Skip to content

Instantly share code, notes, and snippets.

@firstval
Last active July 9, 2021 08:40
Show Gist options
  • Select an option

  • Save firstval/e52abdd02a8dc2dbdf3d5d00725fab98 to your computer and use it in GitHub Desktop.

Select an option

Save firstval/e52abdd02a8dc2dbdf3d5d00725fab98 to your computer and use it in GitHub Desktop.
HOW TO SETUP ZIMBRA WITH LET'S ENCRYPT
yum -y update && yum -y upgrade
yum -y install unzip net-tools sysstat openssh-clients perl-core libaio nmap-ncat libstdc++.so.6 wget
getenforce
setenforce 0
getenforce
vim /etc/selinux/config
>> Make sure "SELINUX=disabled"
hostnamectl set-hostname mail
echo "<server_ip> <TLD_domain> mail " >> /etc/hosts
cat /etc/hosts
nmtui-edit
>> Set DNS to 8.8.8.8 and 8.8.4.4 and "search domains" to TLD domain
wget https://files.zimbra.com/downloads/8.8.6_GA/zcs-8.8.6_GA_1906.RHEL7_64.20171130041047.tgz
tar xfz zcs-8.8.6_GA_1906.RHEL7_64.20171130041047.tgz
cd zcs-8.8.6_GA_1906.RHEL7_64.20171130041047
./install.sh
Do you agree with the terms of the software license agreement? [N] Y
The system will be modified. Continue? [N] Y
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-dnscache: Enabled
6) zimbra-snmp: Enabled
7) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@yourdomain.com
******* +Admin Password UNSET
+Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com
+Enable automated spam training: yes
+Spam training user: spam.juo5u70j@yourdomain.com
+Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com
+SMTP host: yourdomain.com
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: http://hackworld.co:7780/aspell.php
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@hackworld.co
+Version update source email: admin@hackworld.co
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes
8) zimbra-spell: Enabled
9) zimbra-proxy: Enabled
10) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
Address unconfigured (**) items (? - help) 7
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@hackworld.co
** 4) Admin Password UNSET
5) Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com
6) Enable automated spam training: yes
7) Spam training user: spam.juo5u70j@yourdomain.com
8) Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com
9) SMTP host: hackworld.co
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://yourdomain.com:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: admin@yourdomain.comyourdomain.com
22) Version update source email: admin@yourdomain.com
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or 'r' for previous menu [r] 4
Password for admin@yourdomain.com (min 6 characters): [JkURld04] <yourpassword>
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@hackworld.co
4) Admin Password set
5) Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com
6) Enable automated spam training: yes
7) Spam training user: spam.juo5u70j@yourdomain.com
8) Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com
9) SMTP host: yourdomain.com
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://yourdomain.com:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: admin@yourdomain.com
22) Version update source email: admin@yourdomain.com
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or 'r' for previous menu [r] r
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-dnscache: Enabled
6) zimbra-snmp: Enabled
7) zimbra-store: Enabled
8) zimbra-spell: Enabled
9) zimbra-proxy: Enabled
10) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.18252]
Saving config in /opt/zimbra/config.18252...done.
The system will be modified - continue? [No] Yes
firewall-cmd --permanent --zone=public --add-port=80/tcp --add-port=995/tcp --add-port=110/tcp --add-port=993/tcp --add-port=143/tcp --add-port=443/tcp --add-port=7071/tcp --add-port=25/tcp
Zimbra: Redirect http to https
Filed under: Linux,Security,Server Administration — Tags: http, https, redirect, ssl, zimbra — Christopher Kramer @ 11:15
Zimbra without Proxy (pre 8.5)
That’s the easy way how you can enforce https encrpytion by redirecting http to https:
su – zimbra
zmtlsctl redirect
zmcontrol stop
zmcontrol start
Works at least on Zimbra 8.0 and I think should also work on 7
Zimbra with Proxy (required from 8.5+)
With Zimbra 8.5+, a Proxy is required. This makes the configuration a little different. To configure the proxy to redirect http to https, run:
su - zimbra
~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname`
# if your proxy is local:
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
# if your proxy is proxy.server.name
zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect
exit
sudo systemctl stop postfix
su - zimbra
zmcontrol restart
GENERATING LET's ENCRYPT CERTIFICATE
su - zimbra
zmproxyctl stop
zmmailboxdctl stop
su
yum group list
yum groupinstall "Development Tools" -y
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone -d <yourdomain.com>
echo "
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
" >> /etc/letsencrypt/live/<yourdomain.com>/chain.pem
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/<yourdomain.com>/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
######### VERIFYING CERTIFICATE
su - zimbra
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
################ DEPLOYING THE SSL CERTIFICATE
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
zmcontrol restart
PORT OPEN
80, 995, 110, 993, 143, 443, 7071, 25
Resources:
https://www.tecmint.com/install-zimbra-collaboration-suite-on-centos-rhel/
https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC
https://www.zimbra.com/docs/os/6.0.10/administration_guide/A_app-command-line.13.03.html
https://www.spfwizard.net/
https://wiki.zimbra.com/wiki/Anti-spam_Strategies
https://wiki.zimbra.com/wiki/Improving_Anti-spam_system
https://wiki.zimbra.com/wiki/Irfan-Notes#Rejecting_Emails_at_SMTP_Level
http://www.datanethosting.com/kb/zimbra/how-to-change-the-zimbra-servers-hostname-using-zmsetservername
https://wiki.zimbra.com/wiki/ZmSetServerName
firewalld.org
Example SPF Record:
hackworld.co. IN TXT "v=spf1 mx a include:mail.hackworld.co ~all"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment