Zimbra mail server installation

Christian Lathion, 2009-12-15

Switzernet

 

 

 

This document presents the installation of the Zimbra Collaboration Suite on a dedicated OVH server. It also presents the basic configuration for our usage, and a tool (imapsync) for migrating emails from one mailbox or server to another.

 

Keep in mind that Zimbra is a complete suite made of different software, including email, wiki, antispam, antivirus, etc. Here we only present the steps required to make it work as a mail server.

 

 

Zimbra mail server installation

Server configuration

Partitioning

Linux configuration

Zimbra installation

Configuration particularities

GRSEC

Clear text logins

Maximum message size

Number of connections per user

Misc

Zimbra restart breaks terminal

Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica

Imapsync

Examples of usage

 

Server configuration

The installation was made on Debian Linux 5.0, 64-bit. The Zimbra version is 6.0.1.

 

Hardware is a dedicated OVH server. We found out that Zimbra is very demanding on resources, especially on RAM. Recommended configurations can be found on the following page: [link]. In our case, 4GB RAM is required for efficient operation. CPU should be as fast as possible; our current Zimbra servers use quad or dual CPU Intel processors.

Partitioning

Partition the disk so that the root (/) partition is as large as possible:

 

Linux configuration

Start by changing the server root password. Configure the hostname, in this case mail3.switzernet.com:

 

ns366977:~# passwd

ns366977:~# vi /etc/hostname

ns366977:~# hostname mail3.switzernet.com

ns366977:~# vi /etc/hosts

ns366977:~# grep $(hostname) /etc/hosts

  94.23.22.98     mail3.switzernet.com

Zimbra installation

Download the Zimbra installation archive to the server, and check that its MD5 checksum matches the one in the published .md5 file:

 

ns354959:~/090918-zimbra-install# wget http://h.yimg.com/lo/downloads/6.0.1_GA/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz

ns354959:~/090918-zimbra-install# wget http://h.yimg.com/lo/downloads/6.0.1_GA/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz.md5

ns354959:~/090918-zimbra-install# md5sum zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz

d6c41070510585087943f8a142950aa8  zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz

ns354959:~/090918-zimbra-install# cat zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz.md5

d6c41070510585087943f8a142950aa8  zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz

 

Extract the archive, and go to the resulting directory:

 

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# tar xzf zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# cd zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141

 

Launch the installation script. On the first run, it should abort due to missing dependencies:

 

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# ./install.sh

 

Checking for prerequisites...

     FOUND: NPTL

     MISSING: sudo

     FOUND: libidn11-1.8+20080606-1

     MISSING: libpcre3

     FOUND: libgmp3c2-2:4.2.2+dfsg-3

     MISSING: libexpat1

     FOUND: libstdc++6-4.3.2-1.1

     MISSING: libstdc++5

     MISSING: libperl5.10

Checking for suggested prerequisites...

    FOUND: perl-5.10.0

    MISSING: sysstat does not appear to be installed.

 

###WARNING###

 

The suggested version of one or more packages is not installed.

This could cause problems with the operation of Zimbra.

 

Install the required dependencies using aptitude, the Debian package manager. The packages to install may vary depending on the Debian installation or the Zimbra version; in that case, identify which packages satisfy the missing dependencies and repeat the process:

 

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# aptitude update

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# aptitude install sudo libpcre3 libexpat1 libstdc++5 libperl5.10 sysstat

 

Launch the installation script again:

 

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# ./install.sh

 

Checking for prerequisites...

     FOUND: NPTL

     FOUND: sudo-1.6.9p17-2

     FOUND: libidn11-1.8+20080606-1

     FOUND: libpcre3-7.6-2.1

     FOUND: libgmp3c2-2:4.2.2+dfsg-3

     FOUND: libexpat1-2.0.1-4

     FOUND: libstdc++6-4.3.2-1.1

     FOUND: libstdc++5-1:3.3.6-18

     FOUND: libperl5.10-5.10.0-19lenny2

Checking for suggested prerequisites...

    FOUND: perl-5.10.0

    FOUND: sysstat

Prerequisite check complete.

 

The following error appears if you install Zimbra before the MX DNS records are configured. You can safely ignore it if the domain is correct and you are planning to configure the MX records later:

 

DNS ERROR resolving MX for mail3.switzernet.com

It is suggested that the domain name have an MX record configured in DNS

Change domain name? [Yes] No

 

Apart from the domain name and the admin password that you will have to set during the installation, keep the default settings. A log of the installation process for mail3.switzernet.com is available: [txt].

 

After successful installation, you can connect to Zimbra via your browser. http://mail3.switzernet.com leads to the user login:

 

 

https://mail3.switzernet.com:7071 leads to the login of the Administration console. The browser will report a certificate error, since we did not generate an HTTPS certificate. You can ignore the error:

 

 

Except for what is shown in this document, all administration (account creation and configuration) is done through the Administration console.

Configuration particularities

GRSEC

Grsecurity is a set of security patches and tools for the Linux kernel. It appears to cause problems with Java, possibly because of the memory operations that Java performs. As a result, it tries to kill the Java process. In that case, the following errors appear in your logs:

 

grsec: From 213.186.50.100: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106

grsec: From 213.186.50.100: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106

grsec: From 212.147.8.99: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22806] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22632] uid/euid:1000/1000 gid/egid:106/106

grsec: From 212.147.8.99: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22806] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22632] uid/euid:1000/1000 gid/egid:106/106

 

OVH servers appear to use a grsec kernel by default. The command uname -a displays information on the kernel in use; here it shows a grsec version:

 

mail2:/opt/zimbra/log# uname -a

Linux mail2.switzernet.com 2.6.27.10-grsec-xxxx-grs-ipv4-64 #7 SMP Wed Sep 9 22:07:04 UTC 2009 x86_64 GNU/Linux
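
To confirm that grsec is what is terminating Java before changing kernels, the log entries can be summarised per process and the kernel release checked. This is an added example, not part of the original document; the function names are illustrative and the sample log is constructed in the format shown above, with documentation IP addresses.

```shell
#!/bin/sh
# Added example: summarise grsec "signal N sent to ..." kernel log entries
# and test whether a kernel release string is a grsec build.

# Constructed sample (format as in this document; the last lines carry a
# syslog prefix and an unrelated message to show they are handled).
sample_kernel_log() {
cat <<'EOF'
grsec: From 192.0.2.10: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106
grsec: From 192.0.2.10: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106
grsec: From 198.51.100.7: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22806] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22632] uid/euid:1000/1000 gid/egid:106/106
Oct 15 15:40:01 mail2 kernel: grsec: From 192.0.2.10: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106
Oct 15 15:40:02 mail2 kernel: eth0: link up
EOF
}

# Read a kernel log on stdin; print "count signal binary pid", most frequent first.
grsec_signal_summary() {
    awk '
        /grsec: / && / signal [0-9]+ sent to / {
            # Locate the "signal N sent to TARGET" tokens wherever they start.
            for (i = 1; i < NF - 3; i++)
                if ($i == "signal" && $(i + 2) == "sent") break
            sig = $(i + 1); target = $(i + 4)
            # TARGET looks like /path/to/java[java:22383]
            bin = target; sub(/\[.*$/, "", bin)
            pid = target; sub(/^.*:/, "", pid); sub(/\]$/, "", pid)
            count[sig " " bin " " pid]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k4,4n
}

# Succeed if the kernel release (default: the running kernel) is a grsec build.
kernel_is_grsec() {
    case ${1:-$(uname -r)} in
        *grsec*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Typical use on the server (log path depends on the syslog configuration):
#   kernel_is_grsec && grsec_signal_summary < /var/log/kern.log
```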

 

As a solution, we decided to use a Linux kernel without the grsecurity patches. We could have used the OVH netboot feature, which boots from a remote kernel located on the OVH network. The drawback is that if OVH updates its netboot kernel, or if netboot is unavailable, our server could become unbootable. To avoid this, we chose to install a local Linux kernel.

 

The most direct way would be to install a standard Linux kernel using the Debian package manager (e.g. aptitude install linux-image-2.6-amd64). But the installation fails because of OVH setup particularities (all in-kernel, no modules, no /proc/modules, lilo as boot manager, etc.). Assuming that OVH’s custom kernels would be better suited (possibly including patches for their hardware and tested in depth before release), we chose to manually install an OVH kernel:

 

mail2:~# cd /boot/

mail2:/boot#

mail2:/boot# wget ftp://ftp.ovh.net/made-in-ovh/bzImage/System.map-2.6.28.4-xxxx-std-ipv4-64

mail2:/boot# wget ftp://ftp.ovh.net/made-in-ovh/bzImage/bzImage-2.6.28.4-xxxx-std-ipv4-64

mail2:/boot# vi /etc/lilo.conf   # update the configuration to enable the new kernel by default

mail2:/boot# uname -a

Linux mail2.switzernet.com 2.6.27.10-grsec-xxxx-grs-ipv4-64 #7 SMP Wed Sep 9 22:07:04 UTC 2009 x86_64 GNU/Linux

mail2:/boot# lilo

Added Linux *

mail2:/boot# reboot

 

After the reboot, run uname -a again. You should now see the new kernel version, without grsec:

 

mail2:~# uname -a

Linux mail2.switzernet.com 2.6.28.4-xxxx-std-ipv4-64 #4 SMP Wed Sep 9 22:08:40 UTC 2009 x86_64 GNU/Linux

Clear text logins

By default, Zimbra does not accept clear-text logins and requires TLS. This caused login errors with our default Thunderbird setup. We change this in the Global settings, first in the MTA configuration:

 

 

Then in the IMAP configuration:

 

 

And in the POP configuration:

 

 

Check that the settings were applied to each server in the three tabs concerned (MTA, IMAP and POP). If the server tab was open when you made the changes in the global settings, close and reopen the server tab to see the changes:

 

 

You should now be able to log in without using TLS; in that case the user name and password are sent over the network unencrypted.

Maximum message size

We increase the maximum message size. This not only influences the limit for sending or receiving emails, but also the limit for importing emails from our previous email servers. The limit is set to 30 MB; it should be decreased in the future. The modification takes place in two different places of the Global settings:

 

 

 

A restart of Zimbra is required for the changes to be applied. For all operations on the Zimbra server, do not forget to log in as user zimbra (su zimbra). Operating as root can cause problems (see Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica):

 

mail3:~# su zimbra

zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol stop

Host mail3.switzernet.com

        Stopping stats...Done.

        Stopping mta...Done.

        Stopping spell...Done.

        Stopping snmp...Done.

        Stopping archiving...Done.

        Stopping antivirus...Done.

        Stopping antispam...Done.

        Stopping imapproxy...Done.

        Stopping memcached...Done.

        Stopping mailbox...Done.

        Stopping logger...Done.

        Stopping ldap...Done.

zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start

Host mail3.switzernet.com

        Starting ldap...Done.

        Starting logger...Done.

        Starting mailbox...Done.

        Starting antispam...Done.

        Starting antivirus...Done.

        Starting snmp...Done.

        Starting spell...Done.

        Starting mta...Done.

        Starting stats...Done.

zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol status

Host mail2.switzernet.com

        antispam                Running

        antivirus               Running

        ldap                    Running

        logger                  Running

        mailbox                 Running

        mta                     Running

        snmp                    Running

        spell                   Running

        stats                   Running

zimbra@mail3:/root$ exit

exit

mail3:~#

Number of connections per user

By default, Zimbra accepts 5 simultaneous IMAP connections per user. Above this limit, earlier connections are closed (starting from the oldest). In that case, the following errors appear in the /opt/zimbra/log/mailbox.log log file:

 

mail2:~# grep "java.net.SocketException" /opt/zimbra/log/mailbox.log | tail

2009-10-19 18:08:13,092 INFO  [ImapServer-16151] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:08:14,362 INFO  [ImapServer-16133] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:08:35,195 INFO  [ImapServer-16155] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:08:52,900 INFO  [ImapServer-16114] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:08:58,637 INFO  [ImapServer-16154] [ip=90.46.223.141;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:09:00,241 INFO  [ImapServer-16096] [ip=87.241.174.28;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:09:06,163 INFO  [ImapServer-16159] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:09:20,413 INFO  [ImapServer-16167] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:09:43,668 INFO  [ImapServer-16168] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed

2009-10-19 18:09:47,734 INFO  [ImapServer-16169] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
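
Before raising the limit, it helps to see which client addresses account for the dropped connections and over what period. This is an added example, not part of the original document; the function names are illustrative and the sample log is constructed in the mailbox.log format shown above, with documentation IP addresses.

```shell
#!/bin/sh
# Added example: count "Socket closed" IMAP errors per client IP in mailbox.log.

# Constructed sample in the format shown above (the last line is an
# unrelated IMAP message that must not be counted).
sample_mailbox_log() {
cat <<'EOF'
2009-10-19 18:08:13,092 INFO  [ImapServer-16151] [ip=192.0.2.10;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:14,362 INFO  [ImapServer-16133] [ip=198.51.100.7;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:35,195 INFO  [ImapServer-16155] [ip=192.0.2.10;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:52,900 INFO  [ImapServer-16114] [ip=198.51.100.7;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:58,637 INFO  [ImapServer-16154] [ip=203.0.113.5;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:06,163 INFO  [ImapServer-16159] [ip=198.51.100.7;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:07,000 INFO  [ImapServer-16160] [ip=203.0.113.5;] ProtocolHandler - constructed unrelated message
EOF
}

# usage: imap_drops_per_ip [THRESHOLD] < mailbox.log
# Prints "count ip first-seen last-seen" for every client with at least
# THRESHOLD dropped IMAP connections, highest count first.
imap_drops_per_ip() {
    awk -v min="${1:-1}" '
        /\[ImapServer-/ && /java\.net\.SocketException: Socket closed/ {
            # The client address sits in the "[ip=ADDRESS;]" context field.
            if (!match($0, /\[ip=[^;]*;/)) next
            ip = substr($0, RSTART + 4, RLENGTH - 5)
            stamp = $1 " " $2
            if (!(ip in n)) first[ip] = stamp
            n[ip]++
            last[ip] = stamp
        }
        END {
            for (ip in n)
                if (n[ip] >= min) print n[ip], ip, first[ip], last[ip]
        }
    ' | sort -k1,1nr -k2,2
}

# Typical use on the server:
#   imap_drops_per_ip 5 < /opt/zimbra/log/mailbox.log
```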

 

To solve the problem, change the maximum allowed number of connections and restart Zimbra with the following commands. For all operations on the Zimbra server, do not forget to log in as user zimbra (su zimbra). Operating as root can cause problems (see Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica):

 

mail2:~# su zimbra

 

zimbra@mail2:/root$ /opt/zimbra/bin/zmlocalconfig -e zimbra_session_limit_imap=50

 

zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol stop

Host mail2.switzernet.com

        Stopping stats...Done.

        Stopping mta...Done.

        Stopping spell...Done.

        Stopping snmp...Done.

        Stopping archiving...Done.

        Stopping antivirus...Done.

        Stopping antispam...Done.

        Stopping imapproxy...Done.

        Stopping memcached...Done.

        Stopping mailbox...Done.

        Stopping logger...Done.

        Stopping ldap...Done.

 

zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol start

Host mail2.switzernet.com

        Starting ldap...Done.

        Starting logger...Done.

        Starting mailbox...Done.

        Starting antispam...Done.

        Starting antivirus...Done.

        Starting snmp...Done.

        Starting spell...Done.

        Starting mta...Done.

        Starting stats...Done.

 

zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol status

Host mail2.switzernet.com

        antispam                Running

        antivirus               Running

        ldap                    Running

        logger                  Running

        mailbox                 Running

        mta                     Running

        snmp                    Running

        spell                   Running

        stats                   Running

 

zimbra@mail2:/root$ exit

exit

Misc

Zimbra restart breaks terminal

After a restart of Zimbra, you may find your terminal broken. In that case, you don’t see what you are typing, and newline does not work. It happens at least when using PuTTY:

 

mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# mail3:~# mail3:~# mail3:~#

 

Press Ctrl-C, type the command reset (you won’t see it as you type) and press Enter. This will reinitialize your terminal.

Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica

This problem appeared for no clear reason on a Zimbra restart. The startup process hung on the following error, linked to ldap:

 

ldap_url and ldap_master_url cannot be the same on an ldap replica

 

This type of error seems to be usually caused by an erroneous DNS or hosts file configuration. In this case, both were correct. When trying to restart, the following appeared:

 

zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start

Host localhost

 

Instead of:

 

zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start

Host mail3.switzernet.com

 

The ownership of the file /opt/zimbra/conf/localconfig.xml had changed to user root, making it unreadable for ldap, which runs under user zimbra:

 

zimbra@mail3:/root$ ls -l /opt/zimbra/conf/localconfig.xml

-rw-r----- 1 root root 3370 2009-10-15 15:43 /opt/zimbra/conf/localconfig.xml

 

Changing back the ownership of the file to zimbra solved the problem:

 

mail3:~# chown zimbra:zimbra /opt/zimbra/conf/localconfig.xml

 

zimbra@mail3:/root$ ls -l /opt/zimbra/conf/localconfig.xml

-rw-r----- 1 zimbra zimbra 3370 2009-10-15 15:43 /opt/zimbra/conf/localconfig.xml

 

This bug was caused by running the script /opt/zimbra/bin/zmlocalconfig as root. Always log in as user zimbra when performing Zimbra administration tasks.
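
The two conditions behind this failure (who owns localconfig.xml, and which user is running the Zimbra tools) can be checked before each zmcontrol or zmlocalconfig call. This is an added example, not part of the original document or of Zimbra; the function name is illustrative, and the default path and user are the ones shown above.

```shell
#!/bin/sh
# Added example: pre-flight check before running zmcontrol or zmlocalconfig.

# usage: zimbra_preflight [FILE] [OWNER]
# Returns 0 if FILE is owned by OWNER and the caller is OWNER,
# 1 if either condition fails, 2 if FILE does not exist.
zimbra_preflight() {
    file=${1:-/opt/zimbra/conf/localconfig.xml}
    want=${2:-zimbra}
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    # Third field of "ls -ld" is the owning user (a numeric uid if unnamed).
    owner=$(ls -ld "$file" | awk '{ print $3 }')
    me=$(id -un 2>/dev/null) || me=$(id -u)
    rc=0
    if [ "$owner" != "$want" ]; then
        echo "$file is owned by $owner, expected $want (as root: chown $want:$want $file)"
        rc=1
    fi
    if [ "$me" != "$want" ]; then
        echo "running as $me, expected $want (switch first: su $want)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: $file owned by $want, running as $want"
    fi
    return "$rc"
}

# Typical use on the server:
#   zimbra_preflight && /opt/zimbra/bin/zmcontrol start
```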

Imapsync

This section briefly describes the usage of imapsync to synchronize IMAP mailboxes between different servers. Short help from the imapsync documentation:

 

While working on imapsync parameters please run imapsync in dry mode (no modification induced) with the --dry option. Nothing bad can be done this way.

To synchronize the imap account "buddy" on host "imap.src.fr" to the imap account "max" on host "imap.dest.fr" (the passwords are located in two files "/etc/secret1" for "buddy", "/etc/secret2" for "max") :

imapsync --host1 imap.src.fr  --user1 buddy --passfile1 /etc/secret1 --host2 imap.dest.fr --user2 max   --passfile2 /etc/secret2

Then, you will have max's mailbox updated from buddy's mailbox.

 

Always start in dry mode. Carefully examine the output and the result produced by imapsync after the transfer. Folders can be created in the wrong place, and some emails can be skipped during import (this only seems to be the case when there were connection limitations on the source mailbox). By default, imapsync will not transfer duplicates from the source mailbox to the destination. Keep this in mind when comparing the results between source and destination.

 

The following are examples of the imapsync commands we used when migrating our mailboxes to Zimbra. Don’t use them as-is:

Examples of usage

This example only copies the structure (folders) of the mailbox:

 

mail3:~# imapsync --subscribed --subscribe --justfolders --host1 mail.switzernet.com --user1 billing@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 billing@mail3.switzernet.com --password2 "YYY" --authmech2 PLAIN

 

This example is a full synchronization that includes or excludes folders. It also deletes emails from the destination mailbox if they don’t exist on the source:

 

mail2:~# imapsync --subscribed --subscribe --include 'INBOX' --exclude '2007|2008|Sent' --host1 mail.switzernet.com --user1 support@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 support@mail2.switzernet.com --password2 "YYY" --authmech2 PLAIN --delete2

 

This example is a synchronization of two specific folders:

 

mail3:~# imapsync --folder 'INBOX.2008.081101-invoices' --folder 'INBOX.2008.081201-invoices' --host1 mail.switzernet.com --user1 billing@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 billing@mail3.switzernet.com --password2 "YYY" --authmech2 PLAIN --prefix2 'INBOX/Archive/'

 

This example synchronizes the Sent folder between two servers:

 

mail2:~# imapsync --folder 'INBOX.Sent' --host1 mail.switzernet.com --user1 contracts@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 contracts@mail2.switzernet.com --password2 "YYY" --authmech2 PLAIN
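
Passwords given with --password1 and --password2 can be read by other local users through the process list and are saved in shell history; the --passfile1 and --passfile2 options from the imapsync help quoted earlier avoid this. The wrapper below is an added example, not part of the original document or of imapsync: it uses only options that appear on this page, runs with --dry unless told otherwise, and its function names and the IMAPSYNC variable are illustrative.

```shell
#!/bin/sh
# Added example: run imapsync with password files and --dry by default.
# HOST1/HOST2 default to the hosts used in this document.
HOST1=${HOST1:-mail.switzernet.com}
HOST2=${HOST2:-127.0.0.1}

# usage: write_passfile FILE < password
# Stores the password read from stdin in FILE, readable by its owner only.
write_passfile() {
    ( umask 077 && cat > "$1" ) && chmod 600 "$1"
}

# Succeed only if FILE is a regular file with no group/other permission bits
# (characters 5-10 of the "ls -ld" mode string must all be "-").
passfile_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: migrate_mailbox USER1 PASSFILE1 USER2 PASSFILE2 [run]
# Without the literal fifth argument "run", imapsync is started with --dry.
migrate_mailbox() {
    if ! passfile_ok "$2" || ! passfile_ok "$4"; then
        echo "refusing: password file missing or accessible to group/other" >&2
        return 1
    fi
    dry=--dry
    if [ "${5:-}" = run ]; then
        dry=
    fi
    # $dry is intentionally unquoted so that it vanishes when empty.
    "${IMAPSYNC:-imapsync}" $dry \
        --host1 "$HOST1" --user1 "$1" --passfile1 "$2" --authmech1 PLAIN \
        --host2 "$HOST2" --user2 "$3" --passfile2 "$4" --authmech2 PLAIN
}

# Typical use (file locations are placeholders):
#   write_passfile /root/.imapsync-src     # type the password, then Ctrl-D
#   write_passfile /root/.imapsync-dst
#   migrate_mailbox billing@switzernet.com /root/.imapsync-src \
#                   billing@mail3.switzernet.com /root/.imapsync-dst
```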

 

 
