Zimbra Help
For Administrators
Based on our experiments and experience with Zimbra Open Source Email & Collaboration Server.
We have been implementing Zimbra for the last 10 years and are one of the oldest Zimbra implementers in India. We have exceeded the expectations of our clients, spread across multiple industries, on a daily basis, and continue to deliver high-quality services. We can provide a turnkey Zimbra implementation for your company, either hosted or on-premise.
If you have an existing Zimbra setup, or if you don't need external help for setup, you still can't ignore the need for ongoing support. If your IT department already has enough on its plate, you could always sign up with us. We act as an extended arm of your IT team to liaise with the OEM, help in commissioning the solutions and also provide training to your administrators and users. Apart from this, we also offer a helpdesk facility, letting your IT department offload routine user support tasks.
Here we provide answers to some common problems and situations we have come across in Zimbra.
Setting maximum mail recipients in zimbra
To adjust:
su - zimbra
postconf -e 'smtpd_recipient_limit = 1000'
To apply settings:
postfix reload
To check current settings:
postconf | grep smtpd_recipient_limit
It may prove helpful to also adjust:
smtpd_client_connection_rate_limit (default: 0) - The maximal number of connection attempts any client is allowed to make to this service per time unit. The time unit is specified with the anvil_rate_time_unit configuration parameter.
smtpd_client_message_rate_limit (default: 0) - The maximal number of message delivery requests that any client is allowed to make to this service per time unit, regardless of whether or not Postfix actually accepts those messages. The time unit is specified with the anvil_rate_time_unit configuration parameter.
Password must Change across domain
su - zimbra
for each in `zmprov -l gaa | grep mydomain.com`;
do zmprov ma $each zimbraPasswordMustChange TRUE; done
Bypass amavisd for local domains
Tested in Zimbra 7; relevant changes need to be made for Zimbra 8.
cd /opt/zimbra/conf
Create a file.
[root@mail conf]# vim amavis_senderbypass
Add below lines.
127.0.0.1 FILTER smtp-amavis:[127.0.0.1]:10025
132.0.0.3 FILTER smtp-amavis:[127.0.0.1]:10025
Save the file.
chown zimbra.zimbra /opt/zimbra/conf/amavis_senderbypass
Now edit, /opt/zimbra/conf/postfix_recipient_restrictions.cf
Add below line
check_client_access hash:/opt/zimbra/conf/amavis_senderbypass
so that file should look as shown below.
check_recipient_access hash:/opt/zimbra/conf/special_groups
check_sender_access hash:/opt/zimbra/conf/restricted_senders
check_client_access hash:/opt/zimbra/conf/amavis_senderbypass
%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
check_policy_service inet:127.0.0.1:10023
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
permit
Restart Zimbra services.
Password expiry email notification
This script can handle multi-domain setups.
Usage
su - zimbra
/usr/local/bin/zm_password_notify.sh example.com example.net ...
Scripts
zm_password_notify.sh
Code:
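#!/bin/bash
# Usage: zm_password_notify.sh example.com example.net ...
for i in "$@"; do
    # Build the LDAP base DN from the domain: example.com -> dc=example,dc=com
    domain=$(echo "$i" | sed -e 's/^/dc=/' -e 's/\./,dc=/g')
    # Note: -w passes the LDAP password on the command line, visible in the process list
    ldapsearch -w "$(zmlocalconfig -s zimbra_ldap_password | awk '{print $3}')" \
        -D uid=zimbra,cn=admins,cn=zimbra -x -h mail.example.com \
        -b "ou=people,${domain}" \
        "(&(objectclass=zimbraAccount)(!(objectclass=zimbraCalendarResource)))" \
        zimbraMailDeliveryAddress \
        zimbraPasswordModifiedTime \
        displayName | awk -f /usr/local/bin/zm_password_notify.awk
done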
zm_password_notify.awk
Code:
BEGIN {OFS=";";
max_age=30
warn_age=25
curtime=systime();
one_day=24 * 60 * 60
mail_msg="/tmp/password_change_notification.msg"
logfile="/tmp/zimbra_password_change.log"
}
/^dn: / {++no}
/zimbraMailDeliveryAddress:/ {email[no]=$2}
/zimbraPasswordModifiedTime:/ {datescalc($2)}
/displayName:/ {name[no]=substr($0,14)}
END{
for (x = 1; x <= no; x++) {
days_to_change[x]=pass_change_limit[x] - curtime;
if (curtime < trigger_date[x]) {
status[x]="no need to notify yet";
}else
if (curtime <= pass_change_limit[x]) {
send_mail()
status[x]="send notification email"
}else
{days_to_change[x]="overdue";
status[x]="too late to notify"}
# unhash for debugging
#status_log()
}
}
function datescalc (field) {
lc_yyyy[no]=substr($2,1,4);
lc_mm[no]=substr($2,5,2);
lc_dd[no]=substr($2,7,2);
lc_epoch[no]=mktime(lc_yyyy[no]" "lc_mm[no]" "lc_dd[no]" 00 00 00")
trigger_date[no]=lc_epoch[no] + warn_age * one_day
pass_change_limit[no]=lc_epoch[no] + max_age * one_day
}
function send_mail(field) {
# get domain
domain=email[x];
sub(/.*@/, "", domain);
message[x]="From: Password Change Reminder <it-support@"domain">\n" \
"User-Agent: Zimbra\n" \
"MIME-Version: 1.0\n" \
"To: "name[x]" <"email[x]">\n" \
"Subject: Password change reminder (Automatic notification)\n\n" \
"Dear " name[x]",\n\nYour current password will expire on " strftime("%d %B %Y",pass_change_limit[x])".\n" \
"When you have a free minute, please login to https://mail."domain",\n" \
"enter your current username and password, and change your password to a new one.\n\n" \
"You have "strftime("%-j",days_to_change[x])" day(s) left.\n\n\n" \
"Regards,\nIT-Support"
print message[x] > "/tmp/password_change_notification.msg"
system ("zmlmtpinject -r " email[x] " -s it-support@"domain " " mail_msg " > /dev/null")
close (mail_msg)
}
function status_log(field) {
print "Action: "status[x] "\nName: "name[x] "\nEmail: "email[x]
print "LastChangeDate: " strftime("%Y %m %d", lc_epoch[x]) "\nLastChangeDateEpoch: " lc_epoch[x]
print "Current time: " strftime("%Y %m %d", curtime) "\nCurrent time epoch: " curtime
print "Trigger time: " strftime("%Y %m %d", trigger_date[x]) "\nTrigger time epoch: " trigger_date[x]
print "PassChange Limit: " strftime("%Y %m %d", pass_change_limit[x]) "\nPassChange Limit: " pass_change_limit[x]
print "Time till change: " strftime("%-j",days_to_change[x]) "\nTime till change epoch: " days_to_change[x]
print "\n\n\n"
}
Zimbra support tricks
know running services list
zmprov gs `zmhostname` zimbraServiceEnabled
displaying service
Disable the built-in spam and virus services
zmprov -l ms `zmhostname` -zimbraServiceEnabled antivirus
zmprov -l ms `zmhostname` -zimbraServiceEnabled antispam
The leading 'minus' in -zimbraServiceEnabled disables the service; similarly, a leading 'plus' enables it.
Version of SpamAssassin in Zimbra
su - zimbra
perl -MMail::SpamAssassin -e 'print $Mail::SpamAssassin::VERSION."\n";'
how to treat/test email containing words as spam
check correctness of spamassassin
su - zimbra
cd /opt/zimbra/zimbramon/bin
./spamassassin --lint
./spamassassin --lint -D
testing from commandline
./spamassassin -D < /opt/zimbra/zimbramon/bin/sample_sa_1.txt
list or number of emails in queue
su - zimbra
mailq | grep Requests
mailq
To suppress the AWL test in SpamAssassin (actually amavisd)
vim /opt/zimbra/conf/spamassassin/local.cf
use_auto_whitelist 0
The default is 1.
reset admin password
zmprov sp admin@radix.in <password>
Change the smtp port 25 to another
Edit /opt/zimbra/postfix/conf/master.cf.in and also /opt/zimbra/postfix/conf/master.cf,
or modify the smtpd line of master.cf as follows:
#smtp inet n - n - - smtpd
26 inet n - n - - smtpd
zmcontrol stop && zmcontrol start
zmprov mcf zimbraSmtpPort 26
zmprov ms assp.spamfilter zimbraSmtpPort 26
assp.spamfilter is the server name
and again
zmcontrol stop && zmcontrol start
How to do domain forwarding in Zimbra
(On 200.0.100.242, the ASSP machine where Zimbra also runs, we need to create the radix.in domain and forward it to the one on the 245 machine.)
zmprov md openradix.in zimbraMailCatchAllAddress @radix.in
zmprov md openradix.in zimbraMailCatchAllForwardingAddress @radix.in
zmprov md openradix.in zimbraMailTransport smtp:200.0.100.245
Remove an mx entry from dns bind
vim /var/named/chroot/etc/named.conf
$service named status
... shows some number of zones
$dig icofp.org mx
... gives some answer section with local dns entry
Comment out the zone section of the domain whose MX entry is to be removed.
$service named status
... should show 1 less number of zone
$dig icofp.org mx
...should not show the local dns entry
$ service named restart
OTHER COMMANDS for bind (could not use it properly)
named-checkconf -v -t /var/named/chroot/etc/ named.conf
named-checkzone
get all accounts in example.com domain (default accounts : wiki ham spam assp-spam assp-notspam
admin galsync support?)
zmprov -l gaa | grep example.com
get number of accounts in example.com domain
zmprov -l gaa | grep example.com | wc -l
get all dls
zmprov gadl | grep everyone@example.com
delete the dl
zmprov ddl everyone@example.com
create dl again
zmprov cdl everyone@example.com displayName 'Example_ID'
get number of members in the list
zmprov gdl everyone@example.com | grep zimbraMailForwardingAddress | wc -l
0
add members to the dl
zmprov adlm everyone@example.com test1@example.com
zmprov adlm everyone@example.com test2@example.com
zmprov adlm everyone@example.com test3@example.com
get number of members in the list
zmprov gdl everyone@example.com | grep zimbraMailForwardingAddress | wc -l
3
To get domain information
zmprov gd example.com
Use grep with gd
[zimbra@mail ~]$ zmprov gd example.com | grep zimbraMailTransport
zimbraMailTransport: smtp:200.0.100.245
To get user attributes using grep
[zimbra@email ~]$ zmprov ga santosh.kalap@example.com | grep smtp
zimbraMailTransport: smtp:200.0.100.245
Some log reading tips
tail -100000 /var/log/zimbra.log | egrep -i ': to=<charithra\.hegde@example\.co\.in>,'
tail -100000 /var/log/zimbra.log | egrep ': BDE7761C2D1: '
egrep 'qmgr.*(panic|fatal|error|warning):' /var/log/zimbra.log
egrep -i ': from=<noreply@exampleabcindia\.com>' /var/log/zimbra.log
egrep -i 'DBD6AB8D8006:' /var/log/zimbra.log
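The greps above chained into one trace, as an added example that is not part of the original notes: collect the queue IDs logged for a recipient, then print every line for those IDs and the last delivery status of each. The function names are hypothetical, the log lines are constructed samples, and the field position assumes the classic syslog timestamp layout.

```bash
#!/bin/bash
# Added example: trace mail for one recipient through a Postfix/Zimbra log.
# Constructed sample in the usual Postfix syslog layout (not real traffic).
sample_log() {
cat <<'EOF'
Feb 14 11:27:39 mail postfix/smtpd[2101]: BDE7761C2D1: client=relay.example.net[192.0.2.10]
Feb 14 11:27:39 mail postfix/cleanup[2105]: BDE7761C2D1: message-id=<a1@example.net>
Feb 14 11:27:39 mail postfix/qmgr[1800]: BDE7761C2D1: from=<noreply@example.net>, size=4299, nrcpt=1 (queue active)
Feb 14 11:27:40 mail postfix/lmtp[2110]: BDE7761C2D1: to=<support@example.com>, relay=mail.example.com[192.0.2.1]:7025, delay=0.5, dsn=2.1.5, status=sent (250 2.1.5 OK)
Feb 14 11:27:40 mail postfix/qmgr[1800]: BDE7761C2D1: removed
Feb 14 11:30:02 mail postfix/qmgr[1800]: DBD6AB8D8006: from=<user@example.org>, size=812, nrcpt=1 (queue active)
Feb 14 11:30:03 mail postfix/smtp[2120]: DBD6AB8D8006: to=<other@example.co.in>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.co.in[192.0.2.20]:25: Connection timed out)
Feb 14 11:31:10 mail postfix/qmgr[1800]: A27DB3B9839C: from=<user@example.org>, size=600, nrcpt=1 (queue active)
Feb 14 11:31:11 mail postfix/lmtp[2110]: A27DB3B9839C: to=<support@example.com>, relay=mail.example.com[192.0.2.1]:7025, delay=0.4, dsn=4.2.0, status=deferred (mailbox unavailable)
EOF
}

# queue_ids_for_rcpt ADDRESS < LOG
# Prints the unique queue IDs that have a "to=<ADDRESS>," line.
# Assumes "Mon DD HH:MM:SS host proc[pid]: QUEUEID: ..." so the ID is field 6.
queue_ids_for_rcpt() {
    # index() is a literal, case-folded match: dots in the address are not
    # regex wildcards, so no escaping is needed as it is with egrep.
    awk -v rcpt="to=<$1>," '
        index(tolower($0), tolower(rcpt)) {
            id = $6; sub(/:$/, "", id)
            if (!(id in seen)) { seen[id] = 1; print id }
        }'
}

# trace_rcpt ADDRESS LOGFILE
# Prints every log line of every message that was addressed to ADDRESS.
trace_rcpt() {
    for qid in $(queue_ids_for_rcpt "$1" < "$2"); do
        grep -F ": $qid: " "$2" || true
    done
}

# delivery_status ADDRESS < LOG
# Prints "QUEUEID STATUS" using the last status logged for each message.
delivery_status() {
    awk -v rcpt="to=<$1>," '
        index(tolower($0), tolower(rcpt)) && match($0, /status=[a-z]+/) {
            id = $6; sub(/:$/, "", id)
            if (!(id in last)) ids[++n] = id
            last[id] = substr($0, RSTART + 7, RLENGTH - 7)
        }
        END { for (i = 1; i <= n; i++) print ids[i], last[ids[i]] }'
}

# Demo on the constructed sample.
log=$(mktemp)
sample_log > "$log"
trace_rcpt support@example.com "$log"
delivery_status support@example.com < "$log"
rm -f "$log"
```

On a server the same functions take /var/log/zimbra.log, for example trace_rcpt user@example.com /var/log/zimbra.log.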
Finding mails that are queued for a specific user
Execute as zimbra
mailq | grep "support@example.com"
... would give something like this
A27DB3B9839C 4299522 Tue Feb 14 11:27:39 support@example.com
ACBCC3B982EF 4299522 Mon Feb 13 12:31:20 support@example.com
AE95E3B980C9 4299521 Mon Feb 13 15:08:01 support@example.com
0254E5B88036 4299521 Mon Feb 13 15:24:32 support@example.com
06A213B98092 4299521 Mon Feb 13 11:31:58 support@example.com
032B23B980BD 4299522 Mon Feb 13 11:57:00 support@example.com
As root
/opt/zimbra/postfix/sbin/postsuper -d 032B23B980BD
This deletes the last message in the listing above.
To set poll interval for external account
[zimbra@email ~]$ zmprov gds abc@example.com
[zimbra@email ~]$ zmprov mds abc@example.com ABC zimbraDataSourcePollingInterval 2m
To delete trash folder emails in zimbra via cli
[zimbra@email ~]$ zmmailbox -z -m ******@example.com emptyFolder /Trash
Out of office via cli
Did zimbraPrefOutOfOfficeCacheDuration somehow get set to 0? Which would send an out-of-office
notification in response to every email received. (Default is 7 days.)
Intended functionality: duplicate away messages will not be sent to the same user within the given interval of x days. On day x+1, if they send that account an email, they will again get back another notification.
CLI:
zmprov gc COSname | grep OutOfOffice
zmprov mc COSname zimbraPrefOutOfOfficeCacheDuration 7d
and:
zmprov ga user@domain.com | grep OutOfOffice
zmprov ma user@domain.com zimbraPrefOutOfOfficeCacheDuration 7d
LDAP query using zmprov to retrieve attributes
[zimbra@mail ~]$ zmprov sa -v 'zimbraMailForwardingAddress=*' | grep -e "uid" -e "zimbraMailForwardingAddress" >> /tmp/forward.txt
Maildir to Zimbra import
#!/bin/bash
#
# Maildir to Zimbra import
# Drop in your user root and run as superuser.
#
domain="example.com" # change to your domain!
for user in `ls -d1 */|sed s/\\\///`
do
echo
echo "User $user"
echo
#
#
find $user -maxdepth 10 -type d -name cur | while read line;
do
folder=`echo ${line}|cut -f3 -d"/"|sed s/\\\.//`
line2=`echo ${line/%cur/new}`
echo "FOLDER $folder"
if [ "$folder" = "cur" ]
then
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage Inbox $PWD/$user/Maildir/cur >> $user.log
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage Inbox $PWD/$user/Maildir/new >> $user.log
else
if [ "$folder" != "Sent" ] && [ "$folder" != "Drafts" ] && [ "$folder" != "Junk" ] && [ "$folder" != "Trash" ]
then
/opt/zimbra/bin/zmmailbox -z -m $user@$domain createFolder "/$folder"
fi
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage "/$folder" "${PWD}/${line}" >> $user.log
/opt/zimbra/bin/zmmailbox -z -m $user@$domain addMessage "/$folder" "${PWD}/${line2}" >> $user.log
fi
done
done
Extend MTA Queue Lifetime
Summary
It may be necessary to hold incoming mail in queue on a Zimbra MTA for an extended period of time
for events like mailstore outages, migrations, extended maintenance or upgrades. Holding mail in
the MTA queue for an extended period will prolong the amount of time the Postfix MTA deems messages
undeliverable which ultimately results in bounced mail.
MTA Queue Lifetime
The default MTA queue lifetime for Zimbra is 5 days and is controlled by the Postfix parameter
maximal_queue_lifetime. To extend the amount of time messages will be held in the Postfix deferred
queue, increase maximal_queue_lifetime using the postconf command. The maximal_queue_lifetime
parameter is not stored anywhere else in Zimbra's configuration.
Modifying the queue lifetime affects all messages in queue. For example, if the oldest message in
queue is 4 days old and the queue lifetime was increased to 15 days, then the message will expire
in 11 days unless it is delivered.
Get the current value
su - zimbra
postconf maximal_queue_lifetime
maximal_queue_lifetime = 5d
Set the new value
postconf -e maximal_queue_lifetime=15d
postfix reload
Delaying Queue Runs
By default, the Zimbra Postfix MTA runs the deferred queue every 5 minutes. If messages are not
deliverable during the queue run, then they become subject to backoff intervals so Postfix is not
retrying the same messages over and over every 5 minutes. The specifics of the backoff algorithm
will not be discussed here, however, increasing the time between queue runs may be desired if the
queue lifetime must be set to a very long period of time. Use the Postfix queue_run_delay
parameter. The queue_run_delay is stored in Zimbra's local configuration (localconfig.xml) and is
managed by the zmlocalconfig command.
Get the current value. The default is 300s.
zmlocalconfig postfix_queue_run_delay
postfix_queue_run_delay = 300s
Set the new value
zmlocalconfig -e postfix_queue_run_delay=1d
postfix reload
MTA Hold Queue
Messages currently in any MTA queue can be placed into the hold queue where they become exempt from
expiration regardless of age. Postfix will not attempt delivery of any message in the hold queue
until they have been released.
Retrieve the number of messages in all queues
sudo ~/libexec/zmqstat
hold=0
corrupt=0
deferred=2
active=0
incoming=0
Use the mailq command to retrieve a queue listing.
mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
84E151500C2* 356 Tue Aug 3 12:38:29 sender@domain.com
admin@zmb.moc
C29F915010A 976 Tue Aug 3 12:38:01 sender@domain.com
(connect to mb100.zmb.moc[192.168.5.51]:7025: Connection refused)
admin@zmb.moc
-- 2 Kbytes in 2 Requests.
Move current messages to the hold queue
sudo postsuper -h ALL
postsuper: Placed on hold: 2 messages
Retrieve the queue listing. Note queue ids containing the "!" symbol are in the hold queue.
mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
84E151500C2! 356 Tue Aug 3 12:38:29 sender@domain.com
(connect to mb100.zmb.moc[192.168.5.51]:7025: Connection refused)
admin@zmb.moc
C29F915010A! 976 Tue Aug 3 12:38:01 sender@domain.com
(connect to mb100.zmb.moc[192.168.5.51]:7025: Connection refused)
admin@zmb.moc
-- 2 Kbytes in 2 Requests.
Retrieve a queue count
sudo ~/libexec/zmqstat
hold=2
corrupt=0
deferred=0
active=0
incoming=0
Release held messages
Releasing held messages will place messages into the deferred queue until the next queue run.
sudo postsuper -H ALL
Flush the queue to start immediate queue processing
postqueue -f
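A parser for the mailq listing shown above, as an added example that is not part of the original notes: it turns the multi-line listing into one record per recipient, counts messages by the "*" (active) and "!" (hold) markers, and lists the queue IDs that involve a given address as sender or recipient. The function names are hypothetical and the listing is a constructed sample in the same layout.

```bash
#!/bin/bash
# Added example: parse mailq output into records.
# Constructed mailq listing (not real traffic).
sample_mailq() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
84E151500C2*     356 Tue Aug  3 12:38:29  sender@domain.com
                                         admin@zmb.moc

C29F915010A!     976 Tue Aug  3 12:38:01  sender@domain.com
(connect to mb100.zmb.moc[192.168.5.51]:7025: Connection refused)
                                         admin@zmb.moc
                                         ops@zmb.moc

A27DB3B9839C    4299 Tue Feb 14 11:27:39  news@domain.com
(connect to mb100.zmb.moc[192.168.5.51]:7025: Connection refused)
                                         support@example.com

-- 6 Kbytes in 3 Requests.
EOF
}

# mailq_records < MAILQ_OUTPUT
# Prints "QUEUEID STATE SENDER RECIPIENT", one line per recipient.
# STATE is active (*), hold (!) or queued (no marker: mailq does not
# distinguish deferred from incoming).
mailq_records() {
    awk '
        # Message line: queue ID (optionally marked), size, date, sender.
        /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ {
            id = $1; state = "queued"
            if (id ~ /\*$/) state = "active"
            else if (id ~ /!$/) state = "hold"
            sub(/[*!]$/, "", id); sender = $NF; next
        }
        # Blank line, header or footer: end of the current message.
        NF == 0 || /^-/ { id = ""; next }
        # Recipient line: a single address; "(reason)" lines are skipped.
        id != "" && NF == 1 && $1 ~ /@/ && $1 !~ /[()]/ {
            print id, state, sender, $1
        }'
}

# mailq_state_counts < MAILQ_OUTPUT
# Prints message counts per state, in the spirit of the zmqstat output.
mailq_state_counts() {
    mailq_records | awk '
        !($1 in seen) { seen[$1] = 1; n[$2]++ }
        END { printf "active=%d hold=%d queued=%d\n", n["active"], n["hold"], n["queued"] }'
}

# mailq_ids_for_addr ADDRESS < MAILQ_OUTPUT
# Prints the unique queue IDs where ADDRESS is the sender or a recipient.
mailq_ids_for_addr() {
    mailq_records | awk -v addr="$1" '
        (tolower($3) == tolower(addr) || tolower($4) == tolower(addr)) && !($1 in seen) {
            seen[$1] = 1; print $1
        }'
}

# Demo on the constructed sample.
sample_mailq | mailq_state_counts
sample_mailq | mailq_ids_for_addr admin@zmb.moc
```

On a server, pipe real output in with mailq | mailq_ids_for_addr user@example.com and review the ID list before acting on it; postsuper accepts "-" as the queue ID to read IDs from standard input.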
Enabling Subject in Zimbra log
Edit zmmta.cf
Add the "POSTCONF header_checks regexp:..." line below the following block, as shown, and save the file.
if VAR zimbraMtaBlockedExtensionWarnRecipient
POSTCONF header_checks
fi
POSTCONF header_checks regexp:/opt/zimbra/conf/header_checks
Create the file /opt/zimbra/conf/header_checks, add the line below, and save the file.
/^Subject:/ WARN
chown zimbra.zimbra /opt/zimbra/conf/header_checks
Mailboxes By Distribution List
One of our domains has about 100 distribution lists for each of their departments/offices, and
requested a way to get a breakdown of all of their users, and which distribution lists they were
in.
I saved this file in /opt/zimbra/backup/scripts/ as userbreakdown.sh, owned by zimbra.zimbra, with chmod 755 userbreakdown.sh
#!/bin/bash
output="/tmp/distlistbreakdownfile"
domain="yourdomainnamehere.com"
SendTo="zimbra_reports@$domain"
rm -f $output
touch $output
for i in `/opt/zimbra/bin/zmprov -l gaa | grep $domain|sort`
do
echo "$i" >> $output
zmprov gam $i|while read line; do echo " $line" >> $output; done
done
cat $output | mail -s "User/Distribution list Breakdown for $domain" "$SendTo"
Then I just set up a cronjob (crontab -e as zimbra user) to run this at 4:01 every Monday morning, and email it to them.
1 4 * * 1 /opt/zimbra/backup/scripts/userbreakdown.sh
You could easily modify this to run through each domain on your server, and send a report to each
domain, if you wanted (just add another for loop)
The output looks something like this (alphabetically for all users)
user1@yourdomainnamehere.com
admin@yourdomainnamehere.com
allemployees@yourdomainnamehere.com
all_southern@yourdomainnamehere.com (via southern@yourdomainnamehere.com)
southern@yourdomainnamehere.com (via northern@yourdomainnamehere.com)
all_employees@yourdomainnamehere.com (via admin@yourdomainnamehere.com)
northern@yourdomainnamehere.com
user2@yourdomainnamehere.com
allemployees@yourdomainnamehere.com
all_southern@yourdomainnamehere.com (via southern@yourdomainnamehere.com)
southern@yourdomainnamehere.com (via northern@yourdomainnamehere.com)
northern@yourdomainnamehere.com
etc
They then can at a quick glance, see if there are any users in NO distribution lists, for example,
without having to go through each user one by one, or each distribution list! :)
Testing spamassassin
Copy your salocal.cf file to /opt/zimbra/conf/spamassassin
cp /opt/zimbra/conf/salocal.cf /opt/zimbra/conf/spamassassin/abc.cf
chown zimbra.zimbra /opt/zimbra/conf/spamassassin/abc.cf
Copy the mail headers (from Show Original) of the mail to be tested into a file in /opt/zimbra/zimbramon/bin/
touch /opt/zimbra/zimbramon/bin/sample_spam1.txt
Paste email headers in it.
su - zimbra
cd /opt/zimbra/zimbramon/bin/
./spamassassin -C /opt/zimbra/conf/spamassassin --test-mode < sample_spam1.txt
Output
[zimbra@mail bin]$ ./spamassassin -C /opt/zimbra/conf/spamassassin --test-mode < sample_spam1.txt
Jul 7 11:47:19.720 [13670] warn: config: cannot create user preferences file
/opt/zimbra/.spamassassin/user_prefs: No such file or directory
Jul 7 11:47:19.720 [13670] warn: config: failed to create default user preference file
/opt/zimbra/.spamassassin/user_prefs
Received: from localhost by mail.cms.co.in
with SpamAssassin (version 3.3.2);
Sat, 07 Jul 2012 11:47:23 +0530
From: Zimbra Team <s.habibzadeh@arums.ac.ir>
To: undisclosed-recipients:;
Subject: *SPAM* ******* Newsletter
Date: Fri, 29 Jun 2012 20:08:39 +0430 (IRDT)
Message-Id: <17997240.6795.1340984319539.JavaMail.root@arums.ac.ir>
X-Spam-Flag: YES
X-Spam-Status: Yes, score=8.0 required=5.0 tests=OTHER_FROM,OTHER_WORDS,
SPF_HELO_PASS,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=no version=3.3.2
X-Spam-Level: *******
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.cms.co.in
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_4FF7D473.6B271BAF"
This is a multi-part message in MIME format.
------------=_4FF7D473.6B271BAF
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "mail.cms.co.in", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Zimbra Account Warning This mail is from Zimbra Administrator;
we wish to bring to your notice the Condition of your email account. We have
just noticed that you have exceeded your email Database limit of 500 MB quota
and your email IP is causing conflict because it is been accessed in different
server location. You need to Upgrade and expand your Zimbra webmail quota
limit before you can continue to use your email. [...]
Content analysis details: (8.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.0 OTHER_FROM Restricted words in From
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover
relay
domain
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
4.0 OTHER_WORDS BODY: Restricted words
------------=_4FF7D473.6B271BAF
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Return-Path: s.habibzadeh@arums.ac.ir
Received: from mail.efensys.com (LHLO mail.efensys.com) (192.168.1.2) by
mail.efensys.com with LMTP; Fri, 29 Jun 2012 20:12:54 +0530 (IST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.efensys.com (Postfix) with ESMTP id 115773B98118;
Fri, 29 Jun 2012 20:12:54 +0530 (IST)
X-Virus-Scanned: amavisd-new at efensys.com
X-Spam-Flag: NO
X-Spam-Score: -1.912
X-Spam-Level:
X-Spam-Status: No, score=-1.912 tagged_above=-10 required=6.6
tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01]
autolearn=ham
Received: from mail.efensys.com ([127.0.0.1])
by localhost (mail.efensys.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43M6pDXKdA1Q;
Fri, 29 Jun 2012 20:12:49 +0530 (IST)
Received: from zimail.arums.ac.ir (zimail.arums.ac.ir [78.38.27.8])
by mail.efensys.com (Postfix) with ESMTP id 237813B980C7; Fri, 29 Jun 2012 20:12:46 +0530 (IST)
Received: from localhost (localhost [127.0.0.1])
by zimail.arums.ac.ir (Postfix) with ESMTP id 3E818D9574; Fri, 29 Jun 2012 20:08:45 +0430 (IRDT)
X-Virus-Scanned: amavisd-new at zimail.arums.ac.ir
Received: from zimail.arums.ac.ir ([127.0.0.1])
by localhost (zimail.arums.ac.ir [127.0.0.1]) (amavisd-new, port
10024)
with ESMTP id Dk-VdU6nglcU; Fri, 29 Jun 2012 20:08:44 +0430 (IRDT)
Received: from zimail.arums.ac.ir (zimail.arums.ac.ir [78.38.27.8])
by zimail.arums.ac.ir (Postfix) with ESMTP id 86111D93E2; Fri, 29 Jun 2012 20:08:39 +0430 (IRDT)
Date: Fri, 29 Jun 2012 20:08:39 +0430 (IRDT)
From: Zimbra Team <s.habibzadeh@arums.ac.ir>
Reply-To: noreply@zimbra.com
Message-ID: <17997240.6795.1340984319539.JavaMail.root@arums.ac.ir>
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [101.221.156.180]
X-Mailer: Zimbra 7.2.0_GA_2669 (zclient/7.2.0_GA_2669)
To: undisclosed-recipients:;
Zimbra Account Warning
This mail is from Zimbra Administrator; we wish to bring to your notice the=
Condition of your email account.
=20
We have just noticed that you have exceeded your email Database limit of 50=
0 MB quota and your email IP is causing conflict because it is been accesse=
d in different server location. You need to Upgrade and expand your Zimbra =
webmail quota limit before you can continue to use your email.
=20
Update your email quota limit to 2.6 GB, use the below web link:=20
https://docs.google.com/spreadsheet/viewform?formkey=3DdG9vQlJqa1phRnMyQWQ1=
QW9ySzFUa0E6MQ
and login your full email address. Example joe@yourdomain.com and password
=20
Failure to do this will result to email deactivation within 24hours
=20
Thank you for your understanding.
Copyright =C2=A92012 Zimbra Help Desk Technical Support Centre.
------------=_4FF7D473.6B271BAF--
Spam detection software, running on the system "mail.cms.co.in", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
@@CONTACT_ADDRESS@@ for details.
Content preview: Zimbra Account Warning This mail is from Zimbra Administrator;
we wish to bring to your notice the Condition of your email account. We have
just noticed that you have exceeded your email Database limit of 500 MB quota
and your email IP is causing conflict because it is been accessed in different
server location. You need to Upgrade and expand your Zimbra webmail quota
limit before you can continue to use your email. [...]
Content analysis details: (8.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
4.0 OTHER_FROM Restricted words in From
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover
relay
domain
0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
4.0 OTHER_WORDS BODY: Restricted words
How To Install dnsmasq
Configuring dnsmasq on the Zimbra Server
dnsmasq is a very powerful tool that can provide basic DNS services/caching and act as a DHCP server and also as a TFTP server. It's also easy to set up, so you can use dnsmasq INSTEAD of bind by following these instructions.
Install dnsmasq on Debian GNU/Linux
aptitude install dnsmasq
Edit the /etc/dnsmasq.conf file
Let's say that upstream dns are 8.8.8.8 and 208.67.222.222. Put only these lines in the config
file:
server=8.8.8.8
server=208.67.222.222
domain=yourdomain.com
mx-host=yourdomain.com,mail.yourdomain.com,5
listen-address=127.0.0.1
Edit the /etc/hosts file
You need a line to resolve the IP of mail.yourdomain.com to the private IP of the Zimbra server, so make sure you have:
192.168.1.30 mail.yourdomain.com mail
Edit the /etc/resolv.conf file
To have the host resolve through dnsmasq, you have to set your localhost (127.0.0.1) as nameserver
search yourdomain.com
nameserver 127.0.0.1
Restart dnsmasq
To have the settings take effect, you have to restart dnsmasq
/etc/init.d/dnsmasq restart
Making GAL's visible cross-domain
Old Method:
You could use both internal & 'external' GAL lookups against yourself so that A<>B and B<>A (use the GAL wizard):
DomainA:
GAL: both
Server type: LDAP
LDAP url: ldap://serverwithldapservice.domain.com:389
LDAP filter: (uid=%u) parenthesis included
Autocomplete filter: It should autofill with externalLdapAutoComplete, but doesn't always do so the first round of setting up; though it will show up after you apply. (but you could add it now if wanted/if it requires you to in an error at the end)
LDAP search base: dc=domainB,dc=com ("" might coax search across all domains)
Bind DN: shouldn't need to bother - but you could always do something like cn=admin,dc=domain,dc=com
DomainB:
GAL: both
Server type: LDAP
LDAP url: ldap://serverwithldapservice.domain.com:389 ssl 636 if desired
LDAP filter: (uid=%n) parenthesis included
Autocomplete filter: ignore unless you can't click finish/test gives error/error in mailbox.log then enter externalLdapAutoComplete
LDAP search base: dc=domainA,dc=com
Bind DN: ignore
LDAP Filter notes:
(uid=%u) - The user has a uid attribute value in the external directory equal to the user portion of the Zimbra user account.
(uid=%n) - Entire Zimbra user account is used to identify user in the external directory.
or even
(&(|(cn=*%s*)(sn=*%s*)(gn=*%s*)(mail=*%s*)(zimbraMailDeliveryAddress=*%s*)(zimbraMailAlias=*%s*)(zimbraMailAddress=*%s*))(|(objectclass=zimbraAccount)(objectclass=zimbraDistributionList)))
New Method: Suitable for Zimbra 8.5+
1. Create a GAL sync account for all the domains that are configured in the mail server.
2. While setting up the GAL sync account, ensure that the GAL sync period is set to 1 Day. After the commands below have been run, the results will be updated after this period.
3. Now, run the following commands:
zmprov mcf zimbraGalInternalSearchBase ROOT
zmprov mcf zimbraGalSyncLdapSearchBase ROOT
After 1 day, the GAL results will be updated.
Antivirus zimbra
CLI Options
Status
[zimbra@server]$ zmclamdctl status
Usage: /opt/zimbra/bin/zmclamdctl start|stop|kill|restart|status
Virus Definitions Update Frequency
Virus definitions update automatically every 2h by default:
zmprov mcf zimbraVirusDefinitionsUpdateFrequency 2h
ClamAV - Reset Defs DB
Sometimes ClamAV will download a virus update, and the update
will not download correctly. This causes an error in its checksum. If this happens, ClamAV usually
goes down and the system suspends delivery. Downloading fresh definition files can correct this
problem.
Symptoms
You will experience the following symptoms if ClamAV fails to correctly download a virus update:
The definitions are corrupt if in /var/log/zimbra.log:
ClamAV isn't running
postfix/qmgr errors out at delivery temporarily suspended
And in /opt/zimbra/log/clamd.log:
There are log error messages, like malformed database
zmclamdctl status shows clamd as down.
The following symptoms may occur if you stop & restart Zimbra services (using zmcontrol stop and
zmcontrol start):
Antivirus may fail to start with the error (among others) clamd failed to start
Note: The WARNING: Your ClamAV installation is OUTDATED! error may also appear, but this is not
indicative of a corrupt clamd database. This error simply occurs because ClamAV has a more recent
release available than the one that ships with Zimbra. Updating your ClamAV installation to a
version not included with a released ZCS product is not recommended and is not supported. Zimbra
updates the ClamAV engine to latest with every release of ZCS. Users who wish to upgrade ClamAV
independently from ZCS at their own risk can find directions here: ClamAV - Updating Version. The out-of-cycle
updates RFE is Bug 15137.
Note: ClamAV Virus definitions update automatically every 2h by default
(zimbraVirusDefinitionsUpdateFrequency attribute).
Fix
To fix this issue, you can delete the definitions and try again:
su - zimbra
mkdir /tmp/clamdb
(in versions prior to 5.0.3)
mv /opt/zimbra/clamav/db/* /tmp/clamdb
(in version 5.0.3 or later)
mv /opt/zimbra/data/clamav/db/* /tmp/clamdb
zmprov ms `zmhostname` +zimbraServiceEnabled antivirus
/opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf
zmantivirusctl stop
zmantivirusctl start
Note: zmantivirusctl incorporates zmclamdctl/zmamavisdctl/zmmtaconfigctl, though you can just restart ClamAV individually.
Verify
Verify by running:
/opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/data/clamav/db/
In releases prior to 5.0.3, this command will be:
/opt/zimbra/clamav/bin/clamscan -d /opt/zimbra/clamav/db/
Global Disclaimer
Tried on Zimbra 7 and zimbra 8
Setting System-wide Signatures
To create a system wide mandatory signature, enter the following:
zmprov mcf zimbraDomainMandatoryMailSignatureEnabled TRUE
zmprov mcf zimbraDomainMandatoryMailSignatureText "some text"
zmprov mcf zimbraDomainMandatoryMailSignatureHTML "<html><body>some html text</body></html>"
Restart Amavis to apply the configuration and global signature files. Type:
/opt/zimbra/bin/zmamavisdctl restart
Check /opt/zimbra/conf/amavis.conf, and see if the following lines are still commented out:
# Mandatory Signatures
#$altermime='/opt/zimbra/altermime/bin/altermime';
#@altermime_args_disclaimer = qw(--verbose --disclaimer=/opt/zimbra/data/altermime/_OPTION_.txt --disclaimer-html=/opt/zimbra/data/altermime/_OPTION_.html );
#$defang_maps_by_ccat{+CC_CATCHALL} = ['disclaimer'];
If they are still commented out, run "zmmtactl restart".
For attaching the signature only to outgoing mails...
The change is at line 11129 in the file /opt/zimbra/amavisd/sbin/amavisd, but the line number will
change from release to release.
1. Save a copy of the original amavisd.
2. Edit amavisd and search for "will not add disclaimer, originator not local" (with the quotes).
In 7.2.0 this will be line 11128.
You should find the following lines:
if (!grep { defined($_) && $_ ne '' &&
            lookup2(0,$_, ca('local_domains_maps')) }
          unique_list( (!$rf ? () : @$rf), (!$rs ? () : @$rs),
                       @rfc2822_from, $rfc2822_sender, $sender)) {
  $to_be_mangled = 0;  # not for foreign 'Sender:' or 'From:'
  do_log(5,"will not add disclaimer, originator not local");
}
The required change is to insert these 2 lines:
} else {
  $to_be_mangled = 0 if $r->recip_is_local;
before the closing brace, so that the code looks like the following:
if (!grep { defined($_) && $_ ne '' &&
            lookup2(0,$_, ca('local_domains_maps')) }
          unique_list( (!$rf ? () : @$rf), (!$rs ? () : @$rs),
                       @rfc2822_from, $rfc2822_sender, $sender)) {
  $to_be_mangled = 0;  # not for foreign 'Sender:' or 'From:'
  do_log(5,"will not add disclaimer, originator not local");
} else {
  $to_be_mangled = 0 if $r->recip_is_local;  # skip the disclaimer for local recipients
}
The else branch ($to_be_mangled = 0 if $r->recip_is_local) is the part that skips the disclaimer for
local recipients.
Restrict Users from Sending to Certain Domains
This allows a group of users to send email only to specified domains. All other domains are
blocked for those users.
I am doing everything here as the zimbra user.
1. Enter the following in the file "/opt/zimbra/conf/postfix_recipient_restrictions.cf". Make sure
it is entered at the top of the file.
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
check_sender_access hash:/opt/zimbra/postfix/conf/restricted_senders
2. Enter the following in "/opt/zimbra/conf/zmmta.cf"
vi /opt/zimbra/conf/zmmta.cf
POSTCONF smtpd_restriction_classes local_only
POSTCONF local_only FILE postfix_check_recipient_access.cf
3. Create a file "/opt/zimbra/conf/postfix_check_recipient_access.cf"
vi /opt/zimbra/conf/postfix_check_recipient_access.cf
check_recipient_access hash:/opt/zimbra/postfix/conf/local_domains, reject
4. Create a file "/opt/zimbra/postfix/conf/restricted_senders" and list all the users whom you
want to restrict. Follow this syntax:
vi /opt/zimbra/postfix/conf/restricted_senders
user@yourdomain.com local_only
5. Create a file "/opt/zimbra/postfix/conf/local_domains" and list all the domains to which the
restricted users are allowed to send mail. Follow this syntax:
vi /opt/zimbra/postfix/conf/local_domains
yourdomain.com OK
otheralloweddomain.com OK
6. Run the following commands:
postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains
zmmtactl stop
zmmtactl start
After these settings, all the users listed in "/opt/zimbra/postfix/conf/restricted_senders" can
send mail only to the domains defined in "/opt/zimbra/postfix/conf/local_domains"; all other users
can still send mail anywhere. These settings will not survive Zimbra upgrades, so make sure that
you back up all of these settings when performing upgrades.
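A dry run of the lookup chain configured in steps 1 to 6, as an added example that is not part of the original instructions: it reads the two plain-text map files and reports what Postfix would decide for a sender/recipient pair, so map typos are caught before postmap and zmmtactl. The function names and sample map contents are constructed for illustration; subdomain matching assumes the Postfix default in which parent_domain_matches_subdomains includes smtpd_access_maps, and "user@" keys are not modelled.

```shell
#!/bin/sh
# Model of: check_sender_access restricted_senders -> class local_only ->
#           check_recipient_access local_domains, reject
# Assumption: map files are plain "key value" lines with '#' comments.

# map_lookup FILE KEY: print the value stored for KEY (case-insensitive), else fail.
map_lookup() {
    awk -v k="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1"
}

# access_lookup FILE ADDRESS: search order used for an address in an access map:
# the full address first, then its domain, then each parent domain.
access_lookup() {
    file=$1 addr=$2
    map_lookup "$file" "$addr" && return 0
    dom=${addr#*@}
    while [ -n "$dom" ]; do
        map_lookup "$file" "$dom" && return 0
        case $dom in
            *.*) dom=${dom#*.} ;;
            *)   break ;;
        esac
    done
    return 1
}

# decide SENDERS_MAP DOMAINS_MAP SENDER RECIPIENT
# Prints permit, reject, or dunno (sender not listed, so the remaining entries in
# postfix_recipient_restrictions.cf decide as before).
decide() {
    action=$(access_lookup "$1" "$3") || { echo dunno; return 0; }
    case $action in
        local_only)
            result=$(access_lookup "$2" "$4") || { echo reject; return 0; }
            case $result in
                OK) echo permit ;;
                *)  echo "other:$result" ;;
            esac ;;
        *)  echo "other:$action" ;;
    esac
}

# Constructed sample maps, using the same syntax as steps 4 and 5.
write_sample_maps() {
    cat > "$1/restricted_senders" <<'EOF'
# constructed sample
user@yourdomain.com local_only
EOF
    cat > "$1/local_domains" <<'EOF'
yourdomain.com OK
otheralloweddomain.com OK
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_sample_maps "$d"
    for pair in "user@yourdomain.com|colleague@yourdomain.com" \
                "user@yourdomain.com|sales@mail.otheralloweddomain.com" \
                "user@yourdomain.com|someone@example.org" \
                "boss@yourdomain.com|someone@example.org"; do
        s=${pair%%|*}
        r=${pair#*|}
        printf '%-22s -> %-34s %s\n' "$s" "$r" \
            "$(decide "$d/restricted_senders" "$d/local_domains" "$s" "$r")"
    done
    rm -rf "$d"
}

demo
```

The decision keys on the envelope sender, which the client supplies, so this is a policy control for cooperating users and not a form of authentication.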
Important Note if you need to undo this configuration
Remove the two lines that were added to the zmmta.cf file. Make sure the Postfix setting
smtpd_restriction_classes has nothing set.
postconf -e smtpd_restriction_classes=' '
zmmtactl reload
How to use zmprov?
ZCS 6.0.x
Bug 23920 - a new CLI command, zmprov desc, prints all attribute names.
Bug 32321 - zmprov usage for gaa now requires -l in the command so that account information is
retrieved via LDAP.
Important: When upgrading - If you created a script using zmprov gaa to retrieve all accounts, you
will need to modify the script to include -l in the command.
Bug 33973 - A new option was added to the zmprov CLI to force the command to use the value of
ldap_master_url when retrieving information (zmprov -l -m)
zmprov (Provisioning)
The zmprov tool performs all provisioning tasks in Zimbra LDAP, including creating accounts,
aliases, domains, COS, distribution lists, and calendar resources. Each operation is invoked
through command-line options, each of which has a long name and a short name.
The syntax for modify can include the prefix “+” or “-” so that you can make changes to the
attributes affected and do not need to reenter attributes that are not changing.
Use + to add a new instance of the specified attribute name without changing any existing
attributes.
Use - to remove a particular instance of an attribute.
Syntax
zmprov [cmd] [argument]
The following objects use this syntax:
ModifyAccount
ModifyDomain
ModifyCos
ModifyServer
ModifyConfig
ModifyDistributionList
ModifyCalendarResource
The following example would add the attribute zimbraZimletUserProperties with the value “blue” to
user 1 and would not change the value of any other instances of that attribute.
zmprov ma user1 +zimbraZimletUserProperties "com_company_testing:favoriteColor:blue"
Description
The commands in the following table are divided into task types: General, Account, Calendar
Resources, Config, COS, Distribution List, Documents, Domain, Server, and Miscellaneous.
Long Name                      Short Name   Description
General Options
--help                         -h           display usage
--file                         -f           use file as input stream
--server                       -s           {host}[:{port}] server hostname and optional port
--ldap                         -l           provision via LDAP instead of SOAP
--log property file            -L           log4j property file, valid only with -l
--account {name}               -a           account name to auth as
--password {pass}              -p           password for account
--passfile {file}              -P           read password from file
--zadmin                       -z           use Zimbra admin name/password from localconfig for admin/password
--authtoken (authtoken)        -y           use auth token string (has to be in JSON format) from command line
--authtoken (authtoken file)   -Y           use auth token string (has to be in JSON format) from command line
--verbose                      -v           verbose mode (dumps full exception stack trace)
--debug                        -d           debug mode (dumps SOAP messages)
--master                       -m           use LDAP master. This is only valid with -l
Account Provisioning Commands
addAccountAlias aaa {name@domain|id|adminName} {alias@domain}
zmprov aaa joe@domain.com joe.smith@engr.domain.com
checkPasswordStrength cps Syntax: {name@domain|id} {password}
Note: This command does not check the password age or history.
zmprov cps joe@domain.com test123
createAccount ca Syntax:{name@domain} {password} [attribute1 value1 etc]
Type on one line.
zmprov ca joe@domain.com test123 displayName JSmith
createDataSource cds {name@domain} {ds-type} {ds-name} [attr1 value1 [attr2 value2...]]
createIdentity cid {name@domain} {identity-name} [attr1 value1 [attr2 value2...]]
createSignature csig {name@domain} {signature-name} [attr1 value1 [attr2 value2...]]
deleteAccount da Syntax:{name@domain|id|adminName}
zmprov da joe@domain.com
deleteDataSource dds {name@domain|id} {ds-name|ds-id}
deleteIdentity did {name@domain|id} {identity-name}
deleteSignature dsig {name@domain|id} {signature-name}
getAccount ga Syntax:{name@domain|id|adminName}
zmprov ga joe@domain.com
getAccountMembership gam {name@domain|id}
getAllAccounts gaa Syntax: [-v] [{domain}]
zmprov -l gaa
zmprov -l gaa -v domain.com
getAllAdminAccounts gaaa Syntax: gaaa
zmprov gaaa
getDataSources gds {name@domain | id} [arg 1 [arg 2...]]
getIdentities gid {name@domain | id} [arg 1 [arg 2...]]
getSignatures gsig {name@domain | id} [arg 1 [arg 2...]]
modifyAccount ma {name@domain|id|adminName} [attribute1 value1 etc]
zmprov ma joe@domain.com zimbraAccountStatus maintenance
modifyDataSource mds {name@domain | id} {ds-name | ds-id} [attr1 value1 [attr2 value2...]]
modifyIdentity mid {name@domain | id} {identity-name} [attr1 value1 [attr2 value2...]]
modifySignature msig {name@domain | id} {signature-name | signature-id} [attr1 value1 [attr2 value2...]]
removeAccountAlias raa {name@domain|id|adminName} {alias@domain}
zmprov raa joe@domain.com joe.smith@engr.domain.com
renameAccount ra {name@domain|id} {newname@domain}
zmprov ra joe@domain.com joe23@domain.com
Note: After you rename an account, you should run a full backup for that account.
zmbackup -f - <servername.com> -a <newaccountname@servername.com>
setAccountCOS sac {name@domain|id|adminName} {cos-name|cos-id}
zmprov sac joe@domain.com FieldTechnician
setPassword sp {name@domain|id|adminName} {password}
Note: Passwords cannot include accented characters in the string. Examples of accented characters
that cannot be used: ã, é, í, ú, ü, ñ.
zmprov sp joe@domain.com test321
Calendar Resource Provisioning Commands
createCalendarResource ccr {name@domain} [attr1 value1 [attr2 value2...]]
deleteCalendarResource dcr {name@domain|id}
getAllCalendarResources gacr [-v] [{domain}]
getCalendarResource gcr {name@domain|id}
modifyCalendarResource mcr {name@domain|id} [attr1 value1 [attr2 value2...]]
renameCalendarResource rcr {name@domain|id} {newName@domain}
searchCalendarResources scr [-v] domain attr op value [attr op value...]
Free Busy Commands
getAllFbp gafbp [-v]
getFreebusyQueueInfo gfbqi [{provider-name}]
pushFreebusy pfb {domain | account-id} [account-id...]
Domain Provisioning Commands
countAccount cta {domain|id}
This lists each COS, the COS ID and the number of accounts assigned to each COS
createAliasDomain cad {alias-domain-name} {local-domain-name|id} [attr1 value1 [attr2 value2...]]
createDomain cd {domain} [attribute1 value1 etc]
zmprov cd mktng.domain.com zimbraAuthMech zimbra
deleteDomain dd {domain|id}
zmprov dd mktng.domain.com
getDomain gd {domain|id}
zmprov gd mktng.domain.com
getDomainInfo gdi name|id|virtualHostname {value} [attr1 [attr2...]]
getAllDomains gad [-v]
modifyDomain md {domain|id} [attribute1 value1 etc]
zmprov md domain.com zimbraGalMaxResults 500
Note: Do not modify zimbraDomainRenameInfo manually. This is automatically updated when a domain is
renamed.
renameDomain rd {domain|id} {newDomain}
Note: renameDomain can only be used with “zmprov -l/--ldap”.
COS Provisioning Commands
copyCos cpc {src-cos-name|id} {dest-cos-name}
createCos cc {name} [attribute1 value1 etc]
zmprov cc Executive zimbraAttachmentsBlocked FALSE zimbraAuthTokenLifetime 60m zimbraMailQuota 100M zimbraMailMessageLifetime 0
deleteCos dc {name|id}
zmprov dc Executive
getCos gc {name|id}
zmprov gc Executive
getAllCos gac [-v]
zmprov gac -v
modifyCos mc {name|id} [attribute1 value1 etc]
zmprov mc Executive zimbraAttachmentsBlocked TRUE
renameCos rc {name|id} {newName}
zmprov rc Executive Business
Server Provisioning Commands
createServer cs {name} [attribute1 value1 etc]
deleteServer ds {name|id}
zmprov ds domain.com
getServer gs {name|id}
zmprov gs domain.com
getAllServers gas [-v]
zmprov gas
getAllReverseProxyBackends garpb
modifyServer ms {name|id} [attribute1 value1 etc]
zmprov ms domain.com zimbraVirusDefinitionsUpdateFrequency 2h
getAllReverseProxyURLs garpu Used to publish into nginx.conf what servers should be used for
reverse proxy lookup.
getAllMtaAuthURLs gamau Used to publish into saslauthd.conf what servers should be used for
saslauthd.conf MTA auth
getAllMemcachedServers gamcs Used to list memcached servers (for nginx use).
Config Provisioning Commands
getAllConfig gacf [-v]
All LDAP settings are displayed
getConfig gcf {name}
modifyConfig mcf attr1 value1
Modifies the LDAP settings.
Distribution List Provisioning Commands
createDistributionList cdl {list@domain}
zmprov cdl needlepoint-list@domain.com
addDistributionListMember adlm {list@domain|id} {member@domain}
zmprov adlm needlepoint-list@domain.com singer23@mail.free.net
removeDistributionListMember rdlm {list@domain|id}
zmprov rdlm needlepoint-list@domain.com singer23@mail.free.net
getAllDistributionLists gadl [-v]
getDistributionListMembership gdlm {name@domain|id}
getDistributionList gdl {list@domain|id}
zmprov gdl list@domain.com
modifyDistributionList mdl {list@domain|id} attr1 value1 {attr2 value2...}
zmprov mdl list@domain.com
deleteDistributionList ddl {list@domain|id}
addDistributionListAlias adla {list@domain|id} {alias@domain}
removeDistributionListAlias rdla {list@domain|id} {alias@domain}
renameDistributionList rdl {list@domain|id} {newName@domain}
Zimbra Documents Provisioning Commands
importNotebook impn {name@domain} {directory} {folder}
Before importing files, any file that will become a Documents page (wiki-style page), must be
renamed to include the extension “.wiki”. If not it is imported as a file, accessed either as an
attachment or an image.
impn joe@domain.com /opt/zimbra/wiki/template template
initNotebook in [{name@domain}]
in joe@domain.com
initDomainNotebook idn {domain} [{name@domain}]
Creates the domain Documents account
idn domain.com domainwiki@domain.com
UpdateTemplates ut [-h host] {template-directory}
Mailbox Commands
getMailboxInfo gmi {account}
getQuotaUsage gqu {server}
reIndexMailbox rim {name@domain|id} {action} [{reindex-by} {value1} [value2...]]
RecalculateMailboxCounts rmc {name@domain|id}
When unread message count and quota usage are out of sync with the data in the mailbox, use this
command to immediately recalculate the mailbox quota usage and unread messages count.
Important: Recalculating mailbox quota usage and message count should be scheduled to run in
off-peak hours and used on one mailbox at a time.
selectMailbox sm {account-name} [{zmmailbox commands}]
Logs
addAccountLogger aal {name@domain|id} {logging-category} {debug|info|warn|error}
Creates custom logging for a single account
getAccountLoggers gal [-s/--server hostname] {name@domain|id} {logging-category} {debug|info|warn|error}
getAllAccountLoggers gaal [-s/--server hostname]
Shows all individual custom account loggers
removeAccountLogger ral [-s/--server hostname] {name@domain|id} {logging-category}
When name@domain is specified, removes the custom logger created for the account; otherwise removes
all account loggers from the system.
See the zmprov Log Categories for a list of logging categories.
Search
searchGAL sg {domain} {name}
zmprov sg joe
autoCompleteGal acg {domain} {name}
searchAccounts sa [-v] {ldap-query} [limit] [offset] [sortBy {attribute}] [sortAscending 0|1] [domain {domain}]
Share Provisioning Commands
For a GUI view of results, see Distribution List Shares tab on the administration console
getPublishedDistributionListShareInfo gpdlsi {dl-name|dl-id} [{owner-name|owner-id}]
getShareInfo gsi {owner-name|owner-id}
publishDistributionListShareInfo pdlsi {+|-} {dl-name@domain|id} {owner-name|owner-id} [{folder-path|folder-id}]
Miscellaneous Provisioning Commands
describe desc [[-v] [-ni] [{entry-type}]] | [-a {attribute-name}]
Prints all attribute names (account, domain, COS, servers, etc.).
generateDomainPreAuthKey gdpak {domain|id}
Generates a pre-authentication key to enable a trusted third party to authenticate to allow for
single-sign on. Used in conjunction with GenerateDomainPreAuth.
generateDomainPreAuth gdpa {domain|id} {name} {name|id|foreignPrincipal} {timestamp|0} {expires|0}
Generates preAuth values for comparison.
syncGal syg {domain} [{token}]
flushCache fc {skin|locale|account|config|cos|domain|server|zimlet} [name1|id]
Flush cached LDAP entries for a type. See Flushing LDAP Cache
getAccountLogger gal [-s /--server hostname] {name@domain | id}
Commands specific to Zimbra IMAP/POP proxy
getAllReverseProxyURLs garpu Used to publish into nginx.conf what servers should be used for
reverse proxy lookup.
getAllMtaAuthURLs gamau Used to publish into saslauthd.conf what servers should be used for
saslauthd.conf MTA auth
getAllMemcachedServers gamcs Used to list memcached servers (for nginx use).
Examples
Create one account with a password that is assigned to the default COS.
zmprov ca name@domain.com password
Create one account with a password that is assigned to a specified COS. You must know the COS ID
number. To find a COS ID, type zmprov gc <COSname>.
zmprov ca name@domain.com password zimbraCOS cosIDnumberstring
Create one account when the password is not authenticated internally.
zmprov ca name@domain.com ''
Note: The empty single quote is required and indicates that there is no local password.
To create accounts using a batch process, see the Managing the Zimbra Collaboration Suite chapter
in the Zimbra Administration Guide for the procedure.
Add an alias to an account.
zmprov aaa accountname@domain.com aliasname@domain.com
Create distribution list. The ID of the distribution list is returned.
zmprov cdl listname@domain.com
Add a member to a distribution list.
Tip: You can add multiple members to a list from the administration console.
zmprov adlm listname@domain.com member@domain.com
Change the administrator’s password. Use this command to change any password. Enter the address of
the account whose password is to be changed.
zmprov sp admin@domain.com password
Create a domain that authenticates against zimbra OpenLDAP.
zmprov cd marketing.domain.com zimbraAuthMech zimbra
Set the default domain.
zmprov mcf zimbraDefaultDomain domain1.com
To list all COSs and their attribute values.
zmprov gac -v
To list all user accounts in a domain (domain.com)
zmprov -l gaa domain.com
To list all user accounts and their configurations
zmprov -l gaa -v domain.com
To enable logger on a single server
zmprov ms <server-name> +zimbraServiceEnabled logger
Then type zmloggerctl start, to start the logger.
To modify the purge interval, set zimbraMailPurgeSleepInterval to the duration of time that the
server should “sleep” between every two mailboxes. Type:
zmprov ModifyServer <server-name> zimbraMailPurgeSleepInterval <Xm>
X is the duration of time between mailbox purges; m represents minutes. You could also set <Xh> for
hours.
Modify zimbraNewMailNotification to customize the notification email template. A default email is
sent from Postmaster notifying users that they have received mail in another mailbox. To change the
template, you modify the receiving mailbox account. The variables are:
${SENDER_ADDRESS}
${RECIPIENT_ADDRESS}
${RECIPIENT_DOMAIN}
${NOTIFICATION_ADDRESS}
${SUBJECT}
${NEWLINE}
You can specify which of the above variables appear in the Subject, From, or Body of the email. The
following example changes the appearance of the message in the body of the notification email
that is received at name@domain.com. To change the template in a class of service instead, use
zmprov mc. The command is written on one line.
zmprov ma name@domain.com zimbraNewMailNotificationBody 'Important message from ${SENDER_ADDRESS}.${NEWLINE}Subject:${SUBJECT}'
ZCS 5.0
ZCS Administrator's Guide Network Edition 5.0 > Appendix A Command-Line Utilities > zmprov
(Provisioning)
Bug 30948 - Documents wiki templates on all domains can be upgraded at once using zmprov ut. This
updates the Notebook templates for all Notebook system accounts including domain Notebook accounts.
This is upgraded on a per server basis. -h is used to specify the target host for zmprov ut.
How to locate and change the SRP ID and SRP Authentication Key?
If the current Server Routing Protocol Identifier (SRP ID) for the BlackBerry Enterprise Server
expires, the BlackBerry Enterprise Server services are unable to communicate with the BlackBerry®
Infrastructure and cannot start. The SRP ID and SRP authentication key must be changed.
This article explains how to locate and change the SRP ID and SRP authentication key using
BlackBerry Manager, BlackBerry Enterprise Server Management console, or the BlackBerry
Administration Service.
To identify other locations where the SRP ID and SRP authentication key are stored, see KB02632
(Microsoft® Exchange only).
To locate the SRP ID on the BlackBerry smartphone, see KB05508.
Use the appropriate methods according to the version of the BlackBerry Enterprise Server software
being used.
BlackBerry Enterprise Server 5.0
To change the SRP ID and the SRP authentication key using the BlackBerry Administration Service,
complete the following steps:
1. Open the BlackBerry Administration Service.
2. In the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain >
Component view > BlackBerry Enterprise Server.
3. Click the name of the BlackBerry Enterprise Server.
4. Click Edit instance.
5. In the SRP Information section, remove the old SRP ID and authentication key and type the new
information in.
6. Click Save All.
BlackBerry Enterprise Server 4.1
The SRP ID and the SRP authentication key are located in the BlackBerry Configuration Database. To
locate the SRP ID and SRP authentication key using BlackBerry Manager, complete the following
steps:
1. Open BlackBerry Manager.
2. Select BlackBerry Domain.
3. Select the Servers tab and then select the BlackBerry Enterprise Server name on the list.
4. Click Edit Properties.
5. The SRP ID and SRP authentication key are displayed on the General tab.
To change the SRP ID and SRP authentication key, complete the following steps:
6. Confirm that the BlackBerry Enterprise Server services are started on the Windows® Services.
7. On the General tab, type the new SRP ID and SRP authentication key values in the appropriate
fields. The SRP authentication key must include the hyphen ( - ).
Note: If using Microsoft SQL authentication for the BlackBerry Configuration Database, the
authentication password must be specified to complete these steps.
BlackBerry Enterprise Server 4.0
The SRP ID and the SRP authentication key are located in the BlackBerry Configuration Database. To
locate the SRP ID and SRP authentication key using BlackBerry Manager, complete the following
steps:
1. Open BlackBerry Manager.
2. Click BlackBerry Domain.
3. Click the Server List tab and select the BlackBerry Enterprise Server name on the list.
4. Click Edit Properties.
5. Confirm that the BlackBerry Enterprise Server services are started on the Windows Services.
6. On the General tab, type the new SRP ID and SRP authentication key values in the appropriate
fields. The SRP authentication key must include the hyphen ( - ).
Note: If using Microsoft SQL authentication for the BlackBerry Configuration Database, the
authentication password must be specified to complete these steps.
BlackBerry Enterprise Server 3.6
The SRP ID and the SRP authentication key are located in the BlackBerry Configuration Database. To
locate the SRP ID and SRP authentication key using the BlackBerry Enterprise Server Management
console, complete the following steps:
1. Open the BlackBerry Enterprise Server Management console.
2. Right-click the BlackBerry Enterprise Server name.
3. Click BlackBerry Server Properties.
4. The SRP Identifier and SRP authentication key are displayed on the General tab.
To change the SRP ID and SRP authentication key, complete the following steps:
5. Confirm that the BlackBerry Enterprise Server services are started on the Windows Services.
6. On the General tab, type the new SRP ID and SRP authentication key values in the appropriate
fields. The SRP authentication key must include the hyphen ( - ).
Note: If using Microsoft SQL authentication for the BlackBerry Configuration Database, the
authentication password must be specified to complete these steps.
BlackBerry Enterprise Server 2.0 and 2.2 for IBM Lotus Domino
The SRP ID and the SRP authentication key are located in the notes.ini file, which is located in
C:\winnt\ for IBM® Lotus® Domino® 4 and in C:\Lotus\Domino\ in IBM Lotus Domino 5 and 6.
To locate the SRP ID and SRP authentication key using the BlackBerry Enterprise Server Management
console, complete the following steps:
1. Open the BlackBerry Enterprise Server Management console.
2. Click File and select Connect.
3. Enter the IBM Lotus Domino Server or Host Name and click OK.
4. On the Tools menu, click License Manager.
5. The SRP ID is located in the Server UID field and the SRP authentication key is located in the
Server Key field.
When changing the SRP ID of a BlackBerry Enterprise Server for IBM Lotus Domino, consider the
following criteria:
* This change must be implemented using the BESAdmin utility.
* This change requires restarting the BlackBerry Enterprise Server add-in task.
To change the SRP ID and SRP authentication key, complete the following steps:
1. On the License Manager screen, type the new values in the appropriate fields, then click OK.
2. Click Yes to accept the changes.
A BESAdmin warning dialog box appears stating that all BlackBerry smartphones associated with the
BlackBerry Enterprise Server will be disabled until they are connected to a computer.
3. Click OK to confirm the warning.
Another warning appears stating that changes to the License Manager will not take effect until the
BlackBerry Enterprise Server is restarted.
4. Click OK to confirm the warning.
5. Close the BlackBerry Enterprise Server Management console.
6. Type tell bes quit in the IBM Lotus Domino console and wait for the BlackBerry Enterprise Server
add-in task to shut down.
7. Type load bes in the Lotus Domino console.
All BlackBerry smartphone users must connect their BlackBerry smartphones to their computers and
generate new encryption keys for message redirection to occur.
Environment
* BlackBerry® Enterprise Server 2.0 to 5.0
* Microsoft® SQL Server®
Additional Information
Information regarding versions of BlackBerry Device Software
* BlackBerry smartphones running BlackBerry® Device Software 4.0 to 5.0 automatically receive
service book updates wirelessly
* BlackBerry smartphones running earlier versions than BlackBerry Device Software 4.0 must be
connected to the computer and receive updated service book information through the BlackBerry®
Desktop Manager
* The BlackBerry Enterprise Server services must be running during the process and should not be
restarted for at least 4 hours afterward to allow the process enough time to complete
Hot Backup / Restore
efnbkpose
Hot Backup / Restore for ZCS Open Source
Mails
Contacts
Calendars
Tasks
Briefcase Documents
This tool DOES NOT DO disaster recovery.
It can run from any host on the network, which means that it can be set up on an existing backup
server.
It was conceived after Zimbra released ZCS 5.0.12, which exposed a new import/export feature so
that users could do their own archiving.
From that point it was clear to me that I just needed to write code to automatically get all user
data from the server, remotely via HTTP SOAP, plus the LDAP data.
So, it is possible to run full backups and restore even deleted accounts.
In the version 1.0.0 of efnbkpose, the tool provides:
Full backup of all accounts.
Full backup of any account.
Incremental backup of all accounts.
Incremental backup of any account.
Lists all backup sessions done.
Restore all contents (mail, contacts, appointments...) to any account.
Restore deleted accounts back to directory and all of its contents.
Restore only account attributes, like password, class of service, etc
To run efnbkpose it is necessary to:
Install the ldap-utils and curl utilities
Create /etc/efnbkpose
Configure the /etc/efnbkpose/efnbkpose.conf file (below)
Create the script from the code below, giving it execute permissions
To see the efnbkpose syntax, just type efnbkpose
Config and script files for efnbkpose
/etc/efnbkpose/efnbkpose.conf
# Privileged user that will run efnbkpose and write in the work directory
BACKUPUSER=
# Work directory that will hold the backup sessions (all user data)
# Keep access to this directory restricted to the backup user, since it contains all user data.
WORKDIR=
# Must be filled with an administrator account
# Hint: If you have deleted admin, or lost its password, you can create a new admin directly from the command line:
# # zmprov ca newadmin@exemplo.com password
# # zmprov ma newadmin@exemplo.com zimbraIsAdminAccount TRUE
ADMINUSER=
# Must be filled with ADMINUSER password
ADMINPASS=
# Must be filled with ldap url from Zimbra-LDAP master host
# Example: ldap://hostname:389
LDAPMASTERSERVER=
# Must be filled with zimbra_ldap_userdn key's value
# Hint: To get this value, at Zimbra's server, run:
# # zmlocalconfig zimbra_ldap_userdn
LDAPZIMBRADN=
# Must be filled with zimbra_ldap_password key's value
# Hint: To get this value, at Zimbra's server, run:
# # zmlocalconfig -s zimbra_ldap_password
LDAPZIMBRAPASS=
# Log file location. BACKUPUSER must have write permission on it
LOGFILE=
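Because efnbkpose.conf holds ADMINPASS and LDAPZIMBRAPASS and WORKDIR holds every user's data, a preflight check before each run is worth having. The following is an added example, not part of efnbkpose: the function names and the sample values are constructed, and it assumes the conf file uses plain KEY=value lines as shown above.

```shell
#!/bin/sh
# Preflight for efnbkpose: verify that the conf file and WORKDIR are private to
# BACKUPUSER and that every setting is filled in.

# conf_value FILE KEY: print the last KEY=value assignment, surrounding quotes stripped.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e "s/^[\"']//" -e "s/[\"']\$//"
}

# open_beyond_owner PATH: succeed if group or others hold any permission bit.
open_beyond_owner() {
    # ls -ld prints a mode string such as "-rw-r-----"; columns 5-10 are group/other.
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# owner_of PATH: print the owning user as reported by ls.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

flag() {
    echo "PROBLEM: $*"
    problems=$((problems + 1))
}

# preflight CONF: print one line per problem; return 0 only if none were found.
preflight() {
    conf=$1
    problems=0
    [ -f "$conf" ] || { echo "PROBLEM: $conf not found"; return 1; }

    for key in BACKUPUSER WORKDIR ADMINUSER ADMINPASS LDAPMASTERSERVER \
               LDAPZIMBRADN LDAPZIMBRAPASS LOGFILE; do
        [ -n "$(conf_value "$conf" "$key")" ] || flag "$key is empty"
    done
    user=$(conf_value "$conf" BACKUPUSER)
    workdir=$(conf_value "$conf" WORKDIR)

    if open_beyond_owner "$conf"; then
        flag "$conf is accessible to group/others (chmod 600)"
    fi
    if [ -n "$user" ] && [ "$(owner_of "$conf")" != "$user" ]; then
        flag "$conf is not owned by $user"
    fi
    if [ -n "$workdir" ]; then
        if [ ! -d "$workdir" ]; then
            flag "WORKDIR $workdir is not a directory"
        else
            if open_beyond_owner "$workdir"; then
                flag "WORKDIR $workdir is accessible to group/others (chmod 700)"
            fi
            if [ -n "$user" ] && [ "$(owner_of "$workdir")" != "$user" ]; then
                flag "WORKDIR $workdir is not owned by $user"
            fi
        fi
    fi
    # ldapsearch -x over plain ldap:// sends the bind password unencrypted.
    case $(conf_value "$conf" LDAPMASTERSERVER) in
        ldap://*) echo "NOTE: LDAPMASTERSERVER is ldap://; the simple bind is not encrypted on this link" ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed sample: a filled-in conf and work directory under DIR.
write_sample() {
    mkdir -p "$1/work" && chmod 700 "$1/work"
    cat > "$1/efnbkpose.conf" <<EOF
BACKUPUSER=$(owner_of "$1")
WORKDIR=$1/work
ADMINUSER=admin@example.com
ADMINPASS=constructed-sample-only
LDAPMASTERSERVER=ldap://ldap.example.com:389
LDAPZIMBRADN=uid=zimbra,cn=admins,cn=zimbra
LDAPZIMBRAPASS=constructed-sample-only
LOGFILE=$1/efnbkpose.log
EOF
    chmod 600 "$1/efnbkpose.conf"
}

# With an argument, check that conf file; without one, show a pass and a failure
# on the constructed sample.
if [ -n "${1:-}" ]; then
    preflight "$1"
else
    sample=$(mktemp -d) && write_sample "$sample"
    preflight "$sample/efnbkpose.conf" && echo "sample conf: OK"
    chmod 644 "$sample/efnbkpose.conf"
    preflight "$sample/efnbkpose.conf" || echo "sample conf after chmod 644: rejected"
    rm -rf "$sample"
fi
```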
/usr/local/efnbkpose
#!/bin/bash
#
# efnbkpose
#
# Bash script to hot backup and hot restore Zimbra Collaboration Suite Opensource
#
#
# Version: 1.0.0
show_help ()
{
echo "Uses:
efnbkpose -f
Starts a full backup of all accounts.
efnbkpose -f mail1,mail2,...,mailn
Starts a full backup of any account specified at command line.
efnbkpose -i
Starts an incremental backup of all accounts.
It needs a previous full backup.
efnbkpose -i mail1,mail2,...,mailn
Starts an incremental backup of any account specified at command line.
A full account backup will run if it doesn't have any previous full backup.
efnbkpose -l
Lists all backup sessions done.
efnbkpose -r mail1,mail2,...,mailn session_name
Restore all contents (mail, contacts, appointments...) to any account from the session specified at
the command line.
If session is not specified, all sessions will be restored from oldest to newest session. It may
take longer.
efnbkpose -restoreAccount mail1,mail2,...,mailn
Restore deleted accounts back to directory and all of its contents from oldest to newest session.
It may take longer.
efnbkpose -restoreAccount mail1,mail2,...,mailn --LDAPOnly session_name
Restore only account attributes, like password, class of service, etc; from specified
session.
HINT: It may be necessary to flush the server's cache to apply recovered attributes immediately. So
at the Zimbra server, run:
zmprov fc account account_name
"
exit 0
}
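all_accounts_backup ()
{
  # Temporary list: each delivery address followed by its mail host on the next line
  ACCOUNTSLIST=$(mktemp)
  # Note: -w passes the LDAP bind password on the command line, where it shows in the process list
  $(which ldapsearch) -x -H "$LDAPMASTERSERVER" -D "$LDAPZIMBRADN" -w "$LDAPZIMBRAPASS" -b "" -LLL \
    "(objectclass=zimbraAccount)" zimbraMailDeliveryAddress zimbraMailHost \
    | grep ^zimbraMail | awk '{print $2}' > "$ACCOUNTSLIST"
  SESSION="full-"$(date +%Y%m%d%H%M%S)
  echo "SESSION: $SESSION started at $(date)" >> "$WORKDIR/sessions.txt"
  TEMPDIR=$(mktemp -d "$WORKDIR/XXXX")
  for MAIL in $(grep @ "$ACCOUNTSLIST"); do
    # Match the address as a whole line so that a@x.com does not also match aa@x.com
    MAILHOST=$(grep -F -x -A1 "$MAIL" "$ACCOUNTSLIST" | grep -v @)
    # Account attributes from LDAP
    $(which ldapsearch) -x -H "$LDAPMASTERSERVER" -D "$LDAPZIMBRADN" -w "$LDAPZIMBRAPASS" -b "" -LLL \
      "(zimbraMailDeliveryAddress=$MAIL)" > "$TEMPDIR/$MAIL.ldiff"
    # Mailbox contents as a tgz from the admin port.
    # -k disables TLS certificate verification; use --cacert with the server's CA where possible
    $(which curl) -k -u "$ADMINUSER:$ADMINPASS" "https://$MAILHOST:7071/home/$MAIL/?fmt=tgz" \
      > "$TEMPDIR/$MAIL.tgz"
    echo "$SESSION:$MAIL:$(date +%m/%d/%y)" >> "$WORKDIR/sessions.txt"
  done
  mv "$TEMPDIR" "$WORKDIR/$SESSION" && rm -rf "$TEMPDIR"
  echo "SESSION: $SESSION ended at $(date)" >> "$WORKDIR/sessions.txt"
  exit 0
}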
all_accounts_incremental ()
{
FULLSESSIONLABEL=$(grep "SESSION: full-" $WORKDIR/sessions.txt | tail -1 | awk '{print $2}')
if ! [ -z "$FULLSESSIONLABEL" ]; then
if ! [ -d "$WORKDIR/$FULLSESSIONLABEL" ]; then
echo "$WORKDIR/$FULLSESSIONLABEL directory doesnt exist. Impossible to proceed."
exit 0
fi
else
echo "No full backups found. Impossible to proceed."
exit 0
fi
INCFROM=$(grep INCFROM: $WORKDIR/sessions.txt | tail -1 | awk '{print $2}')
ACCOUNTSLIST=$(mktemp)
$(which ldapsearch) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -w $LDAPZIMBRAPASS -b "" -LLL \
    "(objectclass=zimbraAccount)" zimbraMailDeliveryAddress zimbraMailHost | grep ^zimbraMail | \
    awk '{print $2}' > "$ACCOUNTSLIST"
SESSION="inc"-$(date +%Y%m%d%H%M%S)
echo "SESSION: $SESSION started at $(date)" >> $WORKDIR/sessions.txt
TEMPDIR=$(mktemp -d $WORKDIR/XXXX)
for MAIL in $(grep @ $ACCOUNTSLIST); do
EXISTFULL=$(grep $MAIL $WORKDIR/sessions.txt | grep ^full)
if [ -z "$EXISTFULL" ]; then
echo "$MAIL doesnt have any previous full backup. Running now..."
account_backup $MAIL
else
INCFROM=$(grep $MAIL $WORKDIR/sessions.txt | grep -v ^WARN | tail -1 | awk -F: '{print $3}')
if [ "$INCFROM" = "$(date +%m/%d/%y)" ]; then
echo "WARN: $MAIL was already backed up today. Nothing to do." | tee -a $WORKDIR/sessions.txt
else
MAILHOST=$(grep -A1 $MAIL $ACCOUNTSLIST| grep -v @)
$(which ldapsearch) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -w $LDAPZIMBRAPASS -b "" -LLL \
    "(zimbraMailDeliveryAddress=$MAIL)" > $TEMPDIR/$MAIL.ldiff
$(which curl) -k -u $ADMINUSER:$ADMINPASS \
    https://$MAILHOST:7071/home/$MAIL/?fmt=tgz\&query=after:\"$INCFROM\" > $TEMPDIR/$MAIL.tgz
echo $SESSION:$MAIL:$(date +%m/%d/%y) >> $WORKDIR/sessions.txt
fi
fi
done
mv "$TEMPDIR" "$WORKDIR/$SESSION" && rm -rf "$TEMPDIR"
echo "SESSION: $SESSION ended at $(date)" >> $WORKDIR/sessions.txt
exit 0
}
account_backup ()
{
if [ -z $SESSION ]; then
SESSION="full-"$(date +%Y%m%d%H%M%S)
echo "SESSION: $SESSION started at $(date)" >> $WORKDIR/sessions.txt
TEMPDIR=$(mktemp -d $WORKDIR/XXXX)
else
SUBSESSION="$SESSION"
SESSION="full-"$(date +%Y%m%d%H%M%S)
fi
K=1
while true; do
MAIL=$(echo $1, | cut -d, -f$K)
if [ -z $MAIL ]; then
break
fi
$(which ldapsearch) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -w $LDAPZIMBRAPASS -b "" -LLL \
    "(zimbraMailDeliveryAddress=$MAIL)" > $TEMPDIR/$MAIL.ldiff
MAILHOST=$(grep ^zimbraMailHost $TEMPDIR/$MAIL.ldiff | awk '{print $2}')
$(which curl) -k -u $ADMINUSER:$ADMINPASS https://$MAILHOST:7071/home/$MAIL/?fmt=tgz > \
    $TEMPDIR/$MAIL.tgz
echo $SESSION:$MAIL:$(date +%m/%d/%y) >> $WORKDIR/sessions.txt
((K = K+1))
unset MAIL
sleep 1
done
if [ -z $SUBSESSION ]; then
mv "$TEMPDIR" "$WORKDIR/$SESSION" && rm -rf "$TEMPDIR"
echo "SESSION: $SESSION ended at $(date)" >> $WORKDIR/sessions.txt
exit 0
else
SESSION="$SUBSESSION"
fi
}
account_incremental ()
{
SESSION="inc-"$(date +%Y%m%d%H%M%S)
echo "SESSION: $SESSION started at $(date)" >> $WORKDIR/sessions.txt
TEMPDIR=$(mktemp -d $WORKDIR/XXXX)
K=1
while true; do
MAIL=$(echo $1, | cut -d, -f$K)
if [ -z $MAIL ]; then
break
else
EXISTFULL=$(grep $MAIL $WORKDIR/sessions.txt | grep ^full)
if [ -z "$EXISTFULL" ]; then
echo " $MAIL doesnt have any previous full backup. Running now..."
account_backup $MAIL
((K = K+1))
else
$(which ldapsearch) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -w $LDAPZIMBRAPASS -b "" -LLL \
    "(zimbraMailDeliveryAddress=$MAIL)" > $TEMPDIR/$MAIL.ldiff
INCFROM=$(grep $MAIL $WORKDIR/sessions.txt | grep -v ^WARN | tail -1 | awk -F: '{print $3}')
if [ "$INCFROM" = "$(date +%m/%d/%y)" ]; then
echo "WARN: $MAIL was already backed up today. Nothing to do." | tee -a $WORKDIR/sessions.txt
((K = K+1))
else
MAILHOST=$(grep ^zimbraMailHost $TEMPDIR/$MAIL.ldiff | awk '{print $2}')
$(which curl) -k -u $ADMINUSER:$ADMINPASS \
    https://$MAILHOST:7071/home/$MAIL/?fmt=tgz\&query=after:\"$INCFROM\" > $TEMPDIR/$MAIL.tgz
echo $SESSION:$MAIL:$(date +%m/%d/%y) >> $WORKDIR/sessions.txt
((K = K+1))
fi
fi
fi
unset MAIL
done
mv "$TEMPDIR" "$WORKDIR/$SESSION" && rm -rf "$TEMPDIR"
echo "SESSION: $SESSION ended at $(date)" >> $WORKDIR/sessions.txt
exit 0
}
list_sessions ()
{
grep SESSION: $WORKDIR/sessions.txt| grep started | awk '{print $2}'
exit 0
}
account_restore ()
{
ACCOUNTBKPS=$(mktemp)
K=1
while true; do
MAIL=$(echo $1, | cut -d, -f$K)
if [ -z $MAIL ]; then
break
fi
grep $MAIL $WORKDIR/sessions.txt | grep -v ^WARN: > $ACCOUNTBKPS
if ! [ -s $ACCOUNTBKPS ]; then
echo "$MAIL: No backups found. Impossible to restore"
((K = K+1))
else
if [ -z $2 ]; then
echo "Not Implemented."
# Complete restore from oldest to newest
((K = K+1))
else
ACCOUNTSESSION=$(grep $2 $WORKDIR/sessions.txt | tail -1 | awk '{print $2}')
if [ -z $ACCOUNTSESSION ]; then
echo "$MAIL: $2 session doesnt exists. Impossible to proceed..."
break
else
ACCOUNTINSESSIO=$(grep $MAIL $ACCOUNTBKPS | grep $ACCOUNTSESSION)
if [ -z $ACCOUNTINSESSIO ]; then
echo "$MAIL not found in session $ACCOUNTSESSION. Impossible to restore."
((K = K+1))
else
MAILHOST=$(grep ^zimbraMailHost $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff | awk '{print $2}')
$(which curl) -k --data-binary @$WORKDIR/$ACCOUNTSESSION/$MAIL.tgz -u $ADMINUSER:$ADMINPASS \
    https://$MAILHOST:7071/home/$MAIL/?fmt=tgz
((K = K+1))
unset MAIL
fi
fi
fi
fi
done
exit 0
}
LDAP_content_restore ()
{
ACCOUNTBKPS=$(mktemp)
K=1
while true; do
MAIL=$(echo $1, | cut -d, -f$K)
if [ -z $MAIL ]; then
break
fi
if [ -z $2 ]; then
EXIST=$($(which ldapsearch) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -w $LDAPZIMBRAPASS -b "" -LLL \
    "(&(objectclass=zimbraAccount)(zimbraMailDeliveryAddress=$MAIL))" uid)
if ! [ -z "$EXIST" ]; then
echo "$MAIL account exists. Run efnbkpose -r $MAIL session_name."
((K = K+1))
else
grep $MAIL $WORKDIR/sessions.txt | grep -e ^inc- -e ^full- > $ACCOUNTBKPS
if ! [ -s $ACCOUNTBKPS ]; then
echo "$MAIL: No backups found. Impossible to restore"
((K = K+1))
else
echo "Sessions found
$(cat $ACCOUNTBKPS | awk -F: '{print $1}')"
for ACCOUNTSESSION in $(cat $ACCOUNTBKPS | awk -F: '{print $1}'); do
echo "Restoring from $ACCOUNTSESSION"
MAILHOST=$(grep ^zimbraMailHost $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff | awk '{print $2}')
$(which ldapdelete) -r -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -c -w $LDAPZIMBRAPASS \
    $(grep ^dn: $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff | awk '{print $2}') 2>/dev/null
$(which ldapadd) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -c -w $LDAPZIMBRAPASS \
    -f $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff
$(which curl) -k --data-binary @$WORKDIR/$ACCOUNTSESSION/$MAIL.tgz -u $ADMINUSER:$ADMINPASS \
    https://$MAILHOST:7071/home/$MAIL/?fmt=tgz
echo "$MAIL restored from $ACCOUNTSESSION"
done
((K = K+1))
unset MAIL
fi
fi
else
ACCOUNTSESSION=$(grep $2 $WORKDIR/sessions.txt | grep $MAIL | tail -1 | awk -F: '{print $1}')
if [ -z $ACCOUNTSESSION ]; then
echo "$MAIL: Session $2 doesnt exist or not found. Impossible to restore..."
((K = K+1))
else
USERDN=$(grep ^dn: $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff | awk '{print $2}')
$(which ldapdelete) -r -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -c -w $LDAPZIMBRAPASS \
    $USERDN
$(which ldapadd) -x -H $LDAPMASTERSERVER -D $LDAPZIMBRADN -c -w $LDAPZIMBRAPASS \
    -f $WORKDIR/$ACCOUNTSESSION/$MAIL.ldiff
echo "User profile and settings restored from $ACCOUNTSESSION"
((K = K+1))
unset MAIL
fi
fi
done
exit 0
}
# Loading config file
source /etc/efnbkpose/efnbkpose.conf
if ! [ -z "$BACKUPUSER" ]; then
if [ "$(id -u)" != "$(id -u $BACKUPUSER)" ]; then
echo "You must be $BACKUPUSER to run this script"
exit 0
fi
else
echo "You must set BACKUPUSER"
exit 0
fi
if ! [ -z "$WORKDIR" ]; then
if ! [ -d "$WORKDIR" ]; then
echo "$WORKDIR doesnt exist"
exit 0
fi
else
echo "You must set WORKDIR"
exit 0
fi
if [ -z "$ADMINUSER" ]; then
echo "You must set ADMINUSER"
exit 0
fi
if [ -z "$ADMINPASS" ]; then
echo "You must set ADMINPASS"
exit 0
fi
if [ -z "$LDAPMASTERSERVER" ]; then
echo "You must set LDAPMASTERSERVER"
exit 0
fi
if [ -z "$LDAPZIMBRADN" ]; then
echo "You must set LDAPZIMBRADN"
exit 0
fi
if [ -z "$LDAPZIMBRAPASS" ]; then
echo "You must set LDAPZIMBRAPASS"
exit 0
fi
if [ -z "$LOGFILE" ]; then
echo "You must set LOGFILE"
exit 0
fi
# Validate the parameters passed on the command line
case "$1" in
"-f" )
if [ -z "$2" ]; then
all_accounts_backup
else
if [ -z "$3" ]; then
account_backup $2
fi
echo "Incorrect parameters $@. See help."
show_help
fi
;;
"-i" )
if [ -z "$2" ]; then
all_accounts_incremental
else
if [ -z "$3" ]; then
account_incremental $2
fi
echo "Incorrect parameters $@. See help."
show_help
fi
;;
"-l" )
if [ -z "$2" ]; then
list_sessions
else
echo "Incorrect parameters $@. See help."
show_help
fi
;;
"-r" )
if [ -z "$2" ]; then
echo "Incorrect parameters $@. See help."
show_help
else
if [ -z "$4" ]; then
account_restore $2 $3
else
echo "Incorrect parameters $@. See help."
show_help
fi
fi
;;
"-restoreAccount" )
if [ -z "$2" ]; then
echo "Incorrect parameters $@. See help."
show_help
else
if [ -z "$3" ]; then
LDAP_content_restore $2
else
if [ "$3" = "--LDAPOnly" ]; then
LDAP_content_restore $2 $4
else
echo "Incorrect parameters $@. See help."
show_help
fi
fi
fi
;;
* )
echo "Incorrect parameters $@. See help."
show_help
;;
esac
exit 0
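The functions above look an account up in sessions.txt with an unquoted grep $MAIL, which matches substrings (bob@example.com also matches jbob@example.com), so the incremental start date or the restore session can be taken from another account's entry. The following added example, which is not part of the original script, does the lookup by exact match on the address field and validates the address before it is used in a file name or URL; the function names and the sample index are constructed for illustration.

```bash
#!/bin/bash
# Added example, not part of the backup script above.
# sessions.txt entry lines look like  <session>:<mail>:<mm/dd/yy>
# Marker lines start with "SESSION: ", warnings with "WARN: ".

# Accept only addresses that are safe as a file name and URL path segment
# ($TEMPDIR/$MAIL.tgz, /home/$MAIL/): one "@", no "/", spaces or metacharacters.
valid_address() {
    case $1 in *[!A-Za-z0-9._%+@-]*) return 1 ;; esac
    case $1 in *@*@*) return 1 ;; esac
    case $1 in ?*@?*) return 0 ;; esac
    return 1
}

# Date of the newest backup entry for exactly this address (field 2).
# Returns 1 and prints nothing when the address has no entry.
last_backup_date() {
    awk -F: -v m="$1" '
        /^(full|inc)-[0-9]+:/ && $2 == m { d = $3 }
        END { if (d == "") exit 1; print d }
    ' "$2"
}

# Label of the newest full session that contains exactly this address.
last_full_session() {
    awk -F: -v m="$1" '
        /^full-[0-9]+:/ && $2 == m { s = $1 }
        END { if (s == "") exit 1; print s }
    ' "$2"
}

# The lookup as the script above does it: substring match on the whole line.
legacy_last_backup_date() {
    grep $1 "$2" | grep -v ^WARN | tail -1 | awk -F: '{print $3}'
}

# Decide what an incremental run should do for one account.
# Prints: invalid | full | skip | after:<mm/dd/yy>
plan_incremental() {
    local mail="$1" index="$2" today="${3:-$(date +%m/%d/%y)}" last
    valid_address "$mail" || { echo invalid; return 0; }
    last_full_session "$mail" "$index" >/dev/null || { echo full; return 0; }
    last=$(last_backup_date "$mail" "$index")
    if [ "$last" = "$today" ]; then echo skip; else echo "after:$last"; fi
}

# Constructed sample index; addresses, labels and dates are made up.
sample_index() {
    cat <<'EOF'
SESSION: full-20111029230002 started at Sat Oct 29 23:00:02 IST 2011
full-20111029230002:bob@example.com:10/29/11
full-20111029230002:jbob@example.com:10/29/11
SESSION: full-20111029230002 ended at Sat Oct 29 23:04:10 IST 2011
SESSION: inc-20111103121824 started at Thu Nov  3 12:18:24 IST 2011
WARN: carol@example.com was already backed up today. Nothing to do.
inc-20111103121824:jbob@example.com:11/03/11
SESSION: inc-20111103121824 ended at Thu Nov  3 12:19:01 IST 2011
EOF
}

idx=$(mktemp)
sample_index > "$idx"
for a in bob@example.com jbob@example.com carol@example.com '../../etc/passwd@x'; do
    echo "$a: $(plan_incremental "$a" "$idx" 11/03/11)"
done
echo "legacy lookup for bob@example.com: $(legacy_last_backup_date bob@example.com "$idx")"
rm -f "$idx"
```

With the sample index, the legacy lookup returns jbob's date for bob, so bob's incremental would skip everything between his full backup and that date.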
How to use zmbhel?
zmbhel is a bash script to hot backup and hot restore Zimbra Collaboration Suite Opensource.
zmbhel provides:
* Full backup of all accounts
* Full backup of any account
* Incremental backup of all accounts
* Incremental backup of any account
* Lists all backup sessions done
* Restore all contents (mail, contacts, appointments...) for any account
* Restore deleted accounts back to directory and all of its contents
* Restore only account attributes, like password, class of service
Full backup of all accounts
zmbhel -f
Starts a full backup of all accounts.
Example: [root@mail local]# ./zmbhel -f
Full backup of any account
zmbhel -f mail1,mail2,...,mailn
Starts a full backup of any account specified at command line.
Example: [root@mail local]# ./zmbhel -f paul@bhelhyd.co.in,sandeep@bhelhyd.co.in
Incremental backup of all accounts
zmbhel -i
Starts an incremental backup of all accounts. It needs a previous full backup.
Example: [root@mail local]# ./zmbhel -i
Incremental backup of any account
zmbhel -i mail1,mail2,...,mailn
Starts an incremental backup of any account specified at command line. A full account backup will
run if it does not have any previous full backup.
Example: [root@mail local]# ./zmbhel -i paul@bhelhyd.co.in,sandeep@bhelhyd.co.in
Lists all backup sessions done
zmbhel -l
Lists all backup sessions done.
Example: [root@mail local]# ./zmbhel -l
Restore all contents (mail, contacts, appointments...) to any account
zmbhel -r mail1,mail2,...,mailn session_name
Restore all contents (mail, contacts, appointments...) for any account from session specified at
command line.
Example: [root@mail local]# ./zmbhel -r paul@bhelhyd.co.in,sandeep@bhelhyd.co.in full-20111103121824
Note: If session is not specified, all sessions will be restored from oldest to newest session. It
may take longer.
Restore deleted accounts back to directory and all of its contents
zmbhel -restoreAccount mail1,mail2,...,mailn
Restore deleted accounts back to directory and all of its contents from oldest to newest session.
It may take longer.
Example: [root@mail local]# ./zmbhel -restoreAccount paul@bhelhyd.co.in
Restore only account attributes, like password, class of service
zmbhel -restoreAccount mail1,mail2,...,mailn --LDAPOnly session_name
Restore only account attributes, like password, class of service, etc; from specified session.
Example: [root@mail local]# ./zmbhel -restoreAccount paul@bhelhyd.co.in --LDAPOnly full-20111029230002
Connecting to Zimbra ldap
This is how you run ldapsearch:
ldapsearch -x -ZZ -v -H 'ldap://email.efensys.com' -b 'dc=efensys,dc=com' \
    -D 'uid=zimbra,cn=admins,cn=zimbra' -w <password>
ldapsearch -x -ZZ -v -H 'ldap://email.efensys.com' -b 'dc=efensys,dc=com' \
    -D 'uid=zimbra,cn=admins,cn=zimbra' -w <password> -x "mail=kaustubh@efensys.com"
<password> can be found in /opt/zimbra/conf/localconfig.xml, or by running the command
"zmlocalconfig -s zimbra_ldap_password" as the zimbra user.
This is how you add an entry with ldapadd:
ldapadd -f <ldif file> -H 'ldap://email.efensys.com' -D 'uid=zimbra,cn=admins,cn=zimbra' \
    -w <password>
Sample ldif file for user creation
dn: uid=support1,ou=people,dc=beamshospitals,dc=com
zimbraMailTransport: smtp:203.122.55.101:25
zimbraAccountStatus: active
zimbraMailDeliveryAddress: support1@beamshospitals.com
givenName: support1
sn: support1
zimbraMailStatus: enabled
userPassword: {SSHA}f3VcSYvhHtfHDw/7+BTTFydJPRan1nyv
zimbraId: a1c3f564-cb5d-4cae-900d-000000000002
mail: support1@beamshospitals.com
displayName: support1
uid: support1
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
cn: support1
zimbraMailHost: server1.beamshospitals.com
ldapdelete -H 'ldap://email.efensys.com' -D 'uid=zimbra,cn=admins,cn=zimbra' -w <password> <dn>
sample dn - "cn=abc2newgroup,ou=groups,dc=efensys,dc=com"
Syncing Zimbra with Gmail (imap)
For downloading mails, for each user write a shell script with the below contents
while [ 1 ]
do
while ! imapsync --buffersize 18192000 --nofoldersizes --nosyncacls --subscribe --syncinternaldates \
    --noauthmd5 --host1 imap.gmail.com --user1 niraj@efensys.com --password1 efensysmail \
    --host2 200.0.100.200 --user2 niraj@efensys.com --password2 efensys --authuser2 admin@efensys.com \
    --authmech2 PLAIN --ssl1 --ssl2 --skipsize --allowsizemismatch --useheader 'Message-ID' \
    --regextrans2 "s/\[Gmail\]\/Sent Mail/Sent/" --exclude "\[Gmail\]/All Mail" \
    --exclude "\[Gmail\]/Trash" --exclude "\[Gmail\]/Spam"; do
echo imapsync not complete
done
sleep 1
done
For routing local mails through google - for each user do the following
zmprov ma kaustubh@efensys.com zimbraMailTransport smtp:smtp.gmail.com:587
NOTE
--authuser2 admin@efensys.com --authmech2 PLAIN are given, and password2 is the admin's password.
You may authenticate as one user (typically an admin user), but be authorized as someone else,
which means you don't need to know every user's personal password. Specify --authuser1 "adminuser"
to enable this on host1. In this case, --authmech1 PLAIN will be used by default since it is the
only way to go for now. So don't use --authmech1 SOMETHING with --authuser1 "adminuser", it will
not work. Same behavior with the --authuser2 option.
SMTP Relay (authenticated way)
As the zimbra user, do the following
For sender dependent authentication
Entries in /opt/zimbra/conf/relayhost_map
#per sender provider
person1@example.com [smtp.gmail.com]:587
person2@example.com [smtp.gmail.com]:587
person3.sawant@example.com [smtp.gmail.com]:587
Entries in /opt/zimbra/conf/relay_password
person2@example.com person2@example.com:password
person1@example.com person1@example.com:password
person3.sawant@example.com person3.sawant@example.com:password
Then execute the following steps
postconf -e smtp_sender_dependent_authentication=yes
postconf -e sender_dependent_relayhost_maps=hash:/opt/zimbra/conf/relayhost_map
postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
postmap /opt/zimbra/conf/relayhost_map
postmap /opt/zimbra/conf/relay_password
postconf -e smtp_cname_overrides_servername=no
postconf -e smtp_use_tls=yes
postconf -e smtp_sasl_security_options=noanonymous
postfix reload
For single user authentication
/opt/zimbra/conf/relayhost_map not needed
From admin panel, add relay host ip and port number
Entries in /opt/zimbra/conf/relay_password
110.234.84.160 person2@example.com:password
Then execute the following steps as Zimbra user:
postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
postmap /opt/zimbra/conf/relay_password
postconf -e smtp_cname_overrides_servername=no
postconf -e smtp_use_tls=yes
postconf -e smtp_sasl_security_options=noanonymous
postfix reload
Set the SMTP relay entry to smtp.gmail.com, port 587, in the Zimbra admin console MTA settings
Zimbra 8 authenticated relay
From admin panel, add relay host ip and port number
Entries in /opt/zimbra/conf/relay_password
110.234.84.160 person2@example.com:password
chown zimbra.zimbra /opt/zimbra/conf/relay_password
As Zimbra user :
postmap /opt/zimbra/conf/relay_password
Then execute the following steps as Zimbra user:
zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
zmlocalconfig -e postfix_smtp_sasl_auth_enable=yes
zmlocalconfig -e postfix_smtp_cname_overrides_servername=no
zmlocalconfig -e postfix_smtp_use_tls=yes
postconf -e smtp_use_tls=yes
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
postfix reload
Zimbra 8.5 authenticated relay
ZCS 8.5 does not support hash maps, only lmdb maps. You need to account for that, as well as for
the fact that the keys were moved from localconfig to LDAP.
postmap lmdb:/opt/zimbra/conf/relay_password
zmprov md mydomain.net zimbraMailCatchAllAddress @mydomain.net
zmprov md mydomain.com zimbraMailCatchAllAddress @mydomain.com
echo - Forward
zmprov md mydomain.net zimbraMailCatchAllForwardingAddress @mydomain.net
zmprov md mydomain.com zimbraMailCatchAllForwardingAddress @mydomain.com
echo - Mail Transport
zmprov md mydomain.net zimbraMailTransport smtp:mail.server.com:587
zmprov md mydomain.com zimbraMailTransport smtp:mail.server.com:587
echo - RelayHost
zmprov mcf zimbraMtaRelayHost mail.server.com:587
zmprov mcf zimbraMtaDnsLookupsEnabled FALSE
echo - Postfix
zmprov ms `zmhostname` zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
zmprov ms `zmhostname` zimbraMtaSmtpSaslAuthEnable yes
zmprov ms `zmhostname` zimbraMtaSmtpCnameOverridesServername no
zmprov ms `zmhostname` zimbraMtaTlsSecurityLevel may
zmprov ms `zmhostname` zimbraMtaSmtpSaslSecurityOptions noanonymous
echo Restart Zimbra
zmcontrol restart
http://community.zimbra.com/collaboration/f/1886/t/1092556
Zimbra Mail Server Relay Access Denied & ISP Relay with Authentication
Below are some common mail server problems that might hit you if you move your mail server into
production without a full and complete check:
1. Relay access denied because you have a dynamic public IP address
2. Email from your mail server delivered to the spam box on Gmail or Yahoo Mail
3. Some of your outbound mail being deferred while trying to send to a certain domain/recipient
These problems occur for many reasons: a dynamic IP address that is blacklisted as an open-relay
mail server; an IP address that got trapped and blacklisted on some RBL host; a destination mail
server that cannot look up your defined host and/or IP address; a missing PTR record or reverse
DNS zone on your DNS server; and many more.
Here are some tips and tricks to solve the problem. If you have no static public IP address for
your mail server, or your mail server is behind a NAT service, or you have no authority to modify
the DNS zone, an ISP relay may be the answer to your problem.
ISP relay means that our mail server does not deliver outbound mail to the destination mail server
itself. Our mail server delivers all outbound mail to the ISP server (the ISP for domain and
hosting, where our domain resides), and the ISP server then sends the message to its final
destination. This means that our mail server acts only as a gateway to the ISP relay. To prevent
spammers from hijacking it as an open relay, the ISP server usually requires authentication before
it allows email delivery.
An ISP relay solves the problems above. Any DNS lookup, blacklisted-IP check or reverse DNS check
is made against the ISP mail server. Given the reputation of the ISP, its mail server should pass
any security check.
Below is a step-by-step guide to configuring your Zimbra mail server to use an ISP relay with
authentication. I'm using vavai.co.id as a sample domain, with the user name rivai%vavai.co.id and
the password passwordku. The public domain and hosting for vavai.co.id are stored on a hosting
server (the ISP server). I've also set up Zimbra with the default domain vavai.co.id on a local
server.
Let's configure Zimbra to use an ISP relay with authentication to send outbound mail.
1. Get a canonical name for public domain
# nslookup mail.vavai.co.id
Non-authoritative answer:
mail.vavai.co.id canonical name = vavai.co.id.
Name: vavai.co.id
Address: 75.126.137.80
2. Open Zimbra Admin Console (https://hostaddress:7071/zimbraAdmin/)
3. Go to Global Setting | MTA
4. Write the public canonical name on “Relay MTA for external delivery:” option.
5. Open Konsole/Terminal, Log in as Zimbra Admin
# su - zimbra
6. Create the Postfix lookup table
# echo mail.vavai.co.id rivai@vavai.co.id:passwordku > /opt/zimbra/conf/relay_password
# postmap /opt/zimbra/conf/relay_password
7. Test the mapping
# postmap -q mail.vavai.co.id /opt/zimbra/conf/relay_password
8. The response should be similar to the following: username%domain.tld:password
9. Configure Zimbra Postfix to use the ISP/SMTP relay with authentication
# postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
# postconf -e smtp_sasl_auth_enable=yes
# postfix reload
10. Test your Zimbra mail server
Note:
If you find an error or a deferred queue entry like the one below:
(Authentication failed: cannot SASL authenticate to server …: no mechanism available)
it seems that the smtp_sasl_security_options setting does not allow plain-text authentication for
the ISP relay. Check it with the following command:
# postconf smtp_sasl_security_options
If the output is: smtp_sasl_security_options = noplaintext, noanonymous
change the SASL security setting to allow plain-text password usage:
# postconf -e smtp_sasl_security_options=noanonymous
# postfix reload
Restart the Zimbra service and test the email server.
If you would rather not use a plain-text password in the configuration, consider using SMTP with
TLS.
Restricting users to send mails to certain domains
This document describes how to restrict a list of users to sending email only to a limited set of
domains. Other users can send mail anywhere. Everything I am doing here is as the zimbra user.
1. Enter the following in the file "/opt/zimbra/conf/postfix_recipient_restrictions.cf". Make sure
it is entered at the top of the file.
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
check_sender_access hash:/opt/zimbra/postfix/conf/restricted_senders
2. Enter the following in "/opt/zimbra/conf/zmmta.cf"
vi /opt/zimbra/conf/zmmta.cf
POSTCONF smtpd_restriction_classes local_only
POSTCONF local_only FILE postfix_check_recipient_access.cf
3. Create a file "/opt/zimbra/conf/postfix_check_recipient_access.cf"
vi /opt/zimbra/conf/postfix_check_recipient_access.cf
check_recipient_access hash:/opt/zimbra/postfix/conf/local_domains, reject
4. Create a file "/opt/zimbra/postfix/conf/restricted_senders" and list all the users whom you
want to restrict. Follow this syntax:
vi /opt/zimbra/postfix/conf/restricted_senders
user@yourdomain.com local_only
5. Create a file "/opt/zimbra/postfix/conf/local_domains" and list all the domains to which
"restricted users" are allowed to send mail. Please follow this syntax:
vi /opt/zimbra/postfix/conf/local_domains
yourdomain.com OK
otheralloweddomain.com OK
6. Run the following commands:
postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains
zmmtactl stop
zmmtactl start
After these settings, all the users listed in "/opt/zimbra/postfix/conf/restricted_senders" are
restricted to sending mail only to the domains defined in
"/opt/zimbra/postfix/conf/local_domains"; other users can send mail anywhere. These settings will
not survive Zimbra upgrades, so make sure that you back up all of these settings when performing
upgrades.
Important Note if you need to undo this configuration
Remove the two lines that were added to the zmmta.cf file. Make sure the Postfix setting
smtpd_restriction_classes has nothing set.
postconf -e smtpd_restriction_classes=' '
zmmtactl reload
Restrict Postfix Recipients
* This will show how you can modify postfix to restrict who can send to certain addresses in your domain such as distribution lists like all@mydomain.com
* These changes will most likely not persist between upgrades! (UPDATE: Just updated to 4.0.4 and the only thing that was wiped out was the change to /opt/zimbra/conf/postfix_recipient_restrictions.cf. Also, permissions on files created in /opt/zimbra/postfix/conf got changed.)
* This method can be spoofed by forging the MAIL FROM: header (so mail appears to originate from within the domain), so it isn't foolproof, but it works for basic needs.
Steps
* Create a 'permitted senders' list (as user zimbra) - This is your list of domains and/or users who can email your protected email addresses:
vi /opt/zimbra/postfix/conf/permitted_senders
[paste in contents below editing as required]
localhost OK
mydomain.com OK
zimbra.mydomain.com OK
okuser@externaldom.com OK
* Create a 'protected recipients' list (as user zimbra) - This is your list of email addresses that may only receive email from 'permitted senders'
vi /opt/zimbra/postfix/conf/protected_recipients
[paste in contents below editing as required]
test-dist-list@mydomain.com permitted_senders_list
protected-user@mydomain.com permitted_senders_list
* Create a simple bash script to create postfix DB files (as user zimbra):
vi /opt/zimbra/postfix/conf/update_protected_recipients
[paste in contents below editing as required]
#!/bin/bash
echo "rebuild permitted_senders..."
postmap /opt/zimbra/postfix/conf/permitted_senders
echo "rebuild protected_recipients..."
postmap /opt/zimbra/postfix/conf/protected_recipients
* Make new script executable, then run it
chmod 755 /opt/zimbra/postfix/conf/update_protected_recipients
/opt/zimbra/postfix/conf/update_protected_recipients
* You should now see permitted_senders.db and protected_recipients.db in the directory
* Add necessary settings to /opt/zimbra/postfix/conf/main.cf
vi /opt/zimbra/postfix/conf/main.cf
[add these items to the file - note permitted_senders_list must match value in protected_recipients]
permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
smtpd_restriction_classes = permitted_senders_list
**Note this change to the main.cf won't survive upgrades. Be sure to save a copy of your main.cf file**
* Now add your new restriction to the top of postfix_recipient_restrictions.cf
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
[paste this into the first line of the file, above any other settings]
check_recipient_access hash:/opt/zimbra/postfix/conf/protected_recipients
* Reload postfix to activate settings:
postfix reload
Note 3 from talk: files ownership should be set to root:postfix before reloading postfix. This
avoids annoying warning messages in logfile.
Test it out
* Test your settings via telnet:
Enter command:
telnet zimbra.mydomain.com 25
You will see:
Trying 192.168.1.1...
Connected to zimbra.mydomain.com.
Escape character is '^]'.
220 zimbra.mydomain.com ESMTP Postfix
Enter command:
HELO test.com
You will see:
250 zimbra.mydomain.com
Enter command:
MAIL FROM: jdoe@test.com
You will see:
250 Ok
Enter command:
RCPT TO: test-dist-list@mydomain.com
You will see:
554 <test-dist-list@mydomain.com>: Recipient address rejected: Access denied
QUIT
221 Bye
Connection closed by foreign host.
* That's it. If you need to protect new distribution lists or emails, or add new senders, just edit
and re-run the update script, then reload postfix.
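Both recipes above tie an access table to a restriction class by name (local_only in restricted_senders, permitted_senders_list in protected_recipients), and the second one notes that the two names must match. As an added example that is not part of the original recipes, this script checks that match before postfix reload; the function names and sample files are constructed, and it assumes the class definitions are readable from main.cf or from saved postconf -n output.

```bash
#!/bin/bash
# Added example, not part of the original recipes. Checks that every class named
# in an access(5) table is listed in smtpd_restriction_classes and is defined.

# Print a main.cf-style file as logical lines: comments and blank lines dropped,
# continuation lines (leading whitespace) joined to their parameter.
logical_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { sub(/^[ \t]+/, ""); buf = buf " " $0; next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1"
}

# Print the class names listed in smtpd_restriction_classes, one per line.
declared_classes() {
    logical_lines "$1" | awk '
        /^smtpd_restriction_classes[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/,/, " ")
            n = split($0, c, /[ \t]+/)
            for (i = 1; i <= n; i++) if (c[i] != "") print c[i]
        }'
}

# Return 0 if the file has a "<class> = <non-empty value>" line.
class_is_defined() {
    logical_lines "$1" | awk -v n="$2" '
        { eq = index($0, "="); if (!eq) next
          key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
          gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
          if (key == n && val != "") found = 1 }
        END { exit !found }'
}

# Lint one access(5) source table against main.cf or saved `postconf -n` output.
# Prints one line per problem and returns 1 if there was any.
lint_access_table() {
    local table="$1" main_cf="$2" classes key action rest bad=0
    classes=" $(declared_classes "$main_cf" | tr '\n' ' ')"
    while read -r key action rest; do
        case $key in ''|'#'*) continue ;; esac
        case $action in
            '') echo "$key: no action"; bad=1; continue ;;
            OK|REJECT|DUNNO|DEFER|DEFER_IF_REJECT|DEFER_IF_PERMIT|DISCARD) continue ;;
            FILTER|HOLD|PREPEND|REDIRECT|INFO|WARN|BCC|[0-9]*) continue ;;
        esac
        case $classes in
            *" $action "*)
                class_is_defined "$main_cf" "$action" ||
                    { echo "$key: class $action is declared but not defined"; bad=1; }
                continue ;;
        esac
        case $action in   # built-in restriction names are allowed as actions
            permit|reject|defer|permit_*|reject_*|defer_*|check_*) continue ;;
        esac
        echo "$key: $action is not in smtpd_restriction_classes"; bad=1
    done < "$table"
    return $bad
}

# Constructed sample files, taken from the two recipes above.
write_samples() {
    cat > "$1/main.cf" <<'EOF'
permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders,
    reject
smtpd_restriction_classes = permitted_senders_list
EOF
    cat > "$1/protected_recipients" <<'EOF'
test-dist-list@mydomain.com permitted_senders_list
protected-user@mydomain.com permitted_senders_list
EOF
    cat > "$1/protected_recipients.typo" <<'EOF'
new-list@mydomain.com permited_senders_list
EOF
    cat > "$1/restricted_senders" <<'EOF'
user@yourdomain.com local_only
EOF
}

d=$(mktemp -d)
write_samples "$d"
for t in protected_recipients protected_recipients.typo restricted_senders; do
    lint_access_table "$d/$t" "$d/main.cf" && echo "$t: ok"
done
rm -rf "$d"
```

Run it on the source tables, not the .db files that postmap produces.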
Email migration using imapsync
http://wiki.zimbra.com/index.php?title=Guide_to_imapsync
http://wiki.zimbra.com/index.php?title=Mail_Migration#using_imapsync_.28Recommended_Method.29
http://wiki.zimbra.com/index.php?title=Category:Migration
yum install imapsync
Before you start a migration using imapsync, you need to know the passwords of the email accounts
that are going to be migrated to Zimbra. This can be achieved by resetting the password of each
email account on the old mail server.
Make sure IMAP is enabled on both Zimbra and the old mail server.
The command used to migrate an email account is:
imapsync --buffersize 8192000 --nosyncacls --subscribe --syncinternaldates --ssl1 --authmech1 LOGIN \
    --host1 192.168.6.26 --user1 it@welingkar.org --password1 year2010 --host2 192.168.6.7 --ssl2 \
    --authmech2 LOGIN --user2 it@welingkar.org --password2 year2010
Example:
[zimbra@example ~]$ imapsync --buffersize 8192000 --nosyncacls --subscribe --syncinternaldates \
    --ssl1 --authmech1 LOGIN --host1 192.168.6.26 \
    --user1 sneha.shah@welingkar.org --password1 year2010 --host2 192.168.6.7 --ssl2 \
    --authmech2 LOGIN \
    --user2 sneha.shah@welingkar.org --password2 year2010
Here, host1: IP address of old email server
user1: email id on old email server
password1: password of user1
host2: IP address of zimbra server
user2: email id on zimbra server
password2: password of user2
Avoiding mail looping in split domain (zimbra as secondary mail server)
Configuring Zimbra as the Secondary System
$ zmprov md example.com zimbraMailCatchAllAddress @example.com
$ zmprov md example.com zimbraMailCatchAllForwardingAddress @example.com
$ zmprov md example.com zimbraMailTransport smtp:mail.example.com
Avoiding loops in delivery where Exchange is the primary server
Exchange gets all the email first, and all email for addresses that Exchange does not have is sent
by catch-all to Zimbra. Zimbra then accepts all email local to it and, if catch-all is enabled,
all email that is local to neither Exchange nor Zimbra is forwarded back to Exchange, creating
a loop.
Back up the file postfix_recipient_restrictions.cf:
cp /opt/zimbra/conf/postfix_recipient_restrictions.cf /opt/zimbra/conf/postfix_recipient_restrictions.cf.backup
Edit /opt/zimbra/conf/postfix_recipient_restrictions.cf and add below lines.
permit_inet_interfaces
permit_sasl_authenticated
Finally your file will look like:
%%contains VAR:zimbraServiceEnabled cbpolicyd, check_policy_service inet:127.0.0.1:10031%%
reject_non_fqdn_recipient
permit_sasl_authenticated
permit_inet_interfaces
check_recipient_access ldap:/opt/zimbra/conf/ldap-emails.cf, reject
permit_mynetworks
reject_unauth_destination
reject_unlisted_recipient
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
%%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
permit
cp /opt/zimbra/conf/ldap-vam.cf /opt/zimbra/conf/ldap-emails.cf
chown zimbra.postfix /opt/zimbra/conf/ldap-emails.cf
Edit the newly created file /opt/zimbra/conf/ldap-emails.cf and make the changes shown below:
* In result_attribute, remove zimbraMailCatchAllAddress
* Add result_filter = OK
Your file should look like:
server_host = ldap://mail.example.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress
result_filter = OK
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = ssdeasaXZ
timeout = 30
Restart zimbra services via zmcontrol.
Global Disclaimer in Zimbra
Altermime
* 1) Download altermime from http://www.pldaniels.com/altermime/
* 2) Compile
make
(note: on some 64-bit systems, like CentOS 64-bit, there are problems compiling the source. For me the quick&dirty solution is to edit the Makefile and erase the "-Werror" option.)
* 3) Install altermime
cp altermime /usr/bin/
chown root.root /usr/bin/altermime
chmod 755 /usr/bin/altermime
* 4) Add a "filter" user
useradd -r -c "Postfix Filters" -d /var/spool/filter filter
* 5) Create a filter directory
mkdir /var/spool/filter
chown filter.filter /var/spool/filter
chmod 750 /var/spool/filter
Postfix
* 6) Back up your master.cf file
cp /opt/zimbra/postfix/conf/master.cf /opt/zimbra/postfix/conf/master.cf.orig
* 6.A) For zimbra >6 Backup your master.cf.in file
cp /opt/zimbra/postfix/conf/master.cf.in /opt/zimbra/postfix/conf/master.cf.in.orig
* 7) Modify /opt/zimbra/postfix/conf/master.cf (/opt/zimbra/postfix/conf/master.cf.in for version > 5.0.10)
'''su - zimbra'''
vim /opt/zimbra/postfix/conf/master.cf.in
modify line
smtp inet n - n - - smtpd
to
smtp inet n - n - - smtpd
'''-o content_filter=dfilt:'''
Add a line at the bottom of /opt/zimbra/postfix/conf/master.cf (/opt/zimbra/postfix/conf/master.cf.in for version > 5.0.10)
dfilt unix - n n - - pipe
  flags=Rq user=filter argv=/opt/zimbra/postfix/conf/disclaimer -f ${sender} -- ${recipient}
Note: the flags line is a continuation of the dfilt line; it goes on the next line and must start with whitespace
* 8) Create a disclaimer file in /opt/zimbra/postfix/conf/disclaimer.txt and disclaimer.html
Note: disclaimer files will have to be edited by '''root'''
[root@mail conf]# chmod 644 disclaimer.txt
[root@mail conf]# chmod 644 disclaimer.html
[root@mail conf]# chown root.postfix disclaimer.txt
[root@mail conf]# chown root.postfix disclaimer.html
For example:
/opt/zimbra/postfix/conf/disclaimer.txt
_____________________________________________________________________
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely
those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for
the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Company X, Suite# 1, Street, City, Country, www.company.com
/opt/zimbra/postfix/conf/disclaimer.html
_____________________________________________________________________<br>
<br>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed.<br>
If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely <br>
those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for <br>
the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.<br>
<br>
Company X, Suite# 1, Street, City, Country, <a href="http://www.company.com"><b>www.company.com</b></a><br>
* 9) Create disclaimer script in /opt/zimbra/postfix/conf/disclaimer
#!/bin/sh
INSPECT_DIR=/var/spool/filter
SENDMAIL=/opt/zimbra/postfix/sbin/sendmail
FOLDER_DISCLAIMER=/opt/zimbra/postfix/conf
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
# Clean up when done or when aborting.
trap "rm -f in.$$" 0 1 2 3 15
# Start processing.
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
TEXT_DISCLAIMER=`grep "[a|A-z|Z]" ${FOLDER_DISCLAIMER}/disclaimer.txt | grep -v "_" | tail -2 | head -1`
cat > in.$$ || { echo Cannot save mail to file; exit $EX_TEMPFAIL; }
nohup grep "${TEXT_DISCLAIMER}" in.$$ > /dev/null 2>&1
if [ ! "$?" = 0 ]; then
/usr/bin/altermime --input=in.$$ --disclaimer=${FOLDER_DISCLAIMER}/disclaimer.txt --disclaimer-html=${FOLDER_DISCLAIMER}/disclaimer.html --xheader="X-Copyrighted-Material: Please visit http://www.company.com/privacy.htm" || { echo Message content rejected; exit $EX_UNAVAILABLE; }
fi
$SENDMAIL -i "$@" < in.$$
exit $?
* 10) Set permissions
chgrp filter /opt/zimbra/postfix/conf/disclaimer
chmod 750 /opt/zimbra/postfix/conf/disclaimer
* 11) Restart Zimbra postfix
su - zimbra
zmmtactl stop
zmmtactl start
Change zimbra's lmtp to other server
1. Create corresponding accounts on the Zimbra system for all the accounts that will live on the secondary system. Note that bar@example.com is not migrating, and lives on the secondary.
$ zmprov ca bar@example.com <some_random_password>
2. Configure mail routing for this account so email flows to the secondary system for this account:
$ zmprov ma bar@example.com zimbraMailTransport smtp:mail.example.com:25
Note that we are not using any catch all (akin to “luser_relay”) tricks here. Primary needs to be authoritative, and if it forwards unknown accounts, then we would have a mail loop.
3. Change your MX record so mail from the internet flows into the Zimbra MTA first. (This is the last step! You will bounce mail if you make this change before configuring the entire system and testing that mail flow is working as desired.)
When you are ready to move a user from the old system to the new system just run this command (where zimbra.example.com is the name of your Zimbra server):
$ zmprov ma bar@example.com zimbraMailTransport lmtp:zimbra.example.com:7025
Zimbra Postgrey Integration
'''INSTALLATION'''
get the rpmforge.repo in yum.repos.d
yum install postgrey --nogpgcheck
ps ax | grep postgrey
vim /etc/init.d/postgrey
# OPTIONS="--unix=$SOCKET"
OPTIONS="--whitelist-clients=/etc/postfix/postgrey_whitelist_clients --whitelist-recipients=/etc/postfix/postgrey_whitelist_recipients --inet=10023 --unix=$SOCKET"
vim /opt/zimbra/conf/postfix_recipient_restrictions.cf
# add below line above any lines starting with %%
check_policy_service inet:127.0.0.1:10023
/etc/init.d/postgrey start
/sbin/chkconfig postgrey on
'''NOTES'''
Senders on the local network will not be greylisted, but any sender from an outside network will be greylisted for 5 minutes (the default).
Monitoring Incoming and Outgoing mails
Edit main.cf
[root@map007]# vim /opt/zimbra/postfix/conf/main.cf
Add the following line to get a BCC copy at your email ID when someone sends a mail:
sender_bcc_maps = hash:/opt/zimbra/conf/sender_bcc
Add the following line to get a BCC copy at your email ID when someone receives a mail:
recipient_bcc_maps = hash:/opt/zimbra/conf/recipient_bcc
Create two files in /opt/zimbra/conf directory
touch /opt/zimbra/conf/sender_bcc
touch /opt/zimbra/conf/recipient_bcc
chown zimbra.zimbra /opt/zimbra/conf/sender_bcc
chown zimbra.zimbra /opt/zimbra/conf/recipient_bcc
Edit these files and add an entry like this:
support@efensys.com sandeep@efensys.com
After this, I will get a copy of the incoming and outgoing mail of the support@efensys.com account at sandeep@efensys.com.
As zimbra user, run following commands :-
su - zimbra
postmap /opt/zimbra/conf/sender_bcc
postmap /opt/zimbra/conf/recipient_bcc
postfix reload
Zimbra LDAP as PDC - with Clients on Fedora / Ubuntu
'''Part 1'''
1. zmlocalconfig -s zimbra_ldap_password
2. Installing custom ldap schema 6.0 (http://wiki.zimbra.com/wiki/Installing_custom_ldap_schema_6.0)
ls /opt/zimbra/data/ldap/config/cn\=config/cn\=schema
ldap stop
Killing slapd with pid 3261 done.
cp /opt/zimbra/openldap/etc/openldap/schema/nis.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/cn\=\{10\}nis.ldif
cd /opt/zimbra/data/ldap/config/cn\=config/cn\=schema
vim cn\=\{10\}nis.ldif
Then modify it so that the following lines are changed from:
dn: cn=nis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: nis
to
dn: cn={10}nis
objectClass: olcSchemaConfig
cn: {10}nis
Then
chmod 600 cn\=\{10\}nis.ldif
ldap start
3. Converting and installing schema with the new LDIF format (http://wiki.zimbra.com/wiki/Installing_custom_ldap_schema_6.0)
NOTE: skipped because in the first cut we don't want samba working
4. Adding custom LDAP Indices (http://wiki.zimbra.com/wiki/Adding_ldap_indices_6.0)
ldapmodify -x -H ldapi:/// -D cn=config -W
enter ldap_root_password from step 1
NOTE: the command will look as if it is hung, but it is not; it is waiting for input. Continue with the lines below
dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
Press Control-D to finish the modification.
gives this as return message... modifying entry "olcDatabase={2}hdb,cn=config"
5. restart Zimbra services and make sure that they started successfully
6. Now you will need to create two new users for the local posix and samba processes to use to access the information from the LDAP server:
/opt/zimbra/openldap/sbin/slappasswd -s zimbra
{SSHA}Z4RLASlTryx7f8dUa0og+9zuILmxuTKE
/opt/zimbra/openldap/sbin/slappasswd -s zimbratoo
{SSHA}9tDXLLvtGWRXQYxhBsptMy+NfTUc5lbR
vim /tmp/posixusers.ldif
dn: uid=zmposix,cn=appaccts,cn=zimbra
uid: zmposix
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposix
sn: zmposix
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
description: The zimbra posix account
userPassword: {SSHA}Z4RLASlTryx7f8dUa0og+9zuILmxuTKE
dn: uid=zmposixroot,cn=appaccts,cn=zimbra
uid: zmposixroot
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposixroot
sn: zmposixroot
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
description: The zimbra posix root account
userPassword: {SSHA}9tDXLLvtGWRXQYxhBsptMy+NfTUc5lbR
Note: Replace each userPassword value with the hash generated above.
Now add these two new users to the LDAP master...
ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -W
Enter LDAP Password:
adding new entry "uid=zmposix,cn=appaccts,cn=zimbra"
adding new entry "uid=zmposixroot,cn=appaccts,cn=zimbra"
You need to adjust the LDAP acls so that these new users can read the data necessary from the LDAP server...
Be sure to replace dc=efensys,dc=com with your actual domain.
vim /tmp/acl.ldif
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read
dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=efensys,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=efensys,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=efensys,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=efensys,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
Now apply this ACL modification to the LDAP server:
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
Enter LDAP Password:
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
Run the following zmprov commands as user zimbra: (note we are not running sambaSamAccount thing yet)
zmprov mcf +zimbraAccountExtraObjectClass posixAccount
#zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
'''Part 2'''
su
# working directory for the unpacked zimlet
mkdir -p /home/sysadmin/zimlets/zimbra_posixaccount
cp /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip /home/sysadmin/zimlets/
cd /home/sysadmin/zimlets/
unzip zimbra_posixaccount.zip
mv *.xml *.js *.properties zimbra_posixaccount
cd zimbra_posixaccount
vim config_template.xml
# repack the edited files; zip appends the .zip suffix
zip zimbra_posixaccount *.*
mv zimbra_posixaccount.zip /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip
chown zimbra:zimbra /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip
chmod 664 /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip
Exit and get back as zimbra user
scp /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip root@200.0.100.73:/home/asaik/Desktop/
https://200.0.100.200:7071/
and, using admin extensions, undeploy the old zimlet and deploy the new zip file
'''Fedora 13 client machine 200.0.100.73'''
vim /etc/hosts
add 200.0.100.200 email.efensys.com
yum install sssd monit
Backup current files
cp /etc/pam.d/fingerprint-auth-ac /home/asaik/Desktop/toputinalfresco/mybackupfiles/
cp /etc/pam.d/gdm-password /home/asaik/Desktop/toputinalfresco/mybackupfiles/
cp /etc/pam.d/system-auth-ac /home/asaik/Desktop/toputinalfresco/mybackupfiles/
cp /etc/nsswitch.conf /home/asaik/Desktop/toputinalfresco/mybackupfiles/
cp /etc/sssd/sssd.conf /home/asaik/Desktop/toputinalfresco/mybackupfiles/
cp /etc/monit.conf /home/asaik/Desktop/toputinalfresco/mybackupfiles/
Move the latest files
cp /home/asaik/Desktop/toputinalfresco/sssd/fingerprint-auth-ac /etc/pam.d/
cp /home/asaik/Desktop/toputinalfresco/sssd/gdm-password /etc/pam.d/
cp /home/asaik/Desktop/toputinalfresco/sssd/system-auth-ac /etc/pam.d/
cp /home/asaik/Desktop/toputinalfresco/sssd/nsswitch.conf /etc/
cp /home/asaik/Desktop/toputinalfresco/sssd/sssd.conf /etc/sssd/
cp /home/asaik/Desktop/toputinalfresco/sssd/monit.conf /etc/
vim /etc/ldap.secret
add content as "zimbratoo"
Modify /etc/ldap.conf appropriately
Note the TLS_CACERT /home/asaik/Desktop/ca.pem entry
Visit https://200.0.100.200:7071/zimbraAdmin/ in Firefox, click the security lock, view the certificate, and export it to /home/asaik/Desktop/ca.pem
Modify /etc/sssd/sssd.conf appropriately
To add posixAccount attributes to the previously established users (before ldap schema change) you can run command:
zmprov ma kaustubh@efensys.com +objectClass posixAccount uidNumber 10102 gidNumber 10102 homeDirectory /home/kaustubh loginShell /bin/bash
Log-in the system using kaustubh/<password>
NOTE: NO NEED TO MAKE ANY USER ENTRY IN /etc/passwd
NOTE: also make sure that the network connection is set to start automatically and is available to all users of the system
NOTE: make sure chkconfig sssd on and chkconfig monit on and reboot the machine
Following files are available in efensys alfresco:
ca.pem
gdm-password
ldap.secret
nsswitch.conf
system-auth-ac
fingerprint-auth-ac
ldap.conf
monit.conf
sssd.conf
'''Part 3'''
'''Ubuntu 10.04 Client Machine 200.0.100.91'''
'''U1'''. sudo -s
'''U2'''. Edit /etc/nsswitch.conf file. Replace these two lines:
passwd: compat
group: compat
with these lines:
passwd: files sss
shadow: files ldap
group: files sss
'''U3'''. using synaptic package manager install
sssd and 3 libraries
chkconfig
monit
'''U4'''. Correctly copy or modify the following files
common-account, common-auth, common-password, common-session
Just changed pam_ldap to pam_sss and did a bit more in common-session. Unlike in fedora, in common-session the skel=/etc/skel umask=0077 is important
These files are available in efensys alfresco: under /Efensys/Technical/zimbraaspdc/ubuntu_10_04_desktop
'''U5'''. paste the correct sssd.conf and monit.conf
vim /etc/default/monit
change startup to 1 in /etc/default/monit
mv /etc/monit.conf /etc/monit/monitrc
NOTE: in monit.conf change "/sbin/service" to only "service"
'''U6'''. chkconfig monit on
chkconfig sssd on fails ... ignore...
'''U7'''. NOTE: also make sure that the network connection is set to start automatically and is available to all users of the system
NOTE: make sure chkconfig sssd on and chkconfig monit on and reboot the machine
NOTE: vim /etc/hosts and add entry 200.0.100.200 email.efensys.com
NOTE: the ca.pem entry in sssd.conf needs to be checked and also the same should be available on every desktop
'''Part 4'''
'''Quick Note on having centralized homeDirectory'''
nfs depends on rpcbind... rpcbind should start before nfs
if any problem... ''/etc/init.d/rpcbind start'' or restart and then ''service nfs restart''
also on client ''service autofs restart''...
Log into zimbra as admin and change the homedirectory to /net/200.0.100.84/home/kaustubh for say kaustubh@efensys.com account
Now when kaustubh logs in to his fedora desktop, he would get the desktop of /net/200.0.100.84/home/kaustubh/Desktop and not the local /home/kaustubh
How to renew certificate after 365 days
Error you get ...
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Starting logger...Failed.
Starting logswatch...ERROR: service.FAILURE (system failure: ZimbraLdapContext) (cause: javax.net.ssl.SSLHandshakeException sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed)
zimbra logger service is not enabled! failed.
'''Solution is:'''
as su - zimbra
zmcontrol stop
as root
cd /opt/zimbra/bin
./zmcertmgr createcrt -new -days 365
./zmcertmgr deploycrt self
./zmcertmgr viewdeployedcrt
cd /opt/zimbra/libexec
./zmfixperms
Zimbra ldap backup /restore
'''To backup LDAP data:'''
mkdir /ldapbackup
As root, type
chown zimbra.zimbra /ldapbackup
As zimbra user, type
/opt/zimbra/libexec/zmslapcat /ldapbackup
As root, take backup of
/opt/zimbra/data/ldap/hdb/db/DB_CONFIG
'''To restore the LDAP data.'''
''' Prepare the server and install ZCS.'''
* The ZCS installation on the new server must be configured exactly as the ZCS configuration on the original server.
* You go through the complete menu driven installation process, making changes to the configuration setting to match the settings on the original server.
* Follow the directions in the ZCS single server installation guide to install ZCS.
* Make sure that you configure the same domain, hostname, passwords as on the old server.
* Make sure DNS is configured for the domain.
''' During ZCS install, the following settings must be changed to match the original server settings:'''
* Zimbra LDAP Server - For Domain to create - identify the same default domain as on the original server.
* Zimbra Mailbox Server - An administrator's account is automatically created.
* Make sure that the account name for Admin user to create is the same name as on the original server.
* Set the admin password.
* Change the Spam training user and the Non-spam (HAM) training user account names to be the same as the spam account names on the original server.
* Global Document Account - Change the Global Document Account name to be the same account name as on the original server.
* Change any other settings on the new server to match the configuration on the original server.
ZCS is installed. To continue:
* Stop the ZCS services, type zmcontrol stop.
Restore the LDAP data to the 64-bit server.
As zimbra, type
a. rm -rf /opt/zimbra/data/ldap/hdb/*
b. If this is an ldap master with replicas: rm -rf /opt/zimbra/data/ldap/accesslog/*
c. mkdir -p /opt/zimbra/data/ldap/hdb/db /opt/zimbra/data/ldap/hdb/logs
d. If this is an ldap master with replicas: mkdir -p /opt/zimbra/data/ldap/accesslog/db /opt/zimbra/data/ldap/accesslog/logs
e. Copy the file /opt/zimbra/data/ldap/hdb/db/DB_CONFIG from old server to /opt/zimbra/data/ldap/hdb/db on the new server.
Note: If this file does not exist, or is empty, creating it may improve ldap performance.
f. Type chown -R zimbra:zimbra /opt/zimbra/data/ldap
g. Copy from the old server to the new server the /ldapbackup/ldap.bak file.
h. Type /opt/zimbra/openldap/sbin/slapadd -q -b "" -F /opt/zimbra/data/ldap/config -cv -l /ldapbackup/ldap.bak
k. Start the ZCS services, type zmcontrol start.
Syncing Zimbra with Gmail (imap)
For downloading mails, for each user write a shell script with the below contents
----
while [ 1 ]
do
while ! imapsync --buffersize 18192000 --nofoldersizes --nosyncacls --subscribe --syncinternaldates --noauthmd5 --host1 imap.gmail.com --user1 niraj@efensys.com --password1 xxx --host2 200.0.100.200 --user2 niraj@efensys.com --password2 xxxx --authuser2 adm@efensys.com --authmech2 PLAIN --ssl1 --ssl2 --skipsize --allowsizemismatch --useheader 'Message-ID' --regextrans2 "s/\[Gmail\]\/Sent Mail/Sent/" --exclude "\[Gmail\]/All Mail" --exclude "\[Gmail\]/Trash" --exclude "\[Gmail\]/Spam"; do
echo imapsync not complete
done
sleep 1
done
----
For routing local mails through google - for each user do the following
zmprov ma kaustubh@efensys.com zimbraMailTransport smtp:smtp.gmail.com:587
* '''NOTE'''
--authuser2 adm@efensys.com --authmech2 PLAIN: password2 is the admin's password
You may authenticate as one user (typically an admin user), but be authorized as someone else, which means you don’t need to know every user’s personal password. Specify --authuser1 "admuser" to enable this on host1. In this case, --authmech1 PLAIN will be used by default since it is the only way to go for now. So don’t use --authmech1 SOMETHING with --authuser1 "admuser", it will not work. Same behavior with the --authuser2 option
SMTP Relay (authenticated way)
As user '''zimbra''', do the following
For '''sender dependent authentication'''
Entries in '''/opt/zimbra/conf/relayhost_map'''
#per sender provider
niraj@efensys.com [smtp.gmail.com]:587
kaustubh@efensys.com [smtp.gmail.com]:587
sandeep.sawant@efensys.com [smtp.gmail.com]:587
Entries in '''/opt/zimbra/conf/relay_password'''
kaustubh@efensys.com kaustubh@efensys.com:password
niraj@efensys.com niraj@efensys.com:password
sandeep.sawant@efensys.com sandeep.sawant@efensys.com:password
Then execute the following steps
postconf -e smtp_sender_dependent_authentication=yes
postconf -e sender_dependent_relayhost_maps=hash:/opt/zimbra/conf/relayhost_map
postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
postmap /opt/zimbra/conf/relayhost_map
postmap /opt/zimbra/conf/relay_password
postconf -e smtp_cname_overrides_servername=no
postconf -e smtp_use_tls=yes
postconf -e smtp_sasl_security_options=noanonymous
postfix reload
For '''single user authentication'''
'''/opt/zimbra/conf/relayhost_map''' not needed
Entries in '''/opt/zimbra/conf/relay_password'''
<mail_server_ip> kaustubh@efensys.com:password
Then execute the following steps
postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
postmap /opt/zimbra/conf/relay_password
postconf -e smtp_cname_overrides_servername=no
postconf -e smtp_use_tls=yes
postconf -e smtp_sasl_security_options=noanonymous
postfix reload
Set the smtp relay entry to '''smtp.gmail.com''' port is '''587''' in Zimbra admin console MTA settings
''' Persistence across Zimbra restarts'''
In my experience with ZCS 6.0.2 the postconf commands did not stick across restarts which resulted in mail getting queued up or bounced for many hours before I noticed. After much frustration and Googling I discovered the answer is to use zmlocalconfig either instead of or in addition to postconf. Postconf & postfix reload will apply the settings immediately but not persist across restarts. zmlocalconfig requires a full Zimbra restart using 'zmcontrol stop' and 'zmcontrol start' or 'service zimbra restart'.
zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
zmlocalconfig -e postfix_smtp_use_tls=yes
zmlocalconfig -e postfix_smtp_cname_overrides_servername=no
With the above settings in addition to the settings in #Enabling SMTP authentication I am able to keep settings across restarts. Keeps my users happy and my sanity intact.
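Both relay setups above keep SMTP credentials in clear text in /opt/zimbra/conf/relay_password, and postmap creates relay_password.db with the same group and other read permissions as its source file. The check below is an added example, not part of the original notes; the function name audit_secret_map and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find credential maps that accounts outside the owner and
# group can access. Function name and sample data are constructed.

# audit_secret_map PATH
#   Checks PATH and PATH.db (the file postmap writes next to a hash: source).
#   Prints "exposed: FILE" for each file with any "other" permission bit set.
#   Returns 1 if at least one file is exposed, 0 otherwise.
audit_secret_map() {
    exposed=0
    for f in "$1" "$1.db"; do
        [ -e "$f" ] || continue
        hit=$(find "$f" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))
        if [ -n "$hit" ]; then
            echo "exposed: $f"
            exposed=1
        fi
    done
    return "$exposed"
}

# Constructed demo: a source map created under a 022 umask and the .db
# that postmap would have written with matching permissions.
DEMO=$(mktemp -d)
printf '%s\n' '[smtp.example.com]:587 user@example.com:constructed-secret' \
    > "$DEMO/relay_password"
: > "$DEMO/relay_password.db"   # stand-in for postmap output
chmod 644 "$DEMO/relay_password" "$DEMO/relay_password.db"

audit_secret_map "$DEMO/relay_password" || echo "-> both files need tightening"

# Fixing only the source leaves the compiled map readable.
chmod 600 "$DEMO/relay_password"
audit_secret_map "$DEMO/relay_password" || echo "-> the .db copy is still exposed"

chmod 600 "$DEMO/relay_password.db"
audit_secret_map "$DEMO/relay_password" && echo "clean"

rm -rf "$DEMO"
```

Run it against /opt/zimbra/conf/relay_password after every postmap, since a rebuilt .db can pick up the source file's permissions again.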
Restricting users to send mails to certain domains
This document describes how to restrict a list of users so that they can send email only to a limited set of domains. Other users can send mail anywhere. I am doing everything here as the zimbra user.
1. Enter the following in the file "/opt/zimbra/conf/postfix_recipient_restrictions.cf". Make sure it is entered at the top of the file.
vi /opt/zimbra/conf/postfix_recipient_restrictions.cf
check_sender_access hash:/opt/zimbra/postfix/conf/restricted_senders
2. Enter the following in "/opt/zimbra/conf/zmmta.cf"
vi /opt/zimbra/conf/zmmta.cf
POSTCONF smtpd_restriction_classes local_only
POSTCONF local_only FILE postfix_check_recipient_access.cf
3. Create a file "/opt/zimbra/conf/postfix_check_recipient_access.cf"
vi /opt/zimbra/conf/postfix_check_recipient_access.cf
check_recipient_access hash:/opt/zimbra/postfix/conf/local_domains, reject
4. Create a file "/opt/zimbra/postfix/conf/restricted_senders" and list all the users whom you want to restrict. Follow this syntax:
vi /opt/zimbra/postfix/conf/restricted_senders
user@yourdomain.com local_only
5. Create a file "/opt/zimbra/postfix/conf/local_domains" and list all the domains to which the "restricted users" are allowed to send mail. Please follow this syntax:
vi /opt/zimbra/postfix/conf/local_domains
yourdomain.com OK
otheralloweddomain.com OK
6. Run the following commands:
postmap /opt/zimbra/postfix/conf/restricted_senders
postmap /opt/zimbra/postfix/conf/local_domains
zmmtactl stop
zmmtactl start
After these settings, all the users listed in "/opt/zimbra/postfix/conf/restricted_senders" can send mail only to the domains defined in "/opt/zimbra/postfix/conf/local_domains"; all other users can send mail anywhere. These settings will not survive Zimbra upgrades, so make sure that you back up all of these settings when performing upgrades.
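The lookup chain configured in steps 1 to 5, modelled as an added example (not part of the original notes): check_sender_access maps a listed sender to the local_only class, which runs check_recipient_access and then reject. The function names and sample maps are constructed, and the lookup is simplified to the full address followed by the domain.

```shell
#!/bin/sh
# Added example: models how the restriction chain above reaches a decision.
# Sample maps are constructed; the real ones live in /opt/zimbra/postfix/conf.
MAPDIR=$(mktemp -d)
trap 'rm -rf "$MAPDIR"' EXIT

cat > "$MAPDIR/restricted_senders" <<'EOF'
user@yourdomain.com local_only
EOF
cat > "$MAPDIR/local_domains" <<'EOF'
yourdomain.com OK
otheralloweddomain.com OK
EOF

# map_lookup FILE KEY: print the right-hand side stored for KEY.
# hash: tables fold keys to lower case, so the lookup does the same.
map_lookup() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blanks
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# access_lookup FILE ADDRESS: try the full address, then its domain part.
# (Simplified: Postfix also tries parent domains and "localpart@".)
access_lookup() {
    result=$(map_lookup "$1" "$2")
    [ -n "$result" ] || result=$(map_lookup "$1" "${2##*@}")
    printf '%s' "$result"
}

# decide SENDER RECIPIENT: outcome of the check_sender_access line.
# SENDER is the envelope sender (MAIL FROM); this check does not
# authenticate it.
#   OK     restricted sender, recipient domain is in local_domains
#   REJECT restricted sender, recipient domain is not listed
#   DUNNO  sender is not restricted; the remaining restrictions decide
decide() {
    class=$(access_lookup "$MAPDIR/restricted_senders" "$1")
    if [ "$class" != "local_only" ]; then
        echo DUNNO
        return 0
    fi
    # local_only = check_recipient_access hash:.../local_domains, reject
    if [ "$(access_lookup "$MAPDIR/local_domains" "$2")" = "OK" ]; then
        echo OK
    else
        echo REJECT
    fi
}

echo "restricted -> allowed domain: $(decide user@yourdomain.com a@otheralloweddomain.com)"
echo "restricted -> other domain:   $(decide User@YourDomain.com a@elsewhere.example)"
echo "unrestricted sender:          $(decide other@yourdomain.com a@elsewhere.example)"
```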
Important Note if you need to undo this configuration
Remove the two lines that were added to the zmmta.cf file. Make sure the Postfix setting smtpd_restriction_classes has nothing set.
postconf -e smtpd_restriction_classes=' '
zmmtactl reload