Last active
July 9, 2021 08:40
-
-
Save firstval/e52abdd02a8dc2dbdf3d5d00725fab98 to your computer and use it in GitHub Desktop.
HOW TO SETUP ZIMBRA WITH LET'S ENCRYPT
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| yum -y update && yum -y upgrade | |
| yum -y install unzip net-tools sysstat openssh-clients perl-core libaio nmap-ncat libstdc++.so.6 wget | |
| getenforce | |
| setenforce 0 | |
| getenforce | |
| vim /etc/selinux/config | |
| >> Make sure "SELINUX=disabled" | |
| hostnamectl set-hostname mail | |
| echo "<server_ip> <TLD_domain> mail " >> /etc/hosts | |
| cat /etc/hosts | |
| nmtui-edit | |
| >> Set DNS to 8.8.8.8 and 8.8.4.4 and "search domains" to TLD domain | |
| wget https://files.zimbra.com/downloads/8.8.6_GA/zcs-8.8.6_GA_1906.RHEL7_64.20171130041047.tgz | |
| tar xfz zcs-8.8.6_GA_1906.RHEL7_64.20171130041047.tgz | |
| cd zcs-8.8.6_GA_1906.RHEL7_64.20171130041047 | |
| ./install.sh | |
| Do you agree with the terms of the software license agreement? [N] Y | |
| The system will be modified. Continue? [N] Y | |
| Main menu | |
| 1) Common Configuration: | |
| 2) zimbra-ldap: Enabled | |
| 3) zimbra-logger: Enabled | |
| 4) zimbra-mta: Enabled | |
| 5) zimbra-dnscache: Enabled | |
| 6) zimbra-snmp: Enabled | |
| 7) zimbra-store: Enabled | |
| +Create Admin User: yes | |
| +Admin user to create: admin@yourdomain.com | |
| ******* +Admin Password UNSET | |
| +Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com | |
| +Enable automated spam training: yes | |
| +Spam training user: spam.juo5u70j@yourdomain.com | |
| +Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com | |
| +SMTP host: yourdomain.com | |
| +Web server HTTP port: 8080 | |
| +Web server HTTPS port: 8443 | |
| +Web server mode: https | |
| +IMAP server port: 7143 | |
| +IMAP server SSL port: 7993 | |
| +POP server port: 7110 | |
| +POP server SSL port: 7995 | |
| +Use spell check server: yes | |
| +Spell server URL: http://hackworld.co:7780/aspell.php | |
| +Enable version update checks: TRUE | |
| +Enable version update notifications: TRUE | |
| +Version update notification email: admin@hackworld.co | |
| +Version update source email: admin@hackworld.co | |
| +Install mailstore (service webapp): yes | |
| +Install UI (zimbra,zimbraAdmin webapps): yes | |
| 8) zimbra-spell: Enabled | |
| 9) zimbra-proxy: Enabled | |
| 10) Default Class of Service Configuration: | |
| s) Save config to file | |
| x) Expand menu | |
| q) Quit | |
| Address unconfigured (**) items (? - help) 7 | |
| Store configuration | |
| 1) Status: Enabled | |
| 2) Create Admin User: yes | |
| 3) Admin user to create: admin@hackworld.co | |
| ** 4) Admin Password UNSET | |
| 5) Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com | |
| 6) Enable automated spam training: yes | |
| 7) Spam training user: spam.juo5u70j@yourdomain.com | |
| 8) Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com | |
| 9) SMTP host: hackworld.co | |
| 10) Web server HTTP port: 8080 | |
| 11) Web server HTTPS port: 8443 | |
| 12) Web server mode: https | |
| 13) IMAP server port: 7143 | |
| 14) IMAP server SSL port: 7993 | |
| 15) POP server port: 7110 | |
| 16) POP server SSL port: 7995 | |
| 17) Use spell check server: yes | |
| 18) Spell server URL: http://yourdomain.com:7780/aspell.php | |
| 19) Enable version update checks: TRUE | |
| 20) Enable version update notifications: TRUE | |
| 21) Version update notification email: admin@yourdomain.comyourdomain.com | |
| 22) Version update source email: admin@yourdomain.com | |
| 23) Install mailstore (service webapp): yes | |
| 24) Install UI (zimbra,zimbraAdmin webapps): yes | |
| Select, or 'r' for previous menu [r] 4 | |
| Password for admin@yourdomain.com (min 6 characters): [JkURld04] <yourpassword> | |
| Store configuration | |
| 1) Status: Enabled | |
| 2) Create Admin User: yes | |
| 3) Admin user to create: admin@hackworld.co | |
| 4) Admin Password set | |
| 5) Anti-virus quarantine user: virus-quarantine.1eeo5ynyer@yourdomain.com | |
| 6) Enable automated spam training: yes | |
| 7) Spam training user: spam.juo5u70j@yourdomain.com | |
| 8) Non-spam(Ham) training user: ham.ttqv5clysd@yourdomain.com | |
| 9) SMTP host: yourdomain.com | |
| 10) Web server HTTP port: 8080 | |
| 11) Web server HTTPS port: 8443 | |
| 12) Web server mode: https | |
| 13) IMAP server port: 7143 | |
| 14) IMAP server SSL port: 7993 | |
| 15) POP server port: 7110 | |
| 16) POP server SSL port: 7995 | |
| 17) Use spell check server: yes | |
| 18) Spell server URL: http://yourdomain.com:7780/aspell.php | |
| 19) Enable version update checks: TRUE | |
| 20) Enable version update notifications: TRUE | |
| 21) Version update notification email: admin@yourdomain.com | |
| 22) Version update source email: admin@yourdomain.com | |
| 23) Install mailstore (service webapp): yes | |
| 24) Install UI (zimbra,zimbraAdmin webapps): yes | |
| Select, or 'r' for previous menu [r] r | |
| Main menu | |
| 1) Common Configuration: | |
| 2) zimbra-ldap: Enabled | |
| 3) zimbra-logger: Enabled | |
| 4) zimbra-mta: Enabled | |
| 5) zimbra-dnscache: Enabled | |
| 6) zimbra-snmp: Enabled | |
| 7) zimbra-store: Enabled | |
| 8) zimbra-spell: Enabled | |
| 9) zimbra-proxy: Enabled | |
| 10) Default Class of Service Configuration: | |
| s) Save config to file | |
| x) Expand menu | |
| q) Quit | |
| *** CONFIGURATION COMPLETE - press 'a' to apply | |
| Select from menu, or press 'a' to apply config (? - help) a | |
| Save configuration data to a file? [Yes] | |
| Save config in file: [/opt/zimbra/config.18252] | |
| Saving config in /opt/zimbra/config.18252...done. | |
| The system will be modified - continue? [No] Yes | |
| firewall-cmd --permanent --zone=public --add-port=80/tcp --add-port=995/tcp --add-port=110/tcp --add-port=993/tcp --add-port=143/tcp --add-port=443/tcp --add-port=7071/tcp --add-port=25/tcp | |
| Zimbra: Redirect http to https | |
| Filed under: Linux,Security,Server Administration — Tags: http, https, redirect, ssl, zimbra — Christopher Kramer @ 11:15 | |
| Zimbra without Proxy (pre 8.5) | |
| That’s the easy way how you can enforce https encrpytion by redirecting http to https: | |
| su – zimbra | |
| zmtlsctl redirect | |
| zmcontrol stop | |
| zmcontrol start | |
| Works at least on Zimbra 8.0 and I think should also work on 7 | |
| Zimbra with Proxy (required from 8.5+) | |
| With Zimbra 8.5+, a Proxy is required. This makes the configuration a little different. To configure the proxy to redirect http to https, run: | |
| su - zimbra | |
| ~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname` | |
| # if your proxy is local: | |
| zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect | |
| # if your proxy is proxy.server.name | |
| zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect | |
| exit | |
| sudo systemctl stop postfix | |
| su - zimbra | |
| zmcontrol restart | |
| GENERATING LET's ENCRYPT CERTIFICATE | |
| su - zimbra | |
| zmproxyctl stop | |
| zmmailboxdctl stop | |
| su | |
| yum group list | |
| yum groupinstall "Development Tools" -y | |
| git clone https://github.com/letsencrypt/letsencrypt | |
| cd letsencrypt | |
| ./letsencrypt-auto certonly --standalone -d <yourdomain.com> | |
| echo " | |
| -----BEGIN CERTIFICATE----- | |
| MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/ | |
| MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT | |
| DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow | |
| PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD | |
| Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB | |
| AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O | |
| rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq | |
| OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b | |
| xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw | |
| 7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD | |
| aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV | |
| HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG | |
| SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69 | |
| ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr | |
| AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz | |
| R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5 | |
| JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo | |
| Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ | |
| -----END CERTIFICATE----- | |
| " >> /etc/letsencrypt/live/<yourdomain.com>/chain.pem | |
| mkdir /opt/zimbra/ssl/letsencrypt | |
| cp /etc/letsencrypt/live/<yourdomain.com>/* /opt/zimbra/ssl/letsencrypt/ | |
| chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/* | |
| ######### VERIFYING CERTIFICATE | |
| su - zimbra | |
| cd /opt/zimbra/ssl/letsencrypt/ | |
| /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem | |
| ################ DEPLOYING THE SSL CERTIFICATE | |
| cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d") | |
| cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key | |
| cd /opt/zimbra/ssl/letsencrypt/ | |
| /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem | |
| zmcontrol restart | |
| PORT OPEN | |
| 80, 995, 110, 993, 143, 443, 7071, 25 | |
| Resources: | |
| https://www.tecmint.com/install-zimbra-collaboration-suite-on-centos-rhel/ | |
| https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/ | |
| https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate | |
| https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ | |
| https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC | |
| https://www.zimbra.com/docs/os/6.0.10/administration_guide/A_app-command-line.13.03.html | |
| https://www.spfwizard.net/ | |
| https://wiki.zimbra.com/wiki/Anti-spam_Strategies | |
| https://wiki.zimbra.com/wiki/Improving_Anti-spam_system | |
| https://wiki.zimbra.com/wiki/Irfan-Notes#Rejecting_Emails_at_SMTP_Level | |
| http://www.datanethosting.com/kb/zimbra/how-to-change-the-zimbra-servers-hostname-using-zmsetservername | |
| https://wiki.zimbra.com/wiki/ZmSetServerName | |
| firewalld.org | |
| Example SPF Record: | |
| hackworld.co. IN TXT "v=spf1 mx a include:mail.hackworld.co ~all" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment