Bitbull Tech Notes - home of free minds ...

Zimbra upgrade from 8.6.0 to 8.7.1

This Zimbra upgrade drove me crazy:

- You need memcached and the reverse proxy installed and active

- zimbraReverseProxySSLToUpstreamEnabled is enforced
  if the SSL cert does not match the server name, ldaps queries fail
  no usable info on the Zimbra page for single-server instances (do they really need SSL for localhost queries :)

hope this helps ... looks so easy ... took me hours :-(

cheers


ssh -lroot mail01
vi /etc/rc.local
------
/sbin/iptables -I INPUT 1 -s 10.1.12.111 -j ACCEPT # my workstation
/sbin/iptables -I INPUT 2 -s 10.1.1.101 -j ACCEPT  # this mailserver 
/sbin/iptables -I INPUT 3 -s 10.1.1.24 -j ACCEPT   # monitoring
/sbin/iptables -I INPUT 4 -s 127.0.0.0/8 -j ACCEPT # guess
/sbin/iptables -I INPUT 5 -p tcp -m multiport --destination-ports 25,110,143,443,587,993,995 -j REJECT # block other traffic 
------

# start it now
/sbin/iptables -I INPUT 1 -s 10.1.12.111 -j ACCEPT # my workstation
/sbin/iptables -I INPUT 2 -s 10.1.1.101 -j ACCEPT  # this mailserver 
/sbin/iptables -I INPUT 3 -s 10.1.1.24 -j ACCEPT   # monitoring
/sbin/iptables -I INPUT 4 -s 127.0.0.0/8 -j ACCEPT # guess
/sbin/iptables -I INPUT 5 -p tcp -m multiport --destination-ports 25,110,143,443,587,993,995 -j REJECT # block other traffic 

# create VM snapshot

root@mail01:~/update/zcs-NETWORK-8.6.0_GA_1153.UBUNTU12_64.20141215195643# dpkg -i ./packages/zimbra-memcached_8.6.0.GA.1153.UBUNTU12.64_amd64.deb ./packages/zimbra-proxy_8.6.0.GA.1153.UBUNTU12.64_amd64.deb
root@mail01:~/update/zcs-NETWORK-8.6.0_GA_1153.UBUNTU12_64.20141215195643# su - zimbra
zimbra@mail01:~$ zmcontrol restart

zimbra@mail01:~$ zmprov gs mail01.domain.ch zimbraReverseProxySSLToUpstreamEnabled
# name mail01.domain.com
zimbraReverseProxySSLToUpstreamEnabled: TRUE

zimbra@mail01:~$ ./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both  -H `zmhostname`
zimbra@mail01:~$ zmproxyctl restart


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   16695 zimbra   11u  IPv4 356460      0t0  TCP *:https (LISTEN)
...


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   16695 zimbra   10u  IPv4 356459      0t0  TCP *:http (LISTEN)
...


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# su - zimbra
zimbra@mail01:~$ zmprov ms `zmhostname` +zimbraServiceEnabled memcached
zimbra@mail01:~$ zmcontrol restart


root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# lsof -i :11211
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
memcached 2383 zimbra   26u  IPv4 451107      0t0  TCP *:11211 (LISTEN)
...

# ldap cannot be accessed after the upgrade:
# Unable to start TLS: hostname verification failed when connecting to ldap master
# do this BEFORE the upgrade
zimbra@mail01:~$ zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled FALSE

root@mail01:~# cd ~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804
root@mail01:~/update/zcs-NETWORK-8.7.1_GA_1670.UBUNTU12_64.20161025050804# ./install.sh --skip-activation-check --skip-upgrade-check

Exclude messages from rsyslog

Zimbra logs a lot of crap between the useful pieces of information.

This was my way to get it away from our centralized syslog server:


/etc/rsyslog.d/syslog-server.conf
------
# drop zimbramon messages of severity info (6) and below, and the monitoring noise
if $programname == 'zimbramon' and $syslogseverity >= '6' then ~
:msg, contains, "SSL_accept error from monitoring" ~
:msg, contains, "connect from monitoring" ~
:msg, contains, "lost connection after CONNECT from monitoring" ~

# everything else goes to the central syslog server
*.* @syslog.mydomain.local:2514
------

service rsyslog restart

Restrict Zimbra Senders to Distribution List

Recently I had some spam on internal distribution lists.
That was too bad, because it was a first-class credit card fake :-)
So I searched and found a simple way to allow only sender addresses from our own domain to send email to distribution lists.
That solved my problem.

Here is how I did it:

# enable the milter server, which enforces the sendToDistList right
zmprov modifyConfig zimbraMilterServerEnabled TRUE
zmmilterctl restart
zmmilterctl status

# for every distribution list of the domain: deny the public, then allow the domain
ZDOMAIN=mydomain.ch
zmprov gadl $ZDOMAIN | while read dl_email
do
   echo "---- deny all senders to $dl_email"
   zmprov grr dl "$dl_email" pub -sendToDistList
   echo "---- allow $ZDOMAIN senders to $dl_email"
   zmprov grr dl "$dl_email" dom $ZDOMAIN sendToDistList
done

zmmtactl reload

This is a good site to read more details:

https://wiki.zimbra.com/wiki/Enabling_and_administering_the_Zimbra_milter


Zimbra v 8.x DNS Blacklists

Since v8, Zimbra does not enable DNS blacklists in its default config.

Here are my notes to get them back.

Check configuration:

zimbra@mail01:~$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain

Now add the blacklists:

zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client bl.spamcop.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org"

Check configuration again:

zimbra@mail01:~$ zmprov gacf | grep zimbraMtaRestriction
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rhsbl_client dbl.spamhaus.org
zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org

Test it:

[root@proxy1 ~]# telnet mail.mydomain.com 25
Trying 8.2.1.2...
Connected to mail.mydomain.com.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Postfix
ehlo yahoo.com
250-mail.mydomain.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: gugu@yahoo.com
250 2.1.0 Ok
rcpt to: chris@mydomain.com
554 5.7.1 Service unavailable; Client host [8.7.5.1] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=8.7.5.1
quit
221 2.0.0 Bye
Connection closed by foreign host.

Check logs:

root@mail01:~# /usr/local/bin/dnsblcount /var/log/zimbra.log
zen.spamhaus.org 1
=================================
Total DNSBL rejections: 1
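The dnsblcount script itself is not on this page, so here is an added example (my own, not the page's /usr/local/bin/dnsblcount) that produces the same kind of per-list summary from a zimbra.log. It assumes the standard Postfix "blocked using <list>" reject message shown in the telnet test above; the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: count DNSBL rejections per blacklist in a Zimbra/Postfix log.
# Assumes Postfix's "Client host [ip] blocked using <list>" reject format.

# Constructed sample log in postfix/smtpd format (not a real log).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov  2 10:01:12 mail01 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[8.7.5.1]: 554 5.7.1 Service unavailable; Client host [8.7.5.1] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=8.7.5.1; from=<gugu@yahoo.com> to=<chris@mydomain.com> proto=ESMTP helo=<yahoo.com>
Nov  2 10:03:40 mail01 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[8.7.5.2]: 554 5.7.1 Service unavailable; Client host [8.7.5.2] blocked using bl.spamcop.net; from=<a@example.net> to=<chris@mydomain.com> proto=ESMTP helo=<example.net>
Nov  2 10:04:01 mail01 postfix/smtpd[2203]: connect from monitoring[10.1.1.24]
Nov  2 10:05:22 mail01 postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[8.7.5.3]: 554 5.7.1 Service unavailable; Client host [8.7.5.3] blocked using zen.spamhaus.org; from=<b@example.org> to=<info@mydomain.com> proto=ESMTP helo=<example.org>
Nov  2 10:06:00 mail01 postfix/smtpd[2204]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.9]: 450 4.1.8 <x@nodomain.invalid>: Sender address rejected: Domain not found
EOF

# dnsbl_counts FILE -> one "<list> <count>" line per blacklist, highest count first
dnsbl_counts() {
    grep 'blocked using' "$1" \
      | sed -n 's/.*blocked using \([^; ]*\).*/\1/p' \
      | sort | uniq -c \
      | awk '{ print $2, $1 }' \
      | sort -k2,2nr
}

# dnsbl_total FILE -> total number of DNSBL rejections (other rejects are not counted)
dnsbl_total() {
    grep -c 'blocked using' "$1"
}

# report FILE -> same layout as the dnsblcount output above
report() {
    dnsbl_counts "$1"
    echo "================================="
    echo "Total DNSBL rejections: $(dnsbl_total "$1")"
}

report "$SAMPLE_LOG"
```

Point it at /var/log/zimbra.log instead of the sample file to get the real numbers; the sender-domain reject in the sample shows that only RBL/RHSBL hits are counted.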
