTAs, in the case of local delivery that would normally have occurred over lmtp - userA@domainC.com sending to userB@domainC.com.<br />
<br />
===Global Or System Wide Filters===<br />
<br />
There is no "supported" solution for this - depending on the exact circumstances. It's a complex issue because each request for "global filters" tends to be very specific about what's to be filtered, what actions are to be taken, and so forth.<br />
<br />
====RFE's Related To Global Filters====<br />
<br />
* "Define a default filter rule for spam that users can apply before custom filters"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=12701<br />
* "admin assignable mail filters"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=35452<br />
<br />
====Use The Legal Intercept Method====<br />
<br />
Depending on the details of your request, using the Legal Intercept options might be useful. You could take the results that go to the LI mailbox and then perform your admin global searches against your mailbox accounts to take the appropriate action.<br />
<br />
See [[Legal_Intercept]]<br />
<br />
====Sieve Filter Set For Every Account====<br />
<br />
One could run a for loop over all of your users and set up a sieve filter for each. The downside here is that the rules are editable by the users and you would have to manage the rules for new accounts going forward.<br />
<br />
See [[User_Migration#Migrating_Sieve_Filter_Rules ]] for details.<br />
<br />
====Double Check The Current Anti-Spam Options====<br />
<br />
Make sure your request can't be solved by the current solutions described in the [[:Category:Anti-spam]] articles.<br />
<br />
====Postfix , Amavis Customizations====<br />
<br />
I've seen some posts on the forums that customers found their own workarounds by customizing postfix and amavis. This will most likely result in an unsupported situation. Unfortunately, those forum posts don't also include details that I can share here. Hopefully I can find them going forward and I'll post them here.<br />
<br />
===Global Disclaimer Options===<br />
<br />
Here's the url to review for a "current" possibility:<br />
<br />
* http://wiki.zimbra.com/index.php?title=Domain_Disclaimer_Extension_Admin_UI<br />
<br />
And in the notes section there's a comment about multi-servers:<br />
<br />
* http://wiki.zimbra.com/index.php?title=Talk:Domain_Disclaimer_Extension_Admin_UI<br />
<br />
Please note though, "This article is a community contribution and may include unsupported customizations." Meaning, it's an unsupported customization, so please take the necessary precautions.<br />
<br />
In regards to an official and supported way to do this, please review this RFE:<br />
<br />
* http://bugzilla.zimbra.com/show_bug.cgi?id=4720<br />
<br />
===Quota Issues===<br />
<br />
====Where To Adjust Message User Gets When They Are Over Quota====<br />
<br />
* From the web admin console:<br />
** Configuration > Class of Service<br />
** Select the COS in question<br />
** Then goto the Advanced tab on the right<br />
** There's a quota section. The sub-section you want is called:<br />
*** "Quota warning message template:"<br />
<br />
====See Current User Quotas====<br />
<br />
Please see [[Ajcody-Logging#Getting_All_User_Quota_Data_.28not_zmstat_related_really.29|Getting All User Quota Data (not zmstat related really)]]<br />
<br />
====Controlling Behavior For Messages Sent To Over Quota Mailbox - LMTP====<br />
<br />
This is the variable to set to choose between a 452 Temp/Try Again response and a 552 Permanent Error. This happens over lmtp rather than smtp. For smtp, see below.<br />
<br />
zmprov gacf zimbraLmtpPermanentFailureWhenOverQuota<br />
<br />
Setting to TRUE will flag it for the 552 response.<br />
<br />
zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE<br />
<br />
References:<br />
<br />
* "Configurable treatment for inbound over quota mail"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=27838<br />
* http://www.zimbra.com/forums/administrators/19950-about-postfix-lmtp-quotas.html<br />
<br />
====Controlling Behavior For Messages Sent To Over Quota Mailbox - SMTP====<br />
<br />
References:<br />
<br />
* RFE "quota check during smtp transaction"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=32592<br />
** Currently, Sept 2010, targeted for the IronMaiden release.<br />
* http://www.zimbra.com/forums/administrators/19950-about-postfix-lmtp-quotas.html<br />
<br />
====Message Senders Receive About Mailbox Over Quota====<br />
<br />
File that holds text of message:<br />
<br />
/opt/zimbra/postfix/conf/bounce.cf.default<br />
<br />
Note, please read the [http://www.postfix.org/bounce.5.html bounce MAN] page before you attempt to edit this file directly.<br />
<br />
Also, I haven't been able to confirm the relationship of this above file with the postconf default output:<br />
<br />
<pre><br />
[root@mail3 ~]# postconf | grep -i bounce<br />
2bounce_notice_recipient = postmaster<br />
backwards_bounce_logfile_compatibility = yes<br />
bounce_notice_recipient = postmaster<br />
bounce_queue_lifetime = 5d<br />
bounce_service_name = bounce<br />
bounce_size_limit = 50000<br />
bounce_template_file = <br />
disable_verp_bounces = no<br />
double_bounce_sender = double-bounce<br />
multi_recipient_bounce_reject_code = 550<br />
soft_bounce = no<br />
</pre><br />
<br />
To use a bounce.cf file, you'll want to set the bounce_template_file variable to that file and reload postfix via the zmmtactl script. It looks like zmlocalconfig doesn't currently handle this variable.<br />
<br />
cp /opt/zimbra/postfix/conf/bounce.cf.default /opt/zimbra/postfix/conf/bounce.cf<br />
postconf -e bounce_template_file="/opt/zimbra/postfix/conf/bounce.cf"<br />
zmmtactl reload<br />
<br />
Note, this might get lost during upgrades so make a note to yourself about this change.<br />
<br />
Another reference : [http://www.howtoforge.com/configure-custom-postfix-bounce-messages Configure Custom Postfix Bounce Messages]<br />
<br />
====Quota Not Showing In Admin Console - After ZCS Upgrade====<br />
<br />
There might be some server attributes missing. For the mail quota to work properly, the zimbraServiceInstalled attribute must include the value mailbox. <br />
<br />
$ zmprov gs `zmhostname` zimbraServiceInstalled<br />
<br />
It must contain mailbox for the quota information to be available.<br />
<br />
To add "mailbox" to zimbraServiceInstalled:<br />
<br />
$ zmprov ms `zmhostname` +zimbraServiceInstalled mailbox<br />
<br />
I would think a zimbra restart would be necessary as well for us to see the changes in the quota admin console view.<br />
<br />
===Managing Postfix Queue===<br />
<br />
====Postfix, Amavis, Clamav Spool Directory Paths And Names====<br />
<br />
ls /opt/zimbra/data<br />
amavisd clamav dspam postfix<br />
<br />
ls /opt/zimbra/data/postfix/spool/<br />
active active.old bounce corrupt defer deferred <br />
flush hold incoming incoming.old maildrop pid <br />
private public saved trace<br />
<br />
====Stop And Starting Postfix And Mta====<br />
<br />
To only stop and start postfix:<br />
<br />
postfix stop<br />
postfix start<br />
<br />
To stop and start postfix, amavis, and clam:<br />
<br />
zmmtactl stop<br />
zmmtactl start<br />
<br />
====To See Postfix Queue====<br />
<br />
As zimbra using sudo - show a summary of queue count - ~/libexec/zmqstat:<br />
<pre><br />
[zimbra@mail37 ~]$ sudo ~/libexec/zmqstat<br />
hold=0<br />
corrupt=0<br />
deferred=0<br />
active=0<br />
incoming=0<br />
</pre><br />
<br />
As zimbra - /opt/zimbra/postfix/sbin/postqueue -p<br />
<pre><br />
[zimbra@mail37 ~]$ /opt/zimbra/postfix/sbin/postqueue -p<br />
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------<br />
EC753D0D00* 328 Thu Apr 5 14:34:09 sender@sourcedomainname.local<br />
recipient@destinationdomainname.local<br />
<br />
-- 0 Kbytes in 1 Request.<br />
</pre><br />
<br />
As zimbra - mailq<br />
<pre><br />
[zimbra@mail37 ~]$ mailq<br />
Mail queue is empty<br />
</pre><br />
<br />
=====Qshape - Print Postfix queue domain and age distribution=====<br />
<br />
/opt/zimbra/bin/qshape<br />
<br />
References:<br />
<br />
* http://www.postfix.org/qshape.1.html<br />
* http://www.postfix.org/QSHAPE_README.html<br />
<br />
Example output:<br />
<br />
<pre><br />
$ qshape -s hold | head<br />
                       T  5 10 20 40 80 160 320 640 1280 1280+<br />
               TOTAL 486  0  0  1  0  0   2   4  20   40   419<br />
           yahoo.com  14  0  0  1  0  0   0   0   1    0    12<br />
extremepricecuts.net  13  0  0  0  0  0   0   0   2    0    11<br />
      ms35.hinet.net  12  0  0  0  0  0   0   0   0    1    11<br />
    winnersdaily.net  12  0  0  0  0  0   0   0   2    0    10<br />
         hotmail.com  11  0  0  0  0  0   0   0   0    1    10<br />
         worldnet.fr   6  0  0  0  0  0   0   0   0    0     6<br />
      ms41.hinet.net   6  0  0  0  0  0   0   0   0    0     6<br />
              osn.de   5  0  0  0  0  0   1   0   0    0     4<br />
</pre><br />
<br />
====To View A Message In The Queue====<br />
<br />
Get the queue ID of the message and use postcat:<br />
<br />
/opt/zimbra/postfix/sbin/postcat -q EC753D0D00<br />
<br />
or with more information, include the -v option:<br />
<br />
/opt/zimbra/postfix/sbin/postcat -qv EC753D0D00<br />
<br />
====To Flush Postfix Queue====<br />
<br />
/opt/zimbra/postfix/sbin/postqueue -f<br />
<br />
====To Requeue Messages In Postfix====<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -r ALL<br />
<br />
More explanation from the postsuper man page:<br />
<br />
<pre><br />
-r queue_id<br />
Requeue the message with the named queue ID from<br />
the named mail queue(s) (default: hold, incoming,<br />
active and deferred). To requeue multiple mes-<br />
sages, specify multiple -r command-line options.<br />
<br />
Alternatively, if a queue_id of - is specified, the<br />
program reads queue IDs from standard input.<br />
<br />
Specify "-r ALL" to requeue all messages. As a<br />
safety measure, the word ALL must be specified in<br />
upper case.<br />
<br />
A requeued message is moved to the maildrop queue,<br />
from where it is copied by the pickup(8) and<br />
cleanup(8) daemons to a new queue file. In many<br />
respects its handling differs from that of a new<br />
local submission.<br />
<br />
o The message is not subjected to the<br />
smtpd_milters or non_smtpd_milters settings.<br />
When mail has passed through an external<br />
content filter, this would produce incorrect<br />
results with Milter applications that depend<br />
on original SMTP connection state informa-<br />
tion.<br />
<br />
o The message is subjected again to mail<br />
address rewriting and substitution. This is<br />
useful when rewriting rules or virtual map-<br />
pings have changed.<br />
<br />
The address rewriting context (local or<br />
remote) is the same as when the message was<br />
received.<br />
<br />
o The message is subjected to the same con-<br />
tent_filter settings (if any) as used for<br />
new local mail submissions. This is useful<br />
when content_filter settings have changed.<br />
<br />
Warning: Postfix queue IDs are reused. There is a<br />
very small possibility that postsuper(1) requeues<br />
the wrong message file when it is executed while<br />
the Postfix mail system is running, but no harm<br />
should be done.<br />
<br />
This feature is available in Postfix 1.1 and later.<br />
</pre><br />
<br />
====To Put Messages On Hold====<br />
<br />
If there's a '*' character next to the queue ID, as in EC753D0D00*, it means that this message is in the active queue, i.e. attempts to deliver the message are being made.<br />
<br />
If there's a '!' character next to the queue ID, as in EC753D0D00!, it means that this message is put "on hold".<br />
<br />
To put a message on hold:<br />
<br />
~# /opt/zimbra/postfix/sbin/postsuper -h EC753D0D00<br />
<br />
To put on hold messages from user@domain.com:<br />
<br />
~# /opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' | awk 'BEGIN { RS = "" } { if ($7 == "user@domain.com" ) print $1 }' | tr -d '!*' | /opt/zimbra/postfix/sbin/postsuper -h -<br />
<br />
To put all messages on hold:<br />
<br />
~# /opt/zimbra/postfix/sbin/postsuper -h ALL<br />
postsuper: Placed on hold: 6 messages<br />
<br />
====To Delete Messages From Queue====<br />
<br />
=====Cautionary Note=====<br />
<br />
::'''Warning, deleting messages from the queue can have negative consequences for your users. You might need to account for the action and/or confirm your deletion was appropriate. Please try to save the postqueue -p information for the various messages prior to deleting them. This will at least give you the information to later justify why you deleted a given message.'''<br />
<br />
=====Relevant Sections Of Postsuper Man Page=====<br />
<br />
<pre><br />
By default, postsuper(1) performs the operations requested with the -s and -p <br />
command-line options on all Postfix queue directories - this includes the incoming, <br />
active and deferred directories with mail files and the bounce, defer, trace and flush <br />
directories with log files.<br />
<br />
-d queue_id Delete one message with the named queue ID from the named mail queue(s) <br />
(default: hold, incoming, active and deferred).<br />
If a queue_id of - is specified, the program reads queue IDs from standard input. <br />
For example, to delete all mail with exactly one recipient user@example.com:<br />
<br />
mailq | tail +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }<br />
# $7=sender, $8=recipient1, $9=recipient2<br />
{ if ($8 == "user@example.com" && $9 == "")<br />
print $1 }<br />
' | tr -d '*!' | postsuper -d -<br />
<br />
Specify "-d ALL" to remove all messages; for example, specify "-d ALL deferred" <br />
to delete all mail in the deferred queue. As a safety measure, the word ALL must <br />
be specified in upper case.<br />
<br />
Warning: Postfix queue IDs are reused. There is a very small possibility that <br />
postsuper deletes the wrong message file when it is executed while the Postfix mail <br />
system is delivering mail.<br />
<br />
The scenario is as follows:<br />
1) The Postfix queue manager deletes the message that postsuper(1) is asked to <br />
delete, because Postfix is finished with the message (it is delivered, or it is <br />
returned to the sender).<br />
2) New mail arrives, and the new message is given the same queue ID as the message <br />
that postsuper(1) is supposed to delete. The probability for reusing a deleted <br />
queue ID is about 1 in 2**15 (the number of different microsecond values that <br />
the system clock can distinguish within a second).<br />
3) postsuper(1) deletes the new message, instead of the old message that it should <br />
have deleted.<br />
<br />
-h queue_id Put mail "on hold" so that no attempt is made to deliver it. Move one <br />
message with the named queue ID from the named mail queue(s) (default: incoming, <br />
active and deferred) to the hold queue.<br />
<br />
If a queue_id of - is specified, the program reads queue IDs from standard input.<br />
Specify "-h ALL" to hold all messages; for example, specify "-h ALL deferred" to hold<br />
all mail in the deferred queue. As a safety measure, the word ALL must be specified <br />
in upper case.<br />
Note: while mail is "on hold" it will not expire when its time in the queue exceeds <br />
the maximal_queue_lifetime or bounce_queue_lifetime setting. It becomes subject to <br />
expiration after it is released from "hold".<br />
<br />
-H queue_id Release mail that was put "on hold". Move one message with the named queue <br />
ID from the named mail queue(s) (default: hold) to the deferred queue.<br />
<br />
If a queue_id of - is specified, the program reads queue IDs from standard input.<br />
Note: specify "postsuper -r" to release mail that was kept on hold for a significant <br />
fraction of $maximal_queue_lifetime or $bounce_queue_lifetime, or longer.<br />
<br />
Specify "-H ALL" to release all mail that is "on hold". As a safety measure, the <br />
word ALL must be specified in upper case.<br />
<br />
-p Purge old temporary files that are left over after system or software crashes.<br />
</pre><br />
<br />
=====To Delete Single Message From Queue=====<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -d [MSGID From postqueue -p]<br />
<br />
=====To Delete ALL Messages From Queue=====<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -d ALL<br />
<br />
Another way to do this:<br />
<br />
mailq | awk '{print $1}' | postsuper -d -<br />
<br />
======To Delete ALL Messages From The Deferred Queue======<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -d ALL deferred<br />
<br />
======To Delete ALL Messages From The Hold Queue======<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -d ALL hold<br />
<br />
=====To Delete Many Messages From Queue=====<br />
<br />
To delete a large number of files one would use:<br />
<br />
/opt/zimbra/postfix/sbin/postsuper -d - < filename-with-queue-ids.txt<br />
<br />
The file, filename-with-queue-ids.txt in this example, would contain a list of queue IDs like:<br />
<br />
<pre><br />
3E1C6CAFFFE<br />
6B862CC9D76<br />
0BC38CC1BC9<br />
90628CC6F3C<br />
E26B9CC3C62<br />
92A35CC943D<br />
A84BDBCE15D<br />
EA57CB1DF04<br />
0F102CC74CB<br />
386E8CC4DFF<br />
92606CC0BDA<br />
0799FC8149A<br />
024CFCBD0DE<br />
2D30FC47DA0<br />
31D85CC6308<br />
B8B3FC3DEBC<br />
AA4C7C913D0<br />
280F5CC8C6C<br />
9F341CC8A26<br />
93CD1B3B0EC<br />
433D0BF3716<br />
A1435CB4C38<br />
2DB04CC911D<br />
56A29CC8819<br />
11881C8268C<br />
5C050A79851<br />
C6739CC4BA5<br />
11D3FCC7D09<br />
8CBC0B20E0A<br />
</pre><br />
<br />
=====Delete From Queue By Email Address=====<br />
<br />
'''Note - ''Some of the shell scripting below might fail on messages with particular status ("on delivery" or "on hold") because a "*" or a "!" is appended to the ID of the message.'''''<br />
<br />
======From CLI======<br />
<br />
Change the placeholder address in the commands below ( email@domain.com or email@address.com ) first.<br />
<br />
'''To first see what would be deleted.''' As '''root''':<br />
<br />
/opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \<br />
| awk 'BEGIN { RS = "" } { if ($7 == "email@domain.com") print $1} ' | tr -d '*!'<br />
<br />
If you get an error about egrep, you might need to use this syntax:<br />
<br />
/opt/zimbra/postfix/sbin/postqueue -p | /bin/egrep -v '*\(|-Queue ID-' \<br />
| awk 'BEGIN { RS = "" } { if ($7 == "email@address.com") print $1} ' | tr -d '*!'<br />
<br />
<br />
'''To now delete, just include the postsuper -d at end''':<br />
<br />
/opt/zimbra/postfix/sbin/postqueue -p | egrep -v '^ *\(|-Queue ID-' \<br />
| awk 'BEGIN { RS = "" } { if ($7 == "email@domain.com") print $1} ' \<br />
| tr -d '*!' | /opt/zimbra/postfix/sbin/postsuper -d -<br />
<br />
'''''Older example of what I had; the ''tail +2'' was rhel4 specific'''''<br />
<br />
:To first see what would be deleted:<br />
<br />
:: <pre>mailq | tail +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($8 == "email@address.com" && $9 == "") print $1 } ' | tr -d '*!'</pre><br />
<br />
:To now delete, just include the postsuper -d at end:<br />
<br />
:: <pre>mailq | tail +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($8 == "email@address.com" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -</pre><br />
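<br />
The hold-by-sender and delete-by-address one-liners above rely on awk field positions and on first stripping the header line, the reason lines and the "*"/"!" status markers. The following is an added example, not part of the original page or of Zimbra: it parses postqueue -p output line by line and compares the address as an exact string. The function names and the sample queue listing are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the original page or of Zimbra.
# Function names and the sample queue listing are constructed for illustration.

# Constructed sample of `postqueue -p` output: one active entry (*), one
# deferred entry with a reason line, one entry on hold (!), header and footer.
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
EC753D0D00*     328 Thu Apr  5 14:34:09  user@domain.com
                                         recipient@destinationdomainname.local

3E1C6CAFFFE    1204 Thu Apr  5 14:35:10  other@domain.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         user@domain.com
                                         second@example.net

6B862CC9D76!    512 Thu Apr  5 14:36:00  xuser@domain.com
                                         someone@example.org

-- 2 Kbytes in 3 Requests.
EOF
}

# match_queue MODE ROLE ADDRESS   (reads `postqueue -p` text on stdin)
#   MODE: ids | entries        ROLE: sender | recipient | any
# ADDRESS is compared as an exact, case-insensitive string, never as a regex
# or substring, so "user@domain.com" cannot select "xuser@domain.com".
match_queue() {
    case $1 in ids|entries) ;; *) echo "bad mode: $1" >&2; return 2 ;; esac
    case $2 in sender|recipient|any) ;; *) echo "bad role: $2" >&2; return 2 ;; esac
    [ -n "$3" ] || { echo "empty address" >&2; return 2; }
    Q_MODE=$1 Q_ROLE=$2 Q_ADDR=$3 awk '
        function emit() {
            if (qid != "" && hit) {
                if (mode == "entries") printf "%s\n\n", buf
                else print qid
            }
            qid = ""; buf = ""; hit = 0
        }
        BEGIN {
            mode = ENVIRON["Q_MODE"]; role = ENVIRON["Q_ROLE"]
            addr = tolower(ENVIRON["Q_ADDR"])
        }
        /^-Queue ID-/ || /^-- / { next }          # header and summary footer
        /^[ \t]*$/ { emit(); next }               # a blank line ends an entry
        {
            if ($0 ~ /^[0-9A-Za-z]/) {            # first line of an entry
                emit()
                qid = $1
                sub(/[*!]$/, "", qid)             # drop the active/hold marker
                if (qid !~ /^[0-9A-Za-z]+$/) qid = ""   # refuse odd-looking IDs
                if (role != "recipient" && tolower($7) == addr) hit = 1
            } else if ($0 !~ /^[ \t]*\(/) {       # recipient line, not a reason
                if (role != "sender" && tolower($1) == addr) hit = 1
            }
            buf = (buf == "" ? $0 : buf "\n" $0)
        }
        END { emit() }
    '
}

# Queue IDs only: the form `postsuper -h -` and `postsuper -d -` read on stdin.
queue_ids_for()     { match_queue ids "$1" "$2"; }

# Full queue entries: the record the cautionary note asks you to keep.
queue_entries_for() { match_queue entries "$1" "$2"; }

# Demo on the constructed sample: prints EC753D0D00 and 3E1C6CAFFFE.
sample_queue | queue_ids_for any user@domain.com
```

On a live MTA the same functions read from /opt/zimbra/postfix/sbin/postqueue -p; save the queue_entries_for output as your record before piping queue_ids_for into postsuper -h - or postsuper -d -.<br />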
<br />
======Script To Delete From Queue By Email Address======<br />
<br />
::'''Non-Zimbra Script and not QA'd or tested. Path adjusted though for /opt/zimbra/postfix/sbin/*'''<br />
<br />
From http://www.ustrem.org/en/articles/postfix-queue-delete-en/<br />
<br />
Save on file system, calling it something like - delete-queue-by-email.sh . Give it execute permission. '''Run as root'''. Example usage would be: ./delete-queue-by-email.sh user-name@domain-test.com<br />
<br />
<pre><br />
#!/usr/bin/perl -w<br />
#<br />
# pfdel - deletes message containing specified address from<br />
# Postfix queue. Matches either sender or recipient address.<br />
#<br />
# Usage: pfdel <email_address><br />
#<br />
<br />
use strict;<br />
<br />
# Change these paths if necessary.<br />
my $LISTQ = "/opt/zimbra/postfix/sbin/postqueue -p";<br />
my $POSTSUPER = "/opt/zimbra/postfix/sbin/postsuper";<br />
<br />
my $email_addr = "";<br />
my $qid = "";<br />
my $euid = $>;<br />
<br />
if ( @ARGV != 1 ) {<br />
    die "Usage: pfdel <email_address>\n";<br />
} else {<br />
    $email_addr = $ARGV[0];<br />
}<br />
<br />
if ( $euid != 0 ) {<br />
    die "You must be root to delete queue files.\n";<br />
}<br />
<br />
<br />
open(QUEUE, "$LISTQ |") ||<br />
    die "Can't get pipe to $LISTQ: $!\n";<br />
<br />
my $entry = <QUEUE>;    # skip single header line<br />
$/ = "";                # Rest of queue entries print on<br />
                        # multiple lines.<br />
while ( $entry = <QUEUE> ) {<br />
    # \Q...\E matches the address literally, so characters such as "."<br />
    # or "+" in it are not treated as regex operators.<br />
    if ( $entry =~ / \Q$email_addr\E$/m ) {<br />
        ($qid) = split(/\s+/, $entry, 2);<br />
        $qid =~ s/[\*\!]//;<br />
        next unless ($qid);<br />
<br />
        #<br />
        # Execute postsuper -d with the queue id.<br />
        # postsuper provides feedback when it deletes<br />
        # messages. Let its output go through.<br />
        #<br />
        if ( system($POSTSUPER, "-d", $qid) != 0 ) {<br />
            # If postsuper has a problem, bail.<br />
            die "Error executing $POSTSUPER: error " .<br />
                "code " . ($?/256) . "\n";<br />
        }<br />
    }<br />
}<br />
close(QUEUE);<br />
<br />
if (! $qid ) {<br />
    die "No messages with the address <$email_addr> " .<br />
        "found in queue.\n";<br />
}<br />
<br />
exit 0;<br />
</pre><br />
<br />
======Script To Delete From Queue By Various Variable Targets======<br />
<br />
::'''Non-Zimbra Script and not QA'd or tested. Path adjusted though for /opt/zimbra/postfix/sbin/*'''<br />
<br />
From http://jwcub.wordpress.com/2006/01/20/bulk-delete-from-postfix-queue/<br />
<br />
Perl script called “delete-from-mailq”:<br />
<br />
<pre><br />
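#!/usr/bin/perl<br />
<br />
$REGEXP = shift || die "no email-adress given (regexp-style, e.g. bl.*\@yahoo.com)!";<br />
<br />
# Read the queue listing. The command was lost from this copy of the script;<br />
# postqueue -p at the Zimbra path used elsewhere on this page is assumed.<br />
@data = qx(/opt/zimbra/postfix/sbin/postqueue -p);<br />
for (@data) {<br />
    # A line starting with a queue ID (optionally marked * or !) opens a new entry.<br />
    if (/^(\w+)(\*|\!)?\s/) {<br />
        $queue_id = $1;<br />
    }<br />
    # Any line of the current entry that matches the pattern marks it for deletion.<br />
    if ($queue_id) {<br />
        if (/$REGEXP/i) {<br />
            $Q{$queue_id} = 1;<br />
            $queue_id = "";<br />
        }<br />
    }<br />
}<br />
<br />
# Feed the collected queue IDs to postsuper on standard input.<br />
open(POSTSUPER, "|/opt/zimbra/postfix/sbin/postsuper -d -") || die "couldn't open postsuper";<br />
<br />
foreach (keys %Q) {<br />
    print POSTSUPER "$_\n";<br />
};<br />
close(POSTSUPER);<br />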
</pre><br />
<br />
Save the above script to a file, say "delete-queue", in your home directory, and make it executable:<br />
<br />
chmod 755 delete-queue<br />
<br />
Usage - '''Run as root''' :<br />
<br />
*Delete all queued messages from or to the domain “iamspammer.com”<br />
./delete-queue iamspammer.com<br />
*Delete all queued messages to specific address “bogususer@mydomain.com”<br />
./delete-queue bogususer@mydomain.com<br />
*Delete all queued messages that begin with the word “bush” in the e-mail address:<br />
./delete-queue bush*\@whateverdomain.com<br />
*Delete all queued messages that contain the word “biz” in the e-mail address:<br />
./delete-queue biz<br />
<br />
[[Category: Community Sandbox]]</div>William Lachttps://wiki.zimbra.com/index.php?title=Ajcody-Notes-Archive-Discovery-Mailstore-Setup&diff=56525Ajcody-Notes-Archive-Discovery-Mailstore-Setup2014-12-16T18:09:31Z<p>William Lac: /* zimbra_xmbxsearch zimlet */</p>
<hr />
<div>{| width="100%" border="0" <br />
| bgcolor="orange" | [[Image:Attention.png]] - This article is NOT official Zimbra documentation. It is a user contribution and may include unsupported customizations, references, suggestions, or information.<br />
|}<br />
<br />
====Actual Multi-Server & New Mailstore A&D Setup Homepage====<br />
<br />
Please see [[Ajcody-Notes-Archive-Discovery-Mailstore-Setup]]<br />
<br />
====Issues That Have Caused Confusion====<br />
<br />
=====What Gets Installed Where?=====<br />
<br />
======RFE To Clear Up The Confusion======<br />
<br />
* "Clear Up "archiving" service/package confusion"<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=95931<br />
<br />
======zimbra-archive package/rpm - Mailstores======<br />
<br />
zimbra-archive (the package/rpm you see from the installer) should be installed on all mailstores which you want to use for cross mailbox search. This also sets the zimbraComponentAvailable archiving config attribute which allows the mta(s) to turn on archiving. '''zimbra-archive is not installed directly on the mta, it's just enabled.'''<br />
<br />
Note, you install zimbra-archive on a mailbox server '''but the service runs on the mta node.'''<br />
<br />
======MTA's - Require Configuration======<br />
<br />
If you add zimbra-archiving to an existing install you need to :<br />
* Install zimbra-archiving on one or more of your mailbox servers<br />
* Then set zimbraServiceInstalled archiving and zimbraServiceEnabled archiving on all the mta servers<br />
* Restart the mta services<br />
<br />
For example:<br />
<br />
zmprov ms mta.example.com +zimbraServiceInstalled archiving +zimbraServiceEnabled archiving<br />
<br />
On the mta server:<br />
<br />
 zmmtactl restart<br />
<br />
To confirm that /opt/zimbra/conf/amavisd.conf was modified correctly, check on the mta that this line:<br />
<br />
 #$archive_quarantine_method = 'smtp:[127.0.0.1]:10025'; <br />
<br />
has been uncommented and now reads:<br />
<br />
 $archive_quarantine_method = 'smtp:[127.0.0.1]:10025';<br />
<br />
Once the A&D accounts are set up, you can see in the /var/log/zimbra.log file whether the redirect to the A&D account is happening. This example uses example.com.archive, the archive domain I set up for the A&D accounts:<br />
<br />
<pre><br />
grep "example.com.archive" /var/log/zimbra.log<br />
Dec 11 13:38:52 mta-server amavis[1978]: (01978-19) SEND via SMTP: <> -> <br />
<user-20081211@example.com.archive>,ENVID=AM.8ISxcrQG8uAj.20081211T193852Z@mailstore.example.com <br />
BODY=7BIT 250 2.6.0 Ok, id=01978-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as <br />
5ADF8F120C4<br />
Dec 11 13:38:52 mta-server postfix/lmtp[21864]: 5ADF8F120C4: <br />
to=<user-20081211@example.com.archive>, relay=archive.example.com[X.X.X.93]:7025, <br />
delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 OK)<br />
</pre><br />
<br />
<br />
======Enabling Amavis And Archiving With 8.5+ While Antispam And AntiVirus Are Disabled======<br />
<br />
With 808 and 8.5, archiving should be able to run without as/av (antispam/antivirus) being enabled.<br />
<br />
* It should be possible to remove Amavis as a service<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=89603<br />
<br />
For example, disabling antispam and antivirus but enabling amavis [required] and archiving on a mta server [note - this server had the full mta package already installed on it and had antivirus, antispam, [amavis], and postfix running on it] :<br />
<br />
<pre><br />
[zimbra@850-mta1 ~]$ zmcontrol status | egrep 'amavis|antispam|antivirus|archiving'<br />
amavis Running<br />
antispam Running<br />
antivirus Running<br />
<br />
[zimbra@850-mta1 ~]$ zmprov ms `zmhostname` +zimbraServiceEnabled archiving \<br />
+zimbraServiceEnabled amavis -zimbraServiceEnabled antispam -zimbraServiceEnabled antivirus<br />
<br />
[zimbra@850-mta1 ~]$ zmcontrol restart <br />
Host 850-ldap1.zimbra.homeunix.com<br />
Stopping vmware-ha...Done.<br />
[cut]<br />
Stopping ldap...Done.<br />
Host 850-ldap1.zimbra.homeunix.com<br />
Starting ldap...Done.<br />
Starting zmconfigd...Done.<br />
Starting dnscache...Done.<br />
Starting logger...Done.<br />
Starting convertd...Done.<br />
Starting mailbox...Done.<br />
Starting memcached...Done.<br />
Starting proxy...Done.<br />
Starting amavis...Done.<br />
Starting opendkim...Done.<br />
Starting archiving...Done.<br />
Starting snmp...Done.<br />
Starting spell...Done.<br />
Starting mta...Done.<br />
Starting stats...Done.<br />
Starting service webapp...Done.<br />
Starting zimbra webapp...Done.<br />
Starting zimbraAdmin webapp...Done.<br />
Starting zimlet webapp...Done.<br />
[zimbra@850-ldap1 ~]$ zmcontrol status | egrep 'amavis|antispam|antivirus|archiving'<br />
amavis Running<br />
archiving Running<br />
</pre><br />
<br />
======zimbra_xmbxsearch zimlet======<br />
<br />
For 5.x installs, the zimbra_xmbxsearch zimlet gets configured on each mailstore on which you install the zimbra-archive package. The documentation in various places might cause confusion on this matter, because for the 4.x releases it was a separate step.<br />
<br />
You should find the zimlet already located at /opt/zimbra/zimlets-network/zimbra_xmbxsearch.zip<br />
<br />
After the installation, the cross-mailbox search zimlet should appear in the admin web console of the mailstore on which you installed the zimbra-archive package. It shows up in two locations:<br />
<br />
* Left Pane : Configuration > Admin Extensions > zimbra_xmbxsearch<br />
* Left Pane : Tools > Search Mail<br />
<br />
If you want this zimlet to also be available on a server that doesn't have the zimbra-archiving package installed, you can deploy it on that server:<br />
<br />
cd /opt/zimbra/zimlets-network/<br />
zmzimletctl deploy zimbra_xmbxsearch.zip<br />
## ls the directory and confirm the full name - you might need this:<br />
zmzimletctl deploy com_zimbra_xmbxsearch.zip<br />
<br />
====The How-To====<br />
<br />
=====Reference Documents=====<br />
<br />
http://www.zimbra.com/docs/ne/latest/multi_server_install/multi-server_install.5.1.html<br />
<br />
http://www.zimbra.com/docs/ne/latest/administration_guide/Archiving.16.1.html<br />
<br />
=====Assumptions=====<br />
<br />
This install how-to assumes you have an existing LDAP/Mailstore/MTA server(s) for your normal production environment, the Zimbra license and logger are installed on the primary ZCS server(s), and that you are NOT running the proxy module. <br />
<br />
Example archive mailstore hostname is : archive.example.com<br />
<br />
Example primary ZCS hostname is : mail.example.com<br />
<br />
=====Preliminary Items=====<br />
<br />
Things to do or check before install:<br />
<br />
* A DNS entry exists for the new mailstore, and the primary ZCS server(s) can resolve it.<br />
* DNS configured properly on mailstore server.<br />
* Master Root LDAP Server mail.example.com<br />
* Master Root LDAP Password<br />
** On LDAP server do : su - zimbra ; zmlocalconfig -s | grep ldap_root_password<br />
* Master LDAP port – default is 389<br />
* SMTP Server<br />
<br />
=====Installation Of New Mailstore That Will Have A&D=====<br />
<br />
======Install Modules======<br />
<br />
* Type y to install the zimbra-store, zimbra-archiving and zimbra-spell (optional) packages. <br />
** '''Do Not Install MTA! These Instructions Do Not Take That Into Account.'''<br />
** When zimbra-spell is installed the zimbra-apache package is also installed.<br />
* Installing: zimbra-core zimbra-store zimbra-apache zimbra-spell<br />
<br />
======Modify Configuration======<br />
<br />
Press Enter to modify the system. The selected packages are installed on the server.<br />
<br />
At this point the Main menu displays the default entries for the Zimbra component you are installing. <br />
<br />
To expand the menu to see the configuration values type x and press Enter.<br />
<br />
To navigate the Main menu, select the menu item to change. You can modify any of the defaults.<br />
<br />
* Common Configuration<br />
** LDAP<br />
*** Ldap master host: [set this to the FQDN of your LDAP server]<br />
*** Ldap port: 389 [set this if your LDAP server isn’t using default]<br />
*** Ldap Admin password: [this is your LDAP server's Root LDAP password]<br />
**** On LDAP server do : su - zimbra ; zmlocalconfig -s ldap_root_password<br />
*** TimeZone: [set this]<br />
<br />
* For zimbra-store<br />
** Set the Admin Password<br />
*** +License filename: UNSET [if you see this, then something is wrong with your LDAP configuration. It should have pulled the license info from the LDAP server.]<br />
** Set the SMTP host<br />
<br />
Type r to return to the Main menu, if you aren’t there already.<br />
<br />
When the mailbox server is configured, return to the Main menu and type a to apply the configuration changes. <br />
<br />
Press Enter to save the configuration data.<br />
<br />
When Save Configuration data to a file appears, press Enter.<br />
<br />
The next request is where to save the files. To accept the default, press Enter. <br />
<br />
To save the files to another directory, enter the directory and then press Enter.<br />
<br />
When “The system will be modified - continue?” appears type y and press Enter.<br />
<br />
The server is modified. <br />
<br />
Installing all the components and configuring the server can take a few minutes.<br />
<br />
When Installation complete - press return to exit displays, press Enter.<br />
<br />
The installation of the mailbox server is complete.<br />
<br />
======After Install======<br />
<br />
Confirm server status<br />
<br />
 su - zimbra ; zmcontrol status<br />
<br />
Populate the ssh keys, on each server in your environment<br />
<br />
su - zimbra ; zmupdateauthkeys <br />
<br />
The key is updated on /opt/zimbra/.ssh/authorized_keys.<br />
<br />
=====Upgrading A Zimbra Server For An Archive & Discovery Mailstore=====<br />
<br />
======Adding Package For A&D======<br />
<br />
This will retain your current settings for the system. Your server will experience downtime during the upgrade.<br />
<br />
untar zcs*.tar that matches your existing system<br />
<br />
<pre><br />
cd zcs-version-directory<br />
./install<br />
choose upgrade<br />
select zimbra-archiving<br />
</pre><br />
<br />
The upgrade of the mailbox server is complete.<br />
<br />
======After Upgrade======<br />
<br />
Confirm server status<br />
<br />
 su - zimbra ; zmcontrol status<br />
<br />
'''Note, zimbra-archiving only runs as a service on a MTA server.'''<br />
<br />
Populate the ssh keys, on each server in your environment<br />
<br />
 su - zimbra ; zmupdateauthkeys <br />
<br />
The key is updated on /opt/zimbra/.ssh/authorized_keys. <br />
<br />
=====Configure Zimbra For Use Of The New Mailstore and A&D=====<br />
<br />
Example A&D mailstore hostname is : archive.example.com<br />
<br />
* Go to your primary admin console url. [https://[example.com]:7071/zimbraAdmin]<br />
# Confirm you see the new mailstore under Configuration > Servers<br />
## Under Configuration > Servers > [MTA servername(s)] > Services<br />
### [each MTA server needs this]<br />
### You’ll see a box for Archiving and Discovery<br />
#### Check this to enable the MTA server(s) for Archiving and Discovery. '''If this is grayed out, run the command below (modified for your server) on one of your mailstores.'''<br />
####* This effectively does:<br />
####* <pre>zmprov ms mta.example.com +zimbraServiceInstalled archiving +zimbraServiceEnabled archiving</pre><br />
####** Remember, zmprov uses the variable below. '''A mta only server ''can't'' be set for localhost, change it to point to a mailstore.'''<br />
####** <pre> [root@mta ~]# zmlocalconfig | grep zmprov</pre><br />
####** <pre> zimbra_zmprov_default_soap_server = localhost</pre><br />
####** <pre> [root@mta ~]# zmlocalconfig -e zimbra_zmprov_default_soap_server=mailstore.example.com</pre><br />
# Go to Configuration > Class of Service > default [or your primary domain] > Server Pool<br />
## You’ll want to make sure it’s limited to the correct server pools<br />
### Your '''new mailstore for A&D should be unchecked'''.<br />
## Click on New for a new Class of Service (COS)<br />
### Call it archive or something similar<br />
#### Under Server Pool > Limit > have only the new mailstore checked<br />
<br />
=====Setup Initial A&D With First Account - Creation Of The Archive Domain=====<br />
<br />
======Revisit To COS - Naming Scheme Of Archive Accounts======<br />
<br />
When archive accounts are created they use the zimbraArchiveAccountNameTemplate variable from the COS. The default is:<br />
<br />
$ zmprov gc default | grep -i archive<br />
zimbraArchiveAccountDateTemplate: yyyyMMdd<br />
zimbraArchiveAccountNameTemplate: ${USER}-${DATE}@${DOMAIN}.archive<br />
<br />
I, personally, don't like the use of the $DATE variable in this. I change my ARCHIVE COS to use the normal username but retain the .archive for the domain.<br />
<br />
zmprov mc archive zimbraArchiveAccountNameTemplate '${USER}@${DOMAIN}.archive'<br />
<br />
Bug to be aware of:<br />
<br />
* "zimbraArchiveAccountNameTemplate is case sensitive - PDF doc is wrong"<br />
** http://bugzilla.zimbra.com/show_bug.cgi?id=44659<br />
<br />
======The Creation======<br />
<br />
On server with zmarchiveconfig (most likely mailstore you installed A&D on) and as zimbra (su – zimbra) do the following to setup your first A&D account.<br />
<br />
format : zmarchiveconfig -s servername enable user@example.com archive-cos <cos><br />
<br />
example : <br />
<br />
 zmarchiveconfig -s archive.example.com enable account@example.com archive-cos archive<br />
<br />
'''NOTE'''<br />
: If the above command doesn't seem to create the archive account/domain, drop the use of [ -s servername ]. Basically, just run this on the A&D mailstore:<br />
<br />
:: <pre>zmarchiveconfig enable account@example.com archive-cos archive</pre><br />
<br />
The above command will create the mail domain for the archive accounts using the template defaults, user@example.com to make example.com.archive<br />
<br />
On your main ldap server, or wherever you usually access the zimbra admin web console, log in to the admin web console.<br />
<br />
# Confirm the archive domain was setup. <br />
## Configuration > Domains > [domainname].archive > General<br />
## Confirm or adjust the archive domain to use the right COS<br />
### Configuration > Domains > [domainname].archive > General Information<br />
#### Change “Default Class of Service” to your COS [archive], if needed for your configuration.<br />
# Now check for the new archive account you made<br />
## Address > Accounts<br />
## Click on account and hit the edit button<br />
## In the top summary section you'll be able to confirm the COS and Mail Server being used for the account.<br />
### '''NOTE''', if it's showing the account is on the primary mailstore and NOT the A&D mailstore, do the following:<br />
#### Remove the A&D account<br />
####* <pre> zmprov ra [user]@[domainname].archive</pre><br />
#### Add the account back again using the zmarchiveconfig command<br />
####* <pre>zmarchiveconfig enable account@example.com archive-cos archive</pre><br />
#### Now confirm, as above, that the account is using the A&D mailstore.<br />
####* This might be a bug related to the archive domain being created for the first time.<br />
<br />
Send the primary account a test email and then shortly afterwards do a "View Mail" within the admin console for the archive account. You should see the archive message in the archive account.<br />
<br />
======Error: unknown document: EnableArchiveRequest======<br />
<br />
If you get the error "Error: unknown document: EnableArchiveRequest" when trying to create the archive account, you most likely needed to install a new license for A&D and have not restarted the mailboxd services. Updating the license is not enough; you'll need to restart ZCS on the mailstores also.<br />
<br />
See the following bug:<br />
<br />
* zimbra-archive extension fails to load when init() fails due to LDAP server outage<br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=66484<br />
<br />
======RFE's On Archive Accounts======<br />
<br />
* RFE: COS option to create archiving account automatically by default <br />
** https://bugzilla.zimbra.com/show_bug.cgi?id=83665<br />
<br />
=====Testing Of Archive Mail Flow=====<br />
<br />
Send the primary account a test email and then shortly afterwards do a "View Mail" within the admin console for the archive account. You should see the archive message in the archive account.<br />
<br />
You should confirm mail flow copies occur with the following:<br />
<br />
# Inbound<br />
## External Account (email) to the primary zimbra account setup for archive.<br />
## A zimbra account that ISN'T the archive account in question to the primary account setup for archive.<br />
# Outbound<br />
## With primary account setup for archive, send an email to an external email address.<br />
## With primary account setup for archive, send an email to another internal zimbra email address.<br />
<br />
=====Archive Account Isn't Getting Email=====<br />
<br />
Let's double check everything was done correctly up above.<br />
<br />
Assumption on syntax of account creation:<br />
<br />
zmarchiveconfig enable user@example.com archive-cos archive<br />
<br />
Let's check what actually was done:<br />
<br />
zmprov ga user@example.com | grep -i archive<br />
amavisArchiveQuarantineTo: user-20081211@example.com.archive<br />
zimbraArchiveAccount: user-20081211@example.com.archive<br />
zimbraArchiveAccountNameTemplate: ${USER}-${DATE}@${DOMAIN}.archive<br />
<br />
If you are using the archive templates, it should reference an account of the form:<br />
<br />
 user-[date]@example.com.archive<br />
<br />
That account should exist and use lmtp, rather than smtp, for its transport:<br />
<br />
zmprov ga user-20081211@example.com.archive | grep -i trans<br />
zimbraMailTransport: lmtp:archive.example.com:7025<br />
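
The checks in this section can be run together against saved <code>zmprov ga</code> output. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names, the dump files and the "must be listed in zimbraArchiveAccount" rule (taken from the sample output above, where both attributes match) are assumptions, and the sample data is constructed from that output.

```shell
#!/bin/sh
# Inputs are saved attribute dumps, for example:
#   zmprov ga user@example.com                   > primary.txt
#   zmprov ga user-20081211@example.com.archive  > archive.txt

# attr FILE NAME: print every value of attribute NAME ("NAME: value" lines).
# The name is matched exactly, so zimbraArchiveAccount does not also pick up
# zimbraArchiveAccountNameTemplate the way "grep -i archive" does.
attr() {
    awk -v k="$2:" '$1 == k { sub(/^[^:]*:[ \t]*/, ""); print }' "$1"
}

# check_archive PRIMARY_DUMP ARCHIVE_DUMP EXPECTED_HOST
# Prints one FAIL line per problem and returns 0 only when none was found.
check_archive() {
    bad=0
    quar=$(attr "$1" amavisArchiveQuarantineTo | head -n 1)
    trans=$(attr "$2" zimbraMailTransport | head -n 1)

    # The address amavis sends the copy to must be set and must be one of
    # the account's archive mailboxes (assumption, see lead-in).
    if [ -z "$quar" ]; then
        echo "FAIL amavisArchiveQuarantineTo is not set, amavis has no archive target"
        bad=1
    elif ! attr "$1" zimbraArchiveAccount | grep -qxF -- "$quar"; then
        echo "FAIL $quar is not listed in zimbraArchiveAccount"
        bad=1
    fi

    # The archive mailbox must be delivered over lmtp to the A&D mailstore,
    # not to the primary mailstore and not over smtp.
    case $trans in
        lmtp:"$3":*) ;;
        lmtp:*) echo "FAIL archive mailbox is on ${trans#lmtp:}, expected $3"; bad=1 ;;
        *)      echo "FAIL archive transport is '${trans:-unset}', expected lmtp:$3:<port>"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample data, modelled on the output shown in this section.
sample_primary() {
    cat <<'EOF'
amavisArchiveQuarantineTo: user-20081211@example.com.archive
zimbraArchiveAccount: user-20081211@example.com.archive
zimbraArchiveAccountNameTemplate: ${USER}-${DATE}@${DOMAIN}.archive
EOF
}
sample_archive() { echo "zimbraMailTransport: lmtp:$1:7025"; }

# Stand-alone use: ./check_archive.sh primary.txt archive.txt archive.example.com
if [ "$#" -eq 3 ]; then check_archive "$@"; fi
```

A failure on the transport check with the primary mailstore's hostname corresponds to the "account is on the primary mailstore and NOT the A&D mailstore" case described earlier.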
<br />
=====Checking Logs For Archive Operations=====<br />
<br />
On the '''mta-server''', you should find a reference to the archive account in /var/log/zimbra.log<br />
<br />
grep archive /var/log/zimbra.log<br />
Dec 11 13:38:52 mta-server amavis[1978]: (01978-19) SEND via SMTP: <> -> <br />
<user-20081211@example.com.archive>,ENVID=AM.8ISxcrQG8uAj.20081211T193852Z@mailstore.example.com <br />
BODY=7BIT 250 2.6.0 Ok, id=01978-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as <br />
5ADF8F120C4<br />
Dec 11 13:38:52 mta-server postfix/lmtp[21864]: 5ADF8F120C4: <br />
to=<user-20081211@example.com.archive>, relay=archive.example.com[X.X.X.93]:7025, <br />
delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 OK)<br />
<br />
On the '''archive-server''', you should find reference to the delivery in /opt/zimbra/log/mailbox.log<br />
<br />
grep archive /opt/zimbra/log/mailbox.log<br />
2008-12-11 14:45:32,923 INFO [LmtpServer-9] <br />
[name=user-20081211@example.com.archive;mid=7;] mailop - Adding Message: id=257,<br />
Message-ID=<1350363939.41021229024728317.JavaMail.root@EXTERNAL-MTA.DOMAIN.com>, parentId=-1,<br />
folderId=2, folderName=Inbox.<br />
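
Grepping for "archive" shows the lines but does not tell you whether every archive copy actually reached the mailstore. The script below is an added example, not part of the original article: it pairs each amavis "queued as" line for the archive domain with the postfix/lmtp status for the same queue id. The function names are assumptions, and the sample log is constructed from the lines above (joined onto single lines, with a deferred and a missing delivery added).

```shell
#!/bin/sh
# archive_flow ARCHIVE_DOMAIN [LOGFILE...]   (reads stdin when no file is given)
# Prints "QUEUE_ID RECIPIENT STATUS" for every archive copy amavis re-injected.
# STATUS is the last postfix/lmtp status logged for that queue id, or
# "missing" when no delivery attempt was logged. Returns 1 unless all are "sent".
archive_flow() {
    dom=$1; shift
    awk -v dom="$dom" '
    # amavis hands the archive copy back to postfix and logs the new queue id.
    /amavis\[/ && /SEND via SMTP/ && /queued as / {
        if (!match($0, /-> <[^>]*>/)) next
        rcpt = substr($0, RSTART + 4, RLENGTH - 5)      # first recipient only
        if (substr(rcpt, length(rcpt) - length(dom)) != "@" dom) next
        match($0, /queued as [0-9A-Za-z]+/)
        qid = substr($0, RSTART + 10, RLENGTH - 10)
        if (!(qid in to)) order[++n] = qid
        to[qid] = rcpt
        next
    }
    # postfix/lmtp logs what the archive mailstore answered for that queue id.
    /postfix\/lmtp\[/ && match($0, /\]: [0-9A-Za-z]+: to=</) {
        qid = substr($0, RSTART + 3, RLENGTH - 9)
        if (match($0, /status=[a-z]+/))
            st[qid] = substr($0, RSTART + 7, RLENGTH - 7)
    }
    END {
        for (i = 1; i <= n; i++) {
            q = order[i]
            s = (q in st) ? st[q] : "missing"
            if (s != "sent") bad = 1
            print q, to[q], s
        }
        exit bad + 0
    }' "$@"
}

# Constructed sample log: one delivered copy, one deferred, one never attempted,
# and one ordinary (non-archive) delivery that must be ignored.
sample_log() {
    cat <<'EOF'
Dec 11 13:38:52 mta-server amavis[1978]: (01978-19) SEND via SMTP: <> -> <user-20081211@example.com.archive>,ENVID=AM.8ISxcrQG8uAj.20081211T193852Z@mailstore.example.com BODY=7BIT 250 2.6.0 Ok, id=01978-19, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5ADF8F120C4
Dec 11 13:38:52 mta-server postfix/lmtp[21864]: 5ADF8F120C4: to=<user-20081211@example.com.archive>, relay=archive.example.com[X.X.X.93]:7025, delay=0.07, delays=0/0/0/0.06, dsn=2.1.5, status=sent (250 2.1.5 OK)
Dec 11 13:40:10 mta-server amavis[1978]: (01978-20) SEND via SMTP: <> -> <user2-20081211@example.com.archive>, BODY=7BIT 250 2.6.0 Ok, id=01978-20, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6BE0A0231D5
Dec 11 13:40:40 mta-server postfix/lmtp[21870]: 6BE0A0231D5: to=<user2-20081211@example.com.archive>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to archive.example.com[X.X.X.93]:7025: Connection refused)
Dec 11 13:41:00 mta-server amavis[1978]: (01978-21) SEND via SMTP: <> -> <user3-20081211@example.com.archive>, BODY=7BIT 250 2.6.0 Ok, id=01978-21, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7CF1B1342E6
Dec 11 13:41:05 mta-server postfix/lmtp[21871]: 8D02C2453F7: to=<user@example.com>, relay=mail.example.com[X.X.X.90]:7025, delay=0.05, dsn=2.1.5, status=sent (250 2.1.5 OK)
EOF
}

# Stand-alone use: ./archive_flow.sh example.com.archive /var/log/zimbra.log
if [ "$#" -gt 0 ]; then archive_flow "$@"; fi
```

A "deferred" or "missing" row is the one to follow up in /opt/zimbra/log/mailbox.log on the archive server.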
<br />
=====Mass Accounts Configuration=====<br />
<br />
::'''Update''', our 6.0 release will have a zmarchiveconfig -f command for batch processing from a file input.<br />
<br />
'''CHECK YOUR AVAILABLE LICENSES BEFORE YOU PROCEED!!'''<br />
<br />
'''One could put all the accounts in a txt file and then use a for-loop to process the account@example.com variable.'''<br />
<br />
zmprov -l gaa > /tmp/accounts.txt<br />
<br />
'''Remove any accounts you've already done and those not necessary for archiving (ex. admin, ham, spam, etc.)'''<br />
<br />
You can give gaa other options, look at zmprov help account. For example, you could also narrow this down to a dump of accounts in a domain:<br />
<br />
zmprov -l gaa [DOMAIN] > /tmp/accounts.txt<br />
<br />
'''Note, the below uses the above setup for A&D - You'll need to modify for your environment.'''<br />
<br />
<pre><br />
# One address per line in /tmp/accounts.txt
for i in $(cat /tmp/accounts.txt)
do
    zmarchiveconfig -s archive.example.com enable "$i" archive-cos archive
    sleep 3
done
</pre><br />
<br />
You can be tailing /opt/zimbra/log/mailbox.log on the archive server to watch the progress.<br />
<br />
=====Searches After Configuration Is Done=====<br />
<br />
Please see [[Ajcody-Server-Misc-Topics#Cross_Mailbox_Searches_and_Tracing]]<br />
<br />
=====Searches Limited To 500 or 1000 Maximum Results=====<br />
<br />
See [[Ajcody-Server-Misc-Topics#Searches_Limited_To_500_or_1000_Maximum_Results]]<br />
<br />
[[Category: Community Sandbox]]<br />
[[Category: Archive & Discovery]]</div>William Lac