Zimbra mail server installation
Christian Lathion, 2009-12-15
Switzernet
This document presents the installation of the Zimbra Collaboration Suite on a dedicated OVH server. It also presents the basic configuration for our usage, and a tool (imapsync) for migrating emails from one mailbox or server to another.
Keep in mind that Zimbra is a complete suite made of different software, including email, wiki, antispam, antivirus, etc. Here we only present the steps required to make it work as a mail server.
Number of connections per user
Zimbra restart breaks terminal
Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica
The installation was done on Debian Linux 5.0, 64-bit. The Zimbra version is 6.0.1.
Hardware is a dedicated OVH server. We found out that Zimbra is very demanding on resources, especially on RAM. Recommended configurations can be found on the following page: [link]. In our case, 4GB RAM is required for efficient operation. CPU should be as fast as possible; our current Zimbra servers use quad or dual CPU Intel processors.
Partition the disk so that the root (/) partition is as large as possible:
Start by changing the server root password. Configure the hostname, in this case mail3.switzernet.com:
ns366977:~# passwd
ns366977:~# vi /etc/hostname
ns366977:~# hostname mail3.switzernet.com
ns366977:~# vi /etc/hosts
ns366977:~# grep $(hostname) /etc/hosts
94.23.22.98 mail3.switzernet.com
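Download the Zimbra installation archive to the server, and check that its md5 is correct. Because the checksum file is fetched from the same server over plain HTTP, a match shows that the download is not corrupted but does not authenticate the archive: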
ns354959:~/090918-zimbra-install# wget http://h.yimg.com/lo/downloads/6.0.1_GA/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz
ns354959:~/090918-zimbra-install# wget http://h.yimg.com/lo/downloads/6.0.1_GA/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz.md5
ns354959:~/090918-zimbra-install# md5sum zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz
d6c41070510585087943f8a142950aa8 zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz
ns354959:~/090918-zimbra-install# cat zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz.md5
d6c41070510585087943f8a142950aa8 zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz
Extract the archive, and go to the resulting directory:
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# tar xzf zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141.tgz
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# cd zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141
Launch the installation script. On the first run, it should abort due to missing dependencies:
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# ./install.sh
Checking for prerequisites...
FOUND: NPTL
MISSING: sudo
FOUND: libidn11-1.8+20080606-1
MISSING: libpcre3
FOUND: libgmp3c2-2:4.2.2+dfsg-3
MISSING: libexpat1
FOUND: libstdc++6-4.3.2-1.1
MISSING: libstdc++5
MISSING: libperl5.10
Checking for suggested prerequisites...
FOUND: perl-5.10.0
MISSING: sysstat does not appear to be installed.
###WARNING###
The suggested version of one or more packages is not installed.
This could cause problems with the operation of Zimbra.
Install the required dependencies using aptitude, the Debian package manager. The packages to install may vary depending on the Debian installation or Zimbra version. If so, repeat the process (you have to identify which packages to install to satisfy the dependency requirements):
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# aptitude update
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# aptitude install sudo libpcre3 libexpat1 libstdc++5 libperl5.10 sysstat
Launch the installation script again:
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# ./install.sh
Checking for prerequisites...
FOUND: NPTL
FOUND: sudo-1.6.9p17-2
FOUND: libidn11-1.8+20080606-1
FOUND: libpcre3-7.6-2.1
FOUND: libgmp3c2-2:4.2.2+dfsg-3
FOUND: libexpat1-2.0.1-4
FOUND: libstdc++6-4.3.2-1.1
FOUND: libstdc++5-1:3.3.6-18
FOUND: libperl5.10-5.10.0-19lenny2
Checking for suggested prerequisites...
FOUND: perl-5.10.0
FOUND: sysstat
Prerequisite check complete.
The following error will appear if you install Zimbra before configuring the MX DNS records. You can safely ignore it if the domain is correct and you are planning to configure the MX records later:
DNS ERROR resolving MX for mail3.switzernet.com
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes] No
Apart from the domain name and the admin password that you will have to set during the installation, keep the default settings. A log of the installation process for mail3.switzernet.com is available: [txt].
After successful installation, you can connect to Zimbra via your browser. http://mail3.switzernet.com leads to the user login:
https://mail3.switzernet.com:7071 leads to the login of the Administration console. This will issue a certificate error, since we did not generate an https certificate. You can ignore the error:
Except for what is shown in this document, all administration (account creation and configuration) is done through the Administration console.
Grsecurity is a set of security patches and tools for the Linux kernel. It appears to cause problems with Java, possibly because of the memory operations that Java performs. As a result, it tries to kill the java process. In that case, the following errors will appear in your logs:
grsec: From 213.186.50.100: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106
grsec: From 213.186.50.100: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22383] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22210] uid/euid:1000/1000 gid/egid:106/106
grsec: From 212.147.8.99: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22806] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22632] uid/euid:1000/1000 gid/egid:106/106
grsec: From 212.147.8.99: signal 11 sent to /opt/zimbra/jdk1.6.0_16/bin/java[java:22806] uid/euid:1000/1000 gid/egid:106/106, parent /bin/bash[sh:22632] uid/euid:1000/1000 gid/egid:106/106
OVH servers appear to use a grsec kernel by default. The command uname -a displays information on the kernel in use. Here it shows a grsec version:
mail2:/opt/zimbra/log# uname -a
Linux mail2.switzernet.com 2.6.27.10-grsec-xxxx-grs-ipv4-64 #7 SMP Wed Sep 9 22:07:04 UTC 2009 x86_64 GNU/Linux
As a solution, we decided to use a Linux kernel without the grsecurity patches, which gives up the kernel hardening that grsecurity provides. We could have used the OVH netboot feature, which allows booting from a remote kernel located on the OVH network. The drawback is that if OVH updates its netboot kernel, or if netboot is unavailable, our server could become unbootable. To avoid this, we chose to install a local Linux kernel.
The most direct way would be to install a standard Linux kernel using the Debian package manager (e.g. aptitude install linux-image-2.6-amd64). But the installation fails because of OVH setup particularities (all in-kernel, no modules, no /proc/modules, lilo as boot manager, etc.). Assuming that OVH’s custom kernels would be better suited (possibly including patches for their hardware and tested in depth before release), we chose to manually install an OVH kernel:
mail2:~# cd /boot/
mail2:/boot#
mail2:/boot# wget ftp://ftp.ovh.net/made-in-ovh/bzImage/System.map-2.6.28.4-xxxx-std-ipv4-64
mail2:/boot# wget ftp://ftp.ovh.net/made-in-ovh/bzImage/bzImage-2.6.28.4-xxxx-std-ipv4-64
mail2:/boot# vi /etc/lilo.conf   # Update the configuration to enable the new kernel by default
mail2:/boot# uname -a
Linux mail2.switzernet.com 2.6.27.10-grsec-xxxx-grs-ipv4-64 #7 SMP Wed Sep 9 22:07:04 UTC 2009 x86_64 GNU/Linux
mail2:/boot# lilo
Added Linux *
mail2:/boot# reboot
After reboot, reissue a uname -a. You must now see the new kernel version, without grsec:
mail2:~# uname -a
Linux mail2.switzernet.com 2.6.28.4-xxxx-std-ipv4-64 #4 SMP Wed Sep 9 22:08:40 UTC 2009 x86_64 GNU/Linux
By default, Zimbra does not accept clear text logins, but forces TLS. This caused login errors with our default Thunderbird setup. Note that with clear text logins allowed, account passwords can cross the network unencrypted. We modify this in the Global settings. First in the MTA configuration:
Then in the IMAP configuration:
And in the POP configuration:
Check that the settings were applied to each server in the three tabs concerned (MTA, IMAP and POP). If the server tab was open when you made changes in the global settings, close and reopen the server tab to see the changes:
You should now be able to log in without using TLS.
We increase the maximal message size. This influences not only the limit for sending or receiving emails, but also the limit for importing emails from our previous email servers. The limit is set to 30MB; it should be decreased in the future. The modification takes place in two different places of Global settings:
A restart of Zimbra is required for the changes to be applied. For all operations on the Zimbra server, do not forget to log in as user zimbra (su zimbra). Operating as root can cause problems (see Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica):
mail3:~# su zimbra
zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol stop
Host mail3.switzernet.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start
Host mail3.switzernet.com
Starting ldap...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol status
Host mail2.switzernet.com
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
zimbra@mail3:/root$ exit
exit
mail3:~#
By default, Zimbra accepts 5 simultaneous IMAP connections per user. Above this limit, earlier connections are closed (starting from the oldest). In that case, the following errors appear in the /opt/zimbra/log/mailbox.log log file:
mail2:~# grep "java.net.SocketException" /opt/zimbra/log/mailbox.log | tail
2009-10-19 18:08:13,092 INFO [ImapServer-16151] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:14,362 INFO [ImapServer-16133] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:35,195 INFO [ImapServer-16155] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:52,900 INFO [ImapServer-16114] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:58,637 INFO [ImapServer-16154] [ip=90.46.223.141;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:00,241 INFO [ImapServer-16096] [ip=87.241.174.28;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:06,163 INFO [ImapServer-16159] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:20,413 INFO [ImapServer-16167] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:43,668 INFO [ImapServer-16168] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:47,734 INFO [ImapServer-16169] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
To solve the problem, change the maximal allowed number of connections and restart Zimbra with the following commands. For all operations on the Zimbra server, do not forget to log in as user zimbra (su zimbra). Operating as root can cause problems (see Startup error: ldap_url and ldap_master_url cannot be the same on an ldap replica):
mail2:~# su zimbra
zimbra@mail2:/root$ /opt/zimbra/bin/zmlocalconfig -e zimbra_session_limit_imap=50
zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol stop
Host mail2.switzernet.com
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol start
Host mail2.switzernet.com
Starting ldap...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
zimbra@mail2:/root$ /opt/zimbra/bin/zmcontrol status
Host mail2.switzernet.com
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
zimbra@mail2:/root$ exit
exit
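To see which clients are hitting the connection limit, the "Socket closed" errors in mailbox.log can be counted per client address. The following is an added example, not part of the original document; it assumes the line format of the excerpt above, and since those lines carry the client IP but no account name, the per-IP count is only a proxy for the per-user limit. The function names and the threshold are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original document.
# Sample lines copied from the mailbox.log excerpt above.
sample_mailbox_log() {
cat <<'EOF'
2009-10-19 18:08:13,092 INFO [ImapServer-16151] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:14,362 INFO [ImapServer-16133] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:35,195 INFO [ImapServer-16155] [ip=87.241.186.151;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:52,900 INFO [ImapServer-16114] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:08:58,637 INFO [ImapServer-16154] [ip=90.46.223.141;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
2009-10-19 18:09:06,163 INFO [ImapServer-16159] [ip=87.241.176.132;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Socket closed
EOF
}

# Read mailbox.log on stdin; print "count ip" for IMAP "Socket closed"
# errors, most frequent client first.
socket_closed_by_ip() {
    awk '
        /\[ImapServer-[0-9]+\]/ && /java\.net\.SocketException: Socket closed/ {
            # The client address sits in a bracketed "ip=...;" field.
            if (match($0, /(\[|;)ip=[0-9a-fA-F.:]+;/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 5)
                count[ip]++
            }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print only the clients with at least $1 errors (the default of 5 is an
# assumption for triage, not a Zimbra setting).
noisy_imap_clients() {
    socket_closed_by_ip | awk -v min="${1:-5}" '$1 + 0 >= min + 0 { print $2 }'
}

# On the server: socket_closed_by_ip < /opt/zimbra/log/mailbox.log
sample_mailbox_log | socket_closed_by_ip
```

A single address with many errors points at one client (or one NAT gateway) opening more connections than the limit allows, which helps decide whether raising zimbra_session_limit_imap or fixing that client is the right response.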
After a restart of Zimbra, you may find your terminal broken. In that case, you don’t see what you are typing, and newline does not work. It happens at least when using PuTTY:
mail3:~/zcs-6.0.1_GA_1816.DEBIAN5_64.20090911184141# mail3:~# mail3:~# mail3:~#
Press Ctrl-C, type the command reset (you won’t see it as you type) and press Enter. This will reinitialize your terminal.
This problem appeared for no clear reason on a Zimbra restart. The startup process hung on the following error, linked to ldap:
ldap_url and ldap_master_url cannot be the same on an ldap replica
This type of error seems to be usually caused by an erroneous DNS or hosts file configuration. In this case, both were correct. When trying to restart, the following appeared:
zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start
Host localhost
Instead of:
zimbra@mail3:/root$ /opt/zimbra/bin/zmcontrol start
Host mail3.switzernet.com
The ownership of the file /opt/zimbra/conf/localconfig.xml had changed to user root, making it unreadable for ldap, which runs under user zimbra:
zimbra@mail3:/root$ ls -l /opt/zimbra/conf/localconfig.xml
-rw-r----- 1 root root 3370 2009-10-15 15:43 /opt/zimbra/conf/localconfig.xml
Changing the ownership of the file back to zimbra solved the problem:
mail3:~# chown zimbra:zimbra /opt/zimbra/conf/localconfig.xml
zimbra@mail3:/root$ ls -l /opt/zimbra/conf/localconfig.xml
-rw-r----- 1 zimbra zimbra 3370 2009-10-15 15:43 /opt/zimbra/conf/localconfig.xml
This bug was caused by running the script /opt/zimbra/bin/zmlocalconfig as root. Always log in as user zimbra to perform Zimbra administration tasks.
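A small preflight check can catch both halves of this problem before a restart: being root, and localconfig.xml no longer belonging to zimbra. This is an added example, not part of the original document or of Zimbra; the function names are illustrative, and the path and user name are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the original document or of Zimbra.

# Succeeds only when the given uid (default: the current uid) is not root.
not_root() {
    [ "${1:-$(id -u)}" -ne 0 ]
}

# Print the numeric owner uid of file $1 (third field of "ls -ldn").
file_owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# Succeeds when file $1 is owned by numeric uid $2.
owned_by_uid() {
    [ "$(file_owner_uid "$1")" = "$2" ]
}

# Return 0 when it is safe to run zmcontrol/zmlocalconfig:
#   1 = running as root, 2 = user does not exist, 3 = wrong file owner.
zimbra_preflight() {
    conf=${1:-/opt/zimbra/conf/localconfig.xml}   # path from the document
    user=${2:-zimbra}
    not_root || {
        echo "refusing to run as root; use: su $user" >&2
        return 1
    }
    want=$(id -u "$user" 2>/dev/null) || {
        echo "no such user: $user" >&2
        return 2
    }
    owned_by_uid "$conf" "$want" && return 0
    echo "$conf is owned by uid $(file_owner_uid "$conf"), expected $user ($want)" >&2
    echo "fix as root: chown $user:$user $conf" >&2
    return 3
}

# Usage, as user zimbra:
#   zimbra_preflight && /opt/zimbra/bin/zmcontrol start
```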
This section briefly describes the usage of imapsync to synchronize IMAP mailboxes between different servers. Short help from the imapsync documentation:
While working on imapsync parameters please run imapsync in dry mode (no modification induced) with the --dry option. Nothing bad can be done this way.
To synchronize the imap account "buddy" on host "imap.src.fr" to the imap account "max" on host "imap.dest.fr" (the passwords are located in two files "/etc/secret1" for "buddy", "/etc/secret2" for "max") :
imapsync --host1 imap.src.fr --user1 buddy --passfile1 /etc/secret1 --host2 imap.dest.fr --user2 max --passfile2 /etc/secret2
Then, you will have max's mailbox updated from buddy's mailbox.
Always start in dry mode. Carefully examine the output and the result produced by imapsync after the transfer. Folders can be created in the wrong place, and some emails can be skipped during import (this only seems to be the case when there were connection limitations on the source mailbox). By default, imapsync will not transfer duplicates from the source mailbox to the destination. Keep this in mind when comparing the results between source and destination.
Following are examples of imapsync commands used when migrating our mailboxes to Zimbra. Don’t use them as-is. In particular, they pass the passwords on the command line with --password1 and --password2, which exposes them in the process list and in the shell history; the --passfile1 and --passfile2 options shown above avoid this:
This example only copies the structure (folders) of the mailbox:
mail3:~# imapsync --subscribed --subscribe --justfolders --host1 mail.switzernet.com --user1 billing@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 billing@mail3.switzernet.com --password2 "YYY" --authmech2 PLAIN
This example is a full synchronization example, excluding or including folders. It also deletes emails from the destination mailbox if they don’t exist on the source:
mail2:~# imapsync --subscribed --subscribe --include 'INBOX' --exclude '2007|2008|Sent' --host1 mail.switzernet.com --user1 support@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 support@mail2.switzernet.com --password2 "YYY" --authmech2 PLAIN --delete2
This example is a synchronization of two specific folders:
mail3:~# imapsync --folder 'INBOX.2008.081101-invoices' --folder 'INBOX.2008.081201-invoices' --host1 mail.switzernet.com --user1 billing@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 billing@mail3.switzernet.com --password2 "YYY" --authmech2 PLAIN --prefix2 'INBOX/Archive/'
This example synchronizes the Sent folder between two servers:
mail2:~# imapsync --folder 'INBOX.Sent' --host1 mail.switzernet.com --user1 contracts@switzernet.com --password1 "XXX" --authmech1 PLAIN --host2 127.0.0.1 --user2 contracts@mail2.switzernet.com --password2 "YYY" --authmech2 PLAIN
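The two recommendations above (start in dry mode, keep passwords in files) can be enforced by a small wrapper. This is an added example, not part of the original document or of imapsync; the function names, the IMAPSYNC override variable and the "apply" keyword are illustrative, and only options that appear in this document are used.

```shell
#!/bin/sh
# Added example, not part of the original document or of imapsync.

# Succeeds if $1 is a regular file that grants no access to group or others.
passfile_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldn -- "$1" | awk '{ print substr($1, 5, 6) }')
    [ "$perms" = "------" ]
}

# imapsync_private HOST1 USER1 PASSFILE1 HOST2 USER2 PASSFILE2 [apply]
# Runs imapsync with password files only, and in dry mode unless the
# seventh argument is "apply".
imapsync_private() {
    host1=$1 user1=$2 pass1=$3 host2=$4 user2=$5 pass2=$6 run_mode=${7:-dry}
    for f in "$pass1" "$pass2"; do
        passfile_is_private "$f" || {
            echo "passfile missing or not private (chmod 600): $f" >&2
            return 1
        }
    done
    set -- --host1 "$host1" --user1 "$user1" --passfile1 "$pass1" \
           --host2 "$host2" --user2 "$user2" --passfile2 "$pass2"
    [ "$run_mode" = apply ] || set -- "$@" --dry
    # IMAPSYNC is a hypothetical override, e.g. IMAPSYNC=echo to preview.
    "${IMAPSYNC:-imapsync}" "$@"
}

# Usage (dry run first, then the real transfer):
#   imapsync_private mail.switzernet.com billing@switzernet.com /etc/secret1 \
#                    127.0.0.1 billing@mail3.switzernet.com /etc/secret2
#   ... same arguments, followed by: apply
```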