@bouroo
Last active October 14, 2021 06:38
Install Zimbra Collaboration on ubuntu LTS
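#!/usr/bin/env bash
# Request a Let's Encrypt certificate for a Zimbra host.
# Run as root: the script uses "su - zimbra" and writes under /etc/letsencrypt.
MAIL_DOMAIN="your.mail.domain"
# Contact address registered with the CA. Placeholder: the address in the
# published script was obfuscated by the hosting page, so set a real mailbox
# before running.
CERT_EMAIL="admin@${MAIL_DOMAIN}"
# Run once
# Download the Java Cryptography Extension (JCE) policy files from
# http://www.oracle.com/technetwork/java/javase/downloads/index.html
# and replace the .jar files in /opt/zimbra/common/lib/jvm/java/jre/lib/security
# Use strong cipher for nginx
# NOTE(review): the list below still admits RSA key exchange (RSA+AESGCM, RSA+AES),
# which gives no forward secrecy; drop those entries if every client supports ECDHE/DHE.
#su - zimbra -c "zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE+CHACHA20:ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:RSA+AESGCM:RSA+AES:!DES-CBC3-SHA:!DSS'"
#su - zimbra -c 'zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"'
#su - zimbra -c "zmdhparam set -new 4096"
# Disable weak ciphers
#su - zimbra -c "zmprov mcf zimbraSSLExcludeCipherSuites .*_RC4_.*"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5"
#su - zimbra -c "zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA"
# Stop the jetty and nginx services: the standalone authenticator has to bind
# the web port itself while the challenge runs.
su - zimbra -c "zmproxyctl stop"
su - zimbra -c "zmmailboxdctl stop"
# Get certificate. If issuance fails there is nothing new to deploy, so bring
# the stopped services back with the existing certificate and report the
# failure instead of carrying on into the deployment steps.
if ! /usr/bin/letsencrypt certonly --standalone --agree-tos --email "${CERT_EMAIL}" -d "${MAIL_DOMAIN}"; then
  echo "Certificate request for ${MAIL_DOMAIN} failed; restarting Zimbra services unchanged" >&2
  su - zimbra -c "zmproxyctl start"
  su - zimbra -c "zmmailboxdctl start"
  exit 1
fi
# Renew certificate
# /usr/bin/letsencrypt renew --agree-tos --email "${CERT_EMAIL}"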
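# Build the proper Intermediate CA plus Root CA
#wget -q https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -O /etc/letsencrypt/live/${MAIL_DOMAIN}/chain.pem
# Stage the certificate material where the zimbra user can read it.
# The root CA is appended to the staged copy of chain.pem, not to the file
# under /etc/letsencrypt/live: appending there would add another copy on
# every run and modify a file the ACME client manages.
LE_LIVE_DIR="/etc/letsencrypt/live/${MAIL_DOMAIN}"
ZIMBRA_LE_DIR="/opt/zimbra/ssl/letsencrypt"
# 0700 directory and 0600 key: a plain "cat >" under the default umask would
# leave the private key world-readable.
install -d -m 0700 -o zimbra -g zimbra "${ZIMBRA_LE_DIR}"
install -m 0644 -o zimbra -g zimbra "${LE_LIVE_DIR}/cert.pem" "${ZIMBRA_LE_DIR}/cert.pem"
install -m 0644 -o zimbra -g zimbra "${LE_LIVE_DIR}/chain.pem" "${ZIMBRA_LE_DIR}/chain.pem"
install -m 0644 -o zimbra -g zimbra "${LE_LIVE_DIR}/fullchain.pem" "${ZIMBRA_LE_DIR}/fullchain.pem"
install -m 0600 -o zimbra -g zimbra "${LE_LIVE_DIR}/privkey.pem" "${ZIMBRA_LE_DIR}/privkey.pem"
# NOTE(review): this pinned root is not refreshed by certificate renewal;
# confirm it is still the issuer of the intermediate in chain.pem before
# deploying, otherwise chain verification will fail.
cat <<'EOF' >>"${ZIMBRA_LE_DIR}/chain.pem"
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
# Catch files left over from earlier runs that were created with other owners.
chown -R zimbra:zimbra "${ZIMBRA_LE_DIR}/"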
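#cd /opt/zimbra/ssl/letsencrypt/
# Verify that key, certificate and chain belong together before touching the
# live Zimbra SSL directory. This relies on su passing through zmcertmgr's
# exit status; on failure the services are restarted with the certificate
# that is already deployed.
if ! su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem"; then
  echo "Certificate verification failed; nothing was deployed" >&2
  su - zimbra -c "zmcontrol restart"
  exit 1
fi
# Backup Zimbra SSL directory
su - zimbra -c 'cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")'
# Copy the private key under Zimbra SSL path and make sure it is not
# world-readable, whatever mode the staged copy had.
su - zimbra -c "cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key && chmod 640 /opt/zimbra/ssl/zimbra/commercial/commercial.key"
# Final SSL deployment
deploy_status=0
if ! su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/letsencrypt/cert.pem /opt/zimbra/ssl/letsencrypt/chain.pem"; then
  echo "Certificate deployment failed; see the zmcertmgr output above" >&2
  deploy_status=1
fi
# The services were stopped earlier in the script, so restart them either way.
su - zimbra -c "zmcontrol restart"
exit "${deploy_status}"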
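#!/usr/bin/env bash
## Collect the values used throughout the install: host name, domain,
## addresses, mailbox suffixes and the service password.
## Usage: script [PASSWORD] [bind|dnsmasq]
## NOTE(review): a password given as $1 is visible in the process list while
## the script runs.

# Print LENGTH alphanumeric characters read from the kernel CSPRNG.
# The earlier date|sha256sum|base64 pipeline was derived from the clock only,
# so every value generated within the same second was identical (the
# password matched the suffix of the ham/spam mailbox addresses) and could be
# recomputed by anyone who knew roughly when the install ran.
random_token() {
  local length=$1
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${length}"
}

# Succeed when $1 is shaped like a dotted-quad IPv4 address.
is_ipv4() {
  [[ $1 =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]
}

# Succeed when $1 contains only IPv6 address characters and at least one colon.
is_ipv6() {
  [[ $1 == *:* && $1 =~ ^[0-9A-Fa-f:.]+$ ]]
}

HOSTNAME=$(hostname -s)
DOMAIN=$(hostname -d)
RANDOMHAM=$(random_token 10)
RANDOMSPAM=$(random_token 10)
RANDOMVIRUS=$(random_token 10)
TZ=$(cat /etc/timezone)
# The public address is looked up over plain HTTP from a third-party service
# and later lands in zimbraMtaMyNetworks (hosts allowed to relay), so the
# reply is treated as untrusted: it is used only if it is shaped like an IP
# address. Check the resulting MTA value before exposing the server.
PUBLICIP4=$(curl -fsS --max-time 10 http://v4.ipv6-test.com/api/myip.php)
PUBLICIP6=$(curl -fsS --max-time 10 http://v6.ipv6-test.com/api/myip.php)
# NOTE(review): these pipelines take a fixed line offset after the last
# 'state UP' interface in "ip addr" output; on hosts without IPv6 or with
# several interfaces the result may not be an address - confirm before use.
CONTAINERIP4=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
CONTAINERIP6=$(ip addr | grep 'state UP' -A4 | tail -n1 | awk '{print $2}' | cut -f1 -d'/')
CIDR4=$(ip addr | grep 'state UP' -A2 | tail -n1 | awk '{print $2}' | cut -f2 -d'/')
CIDR6=$(ip addr | grep 'state UP' -A4 | tail -n1 | awk '{print $2}' | cut -f2 -d'/')
if ! is_ipv4 "${PUBLICIP4}"; then
  echo "warning: public IPv4 lookup gave no usable address; using ${CONTAINERIP4}" >&2
  PUBLICIP4="${CONTAINERIP4}"
fi
if ! is_ipv6 "${PUBLICIP6}"; then
  PUBLICIP6="::1"
fi
# Trusted relay networks: loopback, the public addresses and, when the host
# sits behind NAT, the container subnet as well.
if [ "${PUBLICIP4}" == "${CONTAINERIP4}" ]; then
  MTA="127.0.0.0/8 [::1]/128 $PUBLICIP4/32 [$PUBLICIP6]/128"
else
  MTA="127.0.0.0/8 [::1]/128 $CONTAINERIP4/$CIDR4 [$CONTAINERIP6]/$CIDR6 $PUBLICIP4/32 [$PUBLICIP6]/128"
fi
if [ "$1" == "" ]; then
  PASSWORD=$(random_token 20)
else
  PASSWORD="$1"
fi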
# Packages Zimbra needs on the host; the system is upgraded first when the
# package index refresh succeeds.
if sudo apt-get update; then
  sudo apt-get -y dist-upgrade
fi
zimbra_packages=(
  build-essential wget dnsutils netcat-openbsd sudo libidn11 libpcre3
  libgmp10 libexpat1 libstdc++6 libperl5.26 libaio1 resolvconf unzip pax
  sysstat sqlite libreoffice-core "libreoffice-l10n-*" fonts-vlgothic
)
sudo apt-get install -y "${zimbra_packages[@]}"
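#Install a DNS Server
# BIND is set up only when the second argument is "bind". It serves an
# authoritative zone for $DOMAIN on the container address and forwards
# everything else to the listed public resolvers.
if [ "$2" == "bind" ]; then
  sudo apt-get install -y bind9 bind9utils bind9-doc
  echo "Installing Bind DNS Server"
  # Force IPv4-only operation. Guarded so that a second run does not stack
  # another "-4" in front of the one already inserted.
  if ! grep -q -- '-4 -u' /etc/default/bind9; then
    sed "s/-u/-4 -u/g" /etc/default/bind9 > /etc/default/bind9.new
    mv /etc/default/bind9.new /etc/default/bind9
  fi
  rm -f /etc/bind/named.conf.options
  cat <<EOF >/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
listen-on { $CONTAINERIP4; }; # ns1 private IP address - listen on private network only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
1.1.1.2;
8.8.8.8;
};
auth-nxdomain no; # conform to RFC1035
#listen-on-v6 { any; };
};
EOF
  # Declare the zone once: appending it again on a re-run would leave two
  # definitions of the same zone in named.conf.local.
  if ! grep -qF -- "zone \"${DOMAIN}\"" /etc/bind/named.conf.local 2>/dev/null; then
    cat <<EOF >>/etc/bind/named.conf.local
zone "$DOMAIN" {
type master;
file "/etc/bind/db.$DOMAIN";
};
EOF
  fi
  # Zone data: every service name points at the container address.
  cat <<EOF >"/etc/bind/db.${DOMAIN}"
\$TTL 604800
@ IN SOA ns1.$DOMAIN. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.$DOMAIN.
@ IN A $CONTAINERIP4
@ IN MX 10 $HOSTNAME.$DOMAIN.
$HOSTNAME IN A $CONTAINERIP4
ns1 IN A $CONTAINERIP4
mail IN A $CONTAINERIP4
pop3 IN A $CONTAINERIP4
imap IN A $CONTAINERIP4
imap4 IN A $CONTAINERIP4
smtp IN A $CONTAINERIP4
EOF
  sudo service bind9 restart
fi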
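# dnsmasq is the default resolver: it is installed for "dnsmasq" and for any
# other value of $2 except "bind". The earlier if/else had two identical
# branches, so choosing "bind" also installed dnsmasq next to BIND and left
# two DNS servers configured on the same host.
if [ "$2" != "bind" ]; then
  echo "Installing dnsmasq DNS Server"
  sudo apt-get install -y dnsmasq
  echo "Configuring DNS Server"
  # Keep the packaged configuration as .old and write a minimal one that
  # answers on loopback only and resolves the mail host to the container.
  mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old
  cat <<EOF >/etc/dnsmasq.conf
server=1.1.1.2
server=8.8.8.8
listen-address=127.0.0.1
domain=$DOMAIN
mx-host=$DOMAIN,$HOSTNAME.$DOMAIN,0
address=/$HOSTNAME.$DOMAIN/$CONTAINERIP4
EOF
  sudo service dnsmasq restart
fi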
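##Preparing the config files to inject
echo "Creating the Scripts files"
# /tmp/zcs is a fixed name in a world-writable directory and will hold a file
# with service passwords. Create it private; if the path already exists, use
# it only when it is a real directory owned by the current user, so that a
# pre-planted directory or symlink cannot receive the answer file.
if ! mkdir -m 0700 /tmp/zcs 2>/dev/null; then
  if [ -L /tmp/zcs ] || [ ! -d /tmp/zcs ] || [ ! -O /tmp/zcs ]; then
    echo "Refusing to use /tmp/zcs: it exists and is not a directory owned by this user" >&2
    exit 1
  fi
  chmod 700 /tmp/zcs
fi
cd /tmp/zcs || exit 1
# Answer file read by zmsetup.pl. It is created empty and restricted to the
# owner before any password is written into it.
# NOTE(review): PASSWORD is reused below for the LDAP searcher, nginx and
# keystore entries, and no admin or LDAP root password key appears in this
# file; confirm how zmsetup.pl assigns the admin password, since the script
# later prints PASSWORD as the login credential.
touch /tmp/zcs/installZimbraScript
chmod 600 /tmp/zcs/installZimbraScript
cat <<EOF >/tmp/zcs/installZimbraScript
AVDOMAIN="$DOMAIN"
AVUSER="admin@$DOMAIN"
CREATEADMIN="admin@$DOMAIN"
CREATEDOMAIN="$DOMAIN"
DOCREATEADMIN="yes"
DOCREATEDOMAIN="yes"
DOTRAINSA="yes"
EXPANDMENU="no"
HOSTNAME="$HOSTNAME.$DOMAIN"
HTTPPORT="8080"
HTTPPROXY="TRUE"
HTTPPROXYPORT="80"
HTTPSPORT="8443"
HTTPSPROXYPORT="443"
IMAPPORT="7143"
IMAPPROXYPORT="143"
IMAPSSLPORT="7993"
IMAPSSLPROXYPORT="993"
INSTALL_WEBAPPS="service zimlet zimbra zimbraAdmin"
JAVAHOME="/opt/zimbra/common/lib/jvm/java"
LDAPBESSEARCHSET="set"
LDAPHOST="$HOSTNAME.$DOMAIN"
LDAPPORT="389"
LDAPREPLICATIONTYPE="master"
LDAPSERVERID="2"
MAILBOXDMEMORYPERCENT="20"
MAILPROXY="TRUE"
MODE="https"
MYSQLMEMORYPERCENT="20"
POPPORT="7110"
POPPROXYPORT="110"
POPSSLPORT="7995"
POPSSLPROXYPORT="995"
PROXYMODE="https"
REMOVE="no"
RUNARCHIVING="no"
RUNAV="yes"
RUNCBPOLICYD="no"
RUNDKIM="yes"
RUNSA="yes"
RUNVMHA="no"
SERVICEWEBAPP="yes"
SMTPDEST="admin@$DOMAIN"
SMTPHOST="$HOSTNAME.$DOMAIN"
SMTPNOTIFY="yes"
SMTPSOURCE="admin@$DOMAIN"
SNMPNOTIFY="yes"
SNMPTRAPHOST="$HOSTNAME.$DOMAIN"
SPELLURL="http://$HOSTNAME.$DOMAIN:7780/aspell.php"
STARTSERVERS="yes"
SYSTEMMEMORY="1.0"
TRAINSAHAM="ham.$RANDOMHAM@$DOMAIN"
TRAINSASPAM="spam.$RANDOMSPAM@$DOMAIN"
UIWEBAPPS="yes"
UPGRADE="yes"
USEEPHEMERALSTORE="no"
USESPELL="yes"
VERSIONUPDATECHECKS="TRUE"
VIRUSQUARANTINE="virus-quarantine.$RANDOMVIRUS@$DOMAIN"
ZIMBRA_REQ_SECURITY="yes"
ldap_bes_searcher_password="$PASSWORD"
ldap_dit_base_dn_config="cn=zimbra"
ldap_nginx_password="$PASSWORD"
mailboxd_directory="/opt/zimbra/mailboxd"
mailboxd_keystore="/opt/zimbra/mailboxd/etc/keystore"
mailboxd_keystore_password="$PASSWORD"
mailboxd_server="jetty"
mailboxd_truststore="/opt/zimbra/common/lib/jvm/java/jre/lib/security/cacerts"
mailboxd_truststore_password="changeit"
postfix_mail_owner="postfix"
postfix_setgid_group="postdrop"
ssl_default_digest="sha256"
zimbraFeatureBriefcasesEnabled="Enabled"
zimbraFeatureTasksEnabled="Enabled"
zimbraIPMode="both"
zimbraMailProxy="TRUE"
zimbraMtaMyNetworks="$MTA"
zimbraPrefTimeZoneId="$TZ"
zimbraReverseProxyLookupTarget="TRUE"
zimbraVersionCheckNotificationEmail="admin@$DOMAIN"
zimbraVersionCheckNotificationEmailFrom="admin@$DOMAIN"
zimbraVersionCheckSendNotifications="TRUE"
zimbraWebProxy="TRUE"
zimbra_ldap_userdn="uid=zimbra,cn=admins,cn=zimbra"
zimbra_require_interprocess_security="1"
INSTALL_PACKAGES="zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-snmp zimbra-store zimbra-apache zimbra-spell zimbra-memcached zimbra-proxy "
EOF
# Canned answers fed to install.sh on stdin, one per interactive prompt.
touch /tmp/zcs/installZimbra-keystrokes
cat <<EOF >/tmp/zcs/installZimbra-keystrokes
y
y
y
y
y
n
y
y
y
y
y
y
n
n
n
y
EOF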
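# Download from https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
# The installer runs as root, so the archive is checked before it is unpacked:
# set ZCS_SHA256 to the checksum published for this build and the script
# refuses an archive that does not match. Without it the download is trusted
# on the strength of the HTTPS connection alone.
ZCS_TARBALL="/tmp/zcs/zcs-8.8_GA.tgz"
if [[ $(lsb_release -rs) == "18.04" ]]; then
  echo "Downloading Zimbra Collaboration 8.8 for Ubuntu 18.04"
  if ! wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.UBUNTU18_64.20190918004220.tgz -O "${ZCS_TARBALL}"; then
    echo "Download failed; nothing was installed" >&2
    rm -rf /tmp/zcs
    exit 1
  fi
  if [ -n "${ZCS_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "${ZCS_SHA256}" "${ZCS_TARBALL}" | sha256sum -c -; then
      echo "Checksum mismatch for ${ZCS_TARBALL}; nothing was installed" >&2
      rm -rf /tmp/zcs
      exit 1
    fi
  else
    echo "warning: ZCS_SHA256 is not set; the archive was not verified" >&2
  fi
  if ! tar -xzvf "${ZCS_TARBALL}" -C /tmp/zcs; then
    echo "Could not unpack ${ZCS_TARBALL}" >&2
    rm -rf /tmp/zcs
    exit 1
  fi
  echo "Installing Zimbra Collaboration just the Software"
  # The trailing slash restricts the glob to the unpacked directory; a bare
  # zcs-* also matches the tarball sitting next to it. The subshell keeps
  # the working directory out of the tree that is deleted below.
  ( cd /tmp/zcs/zcs-*/ && ./install.sh -s < /tmp/zcs/installZimbra-keystrokes )
  echo "Installing Zimbra Collaboration injecting the configuration"
  /opt/zimbra/libexec/zmsetup.pl -c /tmp/zcs/installZimbraScript
else
  echo "Unsupported release $(lsb_release -rs): this script only installs on Ubuntu 18.04" >&2
  rm -rf /tmp/zcs
  exit 1
fi
# Removes the answer file, which contains the service passwords.
rm -rf /tmp/zcs
su - zimbra -c 'zmupdateauthkeys'
su - zimbra -c 'zmcontrol restart'
echo "You can access now to your Zimbra Collaboration Server"
echo "Admin Console: https://${CONTAINERIP4}:7071"
echo "Web Client: https://${CONTAINERIP4}"
# The password is printed once here; it ends up in terminal scrollback and in
# any log that captures this script's output, so rotate it after first login.
echo "Password: ${PASSWORD}"
su - zimbra -c "/opt/zimbra/libexec/zmdkimkeyutil -a -d '${DOMAIN}'"
exit 0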