Install Zimbra 8.7 on CentOS7
Basic server preparations
Install CentOS 7 minimal
Log in as “root”
Activate the network connection, make it permanently active, and configure a fixed IP address using the “nmtui” command (this example assumes 192.168.0.5/24).
For your DNS server, use the IP address of the server itself (192.168.0.5), and for the secondary DNS server, use your default DNS server. We will be installing and enabling a local DNS server for split DNS; more about this later.
Install the net-tools package
#yum install net-tools
Check that the correct timezone is selected for the server: the link /etc/localtime should point to your timezone. If it does not, delete it and create a new link to the correct timezone.
All timezone files are located in “/usr/share/zoneinfo/“. In my case my timezone is Europe/Berlin.
#\rm /etc/localtime
#ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
Next we install ntp, run it, and enable it on startup
#yum install ntp
#ntpdate pool.ntp.org
#chkconfig ntpdate on
Check that we now have the correct date and time on the server.
# date
Tue 17 Jan 14:29:07 CET 2017
We will now install a Local DNS Server
#yum install bind bind-utils
And my favourite editor (vim)
#yum install vim
Make a copy of the named.conf file just in case
#cp /etc/named.conf /etc/named.conf.orig
Let's now edit the named configuration
#vim /etc/named.conf
Delete the line listen-on-v6 port 53 { ::1; }; (we will not be using IPv6)
and just below it add:
forwarders {8.8.8.8;8.8.4.4;};
You can also use your own DNS servers here.
We now need to add our zone (for split DNS); this is required by Zimbra. Since most mail servers live behind firewalls, the internal IP of the server is not the same as the public IP. Zimbra requires an A and an MX record for the server, so we need to set these up.
Add the following lines to the /etc/named.conf file (just above the final include lines)
zone "YOURDOMAIN.COM" in {type master; file "YOURDOMAIN.COM";};
Your named.conf should look more or less like this :-
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { 127.0.0.1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "YOURDOMAIN.COM" in {
        type master;
        file "YOURDOMAIN.COM";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Now let's create the zone file for the domain
#cd /var/named
#vim YOURDOMAIN.COM
$ORIGIN YOURDOMAIN.COM.
$TTL 38400
YOURDOMAIN.COM.         IN SOA  NS1 Administrator.YOURDOMAIN.COM. (
                                2010022801 ; Serial
                                10800      ; Refresh
                                3600       ; Retry
                                604800     ; Expire
                                86400      ; Minimum
                                )
YOURDOMAIN.COM.         IN NS   ns1
ns1                     IN A    8.8.8.8
YOURDOMAIN.COM.         IN A    192.168.0.5
mail                    IN A    192.168.0.5
mail.YOURDOMAIN.COM.    IN A    192.168.0.5
mail1.YOURDOMAIN.COM.   IN A    192.168.0.5
webmail                 IN A    192.168.0.5
@                       IN MX   10 mail
YOURDOMAIN.COM.         IN MX   20 mail1
webmail.YOURDOMAIN.COM. IN MX   30 mail
Modify your zone file based on the above according to your needs
Do not omit any “.” in the names. The “.” means that the server is the qualified server for that domain.
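A name written without the trailing dot is relative, so named appends $ORIGIN to it a second time. The following check is an added example, not part of the original guide: it flags names in a zone file that spell out the origin but lack the dot. The function names lint_zone and sample_zone and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Added example: find zone-file names that end in the zone origin but have no
# trailing dot (named would expand them to name.ORIGIN.ORIGIN.).

# Constructed sample zone; two names are deliberately missing the dot.
sample_zone() {
cat <<'EOF'
$ORIGIN YOURDOMAIN.COM.
$TTL 38400
YOURDOMAIN.COM.  IN SOA ns1 Administrator.YOURDOMAIN.COM (
        2010022801 ; Serial
        10800      ; Refresh
        3600       ; Retry
        604800     ; Expire
        86400 )    ; Minimum
YOURDOMAIN.COM.         IN NS ns1
mail                    IN A  192.168.0.5
mail.YOURDOMAIN.COM.    IN A  192.168.0.5
webmail.YOURDOMAIN.COM  IN MX 30 mail
EOF
}

# lint_zone ORIGIN < zonefile
# Prints "line:name" for every token that equals ORIGIN or ends in ".ORIGIN"
# without a trailing dot. Comparison is case-insensitive, as DNS names are.
lint_zone() {
    awk -v origin="$1" '
    BEGIN { o = tolower(origin); sub(/\.$/, "", o) }
    /^\$/ { next }                      # skip $ORIGIN / $TTL directives
    {
        sub(/;.*/, "")                  # drop comments before tokenising
        for (i = 1; i <= NF; i++) {
            t = tolower($i)
            if (t == o || (length(t) > length(o) &&
                substr(t, length(t) - length(o)) == "." o))
                print NR ":" $i
        }
    }'
}

# Run against the constructed sample.
sample_zone | lint_zone YOURDOMAIN.COM.
```

Before starting named, `named-checkzone YOURDOMAIN.COM /var/named/YOURDOMAIN.COM` (shipped with the bind package) confirms that the real file loads.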
Let's now start our named server
#systemctl start named
If there are no errors, let's now test the server
#nslookup - 127.0.0.1
Type in www.google.com
> www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.google.com
Address: 74.125.206.99
Name: www.google.com
Address: 74.125.206.106
Name: www.google.com
Address: 74.125.206.103
Name: www.google.com
Address: 74.125.206.105
Name: www.google.com
Address: 74.125.206.104
Name: www.google.com
Address: 74.125.206.147
>
WEBMAIL.YOURDOMAIN.COM should return 192.168.0.5
> webmail.yourdomain.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: webmail.yourdomain.com
Address: 192.168.0.5
>
Note that for webmail.yourdomain.com the answer is authoritative (the “.” we talked about above makes our server the authoritative server for our domain).
If everything works well, it is now time to set up a host name and the hosts file. Zimbra is very picky about this, so we need to get this right to avoid complaints from the installer.
#hostname MAIL.YOURDOMAIN.COM
#vim /etc/hosts
Add the following line to the end of your /etc/hosts file :
192.168.0.5 mail.yourdomain.com yourdomain.com
Set SELinux to Permissive
#vim /etc/selinux/config
change from SELINUX=enforcing to SELINUX=permissive
Here is how the /etc/selinux/config file should look
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
save and quit
Disable the Firewall (This can be enabled later on if desired)
#systemctl disable firewalld
Install wget
#yum install wget
Install net-tools
#yum install net-tools
Next we install the zimbra dependencies :-
#yum install perl perl-core ntpl nmap openssh-clients libidn gmp libaio libstdc++ unzip sysstat sqlite
It is now time to update everything
#yum update -y
Once the update finishes, reboot the server
#reboot
Installing Zimbra
Some of the commands below, especially the installer, take quite a long time to execute, so it is NOT a good idea to run the next bits remotely. If for any reason the installer gets interrupted, it will leave a mess behind which you will need to clean before attempting a re-installation.
Run the installer either directly from a console, or using the “screen” command. If you do not know how to use the screen command, I recommend you google it.
If you intend to use SSL certificates such as Let's Encrypt, make sure that your server name is the same as your webmail URL name, or LDAP will not start, failing with the following error (after you install the SSL certificates):
Unable to start TLS: hostname verification failed when connecting to ldap master.
So basically, name your server webmail.YOURDOMAIN.COM; you can then add as many domains as you want, including yourdomain.com for @yourdomain.com mail distribution, after the installation is complete. You can do this from the web interface under Configure -> Domains.
Before we install Zimbra, we need to make sure that none of the standard mail daemons that come with Linux are running. Log in to the server as “root”
#systemctl stop postfix
#systemctl disable postfix
#systemctl stop sendmail
#systemctl disable sendmail
Let’s double-check that SELinux is set to permissive
#getenforce
should return Permissive
Now let’s create a folder for our installer. (the installer needs to run as root)
#mkdir /root/zimbra
#cd /root/zimbra
#mkdir installer
#cd installer
#wget https://files.zimbra.com/downloads/8.7.1_GA/zcs-8.7.1_GA_1670.RHEL7_64.20161025045328.tgz
Download Opensource
https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
https://files.zimbra.com/downloads/8.8.6_GA/zcs-8.8.6_GA_1906.RHEL7_64.20171130041047.tgz
*At the time of writing 8.7.1_GA_1670 was the latest version
The next step is to unzip and extract the tarball
#gzip -dc zcs-8.7.1_GA_1670.RHEL7_64.20161025045328.tgz | tar xvf -
Once the unzipping operation finishes, it is time to run the installer
#cd zcs-8.7.1_GA_1670.RHEL7_64.20161025045328
Finally, we run the installer (note that since we are running our own DNS server on port 53, we need to say NO to Install zimbra-dnscache [Y]):
# ./install.sh
Operations logged to /tmp/install.log.jK37Q47Z
Checking for existing installation...
    zimbra-ldap...NOT FOUND
    zimbra-logger...NOT FOUND
    zimbra-mta...NOT FOUND
    zimbra-dnscache...NOT FOUND
    zimbra-snmp...NOT FOUND
    zimbra-store...NOT FOUND
    zimbra-apache...NOT FOUND
    zimbra-spell...NOT FOUND
    zimbra-convertd...NOT FOUND
    zimbra-memcached...NOT FOUND
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-core...NOT FOUND
----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------
Do you agree with the terms of the software license agreement? [N] y
Checking for installable packages
Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-dnscache
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy
Use Zimbra's package repository [Y] Y
Importing Zimbra GPG key
Configuring package repository
Select the packages to install
Install zimbra-ldap [Y]
Install zimbra-logger [Y]
Install zimbra-mta [Y]
Install zimbra-dnscache [Y] N <------ Take Note
Install zimbra-snmp [Y]
Install zimbra-store [Y]
Install zimbra-apache [Y]
Install zimbra-spell [Y]
Install zimbra-memcached [Y]
Install zimbra-proxy [Y]
Checking required space for zimbra-core
Checking space for zimbra-store
Checking required packages for zimbra-store
zimbra-store package check complete.
Installing:
    zimbra-core
    zimbra-ldap
    zimbra-logger
    zimbra-mta
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell
    zimbra-memcached
    zimbra-proxy
The system will be modified. Continue? [N] y
Installing packages
zimbra-core will be downloaded.
zimbra-ldap will be downloaded.
zimbra-logger will be downloaded.
zimbra-mta will be downloaded.
zimbra-snmp will be downloaded.
zimbra-store will be downloaded.
zimbra-apache will be downloaded.
zimbra-spell will be downloaded.
zimbra-memcached will be downloaded.
zimbra-proxy will be downloaded.
Downloading packages. This will not modify the system. This may take some time.
Removing /opt/zimbra
Removing zimbra crontab entry...done.
Cleaning up zimbra init scripts...done.
Cleaning up /etc/security/limits.conf...done.
Finished removing Zimbra Collaboration Server.
Local packages zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-proxy selected for installation
Monitor /tmp/install.log.jK37Q47Z for package installation progress
Remote package installation started
Installing zimbra-core-components zimbra-ldap-components zimbra-mta-components zimbra-snmp-components zimbra-store-components zimbra-apache-components zimbra-spell-components zimbra-memcached zimbra-proxy-components....done
Local package installation started
Installing zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-proxy...done
done
Operations logged to /tmp/zmsetup20170111122713.log
Installing LDAP configuration database...done.
Setting defaults...
MX: mail.YOURDOMAIN.COM (192.168.0.5)
MX: mail1.YOURDOMAIN.COM (192.168.0.5)
Interface: 127.0.0.1
Interface: ::1
Interface: 192.168.0.5
192.168.0.5
192.168.0.5
192.168.0.5
done.
Checking for port conflicts
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
    +Create Admin User: yes
    +Admin user to create: admin@YOURDOMAIN.COM
******* +Admin Password UNSET
    +Anti-virus quarantine user: virus-quarantine.aejbbp2he@YOURDOMAIN.COM
    +Enable automated spam training: yes
    +Spam training user: spam.kenzcrm1e@YOURDOMAIN.COM
    +Non-spam(Ham) training user: ham.z3ddhlli@YOURDOMAIN.COM
    +SMTP host: YOURDOMAIN.COM
    +Web server HTTP port: 8080
    +Web server HTTPS port: 8443
    +Web server mode: https
    +IMAP server port: 7143
    +IMAP server SSL port: 7993
    +POP server port: 7110
    +POP server SSL port: 7995
    +Use spell check server: yes
    +Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
    +Enable version update checks: TRUE
    +Enable version update notifications: TRUE
    +Version update notification email: admin@YOURDOMAIN.COM
    +Version update source email: admin@YOURDOMAIN.COM
    +Install mailstore (service webapp): yes
    +Install UI (zimbra,zimbraAdmin webapps): yes
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
We now need to set the Admin Password.
Address unconfigured (**) items (? - help) 6
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@YOURDOMAIN.COM
** 4) Admin Password UNSET
5) Anti-virus quarantine user: virus-quarantine.aejbbp2he@YOURDOMAIN.COM
6) Enable automated spam training: yes
7) Spam training user: spam.kenzcrm1e@YOURDOMAIN.COM
8) Non-spam(Ham) training user: ham.z3ddhlli@YOURDOMAIN.COM
9) SMTP host: YOURDOMAIN.COM
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: admin@YOURDOMAIN.COM
22) Version update source email: admin@YOURDOMAIN.COM
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or ‘r’ for previous menu [r] 4
Password for admin@YOURDOMAIN.COM (min 6 characters): [z1rrJPyNvW]
(Press ‘enter’ here to choose the pre-defined password or enter one yourself; make sure you do not lose your password.)
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@YOURDOMAIN.COM
4) Admin Password set
5) Anti-virus quarantine user: virus-quarantine.aejbbp2he@YOURDOMAIN.COM
6) Enable automated spam training: yes
7) Spam training user: spam.kenzcrm1e@YOURDOMAIN.COM
8) Non-spam(Ham) training user: ham.z3ddhlli@YOURDOMAIN.COM
9) SMTP host: YOURDOMAIN.COM
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://YOURDOMAIN.COM:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: admin@YOURDOMAIN.COM
22) Version update source email: admin@YOURDOMAIN.COM
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or 'r' for previous menu [r] r
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
*** CONFIGURATION COMPLETE - press 'a' to apply
Press the a key to apply
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes] Yes
Save config in file: [/opt/zimbra/config.6201]
Saving config in /opt/zimbra/config.6201...done.
The system will be modified - continue? [No] Yes
Operations logged to /tmp/zmsetup20170111122713.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating SSL zimbra-store certificate...done.
Creating new zimbra-ldap SSL certificate...done.
Creating new zimbra-mta SSL certificate...done.
Creating new zimbra-proxy SSL certificate...done.
Installing mailboxd SSL certificates...done.
Installing MTA SSL certificates...done.
Installing LDAP SSL certificate...done.
Installing Proxy SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Setting BES searcher password...done.
Creating server entry for YOURDOMAIN.COM...done.
Setting Zimbra IP Mode...done.
Saving CA in ldap...done.
Saving SSL Certificate in ldap...done.
Setting spell check URL...done.
Setting service ports on YOURDOMAIN.COM...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Checking current setting of zimbraReverseProxyAvailableLookupTargets
Querying LDAP for other mailstores
Searching LDAP for reverseProxyLookupTargets...done.
Adding YOURDOMAIN.COM to zimbraReverseProxyAvailableLookupTargets
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on YOURDOMAIN.COM...done.
Adding YOURDOMAIN.COM to zimbraMailHostPool in default COS...done.
Creating domain YOURDOMAIN.COM...done.
Setting default domain name...done.
Creating domain YOURDOMAIN.COM...already exists.
Creating admin account admin@YOURDOMAIN.COM...done.
Creating root alias...done.
Creating postmaster alias...done.
Creating user spam.kenzcrm1e@YOURDOMAIN.COM...done.
Creating user ham.z3ddhlli@YOURDOMAIN.COM...done.
Creating user virus-quarantine.aejbbp2he@YOURDOMAIN.COM...done.
Setting spam training and Anti-virus quarantine accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for YOURDOMAIN.COM...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done.
Installing common zimlets...
    com_zimbra_mailarchive...done.
    com_zimbra_attachmail...done.
    com_zimbra_tooltip...done.
    com_zimbra_ymemoticons...done.
    com_zimbra_attachcontacts...done.
    com_zimbra_srchhighlighter...done.
    com_zimbra_webex...done.
    com_zimbra_url...done.
    com_zimbra_bulkprovision...done.
    com_zimbra_adminversioncheck...done.
    com_zimbra_proxy_config...done.
    com_zimbra_clientuploader...done.
    com_zimbra_email...done.
    com_zimbra_viewmail...done.
    com_zimbra_date...done.
    com_zimbra_phone...done.
    com_zimbra_cert_manager...done.
Finished installing common zimlets.
Restarting mailboxd...done.
Creating galsync account for default domain...done.
You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
    The VERSION of zcs installed (8.7.1_GA_1670_RHEL7_64)
    The ADMIN EMAIL ADDRESS created (admin@YOURDOMAIN.COM)
Notify Zimbra of your installation? [Yes]
Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=8.7.1_GA_1670_RHEL7_64&MAIL=admin@YOURDOMAIN.COM
Notification complete
Setting up zimbra crontab...done.
Moving /tmp/zmsetup20170111122713.log to /opt/zimbra/log
Configuration complete - press return to exit
Everything is now ready.
The next step is to log in via the web interface at https://192.168.0.5:7071, using admin as the username and the password you set up during the installation, to manage your server.
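The firewall was disabled during server preparation with the note that it can be enabled later. The following is an added example, not part of the original guide: it lists listeners reachable from the network that are not meant to be client-facing, then prints a firewalld rule set that keeps the admin console on port 7071 limited to a management subnet. The public port list, the 192.168.0.0/24 subnet, the function names and the sample `ss -ltn` output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Assumption: client-facing ports of a single-server install behind zimbra-proxy.
PUBLIC_PORTS="25 80 110 143 443 465 587 993 995"
ADMIN_PORT=7071   # admin console port used in this guide

# Constructed `ss -ltn` sample; the 7xxx/8xxx ports are the backend ports
# shown in the installer menu above.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:53        *:*
LISTEN 0      100    *:25                *:*
LISTEN 0      128    *:443               *:*
LISTEN 0      128    *:993               *:*
LISTEN 0      50     *:7071              *:*
LISTEN 0      50     *:8443              *:*
LISTEN 0      50     *:7143              *:*
LISTEN 0      128    192.168.0.5:7780    *:*
EOF
}

# unintended_listeners < ss-output
# Ports bound to a non-loopback address that are not in PUBLIC_PORTS.
unintended_listeners() {
    awk -v allow="$PUBLIC_PORTS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host ~ /^127\./ || host == "::1" || host == "[::1]") next
        if (!(port in ok)) print port
    }' | sort -n -u
}

# firewall_plan MGMT_CIDR
# Prints (does not run) firewall-cmd lines: public ports open to everyone,
# the admin console only from MGMT_CIDR; all other ports stay blocked.
firewall_plan() {
    for p in $PUBLIC_PORTS; do
        echo "firewall-cmd --permanent --add-port=${p}/tcp"
    done
    echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$1\" port port=\"$ADMIN_PORT\" protocol=\"tcp\" accept'"
    echo "firewall-cmd --reload"
}

# Run against the constructed sample.
sample_ss | unintended_listeners
firewall_plan 192.168.0.0/24
```

On the server, feed real data with `ss -ltn | unintended_listeners`, and review the printed plan before running it after `systemctl enable firewalld` and `systemctl start firewalld`.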
---