@mjf
Last active April 14, 2023 10:27
Fix Zimbra 9.0.0 GA 4325 for RHEL8 x86_64 20220629074359 NETWORK edition, Patch 9.0.0_P28-32 issues

Zimbra 9.0.0 GA 4325 Patch 28-32 Bugfixes

cat /etc/os-release
NAME="Rocky Linux"
VERSION="8.7 (Green Obsidian)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Rocky Linux 8.7 (Green Obsidian)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:8:GA"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-8"
ROCKY_SUPPORT_PRODUCT_VERSION="8.7"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="8.7"

Zimbra is crap! Especially this "patchset"...

sudo -iuzimbra zmcontrol -v
Release 9.0.0_GA_4325.RHEL8_64_20220629074359 RHEL8_64 NETWORK edition, Patch 9.0.0_P28.

Fix OpenLDAP (slapd) not starting

OpenLDAP can't start because it can't bind to its port under the Zimbra user (which is, by the way, pretty OK because the LDAP port is privileged).

To resolve this issue you have to add a sudo configuration that makes slapd start as root and then drop its privileges to the zimbra user and group. To achieve this, do the following...

  1. Patch the /opt/zimbra/bin/ldap script:

    sed -i 's|/opt/zimbra/libexec/zmslapd|sudo /opt/zimbra/libexec/zmslapd -u zimbra -g zimbra|' /opt/zimbra/bin/ldap

    Explanation: /opt/zimbra/libexec/zmslapd is the actual OpenLDAP binary that Zimbra tries to start to provide the LDAP service.

  2. Let sudo(1) work in the bin/ldap script by allowing members of the zimbra group to run zmslapd without a password:

    tee /etc/sudoers.d/99_zimbra-slapd-bugfix <<- EOT
    %zimbra ALL=NOPASSWD:/opt/zimbra/libexec/zmslapd
    EOT

Fix IPv6 for proxy service

To enable IPv6 ("dual-stack") for Zimbra 9.0.0 do the following:

  1. Configure IP mode to both (the other value is ipv6 for IPv6 only and there is no ipv4 variant):

    sudo -iuzimbra zmprov ms `sudo -iuzimbra zmhostname` zimbraIPMode both

    Warning: Zimbra (or at least LDAP) should be running first, otherwise the above command fails!

  2. Fix the broken templates for Nginx (Zimbra's proxy service) by removing ipv6only=off from all listen directives in the templates that /opt/zimbra/libexec/zmiptool uses to generate the Nginx configuration files in /opt/zimbra/conf/nginx/includes:

    1. Do not forget to back up the files first so that you can restore them if something gets screwed up!

      # -n keeps an existing backup; '*~' files are skipped so backups are not backed up again
      find /opt/zimbra/conf/nginx/templates -name nginx.conf.\* ! -name '*~' -exec cp -n {} {}~ \;

    2. Patch the files:

      # skip the '*~' backups, which a plain nginx.conf.* glob would also match and modify
      find /opt/zimbra/conf/nginx/templates -name nginx.conf.\* ! -name '*~' -exec sed -i 's/ ipv6only=off//' {} +

    Explanation: If the ipv6only parameter is set on the listen directive, Nginx assumes that something is already listening, which causes the Zimbra proxy service to bail out on start with Nginx error messages like these:

    sudo -iuzimbra zmcontrol start
    
    ---snip---
    nginx: [emerg] bind() to [::]:143 failed (98: Address already in use)
    ---snip---
    nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)
    ---snip---
    
  3. Regenerate the Nginx configuration:

    sudo -iuzimbra /opt/zimbra/libexec/zmiptool

  4. Restart all Zimbra services:

    sudo -iuzimbra zmcontrol restart

After these steps you should see Nginx listening on the configured ports on both IPv4 and IPv6, as shown below.

lsof -PniTCP -sTCP:LISTEN -auzimbra -acnginx
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
   ---snip---
nginx   2908390 zimbra    6u  IPv4 23356495      0t0  TCP *:143 (LISTEN)
nginx   2908390 zimbra    7u  IPv6 23356496      0t0  TCP *:143 (LISTEN)
   ---snip---
nginx   2908390 zimbra   14u  IPv4 23356503      0t0  TCP *:443 (LISTEN)
nginx   2908390 zimbra   15u  IPv6 23356504      0t0  TCP *:443 (LISTEN)
   ---snip---
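
A way to check the result above automatically, as an added example that is not part of the original gist: the function reads the lsof output on stdin and lists every port that lacks an IPv4 or an IPv6 listener. The name dualstack_gaps and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original gist. dualstack_gaps is a hypothetical
# helper name. Real use:
#   lsof -PniTCP -sTCP:LISTEN -auzimbra -acnginx | dualstack_gaps

# Read lsof output on stdin; print one line per port that lacks an IPv4 or
# IPv6 listener. Returns 0 only if every listening port has both families.
dualstack_gaps() {
    _gaps=$(awk '
        # Socket rows only: TYPE (5th column) is IPv4/IPv6, last field is (LISTEN).
        ($5 == "IPv4" || $5 == "IPv6") && $NF == "(LISTEN)" {
            port = $(NF - 1)          # NAME column, e.g. *:143 or [::1]:443
            sub(/^.*:/, "", port)     # keep what follows the last colon
            seen[port] = 1
            fam[port, $5] = 1
            rows++
        }
        END {
            # Nginx that failed to bind is not listening at all: report it.
            if (rows == 0) { print "no listening sockets found"; exit }
            for (p in seen) {
                if (!((p, "IPv4") in fam)) print p " missing IPv4"
                if (!((p, "IPv6") in fam)) print p " missing IPv6"
            }
        }
    ' | sort -n)
    if [ -n "$_gaps" ]; then
        printf '%s\n' "$_gaps"
        return 1
    fi
    return 0
}

# Constructed sample (not real output): 143 is dual-stack, 443 is IPv4 only.
SAMPLE='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   1001 zimbra    6u  IPv4  11111      0t0  TCP *:143 (LISTEN)
nginx   1001 zimbra    7u  IPv6  11112      0t0  TCP *:143 (LISTEN)
nginx   1001 zimbra   14u  IPv4  11113      0t0  TCP *:443 (LISTEN)'

printf '%s\n' "$SAMPLE" | dualstack_gaps || echo "proxy is not dual-stack yet"
```

The non-zero exit status makes the function usable as a post-restart check in a maintenance script.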