This is a guide to installing Zimbra Collaboration Suite (ZCS) 8.8.12 and configuring SSL on CentOS 7.
By default CentOS runs its own Postfix, which would conflict with the Postfix that Zimbra ships and manages itself, so stop and disable it first:
# systemctl stop postfix
# systemctl disable postfix
Then set the hostname of your server. Zimbra takes the server's fully qualified name from it during installation, so use the name that mail clients will connect to:
# hostnamectl set-hostname "mail.usefuleverything.com"
# yum install -y nano
Add the following line to the /etc/hosts file, using the server's own IP address. If this server will handle several mail domains, add an entry for each additional hostname as well:
192.168.0.108 mail.usefuleverything.com
Install Zimbra dependencies using yum
Run the command below to install the packages Zimbra / ZCS depends on:
# yum install unzip net-tools sysstat openssh-clients perl-core libaio nmap-ncat wget -y
Use wget to download ZCS 8.8.12 from the terminal. Zimbra publishes a 64-bit build for each supported platform, with MD5 and SHA-256 checksums next to the download link:
Platform | Download 64-bit
---|---
Red Hat Enterprise Linux 6 | 64bit x86 (MD5) (SHA 256)
CentOS 6 | 64bit x86 (MD5) (SHA 256)
Oracle Linux 6 | 64bit x86 (MD5) (SHA 256)
Red Hat Enterprise Linux 7 | 64bit x86 (MD5) (SHA 256)
CentOS 7 | 64bit x86 (MD5) (SHA 256)
Oracle Linux 7 | 64bit x86 (MD5) (SHA 256)
Ubuntu 14.04 LTS | 64bit x86 (MD5) (SHA 256)
Ubuntu 16.04 LTS | 64bit x86 (MD5) (SHA 256)
Ubuntu 18.04 LTS | 64bit x86 (MD5) (SHA 256) BETA
# wget https://files.zimbra.com/downloads/8.8.12_GA/zcs-8.8.12_GA_3794.RHEL7_64.20190329045002.tgz
Do not pass --no-check-certificate to wget here: it switches off TLS certificate verification for the download, which is the only protection against being handed a tampered installer in transit. If the download fails certificate checks, fix the CA bundle on the host instead. In any case, compare the downloaded file against the SHA-256 checksum published next to it before running install.sh.
Install Zimbra / ZCS 8.8.12
Extract the downloaded ZCS 8.8.12 tgz file with the tar command below, then run the installer from inside the extracted directory:
# tar zxpvf zcs-8.8.12_GA_3794.RHEL7_64.20190329045002.tgz
# cd zcs-8.8.12_GA_3794.RHEL7_64.20190329045002
# ./install.sh
Open the ports Zimbra needs in firewalld:
# firewall-cmd --permanent --add-port={25,80,110,143,443,465,587,993,995,5222,5223,9071,7071,7025}/tcp
# firewall-cmd --reload
This list contains ports that should not be reachable from the internet on a single-server setup: 7071 and 9071 are the admin console (direct and through the proxy), and 7025 is LMTP, which only other Zimbra nodes need to reach. Restrict those to your management network rather than opening them to everyone, and consider whether you need the non-TLS POP3/IMAP ports 110 and 143 at all if every client can use 995 and 993.
Now configure SSL
Log in via SSH as root.
Install certbot:
# yum install -y epel-release
# yum install -y certbot
# certbot certonly
Answer the prompts (domain name, contact e-mail address) to obtain the certificate. Note that Zimbra's proxy is already listening on port 80 once install.sh has finished, so certbot's standalone authenticator cannot bind it: use a DNS challenge, or stop the proxy briefly while the certificate is requested. Let's Encrypt certificates are valid for 90 days, so the copy-and-deploy steps below have to be repeated at every renewal.
Then go to /etc/letsencrypt/live/$domain and copy the files into a directory under Zimbra's ssl folder:
mkdir /opt/zimbra/ssl/lets
cp * /opt/zimbra/ssl/lets/
cd /opt/zimbra/ssl/lets/
Make sure the zimbra user owns the copied files. Note that cp does not preserve the owner-only mode certbot sets on the private key, so restore mode 0600 on privkey.pem as well; a world-readable copy of the key lets any local account on the server impersonate it.
chown zimbra:root *
Then switch to the zimbra user with a login shell, so that Zimbra's bin directory is on the PATH:
# su - zimbra
nano chain.pem
Your chain.pem should contain the Let's Encrypt intermediate that certbot gave you, followed by the root certificate that issued it, so that the chain ends at a self-signed root; zmcertmgr verifycrt validates the chain up to such a root, which is why the root has to be appended by hand. The guide appended DST Root CA X3, shown below. That root expired on 30 September 2021, so for certificates issued today append ISRG Root X1 (published by Let's Encrypt) in its place.
-----BEGIN CERTIFICATE-----
YOURCHAIN
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
Then check that the key, the certificate and the chain fit together:
# /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
If verification passes, install the key and deploy the certificate:
# cp "privkey.pem" "/opt/zimbra/ssl/zimbra/commercial/commercial.key"
# /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
Then restart the Zimbra services:
# zmcontrol stop
# zmcontrol start
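The steps from certbot through the restart are a manual sequence that has to be repeated every time Let's Encrypt renews the certificate, and the plain cp step quietly widens the private key's permissions. The script below is an added example, not code from the guide or from Zimbra: it wraps the same sequence into a certbot deploy hook, rebuilds chain.pem with the root appended, refuses to deploy a key that does not belong to the certificate, keeps the key at mode 0600, and runs zmcertmgr as the zimbra user. The hook filename, the ROOT_CERT path and the ZIMBRA_SSL_DIR location are assumptions; the zmcertmgr and zmcontrol calls are the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Zimbra: a certbot
# deploy hook that repeats the manual Let's Encrypt -> Zimbra steps above
# on every renewal. Assumptions (hypothetical, adjust for your host):
#   - certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<domain>)
#     when it runs a deploy hook; a lineage directory can also be passed
#     as the first argument for a manual run.
#   - ROOT_CERT is a PEM copy of the root the chain terminates at (ISRG
#     Root X1 on current Let's Encrypt issuance), fetched once by hand.
set -eu

ZIMBRA_SSL_DIR="${ZIMBRA_SSL_DIR:-/opt/zimbra/ssl/lets}"
ROOT_CERT="${ROOT_CERT:-/etc/pki/tls/certs/isrg-root-x1.pem}"

# Return 0 when the private key and the certificate carry the same public
# key, which is what zmcertmgr verifycrt checks before deploying.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Write chain.pem the way Zimbra wants it: certbot's intermediates first,
# then the root, so the chain ends at a self-signed certificate. Prints the
# number of certificates written so the caller can sanity-check it.
build_zimbra_chain() {
    cat "$1" "$2" > "$3"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$3"
}

# Copy the renewed material into Zimbra's directory (key kept 0600), then
# verify and deploy it as the zimbra user, exactly as in the manual steps.
deploy_to_zimbra() {
    lineage="$1"
    install -d -o zimbra -g zimbra -m 0750 "$ZIMBRA_SSL_DIR"
    install -o zimbra -g zimbra -m 0600 "$lineage/privkey.pem" "$ZIMBRA_SSL_DIR/privkey.pem"
    install -o zimbra -g zimbra -m 0644 "$lineage/cert.pem" "$ZIMBRA_SSL_DIR/cert.pem"
    build_zimbra_chain "$lineage/chain.pem" "$ROOT_CERT" "$ZIMBRA_SSL_DIR/chain.pem" >/dev/null
    chown zimbra:zimbra "$ZIMBRA_SSL_DIR/chain.pem"
    if ! key_matches_cert "$ZIMBRA_SSL_DIR/privkey.pem" "$ZIMBRA_SSL_DIR/cert.pem"; then
        echo "renewed key does not match certificate; not deploying" >&2
        return 1
    fi
    su - zimbra -c "cd '$ZIMBRA_SSL_DIR' \
        && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem \
        && cp privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key \
        && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem \
        && zmcontrol restart"
}

# Deploy only when certbot (or a manual caller) supplies a lineage; loading
# the file without one, e.g. to exercise the helpers, does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then
    deploy_to_zimbra "${1:-$RENEWED_LINEAGE}"
fi
```

Save it as, for instance, /usr/local/sbin/zimbra-deploy-cert.sh (an assumed name), run it once by hand with the lineage directory as the argument to confirm the deployment works, and then let certbot call it with certbot renew --deploy-hook /usr/local/sbin/zimbra-deploy-cert.sh, so it runs only after a successful renewal. The final zmcontrol restart takes the mail services down for a short while, so schedule renewal checks outside busy hours.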
Following for additional domains
Configuring the IP address per domain
1. Add the new domain if it does not exist yet, in this case example.com, then set zimbraVirtualHostName to mail.example.com and zimbraVirtualIPAddress to 1.2.3.4. The zimbraVirtualHostName must be the name clients will use to reach the domain (the URL), and the SSL certificate must be issued for that same name.
zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.2.3.4
NOTE: If the server is behind a firewall and NAT'ed to an external address, make sure that external requests for "mail.example.com" reach the aliased IP address and not the actual local IP address of the server.
Verifying and preparing the certificates
We have three files from the CA: the server (domain) certificate and two chain certificates. We also have the existing key file, which was used to generate the CSR.
1. Save the example.com certificate, key and chain files in the directory /tmp/example.com. You may receive one or several chain certificates from your CA; here there are two, example.com.root.crt and example.com.intermediate.crt. Keep the key file readable only by its owner and remove it from /tmp once it has been deployed, since /tmp is shared by every local account on the server.
ls /tmp/example.com
example.com.key
example.com.crt
example.com.root.crt
example.com.intermediate.crt
2. Combine the chain certificates into a single file called example.com_ca.crt, intermediate first and root last, so that the order follows the path from the server certificate up to the root (this is the order TLS clients expect when the bundle is served):
cat example.com.intermediate.crt example.com.root.crt > example.com_ca.crt
3. Confirm that the key matches the certificate and that the chain certificates complete the trust path:
/opt/zimbra/bin/zmcertmgr verifycrt comm /tmp/example.com/example.com.key /tmp/example.com/example.com.crt /tmp/example.com/example.com_ca.crt
- Check the output; it should look like the following. If it does not, make sure you have the correct key and chain files.
** Verifying example.com.crt against example.com.key
Certificate (example.com.crt) and private key (example.com.key) match.
Valid Certificate: example.com.crt: OK
Deploying the certificate on the domain
1. Concatenate the domain certificate and the chain file into a single file called example.com.bundle:
cat example.com.crt example.com_ca.crt > example.com.bundle
2. Run the following to save the certificate and key in the LDAP database:
/opt/zimbra/libexec/zmdomaincertmgr savecrt example.com example.com.bundle example.com.key
- The syntax is:
/opt/zimbra/libexec/zmdomaincertmgr savecrt <domainname> <certificate with chain certs> <keyfile>
3. Run the following to deploy the domain certificate. This writes the certificate and key to /opt/zimbra/conf/domaincerts/example.com:
/opt/zimbra/libexec/zmdomaincertmgr deploycrts
4. Make sure that mail.example.com, the name set in zimbraVirtualHostName, resolves to its local IP address from the Zimbra host, or add a matching entry to /etc/hosts:
1.2.3.4 mail.example.com
Proxy check
Run these commands on the proxy hosts.
- zimbraReverseProxyGenConfigPerVirtualHostname should be set to TRUE in both the server config and the global config:
zmprov gs `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname
zmprov gacf zimbraReverseProxyGenConfigPerVirtualHostname
Use these commands to set it to TRUE:
zmprov ms `zmhostname` zimbraReverseProxyGenConfigPerVirtualHostname TRUE
zmprov mcf zimbraReverseProxyGenConfigPerVirtualHostname TRUE
Rewrite and restart the proxy
- Restart the proxy so that the changes are written to the proxy config:
zmproxyctl restart
- Once the restart is successful, open the name set in zimbraVirtualHostName over HTTPS, in this case https://mail.example.com, and check which certificate the browser received. It should be the certificate issued for mail.example.com, not the server's default certificate.
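The browser check at the end is worth scripting once several domains share one proxy, because the usual failure is quiet: the proxy answers, but with the server's default certificate instead of the domain's. The script below is an added example, not part of the guide or of Zimbra. It connects to the proxy with SNI set to a given zimbraVirtualHostName, as a browser does, and reports whether the certificate it receives covers that name (including wildcard entries) and remains valid for at least 14 days. The IP addresses, hostnames and the 14-day threshold are placeholders; the script needs only a POSIX shell and openssl on the machine that runs it.

```shell
#!/bin/sh
# Added example, not from the original guide or from Zimbra: report which
# certificate the Zimbra proxy serves for a given zimbraVirtualHostName.
# Assumptions (hypothetical): the proxy answers on port 443 at the IP
# given, openssl is installed here, and names and IPs are placeholders.
set -eu

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if the certificate covers the hostname: either an exact SAN
# entry, or a wildcard entry whose suffix matches and that stands in for
# exactly one label (so *.example.org covers imap.example.org but neither
# example.org nor deep.sub.example.org).
cert_matches_name() {
    cert="$1"; name="$2"
    for entry in $(cert_dns_names "$cert"); do
        [ "$entry" = "$name" ] && return 0
        case "$entry" in
            \*.*)
                case "$name" in
                    *.*) [ "${name#*.}" = "${entry#\*.}" ] && return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Return 0 if the certificate is still valid DAYS days from now
# (openssl's -checkend compares notAfter with now plus the given seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Fetch the certificate the proxy at IP presents when asked for NAME via
# SNI, and store it as PEM in OUT.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -out "$3" 2>/dev/null
}

# Verdict for one virtual host; returns 0 only when the served certificate
# covers the name and is not about to expire.
check_virtual_host() {
    ip="$1"; name="$2"
    tmp=$(mktemp)
    if ! fetch_served_cert "$ip" "$name" "$tmp"; then
        echo "FAIL $name: no certificate received from $ip"
        rm -f "$tmp"; return 1
    fi
    if cert_matches_name "$tmp" "$name" && cert_valid_for_days "$tmp" 14; then
        echo "OK   $name: served certificate covers it and is valid for 14+ days"
        rm -f "$tmp"; return 0
    fi
    echo "FAIL $name: served certificate names: $(cert_dns_names "$tmp" | tr '\n' ' ')"
    rm -f "$tmp"; return 1
}

# Usage: sh check-vhost.sh <proxy-ip> <zimbraVirtualHostName> [more names...]
# With no arguments (e.g. when sourced to reuse the helpers) nothing runs.
if [ $# -ge 2 ]; then
    ip="$1"; shift
    status=0
    for name in "$@"; do
        check_virtual_host "$ip" "$name" || status=1
    done
    exit "$status"
fi
```

Run it from a host outside the NAT as well as from the Zimbra server itself: the NOTE under "Configuring the IP address per domain" is exactly the case where the two answers differ. A FAIL line listing the server's own hostname instead of the domain's means the proxy did not pick up the per-virtual-host config, which is what the zimbraReverseProxyGenConfigPerVirtualHostname check above is for.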
Backup script for Zimbra
Installation
# yum install epel-release -y
# yum install parallel wget httpie sqlite3 git -y
Download the latest package with the BETA tag in the "Release" section, or git clone the development branch. zmbackup is a community-maintained tool, not part of ZCS, so read its install.sh before running it as root:
# git clone -b 1.2-version https://github.com/lucascbeyeler/zmbackup.git
# cd zmbackup
# chmod +x install.sh
# ./install.sh
# su - zimbra
$ zmbackup -v
zmbackup version: 1.2.3
Taking a full backup
$ zmbackup -f
A backup that stays on the mail server does not survive the loss of that server. Copy the backup directory to separate storage and verify that a restore works before relying on it.