This document is applicable for Zimbra Daffodil versions 10.0 and 10.1.0.
License
Synacor, Inc., 2024-2025
© 2024-2025 by Synacor, Inc. Zimbra Collaboration Administrator Guide
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License unless another license agreement between you and Synacor, Inc. provides otherwise. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0 or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.
Synacor, Inc., 2024-2025
505 Ellicott Street, Suite A39
Buffalo, NY 14203
US
Introduction
Zimbra Collaboration is a full-featured messaging and collaboration solution that includes email, address book, calendaring, tasks, and Web document authoring.
Zimbra Daffodil (v10.1) introduced a new license service with significant changes in licensing management. Please refer to Licensing section for more details |
Audience
This guide is for system administrators responsible for installing, maintaining, and supporting the server deployment of Zimbra Collaboration.
Readers of this guide should have the following recommended knowledge and skill sets:
-
Familiarity with the associated technologies and standards
-
Linux operating system and open source concepts
-
Industry practices for mail system management
Third-Party Components
Where possible, Zimbra Collaboration adheres to existing industry standards and open source implementations for backup management, user authentication, operating platform, and database management. However, it only supports the specific implementations described in the Zimbra Collaboration architecture overview in the Product Overview chapter as officially tested and certified. This document might occasionally note when other tools are available in the marketplace, but such mention does not constitute an endorsement or certification.
Support and Contact Information
-
Contact Zimbra Sales to purchase Zimbra Daffodil (v10).
-
Zimbra Collaboration customers can contact support at support@zimbra.com.
-
Explore the Zimbra Forums for answers to installation or configuration problems.
-
Join the Zimbra Community Forum, to participate and learn more about Zimbra Collaboration.
-
Send an email to feedback@zimbra.com to let us know what you like about the product and what you would like to see in the product. If you prefer, post your ideas to the Zimbra Forum.
For additional product information, the following resources are available:
Product Life Cycle
This chapter provides information about the Product Life Cycle stages of Zimbra components.
Component Deprecation Statements
Component | Deprecation Statement |
---|---|
Zextras/NG modules |
HSM, Backup, Mobile, ABQ, Drive, Docs, Auth, Connect and Admin have been removed. |
IMAPD |
Removed |
Product Overview
This chapter provides a system overview of Zimbra components.
Architectural Overview
The Zimbra Collaboration architecture is built with well-known open source technologies and standards-based protocols. The architecture consists of client interfaces and server components that can run as a single node configuration or be deployed across multiple servers for high availability and increased scalability.
The architecture includes the following core advantages:
Core Advantage | Components/Description |
---|---|
Open source integrations |
Linux®, Jetty, Postfix, MariaDB, OpenLDAP® |
Industry-standard open protocols |
SMTP, LMTP, SOAP, XML, IMAP, POP |
Modern technology Design |
HTML5, Javascript, XML, and Java |
Scalability |
Each Zimbra mailbox server includes its own mailbox accounts and associated message store and indexes. The Zimbra platform scales vertically (by adding more system resources) and horizontally (by adding more servers) |
Browser-based client interface |
Easy, intuitive access to Zimbra Collaboration features, using a standard web platform. |
Browser-based Administration Console |
Core Email, Calendar and Collaboration Functionality
Zimbra Collaboration is an innovative messaging and collaboration application that offers the following state-of-the-art solutions that are accessed through the browser based web client.
-
Intuitive message management, search, tagging, and sharing.
-
Personal, external, and shared calendar.
-
Personal and shared Address Books and Distribution Lists.
-
Personal and Shared Task lists.
Zimbra Components
Zimbra architecture includes open-source integrations using industry standard protocols. The third-party software listed in Third-Party Software is bundled with Zimbra software and installed as part of the installation process. These components have been tested and configured to work with the software.
3rd-Party Component | Description |
---|---|
Jetty |
Web application server that runs Zimbra software. |
Postfix |
Open source mail transfer agent (MTA) that routes mail messages to the appropriate Zimbra server |
Open LDAP software |
Open source implementation of the Lightweight Directory Access Protocol (LDAP) that stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication. Zimbra can also work with GAL and authentication services provided by external LDAP directories such as Active Directory |
MariaDB |
Database software |
Lucene |
Open source full-featured text and search engine |
Third-party source that converts certain attachment file types to HTML |
|
Anti-virus/anti-spam |
Open source components that include:
|
Apache JSieve |
Manages filters for email |
LibreOffice |
High fidelity document preview |
OnlyOffice |
Collaborative document editing |
Zimbra Application Packages
Zimbra Collaboration provides the application packages listed in Application Packages.
Package | Description |
---|---|
Zimbra Core |
The libraries, utilities, monitoring tools, and basic configuration
files. |
Zimbra Modern Web Client |
The assets required for Zimbra Modern Web App. This package is automatically installed on each server. |
Zimbra Store |
The components for the mailbox server (including Jetty). The Zimbra mailbox server includes the following components:
|
Zimbra LDAP |
Zimbra Collaboration uses the OpenLDAP® software, which is an open source LDAP directory server. User authentication, the Zimbra Global Address List, and configuration attributes are services provided through OpenLDAP. Note that the Zimbra GAL and authentication services can be provided by an external LDAP Directory such as Active Directory. |
Zimbra MTA |
Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra MTA also includes the anti-virus and anti-spam components. |
Zimbra Proxy |
Zimbra Proxy is a high-performance reverse proxy service for passing IMAP[S]/POP[S]/HTTP[S] client requests to other internal Zimbra services.This package is normally installed on the MTA server(s) or on its own independent server(s). When the zimbra-proxy package is installed, the proxy feature is enabled by default. Installing the Zimbra Proxy is highly recommended, and required if using a separate web application server. |
Zimbra Memcached |
Memcached is automatically selected when the zimbra-proxy is installed. At least one server must run zimbra-memcached when the proxy is in use. You can use a single memcached server with one or more Zimbra proxies. zimbra-memcached is required if using a separate web application server. |
Zimbra SNMP (Optional) |
If you choose to install zimbra-SNMP for monitoring, this package should be installed on every Zimbra server. |
Zimbra Logger (Optional) |
If used, this is installed on one mailbox server, and must be installed at the same time as the mailbox server.The Zimbra Logger installs tools for syslog aggregation and reporting. If you do not install Logger, the server statistics section of the Administration Console will not display. |
Zimbra Spell (Optional) |
Aspell is the open source spell checker used on the Zimbra Classic Web App. When Zimbra-Spell is installed, the Zimbra-Apache package is also installed. |
Zimbra Apache |
This package is installed automatically when Zimbra Spell or Zimbra Convertd is installed. |
Zimbra Convertd |
This package is installed on the zimbra-store server. Only one Zimbra-convertd package needs to be present in the Zimbra Collaboration environment. The default is to install one zimbra-convertd on each zimbra-store server. When Zimbra-Convertd is installed, the Zimbra-Apache package is also installed. |
Zimbra Archiving (Optional) |
Archiving and Discovery offers the ability to store and search all messages delivered to, or sent by the Zimbra Collaboration Server. This package includes the cross mailbox search function which can be used for both live and archive mailbox searches. Note: Using Archiving and Discovery can trigger additional mailbox license usage. To find out more about Zimbra Archiving and Discovery, contact Zimbra sales. |
Zimbra OnlyOffice |
This package installation is required for collaborative document editing of documents which is powered by Onlyoffice and enables collaborative editing of the documents stored in Briefcase. This package can be installed and setup on a Proxy server, Mailbox server or as a separate Document server. |
License Daemon Service (LDS) |
With the introduction of the new license service within Zimbra Daffodil (v10.1) a new license service has been added named License Daemon Service (LDS) to allow enhanced and flexible license management. The LDS is a required service to support the management of the license. |
Mail Flow — Multi-Server Configuration
The configuration for each deployment is dependent on numerous variables such as the number of mailboxes, mailbox quotas, performance requirements, existing network infrastructure, IT policies, security methodologies, spam filtering requirements, and more. In general, deployments share common characteristics for incoming traffic and user connectivity, as depicted in the following diagram. Alternate methods for configuring numerous points within the network are also possible.
The numbered sequences are described below:
-
Inbound Internet mail goes through a firewall and load balancing to the edge MTA for spam filtering.
-
The filtered mail then goes through a second load balancer.
-
An external user connecting to the messaging server also goes through a firewall to the second load balancer.
-
The inbound Internet mail goes to any of the Zimbra Collaboration MTA servers and goes through spam and virus filtering.
-
The designated Zimbra Collaboration MTA server looks up the addressee’s directory information from the Zimbra Collaboration LDAP replica server.
-
After obtaining the user’s information from the Zimbra Collaboration LDPA server, the MTA server sends the mail to the appropriate Zimbra Collaboration server.
-
Internal end-user connections are made directly to any Zimbra Collaboration server that then obtains the user’s directory information from Zimbra Collaboration LDAP and redirects the user, as needed.
-
The backups from the Zimbra Collaboration servers can be processed to a mounted disk.
Zimbra System Directory Tree
The following table lists the main directories created by the Zimbra
installation packages. The directory organization is identical for any
server in the Zimbra Collaboration, when installing under (parent) /opt/zimbra
.
The directories not listed in the following table are libraries used for building the core Zimbra software or miscellaneous third-party tools. |
File | Description |
---|---|
|
Backup target contains full and incremental backup data |
|
Zimbra Collaboration application files, including the utilities described in Command-Line Utilities |
|
Policy functions, throttling |
|
Clam AV application files for virus and spam controls |
|
Configuration information |
|
Third-party scripts for conveyance |
|
Convert service |
|
SASL AUTH daemon |
|
Includes data directories for LDAP, mailboxd, postfix, amavisd, clamav |
|
Data Store |
|
SOAP txt files and technical txt files |
|
Server extensions for different authentication types |
|
Server extensions for different network version authentication types |
|
Contains the Apache Web server. Used for both aspell and convertd as separate processes |
|
Index store |
|
Contains Java application files |
|
mailboxd application server instance. In this directory, the
|
|
Libraries |
|
Internally used executables |
|
Local logs for Zimbra Collaboration server application |
|
RRD and SQLite data files for logger services |
|
MariaDB database files |
|
Used for collecting statistics |
|
OpenLDAP server installation, pre-configured to work |
|
Postfix server installation, pre-configured to work with Zimbra Collaboration |
|
Contains current transaction logs for the Zimbra Collaboration server |
|
SNMP monitoring files |
|
Certificates |
|
Message store |
|
Contains control scripts and Perl modules |
|
Contains Zimlet |
|
Contains Zimlets that are available with the Zimbra Classic Web App |
|
Contains Zimlet |
|
mailboxd statistics, saved as |
Zimbra Web Apps
Zimbra offers multiple Web App types for the use of Zimbra features. The Web Apps provide mail, calendar, address book, and task functions.
Client Type | Description |
---|---|
Modern Web App |
Uses modern technologies, UI design, and offers same user experience across devices like Desktop, Mobile and Tablet. |
Classic Web App |
Includes Ajax capability and offers a full set of web collaboration features. Supports desktop web browsers only; does not provide a user experience adapted to smaller screens, touch capabilities, or gestures. |
Users may select the Web App before they sign in, from the 'Version' drop-down on the login page. The admin can set the Default Web App to either Classic Web App or the Modern Web App, for a COS. Users can override this Default:
-
In the Modern Web App, users can go to Settings→General to change the value of default Web App they login to
-
In the Classic Web App, users can go to Preferences→General→Sign in to change the value of default Web App they login to
It is recommended that admins set the Default to the Modern Web App.
Web Services and Desktop Clients
In addition to using a web browser or mobile device to connect to Zimbra Collaboration, connection is available using a web service, such as Exchange Web Services (EWS), or a desktop client such as Zimbra Connector to Microsoft Outlook. The following are supported:
-
Exchange Web Services (EWS) provides client access to enable Zimbra Collaboration to communicate with the Exchange Server when using Microsoft Outlook on a Mac device. To enable EWS client access, see the Class of Service section. EWS is a separately licensed add-on feature.
-
Messaging Application Programming Interface (MAPI) synchronizes to supported versions of Microsoft Outlook with full delegate, offline access and support for S/MIME. Use the Zimbra Connector for Outlook to connect to Zimbra Collaboration when using Microsoft Outlook on a Windows device. To enable MAPI (Microsoft Outlook) Connector, see the Class of Service section.
-
Support for all POP3, IMAP4, Calendaring Extensions to Web Distributed Authoring and Versioning (CalDAV), and vCard Extensions to Web Distributed Authoring and Versioning (CardDAV) clients.
Offline Mode
For Classic Web App, Offline mode is no longer supported for Chrome versions 85 and above (affects Kepler9-Patch9 onwards). Users can still continue to use Offline mode in previous browser versions. |
Zimbra Offline Mode allows access to data — without network connectivity — when using the Zimbra Modern Web App.
For example, if there is no server connectivity or if server connectivity is lost, the Web App automatically transitions to “offline mode”. When server connectivity is restored, the Web App automatically reverts to “online mode”.
This offline mode uses the caching capability provided by HTML5 in modern browsers.
Security Measures
The coordinated use of multiple security measures, targeted to increase the security of the whole system, is one of the best approaches to securing your information infrastructure. These measures are implemented in the Zimbra Collaboration platform as a result of defense mechanisms summarized in the following topics:
To view current and detailed security news and alerts, please refer to Security Center on the Zimbra Wiki. |
Identity and Access Management
Key functions built into the system for user identity management are summarized in the following table:
Function | Description |
---|---|
Identity Lifecycle Management |
The leveraging of LDAP directory for all Create, Read, Update, and Delete (CRUD) functions associated to user administration with Zimbra Collaboration. LDAP usage is optional but all attributes specific to Zimbra Collaboration are stored and managed through the native LDAP directory. |
First Factor Authentication |
The combined user name and password primarily employed by authorized users when attempting to access the system. These credentials are retained in the user store: the passwords are stored as salted hash that is compared against that of the entered password, for rejection (no match) or acceptance (matched). If external directory (LDAP or Active Directory) is preferred, the appropriate login credentials can be stored in this external LDAP directory. See also Zimbra LDAP Service for more details. |
Two Factor Authentication |
A second layer of identity security that is configured at the Admin Console to enable or disable passcode generation to mobile devices associated with Zimbra Collaboration. When enabled, user or COS accounts must use the generated passcode to gain access to their client services. See also About 2 Factor Authentication and Two Factor Authentication. |
Authorized Access |
User accounts are defined by various attributes, permission levels, and policies to allow or disallow what data can be viewed and which functions can be performed. Admin Console administrators can create groups and assign access permissions to support targeted business objectives. |
Information Security and Privacy
Functions built into the system to secure data are summarized in the following table:
Key Concept | Description |
---|---|
Management of security, integrity, and privacy |
Zimbra Collaboration supports the use of S/MIME certificates (provided by publicly trusted Certification Authority (CA), as well as internal PKI; DomainKeys Identified Mail (DKIM); Domain-based Message Authentication, Reporting and Conformance (DMARC); Amavisd-new, which is housed in the Mail Transfer Agent (MTA) to manage incoming and out going DMARC policies. |
Encryption methods: |
|
In-transit |
Secure connections between endpoints and services use TLS in addition to various other protocols: SMTP, LMTP+STARTTLS, HTTPS, IMAPS/IMAP+STARTTLS, POP3S/POP3+STARTTLS. |
At-rest |
With S/MIME for end-to-end encryption, data stored in a Zimbra Collaboration message store is encrypted until decryption occurs with the appropriate private key. |
Anti-virus and Anti-spam |
Both malware and spam are challenged by the Zimbra Collaboration native functionality and third-party plugins: Amavisd-new, ClamAV, and Spam Assassin. |
This feature is supported only in the Classic Web App. |
System Logs
The Zimbra Collaboration system logs — generated by SNMP triggers — can be used to record data such as user and administrator activity, login failures, slow queries, mailbox activity, mobile synchronization activity, and data based errors. Events, alerts and traps can be forwarded to log management and event correlation system to create centralized polices and notifications based on your security and compliance requirements.
Function | Description |
---|---|
Incident response |
Administrators can use remote device wiping and/or account lockout in the event of a malicious or accidental activities (such as stolen user account credential, or lost smart phone). |
Archiving and discovery |
This optional feature allows administrators to select specific user email messages for archival and application of retention policies, which can be used for both archived and live mailboxes. |
Zimbra Daffodil (v10.1) Licensing
Zimbra Daffodil (v10.1) introduced an automated licensing and entitlement system for better flexibility in managing licenses and allows for future growth.
With the introduction of the new license service within Zimbra Daffodil (v10.1) a new license service has been added named License Daemon Service (LDS) to allow enhanced and flexible license management.
Please see License Daemon Service section for more information on LDS and how to setup. |
A Zimbra Collaboration license is required to enable license features and create accounts.
Following are the Zimbra Daffodil (v10.1) licensing updates:
-
A new license daemon is part of the Zimbra installation. It gets displayed as
zimbra-license-daemon
in the modules list and required for the normal functioning of Zimbra. -
An 18-26 alphanumeric character key is required which replaces the older license.xml file.
-
Zimbra Collaboration licenses are restrictive to the entitlement defined within the license and do not support multiple activations.
-
Once the Zimbra Collaboration license is activated no future license management by the user is required. License management is real-time and is managed by Zimbra.
-
An offline license server has been introduced to support environments that don’t have access to the public network.
-
All data gathered is based on license requirements and total usage which meets GDPR and other legal regulations.
The LDAP and LDS hostname are recorded for license registration and activation. -
Independent lab licenses are available. Contact Zimbra Sales or Support team.
Following is the architecture view:
LDAP Attributes
Following are the new attributes for Zimbra Daffodil (v10.1) licensing:
-
zimbraNetworkRealtimeLicense - Stores the license key required for both online and offline activation.
-
zimbraNetworkRealtimeActivation - Contains activation details, activated product version, features of activated license.
-
zimbraOfflineNetworkRealtimeLicense - Stores the network key required for offline activation.
-
zimbraFeatureActualUsageCount - Storing the Reporting and enforced feature’s over usage count.
License Features
Zimbra Collaboration licensing gives administrators visibility and control of the licensed features they plan to deploy. You can monitor usages and manage the following license features.
Zimbra Daffodil (v10.1) introduced a detailed view of licensed and unlicensed features for better management within the Admin UI or command line. The following are tracked licensed features:
Feature | Licensed Attributes | Description | Feature Code |
---|---|---|---|
Accounts |
AccountsLimit |
Accounts you can create. |
AL |
ZCO |
MAPIConnectorAccountsLimit |
Accounts that can use Zimbra Connector for Microsoft Outlook (ZCO). |
MCAL |
EWS |
EwsAccountsLimit |
Accounts that can use EWS for connecting to an Exchange server. EWS is a separately licensed add-on feature. |
EAL |
Zimbra Mobile |
MobileSyncAccountsLimit |
Accounts that can use ActiveSync protocol to access emails on their mobile devices. |
MSAL |
S/MIME |
SMIMEAccountsLimit |
Accounts that can use S/MIME feature. |
SMAL |
Archiving |
ArchivingAccountsLimit |
Allowed archive accounts. The archive feature installation is required. |
AAL |
Zimbra Office |
DocumentEditingAccountsLimit |
Document collaboration feature which enables to create/edit/share the documents within the organization. OnlyOffice installation is required. |
DEAL |
Sharing |
SharingAccountsLimit |
Control the Sharing & Delegation feature for the users. |
SHAL |
Briefcase |
BriefcaseAccountsLimit |
Control the Briefcase feature for the users. |
BAL |
Backup & Restore |
BackupEnabled |
Allows the admin to use Backup & Restore Feature |
BE |
Storage Management (Internal Volumes) |
StorageManagementEnabled |
Allows the admin to use Storage Management feature and create volumes using internal stores. |
SME |
Storage Management (External(S3) Volumes) |
ObjectStoreSupportEnabled |
Allows the admin to use Storage Management feature and create volumes using external S3 providers (e.g. AWS, Ceph). |
OSSE |
Attachment Indexing |
AttachmentIndexingEnabled |
Allows indexing of the attachment contents |
AIE |
Calendar |
CalenderAccountsLimit |
Enabling calendar feature for the users |
CALAL |
Conversation |
ConversationEnabledAccountsLimit |
Enabling conversation feature for the users |
CNEAL |
CrossMailboxSearch |
CrossMailboxSearchEnabled |
Allows doing searches for content across live and archive mailboxes. |
CMBSE |
Delegated Admin |
DelegatedAdminAccountsLimit |
Delegated Admin Accounts you can create |
DAAL |
Group Calendar |
GroupCalenderAccountsLimit |
Enables you to see multiple calendars at the same time |
GCAL |
Tag |
TaggingEnabledAccountsLimit |
Enabling tagging feature for the users |
TEAL |
Task |
TaskEnabledAccountsLimit |
Enabling task feature for the users |
TKEAL |
HTML View of attachements |
ViewInHtmlEnabledAccountsLimit |
View email attachments in HTML format |
VHEAL |
Zimlets |
ManageZimletsEnabledAccountsLimit |
User accounts that can manage Zimlets |
MZEAL |
Multi Factor Auth |
MultiFactorAuthEnabled |
Control the two factor authentication feature for the users. |
MFAE |
The short codes can be used to check the status of the individual service using the zmlicense command. Please refer to zmlicense section for more details.
|
Zimbra Daffodil (v10.1) License Requirements
You require a Zimbra’s license to create accounts in Zimbra Collaboration and to use the Modern Web App. |
Trial License is limited to one email address and an extension can be requested by contacting Zimbra Sales. |
To try out Zimbra Collaboration, you can obtain a trial version free of charge. Once your system is installed in a production environment, you will need to purchase a subscription or a perpetual license.
License Types | Description |
---|---|
Trial |
You can obtain a free Trial license from the Zimbra website, at https://www.zimbra.com → Product → Download → Get Trial License. The trial license allows you to create up to 50 users. It expires in 60 days. |
Subscription |
A Zimbra Subscription license can only be obtained through purchase. This license is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and the expiration date of the subscription license. |
Perpetual |
A Zimbra Perpetual license can only be obtained through purchase. This license is similar to a subscription license. It is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and an expiration date of 2099-12-31. When you renew your support agreement, you receive no new perpetual license, but your Account record in the system gets updated with your new support end date. |
License Usage by Zimbra Collaboration Account Type
An account assigned to a person, including an account created for archiving, requires a mailbox license. Distribution lists, aliases, locations, and resources do not count against the license.
Below is a description of types of Zimbra Collaboration accounts and if they impact your license limit.
License Account Type | Description |
---|---|
System account |
System accounts are specific accounts used by Zimbra Collaboration. They include the spam filter accounts for junk mail (spam and ham), the virus quarantine account for email messages with viruses, and the GALsync account if you configure GAL for your domain. Do not delete these accounts! These accounts do not count against your license. |
Administrator account |
Administrator and delegated administrator accounts count against your license. |
User account |
User accounts count against your license account limit. When you delete an account, the license account limit reflects the change. |
Alias account |
These types do not count against your license. |
Distribution list |
|
Resource account |
License Activation
All Zimbra Daffodil (v10.1) installations require license activation and continues to support the Automatic and Manual license methods. In Daffodil (v10.1), the terms has been changed to Online Activation and Offline Activation.
The Admin Console has been enhanced with a more intuitive and easy-to-follow UI where all the operations related to license deployment are on a single screen.
The activation of the Zimbra Daffodil (v10.1) License can be done during the installation, upgrade, or after the installation. No future license management is required on the server once the license has been activated.
Without activating the license, the Zimbra services will not start.
Online License Activation
Licenses are automatically activated if the Zimbra Collaboration server has a connection to the Internet and can communicate with the Zimbra License server.
Following are the applicable activation rules for an online license:
-
Account should have valid support end date.
-
License should be Valid (should not be expired).
-
License can be switched, provided new license limit is greater than or equal to current license usage.
-
Activation of trial license over any existing license (trial, regular, perpetual) is not allowed.
Following are the steps to activate the license:
Admin Console
-
Login to Admin Console and go to Home → Get Started → Install Licenses → Online Activation
-
In the Key text box, specify the 18-26 alphanumeric character license key and click on Activate.
-
After successful activation, you will see a success message - Your license is successfully activated.
Command Line
You can also activate your license from the command line interface.
-
As a
zimbra
user, run the command:
zmlicense -a <license_key>
-
After successful activation, you will see a success message - Your license is successfully activated.
Upgraded Zimbra Collaboration versions require an immediate activation to maintain network feature functionality. |
If you are unable to activate your license automatically, see the next section on Offline License Activation.
Offline License Activation
The method of generating and activating an Offline License in Zimbra Daffodil (v10.1) has changed. As a pre-requisite, a new package
has to be installed on the server that is running the license daemon service. After installing the package, an offline daemon service is started which acts as a locally run license manager.zimbra-nalpeiron-offline-daemon
The Offline License activation will not work if the package is not installed or the offline daemon service is not running. |
The Offline Daemon service is a critical and important service for the functioning of a Offline License and its management. You are recommended to have a service monitoring setup to check the state of the service. |
The offline license may take upto 48 hours to be issued. |
Following is the architectural view of the Offline License process:
Pre-requisites
Following are the pre-requisites to be completed before installing the offline daemon packages:
Disable FIPS
FIPS should be disabled on the system before installing the offline daemon packages.
Following are the steps to disable FIPS. Execute the commands as root
user:
-
For RHEL/CentOS/Rocky Linux systems:
sudo fips-mode-setup --disable sudo reboot
-
Verify FIPS is disabled. Check the /proc/sys/crypto/fips_enabled file. If disabled, following will be the output:
$ cat /proc/sys/crypto/fips_enabled 0
-
-
For Ubuntu systems:
sudo ua disable fips sudo reboot
-
Verify FIPS is disabled. Check the /proc/sys/crypto/fips_enabled file. If disabled, following will be the output:
$ cat /proc/sys/crypto/fips_enabled 0
-
Disable SELinux
SELinux should be disabled on the system before installing the offline daemon packages. You will have to reboot the system to make the changes effective.
Following are the steps to disable SELinux. Execute the commands as root
user:
-
For RHEL/CentOS/Rocky Linux systems:
-
Check the SELinux status. If the status appears
enabled
, execute the further steps to disable:$ sestatus| grep 'SELinux status\|Current mode' SELinux status: enabled Current mode: enforcing
-
Edit
/etc/sysconfig/selinux
:vi /etc/selinux/config
-
Change the SELINUX directive to disabled.
SELINUX=disabled
-
Save and exit the file. Reboot the system:
reboot
-
After the reboot, check the status. SELinux should appear disabled:
$ sestatus| grep 'SELinux status' SELinux status: disabled
-
-
For Ubuntu systems:
-
Check the SELinux status. If the status appears
enabled
, execute the further steps to disable:$ sestatus| grep 'SELinux status\|Current mode' SELinux status: enabled Current mode: enforcing
-
Edit
/etc/selinux/config
:vi /etc/selinux/config
-
Change the SELINUX directive to disabled.
SELINUX=disabled
-
Save and exit the file. Reboot the system:
reboot
-
After the reboot, check the status. SELinux should appear disabled:
$ sestatus| grep 'SELinux status' SELinux status: disabled
-
Add locale en_US.utf8
Locale en_US.utf-8
is required for the offline daemon packages.
Following are the steps to check and add the locale. Execute the commands as root
user:
-
For RHEL/CentOS/Rocky/Ubuntu Linux systems:
-
Check if the required locale
en_US.utf8
is available on the system. If available, it will display as following:$ locale -a |grep 'en_US.utf8' en_US.utf8
-
If not available, add the locale:
$ localedef -i en_US -f UTF-8 en_US.UTF-8
-
Install offline daemon packages
Following are the steps to install the offline daemon packages. Execute the commands as a root
user:
-
For RHEL/CentOS/Rocky Linux systems:
yum clean metadata yum check-update yum install zimbra-nalpeiron-offline-daemon
-
For Ubuntu systems:
apt-get update apt-get install zimbra-nalpeiron-offline-daemon
-
Verify the nalpdaemon service is active:
$ systemctl status nalpdaemon ● nalpdaemon.service - Nalpeiron Licensing Daemon Loaded: loaded (/usr/lib/systemd/system/nalpdaemon.service; enabled; vendor preset: disabled) Active: active (running) since Sat 2024-06-08 02:03:37 EDT; 1s ago
In case the service is not active, restart the service:
$ systemctl restart nalpdaemon
As a zimbra
user, restart the LDS and configdctl service:
$ su - zimbra $ zmlicensectl --service restart $ zmconfigdctl restart
Requesting and Activating Offline license
The method is supported through Admin Console and CLI.
Following are the steps:
Admin Console
-
Contact the Support team to get the Network Key and License Key.
-
Login to Admin Console and go to Home → Get Started → Install Licenses → Offline Activation
-
Under Step 1, specify the Network Key and License Key and click on Generate Activation Request.
-
After the network and product activation files are generated successfully, Download button will appear next to the text box.
-
Click on Download button next to the text box and save the files. The name and filetype will be pre-populated when saving - network_activation_fingerprint, product_activation_fingerprint.
-
Login to Support Portal and select the License tab.
-
Select Generate an Offline License Activation file for versions 10.1 or greater.
-
Specify the Product License Key and Network License Key.
-
Copy the contents of network_activation_fingerprint.txt file and paste in the Network Activation Fingerprint text box.
-
Copy the contents of product_activation_fingerprint.txt file and paste in Product Activation Fingerprint text box.
-
Specify the product version in Product Verstion text box.
-
Click on Generate License Certificate
-
Save the generated License Activation XML file.
-
Go back to the Admin Console License page.
-
Under Offline Activation → Step3, upload the License Activation XML file and click on Activate.
-
After successful activation, you will see a success message - Your license is successfully activated.
Command Line
-
Contact Sales and get the Network Key and License Key.
-
As a
zimbra
user, runzmlicense
command to generate Network Key and License Keyzmlicense --offlineActivationRequestCert --network <network_key> --product <product_key>
-
Save the certificates printed on the screen as network_activation_fingerprint.txt, and product_activation_fingerprint.txt.
-
Login to Support Portal and select the License tab.
-
Select Generate an Offline License Activation file for versions 10.1 or greater.
-
Specify the Product License Key and Network License Key.
-
Copy the contents of network_activation_fingerprint.txt file and paste in the Network Activation Fingerprint text box.
-
Copy the contents of product_activation_fingerprint.txt file and paste in Product Activation Fingerprint text box.
-
Specify the product version in Product Verstion text box.
-
Click on Generate License Certificate
-
Save the generated License Activation XML file on the server.
-
As a
zimbra
user, runzmlicense
command to activate the offline licensezmlicense -A /path_to_XML/activation_file.xml
-
After successful activation, you will see a success message - Your license is successfully activated.
If you have problems accessing the Support Portal or facing any issues when activating the Offline License, contact Zimbra Sales or Support.
When Licenses are not Installed or Activated
If you fail to install or activate your Zimbra Collaboration server license, the following scenarios describe how your Zimbra Collaboration server will be impacted.
License Condition | Description/Impact |
---|---|
Not installed |
With no installed license, the Zimbra Collaboration server defaults to single user mode where all license-limited features are limited to one user. |
Not valid |
If the license file appears forged or fails validation for other reasons, the Zimbra Collaboration server defaults to single-user mode. |
Not activated |
A license activation grace period is 10 days. If this period passes without activation, the Zimbra Collaboration server defaults to single-user mode. |
For future date |
If the license starting date is in the future, the Zimbra Collaboration server defaults to single-user mode. |
In grace period |
Zimbra Daffodil (v10.1) onwards, the Grace Period functionality has been changed. For more details, please refer to the Grace Period section in the Admin Guide. |
Expired |
If the license ending date has passed, the 30 day grace period has expired, and users decide not to obtain a new license, following functions stop working - All the network features, Account operations (create,edit,delete), Modern UI. Normal email operations will continue to work. |
Renewal |
If the license is renewed within the grace period or after expiry, the network features will be functional including account operations and Modern UI. Mailbox service restart is required after successful license activation. |
Obtaining a License
Go to the Zimbra Website https://www.zimbra.com → Product → Download → Get Trial License to obtain a trial license. Contact Zimbra sales to extend the trial license, or to purchase a subscription license or perpetual license, by emailing sales@zimbra.com or calling 1-972-407-0688.
The subscription and perpetual license can only install on the Zimbra Collaboration system identified during purchase. Only one Zimbra license is required for your Zimbra Collaboration environment. This license sets the maximum number of accounts on the system.
Current license information, including the number of accounts purchased, the number of accounts used, and the expiration date, can be viewed in the Admin Console.
- Admin Console:
-
Home → Get Started → Install Licenses → Current License Information.
License Reconciliation and Data Collection Notice
By consenting to the End-User License Agreement, you grant Synacor Inc. and its certain licensees, permission to collect licensing and non-personally-identifiable usage data from your Zimbra Collaboration server. |
During installation, upgrades, and periodically while in use, the Zimbra Collaboration server transmits information for reconciliation of billing and license data.
Permission for this data collection is granted under sections 11.4 and 11.6 of the End User License Agreement for Zimbra Collaboration. Copies of the license can be found at https://www.zimbra.com/legal/licensing/.
The data that is being collected consists of elements of the current license information and is governed by Synacor’s Privacy Policy, which can be found at https://www.synacor.com/privacy-policy/.
Admin Console Enhancements
The License Management UI has been enhanced and made it a more intuitive and easy-to-follow UI where all the operations related to license deployment are on a single screen.
The License Management page can be accessed in 2 ways:
-
Login to Admin Console and go to Home → Get Started → Install Licenses
-
Login to Admin Console and go to Home → Configure → Global Settings → License
Overview
All the license operations are now available on a single screen. Following are the details of the section:
Current License Information
Displays the details of the license, status of the features, and usage for each feature.
Online Activation
Prior to Zimbra Daffodil (v10.1), this method was known as Automatic Activation.
If your server has direct connection to internet, you can use the Online method of activating the license.
Specify the 18-26 alphanumeric character license key and click on Activate to activate your license. After successful activation, you will see a success message - Your license is successfully activated
Offline Activation
Prior to Zimbra Daffodil (v10.1), this method was known as Manual Activation.
If your server do not have a direct connect to internet, you can use the Offline method of activating the license.
Please refer to the Offline License Activation section for detailed steps on generating the Offline License.
License check for Storage Management feature
Zimbra Daffodil (v10.1) onwards, the licenses are divided into two parts for the Storage Management feature:
-
StorageManagementEnabled - Attribute to enable/disable the Storage Management feature and to allow/disallow create volumes on internal storage.
-
ObjectStoreSupportEnabled - Attribute to allow/disallow creating volumes on external storage.
ObjectStoreSupportEnabled attribute is dependent on StorageManagementEnabled attribute. So you cannot enable ObjectStoreSupportEnabled without enabling StorageManagementEnabled for the license. |
Admin Console updates
Depending upon which attributes are enabled in the licenses, following will be the behavior:
StorageManagementEnabled = FALSE or license expired
-
If you try to access the Storage Management tab Home → Configure → <Server> → <Server_Name> → Storage Management, an error dialog gets displayed - Your license for this feature has expired or is not valid. Please see Configure - Global Settings - License for more information.
-
If you try to access the Storage Management tab under Global Settings Home → Configure → Global Settings → Storage Management an error dialog gets displayed - Your license for this feature has expired or is not valid. Please see Configure - Global Settings - License for more information.
StorageManagementEnabled = TRUE and ObjectStoreSupportEnabled = FALSE
If ObjectStoreSupportEnabled is false and StorageManagementEnabled is true:
-
If you try to access the Storage Management tab Home → Configure → <Server> → <Server_Name> → Storage Management, the banner is displayed at the top of the page - You are not currently licensed for external volumes. Please see Configure - Global settings - License for more information.
-
When trying to add a volume, the selection of the external volumes will be disabled.
-
You cannot execute the SM session. The Start button appears disabled. You can execute it through CLI.
-
You cannot schedule an SM session. The scheduling appears disabled.
-
You will be able to create new policies.
-
If you try to access the Storage Management tab under Global Settings Home → Configure → Global Settings → Storage Management, you will not be able to view the bucket information.
-
When setting up volumes, if there were previously created external volumes, they will not appear in the list.
StorageManagementEnabled = TRUE and ObjectStoreSupportEnabled = TRUE
-
All functionality of Storage Management feature is available.
-
You can create internal and external volumes.
Grace Period
Zimbra Daffodil (v10.1) onwards, the mailbox server will enter into the Grace Period in the following two scenarios:
-
Unavailability of LDS / third-party license server.
-
License expiry.
Unavailability of LDS / third-party license server
If the connection from the mailbox server/s to the LDS node or the third-party license server is lost for approximately 30 minutes, the mailbox server/s enters the Grace Period.
The server/s will continue to run in the grace period until the connection is established to the LDS / third-party license server or till the expiry date of the license.
License expiry
When a license expires, the mailbox server/s enters the Grace Period. The server/s will continue to run in the grace period for 30 days.
Administrator will continue to see the license renewal prompts. When the admin login to the Admin Console, a message baner will be displayed on the home screen with a message - The license is in grace period and will expire in N days (N days are the days remaining for license expiry)
Functionality in Grace Period
Following functionality is available when the system is in Grace Period:
-
Email Operations - All the email operations will continue to function and there will be no impact or interruption for the end users.
-
Account modification - Users can modify any of the settings for their account. E.g. creating signatures or filters, changing password, etc.
-
Network features - All the network features will continue to function except restoring of an account.
Following functionality is not available when the system is in Grace Period:
-
Account operations:
-
You cannot create a new user or delete an existing user.
-
You cannot modify/update the following features for the existing users - EWS, SMIME, ActiveSync & ZCO
-
You cannot restore the account from a backup.
-
License Expiration
If you do not renew the license within the 30 days grace period, the license will expire and all the network features will stop functioning.
Feature in Grace Period
Zimbra Daffodil (v10.1.1) onwards, if the feature usage exceeds the allowed licensed limit, the feature enters the Grace Period for 10 days. During this time, periodic notifications are sent to the admin for 10 days to notify them of the feature/s in the grace period.
When the feature is in grace period, it cannot be enabled for the new/existing accounts.
If the feature remains in the grace period, then after 10 days, the correction process is triggered, and the overused feature/s are disabled at the account level. The notification emails contain information about the accounts where the feature is disabled.
The following features will go in the grace period after the limit is exceeded:
-
SMIME - Licensed Attribute SMIMEAccountsLimit
-
EWS - Licensed Attribute EwsAccountsLimit
-
MAPI (ZCO) - Licensed Attribute MAPIConnectorAccountsLimit
-
Zimbra Mobile - Licensed Attribute MobileSyncAccountsLimit
Following are the corrective actions to be taken when the feature goes in a grace period:
-
Disable the feature at the account or COS level: For example, the S/MIME feature limit is 10 and the used count is 21. The admin should disable the feature for 11 or more users to get the feature out of the grace period and within licensed limit. Once the feature is within the licensed limit, it will return to a normal state within 24 hours.
-
Increase the license limit: For example, if MAPI’s limit is 10 and the used count is 25, you can contact our sales team and request to increase the licensed limit by 15. Once the limit is updated, the feature will be back to a normal state within 24 hours.
Following are the scenarios where the feature/s can go in grace period:
-
Upgrade to Zimbra Daffodil (v10.1.1) or later:
-
After upgrading to Zimbra Daffodil (v10.1.1) or later, if the feature/s limit exceeds the licensed accounts, the feature will go in grace period.
-
-
Downgrading the licensed limit:
-
If the licensed limit is lowered which causes the feature to exceed the limit, the feature will go in grace period. E.g. The license had a SMIME limit of 100 accounts and you enabled it for 100 accounts. If this limit is lowered to 50 accounts, then the feature will go in grace period.
-
-
Restoring account/s:
-
If you restore the account/s which had feature/s enabled, it may cause to exceed the licensed limit.
-
Notifications
By default, the admin account provided during the installation of the server is set as the notification email. The notification email address is stored in the LDAP attribute zimbraLicenseNotificationEmail
and can be changed.
-
As a zimbra user, execute the following:
zmprov mcf zimbraLicenseNotificationEmail newemail@domain.com
The notifications are sent in following scenarios:
-
When the feature limit is exceeded and enters in a grace period.
-
When there is no action taken on the grace period feature and it is disabled for accounts.
-
If the feature is disabled for more than 100 accounts, then the account list is attached in the notification email.
Following is the sample notification email when the feature limit exceeds and it goes in a grace period:
Subject: Zimbra System Alert: Feature(s) usage limit exceeded The licensed number of accounts has been reached or exceeded for the following features: MobileSyncAccountsLimit: - Licensed users:10 - Current users:20 - Usage Exceeded on: 29-August 2024 MAPIConnectorAccountsLimit: - Licensed users:10 - Current users:21 - Usage Exceeded on: 29-August 2024 SMIMEAccountsLimit: - Licensed users:10 - Current users:20 - Usage Exceeded on: 29-August 2024 EwsAccountsLimit: - Licensed users:10 - Current users:20 - Usage Exceeded on: 29-August 2024 You can either reduce the usage of the existing users or increase the feature license limit. To increase the feature license limit, please contact Zimbra Sales at sales@zimbra.com To manage account feature allocation, please sign in to the Admin Portal. Please note the following: 1. You will continue to receive the notification for 10 days from the usage exceeded date. 2. You will not be able to enable the overused feature for any accounts. 3. If you do not take any action on the overused feature, the feature would be disabled for the users to get it under the licensed limit. Regards, Zimbra Support
Following is the sample notification email when no action is taken for a feature/s during grace period and it is disabled for less than 100 accounts:
Subject: Zimbra System Alert: Feature(s) disabled due to exceeded usage The licensed number of accounts has been exceeded and automatically adjusted at the account level for the following features: MobileSyncAccountsLimit - Licensed Users : 10 - Current Users : 14 - Users reduced by : 4 Feature disabled for the following accounts: test10@domain.com test11@domain.com test13@domain.com test14@domain.com EwsAccountsLimit - Licensed Users : 10 - Current Users : 15 - Users reduced by : 5 Feature disabled for the following accounts: test10@domain.com test11@domain.com test12@domain.com test13@domain.com test14@domain.com MAPIConnectorAccountsLimit - Licensed Users : 10 - Current Users : 15 - Users reduced by : 5 Feature disabled for the following accounts: admin@domain.com test10@domain.com test11@domain.com test12@domain.com test13@domain.com To increase the number of licenses, please visit the Zimbra Support Portal. To manage allocation of licenses to accounts, please sign in to the Admin Portal. Regards, Zimbra Support
Following is the sample notification email no action is taken for a feature/s during grace period and it is disabled for more than 100 accounts. The account list is attached in the notification email:
Subject: Zimbra System Alert: Feature(s) disabled due to exceeded usage The licensed number of accounts has been exceeded and automatically adjusted at the account level for the following features: SMIMEAccountsLimit - Licensed Users : 10 - Current Users : 211 - Users reduced by : 201 MAPIConnectorAccountsLimit - Licensed Users : 10 - Current Users : 211 - Users reduced by : 201 To increase the number of licenses, please visit the Zimbra Support Portal. To manage allocation of licenses to accounts, please sign in to the Admin Portal. Regards, Zimbra Support
Usage Prevention
When enabling a feature for an account or a cos, the Usage Prevention module prevents administrators from over provisioning of the features.
The Usage Prevention will be executed for the following features:
-
SMIME - Licensed Attribute SMIMEAccountsLimit
-
EWS - Licensed Attribute EwsAccountsLimit
-
MAPI (ZCO) - Licensed Attribute MAPIConnectorAccountsLimit
-
Zimbra Mobile - MobileSyncAccountsLimit
The Usage Prevention will be executed when doing following actions:
-
Create Account.
-
Modify Account.
-
Modify COS.
Following diagram explains the flow:
Following are the scenarios and their outcome which will be encountered when enabling the feature for an account or a COS:
-
Enabling overused feature - If you want to enable the SMIME feature on a cos that has 120 accounts and the licensed limit for the SMIME feature is 100. The operation will not be allowed as the license limit is exceeded. You will see the following error:
-
COS:
-
Cos Modification Failed : Please disable over used features to proceed, features list : zimbraFeatureSMIMEEnabled
-
Account:
Account Modification Failed : Exceeded limit for following feature(s): zimbraFeatureSMIMEEnabled
-
Enabling non-licensed feature - If you try to enable a feature for a COS/Account which is not licensed, you will see the following error:
-
COS:
-
Cos Modification Failed : Please disable features which are not licensed to use : zimbraFeatureMobileSyncEnabled
-
For Account:
Account Modification Failed : Features are not licensed to use, following feature(s) : zimbraFeatureMobileSyncEnabled
-
Enabling overused and non-licensed feature - When trying to enable a overused feature along with the non-licensed feature for a COS/Account, you will see the following error:
-
COS:
-
Cos Modification Failed : Please disable over used features to proceed, features list : zimbraFeatureSMIMEEnabled Please disable features which are not licensed to use : zimbraFeatureMobileSyncEnabled
-
Account:
Account Modification Failed : Exceeded limit for following feature(s): SMIME Features are not licensed to use, following feature(s) : zimbraFeatureMobileSyncEnabled
Enhanced zmlicense
command
Zimbra Daffodil (v10.1) onwards, the License management is real-time and provides the administrator with the overall usage view of the features.
Following are some enhancements along with the existing features of the command
Activate Online License key - zmlicense -a
-
As a zimbra user, execute
zmlicense -a
:
$ zmlicense -a <activation-key>
If the activation key is valid, a success message will be displayed else error is displayed.
Activate Offline License XML File - zmlicense -A
-
As a zimbra user, execute
zmlicense -A
:
$ zmlicense -A <license-activation-XML>
If the activation key is valid, a success message will be displayed else error is displayed.
Print License Details - zmlicense -p
-
As a zimbra user, execute
zmlicense -p
:
$ zmlicense -p Current activated license : 512345113142067890 Activated Product Version : 10.1.0_GA_4629 LDS Device Id : KgQIAuHG5gjU2kKo3VBk Feature : AccountsLimit Status: Authorized for use Max Limit: 10 Used Limit: 1 Feature : ArchivingAccountsLimit Status: Authorized for use Max Limit: 10 Used Limit: 0 Feature : AttachmentIndexingEnabled Status: Authorized for use . . .
Following are the details of the output:
-
Feature : Name of the licensed feature.
-
Status : Whether the licensed feature is entitled for the use or not:
-
Authorized for use - The feature is licensed for use.
-
Not authorized for use - The feature is not licensed for use.
-
-
Max Limit - Maximum number of accounts the feature can be enabled for.
-
Used Limit - The utilized limit of the feature.
Check License status - zmlicense -c
-
As a zimbra user, execute
zmlicense -c
:
$ zmlicense -c checking license status. . . Current license code : 53944123451399294, Activation status: License is OK
If the license is valid, a success message will be displayed else error is displayed.
Check individual feature status - zmlicense -fc <feature-code>
Please see the table in License Feature section for feature codes.
-
As a zimbra user, execute
zmlicense -fc
:
$ zmlicense -fc AL Feature AccountsLimit[AL] Status: Feature authorized for use
$ zmlicense -fc SHAL Feature SharingAccountsLimit[SHAL] Status: Feature not authorized, contact zimbra support for help.
Refresh license cache - zmlicense -rc
To refresh the license cache on the mailbox (reloading data from the license daemon service), you can use rc
option:
-
As a zimbra user, execute
zmlicense -rc
:
$ zmlicense -rc refreshing the license cache.. Cache refreshed status : true
License Daemon Service [LDS]
The License Daemon Service (LDS) is a new service that communicates with the Zimbra License Server in online mode and the LAN daemon (local installation) in offline mode.
LDS is responsible for managing license information with Zimbra License Server. During Install/Upgrade, it gets displayed as zimbra-license-daemon
in the modules list and is a required service. All real-time licensing operations are carried out through the LDS.
The license daemon service is a critical and important service for normal functioning of Zimbra and license management. You are recommended to have a service monitoring setup to check the state of the service. |
Overview
-
LDS is a simple Java service that is included when you install Zimbra.
-
It offers an API for managing licenses, like activating them, allocating features for accounts, or releasing them.
-
It is secure because it uses TLS Authentication, and only mailstores can access it.
-
It keeps a local cache of licenses.
-
The LDS is a required service to support the management of the license.
-
If the license daemon service is not installed or not running, Zimbra’s network features will not be able to validate and will be disabled which will affect license functionality and account management.
-
You can use the
zmlicensectl
command to manage the service.
Following is the architecture view:
System Requirements
LDS is not a resource intensive (CPU / Memory) service.
If it is deployed on a dedicated node, below minimum configurations are required: If deploying on a dedicated node, following are the minimum system requirements:
-
Processor Family: Intel/AMD w/ PassMark CPU Mark > 7,000
-
vCPU count: 2
-
RAM (GB): 8
Ports
Following ports on LDS node should be internally accessible from Mailbox:
Process | Port |
---|---|
LDS |
8081 |
Offline LAN daemon |
80 |
Offline pg daemon |
16700 |
Following ports should be externally accessible from LDS to my.nalpeiron.com and license.zimbra.com host:
Process | Port |
---|---|
Http |
80 |
Https |
443 |
Installing a separate License Daemon Service node
To separate the license daemon service from rest of the Zimbra services, you can setup a dedicated LDS node. You need to setup this node after upgrading the LDAP server and before you begin to upgrade the Mailbox servers.
The package zimbra-license-daemon
gets installed by default during Zimbra installation unless the administrator marks N for the package during Zimbra installation.
Type y and press Enter to install the zimbra-license-daemon
package.
Install zimbra-license-daemon [Y]
Installing the zimbra-license-daemon
package on a separate server
Unpack the Zimbra Daffodil (v10.1) and execute the installer script ./install.sh
.
Type y and press Enter to install the zimbra-license-daemon
package.
Select the packages to install Install zimbra-ldap [Y] N Install zimbra-logger [Y] N Install zimbra-mta [Y] N Install zimbra-dnscache [Y] N Install zimbra-snmp [Y] N Install zimbra-license-daemon [Y] Y Install zimbra-store [Y] N Install zimbra-apache [Y] N Install zimbra-spell [Y] N Install zimbra-convertd [Y] N Install zimbra-memcached [Y] N Install zimbra-proxy [Y] N Install zimbra-archiving [N] N Install zimbra-onlyoffice [Y] N Install zimbra-patch [Y] N Install zimbra-mta-patch [Y] N Install zimbra-proxy-patch [Y] N
Complete the rest of the installation.
Setting up Mailbox Server
After the installation of the LDS Node is successfully completed, you can now install/upgrade the Mailbox servers.
Unpack the Zimbra Daffodil (v10.1) and execute the installer script ./install.sh
.
If upgrading an existing mailbox server, provide a valid license key when prompted and continue till the package selection step.
ZCS upgrade from 8.8.15 to 10.1.0 will be performed. Validating whether an existing license is expired or not and checking if it qualifies for an upgrade Please enter the license key (an alphanumeric string of 18-24 characters without any special characters):5332567329720607741 SUCCESS: License valid License is valid and supports this upgrade. Continuing. Validating ldap configuration
You can also specify the license key with the ./install.sh
command. If the validation is successful, the installer will continue:
./install.sh --licensekey 5332567329720607741
If installing a new mailbox server, continue till the package selection step.
-
Following are the steps to setup mailbox server to use the dedicated LDS node:
-
Select
forN
option.Install zimbra-license-daemon
Install zimbra-license-daemon [Y] N
-
Installer will show the following prompt. Enter Y
Have you installed zimbra-license-daemon package on different node [N] Y
-
Installer will prompt to enter the host where the LDS is installed. Specify the LDS hostname:
Please enter the zimbra-license-daemon host [] <LDS_Hostname>
-
If LDS is running on server, the installation will continue.
-
In case the server failed to connect the LDS, the installer will display the
license-daemon should be running and healthy
and abort the installation. Please review the connection to the server and restart the installation. Refer to Troubleshooting section for common errors and its solution.
-
LDS Management command zmlicensectl
A new command zmlicensectl
has been introduced to manage the various operations for LDS.
Since the license daemon service is a critical and important service, this is not managed through the zmcontrol command. The zmcontrol command will show the status but you cannot start/stop/restart the LDS.
|
Following are the details on the options:
Operations | Parameter | Description |
---|---|---|
Display Help |
--help |
Display Help |
Service Management |
--service <arg> |
Manage various operations |
--service start, restart, stop, status |
Start, Restart, Stop or Check the service status |
|
--service setLogLevel=INFO,DEBUG,ERROR,WARN |
Set the various log levels. Helpful for debugging. |
|
--service setOfflineMode=true,false |
Enable/disable the offline mode |
|
Offline Service Management |
--nalpeiron <arg> |
When Offline License mode is enabled, this parameters is used to manage the offline service |
--nalpeiron start, restart, stop, status |
Start, Restart, Stop or Check the offline service status |
|
Export offline Data |
--exportOfflineLicenseData |
Extracts offline license usage data for analysis and billing |
Clear license directory |
--clearLicenseWorkDir |
A troubleshooting option for resolving potential license caching issues on LDS |
Example:
-
To restart the LDS, execute the command as
zimbra
user:
zmlicensectl --service restart
-
To set the log level in debug mode, execute the command as
zimbra
user:
zmlicensectl --service setLogLevel=DEBUG
-
To change the license mode from Online to Offline, execute the command as
zimbra
user:
zmlicensectl --service setOfflineMode=true
-
To restart the LAN daemon required for offline mode, execute the command as
zimbra
user:
zmlicensectl --nalpeiron restart
-
To export the Offline Usage data (required only for BSP’s), execute the command as
zimbra
user:
zmlicensectl --exportOfflineLicenseData
Troubleshooting
Logging
Following are the logs where all the licensing operations are logged:
-
Mailstore Logs:
-
Contains logs for the mailstore operations
-
Location: /opt/zimbra/log/mailbox.log
-
-
License Daemon Service logs
-
Contains logs relate to API communication between mailstore and LDS
-
Location: /opt/zimbra/log/license-daemon-service.log
-
-
Native Library Logs
-
Contains library errors occurred while communicating to nalpeiron server.
-
Location: /opt/zimbra/license/work/15xx.log
-
License Daemon Service logs
The file logging mechanism for LDS has been enhanced with a rolling policy that manages log files based on size and time. This ensures that logs are stored efficiently and that older logs are archived or deleted based on defined criteria.
Following are the details:
-
File Location: /opt/zimbra/log/license-daemon-service.log
-
Log Format: Logs include timestamp, thread name, log level, and message. e.g.
2024-08-01 10:11:03 [main] INFO c.zimbra.license.service.Application - The following 1 profile is active: "dev"
-
History Management: Maintains a history of log files for a specified number of days. Log files are retained for up to 15 days. Files older than 15 days are automatically deleted to adhere to the retention policy.
-
Size Cap: The total size of all log files combined will not exceed 5 gigabytes (GB). Once this limit is reached, older log files will be deleted to make room for new ones.
-
Size-Based Rolling: Log files are rotated when they reach a specified maximum size(max limit: 500 MB).This means each log file will be limited to 500 MB before a new file is created.
-
Time-Based Rolling: The time-based rolling configuration ensures that log files are organized by date and that a new log file is created for each day.
-
Time-Size Based Rolling
-
Daily Files:
-
Daily Creation: Each day, a new log file is created with the base name license-daemon-service.log. For example, logs for September 1, 2024, will be saved in a file named license-daemon-service.log.
-
End of Day Rolling: At the end of the day, the log file is rolled over and renamed with a date stamp in the format YYYY-MM-DD. For instance, the logs for September 1, 2024, will be saved as license-daemon-service-2024-09-01.0.log. If the file is rolled over multiple times within the day, subsequent files will be numbered sequentially, e.g., license-daemon-service-2024-09-01.1.log, license-daemon-service-2024-09-01.2.log, etc.
Accessing Logs:
-
Current Day Logs: To access the log file for the current day, you can use the command tail -f /opt/zimbra/log/license-daemon-service.log.
-
Previous Day Logs: To access logs from the previous day, you should use the date-stamped log file. For instance, logs from September 1, 2024, would be accessed with cat /opt/zimbra/log/license-daemon-service-2024-09-01.0.log.
File Indexing:
-
Sequential Numbering: If multiple log files are generated within the same day due to exceeding the maximum file size (maxFileSize), the files are sequentially numbered. For example,
license-daemon-service-2024-09-01.0.log license-daemon-service-2024-09-01.1.log license-daemon-service-2024-09-01.2.log
Error conditions/codes
There might be scenarios where you encounter various license errors/code or specific errors.
Following are some of the common scenarios and their resolution:
License Activation Failed:
-
license-daemon should be running and healthy
error when mailstore trying to connect to LDS:-
Make sure LDS is up and running.
-
Check status -
zmlicensectl --service status
-
If not running, Restart the service -
zmlicensectl --service restart
-
-
Failed to activate License:
-
Make sure LDS node have internet access.
-
-
Invalid License error with code “4001”:
-
Verify license is not expired.
-
-
Invalid license error with code “-10116”:
-
Check Account has valid support end date.
-
-
Invalid license error with code “-5000”:
-
Support end date might be empty.
-
-
Invalid license error with code “-401”:
-
License activation restricted or license inactive.
-
-
Invalid license error with error code “4000”:
-
License usage are not valid. May happen if you are trying to change the license.
-
-
Invalid license error with code “4002”:
-
Trial cannot be activated on regular license setup.
-
Feature Check Failed:
-
Make sure LDS is up and running -
zmlicensectl --service status
-
If not running, restart the LDS service -
zmlicensectl --service restart
-
-
Failed to use server level features such as Backup Restore, Storage Management, etc.
-
Make sure feature is authorized to use -
zmlicense -fc <feature_code>
** If it is enabled, then restart the mailbox -zmmailboxdctl restart
-
-
Failed to enabled feature on account/cos:
-
Make sure feature is authorized to use -
zmlicense -fc <feature_code>
-
If feature is of type limit, then make sure you have sufficient limit available -
zmlicense -p | grep -E '(EwsAccountsLimit)' -A3
-
If feature is of type limit, then make sure you have sufficient limit available -
zmlicense -p | grep -E '(EwsAccountsLimit)' -A3
-
Zimbra Mailbox Server
The Zimbra mailbox server is a dedicated server that manages all the mailbox content, including messages, contacts, calendar, and attachments.
The Zimbra mailbox server has dedicated volumes for backup and log files. Each Zimbra mailbox server can see only its own storage volumes. Zimbra mailbox servers cannot see, read, or write to another server.
Mailbox Server
Each account is configured on one mailbox server, and this account is associated with a mailbox that contains email messages, attachments, calendar, contacts and collaboration files for that account.
Each mailbox server has its own standalone message store, data store, and index store for the mailboxes on that server. The following is an overview of each store and their directory location.
Message Store
All email messages are stored in MIME format in the Message Store, including the message body and file attachments.
By default, the message store is located on each mailbox server under
/opt/zimbra/store
. Each mailbox has its own directory named after its
internal mailbox ID. Mailbox IDs are unique per server, not system-wide.
Messages with multiple recipients are stored as a single -copy on the message store. On UNIX systems, the mailbox directory for each user contains a hard link to the actual file.
When Zimbra Collaboration is installed, one index volume and one message volume are configured on each mailbox server. Each mailbox is assigned to a permanent directory on the current index volume. When a new message is delivered or created, the message is saved in the current message volume.
To manage your email storage resources, you can configure storage volumes for older messages by implementing a Storage Management (SM) policy. See Managing Configuration.
Data Store
The Data Store is a SQL database where internal mailbox IDs are
linked with user accounts. All the message metadata including tags,
conversations, and pointers indicate where the messages are stored in
the file system. The SQL database files are located in
/opt/zimbra/db
.
Each account (mailbox) resides only on one server. Each server has its own standalone data store containing data for the mailboxes on that server.
-
The data store maps the mailbox IDs to the users' LDAP accounts. The primary identifier within the Zimbra Collaboration database is the mailbox ID, rather than a user name or account name. The mailbox ID is only unique within a single mailbox server.
-
Metadata including user’s set of tag definitions, folders, contacts, calendar appointments, tasks, Briefcase folders, and filter rules are in the data store database.
-
Information about each mail message, including whether it is read or unread, and which tags are associated is stored in the data store database.
Index Store
The index and search technology is provided through Apache Lucene. Each
email message and attachment is automatically indexed when the message
arrives. An index file is associated with each account. Index files are
located in /opt/zimbra/index
.
The tokenizing and indexing process is not configurable by administrators or users.
The process is as follows:
-
The Zimbra MTA routes the incoming email to the mailbox server that contains the account’s mailbox.
-
The mailbox server parses the message, including the header, the body, and all readable file attachments such as PDF files or Microsoft Word documents, in order to tokenize the words.
-
The mailbox server passes the tokenized information to Lucene to create the index files.
Tokenization is the method for indexing by each word. Certain common patterns, such as phone numbers, email addresses, and domain names are tokenized as shown in the Message Tokenization illustration. |
Web Application Server
The Jetty web application server runs web applications (webapps) on any store server. It provides one or more web application services.
Mailstore Services
Mailstore services provides the back-end access to mailbox/account data. Webapps for the mailstore include:
-
Mailstore (mail server) =
/opt/zimbra/jetty/webapps/service
-
Zimlets =
/opt/zimbra/jetty/webapps/zimlet
User Interface Services
User Interface services provide front-end user interface access to the mailbox account data and Administration Console, including:
-
Web Apps =
/opt/zimbra/jetty/webapps/zimbra
-
Zimbra administrator console =
/opt/zimbra/jetty/webapps/zimbraAdmin
-
Zimlets =
/opt/zimbra/jetty/webapps/zimlet
Backing Up the Mailbox Server
Zimbra Collaboration includes a configurable backup manager that resides on
every Zimbra Collaboration server and performs both backup and restore
functions. You do not have to stop the Zimbra Collaboration server in order
to run the backup process. The backup manager can be used to restore a
single user, rather than having to restore the entire system in the event
that one user’s mailbox becomes corrupted. Full and incremental backups are
in /opt/zimbra/backup
.
See Backup and Restore.
Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup. When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.
Mailbox Server Logs
A Zimbra Collaboration deployment consists of various third-party
components with one or more mailbox servers. Each of the components may
generate its own logging output. Local logs are in /opt/zimbra/log
.
Selected Zimbra Collaboration log messages generate SNMP traps, which you can capture using any SNMP monitoring software. See Monitoring Zimbra Servers.
System logs, redo logs, and backup sessions should be on separate disks to minimize the possibility of unrecoverable data loss in the event that one of those disks fails. |
IMAP
Zimbra Collaboration has a built-in IMAP server which is installed by default and is part of zimbra-mailboxd process (Zimbra Mailbox Server).
Common IMAP Configuration settings
The following global and server level configuration attributes are available to control and tune the IMAP service.
-
zimbraImapServerEnabled. When set to TRUE, in-process IMAP server is enabled. When set to FALSE, in-process IMAP server is disabled. Default value is TRUE.
-
zimbraImapSSLServerEnabled. When set to TRUE, in-process IMAP SSL server is enabled. When set to FALSE, in-process IMAP SSL server is disabled. Default value is TRUE
-
zimbraImapBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP server should listen; if empty, binds to all interfaces.
-
zimbraImapBindPort. Specifies port number on which in-process IMAP server should listen. Default value is 7143.
-
zimbraImapSSLBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP SSL server should listen; if empty, binds to all interfaces.
-
zimbraImapSSLBindPort. Specifies port number on which in-process IMAP SSL server should listen on. Default value is 7993.
-
zimbraImapNumThreads. Specifies number of threads in IMAP handler’s thread pool. Zimbra Collaboration uses IMAP NIO by default, which allows each IMAP handler thread to handle multiple connections. The default value of 200 is sufficient to handle up to 10,000 active IMAP clients.
-
zimbraImapCleartextLoginEnabled. Specifies whether or not to allow cleartext logins over a non SSL/TLS connection. Default value is FALSE.
-
zimbraImapProxyBindPort. Specifies port number on which IMAP proxy server should listen. Default value is 143. See Zimbra Proxy Components for more information.
-
zimbraImapSSLProxyBindPort. Specifies port number on which IMAP SSL proxy server should listen. Default value is 993. See Zimbra Proxy Components for more information.
-
zimbraImapMaxRequestSize. Specifies maximum size of IMAP request in bytes excluding literal data. Note: this setting does not apply to IMAP LOGIN requests. IMAP LOGIN requests are handled by IMAP Proxy (Zimbra Proxy Components) and are limited to 256 characters.
-
zimbraImapInactiveSessionCacheMaxDiskSize. Specifies the maximum disk size of inactive IMAP cache in Bytes before eviction. By default this value is 10GB. This is a rough limit, because due to internals of Ehcache actual size on disk will often exceed this limit by a modest margin.
-
zimbraImapInactiveSessionEhcacheSize. Specifies the maximum heap size of the inactive session cache in Bytes before eviction. By default this value is 1 megabyte. This is a rough limit, because due to internals of Ehcache actual size in memory will often exceed this limit by a modest margin.
-
zimbraImapActiveSessionEhcacheMaxDiskSize. Specifies the maximum amount of disk space the imap active session cache will consume in Bytes before eviction. By default this value is 100 gigabytes. This is a rough limit, because due to internals of ehcache actual size in memory will often exceed this limit by a modest margin.
Zimbra LDAP Service
LDAP directory services provide a centralized repository for information about users and devices that are authorized to use your Zimbra service. The central repository used for Zimbra’s LDAP data is the OpenLDAP directory server.
Zimbra Collaboration supports integration with Microsoft’s Active Directory Server. Contact support for information on specific directory implementation scenarios. |
The LDAP server is installed when Zimbra is installed. Each server has its own LDAP entry that includes attributes specifying operating parameters. In addition, a global configuration object sets defaults for any server whose entry does not specify every attribute.
A subset of these attributes can be modified through the Zimbra administration console and others through the zmprov commands.
LDAP Traffic Flow
The LDAP Directory Traffic figure shows traffic between the Zimbra-LDAP directory server and the other servers in the Zimbra Collaboration system. The Zimbra MTA and the Zimbra Collaboration mailbox server read from, or write to, the LDAP database on the directory server.
The Zimbra clients connect through the Zimbra server, which connects to LDAP.
LDAP Directory Hierarchy
LDAP directories are arranged in an hierarchal tree-like structure with two types of branches, the mail branches and the config branch. Mail branches are organized by domain. Entries belong to a domain, such as accounts, groups, aliases, are provisioned under the domain DN in the directory. The config branch contains admin system entries that are not part of a domain. Config branch entries include system admin accounts, global config, global grants, COS, servers, mime types, and Zimlets.
The Zimbra LDAP Hierarchy figure shows the Zimbra LDAP hierarchy. Each type of entry (object) has certain associated object classes.
An LDAP directory entry consists of a collection of attributes and has a
globally unique distinguished name (dn
). The attributes allowed for an
entry are determined by the object classes associated with that entry.
The values of the object class attributes determine the schema rules the
entry must follow.
An entry’s object class that determines what kind of entry it is, is called a structural object class and cannot be changed. Other object classes are called auxiliary and may be added to or deleted from the entry.
Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson, and auxiliary object class zimbraAccount, would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.
Zimbra Collaboration LDAP Schema
At the core of every LDAP implementation is a database organized using a schema.
The Zimbra LDAP schema extends the generic schema included with OpenLDAP software. It is designed to coexist with existing directory installations.
All attributes and object classes specifically created for Zimbra Collaboration
are prefaced by “zimbra”, such as zimbraAccount
object class or
zimbraAttachmentsBlocked
attribute.
The following schema files are included in the OpenLDAP implementation:
-
core.schema
-
cosine.schema
-
inetorgperson.schema
-
zimbra.schema
-
amavisd.schema
-
dyngroup.schema
-
nis.schema
You cannot modify the Zimbra schema. |
Zimbra Collaboration Objects
Object | Description | Object class | ||
---|---|---|---|---|
Accounts |
Represents an account on the Zimbra mailbox server that can be logged into.
Account entries are either administrators or user accounts.
The object class name is zimbraAccount.
This object class extends the zimbraMailRecipient object class.
|
zimbraAccount |
||
Class of Service (COS) |
Defines the default attributes an account has and what features are allowed or denied. The COS controls features, default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts. |
zimbraCOS |
||
Domains |
Represents an email domain such as example.com or example.org. A domain must exist before email addressed to users in that domain can be delivered. |
zimbraDomain |
||
Distribution Lists |
Also known as mailing lists, are used to send mail to all members of a list by sending a single email to the list address. |
zimbraDistributionList |
||
Dynamic Groups |
Are like distribution lists. The difference is members of a dynamic group are dynamically computed by a LDAP search. The LDAP search filter is defined in an attribute on the dynamic group entry.
|
zimbraGroup |
||
Servers |
Represents a particular server in the Zimbra system that has one or more of the Zimbra software packages installed. Attributes describe server configuration information, such as which services are running on the server. |
zimbraServer |
||
Global Configuration |
Specifies default values for the following objects: server and domain. If the attributes are not set for other objects, the values are inherited from the global settings. Global configuration values are required and are set during installation as part of the Zimbra core package. These become the default values for the system. |
zimbraGlobalConfig |
||
Alias |
Represents an alias of an account, distribution list or a dynamic group. The zimbraAliasTarget attribute points to target entry of this alias entry. |
zimbraAlias |
||
Zimlet |
Defines Zimlets that are installed and configured in Zimbra. |
zimbraZimletEntry |
||
Calendar Resource |
Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class. |
zimbraCalendarResource |
||
Identity |
Represents a persona of a user. A persona contains the user’s identity such as display name and a link to the signature entry used for outgoing emails. A user can create multiple personas. Identity entries are created under the user’s LDAP entry in the DIT. |
zimbraIdentity |
||
Data Source |
Represents an external mail source of a user. Two examples of data source are POP3 and IMAP. A data source contains the POP3/IMAP server name, port, and password for the user’s external email account. The data source also contains persona information, including the display name and a link to the signature entry for outgoing email messages sent on behalf of the external account. Data Source entries are created under the user’s LDAP entry in the DIT. |
zimbraDataSource |
||
Signature |
Represents a user’s signature. A user can create multiple signatures. Signature entries are created under the user’s LDAP entry in the DIT. |
zimbraSignature |
Account Authentication
Supported authentication mechanisms are Internal, External LDAP, and
External Active Directory. The authentication method type is set on a
per-domain basis. If zimbraAuthMech
attribute is not set, the default is
to use internal authentication.
The internal authentication method uses the Zimbra schema running on the OpenLDAP server.
The zimbraAuthFallbackToLocal
attribute can be enabled so that the system
falls back to the local authentication if external authentication fails.
The default is FALSE.
Internal Authentication Mechanism
The internal authentication method uses the Zimbra schema running on the
OpenLDAP directory server. For accounts stored in the OpenLDAP server, the
userPassword
attribute stores a salted-SHA512 (SSHA512) digest of the user’s
password. The user’s provided password is computed into the SSHA digest
and then compared to the stored value.
External LDAP and External AD Authentication Mechanism
External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra LDAP for all other Zimbra Collaboration related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.
The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.
The zimbraAuthLdapURL
and zimbraAuthLdapBindDn
attributes are required
for external authentication.
-
zimbraAuthLdapURL
attributeldap://ldapserver:port/
identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.For example:
ldap://server1:3268 ldap://exch1.acme.com
If it is an SSL connection, use
ldaps:
instead ofldap:
. The SSL certificate used by the server must be configured as a trusted certificate. -
zimbraAuthLdapBindDn
attribute is a format string used to determine which DN to use when binding to the external directory server.During the authentication process, the user name starts out in the format: user@example.com
The user name might need to be transformed into a valid LDAP bind
DN
(distinguished name) in the external directory. In the case of Active Directory, that binddn
might be in a different domain.
Custom Authentication
You can implement a custom authentication to integrate external authentication to your proprietary identity database. When an authentication request comes in, Zimbra checks the designated auth mechanism for the domain. If the auth mechanism is set to custom authentication, Zimbra invokes the registered custom auth handler to authenticate the user.
To set up custom authentication, prepare the domain for the custom auth and register the custom authentication handler.
Preparing a domain for custom auth
To enable a domain for custom auth, set the domain attribute, zimbraAuthMech to custom:{registered-custom-auth-handler-name}.
In the following example, "sample" is the name under which custom authentication is registered.
zmprov modifydomain {domain|id} zimbraAuthMech custom:sample
Register a custom authentication handler
To register a custom authentication handler, invoke:
ZimbraCustomAuth.register( handlerName, handler )
in the init method of the extension.
-
Class: com.zimbra.cs.account.ldap.ZimbraCustomAuth
-
Method:
public synchronized static void register (String handlerName, ZimbraCustomAuth handler)
Definitions:
-
handlerName is the name under which this custom auth handler isregistered to Zimbra’s authentication infrastructure. This name is set in the domain’s zimbraAuthMech attribute of the domain.
-
handler is the object on which the authenticate method is invoked forthis custom auth handler. The object has to be an instance of
ZimbraCustomAuth
(or subclasses of it).
-
public class SampleExtensionCustomAuth implements ZimbraExtension {
public void init() throws ServiceException {
/*
* Register to Zimbra's authentication infrastructure
* custom:sample should be set for domain attribute zimbraAuthMech
*/
ZimbraCustomAuth.register("sample", new SampleCustomAuth());
}
...
}
How Custom Authentication Works
When an authentication request comes in and the domain is specified to use custom authentication, the authenticating framework invokes the authenticate method on the ZimbraCustomAuth
instance passed as the handler parameter to ZimbraCustomAuth.register()
.
The account object for the principal to be authenticated and the clear-text password entered by the user are passed to ZimbraCustomAuth.authenticate()
.
All attributes of the account can be retrieved from the account object.
Kerberos5 Authentication Mechanism
Kerberos5 Authentication Mechanism authenticates users against an external Kerberos server.
-
Set the domain attribute
zimbraAuthMech
tokerberos5
. -
Set the domain attribute
zimbraAuthKerberos5Realm
to the Kerberos5 realm in which users in this domain are created in the Kerberos database. When users log in with an email password and the domain,zimbraAuthMech
is set tokerberos5
, the server constructs the Kerberos5 principal by{localpart-of-the-email}@{value-of-zimbraAuthKerberos5Realm}
and uses that to authenticate to the kerberos5 server.
To specify Kerberos5 for an individual account set the account’s
zimbraForeignPrincipal
as kerberos5:{kerberos5-principal}
. For
example: kerberos5:user1@MYREALM.COM.
Global Address List
The Global Address List (GAL) is a company directory of users, usually within the organization itself, that is available to all users of the email system. Zimbra Collaboration uses the company directory to look up user addresses from within the company.
For each Zimbra Collaboration domain you can configure GAL to use:
-
External LDAP server
-
Zimbra Collaboration internal LDAP server
-
Both external LDAP server and Zimbra Collaboration LDAP in GAL searches
The Zimbra Collaboration Web Client can search the GAL. When the user searches
for a name, that name is turned into an LDAP search filter similar to the
following example, where the string %s
is the name the user is searching
for.
(|(cn = %s*)(sn=%s*)(gn=%s*)(mail=%s*))
(zimbraMailDeliveryAddress = %s*)
(zimbraMailAlias=%s*)
(zimbraMailAddress = %s*)
GAL Attributes in Zimbra Collaboration
The Attributes Mapped to Zimbra Collaboration Contact table maps generic GAL search attributes to their Zimbra Collaboration contact fields.
LDAP attributes are mapped to GAL entry fields. For example, the LDAP
attribute displayName
and cn
can be mapped to GAL entry field fullName
.
The mapping is configured in the zimbraGalLdapAttrMap
attribute.
Standard LDAP Attribute | Zimbra Collaboration Contact Field |
---|---|
|
workCountry |
|
Company |
|
firstName |
|
lastName |
|
fullName |
|
initials |
|
workCity |
|
workStreet |
|
workPostalCode |
|
workPhone |
|
mobile |
|
pager |
|
faxNumber |
|
workState |
|
jobTitle |
|
|
|
thumbnailPhoto |
|
Not currently mapped |
Zimbra Collaboration GAL Search Parameters
GAL is configured on a per-domain basis. To configure the attributes, you can run the GAL Configuration Wizard from the Administration Console.
Modifying Attributes
Additions, changes and deletions to the GAL attributes are made through the
Zimbra Administration Console or from the zmprov
commands.
Users can modify attributes for their account in the directory. When users change their options from the Zimbra Classic Web App, they also modify the attributes when they change their preferences.
Flushing LDAP Cache
When you modify the following type of entries in the Zimbra LDAP server, you might need to flush the LDAP cache to make the change available on the server.
-
Themes
-
Locales
-
Account
-
Groups
-
COS
-
Domains
-
Global configuration
-
Server
-
Zimlet configuration
Flush the Cache for Themes and Locales
When you add or change theme (skin) property files and locale resource files for Zimbra on a server, you must flush the cache to make the new content available.
zmprov flushCache skin
zmprov flushCache locale
Flush Accounts, Groups, COS, Domains, and Servers
When you modify the account, COS, groups, domain, and server attributes, the change is effective immediately on the server to which the modification is done. On the other servers, the LDAP entries are automatically updated after a period of time if the attributes are cached.
The default Zimbra setting to update the server is 15 minutes. The caching period is configured on local config key.
zmlocalconfig ldap_cache_<object>_maxage
zmprov flushCache {account|cos|domain|group|server|...} [name|id]...
If you do not specify a name or ID along with the type, all entries in cache for that type are flushed and the cache is reloaded.
Some server attributes require a server restart even after the cache is flushed. For example, settings like bind port or number of processing threads. |
Flush Global Attributes
When you modify global config attributes, the changes are effective immediately on the server to which the modification is done. On other mailbox servers, you must flush the cache to make the changes available or restart the server. LDAP entries for global config attributes do not expire.
Some global config attributes are computed into internal representations only once per server restart. For efficiency reasons, changes to those attributes are not effective until after a server restart, even after the cache is flushed. Also, some global configuration settings and server settings that are inherited from global config are only read once at server startup, for example port or number of processing threads. Modifying these types of attributes requires a server restart.
To flush the cache for global config changes on all servers:
-
Modify the setting on the local server
zmprov mcf zimbraImapClearTextLoginEnabled TRUE
The change is performed via the server identified by the localconfig keys
zimbra_zmprov_default_soap_server
andzimbra_admin_service_port
. -
To flush the global config cache on all other servers,
zmprov flushCache
must be issued on all servers, one at a time (or usezmprov flushCache -a
).For example:
zmprov –s server2 flushCache config zmprov –s server3 flushCache config
-
To determine if the action requires a restart
zmprov desc -a <attributename>
The
requiresRestart
value is added to the output if a restart is required.
Zimbra Mail Transfer Agent
The Zimbra MTA (Mail Transfer Agent) receives mail via SMTP and routes each message using Local Mail Transfer Protocol (LMTP) to the appropriate Zimbra mailbox server.
You can set MTA parameters with the Admin Console and the CLI. However, it is highly recommended that you use the CLI for MTA configuration to ensure the best results. |
The Zimbra MTA server includes the following programs:
MTA Server Programs | Purpose/Description |
---|---|
Postfix MTA |
Mail routing, mail relay, and attachment blocking |
Clam Anti-Virus |
Scanning email messages and attachments in email messages for viruses |
Spam Assassin |
Identify unsolicited commercial email (spam) |
Amavisd-New |
Interface between Postfix and ClamAV / SpamAssassin |
Zimbra Milter Server |
Enforce restrictions on which addresses can send to distribution lists and adds Reply-To and X-Zimbra-DL headers to messages sent from distribution lists |
Zimbra policy server |
Aid in protecting Alias Domains from Backscatter Spam |
Cluebringer |
Policy daemon/cbpolicyd used to enforce actions, such as rate limiting. For more information, see https://wiki.zimbra.com/wiki/Postfix_Policyd |
Opendkim |
Sign outgoing email if it has been configured to do so. For more information, see https://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing |
In the Zimbra Collaboration configuration, mail transfer and delivery are distinct functions: Postfix acts as a MTA, and the Zimbra mail server acts as a Mail Delivery Agent (MDA).
The MTA configuration is stored in LDAP. The zmconfigd
process polls the
LDAP directory every two minutes for modifications and updates the
Postfix configuration files with the changes.
Incoming Mail Routing Overview
The Zimbra mailbox server receives the messages from the Zimbra MTA server and passes them through any filters that have been created.
The MTA server receives mail via SMTP and routes each mail message to the appropriate mailbox server using LMTP. As each mail message arrives, its contents are indexed so that all elements can be searched.
Zimbra MTA Deployment
Zimbra includes a precompiled version of Postfix to route and relay mail and manage attachments. Postfix receives inbound messages via SMTP, performs anti-virus and anti-spam filtering and hands off the mail messages to the Zimbra Collaboration server via LMTP.
Postfix also plays a role in transferring outbound messages. Messages composed from the Zimbra Classic Web App are sent by the Zimbra server through Postfix, including messages sent to other users on the same server.
The Edge MTA can be any edge security solution for mail. You might already deploy such solutions for functions such as filtering. Some filtering might be duplicated between an edge MTA and the Zimbra MTA. |
Postfix Configuration Files
Zimbra modified Postfix files — main.cf and master.cf — specifically to work with Zimbra:
-
main.cf — Modified to include the LDAP tables. The
zmconfigd
in the Zimbra MTA pulls data from the Zimbra LDAP and modifies the Postfix configuration files. -
master.cf — Modified to use Amavisd-New.
Changes made to postfix configuration files will be overwritten with every upgrade and should be well documented. If possible, try to implement any necessary configuration changes using Zimbra defined parameters. |
SMTP Authentication
SMTP authentication allows authorized mail clients from external networks to relay messages through the Zimbra MTA. The user ID and password is sent to the MTA when the SMTP client sends mail so that the MTA can verify if the user is allowed to relay mail.
The user ID and password is sent to the MTA when the SMTP client sends mail. This ensures that the MTA can verify if the user is allowed to relay mail, by checking the associated credentials with the LDAP account.
User authentication is provided through the Zimbra LDAP directory server, or if implemented, through the Microsoft Active Directory Sever. |
SMTP Restrictions
You can enable restrictions so that messages are not accepted by Postfix when non-standard or other disapproved behavior is exhibited by an incoming SMTP client. These restrictions provide some protection against spam senders. By default, clients that do not greet with a fully qualified domain name are restricted. DNS based restrictions are also available.
Understand the implications of these restrictions before you implement them. You might have to compromise on these checks to accommodate people outside of your system who have poorly implemented mail systems. |
Sending Non Local Mail to a Different Server
You can configure Postfix to send nonlocal mail to a different SMTP server, commonly referred to as a relay or smart host.
A common use case for a relay host is when an ISP requires that all your email be relayed through a designated host, or if you have filtering SMTP proxy servers.
The relay host setting must not be confused with Web mail MTA setting. Relay host is the MTA to which Postfix relays non-local email. Webmail MTA is used by the Zimbra server for composed messages and must be the location of the Postfix server in the Zimbra MTA package.
To use the Administration Console to configure Relay MTA for external delivery:
- Admin Console:
-
Home → Configure → Global Settings → MTA → Network
To prevent mail loops, use caution when setting the relay host. |
Anti-Virus and Anti-Spam Protection
The Amavisd-New utility is the interface between the Zimbra MTA and Clam Anti-Virus (ClamAV) and SpamAssassin scanners.
Anti-Virus Protection
ClamAV software is the virus protection engine enabled for each Zimbra server.
The anti-virus software is configured to put messages that have been identified as having a virus to the virus quarantine mailbox. By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV.
You can change anti-virus settings at the Administration Console.
- Admin Console:
-
Home → Configure → Global Settings → AS/AV → Anti-virus Settings
Updates are obtained via HTTP from the ClamAV website. |
Scanning Attachments in Outgoing Mail
You can enable real-time scanning of attachments in outgoing emails sent using the Zimbra Classic Web App. If enabled, when an attachment is added to an email, it is scanned using ClamAV prior to sending the message. If ClamAV detects a virus, it will block attaching the file to the message. By default, scanning is configured for a single node installation.
To enable scanning, using a single node:
zmprov mcf zimbraAttachmentsScanURL clam://localhost:3310/
zmprov mcf zimbraAttachmentsScanEnabled TRUE
To enable scanning in a multi-node environment:
-
Designate the MTA nodes to handle ClamAV scanning.
-
Enable, as follows:
zmprov ms <mta_server> zimbraClamAVBindAddress <mta_server> zmprov mcf zimbraAttachmentsScanURL clam://<mta_server>:3310/ zmprov mcf zimbraAttachmentsScanEnabled TRUE
Anti-Spam Protection
Zimbra uses SpamAssassin to identify unsolicited commercial email (spam) with learned data stored in either the Berkeley DB database or a MariaDB database. You can also use the Postscreen function to provide additional protection against mail server overload. Both strategies are described in the following topics:
Spam Assassin Methods for Avoiding Spam
Usage guidelines are provided in the following topics:
For information about how to customize SpamAssassin, see https:// wiki.zimbra.com/wiki/Anti-spam_strategies. |
Managing the Spam Assassin Score: SpamAssassin uses predefined rules as well as a Bayes database to score messages with a numerical range. Zimbra uses a percentage value to determine “spaminess” based on a SpamAssassin score of 20 as 100%. Any message tagged between 33%-75% is considered spam and delivered to the user’s junk folder. Messages tagged above 75% are always considered spam and discarded.
You can change the spam percentage settings, and the subject prefix at the Administration Console.
- Admin Console:
-
Home → Configure → Global Settings → AS/AV → Spam checking Settings
By default, Zimbra uses the Berkeley DB database for spam training. You can also use a MariaDB database.
To use the MariaDB method on the MTA servers:
zmlocalconfig -e antispam_mysql_enabled=TRUE
When this is enabled, Berkeley DB database is not enabled.
Training the Spam Filter — The effectiveness of the anti-spam filter is dependent on user input to differentiate spam or ham. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.
At installation, a spam/ham cleanup filter is configured on only the
first MTA. The Zimbra spam training tool, zmtrainsa
, is configured to
automatically retrieve these messages and train the spam filter. The
zmtrainsa
script empties these mailboxes each day.
New installations of Zimbra limit spam/ham training to the first
MTA installed. If you uninstall or move this MTA, you will need to
enable spam/ham training on another MTA, as one host should have this
enabled to run To set this on a new MTA server:
|
Initially, you might want to train the spam filter manually to quickly
build a database of spam and non-spam tokens, words, or short character
sequences that are commonly found in spam or ham. To do this, you can
manually forward messages as message/rfc822 attachments to the spam and
non-spam mailboxes. When zmtrainsa
runs, these messages are used to teach
the spam filter. Make sure you add a large enough sampling of messages to
get accurate scores. To determine whether to mark messages as spam at least
200 known spams and 200 known hams must be identified.
SpamAssassin’s sa-update
tool is included with SpamAssassin. This tool
updates SpamAssassin rules from the SA organization. The tool is
installed into /opt/zimbra/common/bin
.
Configuring Final Destination for Spam — You can configure Amavis behavior to handle a spam item’s final destination by using the following attribute:
zimbraAmavisFinalSpamDestiny
The default is D_DISCARD
(which will not deliver the email to the
addressee).
Setting final spam destiny attributes:
zmprov mcf "zimbraAmavisFinalSpamDestiny" D_PASS
zmprov ms serverhostname.com D_PASS
Value | Description |
---|---|
|
Deliver the email to the recipient. The email is likely to be placed in the recipient’s junk folder (although some sites disable junk). |
|
The email is bounced back to the sender. Because this setting can create backscatter — as the "sender" is not the person who actually sent the email — it is not advised. |
|
Reject the email. This setting reduces the chance of backscatter:
|
|
The email is silently discarded (not delivered). |
Setting Up Trusted Networks: The Zimbra configuration allows relaying only for the local network, but you can configure trusted networks that are allowed to relay mail. You set the MTA trusted networks as a global setting, but you can configure trusted networks as a server setting. The server setting overrides the global setting.
To use the Administration Console to set up MTA trusted networks as a global setting:
- Admin Console:
-
Home → Configure → Global Settings → MTA → Network
When using the Administration Console to set up MTA trusted networks on a per server basis, first ensure that MTA trusted networks have been set up as global settings.
- Admin Console:
-
Home → Configure → Servers → server → MTA → Network
Enter the network addresses separated by commas and/or a space. Continue long lines by starting the next line with space, similar to the following examples:
127.0.0.0/8, 168.100.189.0/24 127.0.0.0/8 168.100.189.0/24 10.0.0.0/8 [::1]/128 [fe80::%eth0]/64
Enabling a Milter Server: Milter server can be enabled to enforce restrictions on which addresses can send to distribution lists and add Reply-To and X-Zimbra-DL headers to messages sent from distribution lists. This can be enabled globally or for specific servers from the Administration Console.
Only enable a Milter Server on a server where an MTA is running. |
For global configuration, enable the milter server from the Administration Console:
- Admin Console:
-
Home → Configure → Global Settings → MTA → Milter Server
Use the Administration Console to enable a specific milter server, and to set bind addressing for individual servers.
- Admin Console:
-
Home → Configure → Servers → server → MTA → Milter Server
Postscreen Methods for Avoiding Spam
Zimbra Postscreen is the 8.7 enhancement to the Zimbra Collaboration anti-spam strategy, to provide additional protection against mail server overload. By design, Postscreen is not an SMTP proxy. Its purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic. A single Postscreen process handles multiple inbound SMTP connections and decides which clients may communicate to a Post-fix SMTP server process. By keeping spambots away, Postscreen frees up SMTP server processes for legitimate clients, and delays the onset of server overload conditions.
In a typical deployment, Postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587, which requires client authentication. Alternatively, a site could set up a dedicated, non-Postscreen, “port 25” server that provides submission service and client authentication without MX service.
Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs). |
Zimbra Collaboration Postscreen maintains a temporary white-list for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, Postscreen immediately passes the connection to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.
In a typical scenario that uses Postscreen service, it is reasonable to expect potentially malicious email entities — such as bots and zombies — to be mixed in with friendly candidates in email loads. This concept is illustrated in the following diagram, in which undesirable entities are depicted in red; good email candidates are green.
Postscreen performs basic checks and denies connection(s) that are clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email to the local Anti-SPAM and Anti-Virus engines, which can either accept it or deny it. Good connections are accepted via Postscreen security, then allowed to talk directly with the SMTP daemon, which scans the Email (as usual) with the AS/AV. By default, all bots or zombies are rejected.
Use Zimbra CLI attributes to set parameters for Postscreen operations. For any Postscreen Attributes that provide the ignore, enforce, or drop instruction, use guidelines as follows:
-
ignore — Ignore this result. Allow other tests to complete. Repeat this test with subsequent client connections. This is the default setting, which is useful for testing and collecting statistics without blocking mail.
-
enforce — Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the hello/sender/recipient information. Repeat this test with subsequent client connections.
-
drop — Drop the connection immediately with a 521 SMTP reply. Repeat this test with subsequent client connections.
Postscreen Attributes:
Go to the zmprov mcf
prompt (release 8.7+) to use Postscreen commands.
You can see example usages of these attributes in
Enabling Postscreen.
-
zimbraMtaPostscreenAccessList
— Default = permit_mynetworksPostconf
postscreen_access_list
setting, which is the permanent white/ blacklist for remote SMTP client IP addresses. Postscreen(8) searches this list immediately after a remote SMTP client connects. Specify a comma- or whitespace -separated list of commands (in upper or lower case) or lookup tables. The search stops upon the first command that fires for the client IP address. -
zimbraMtaPostscreenBareNewlineAction
— Default = ignoreThe action that postscreen(8) is to take when a remote SMTP client sends a bare newline character, that is, a newline not preceded by carriage return — as either ignore, enforce, or drop.
-
zimbraMtaPostscreenBareNewlineEnable
— Default = noEnable (yes) or disable (no) “bare newline” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
-
zimbraMtaPostscreenBareNewlineTTL
— Default = 30dThe amount of time allowable for postscreen(8) to use the result of a successful “bare newline” SMTP protocol test. During this time, the client IP address is excluded from this test. The default setting is lengthy because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenBlacklistAction
— Default = ignoreThe action that postscreen(8) is to take when a remote SMTP client is permanently blacklisted with the
postscreen_access_list
parameter, as either ignore, enforce, or drop. -
zimbraMtaPostscreenCacheCleanupInterval
— Default = 12hThe amount of time allowable between postscreen(8) cache cleanup runs. Cache cleanup increases the load on the cache database and should therefore not be run frequently. This feature requires that the cache database supports the “delete” and “sequence” operators. Specify a zero interval to disable cache cleanup.
After each cache cleanup run, the postscreen(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as “partial” when the daemon terminates early after
postfix reload
,postfix stop
, or no requests for$max_idle
seconds.Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenCacheRetentionTime
— Default = 7dThe amount of time that postscreen(8) is allowed to cache an expired temporary whitelist entry before it is removed. This prevents clients from being logged as “NEW” just because their cache entry expired an hour ago. It also prevents the cache from filling up with clients that passed some deep protocol test once and never came back.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenCommandCountLimit
— Default = 20Value to set the limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers or rejects all attempts to deliver mail, therefore there is no need to enforce separate limits on the number of junk commands and error commands.
-
zimbraMtaPostscreenDnsblAction
— Default = ignoreThe action that postscreen(8) is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the
postscreen_dnsbl_sites
andpostscreen_dnsbl_threshold
parameters), as either ignore, enforce, or drop. -
zimbraMtaPostscreenDnsblSites
Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog(8) daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen(8) will update an SMTP client’s DNSBL score with each non-error reply.
When postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map
feature to hide “password” information in DNSBL domain names.When a client’s score is equal to or greater than the threshold specified with
postscreen_dnsbl_threshold
, postscreen(8) can drop the connection with the remote SMTP client.Specify a list of
domain=filter*weight
entries, separated by comma or whitespace.-
When no
=filter
is specified, postscreen(8) will use any non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the formd.d.d.d
, where each d is a number, or a pattern inside[]
that contains one or more “;”-separated numbers or number..number ranges. -
When no
*weight
is specified, postscreen(8) increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen(8) adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting. -
When one
postscreen_dnsbl_sites
entry produces multiple DNSBL responses, postscreen(8) applies the weight at most once.
Examples:
To use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:
postscreen_dnsbl_threshold = 2 postscreen_dnsbl_sites = example.com*2, example.net, example.org
To filter only DNSBL replies containing 127.0.0.4:
postscreen_dnsbl_sites = example.com=127.0.0.4
-
-
zimbraMtaPostscreenDnsblThreshold
— Default = 1Value to define the inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the
postscreen_dnsbl_sites
parameter. -
zimbraMtaPostscreenDnsblTTL
— Default = 1hThe amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenDnsblWhitelistThreshold
— Default = 0Allow a remote SMTP client to skip “before” and “after 220 greeting” protocol tests, based on its combined DNSBL score as defined with the
postscreen_dnsbl_sites
parameter.Specify a negative value to enable this feature. When a client passes the
postscreen_dnsbl_whitelist_threshold
without having failed other tests, all pending or disabled tests are flagged as completed with a time-to-live value equal topostscreen_dnsbl_ttl
. When a test was already completed, its time-to-live value is updated if it was less thanpostscreen_dnsbl_ttl
. -
zimbraMtaPostscreenGreetAction
— Default = ignoreThe action that postscreen(8) is to take when a remote SMTP client speaks before its turn within the time specified with the
postscreen_greet_wait
parameter, as either ignore, enforce, or drop. -
zimbraMtaPostscreenGreetTTL
— Default = 1dThe amount of time allowed for postscreen(8) to use the result from a successful PREGREET test. During this time, the client IP address is excluded from this test. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenNonSmtpCommandAction
— Default = dropThe action that postscreen(8) takes when a remote SMTP client sends non-SMTP commands as specified with the
postscreen_forbidden_
commands parameter, as either ignore, enforce, or drop. -
zimbraMtaPostscreenNonSmtpCommandEnable
— Default = noEnable (yes) or disable (no) "non- SMTP command" tests in the postscreen(8) server. These tests are expensive: a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
-
zimbraMtaPostscreenNonSmtpCommandTTL
— Default = 30dThe amount of time allowable for postscreen(8) to use the result from a successful “non_smtp_command” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenPipeliningAction
— Default = enforceThe action that postscreen(8) is to take when a remote SMTP client sends multiple commands instead of sending one command and waiting for the server to respond, as either ignore, enforce, or drop.
-
zimbraMtaPostscreenPipeliningEnable
— Default = noEnable (yes) or disable (no) “pipelining” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
-
zimbraMtaPostscreenPipeliningTTL
— Default = 30dTime allowable for postscreen(8) to use the result from a successful “pipelining” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is lengthy because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenWatchdogTimeout
— Default = 10sTime allowable for a postscreen(8) process to respond to a remote SMTP client command, or to perform a cache operation, before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents postscreen(8) from becoming non-responsive due to a bug in Postfix itself or in system software. To avoid false alarms and unnecessary cache corruption this limit cannot be set under 10s.
Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenWhitelistInterfaces
A list of local postscreen(8) server IP addresses where a non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary whitelist status. This status is required before the client can talk to a Postfix SMTP server process. By default, a client can obtain postscreen(8)'s whitelist status on any local postscreen(8) server IP address.
When postscreen(8) listens on both primary and backup MX addresses, the
postscreen_whitelist_interfaces
parameter can be configured to give the temporary whitelist status only when a client connects to a primary MX address. Once a client is whitelisted it can talk to a Postfix SMTP server on any address. Thus, clients that connect only to backup MX addresses will never become whitelisted, and will never be allowed to talk to a Postfix SMTP server process.Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. The netmask specifies the number of bits in the network part of a host address. Continue long lines by starting the next line with whitespace.
You can also specify
/file/name
ortype:table
patterns. A/file/name
pattern is replaced by its contents; atype:table
lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).The list is matched left to right, and the search stops on the first match. Specify
!pattern
to exclude an address or network block from the list.IPv6 address information must be specified inside []
in thepostscreen_whitelist_interfaces
value, and in files specified with/file/name
. IP version 6 addresses contain the “:” character, and would otherwise be confused with atype:table
pattern.Example:
/etc/postfix/main.cf: # Don't whitelist connections to the backup IP address. postscreen_whitelist_interfaces = !168.100.189.8, static:all
-
zimbraMtaPostscreenDnsblMinTTL
— Default = 60sThe minimum amount of time that postscreen(8) is allowed — resulting from a successful DNS -based reputation test — before a client IP address is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than
postscreen_dnsbl_max_ttl
.Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-
zimbraMtaPostscreenDnsblMaxTTL
— Default = postscreen dnsbl ttlThe maximum amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than
postscreen_dnsbl_min_ttl
.Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
Note that the default setting is backwards-compatible with Postscreen versions earlier than 3.1.
Enabling Postscreen:
The example in this section demonstrates settings appropriate for a global configuration with medium-to-high level Postscreen protection.
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore zmprov mcf zimbraMtaPostscreenBareNewlineEnable no zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d zmprov mcf zimbraMtaPostscreenBlacklistAction ignore zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d zmprov mcf zimbraMtaPostscreenCommandCountLimit 20 zmprov mcf zimbraMtaPostscreenDnsblAction enforce zmprov mcf \ zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2_7' \ zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' \ zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' \ zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' \ zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' \ zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' \ zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' \ zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' \ zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' \ zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' \ zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' \ zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' \ zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' \ zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2' zmprov mcf zimbraMtaPostscreenDnsblTTL 5m zmprov mcf zimbraMtaPostscreenDnsblThreshold 8 zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0 zmprov mcf zimbraMtaPostscreenGreetAction enforce zmprov mcf zimbraMtaPostscreenGreetTTL 1d zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d zmprov mcf zimbraMtaPostscreenPipeliningAction enforce zmprov mcf zimbraMtaPostscreenPipeliningEnable no zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all
Testing Postscreen:
Testing uses Postscreen to view results without taking any action. In a testing scenario, you instruct Postscreen to log email connections without taking action on them. Once you are satisfied with the results, you can set Postscreen values to enforce or drop emails, as required.
-
Set up the DNS-based Blackhole List (DNSBL).
-
Set Postscreen to ignore.
The following real-world example demonstrates return of a 550 error from Postscreen during a test session:
Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438 Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25 Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010 Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com> Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438
Receiving and Sending Mail
The Zimbra MTA delivers the incoming and the outgoing mail messages. For outgoing mail, the Zimbra MTA determines the destination of the recipient address. If the destination host is local, the message is passed to the Zimbra server for delivery. If the destination host is a remote mail server, the Zimbra MTA must establish a communication method to transfer the message to the remote host. For incoming messages, the MTA must be able to accept connection requests from remote mail servers and receive messages for the local users.
To send and receive email, the MTA must be configured in DNS with both an A record and an MX Record. For sending mail, the MTA uses DNS to resolve hostnames and email-routing information. To receive mail, the MX record must be configured correctly to route messages to the mail server.
You must configure a relay host if you do not enable DNS.
Message Queues
When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, hold, and corrupt.
The incoming message queue holds the new mail that has been received. Each message is identified with a unique file name. Messages are moved to the active queue when there is room. If there are no problems, message move through this queue very quickly.
The active message queue holds messages that are ready to be sent. The MTA sets a limit to the number of messages that can be in the active queue at any one time. From here, messages are moved to and from the anti-virus and anti-spam filters before being delivered to another queue.
Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails and is bounced back to the original sender. You can choose to send a notification to the sender that the message has been deferred.
The hold message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the hold queue.
The corrupt queue stores damaged unreadable messages.
You can monitor the mail queues for delivery problems from the Administration Console. See Monitoring Zimbra Servers.
Message banner for mails from external domains
A message banner in the mails can be added for the mails coming from external domains. This will help users to identify the mails originating outside their organization. The feature is controlled by a localconfig attribute and by default it is disabled.
Following are the details of the attributes:
-
zimbra_external_email_warning_enabled
- Attribute to enable/disable the feature. -
zimbra_external_email_warning_message
- Attribute to customize the message to be displayed in the mails.
Following are the instructions to be executed as zimbra user:
-
Enabling the feature:
su - zimbra zmlocalconfig -e zimbra_external_email_warning_enabled=true
-
Restart mailbox service:
zmmailboxdctl restart
When a user receives mail from an external domain, the message banner will get displayed at the top of the message body.
Modifying the message
The message for external domains can also be modified.
Following are the instructions:
-
Edit the localconfig attribute
zimbra_external_email_warning_message
with the new message:zmlocalconfig -e zimbra_external_email_warning_message="The external domain warning has been edited"
-
Restart mailbox service:
zmmailboxdctl restart
When a user receives mail from an external domain, the edited message banner will get displayed at the top of the message body.
Zimbra Proxy Server
Zimbra Proxy is a high-performance proxy server that can be configured as a POP3/IMAP/HTTP proxy used to reverse proxy IMAP/POP3 and HTTP client requests to a set of backend servers.
The Zimbra Proxy package is installed and configured during the Zimbra Collaboration installation. You can install this package on a mailbox server, MTA server, or on its own independent server. When the Zimbra Proxy package is installed, the proxy feature is enabled. In most cases, no modification is necessary.
Benefits of Using Zimbra Proxy
Benefits for using Zimbra Proxy include:
-
Zimbra proxy centralizes access to Mailbox servers
-
Load Balancing
-
Security
-
Authentication
-
SSL Termination
-
Caching
-
Centralized Logging and Auditing
-
URL Rewriting
-
Strict Server Name Enforcement (optional)
For more information, see the wiki page Zimbra_Proxy_Guide.
Zimbra Proxy Components
Zimbra Proxy is designed to provide a HTTP/POP/IMAP proxy that is quick, reliable, and scalable. Zimbra Proxy includes the following:
Component | Description |
---|---|
Nginx |
High performance HTTP/IMAP/POP3 proxy server that handles all incoming HTTP/POP/IMAP requests. |
Memcached |
High performance distributed memory object caching system in which routing information is cached to enable increased performance. |
Zimbra Proxy Route Lookup Handler |
Servelet—located on the Zimbra mailbox server—that handles queries for the user account route information. This routing information consists of the server and port number where the user account resides. |
Proxy Architecture and Flow
This section describes the architecture and flow sequence of Zimbra proxy.
-
End clients connect to Zimbra Proxy using HTTP/HTTPS/POP/IMAP ports.
-
When Zimbra Collaboration Proxy receives an incoming connection, the Nginx component sends an HTTP request to Zimbra Collaboration Proxy Route Lookup Handler component.
-
Zimbra Collaboration Proxy Route Lookup Handler locates the route information for the account being accessed and returns this to Nginx.
-
The Memcached component stores the route information for the configured period of time (the default is one hour). Nginx uses this route information instead of querying the Zimbra Collaboration Proxy Route Lookup Handler until the default period of time has expired.
-
Nginx uses the route information to connect to Zimbra Collaboration Mailbox.
-
Zimbra Collaboration Proxy connects to Zimbra Collaboration Mailbox and initiates the web/mail proxy session. The end client behaves as if it is connecting directly to Zimbra Collaboration Mailbox.
Changing the Zimbra Proxy Configuration
When Zimbra proxy is configured, the Zimbra proxy config performs keyword substitution as necessary with values from the LDAP configuration and localconfig.
If changes are required after the Zimbra Proxy is set up, modify the Zimbra
LDAP attributes or localconfig values and run zmconfigd to generate the
updated Zimbra Proxy configuration. The Zimbra proxy configuration file is
in /opt/zimbra/conf/nginx.conf
. The nginx.conf includes the main config,
memcache config, mail config, and web config files.
Common changes to Zimbra Proxy configuration are IMAP/POP configuration changes from the original default setup
-
HTTP reverse proxy configuration changes from the original default setup
-
GSSAPI authentication for Kerberos. In this case you manually identify the location of the Kerberos Keytab file, including Zimbra Proxy password
Zimbra Proxy
Zimbra Proxy allows end users to access their Zimbra Collaboration account using clients such as Microsoft Outlook, Mozilla Thunderbird, or other POP/IMAP end-client software. End users can connect using POP3, IMAP, POP3S (Secure POP3), or IMAPS (Secure IMAP).
For example, proxying allows users to enter imap.example.com as their IMAP server. The proxy running on imap.example.com inspects their IMAP traffic, does a lookup to determine which backend mailbox server a user’s mailbox lives on and transparently proxies the connection from user’s IMAP client to the correct mailbox server.
Zimbra Proxy Ports
The following ports are used either by Zimbra Proxy or by Zimbra Mailbox (if Proxy is not configured). If you have any other services running on these ports, turn them off.
End clients connect directly to Zimbra Proxy, using the Zimbra Proxy Ports. Zimbra Proxy connects to the Route Lookup Handler or Zimbra Mailbox using the Zimbra Mailbox Ports.
Zimbra Proxy Ports (External to Zimbra) | Port |
---|---|
HTTP |
80 |
HTTPS |
443 |
POP3 |
110 |
POP3S (Secure POP3) |
995 |
IMAP |
143 |
IMAPS (Secure IMAP) |
993 |
Zimbra Mailbox Ports (Internal to Zimbra) |
Port |
Route Lookup Handler |
7072 |
HTTP Backend (if Proxy configured) |
8080 |
HTTPS Backend (if Proxy configured) |
8443 |
POP3 Backend (if Proxy configured) |
7110 |
POP3S Backend (if Proxy configured) |
7995 |
IMAP Backend (if Proxy configured) |
7143 |
IMAPS Backend (if Proxy configured) |
7993 |
Strict Server Name Enforcement
Zimbra Proxy has the ability to strictly enforce which values are allowed in the Host
header
passed in by the client.
This is enabled by default on new installations but left disabled for upgrades from previous versions unless toggled during the installation.
The functionality may be altered by setting the zimbraReverseProxyStrictServerNameEnabled
boolean configuration
option followed by restarting the proxy server.
-
TRUE - strict server name enforcement enabled
-
FALSE - strict server name enforcement disabled
zmprov mcf zimbraReverseProxyStrictServerNameEnabled TRUE
When the strict server name functionality is enabled, additional valid server names may be specified
using the zimbraVirtualHostName
and zimbraVirtualIPAddress
configuration items at the domain level.
zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.2.3.4
Only one virtual ip address is needed per domain although more than one is acceptable. |
Setting Up IMAP and POP Proxy After HTTP Proxy Installation
IMAP proxy is installed with Zimbra Collaboration and set up during installation from the configuration menus. To set up the HTTP proxy, the proxy must be installed on the identified proxy nodes in order to set up HTTP proxy. No other configuration is usually required.
If you need to, set up IMAP/POP proxy after you have already installed HTTP proxy, and set up the mailbox server and the proxy node.
You can run the command as zmproxyconfig -r , to run against a remote
host. This requires the server to be properly configured in the LDAP
master.
|
Set Up IMAP/POP Proxy with Separate Proxy Node
Use steps in this section if your configuration includes a separate proxy server.
-
On each Zimbra mailbox server that you want to proxy with, enable the proxy for IMAP/POP proxy.
/opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname
This configures the following:
Port Attributes Setting zimbraImapBindPort
7143
zimbraImapProxyBindPort
143
zimbraImapSSLBindPort
7993
zimbraImapSSLProxyBindPort
993
zimbraPop3BindPort
7110
zimbraPop3ProxyBindPort
110
zimbraPop3SSLBindPort
7995
zimbraPop3SSLProxyBindPort
995
zimbralmapCleartextLoginEnabled
TRUE
zimbraReverseProxyLookupTarget
TRUE
zimbraPop3CleartextLoginEnabled
TRUE
-
Restart services on the proxy and mailbox servers.
zmcontrol restart
Set Up the Proxy Node
On each proxy node that has the proxy service installed, enable the proxy for the web.
/opt/zimbra/libexec/zmproxyconfig -e -m -H proxy.node.service.hostname
This configures the following:
Port Attribute | Setting |
---|---|
|
7143 |
|
143 |
|
7993 |
|
993 |
|
7110 |
|
110 |
|
7995 |
|
995 |
|
TRUE |
Set Up a Single Node
Use steps in this section if Zimbra proxy is installed with Zimbra Collaboration on the same server.
-
Enable the proxy for the web.
/opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname
This configures the following:
Port Attribute Setting zimbraImapBindPort
7143
zimbraImapProxyBindPort
143
zimbraImapSSLBindPort
7993
zimbraImapSSLProxyBindPort
993
zimbraPop3BindPort
7110
zimbraPop3ProxyBindPort
110
zimbraPop3SSLBindPort
7995
zimbraPop3SSLProxyBindPort
995
zimbraImapCleartextLoginEnabled
TRUE
zimbraReverseProxyLookupTarget
TRUE
zimbraPop3CleartextLoginEnabled
TRUE
zimbraReverseProxyMailEnabled
TRUE
-
Restart services on the proxy and mailbox servers.
zmcontrol restart
Configuring Zimbra HTTP Proxy
Zimbra Proxy can also reverse proxy HTTP requests to the right back-end server.
For example, users can use a web browser to connect to the proxy server at https://mail.example.com
. The connection from users whose mailboxes live on mbs1.example.com is proxied to mbs1.example.com by the proxy running on the mail.example.com server. The proxy also supports REST and CalDAV clients, Zimbra Connector for Outlook, and Zimbra Mobile Sync devices.
HTTP reverse proxy routes requests as follows:
-
If the requesting URL can be examined to determine the user name, then the request is routed to the backend mailbox server of the user in the URL. REST, CalDAV, and Zimbra Mobile Sync are supported through this mechanism.
-
If the request has an auth token cookie (ZM_AUTH_TOKEN), the request is routed to the backend mailbox server of the authenticated user.
-
If the above methods do not work, the IP hash method is used to load balance the requests across the backend mailbox servers which are able to handle the request or do any necessary internal proxying.
Setting Up HTTP Proxy
To set up HTTP proxy, Zimbra Proxy must be installed on the identified nodes.
You can run the command as /opt/zimbra/libexec/zmproxyconfig -r , to run
against a remote host. Note that this requires the server to be properly
configured in the LDAP master.
|
Setting Up HTTP Proxy as a Separate Proxy Node
Use steps in this section if your configuration includes a separate proxy server.
-
On each Zimbra mailbox server that you want to proxy with, enable the proxy for the web.
/opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
Attribute Setting zimbraMailReferMode
reverse-proxied.
zimbraMailPort
8080 (to avoid port conflicts)
zimbraMailSSLPort
8443 (to avoid port conflicts)
zimbraReverseProxyLookupTarget
TRUE
zimbraMailMode
HTTP
-
Restart services on the proxy and mailbox servers.
zmcontrol restart
-
Configure each domain with the public service host name to be used for REST URLs, email, and Briefcase folders.
zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
Setting Up Proxy Node
On each proxy node that has the proxy service installed, enable the proxy for the web.
/opt/zimbra/libexec/zmproxyconfig -e -w -H proxy.node.service.hostname
This configures the following:
Attribute | Setting |
---|---|
|
reverse-proxied. To set the proxy server mail mode, add the -x option to the command, with the specific mode as either http, https, both, redirect, or mixed. |
|
80 (to avoid port conflicts). |
|
443 (to avoid port conflicts). |
|
TRUE (to indicate that Web proxy is enabled). |
|
HTTP (default) |
To set the proxy server mail mode, add the -x
option to the command
with the specific mode: http, https, both, redirect, mixed.
Setting Up a Single Node for HTTP Proxy
Use steps in this section if Zimbra proxy is installed along with Zimbra on the same server.
-
On each zimbra mailbox server that you want to proxy with, enable the proxy for the web.
/opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname
This configures the following:
Attribute Setting zimbraMailReferMode
reverse-proxied.
zimbraMailPort
8080 (to avoid port conflicts)
zimbraMailSSLPort
8443 (to avoid port conflicts)
zimbraReverseProxyLookupTarget
TRUE
zimbraMailMode
HTTP (the only supported mode)
zimbraMailProxyPort
80 (to avoid port conflicts)
zimbraMailSSLProxyPort
443 (to avoid port conflicts)
zimbraReverseProxyHttpEnabled
TRUE (to indicate that Web proxy is enabled)
zimbraReverseProxyMailMode
HTTP (default)
To set the proxy server mail mode, add the
-x
option to the command with the specific mode: http, https, both, redirect, mixed. -
Restart services on the proxy and mailbox servers.
zmcontrol restart
Configure each domain with the public service host name to be used for REST URLs, email and Briefcase folders.
zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>
Set Up Proxy to use Clear Text for Upstream Connections
When setting up the proxy to use clear text for upstream connections, set
zimbraReverseProxySSLToUpstreamEnabled
to FALSE.
This attribute defaults to TRUE. In an "out of the box" proxy set up, the upstream communication defaults to SSL.
REST URL Generation
For REST URL, you set the host name, service protocol, and services port globally or for a specific domain from the following attributes.
-
zimbraPublicServiceHostname
-
zimbraPublicServiceProtocol
-
zimbraPublicServicePort
When generating REST URL’s:
-
If
domain.zimbraPublicServiceHostname
is set, usezimbraPublicServiceProtocol
+zimbraPublicServiceHostname
+zimbraPublicServicePort
-
Otherwise it falls back to the server (account’s home server) attributes:
-
protocol is computed from
server.zimbraMailMode
-
hostname is
server.zimbraServiceHostname
-
-
port is computed from the protocol.
About using zimbraMailReferMode - In earlier versions, a local config
variable — zimbra_auth_always_send_refer — determined which action the
back-end server took when a user’s mailbox did not reside on the server
that the user logged in to. The default value of FALSE redirected the user
if the user was logging in on the incorrect backend host.
|
On a multiserver Zimbra, if a load balanced name was needed to create a
friendly landing page, a user would always have to be redirected. In that
case, zimbra_auth_always_send_refer
was set to TRUE.
Now with a full-fledged reverse proxy, users do not need to be
redirected. The localconfig variable zimbraMailReferMode
is used with
nginx reverse proxy.
Setting Proxy Trusted IP Addresses
When a proxy is configured with Zimbra, each proxy server’s IP
address must be configured in LDAP attribute zimbraMailTrustedIP
to
identify the proxy addresses as trusted when users log in through the
proxy. The proxy IP address is added to the X-Forwarded-For
header
information. The X-Forwarded-For
header is automatically added to the
localconfig zimbra_http_originating_ip
header attribute. When a user logs
in, this IP address and the user’s address are verified in the Zimbra
mailbox log.
Set each proxy IP address in the attribute. For example, if you have two proxy servers:
zmprov mcf +zimbraMailTrustedIP {IP of nginx-1} +zimbraMailTrustedIP {IP of nginx-2}
To verify that X-Forwarded-For was correctly added to the localconfig, type
You should see
|
Configuring Zimbra Proxy for Kerberos Authentication
Use steps in this section if you use the Kerberos5 authenticating mechanism, and want to configure it for the IMAP and POP proxy.
Make sure that your Kerberos5 authentication mechanism is correctly configured. See Zimbra LDAP Service |
-
On each proxy node, set the zimbraReverseProxyDefaultRealm server attribute to the realm name corresponding to the proxy server. For example:
zmprov ms [DNS name.isp.net] zimbraReverseProxyDefaultRealm [ISP.NET]
-
Each proxy IP address where email clients connect must be configured for GSSAPI authentication by the mail server. On each proxy node for each of the proxy IP addresses:
zmprov mcf +zimbraReverseProxyAdminIPAddress [IP address]
-
On each proxy server:
zmprov ms [proxyexample.net] zimbraReverseProxyImapSaslGssapiEnabled TRUE zmprov ms proxyl.isp.net zimbraReverseProxyPop3SaslGssapiEnabled TRUE
-
Restart the proxy server
zmproxyctl restart
Zimbra Administration Console
The Zimbra Administration Console is a browser-based user interface for the central management of Zimbra servers and user accounts.
Administrator Accounts
When you log in to the Administration Console, the tasks you are authorized to perform show up on the Navigation pane. These tasks depend on the rights assigned to your administrator role.
You can create two types of administrator accounts to manage Zimbra Collaboration:
-
Global Administrators have full privileges to manage servers, global settings, domains, and accounts as well as create other administrators. One global administrator account gets created automatically during software installation. Create additional global administrator accounts anytime later. You can perform administration tasks from the Administration Console or the command line.
-
Delegated Administrators are granted customized administrator roles by the global administrator to manage different tasks from the Administration Console. See Delegated Administration for more details.
Logging into the Administration Console
-
To launch the Administration Console in a typical installation, use the following URL pattern.
https://server.domain.com:7071/
Parameter Description server.domain.com
The Zimbra server name or IP address.
7071
The default HTTP listen port.
-
At the login screen, enter the complete administrator address - e.g., admin@domain.com - and the password configured for it during server installation of Zimbra Collaboration.
Modifying Administrator Passwords
You can change the password - from either the Administration Console or the CLI - at any time.
From the Administration Console, use the Change Password screen to set the new password string, and to define the policy for user password modifications.
- Admin Console:
-
Home → Manage → Accounts
Double click select user account or from the Gear icon, select Change Password from the popup menu.
zmprov sp adminname@domain.com password
Customizing the Login and Logout Pages
A different login and logout page can be configured either as a global setting or as a domain setting.
To specify a URL to redirect administrators to if their login fails authentication, or if their authentication has expired:
Global:
zmprov mcf zimbraAdminConsoleLoginURL <https://example.com>
Domain:
zmprov md <domain> zimbraAdminConsoleLoginURL <https://example.com>
To specify a URL to redirect administrators to, for logging out:
Global:
zmprov mcf zimbraAdminConsoleLogoutURL <https://example.com>
Domain:
zmprov md <domain> zimbraAdminConsoleLogoutURL <https://example.com>
Managing Tasks
Most Zimbra tasks - such as creating accounts and Classes of Service, Server Status Monitoring, Domain management, Backup Scheduling, and Session management - can be managed from the Administration Console.
Other configuration and maintenance tasks require the use of the Zimbra CLI because you cannot perform them in the Administration Console. For example: starting and stopping services and managing the local server configuration.
At the Administration Console, if you need to view the attribute associated with a particular function, you can click on the text labels of the currently visible configuration page to open the information in a popup. Guide text is also provided from these popups, as demonstrated in the following illustration.
Click the field label to view the Attribute popup. |
|
With the attribute popup in view, click More to view guidetext about the field. |
Navigating the User Interface
The organization of the Zimbra Collaboration Administration Console provides quick navigation to the configuration and monitoring tools and views associated with your login privileges. It also provides easy access to various types of Help and the on-screen guide text.
After logging in to the Administration Console, the Home page provides status information and options you can select to navigate to the configuration and viewing options described in this user guide.
<1> Go to Previous or Next page <2> Current Location/Path <3> Search <4> Screen Refresh <5> Current User and Logout Option <6> Help <7> Gear Icon <8> Status Pane <9> Viewing Pane <10> Navigation Pane
The displays and options in the navigation pane and viewing pane change according to your selections. Other portions of the UI — arrow buttons, search field, screen refresh, current location/path, current login, and Help — always remain in view.
The Gear Icon is displayed with some screens, to enable quick access to functions associated with the functions provided in the screens. For more information about the Gear icon, see Using the Gear icon
Home Navigation Pane
The options provided in the Home navigation pane get categorized under the Home directory. Some of the options lead to configuration pages; others lead to pages containing reports, as associated with your selections.
The illustration at right is an expanded view of the options currently supported in the Navigation Pane.
The upper bar of the in-view page always displays your current position in the hierarchy, and you can use multiple options for dismissing the current view:
-
To return to a previous page or go to the next page, click the left or right arrows.
-
To return to a specific portion of the UI, select an option from the Home dropdown.
-
To go directly to a specific option, click through the hierarchy in the Navigation Pane.
The Navigation pane options are described in the following topics:
Home UI
The Home screen is the default, login view, which provides the Home navigation pane and the Home page. This page provides a snapshot view of system status and a series of quick-access links for essential tasks.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Current User and Logout Option <5> Help <6> System Status <7> Status Pane <8> Quick Start <9> Navigation Pane
Topic | Description |
---|---|
Summary |
Displays the version of Zimbra Collaboration currently running and in view, and the detected number of servers, account, domains, and classes of service associated with this session. |
Maintenance |
Displays the most recent software backup performed. |
Runtime |
Displays the runtime statistics for Service, Active Session, and Queue Length. |
1 Get Started |
Displays the steps essential to getting started with your Zimbra Collaboration operations, and provides quick links to the functions in this UI:
|
2 Set up Domain |
Displays the steps you use to establish the domain(s) to be managed by the Collaborator. Each step is a link to the function in this UI:
|
3 Add Accounts |
Displays the steps for adding accounts for management by the Collaborator. Each step is a link to the function in this UI:
|
Monitor UI
The Monitor screen provides the Monitor navigation pane and the Monitor pages, which display various itemizations about servers monitored by the Collaborator.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Current User and Logout Option <5> Help <6> Status Pane <7> Navigation Pane
Monitor Navigation Pane and Pages
The options provided in the Monitor pages provide various methods- dynamic charts, or tables-for viewing the individual or system-wide monitored servers and services listed in the following table.
Adobe Flash Player must be activated to enable views of the dynamic charts. |
Option | Description |
---|---|
Server Status |
Server, Service, and Time details for each server monitored by the Collaborator. |
Advanced Statistics |
System-wide Information page for Advanced Statistics, which allows you to set up a new monitoring chart using parameters from the selection fields available from this page: Server, Group, Start, end, and Counters. From this Advanced Statistics page, you can also elect to perform the following operations:
|
Message Count |
System-wide Information page, for Message Counts, to examine charts depicting counts over the last 48, 30, 60, and 365 days. The information summarizes the number of recipients of messages using either SMTP or LMTP. The polling intervals for the counts are posted directly beneath each chart. |
Message Volume |
System-wide Information page, for Message Volume, to view charts depicting the number of recipients of messages using either SMTP or LMTP, and associated message sizes. These counts get summarized in periods over the last 48, 30, 60, and 365 days. The polling intervals for the counts are posted directly beneath each chart. |
Anti-Spam/Anti-Virus |
System-wide Information page, for Anti-Spam/Anti-Virus |
Activity |
Activity, depicting the number of unique messages processed by the AS/AC system over the last 48, 30, 60, and 365 days. The polling intervals for the counts are posted directly beneath each chart. |
Server Statistics |
Access to statistics for a selected Service Host. You can view information for a selected host, as follows:
For the selected Server, the Server Statistics navigation pane provides options to view Disk, Session, Mailbox Quota, Message Count, Message Volume, and Anti- Spam/Anti-Virus Activity. |
Mail Queues |
Tab pages from which to view counts of Deferred, Incoming, Active, Held, and Corrupt statistics for detected mail queues. Each tab page provides summary filtering information and Message details. |
Manage UI
The Manage screen provides the Manage navigation pane, and the Manage pages, which display the tables categorically provided as Accounts, Aliases, Distribution Lists, and Resources that are currently managed by Collaborator.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Current User and Logout Option <5> Help <6> Gear Icon <7> Status Pane <8> Navigation Pane
Option | Description |
---|---|
Accounts (count) |
Table of accounts managed by the Collaborator. Actions you can perform:
|
Aliases (count) |
Table of Aliases managed by the Collaborator. Each alias is an email address that forwards all email to a specified account. Actions you can perform:
|
Distribution Lists (count) |
Table of Distribution Lists managed by the Collaborator. A Distribution List is a group of mail addresses contained in a list, with a mail address for the list. When you send a message to a distribution list, you are sending it implicitly to everyone whose address appears in the list. The To: address line displays the distribution list address. Actions you can perform:
|
Resources (count) |
Table of Resources managed by the Collaborator. A Resource is a location or a piece of equipment that supports scheduling for meetings. Actions you can perform:
|
Configure UI
The Configure screen provides the Configure navigation pane, and the Configure pages, which enable configurations for individual or global components.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Help <5> Gear Icon <6> Status Pane <7> Configure Navigation Pane
Option | Description |
---|---|
Class of Service |
Displays the COSs managed from this AdministrationConsole.
|
Domains |
Displays the domains managed from this Administration Console.
|
Servers |
Displays the servers managed from this Administration Console.
|
Global Settings |
Provides access to tools you use to set various global parameters for your Zimbra Collaboration. Gear Icon: Save, Download, Update License, Activate License, Manually Activate License |
Zimlets |
Displays the Zimlets managed from this Administration Console.
|
Admin Extensions |
Displays the Admin Extensions managed from this Administration Console.
|
Certificates |
Displays the Certificates managed from this Administration Console.
|
Rights |
Displays the various Rights applicable to this Administration Console.
|
Global ACL |
Displays the Global Access Control Lists managed from this Administration Console.
|
Global Settings UI
Global Settings define the default global values for servers, accounts, COS, and domains. These default values and parameters apply when no specific values and parameters for particular items are in their settings.
You configure the defaults for Global Settings during installation. You can change the settings at any time from Global Settings at the Administration Console.
Option | Description |
---|---|
General Information |
For more information, see General Information Configuration |
Attachments |
For more information, see Attachments Configuration. |
MTA |
For more information, see MTA Configuration. |
IMAP |
Enable IMAP service. Changes to these settings do not take effect until the server restarts. |
POP |
Enable POPS3 Service. Changes to these settings do not take effect until the server restarts. |
AS/AV |
Set anti-spam and anti-virus rules. Changes to the Spam-check settings do not take effect until the server restarts. |
Themes |
Changes to the theme settings require flushing of the server theme cache by using Flush Cache on the toolbar in Server settings. For more information, see Color and Logo Management. |
Advanced |
|
Retention Policy |
Set up a retention and deletion time threshold for items in user folders. You can configure retention and deletion policies as a global setting, or configure COS-level policies instead of inheriting from the global settings. |
Proxy |
Set parameters for Web Proxy and Mail Proxy. There are also tools provided for setting Advanced Proxy parameters. |
S/MIME |
(Secure Multipurpose Internet Mail Extensions): Configure the LDAP settings on the S/MIME tab (if S/MIME feature is enabled). Users retrieve private keys from LDAP servers. |
ACL |
(Access Control List): Go to ACE (Access Control Entry) configuration for delegated administration rights granted on selected target(s), to add, edit, or delete an ACE. |
Backup/Restore |
Set parameters for backup-for standard or auto- grouped mode. For more information see Backup and Restore. |
SM |
(storage management): Configure the aging of messages before they move to the secondary volume. |
License |
|
Tools and Migration UI
The Tools and Migration screen provides the Tools and Migration navigation pane, for access to system software management and system backup/restore. Administrators can access and download specific wizards and tools from this page.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Current User and Logout Option <5> Help <6> Status Pane <7> _Tools and Migration_ Navigation Pane
Option | Description |
---|---|
Downloads |
Access Zimbra utilities, which provides downloadable |
Software Updates |
Find out if your system needs a Zimbra Server update or not, and use this page to view polling and email contact information pertinent to software updates for your system. See also Checking for Zimbra Collaboration Software Updates. |
Account Migration |
View tabular details about account migrations, as detected by your system. This page lists total imports and the status of each. This page also provides the name(s) of the owners for each account migration listed. See also Migrating Accounts from a Zimbra Server. |
Client Upload |
Use this page to browse for the latest version of software to be uploaded to your system. After selecting the image, you can use Upload on this page to complete the software upload. |
Backups |
Access a summary view of current free and total space (MB) based on the most recent system backup. You can also choose an administrator from this navigation pane to view their backup history. The history lists labels, start and end times, and success or failure for each backup occurrence. Each of these listings is associated with an identical displayed directory path to the backup target. The section Backup and Restore provides additional information. |
Downloadable Wizards and Connectors
Use the Tools and Migration screen Downloads option to get the tools described in this section.
Zimbra Collaboration Migration Wizard for Exchange/PST (32 bit) |
Get
|
||
Zimbra Collaboration Migration Wizard for Domino |
|
||
Legacy Zimbra Collaboration Migration Wizard for Exchange |
|
||
Zimbra Connector for Outlook MSI Customizer |
Present text file containing functions you can use to customize the standard ZCO MSI. The server name, port, and other variables particular to an organization can be customized. |
||
Zimbra Connector for Outlook Branding MSI |
Get the Windows Visual Basic Script Edition (VBScript Script File) to customize the standard ZCO MSI. Customization replaces all instances of the Zimbra product name and logo. |
Zimbra Connector for Outlook (32 bits) |
This application enables Outlook to synchronize calendar, contacts, and mail with the Zimbra server and access Zimbra Collaboration’s business features. Address books, Contacts, Calendars, Tasks, and mail are synced directly with the Zimbra Collaboration server. |
||
(Legacy) Microsoft Outlook PST Import Tool |
|
||
(Legacy) Migration Wizard for Microsoft Exchange |
|
||
General Migration Wizard |
This tool imports data within Microsoft Exchange servers and Outlook PST files to the Zimbra Server.
|
Search UI
The Search screen displays the Search results from queries made in the Search field in the Administration Console header.
-
When you open this page without entering a search query, All Results is the default search, which displays accounts, domains, and distribution lists in the Content pane.
-
The auto-completion function allows you to enter a partial name, then select a searchable name from the displayed list of matched strings.
-
You can also use the Zimbra mailbox ID number to search for an account. However, to return a search from a mailbox ID, the complete ID string must be entered in the search.
<1> Go to Previous or Next page <2> Search Options <3> Search <4> Screen Refresh <5> Current User and Logout Option <6> Help <7> Gear Icon <8> Status Pane <9> Search Navigation Pane
Option | Description |
---|---|
All Result |
View the count and table of all search results. |
Accounts |
View the count and table resulting from a query for Accounts. |
Domains |
View the count and table resulting from a query for Domains. |
Distribution Lists |
View the count and table resulting from a query for Distribution Lists. |
Basic Attributes |
Search for a user by first name, last name, display name, or account ID number. You can search for administrators or delegated administrators only. |
Status |
Search for an account by status: Active, Closed, Locked, Logout, Pending, or Maintenance. |
Last Login Time |
Search for accounts by the last login time. You can specify a date range to search. |
External Email Address |
Search for an account with an external email address. |
COS |
Search for objects by COS or for objects that are not assigned a COS. |
Server |
Search for accounts on selected servers. |
Domains |
Search for accounts on selected domains. |
Saved Searches |
By default, this section includes predefined common search queries. You can also create and save your queries. After you enter the query syntax, click Save Search and provide a name for the search. The search is then added to this Saved Searches section. |
Setting Up a Simple Search
-
At the Search field, use search options from the drop-down selector to define the type of search, as either accounts, distribution lists, aliases, resources, domains, class of service, or all objects.
For accounts, you can search by display name, first/last name, the first part of an email address, alias, delivery address, or mailbox ID.
-
Type the search string into the Search field.
Partial entries are allowed as search criteria, but a search based on mailbox ID must include the complete ID string.
-
Click Search.
The Search page appears, containing results of the search based on your criteria.
-
View the total number of results at the Navigation pane, in Search> All Results.
Help Center UI
The Help Center is a reference of resources available from the online help and documentation, which you can access with the links provided in the Help Center screen. Use this page, also, to access community forums and to view expert responses to the top migration questions.
<1> Go to Previous or Next page <2> Search <3> Screen Refresh <4> Current User and Logout Option <5> Help <6> Status Pane <7> Help Center Navigation Pane
Tools in Collaborator Tables
The selection of a category from the Navigation pane typically results in a tabular display of all managed objects for the selected category. All tables display labeled columns in which to view information such as email addresses, display names, status, last logins, and descriptions (if configured).
Each row in a table enables actions you can perform if you require additional information or access to the configuration for the selected table entry.
Action at Table Row | Result | |
---|---|---|
Hold cursor |
Display ID details for the selection, similar to the example at right (invoked from an Accounts row). |
|
Right-click |
Access the popup menu for a selected table row. The popup menus from a typical table may differ from row to row, as demonstrated in the following examples. |
Accounts and Aliases: Dist Lists and Resources: |
Message of the Day
Global administrators can create the message- or messages-of-the-day (MOTD) that administrators view when logging into the Administration Console.
The MOTD displays during administrative login at the top-left of the Administration Console, similar to the example below.
The message can be closed, replaced, or removed.
Closing a Message of the Day
To remove a message from view, click Close located alongside the message content.
Creating Message(s) of the Day
Use the zimbraAdminConsoleLoginMessage
attribute, with guidelines in this section, to create a single message of the day, or to create multiple messages to be displayed.
When creating a message with your command entry, always place double-quote marks at the beginning and end of the message to be displayed. |
Creating a global message or domain-specific message.
zmprov md <domain> zimbraAdminConsoleLoginMessage "message to display"
Creating a multiple-message display:
zmprov md <domain> +zimbraAdminConsoleLoginMessage "second message to display"
Removing Message(s) of the Day
Use the zimbraAdminConsoleLoginMessage
attribute, with guidelines in this section, to delete a single message of the day, or to delete multiple messages.
When removing a message with your command entry, use the following guidelines for individual and multiple deletions: |
-
Place a minus sign (-) before the attribute, and double quote marks at the beginning and end of an individual message-id for deletion.
-
Use single quote marks with the attribute to remove all messages.
Removing a specific message:
zmprov md <domain> -zimbraAdminConsoleLoginMessage "message to display"
Removing all messages:
zmprov md <domain> zimbraAdminConsoleLoginMessage ''
Functional Reference
This section provides birds-eye views of the functions you can use when navigating the Administration Console, in the following topics:
GUI Roadmap
The following illustration provides a high-level view of the Administration Console UI.
Popup Menu Options
You can select options to perform on a selected entity from the navigation pane from the Gear icon or a topical popup menu.
Using the Gear icon
The Gear icon is always located at the upper-right edge of the page view if pertinent to selectable items in the displayed page.
To view the available options, highlight a topic at the navigation pane or in the page view: In the popup, the options that do not apply to your selection are disabled — the remaining enabled options are valid with your selection. The following example demonstrates Gear options based on the selection of a navigation bar topic, versus a table row entry from within the same page view.
The following table provides a high-level view of the operations derived from the Gear icon, which varies for particular functions.
Navigation Pane Topic | Selections | Options |
---|---|---|
Home Monitor |
Server Statistics |
View |
Mail Queues |
Flush |
|
Manage |
Accounts |
New, New Administrator, Edit, Delete, Change Password, Invalidate Sessions, View Mail, Move Mailbox, View Rights, Configure Grants |
Aliases |
New, New Administrator, Edit, Delete, Move Alias, Invalidate Sessions, View Mail, Move Mailbox, View Rights, Configure Grants |
|
Distribution Lists |
New, New Administrator, Edit, Delete, View Mail, View Rights, Configure Grants |
|
Resources |
New, New Administrator, Edit, Delete, View Mail, View Rights, Configure Rights |
|
Configure |
Class of Service |
New, Delete, Edit, Duplicate |
Domains |
New, Delete, Edit, Configure GAL, Configure Authentication, View Accounts, Add a Domain Alias, Configure Grants |
|
Servers |
Edit, Flush Cache, Enable Proxy, Disable Proxy |
|
Global Settings |
Save, Download, Update License, Activate License, Manually Activate License |
|
Zimlets |
Deploy, Undeploy, Toggle Status |
|
Admin Extensions |
Deploy, Undeploy |
|
Certificates |
Install Certificate, View Certificate |
|
Voice/Chat Service |
New, Delete, Edit, Generate Session ID |
|
Rights |
View |
|
Global ACL |
Add, Delete, Edit |
|
Tools and Migration |
Account Migration |
Delete Task, Refresh, Migration Wizard |
Software Updates |
Save, Check Now |
|
Backups |
View, Backup, Restore, Configure, Refresh |
|
Search |
All Result |
Delete, Edit, Change Password, View Mail, Move Alias, Invalidate Sessions, Move Mailbox, Download |
Accounts |
||
Aliases |
||
Domains |
||
Distribution Lists |
Using the Topical Popup Menus
You can elect to access options to perform on a selection by using popup menus:
There are no popup menus in the Navigation Pane. |
The following example demonstrates the popup options provided by a specific selection in the page view.
Containers
The Administration Console logically groups a wide range of Configuration options into containers. Applicable configuration options inside these containers are listed in the High-level View of Administration Console UI
By default, all containers on a page are opened (expanded). You can opt to close (collapse) containers - which can free up additional space in a page view - by clicking on collapse/expand located at the upper-left edge of the container.
Managing Configuration
The Zimbra components are configured during the initial installation of the software. After the installation, you can manage the following components from either the Administration Console or using the CLI utility.
Help is available from the Administration Console about how to perform tasks from the Administration Console. If the task is only available from the CLI, see Zimbra CLI Commands for a description of how to use the CLI utility.
Global Configuration
Global Settings apply to all accounts in the Zimbra servers. They are initially set during installation. You can modify the settings from the Administration Console.
Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the server, the server settings override the global settings.
- Admin Console:
-
To configure global settings, navigate to:
Home → Configure → Global Settings
Configured global settings are:
-
Default domain
-
Maximum number of results returned for GAL searches. Default = 100.
-
User views of email attachments and attachment types not permitted.
-
Configuration for authentication process, Relay MTA for external delivery, DNS lookup, and protocol checks.
-
Spam check controls and anti-virus options to check messages received.
-
Free/busy scheduling across a mix of Zimbra Collaboration servers and third party email servers.
-
Customization of themes: modify colors and add your logo.
-
Configuration of company name display for external guest log on, when viewing a shared Briefcase folder.
-
Backup default directory and backup notification information.
-
Global SM schedule that defines when messages should be moved to a secondary storage space.
-
View of current Zimbra license information, license updating, and view the number of accounts created.
General Information Configuration
- Admin Console:
-
Home → Configure → Global Settings
Use the General Information screen to view and set global parameters for servers that have been installed and enabled.
Settings defined at the server(s) override those configured in the General Information screen. |
-
Modify parameters, as appropriate for your requirements.
-
From the Gear icon, select Save to use your settings.
Option | Description | ||
---|---|---|---|
Most results returned by GAL search |
The maximum number of GAL results returned from a user search. This value
can be set by domain: the domain setting overrides the global setting. |
||
Default domain |
Domain that users' logins are authenticated against. |
||
Number of scheduled tasks that can run simultaneously |
Number of threads used to fetch content from remote data
sources.
* If set too low, users do not get their mail from external sources pulled down often enough.
* If set too high, the server may be consumed with downloading this mail and not servicing "main" user requests. |
||
Sleep time between subsequent mailbox purges |
The duration of time that the server should "rest" between purging
mailboxes. If the message purge schedule is set to 0, messages are not
purged, even if the mail, trash and spam message life time is set. |
||
Maximum size of an uploaded file for Briefcase files (KB) |
The maximum size of a file that can be uploaded into Briefcase.
|
||
Admin Help URL |
To use the Zimbra Collaboration Help, you can designate the URL that is linked from the Administration Console Help |
Attachments Configuration
Setting Up Email Attachment Rules
Global email attachment settings allow you to specify global rules for handling attachments to an email message. You can also set rules by COS and for individual accounts. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.
- Admin Console:
-
Home → Configure → Global Settings → Attachments
See
Blocking Email Attachments by File type
for information about this section of the screen.
Option | Description |
---|---|
Attachments cannot be viewed regardless of COS |
Users cannot view any attachments. This global setting can be set to prevent a virus outbreak from attachments, as no mail attachments can be opened. |
Attachments are viewed in HTML regardless of COS |
Email attachments can only be viewed in HTML. The COS may have another setting but this global setting overrides the COS setting. |
Attachments are viewed according to COS |
This global setting states the COS sets the rules for how email attachments are viewed |
Send blocked extension notification to recipient |
Blocking Email Attachments by File Type
You can also reject messages with certain types of files attached. You select which file types are unauthorized from the Common extensions list. You can also add other extension types to the list. Messages with those type of files attached are rejected. By default the recipient and the sender are notified that the message was blocked.
If you do not want to send a notification to the recipient when messages are blocked, you can disable this option.
- Admin Console:
-
Home → Configure → Global Settings → Attachments
MTA Configuration
Use options from the MTA page to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks.
- Admin Console:
-
Home → Configure → Global Settings → MTA
Option | Description | ||
---|---|---|---|
Authentication |
|
||
Network |
|
||
Milter Server |
|
||
Archiving |
|
||
Messages |
|
||
Policy Service |
|
||
Protocol checks |
|
||
DNS checks |
|
Global IMAP and POP Configuration
Use the IMAP and POP pages to enable global access.
- Admin Console:
-
Home → Configure → Global Settings → IMAP
Home → Configure → Global Settings → POP
When you make changes to the IMAP or POP settings, you must restart Zimbra Collaboration before the changes take effect. |
IMAP and POP3 polling intervals can be set from the Administration Console
COS Advanced page.
Default = No polling interval.
If IMAP/POP proxy is set up, ensure that the port numbers are configured correctly. |
With POP3, users can retrieve their mail stored on the Zimbra server and download new mail to their computer. The user’s POP configuration in their Preference → Mail page determines how their messages are downloaded and saved.
Working With Domains
One domain is identified during the installation process. You can add domains after installation. From the Administration Console you can manage the following domain features.
-
Global Address List
-
Authentication
-
Virtual hosts for the domain to establish a default domain for a user login
-
Public service host name that is used for REST URLs, commonly used in sharing.
-
Maximum number of accounts that can be created on the domain
-
Free/Busy Interop settings for use with Microsoft Exchange.
-
Domain SSL certificates
A domain can be renamed and all account, distribution list, alias and resource addresses are changed to the new domain name. The CLI utility is used to changing the domain name. See Renaming a Domain.
Domain settings override global settings. |
Domain General Information Configuration
Use the New Domain Wizard to set options described in this section.
- Admin Console:
-
Home → 2 Set up Domain → 1. Create Domain…
Option | Description | ||
---|---|---|---|
Domain name * |
Enter the host name of the REST URL. This is commonly used for sharing. See Setting up a Public Service Host |
||
Public service protocol |
Select HTTP or HTTPS from the drop-down field. |
||
Public service port |
|||
Inbound SMTP host name |
If your MX records point to a spam-relay or any other external non-Zimbra server, enter the name of the server here. |
||
Description |
|||
Default Class of Service |
This COS (for the domain) is automatically assigned to accounts created on the domain if another COS is not set. |
||
Status |
The domain status is active in the normal state. Users can log in and mail is delivered. Changing the status can affect the status for accounts on the domain also. The domain status is displayed on the Domain → General page. Domain status can be set as follows:
|
Setting up a Public Service Host Name
You can configure each domain with the public service host name to be used for REST URLs. This is the URL that is used when sharing email folders and Briefcase folders, as well as sharing task lists, address books, and calendars.
When users share a Zimbra Collaboration folder, the default is to create
the URL with the Zimbra server hostname and the Zimbra service host
name. This is displayed as https://server.domain.com/service/home/username/sharedfolder
. The
attributes are generated as follows:
-
Hostname is server.zimbraServiceHostname
-
Protocol is determined from server.zimbraMailMode
-
Port is computed from the protocol
When you configure a public service host name, this name is used instead of
the server/service name, as https://publicservicename.domain.com/home/username/sharedfolder
. The
attributes to be used are:
-
zimbraPublicServiceHostname
-
zimbraPublicServiceProtocol
-
zimbraPublicServicePort
You can use another FQDN as long as the name has a proper DNS entry to point at 'server' both internally and externally.
Global Address List (GAL) Mode Configuration
The Global Address List (GAL) is your company-wide listing of users that is available to all users of the email system. GAL is a commonly used feature in mail systems that enables users to look up another user’s information by first or last name, without having to know the complete email address.
GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed.
Use the GAL Mode Settings tool with your domain configuration to define the Global Address List.
- Admin Console:
-
Home → 2 Set up Domain → 1 Create Domain… → GAL Mode Settings
Option | Description |
---|---|
GAL Mode |
|
Most results returned by GAL search |
Maximum number of search results that can be returned in one GAL search.
If this value is undefined here, the system will use the value defined in
Global Settings. |
GAL sync account name* |
Read-only field that displays the galsync name and associated domain. |
Datasource name for internal GAL |
Read-only field that displays the name of the internal GAL. |
Internal GAL polling interval |
Define how often — as days, hours, minutes, or seconds — the GAL sync account is to sync with the LDAP server. With the first sync to the LDAP server, all GAL contacts from the LDAP are added to the galsync account’s address book. On subsequent syncs, the account is updated with information about new contacts, modified contacts, and deleted contacts. |
Using GAL sync accounts for faster access to GAL
A GAL sync account is created for the domain when an internal or external GAL is created, and if you have more than one mailbox server, you can create a GAL sync account for each mailbox server in the domain. Using the GAL sync account gives users faster access to auto complete names from the GAL.
When a GAL sync account is created on a server, GAL requests are directed to the server’s GAL sync account instead of the domain’s GAL sync account. The GalSyncResponse includes a token which encodes the GAL sync account ID and current change number. The client stores this and then uses it in the next GalSyncRequest. Users perform GAL sync with the GAL sync account they initially sync with. If a GALsync account is not available for some reason, the traditional LDAP-based search is run.
The GAL sync accounts are system accounts and do not use a Zimbra license. |
When you configure the GAL sync account, you define the GAL datasource and the contact data is synced from the datasource to the GAL sync accounts' address books. If the mode Both is selected, an address book is created in the account for each LDAP data source.
The GAL polling interval for the GAL sync determines how often the GALsync account syncs with the LDAP server. The sync intervals can be in x days, hours, minutes, or seconds. The polling interval is set for each data source.
When the GAL sync account syncs to the LDAP directory, all GAL contacts from the LDAP are added to the address book for that GAL. During the sync, the address book is updated with new contact, modified contact and deleted contact information. You should not modify the address book directly. When the LDAP syncs the GAL to the address book, changes you made directly to the address book are deleted.
You create GALsync accounts from the Administration Console. The CLI associated with this feature is zmgsautil.
Creating Additional GALsync Accounts
When Zimbra is configured with more than one server, you can add an additional GAL sync account for each server.
- Admin Console:
-
Home → Configure → Domains
-
Select the domain to add another GAL sync account.
-
In the Gear icon, select Configure GAL.
-
Click Add a GAL account.
-
In the GAL sync account name field, enter the name for this account. Do not use the default name.
-
Select the mailbox server that this account will apply to.
-
Enter the GAL datasource name. If the GAL mode is BOTH, enter the data source name for both the internal GAL and the external GAL.
-
Set the GAL polling interval to how often the GAL sync account should sync with the LDAP server to update.
-
Click Finish.
-
Changing GAL sync account name
The default name for the GAL sync account is galsync. When you configure the GAL mode, you can specify another name. After the GAL sync account is created, you cannot rename the account because syncing the data fails.
To change the account name, delete the existing GAL sync account and configure a new GAL for the domain.
- Admin Console:
-
Home → Configure → Domains
-
Select the domain where you want to change the GAL sync account name.
-
In the Gear icon, select Configure GAL to open the configuration wizard and change the GAL mode to internal. Do not configure any other fields. Click Finish.
-
In the domain’s account Content pane, delete the domain’s galsync account.
-
Select the domain again and select Configure GAL to reconfigure the GAL. In the GAL sync account name field, enter the name for the account. Complete the GAL configuration and click Finish. The new account is displayed in the Accounts Content pane.
-
Authentication Modes
Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in.
Set the authentication method on a per-domain basis.
- Admin Console:
-
Home → 2 Set up Domain → 1 Create Domain… → Authentication Mode
Option | Description |
---|---|
Authentication mechanism |
|
Virtual Hosts
Virtual hosting allows you to host more than one domain name on a server. The general domain configuration does not change.
When you create a virtual host, this becomes the default domain for user login; users can log in without having to specify the domain name as part of their user name.
- Admin Console:
-
Home → 2 Set up Domain → 1 Create Domain… → Virtual Hosts
Option | Description |
---|---|
Add virtual host |
Alphanumeric string to identify the virtual host(s) for this domain. The virtual host requires a valid DNS configuration with an A record. To delete a virtual host from the domain, click Remove alongside the host name displayed in this wizard screen. |
To open the Zimbra Classic Web App log in page, users enter the virtual host
name as the URL address. For example, https://mail.company.com
.
When the Zimbra login screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.
Setting Account Limits
You can limit the number of accounts that can be provisioned on a domain. The maximum number of accounts that can be provisioned for the domain can be set when the domain is created. You can also edit the domain configuration to add or change the number.
In the Administration Console this is set for a domain in the Account Limits page. If this page is not configured, no limits on the domain are set.
Resources, spam, and ham accounts are not counted against this limit.
You cannot exceed the account limit set by the Zimbra Collaboration license. |
When multiple Classes of Service (COS) are available, you can select which classes of service can be configured and how many accounts on the domain can be assigned to the COS. This is configured in the domain’s Account Limits page. The number of COS account types used is tracked. The limits for all COSs cannot exceed the number set for the maximum accounts for the domain.
The number of COS assigned to accounts is tracked. You can see the number assigned/number remaining from any account’s General Information page.
Renaming a Domain
When you rename a domain you are actually creating a new domain, moving all accounts to the new domain and deleting the old domain. All account, alias, distribution list, and resource addresses are changed to the new domain name. The LDAP is updated to reflect the changes.
Before you rename a domain
-
Make sure MX records in DNS are created for the new domain name
-
Make sure you have a functioning and current full backup of the domain
After the domain has been renamed
-
Update external references that you have set up for the old domain name to the new domain name. This may include automatically generated emails that were sent to the administrator’s mailbox such as backup session notifications. Immediately run a full backup of the new domain:
zmprov -l rd [olddomain.com] [newdomain.com]
Domain Rename Process
When you run this zmprov
command, the domain renaming process goes
through the following steps:
-
The status of the old domain is changed to an internal status of shutdown, and mail status of the domain is changed to suspended. Users cannot login, their email is bounced by the MTA, and accounts, calendar resources and distribution lists cannot be created, deleted or modified.
-
The new domain is created with the status of shutdown and the mail status suspended.
-
Accounts, calendar resources, distribution lists, aliases, and resources are all copied to the new domain.
-
The LDAP is updated to reflect the new domain address.
-
The old domain is deleted.
-
The status for the new domain is changed to active. The new domain can start accepting email messages.
Adding a Domain Alias
A domain alias allows different domain names to direct to a single domain
address. For example, your domain is domain.com
, but you want users to have
an address of example.com
, you can create example.com
as the alias for the
domain.com
address. Sending mail to user@example.com
is the same as sending
mail to user@domain.com
.
A domain alias is a domain name just like your primary domain name. You must own the domain name and verify your ownership before you can add it as an alias. |
- Admin Console:
-
Home → Configure → Domains, from the Gear icon select, Add a Domain Alias.
Enabling Support for Domain Disclaimers
Disclaimers are set per-domain. When upgrading, an existing global disclaimer is converted to domain specific disclaimers on every domain to preserve behavior with previous releases.
Per domain disclaimer support can be enabled using the following steps:
-
Create a new domain (e.g.
example.com
) and account (e.g.user2@example.com
).$ zmprov cd example.com cb9a4846-6df1-4c18-8044-4c1d4c21ccc5 $ zmprov ca user2@example.com test123 95d4caf4-c474-4397-83da-aa21de792b6a $ zmprov -l gaa user1@example.com user2@example.com
-
Enable the use of disclaimers
$ zmprov mcf zimbraDomainMandatoryMailSignatureEnabled TRUE $ zmprov gcf zimbraDomainMandatoryMailSignatureEnabled zimbraDomainMandatoryMailSignatureEnabled: TRUE
-
Add disclaimers to the new domain
$ zmprov md example.com zimbraAmavisDomainDisclaimerText "text disclamer" zimbraAmavisDomainDisclaimerHTML "HTML disclaimer" $ zmprov gd example.com zimbraAmavisDomainDisclaimerText zimbraAmavisDomainDisclaimerHTML # name example.com zimbraAmavisDomainDisclaimerHTML: HTML disclaimer zimbraAmavisDomainDisclaimerText: text disclamer $ zmprov gd eng.example.com # name eng.example.com zimbraAmavisDomainDisclaimerText zimbraAmavisDomainDisclaimerHTML
-
On the first MTA:
/opt/zimbra/libexec/zmaltermimeconfig -e example.com Enabled disclaimers for domain: example.comm Generating disclaimers for domain example.com.
-
On all additional MTAs:
/opt/zimbra/libexec/zmaltermimeconfig
-
To test, send an email from the account (e.g.
user2@example.com
) in html and plain text format -
To verify, check emails received with correct HTML disclaimer and plain text disclaimer.
-
To disable for the domain example.com
-
On the first MTA, as the Zimbra user:
/opt/zimbra/libexec/zmaltermimeconfig -d example.com
-
On all additional MTAs:
/opt/zimbra/libexec/zmaltermimeconfig
-
-
-
Disabling Disclaimers for Intra-domain Emails
You can enable the option for emails between individuals in the same domain to not have a disclaimer attached.
Set the attribute attachedzimbraAmavisOutboundDisclaimersOnly
to TRUE
.
To preserve backward-compatibility, this attribute defaults to FALSE
.
Disabling the Disclaimer Feature
It is possible to completely remove support for disclaimers by setting the
related attribute to FALSE
.
zmprov mcf zimbraDomainMandatoryMailSignatureEnabled FALSE
Zimlets on the Domain
All Zimlets that are deployed are displayed in the domain’s Zimlets page. If you do not want all the deployed Zimlets made available for users on the domain, select from the list the Zimlets that are available for the domain. This overrides the Zimlet settings in the COS or for an account.
Managing Server Settings
A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.
In the Administration Console, you can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The Zimbra Collaboration installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.
The server settings that can be viewed from the Administration Console, Configure Servers link for a specific server include:
-
General information about the service host name, and LMTP advertised name and bind address, and the number of threads that can simultaneously process data source imports.
-
A list of enabled services. You can disable and enable the services.
-
Authentication types enabled for the server, setting a Web mail MTA host-name different from global. Setting relay MTA for external delivery, and enabling DNS lookup if required. Enable the Milter Server and set the bind address.
-
Enabling POP and IMAP and setting the port numbers for a server. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.
-
Index and message volumes configuration. Setting SM policies.
-
IP Address Bindings. If the server has multiple IP addresses, IP Address binding allows you to specify which interface to bind to.
-
Proxy settings if proxy is configured.
-
Backup and Restore configuration for the server. When backup and restore is configured for the server, this overrides the global backup and restore setting.
Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.
General Server Settings
The General Information page includes the following configuration information:
-
Server display name and a description field
-
Server hostname
-
LMTP information including advertised name, bind address, and number of threads that can simultaneously process data source imports.
Default = 20 threads. -
Purge setting: The server manages the message purge schedule. You configure the duration of time that the server should "rest" between purg-ing mailboxes from the Administration Console, Global settings or Server settings, or General Information page.
Default = message purge is scheduled to run each minute.
When installing a reverse proxy the communication between the proxy server and the backend mailbox server must be in plain text. Checking This server is a reverse proxy lookup target automatically sets the following parameters:
zimbraImapCleartextLoginEnabled TRUE zimbraReverseProxyLookupTarget TRUE zimbraPop3CleartextLoginEnabled TRUE
The Notes text box can be used to record details you want to save.
Change MTA Server Settings
- Admin Console:
-
Home → Configure → Servers → server → MTA
The MTA page show the following settings:
-
Authentication enabled.
Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail. TLS authentication when enabled, forces all SMTP auth to use Transport Layer Security (successor to SSL) to avoid passing passwords in the clear.
-
Network settings, including Web mail MTA hostname, Web mail MTA time-out, the relay MTA for external delivery, MTA trusted networks ID, and the ability to enable DNS lookup for the server.
-
Milter Server.
If Enable Milter Server is checked, the milter enforces the rules that are set up for who can send email to a distribution list on the server.
Setting Up IP Address Binding
If the server has multiple IP addresses, you can use IP address binding to specify which specific IP addresses you want a particular server to bind to.
- Admin Console:
-
Home → Configure → Servers → server → IP Address Bindings
Option | Description |
---|---|
Web Client Server IP Address |
Interface address on which the HTTP server listens |
Web Client Server SSL IP Address |
Interface address on which the HTTPS server listens |
Web Client Server SSL Client Cert IP Address |
Interface address on which HTTPS server accepting the client certificates listen |
Administration Console Server IP Address |
Administrator console Interface address on which HTTPS server listens |
Managing SSL Certificates for Zimbra
A certificate is the digital identity used for secure communication between different hosts or clients and servers. Certificates are used to certify that a site is owned by you.
Two types of certificates can be used - self-signed and commercial certificates.
-
A self-signed certificate is an identity certificate that is signed by its own creator.
You can use the Certificate Installation Wizard to generate a new self-signed certificate. This is useful when you use a self-signed certificate and want to change the expiration date. Self-signed certificates are normally used for testing.
Default = 1825 days (5 years) -
A commercial certificate is issued by a certificate authority (CA) that attests that the public key contained in the certificate belongs to the organization (servers) noted in the certificate.
When Zimbra Collaboration is installed, the self-signed certificate is automatically installed and can be used for testing Zimbra Collaboration. You should install the commercial certificate when Zimbra Collaboration is used in your production environment.
ZCO users in a self-signed environment will encounter warnings about connection security unless the root CA certificate is added to the client’s Window Certificate Store. See the Zimbra Wiki article ZCO Connection Security for more information. |
Installing Certificates
To generate the Certificate Signing Request (CSR) you complete a form with details about the domain, company, and country, and then generate a CSR with the RSA private key. You save this file to your computer and submit it to your commercial certificate authorizer.
To obtain a commercially signed certificate, use the Zimbra Certificates Wizard in the Administration Console to generate the RSA Private Key and CSR.
- Admin Console:
-
Home → 1 Get Started → 2. Install Certificates
Use guidelines from the Install Certificates table to set parameters for your certificates.
Option | Description |
---|---|
Common Name (CN) |
Exact domain name that should be used to access your Web site securely. Are you going to use a wildcard common name? If you want to manage multiple sub domains on a single domain on the server with a single certificate, check this box. An asterisk (*) is added to the Common Name field. |
Country Name (C) |
Country name you want the certificate to display as our company location |
State/Province (ST) |
State/province you want the certificate to display as your company location. |
City (L) |
City you want the certificate to display as your company location. |
Organization Name (O) |
Your company name |
Organization Unit (OU) |
Unit name (if applicable) |
Subject Alternative Name (SAN) |
If you are going to use a SAN, the input must be a valid domain name. When SAN is used, the domain name is compared with the common name and then to the SAN to find a match. You can create multiple SANs. When the alternate name is entered here, the client ignores the common name and tries to match the server name to one of the SAN names. |
Download the CSR from the Zimbra server and submit it to a Certificate Authority, such as VeriSign or GoDaddy. They issue a digitally signed certificate.
When you receive the certificate, use the Certificates Wizard a second time to install the certificate on Zimbra Collaboration. When the certificate is installed, you must restart the server to apply the certificate.
Viewing Installed Certificates
You can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days and subject alternative name.
- Admin Console:
-
Home → Configure → Certificates → zmhostname
Certificates display for different Zimbra services such as LDAP, mailboxd, MTA and proxy.
Maintaining Valid Certificates
It is important to keep your SSL certificates valid to ensure clients and environments work properly, as the Zimbra system can become non-functional if certificates are allowed to expire. You can view deployed SSL certificates from the Zimbra administrator console, including their validation days. It is suggested that certificates are checked periodically, so you know when they expire and to maintain their validity.
Install a SSL Certificate for a Domain
You can install an SSL certificate for each domain on a Zimbra Collaboration server. Zimbra Proxy must be installed on Zimbra Collaboration and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.
Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.
Configure the Zimbra Proxy Virtual Host Name and IP Address.
zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}
The virtual domain name requires a valid DNS configuration with an A record. |
Edit the certificate for the domain:
- Admin Console:
-
Home → 1 Get Started → 2. Install Certificates
Copy the domain’s issued signed commercial certificates and private key files to the Domain Certificate section for the selected domain.
-
Copy the root certificate and the intermediate certificates in descending order, starting with your domain certificate. This allows the full certificate chain to be validated.
-
Remove any password (passphrase) from the private key before the certificate is saved.
See your commercial certificate provider for details about how to remove the password.
-
Click Upload.
The domain certificate is deployed to
/opt/zimbra/conf/domaincerts
Using DKIM to Authenticate Email Message
Domain Keys Identified Mail (DKIM) defines a domain-level authentication mechanism that lets your organization take responsibility for transmitting an email message in a way that can be verified by a recipient. Your organization can be the originating sending site or an intermediary. Your organization’s reputation is the basis for evaluating whether to trust the message delivery.
You can add a DKIM digital signature to outgoing email messages, associating the message with a domain name of your organization. You can enable DKIM signing for any number of domains that are being hosted by Zimbra. It is not required for all domains to have DKIM signing enabled for the feature to work.
DKIM defines an authentication mechanism for email using
-
A domain name identifier
-
Public-key cryptography
-
DNS-based public key publishing service.
The DKIM signature is added to the email message header field. The header information is similar to the following example.
DKIM-Signature a=rsa-sha1; q=dns; d=example.com; i=user@eng.example.com; s=jun2021.eng; c=relaxed/simple; t=1117574938; x=1118006938; h=from:to:subject:date; b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR
Receivers who successfully validate a DKIM signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior.
Configure Zimbra Collaboration for DKIM Signing
DKIM signing to outgoing mail is done at the domain level.
To set up DKIM you must run the CLI zmdkimkeyutil to generate the DKIM keys and selector. You then update the DNS server with the selector which is the public key.
-
Log in to the Zimbra server and as zimbra:
/opt/zimbra/libexec/zmdkimkeyutil -a -d <example.com>
The public DNS record data that must be added for the domain to your DNS server is displayed. The public key DNS record appears as a DNS TXT-record that must be added for the domain to your DNS server.
Optional. To specify the number of bits for the new key, include
-b
in the command line,-b <####>
. If you do not add the-b
, the default setting is 2048 bits.DKIM Data added to LDAP for domain example.com with selector B534F5FC-EAF5-11E1-A25D-54A9B1B23156 Public signature to enter into DNS: B534F5FC-EAF5-11E1-A25D-54A9B1B23156._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+ycHjGL/mJXEVlRZnxZL/VqaN/Jk9VllvIOTkKgwLSFtVsKC69kVaUDDjb3zkpJ6qpswjjOCO+0eGJZFA4aB4BQjFBHbl97vgNnpJq1sV3QzRfHrN8X/gdhvfKSIwSDFFl3DHewKDWNcCzBkNf5wHt5ujeavz2XogL8HfeL0bTwIDAQA B" ; ----- DKIM B534F5FC-EAF5-11E1-A25D-54A9B1B23156 for example.com
The generated DKIM data is stored in the LDAP server as part of the domain LDAP entry.
-
Work with your service provider to update your DNS for the domain with the DKIM DNS text record.
-
Reload the DNS and verify that the DNS server is returning the DNS record.
-
Verify that the public key matches the private key. See the Identifiers table for
-d
,-s
, and-x
descriptions./opt/zimbra/common/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf
Table 30. Identifiers Parameter Description -d
Domain name
-s
Selector name
-x
Configuration file name.
Update DKIM Data for a Domain
When the DKIM keys are updated, the DNS server must be reloaded with the new TXT record.
Good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.
Log in to the Zimbra server and as zimbra:
/opt/zimbra/libexec/zmdkimkeyutil -u -d <example.com>
Optional. To specify the number of bits for the new key, include -b in
the command line, -b <####>
. If you do not add the -b
, the default
setting is 2048 bits.
-
Work with your service provider to update your DNS for the domain with the DKIM DNS text record.
-
Reload the DNS and verify that the DNS server is returning the DNS record.
-
Verify that the public key matches the private key: See the Identifiers table for
-d
,-s
, and-x
descriptions./opt/zimbra/common/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf
Remove DKIM Signing from Zimbra
Removing DKIM signing deletes the DKIM data from LDAP, and new email messages are no longer signed for the domain. When you remove DKIM from the domain, it is a good practice to leave the previous TXT record in DNS for some time so that email messages that were signed with the previous key can still be verified.
Use the following command syntax to remove the file:
/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com
Retrieve DKIM Data for a Domain
Use the following command syntax to view the stored DKIM information for the domain, selector, private key, public signature and identity:
/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com
Anti-spam Settings
Zimbra uses SpamAssassin to control spam. SpamAssassin uses predefined rules as well as a Bayes database to score messages. Zimbra evaluates spam as a percentage value. Messages tagged between 33%-75% spam are delivered to the user’s junk folder. Messages tagged above 75% are not sent to the user and are discarded.
You can change the anti-spam settings.
- Admin Console
-
Home → Configure → Global Settings → AS/AV
-
At the Anti-Spam fields, enter parameters, as appropriate for your requirements.
-
From the Gear icon, select Save to use your settings.
Table 31. Anti-Spam Option Description Kill percent
Percent that scored mail to be considered as spam, and therefore not to be delivered.
Default = 75%Tag percent
Percent that scores mail to be considered as spam, which should be delivered to the Junk folder.
Default = 33%Subject prefix
Text string to be added to the subject line for messages tagged as spam.
When a message is tagged as spam, the message is delivered to the recipient’s junk folder. Users can view the number of unread messages that are in their junk folder and can open the junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when users add or remove messages in the junk folder, their action helps train the spam filter.
RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI.
Anti-Spam Training Filters
The automated spam training filter is enabled by default and two feedback system mailboxes are created to receive mail notification.
-
Spam Training User for mail that was not marked as spam but should be.
-
Non-spam (referred to as ham) training user for mail that was marked as spam but should not have been.
The mailbox quota and attachment indexing is disabled for these training accounts. Disabling quotas prevents bouncing messages when the mailbox is full.
How well the anti-spam filter works depends on recognizing what is considered spam. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.
When Zimbra is installed, the spam/ham cleanup filter is configured on only the first MTA. The Zimbra spam training tool, zmtrainsa, is configured to automatically retrieve these messages and train the spam filter. The zmtrainsa script is enabled through a crontab job to feed mail to the SpamAssassin application, allowing SpamAssassin to 'learn' what signs are likely to mean spam or ham. The zmtrainsa script empties these mailboxes each day.
New installs of Zimbra limit spam/ham training to the first MTA installed. If
you uninstall or move this MTA, you will need to enable spam/ham training
on another MTA, as one host should have this enabled to run To set this on a new MTA server
|
Disabling the Spam Training Mailboxes
The Zimbra default is that all users can give feedback when they add or remove items from their junk folder.
If you do not want users to train the spam filter you can disable this function.
-
Modify the global configuration attributes,
ZimbraSpamIsSpamAccount
andZimbraSpamIsNotSpamAccount
-
Remove the account addresses from the attributes.
zmprov mcf ZimbraSpamIsSpamAccount '' zmprov mcf ZimbraSpamIsNotSpamAccount ''
When these attributes are modified, messages marked as spam or not spam are not copied to the spam training mailboxes.
Manually Training Spam Filters
Initially, you might want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes.
When zmtrainsa
runs, these messages are used to teach the spam filter.
Make sure you add a large enough sampling of messages to get accurate
scores. To determine whether to mark messages as spam at least 200 known
spams and 200 known hams must be identified.
Protect Alias Domains from Backscatter Spam
To reduce the risk of backscatter spam, you can run a service that runs a Zimbra Access Policy Daemon that validates RCPT To: content specifically for alias domains.
For information about creating domain aliases, see the Zimbra wiki article Managing Domains. |
-
Set the Postfix LC key.
zmlocalconfig -e postfix_enable_smtpd_policyd=yes
-
Define the MTA restriction.
zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
The postfix_policy_time_limit
key is set because by default the Postfix
spawn(8) daemon kills its child process after 1000 seconds. This is too
short for a policy daemon that might run as long as an SMTP client is
connected to an SMTP process.
Disabling Postfix Policy Daemon
Disable the SMTPD policy.
zmlocalconfig -e postfix_enable_smtpd_policyd=no
- Admin Console:
-
Home → Configure → Global Settings → MTA
Define the policy restriction.Setting Email Recipient RestrictionsRealtimeBlackhole Lists and Realtime Right-Hand Side Blocking/Black Lists can be turned on or off in the MTA.
For protocol checks, the following three RBLs can be enabled:
-
tname
-
Client must greet with a fully qualified hostname -
reject_non_fqdn_hostname
-
Sender address must be fully qualified - reject_non_fqdn_sender
Hostname in greeting violates RFC - reject_invalid_host
zmprov mcf -zimbraMtaRestriction "check_policy_service unix:private/policy"
The following RBLs can also be set.
-
reject_rbl_client cbl.abuseat.org
-
reject_rbl_client bl.spamcop.net
-
reject_rbl_client dnsbl.sorbs.net
-
reject_rbl_client sbl.spamhaus.org
As part of recipient restrictions, you can also use the
reject_rbl_client <rbl hostname>
option.
- Admin Console:
-
Home → Configure → Global Settings → MTA → DNS Checks
Use the DNS tools in MTA configuration to define the restriction lists.
For a list of current RBL’s, see the Comparison of DNS blacklists article.
Adding RBLs with the CLI
-
View the current RBLs.
zmprov gacf zimbraMtaRestriction
-
Add new RBLs: list the existing RBLs and the new Add, in the same command entry. For 2-word RBL names, surround the name with quotes in your entry.
zmprov mcf zimbraMtaRestriction [RBL type]
zmprov mcf \
zimbraMtaRestriction reject_invalid_hostname \
zimbraMtaRestriction reject_non-fqdn_hostname \
zimbraMtaRestriction reject_non_fqdn_sender \
zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org"
Setting Global Rule for Messages Marked as Both Spam and Whitelist
When you use a third-party application to filter messages for spam before messages are received by Zimbra, the Zimbra global rule is to send all messages that are marked by the third-party as spam to the junk folder. This includes messages that are identified as spam and also identified as whitelisted.
If you do not want messages that are identified as whitelisted to be sent
to the junk folder, you can configure zimbraSpamWhitelistHeader
and
zimbraSpamWhitelistHeaderValue
to pass these messages to the user’s
mailbox. This global rule is not related to the Zimbra MTA spam filtering
rules. Messages are still passed through a user’s filter rules.
To search the message for a whitelist header:
zmprov mcf zimbraSpamWhitelistHeader <X-Whitelist-Flag>
To set the value:
zmprov mcf zimbraSpamWhitelistHeaderValue <value_of_third-party_white-lists_messages>
Anti-virus Settings
Anti-virus protection is enabled for each server when the Zimbra software is installed. The anti-virus software is configured to send messages that have been identified as having a virus to the virus quarantine mailbox. An email notification is sent to recipients letting them know that a message has been quarantined. The quarantine mailbox message lifetime is set to 7 days.
From the Admin Console, you can specify ho aggressively spam is to be filtered in your Zimbra Collaboration.
- Admin Console:
-
Home → Configure → Global Settings → AS/AV
-
At the Anti-Virus fields, enter parameters, as appropriate for your requirements.
-
From the Gear icon, select Save to use your settings.
Option | Description |
---|---|
Definition update frequency |
By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV. The frequency can be set between 1 and 24 hours. |
Block encrypted archives |
Restrict encrypted files, such as password protected zipped files. |
Send notification to recipient |
To alert that a mail message had a virus and was not delivered. |
During Zimbra Collaboration installation, the administrator notification address for anti- virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.
Updates are obtained via HTTP from the ClamAV website. |
Zimbra Free/Busy Calendar Scheduling
The Free/Busy feature allows users to view each other’s calendars for efficiently scheduling meetings. You can set up free/busy scheduling across Zimbra and Microsoft Exchange servers.
Zimbra can query the free/busy schedules of users on supported Microsoft Exchange servers and also can propagate the free/busy schedules of Zimbra users to the Exchange servers.
To set free/busy interoperability, the Exchange systems must be set up as described in the Exchange Setup Requirements section, and the Zimbra Collaboration Global Config, Domain, COS and Account settings must be configured. The easiest way to configure Zimbra Collaboration is from the Administration Console.
Exchange Setup Requirements
The following is required to set up the free/busy feature:
-
Either a single Active Directory (AD) must be in the system or the global catalog must be available.
-
The Zimbra Collaboration server must be able to access the HTTP(S) port of IIS on at least one of the Exchange servers.
-
Web interface to Exchange public folders needs to be available via IIS. (
http://server/public/
) -
Zimbra Collaboration users must be provisioned as a contact on the AD using the same administrative group for each mail domain. This is required only for Zimbra to Exchange free/busy replication.
-
For Zimbra Collaboration to Exchange free/busy replication, the Exchange user email address must be provisioned in the account attribute zimbra-ForeignPrincipal for all Zimbra Collaboration users.
Configuring Free/Busy on Zimbra Collaboration
To set Free/Busy Interoperability up from the Administration Console, the global config, Domain, COS and Account settings must be configured as described here.
-
Configure the Exchange server settings, either globally or per-domain.
-
Microsoft Exchange Server URL. This is the Web interface to the Exchange.
-
Microsoft Exchange Authentication Scheme, either Basic or Form.
-
Basic is authentication to Exchange via HTTP basic authentication.
-
Form is authentication to Exchange as HTML form based authentication.
-
-
Microsoft Exchange Server Type, either WebDav or ews
-
Select WebDAV to support free/busy with Exchange 2003 or Exchange 2007.
This is for information only, as these versions of Exchange are no longer supported. -
Select ews (Exchange Web Service) to support free/busy with Exchange 2010 SP1 and newer.
-
-
-
Include the Microsoft Exchange user name and password. This is the name of the account in Active Directory and password that has access to the public folders. These are used to authenticate against the Exchange server on REST and WebDAV interfaces.
-
Add the o and ou values that are configured in the legacyExchangeDN attribute for Exchange on the Global Config Free/Busy Interop page, the Domain Free/Busy Interop page or on the Class of Service (COS) Advanced page. Set at the global level this applies to all accounts talking to Exchange.
-
In the Account’s Free/Busy Interop page, configure the foreign principal email address for the account. This sets up a mapping from the Zimbra Collaboration account to the corresponding object in the AD.
To find these settings on the Exchange server, you can run the Exchange
ADSI Edit tool and search the legacyExchangeDN attribute for the o= ,
ou= , and cn= settings.
|
Zimbra Collaboration to Zimbra Collaboration Free/Busy Interoperability
You can set up free/busy interoperability between Zimbra servers. Free/Busy interoperability is configured on each server.
Each server must be running Zimbra Collaboration 8.0.x or later. |
-
Enter the server host names and ports.
zmprov mcf zimbraFreebusyExternalZimbraURL http[s]://[user:pass@]host:port
If the user:pass is not included, the server runs an anonymous free/busy lookup.
-
Restart the server.
zmcontrol restart
-
Repeat these steps at all other servers.
Setting Up S/MIME
S/MIME is a standard to send secure email messages. S/MIME messages use digital signature to authenticate and encrypt messages.
Currently, there are two different methods for providing the S/MIME feature
-
The old client based solution which requires Java 1.6 SE deployed on the client machine
-
The new server based solution which does not require Java on the client machine. The server performs all the cryptographic operations. (Recommended)
This feature is supported only in the Classic Web App. |
Setting up for using the S/MIME feature using the client based solution
Prerequisites
-
To use S/MIME, users must have a PKI certificate and a private key. The private key must be installed in the user’s local certificate store on Windows and Apple Mac and in the browser certificate store if they use the Firefox browser. See the appropriate computer or browser documentation for how to install certificates.
-
Users can use any of the following browsers:
-
Mozilla Firefox 4 or later
-
Internet Explorer 8, 9
-
Chrome 12 or later
-
-
Users computers must have Java 1.6 SE deployed to use S/MIME. If they do not, they see an error asking them to install it.
S/MIME License
You must have a Zimbra license that is enabled for S/MIME.
Enable S/MIME Feature
- Admin Console:
-
Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features
The S/MIME feature can be enabled from either the COS or Account FeaturesTab.
-
Select the COS or account to edit.
-
In the Features tab S/MIME features section, check Enable S/MIME.
-
Click Save.
Importing S/MIME Certificates
Users can send encrypted messages to recipients if they have the recipients' public-key certificate stored in one of the following:
-
Recipient’s contact page in their Address Book.
-
Local OS or browser keystore.
-
External LDAP directory.
The certificates should be published into the LDAP directory so that they can be retrieved from the GAL. The format of the S/MIME certificates must be X.509 Base64 encoded DER.
Configure External LDAP Lookup for Certificates
If you use an external LDAP to store certificates, you can configure the Zimbra server to lookup and retrieve certificates from the external LDAP, on behalf of the client.
- Admin Console:
-
Home → Configure → Global Settings → S/MIME
Home → Configure → Domains → domain → S/MIME
You can configure the external LDAP server settings from either the Global Settings → S/MIME tab or the Domains → S/MIME tab.
Global Settings override Domain settings |
-
Edit the global settings page or select a domain to edit. Open the S/MIME tab.
-
In the Configuration Name field, enter a name to identify the external LDAP server. Example,
companyLDAP_1
-
In the LDAP URL field, enter the LDAP server’s URL. Example,
ldap://host.domain:3268
-
To use DN to bind to the external server, in the S/MIME LDAP Bind DN field, enter the bind DN. Example,
administrator@domain
If you want to use anonymous bind, leave the Bind ND and Bind password fields empty.
-
In the S/MIME Ldap Search Base field, enter the specific branch of the LDAP server that should be searched to find the certificates.
Example,
ou=Common Users, DC=host, DC=domain
Or, check Automatically discover search base to automatically discover the search base DNs. For this to work, the S/MIME Search Base field must be empty.
-
In the S/MIME Ldap filter field, enter the filter template for the search. The filter template can contain the following conversion variables for expansion:
-
%n
- search key with@
(or without, if no@
was specified) -
%u
- with@
removed (For example,mail=%n
)
-
-
In the S/MIME Ldap Attribute field, enter attributes in the external LDAP server that contain users' S/MIME certificates. Multiple attributes can be separated by a comma (
,
).Example, "userSMIMECertificate, UserCertificate"
-
Click Save.
To set up another external LDAP server, click Add Configuration.
Setting up for using the S/MIME feature using the server based solution
Prerequisites
Same as for the client based S/MIME solution except that Java is not required on the client machine. The private key is also not required to be on the client machine’s local/browser certificate store.
S/MIME License
Same as for the client based S/MIME solution
Enable S/MIME Feature
Same as for the client based S/MIME solution
Importing S/MIME Certificates
Same as for the client based S/MIME solution except that the recipients' public-key certificate no longer needs to be stored in the Local OS or browser keystore. The certificate can be published to all other places mentioned in previous S/MIME version.
List of LDAP attributes introduced to support the server based S/MIME solution
-
zimbraSmimeOCSPEnabled
-
Used by server at the time of validating the user as well as public certificates
-
If
TRUE
, the revocation check will be performed during certificate validation -
If
FALSE
, the revocation check will not be performed during certificate validation
-
-
zimbraSmimePublicCertificateExtensions
-
The supported public certificate file extensions separated by commas
-
Contains the list of supported formats for the
userCertificate
LDAP attribute -
Default values:
cer
,crt
,der
,spc
,p7b
,p7r
,sst
,sto
,pem
-
Zimbra Classic Web App retrieves the supported file formats or extensions for uploading public certificate from the server
-
-
zimbraSmimeUserCertificateExtensions
-
The supported public certificate file extensions separated by commas
-
Contains the list of supported formats for the userSmimeCertificate LDAP attribute
-
Default values:
p12
,pfx
-
Zimbra Classic Web App retrieves the supported file formats or extensions for uploading public certificate from the server
-
Process for Adding the CA certificate to the mailbox truststore for S/MIME
S/MIME uses the mailbox trust store path and its password which are defined in localconfig.xml
The key names are:
-
mailboxd_truststore
-
mailboxd_truststore_password
If the mailboxd_truststore key is not defined in localconfig.xml, by default the value of mailboxd_truststore is:
-
<zimbra_java_home>/jre/lib/security/cacerts
A CA certificate can be imported to the mailbox trust store by executing the following command:
keytool -import -alias -keystore <mailboxd_truststore path> -trustcacerts -file <CA_Cert>
Email Retention Management
You can configure retention policies for user account’s email, trash, and junk folders. The basic email retention policy is to set the email, trash and spam message lifetime in the COS or for individual accounts.
You can set up specific retention policies that users can enable for the Inbox and other email folders in their account. Users can also create their own retention policies.
You can enable the dumpster feature to save messages that are deleted from Trash. When a message reaches the end of its retention lifetime, based on email lifetime rules or deletion policies, the message is moved to the dumpster if enabled. Users can recover deleted items from the dumpster until the threshold set in the Visibility lifetime in dumpster for end user setting.
If dumpster is not enabled, messages are purged from the server when the email retention lifetime is reached.
You can also set up a legal hold on an account to prevent messages from being deleted.
Configuring Email Lifetime Rules
You can configure when email messages should be deleted from an accounts folders, and the trash and junk folders by COS or for individual accounts.
Email Lifetime Option | Description |
---|---|
Email message lifetime |
Number of days a message can remain in a folder before it is purged. This
includes data in RSS folders. |
Trashed message lifetime |
Number of days a message remains in the Trash folder before it is purged. |
Spam message lifetime |
Number of days a message can remain in the Junk folder before it is purged. |
Purging Email Messages
By default, the server purges email messages that have exceeded their lifetime every minute. You can change the duration of time that the server should "rest" between purging mailboxes.
Use the global Sleep Time setting to define duration, in minutes, between mailbox purges.
- Admin Console:
-
Home → Configure → Global Settings → General Information
For example, if the purge interval is set to 1 minute, the server purges mailbox1
, waits for 1 minute, and then begins to purge mailbox2.
If the message purge schedule is set to 0, messages are not purged even if the mail, trash and spam message lifetime is set.
Because users cannot view message lifetime settings, you will need to apprise them of your purge policies. |
Configuring Message Retention and Deletion Policies
Retention and deletion policies can be configured as a global setting or as a COS setting. Users can select these policies to apply to their message folders in their account. They can also set up their own retention and deletion policies. Users enable a policy you set up or create their own policies from their folders' Edit Properties dialog box.
Global Retention Policy
System wide retention and deletion policies can be managed from the Administration Console.
Use the global Retention Policy page to set global retention or deletion policies.
- Admin Console:
-
Home → Configure → Global Settings → Retention Policy
COS Retention Policy
Use the COS Retention Policy page to set retention or deletion for the selected COS.
- Admin Console:
-
Home → Configure → Class of Service → COS → Retention Policy
Ensure that the Enable COS-level policies instead of inheriting from the policy defined in Global Settings is enabled.
The retention policy is not automatically enforced on a folder. If users option an item in a folder that has not met the threshold of the retention policy, the following message is displayed, You are deleting a message that is within its folder’s retention period. Do you wish to delete the message?
When the threshold for the deletion policy is reached, items are deleted from the account. They are not sent to the Trash folder. If the dumpster feature is enabled, they are sent to the dumpster, if it is not enabled, they are purged from the server.
How Lifetime and Retention/Deletion Policies Work Together
If the Email Message Lifetime is set to a value other than zero (0), this setting applies in addition to the disposal or retention policy values applied to a folder. For example:
Email Message Lifetime is set to 120 days
-
Folder A has a policy with a disposal threshold of 360 days. Messages in Folder a are disposed of in 120 days.
-
Folder B has a policy with disposal threshold of 90 days. Messages in Folder B are disposed of in 90 days.
-
Folder C has a policy with retention range of 150 days. Messages in Folder C are disposed of in 120 days.
Managing the Dumpster
When a message, trash or spam lifetime has been reached, the message is moved to the dumpster if the feature is enabled. When users right-click on Trash, they can click Recover deleted items to retrieve items from their trash that have been deleted in the last x days. This threshold is based on the Visibility lifetime in dumpster for end user setting.
The Retention lifetime in dumpster before purging setting sets retention lifetime for items in dumpster. Items in dumpster older than the threshold are purged and cannot be retrieved.
Administrators can access the individual dumpster’s content, including spam, and they can delete data at any time before the message lifetime is reached.
Searching for an item in the dumpster folder
zmmailbox -z -m <user@example.com> search --dumpster -l <#> --types <message,contact,document> <search-field>
The search field can be a date range: 'before:mm/dd/yyyy and after:mm/dd/yyyy' or emails from or to a particular person: 'from:Joe', etc.
Deleting items in the dumpster folder
Items in the dumpster folder can be deleted with the CLI or from the Administration Console:
zmmailbox -z -m <user@example.com> -A dumpsterDeleteItem <item-ids>
- Admin Console:
-
Home → Configure → Class of Service → COS → Features → General Features
-
Enable (check) the Dumpster folder checkbox.
-
To set Visibility lifetime in dumpster for end user, go to the Timeout Policy section on COS' Advanced page
-
To set Retention lifetime in dumpster before purging, go to the COS’s Advanced page, Email Retention Policy section.
-
Configure Legal Hold on an Account
If the dumpster folder feature is enabled, you can set up a legal hold to preserve all items in user accounts.
When dumpster is enabled, Can purge dumpster folder is also enabled. Disabling this feature turns off purging of items in the user’s dumpster. This can be set on a COS or for individual accounts. When Can purge dumpster folder is enabled, any deletion policies set up on the accounts' folders are ignored.
Configure legal hold:
- Admin Console:
-
Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features
Deselect Can purge dumpster folder on the Features page.
Customized Admin Extensions
Developers can create and add custom modules to the Zimbra Administration Console user interface, to provide new views, manage new data objects, extend existing objects with new properties, and customize existing views.
For the most up-to-date and comprehensive information about how to create an extended Administration Console UI module, go to the Zimbra wiki Extending Admin UI article located at Extending_Admin_UI.
All Zimbra extensions currently incorporated at the Administration Console UI are listed in the content pane as view only.
Only those created by you can be removed (see also Removing Admin Extension Modules).
Deploying New Administration Console UI Modules
- Admin Console:
-
Home → Configure → Admin Extensions
Save the module zip
file to the computer you use to access the
Administration Console.
-
From the Gear icon, select Deploy to present the Deploying a Zimlet or an extension dialog.
-
Browse to the custom module
zip
file you need to upload. -
Click Deploy.
The file is uploaded and the extension is immediately deployed on the server.
Removing An Admin Extension Module
Deleting an Admin Extension results in removal of the selected extension
and all associated files. This action does not delete the originating zip
file.
- Admin Console:
-
Home → Configure → Admin Extensions
Use steps in this section to remove custom Admin Extensions.
-
Select the module to remove, and select Undeploy from the Gear icon. A confirmation query is presented.
-
At the confirmation query, click Yes to proceed.
Ephemeral Data
There are 3 main types of ephemeral data stored in LDAP during normal operation of Zimbra Collaboration.
-
Last Logon Time Stamps (
zimbraLastLogonTimestamp
) -
Auth Tokens (
zimbraAuthTokens
) -
CSRF Tokens (
zimbraCsrfTokenData
)
On small systems, storage of these types of ephemeral data may be done in the LDAP Server. However, mail systems with large numbers of active users have been found to overload LDAP for short-lived data storage. Therefore, the preferred option is to store this ephemeral data using an external server.
This document does not cover how to install and maintain the ephemeral storage server. |
Configuring the storage location of ephemeral data is done through the following LDAP attribute:
Attribute |
Format |
Description |
zimbraEphemeralBackendURL |
[backend name]:[params] |
Ephemeral Backend URL Configuration |
The two currently supported Ephemeral Data backends are:
Backend |
Format |
Description |
LDAP |
ldap://default |
Default configuration |
SSDB |
ssdb:127.0.0.1:8888 |
SSDB server and port |
Frequent authentication requests place a high load on Ephemeral Data storage backend. See the following Zimbra wiki pages for results of authentication-based load tests:
Configuring a Running Zimbra Collaboration to Use SSDB
Configuring an already running Zimbra Collaboration installation
to utilize SSDB
instead of LDAP
for short-lived data storage is done through the following process:
-
Install
SSDB
and note the IP address and port configured since you will need this data for the next steps. Refer to Overview of Configuration Options for more information. -
Migrate any existing short-lived data to
SSDB
using the/opt/zimbra/bin/zmmigrateattrs
command. -
Configure Zimbra Collaboration to utilize
SSDB
.
Migration Procedure
-
Access the command prompt on one of the machines in the installation.
-
Migrate existing ephemeral data to the
SSDB
backend using thezmmigrateattrs
utility
sudo su - zimbra /opt/zimbra/bin/zmmigrateattrs ssdb:<ip address|hostname>:port # substituting your server values
You may use either an IP address or a hostname for the host portion of the destination URL. Either way, you will need to ensure it resolves to the proper IP address on all machines in the cluster. If the provided SSDB address does not resolve to a functioning backend, the migration process will terminate.
-
Configure Zimbra Collaboration to use
SSDB
:
sudo su - zimbra zmprov mcf zimbraEphemeralBackendURL ssdb:<ip address|hostname>:port # substituting your server values
As with migration, the host and port must resolve to a functioning SSDB backend. Otherwise,
the value of zimbraEphemeralBackendURL
will not be changed.
Migration Details
Migration Info
Information about the latest migration process can be viewed by running the command zmmigrateattrs --status
.
If the migration is currently in progress, this command may have to be run from a new terminal window.
This command will output three pieces of information:
-
The status of the migration: one of IN_PROGRESS, COMPLETED or FAILED
-
The URL of the SSDB backend acting as the destination
-
A timestamp of when the migration process was initiated
The migration info can be reset with the command zmmigrateattrs --clear
. This should only be done if
the status does not reflect the true state of the system.
Changing the Ephemeral Backend URL
When the value of zimbraEphemeralBackendURL
is modified, Zimbra Collaboration checks the status of the last known migration.
This can result in one of several scenarios:
-
If the migration is completed and the URL of this migration matches the newly provided value,
zimbraEphemeralBackendURL
is changed to the new value and the migration info is reset. This is the expected use case. -
If a migration is currently in progress,
zimbraEphemeralBackendURL
will not be changed. -
If no migration info is available, the migration has failed, or the new URL does not match the migration URL,
zimbraEphemeralBackendURL
will be changed; however, a warning will be logged stating that data is not guaranteed to have been migrated.
Forwarding Ephemeral Data
During the migration process, and until the backend URL is changed, Zimbra Collaboration will store new ephemeral data
both in LDAP and SSDB
; this keeps the two backends from getting out of sync. If the new value of zimbraEphemeralBackendURL
is changed to match the migration URL, migration info is reset and the forwarding mechanism is turned off.
If the values do not match, migration info is not reset, and forwarding remains in place.
Note that this means that migration only needs to be run once, even if there is a gap between the initial migration
and URL change. As long as the target backend is never taken offline, it will stay up-to-date. However, if SSDB
is
taken offline between the end of the migration and the backend URL change, migration will need to be re-run.
These scenarios are demonstrated below:
Advanced Migration Options
The zmmigrateattrs
tool provides several migration options, to be used with careful consideration:
-
The
-r
or--dry-run
option outputs the changes to be made for each account to the console, without actually performing the migration. -
The
-n
or--num-threads
option specifies how many threads will be used for migration. Omitting this will result in migration happening synchronously. -
The
-a
or--account
option allows for migration of a comma-separated list of specific accounts. This should be used only for testing or debugging. -
The
-d
or--debug
option enables debug logging.
If no attribute names are explicitly passed in as arguments, migration will occur for all known ephemeral attributes, as in the example above.
Migration Limitations
Ephemeral data migration is a one-way process. The zmmigrateattrs
script does not support migrating data from SSDB
back into LDAP, nor does it support migrating data between different instances of SSDB
. This means that if the value of
zimbraEphemeralBackendURL
is reverted back to LDAP after migration, prior authentication data will become inaccessible,
and all user sessions will be invalidated. If migration to a new SSDB
backend becomes necessary, the data should be
replicated to the new location prior to changing the value of zimbraEphemeralBackendURL
.
There is one exception to this is: the backend can be safely reverted back to LDAP immediately after the switch to
SSDB
with minimal loss of data. This is because the original values are retained in LDAP during migration; switching
the backend to SSDB
leaves a "snapshot" of ephemeral data in LDAP at the time of the switch. The migration utility
does not currently provide a way to delete this data to free up space; however, it allows for the backend to be reverted.
The more time passes between the initial change and the reversion, the less the LDAP snapshot will reflect the true state
of ephemeral data.
Changes to zmprov
Due to changes in the way multi-valued ephemeral data is stored, the attributes zimbraAuthTokens
and zimbraCsrfTokenData
are no longer returned as part of the zmprov ga <account>
response. The value of zimbraLastLogonTimestamp
is returned
as before, although only if the -l flag is not used, as adding the -l flag will restrict the server to accessing attributes
in LDAP only. It is still possible to modify these attributes using the zmprov ma <account>
command, regardless of the
ephemeral backend. In order to do this, the provided attribute value must match its LDAP format: tokenId|expiration|serverVersion
for auth tokens; data:crumb:expiration
for CSRF tokens.
Migration CSV Output
Each run of zmmigrateattrs
generates a CSV file in the /opt/zimbra/data/tmp/
folder. The file contains migration info
for every migrated account, such as the number of attributes migrated. Note that it is possible for this to be zero,
which can happen if all ephemeral data for an account is already present in the destination store.
If any migrations fail, a cutdown CSV file report detailing only the errors is also created in the same directory. The name(s) of the file(s) are logged at the end of the run.
Account Deletion Behavior
Ephemeral data deletion behavior differs slightly between SSDB and LDAP backends. With SSDB as the backend, account deletion
results in the zimbraLastLogonTimestamp
attribute being explicitly deleted from SSDB. zimbraAuthTokens
and zimbraCsrfTokenData
,
however, are left to be expired by SSDB when the token lifetimes are reached (default of 2 days). Conversely, ephemeral data
in LDAP is wiped immediately as part of the account deletion process.
SSDB Installation and Configuration
Installation
Zimbra Collaboration packages do not include SSDB server and Zimbra Collaboration installation and configuration utilities do not alter SSDB configuration. To install the latest version of SSDB, follow instructions provided by SSDB developer community in SSDB Installation Documentation. Please note, that Zimbra Collaboration has been tested with SSDB version 1.9.5. In order to install SSDB 1.9.5, download stable-1.9.5.zip instead of master.zip when following SSDB installation instructions.
SSDB does not have encryption or authentication support, this means you have to protect access to it at the network level. |
Overview of Configuration Options
The purpose of this guide is to discuss some of the options available
with SSDB
, specifically with regards to:
-
High-availability via master-slave replication
-
High-availability via master-master replication
-
Horizontal scaling, with high-availability, via multi-master configuration.
This guide is not meant to be an exhaustive treatment of the subject.
Also, as of the time of this writing, SSDB
and any related packages
must be installed and configured by the system administrator prior to
updating zimbraEphemeralBackendURL
and migrating attributes.
SSDB
is compatible with Redis clients and
Zimbra Collaboration currently uses a Redis
-compatible client for
communication with SSDB
, so many of the concepts described herein
are applicable with a Redis
backend.
High-availability with Master-Slave replication
Normal Operation
The method described in this document to implement master-slave
replication makes use of Keepalived to
maintain a configured virtual IP address that is bound to the master
SSDB
instance under normal conditions.
Fail-over
If Keepalived
detects a failure of the master instance, then the
backup instance is promoted to master by re-binding the virtual IP
address to the backup.
High-availability with Master-Master replication
This differs from master-slave replication in that both SSDB
instances are online and accessible. Each replicates changes from the
other. In the example set-up described later, we use
HAProxy as a front-end. Keep in mind that,
for production, you must use a proxy service that is, itself, highly-available.
Horizontal Scaling via Multi-Master Configuration
Normally, both SSDB
and Redis
contain the entire key-space in a
single instance. It is possible to front-end multiple instances using
a service such as twemproxy. It
supports various hashing modes such that the data associated with a
particular key is always stored on the same server. This allows for
horizontal scaling with very large installations.
By configuring each SSDB
instance in master-slave configuration, you
get both horizontal scaling and high-availability.
Master-Slave Replication
One way to ensure that SSDB
remains highly-available is to set-up
master-slave replication and configure a system that will allow the
backup SSDB
instance to automatically take-over in the event that
the primary instance goes down. This document will describe one
technique for accomplishing that goal.
Overview
SSDB
will be installed on two servers. It will be configured such
that one server is the designated master and the other server is the
designated slave, or backup, that will constantly replicate changes
from the master server.
Keepalived
will also be installed on these two servers. Each
Keepalived
instance will monitor the other. In the event that the
master server goes down, Keepalived
will detect that failure and
promote the slave, or backup, server to master. Keepalived
will
maintain a Virtual
IP address bound to whichever server is the current master.
Zimbra Collaboration will be configured such that the
zimbraEphemeralBackendURL
will bind to the Virtual IP address that is
being maintained by Keepalived
.
Once the installation and configuration of both the SSDB
master-slave setup and Zimbra Collaboration have been completed, follow the
instructions in Ephemeral Data to update the
zimbraEphemeralBackendURL
accordingly.
The example documented here was done on servers running Ubuntu 16.04.
Required Packages
Prerequisites
Install SSDB
and Keepalived
on two servers in accordance with the
procedure that is applicable to the Linux distribution that you are
using.
Configuration
The following configuration steps assume that you have installed
SSDB
to /var/lib/ssdb
and that all SSDB
configuration files are
located in that same directory. It further assumes that the internal
host addresses are on the 192.168.56/24
network.
-
192.168.56.111
- This is IP address of the initial masterSSDB
server -
192.168.56.112
- This is the IP address of the initial slaveSSDB
server -
192.168.56.120
- This is the virtual IP address that will be maintained byKeepalived
.
SSDB Configuration, Designated (Initial) Master
The IP address of this machine is 192.168.56.111
.
/var/lib/ssdb/ssdb_master.conf
The key configuration items in the following block are:
-
server/ip
- Binding to all available IP addresses -
server/port
- Binding to standardSSDB
port -
server/deny
,server/allow
- RestrictSSDB
access tolocalhost
and the internal (host) addresses.`
Only the configuration items related to master-slave replication are shown here.
# ssdb-server config # MUST indent by TAB! # relative to path of this file, directory must exists work_dir = ./var pidfile = ./var/ssdb.pid server: ip: 0.0.0.0 port: 8888 deny: all allow: 127.0.0.1 allow: 192.168.56 replication: binlog: yes # Limit sync speed to *MB/s, -1: no limit sync_speed: -1 slaveof: # sync|mirror, default is sync #type: sync
/var/lib/ssdb/ssdb_slave.conf
The key configuration items in the following block are:
-
server/ip
- Binding tolocalhost
-
server/port
- Binding to standardSSDB
port -
slaveof/type
-sync
-
slaveof/host
-192.168.56.112
is the otherSSDB
server -
slaveof/port
-8888
- The standardSSDB
port
Again, only the configuration items related to master-slave replication are show.
# ssdb-server config # relative to path of this file, must exist work_dir = ./var_slave pidfile = ./var_slave/ssdb.pid server: ip: 127.0.0.1 port: 8888 replication: binlog: yes # Limit sync speed to *MB/s, -1: no limit sync_speed: -1 slaveof: # sync|mirror, default is sync type: sync # Can use host: <hostname> with SSDB 1.9.2 or newer ip: 192.168.56.112 port: 8888
SSDB Configuration, Designated (Initial) Slave
The IP address of this machine is 192.168.56.112
.
The ssdb_master.conf
file is identical to that of the designated
master server.
The ssdb_slave.conf
file is almost identical to that of the
designated master server. Only the following items differ;
-
slaveof/ip (or host)
-192.168.56.111
is the otherSSDB
server
Keepalived configuration, Designated (Initial) Master
/etc/keepalived/keepalived.conf
The key configuration items to note are:
-
state
- State is set toBACKUP
for both the designated (initial) master and backup servers. In this scenario, thepriority
is used to negotiate which server will assumeMASTER
status initially. -
nopreempt
- In the event that the master server fails and the backup server is promoted to master, this configuration directive will keep the original master from reclaiming that role should it come back online automatically. This is required because it will likely be stale. In this case, when it comes back up, it will remain in backup mode and will begin replicating information from the new master. Note: Human intervention may be required to bring a failed master back into service. -
interface
- In this example,enp0s8
is the interface identifier for which thevirtual_ipaddress
will be defined. You will choose a value that is appropriate to your installation. -
priority
- The designated initial master must have a higher priority than the designated initial backup. -
advert_int
- For the purposes of this documentation, the default value of 1 second was use. If you installKeepalived
1.2.21
or newer, you can specify a floating-point value here; e.g.,0.1
(seconds). This will allowKeepalived
to detect a master failure more rapidly. -
notify
- This is the path to a script that will be called for state transitions. The full contents of the script is shown below -
virtual_ipaddress
- This is the virtual IP address that is maintained byKeepalived
.
vrrp_instance VRRP1 { state BACKUP nopreempt interface enp0s8 virtual_router_id 41 priority 200 advert_int 1 notify /var/lib/ssdb/notify.sh authentication { auth_type PASS auth_pass 1234 } virtual_ipaddress { 192.168.56.120 dev enp0s8 label enp0s8:vip } }
/var/lib/ssdb/notify.sh
This is the script that is called by Keepalived
during state
transitions. Note that the value assigned to USER
should be the
username that owns the SSDB
process.
#!/bin/bash
# This must be run as root.
ENDSTATE=$3
NAME=$2
TYPE=$1
LOG=/var/log/keepalived-state-transition.log
LOG_ERROR=0
LOG_WARNING=1
LOG_INFO=2
LOG_DEBUG=3
LOG_LEVEL=$LOG_INFO
KPCFG=/etc/keepalived/keepalived.conf
USER=<SSDB-user-name>
PREFIX=/var/lib/ssdb
function log {
lvl=$1
msg="$2"
if [ $lvl -le $LOG_LEVEL ]
then
now=$(date)
echo "$now [$lvl] $msg" >> $LOG
fi
}
function log_error {
log $LOG_ERROR "$1"
}
function log_warning {
log $LOG_WARNING "$1"
}
function log_info {
log $LOG_INFO "$1"
}
function log_debug {
log $LOG_DEBUG "$1"
}
function backup {
log_info "Transitioning to BACKUP state"
runuser -l $USER -c "${PREFIX}/ssdb-server ${PREFIX}/ssdb.conf -s stop"
runuser -l $USER -c "cp ${PREFIX}/ssdb_slave.conf ${PREFIX}/ssdb.conf"
runuser -l $USER -c "${PREFIX}/ssdb-server -d ${PREFIX}/ssdb.conf"
}
function fault {
log_error "keepalived is in FAULT state"
}
function master {
log_info "Transitioning to MASTER state"
runuser -l $USER -c "${PREFIX}/ssdb-server ${PREFIX}/ssdb.conf -s stop"
runuser -l $USER -c "cp ${PREFIX}/ssdb_master.conf ${PREFIX}/ssdb.conf"
runuser -l $USER -c "${PREFIX}/ssdb-server -d ${PREFIX}/ssdb.conf"
}
case $ENDSTATE in
"BACKUP") # Perform action for transition to BACKUP state
backup
exit 0
;;
"FAULT") # Perform action for transition to FAULT state
fault
exit 0
;;
"MASTER") # Perform action for transition to MASTER state
master
exit 0
;;
*) echo "Unknown state ${ENDSTATE} for VRRP ${TYPE} ${NAME}"
exit 1
;;
esac
Keepalived configuration, Designated (Initial) Backup
/etc/keepalived/keepalived.conf
This file is almost identical to the same file on the master node. Exceptions:
-
priority
- It is given a lower initial priority. -
It does not contain the
nopreempt
option. Once the backup server has become master due to a failure of the original master, the system should allow for some human intervention before restoring the original server to master status.
vrrp_instance VRRP1 { state BACKUP interface enp0s8 virtual_router_id 41 priority 100 advert_int 1 notify /var/lib/ssdb/notify.sh authentication { auth_type PASS auth_pass 1234 } virtual_ipaddress { 192.168.56.120 dev enp0s8 label enp0s8:vip } }
The /var/lib/ssdb/notify.sh
for the backup server is identical to
the master.
Master-Master Replication
Overview
Another way to ensure that SSDB
remains highly-available is to set-up
master-master replication and configure a proxy that understands
Redis
protocol in front of the two SSDB
servers. The proxy is
responsible for monitoring the health of the two servers and removing
a failed server from the poop.
The following simplified example uses a single HAProxy
instance in
front of two SSDB
servers.
Required Packages
Prerequisites
Install SSDB
on two servers in accordance with the
procedure that is applicable to the Linux distribution that you are
using. Install HAProxy
on an additional server. Note that
Keepalived can be used to configure a
highly-available pool of HAProxy
servers.
Configuration
SSDB Configuration, First Master
Notes:
-
Only the configuration related to master-master replication is shown.
# ssdb-server config ## ssdb-server config MUST indent by TAB! # relative to path of this file, directory must exists work_dir = ./var pidfile = ./var/ssdb.pid server: ip: 0.0.0.0 port: 8888 deny: all allow: 127.0.0.1 # e.g., 192.168.56 allow: <ip-address-prefix> replication: binlog: yes # Limit sync speed to *MB/s, -1: no limit sync_speed: -1 slaveof: id: svc_2 type: mirror host: <hostname-of-other-master> port: 8888
SSDB Configuration, Second Master
Notes:
-
Only the configuration related to master-master replication is shown.
# ssdb-server config # MUST indent by TAB! # relative to path of this file, directory must exists work_dir = ./var pidfile = ./var/ssdb.pid server: ip: 0.0.0.0 port: 8888 deny: all allow: 127.0.0.1 # e.g., 192.168.56 allow: <ip-address-prefix> replication: binlog: yes # Limit sync speed to *MB/s, -1: no limit sync_speed: -1 slaveof: id: svc_1 type: mirror host: <hostname-of-other-master> port: 8888
HAProxy Configuration
Notes:
-
Only the configuration related to
SSDB
is shown. -
SSDB
supportsRedis
network protocol. You can useRedis
clients to connect to anSSDB
server and operate on it. This is what Zimbra Collaboration does.
defaults REDIS mode tcp timeout connect 4s timeout server 30s timeout client 30s frontend ft_redis bind <published-ip-address>:8888 name redis default_backend bk_redis backend bk_redis option tcp-check server R1 <first-master-ip-address>:8888 check inter 1s server R2 <second-master-ip-address>:8888 check inter 1s
Multi-Master Scaling / Replication
Overview
The details of multi-master configuration will not be covered in this
document. In essence, you will install and configure multiple
independent SSDB
master-slave pairs using the instructions included
above. Each pair will be responsible for storing a subset of the total
key-space.
As in the master-master configuration, all of the pairs in the pool of SSDB
servers will be front-ended by a proxy service that understands
Redis
protocol. It must also be capable of consistently hashing the
data keys that are presented such that all requests relating to a
particular key always get routed to the same master-slave pair.
LDAP Attributes
The the SSDB backend makes use of a resource pool to manage access to the
SSDB
server; threads attempting ephemeral data operations must first
acquire a resource from this pool. To that end, two LDAP attributes have
been introduced to control the pool configuration.
zimbraSSDBResourcePoolSize
controls the size of the pool. This determines
how many client threads can simultaneously perform ephemeral API operations.
By default this is set to 0, which results an unlimited pool size.
zimbraSSDBResourcePoolTimeout
controls the amount of time a thread will
wait for a resource before throwing an exception. The default is 0,
which results in no timeout. This attribute has no effect when the pool size
is 0, as threads will never have to wait for resources to be freed in order
to perform ephemeral data operations.
A non-zero timeout value is recommended when the pool size is finite.
Otherwise, a lost SSDB
connection may cause mailboxd threads to remain
blocked indefinitely, even after the connection is re-established.
In general, the resource pool should be sized such that the mailbox server
is not starved for resources.
Invalidate all user sessions
Depending on your environment, running this command will take some time, there will not be a progress indication. Use the cd command to change into the SSDB installation directory:
./ssdb-cli -h 127.0.0.1 -p 8888 flushdb
SSDB replication may be affected, so it is best to first break replication and run this command on a single master of SSDB and then resume SSDB replication.
Scaling SSDB for Production Load with Zimbra Collaboration
The main characteristics of Zimbra Collaboration production load that affects load on SSDB server are the frequency of authentication requests and frequency of SOAP requests sent by Zimbra Collaboration Web Client and 3rd party SOAP clients. Each authentication request results in a 2 or 3 write operations for SSDB. The write operations update zimbraLastLogonTimestamp, zimbraAuthTokens and zimbraCsrfTokenData values. Note, that zimbraCsrfTokenData is updated only when using a CSRF-enabled SOAP client such as Zimbra Collaboration Web Client. Each authenticated SOAP request results in 2 read operations for SSDB.
Minimum Recommended SSDB Configuration
We recommend that your SSDB server has at least 2GB RAM and 1 CPU. If you plan on running additional tools, such as monitoring and configuration management on your SSDB server, consider increasing memory and adding one more CPU core to accommodate additional software. Check out Zimbra and SSDB Authentication Load Tests for more information.
Conclusion
For installations whose ephemeral data storage requirements will fit
in a single instance, simple master-slave replication is the easiest
to implement and requires the fewest resources. Master-master
replication does allow requests to be load-balanced across both
masters; however, each master is also constantly replicating from the
other, so SSDB
must do additional work to maintain
consistency.
Class of Service and Accounts
The Class of Service (COS) assigned to an account determines the default attributes for user accounts, and the features to be enabled or denied. Each account is assigned a COS. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pool usage.
A COS is a global object and is not restricted to a particular domain or set of domains.
You can create and edit the classes of services from the Administration Console:
- Admin Console:
-
Home → Configure → Class of Service → COS
Managing Features and Settings with a COS
A default COS is created when Zimbra Collaboration is installed. You can modify the default COS and create new ones.
From a COS, you can manage the following functions:
-
Features and preferences that users can access.
-
Themes and Zimlets that users can access.
-
Advanced settings including attachment settings, quotas, and password login policies.
-
Web App Versions (Modern Web App and Classic Web App).
-
Web Services and Desktop Clients (EWS, MAPI and more).
-
Offline Mode.
-
Retention policies.
As an example, you could create an Executive COS that is configured to enable all features, provide unlimited mailbox quotas, and never purges messages. Another General-Employee COS may also be created, which enables only the mail feature, sets the mailbox quota, and purges messages every 60 days. Grouping accounts to a specific COS allows you update or change account features in bulk. As such, when the COS is changed, all accounts assigned to the COS are changed.
If a COS is not explicitly set for a new account, or if the COS assigned to a user no longer exists, the default COS is automatically assigned.
You can create a COS and assign that as a default COS for all accounts that are created on that domain. You can create different COSs and specify which ones are available for the domain. If a domain does not have a COS defined, and you do not specify a COS, the original default COS is automatically assigned when an account is created.
Some COS settings can be overridden either by global settings or by user settings. For example:
-
Whether outgoing messages are saved to Sent can be changed from the Zimbra Classic Web App in the user’s preferences.
-
Attachment blocking set as a global setting can override the COS setting.
Some COS settings assigned to an account are not enforced for IMAP clients. |
Selecting Features and Preferences
All the features available for a COS are displayed in its Features page. From there, you can select or deselect the features you do not want included in the COS.
Changes made at the account level override the rules in the COS assigned to the account. |
You can define the initial preferences for saving and viewing messages, in the Preferences page. You can also select a specific locale for the Classic Web App and Modern Web App. If a locale is not specified, the browser locale is the default.
For a description of the features and preferences, see Customizing Accounts.
Disabling Preferences
By default, Preferences are enabled, and your users can modify the default preferences that are configured for their accounts.
As the Administrator, you can disable Preferences. As a result, the Preferences page will not display in users mailboxes: they therefore cannot modify the default configuration for features that are set up for their accounts.
A user can change their Preferences in the Modern Web App under Settings. Disabling Preferences does not have any impact on the Modern Web App. |
Setting Default Time Zone
When using the Classic Web App or the Modern Web App, the time zone setting on the computer is used as the time stamp for displaying received messages and for calendar activities.
The Time Zone value in Calendar settings is used only to identify where the Working Hours start and end times are anchored, and how they appear in Free / Busy information.
Using Server Pools
In an environment with multiple mailbox servers, the COS is used to assign a new account to a mailbox server. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.
You can assign an account to a particular mailbox server when you create an account in the New Account Wizard, Server field. Uncheck auto and enter the mailbox server in the Server field.
Setting Account Quota
An account quota is the storage limit allowed for an account. Email messages, address books, calendars, tasks, and Briefcase files contribute to the volume of the quota. Account quotas can be set for a COS or for individual accounts from the Administration Console.
If you set the quota to 0, accounts do not have a quota.
Viewing Account Quotas
To view account quotas for all accounts on a domain:
- Admin Console:
-
Home → Configure → Domains → domain → Mailbox Quota
Notifying Users When Maximum Quota is Near
Users can be notified that their mailboxes are nearing their quota. The quota percentage can be set and the warning message text can be modified: Go to the Quotas container for a specified Class of Service:
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced → Quotas
When the displayed/configured threshold is reached, a quota warning message is sent to the user.
Setting Quotas in Domains
You can set a maximum mailbox quota for a domain. The default for the domain mailbox quota is unlimited. The domain quota is the maximum amount of storage that can be used by all mailboxes within the domain.
You can set an aggregate quota as well. The sum of the quotas for all accounts in the domain can exceed the size of the aggregate.
An aggregate quota policy for how to handle messages that are sent or received once the aggregate quota has been reached can be set up. The policy options include:
-
Continue to allow messages to be sent and received as usual.
-
Do not allow messages to be sent.
-
Do not allow messages to be sent or received.
Notifications can be automatically sent when the quota is within a configured percentage of the aggregate quota. A cron tab job runs daily to check the aggregate quota percentage and if the percentage has been reached, the quota warning email is sent.
When a domain quota is set, the effective quota for an account is the minimum quota setting of either the domain or account. |
To configure domain quotas, go to the Domain Quota Setting container for a specified domain:
- Admin Console:
-
Home → Configure → Domains → domain → Advanced → Domain Quota Setting
Managing Excess Quota
You can set how message delivery is handled when a user’s mailbox exceeds the configured quota. The default behavior is for the MTA to temporarily send the message to the deferred queue. When the mailbox has sufficient space, the message is delivered. You can change this behavior to either have messages bounce back to the sender instead of being sent to the deferred queue first or you can configure to send the message to the mailbox even if the quota has been exceeded.
To bounce messages instead of sending them to the deferred queue:
zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE
To send the message to the mailbox even if the quota has been exceeded:
zmprov mc {cos-name} zimbraMailAllowReceiveButNotSendWhenOverQuota TRUE
When this attribute is set to TRUE, a mailbox that exceeds its quota is still allowed to receive new mail and calendar invites. This quote bypass is only implemented for messages. All other mail items are still affected by the quota.
Managing Passwords
If you use internal authentication, you can quickly change an account’s password from the Account’s toolbar. The user must be told the new password to log on.
If Microsoft Active Directory (AD) is used for user authentication, you must disable the Change Password feature in the COS. The AD password policy is not managed by Zimbra. |
If you want to make sure users change a password that you create, you can enable Must Change Password for the account. The user must change the password the next time he logs on.
Password restrictions can be set either at the COS level or at the account level. You can configure settings to require users to create strong passwords and change their passwords regularly, and you can set the parameters to lock out accounts when incorrect passwords are entered.
Directing Users to Your Change Password Page
If authentication is configured as external auth, you can configure Zimbra Collaboration to direct users to your password change page when users change their passwords. You can either set this URL as a global setting or a per domain setting.
Set the zimbraChangePasswordURL
attribute to the URL of your password change page.
Change Password in the Classic Web App under Preferences → General links to this URL, and when passwords expire, users are sent to this page. In the Modern Web App, Change Password appears under the account avatar menu, and it will also link to the provided URL.
Modifying the password for the domain:
zmprov md example.com zimbraChangePasswordURL https://auth.example.com
Configuring a Password Policy
If internal authentication is configured for the domain, you can require users to create strong passwords to guard against simple password harvest attacks. Users can be locked out of their accounts if they fail to sign in after the maximum number of attempts configured.
To set password policy, use the Password container for a specified Class of Service:
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced → Password
The password settings that can be configured are listed below.
Password Options | Description |
---|---|
Minimum/Maximum password length |
Specifies the required length of a password. The default minimum and maximum are 6 and 64 characters, respectively. |
Minimum/Maximum password age |
Configures the password expiration date. Users can change their passwords at any time between the minimum and maximum. They must change it when the maximum password age is reached. |
The following settings require users to add complexity to their passwords. |
|
Minimum upper case characters |
Uppercase A - Z |
Minimum lower case characters |
Lowercase a - z |
Minimum punctuation symbols |
Non-alphanumeric, for example !, $, #, &, % |
Minimum numeric characters |
Base 10 digits 0 - 9 |
Minimum numeric characters or punctuation |
Combined Non-alphanumeric and digits |
Minimum number of unique passwords history |
Number of unique new passwords that a user must create before an old password can be reused. |
Minimum password age (Days) |
Minimum days between password changes |
Maximum password age (Days) |
Maximum days between password changes |
Password locked |
Users cannot change their passwords. This should be set if authentication is external. |
Must change password |
User is required to change password at first sign in. |
Change password |
When enabled, users can change their password at any time within the password age settings from their account Preferences tab. |
Block Common Passwords
Block Common Passwords feature enables an organization to restrict the use of the commonly used passwords when creating users. The list of the common passwords is maintained on the server which is referred to when an administrator tries to create a user with a commonly used password.
The feature is controlled by a local config attribute zimbra_block_common_passwords_enabled
and the default value is set to FALSE
.
When this feature is enabled, it will also prevent end users from setting their password to a commonly used password via these options:
-
Profile → Change Password in Modern Web App at the top right corner.
-
Forgot Password option on the Login page. (If the Forgot Password feature is enabled for the user).
Enabling Block Common Passwords feature
-
Login as
zimbra
user:
su - zimbra
-
Set the localconfig
zimbra_block_common_passwords_enabled
value toTRUE
:
zmlocalconfig -e zimbra_block_common_passwords_enabled=TRUE
-
Restart mailbox service:
zmmailboxdctl restart
After enabling this feature, if you try to create a user, Password is invalid error is displayed and the user is not created.
Managing Login Policies
You can set the maximum number of failed login attempts before the account is locked out for the specified lockout time. This type of policy is used to prevent password attacks.
To set user login policy, use the Filed Login Policy container for a specified Class of Service:
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced → Failed Login Policy
Login Policy Options | Description |
---|---|
Enable failed login lockout |
This enables "failed login lockout" feature. You can configure the following settings. |
Number of consecutive failed logins allowed |
Number of failed login attempts before the account is locked out. The default is 10. If set to 0, the account is never locked out. |
Time to lockout the account |
Amount of time the account is locked out. If this is set to 0, the account is locked out until the correct password is entered, or the administrator manually changes the account status and creates a new password. The default is 1 hour. |
Time window in which the failed logins must occur to lock the account |
Duration of time after which the number of consecutive failed login attempts is cleared from the log. If this is set to 0, the user can continue attempts to authenticate, no matter how many consecutive failed login attempts have occurred. The default is 1 hour. |
About 2 Factor Authentication
With the 2 Factor Authentication (FA) feature you can apply additional security policies to COS and/or user accounts to provide another layer of authentication during attempts to access the system. This feature must be enabled or disabled in the Admin Console, to manage 2FA functions applicable to user mailboxes.
For more information, see 2 Factor Authentication.
Managing Session Timeout Policies
You can set the period of time to allot for user sessions based on various conditions.
To set the session timeout policy use the Timeout Policy container for a specified Class of Service:
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced → Timeout Policy
Session Timeout Policy Options | Description |
---|---|
Admin console auth token lifetime |
Sets a browser cookie that contains the admin auth token. Administrators can open the Administration Console without having to log on again until the auth token expires. The default is 12 hours. |
Auth token lifetime |
Sets a browser cookie that contains the Web App auth token. User can open the Classic Web App or Modern Web App without having to log on again until the auth token expires. The default is 2 days. When it expires, the login page is displayed and the user must log on to continue. |
Session idle lifetime |
How long a user session remains active, if no activity occurs. Activity includes any clickable mouse action, such as viewing folder contents or clicking a button. The default is unlimited. |
You can manually expire a user’s web client session from the Administration Console Expire Sessions link. This forces the current session of the account to expire immediately.
Managing Default External COS
The defaultExternal
COS is assigned to external virtual accounts that are created when external users accepts a Zimbra provisioned users'
invitation to share their calendar or briefcase items.
This account is not provisioned on the server, but the external user can sign in to the Classic Web App, create a display name and set a password to view the shared items. The only folders available are for the content they have access to.
The defaultExternal
COS is configured with the following general features:
Change password, Change UI themes, HTML compose, Export and Search.
None of the major features are configured.
The Modern Web App does not currently support login by external users. |
Customizing Accounts
This chapter describes the features and user preferences that can be configured for an account, either from the assigned COS or in an individual account.
Mailbox features are enabled for Zimbra Classic Web App users. When IMAP or POP clients are used, users might not have these features available. |
Some features mentioned in the following sections may not be currently available for the Modern Web App. |
For Classic Web App, Offline mode is no longer supported for Chrome versions 85 and above. Users can still continue to use Offline mode in previous browser versions. |
Messaging and Collaboration Applications
Your COS configuration and assignment of a COS to accounts determines the default settings for account features and the restrictions to be applied to groups of accounts. Individual accounts can be configured differently, and any changes you make override the COS setting. When you update the COS, the changes are not reflected in accounts that have COS overrides.
Email Messaging Features
You configure which email messaging features are enabled. Users can then manage many of the enabled features as preferences.
By default, users manage their own preferences, but you can administratively elect not to allow user modifications to their account preferences. Currently supported Web App Email Messaging Features are listed and described in Email Features.
Email Messaging Feature | Description | ||
---|---|---|---|
Enables the email application. Enabled by default. See COS → Features → Major Features container in the Admin Console. |
|||
Conversations |
Messages can be grouped into conversations by a common thread. The default is to thread messages in a conversation by the References header. If there is no References header, the Subject is used to determine the conversation thread. To change the default, update attribute If this feature is enabled, conversation view is the default. You can change the default on the COS Preferences page. Users can also change the default. See COS → Features → Mail Features container in the Admin Console. |
||
HTML compose |
Users can compose email messages with an HTML editor. They can specify default font settings as a preference. See COS → Preferences → Composing Mail container in the Admin Console. |
||
Draft auto save interval |
Frequency of saving draft messages. The default is every 30 seconds. Users cannot change the frequency, but they can turn off the save draft feature. See COS → Preferences → Composing Mail container in the Admin Console. |
||
Mail send later |
When enabled, users can choose Send Later to send a message at a later time. The user configures the data and time for sending. Messages are saved in the Draft folder. See COS → Features → Mail Features container in the Admin Console. |
||
Message priority |
When enabled, users can set the priority of the message. The recipient viewing from the Web App sees the priority flag if it is high or low. See COS → Features → Mail Features container in the Admin Console. |
||
Enable Attachment indexing |
Attachments are indexed. Indexed attachments can be searched. See COS → Advanced → Attachment Settings container in the Admin Console. |
||
Allow the user to specify a forwarding address |
You can specify a default forwarding address that the user can use. Users can change the forwarding address from their account Preferences tab. You can also specify forwarding addresses that are hidden from the user. A copy of a message sent to the account is immediately forwarded to the designated forwarding address. See COS → Features → Mail Features container in the Admin Console. |
||
Out of office reply |
Users can create an email message that automatically replies to incoming messages. By default a message is sent to each recipient only once every seven days, regardless of how many messages that person sends to the address. This setting can be changed in the COS Preferences page, Out of office cache lifetime field. See COS → Features → Mail Features container in the Admin Console. |
||
New mail notification |
Allows users the option to specify an address to be notified of new mail. They can turn this feature on or off and designate an address from their account Preferences tab.
See COS → Features → Mail Features container in the Admin Console. |
||
Persona |
When enabled, users can create additional account names to manage different roles.
Account aliases can be selected for the From name of messages sent from that persona account and a specific signature can be set for the persona account.
The number of personas that can be created is configurable depending on your requirements.
The minimum is 0, and the default is 20 (
See COS → Features → Mail Features container in the Admin Console. |
||
Maximum length of mail signature |
The maximum number of characters that can be in a signature. The default is 1024 characters. The number of signatures users can create is configured in See COS → Preferences → Composing Mail container in the Admin Console. |
||
Advanced search |
Allows users to build a complex search by date, domain, status, tags, size, attachment, Zimlets, and folders. See COS → Features → Search Features container in the Admin Console. |
||
Saved searches |
Users can save a search that they have previously executed or built. See COS → Features → Search Features container in the Admin Console. |
||
Initial search preference |
When enabled, the default search mailbox can be changed. See COS → Features → General Options container in the Admin Console. |
||
External POP access |
When enabled, users can retrieve their POP accounts' email messages directly from their Zimbra account. They add the external account address to their account settings. See COS → Features → Mail Features container in the Admin Console. |
||
External IMAP Access |
When enabled, users can retrieve their IMAP accounts' email messages directly from their Zimbra account. They can add the external account address to their account settings. See COS → Features → Mail Features container in the Admin Console. |
||
Aliases for this account |
You can create aliases for the account. Users cannot change this. |
||
Mail filters |
Users can define a set of rules and corresponding actions to apply to incoming and outgoing mail and calendar appointments. When an incoming email message matches the conditions of a filter rule, the corresponding actions associated with that rule are applied.
See COS → Features → Mail Features container in the Admin Console. |
||
Flagging |
Users can create flags and assign them to messages, contacts, and files in Briefcase folders. (This feature is supported only in the Classic Web App.) See COS → Features → Mail Features container in the Admin Console. |
||
Enable keyboard shortcuts |
Users can use keyboard shortcuts within their mailbox. The shortcut list can be viewed in the Classic Web App from the Username drop-down menu. Keyboard shortcuts are always available in the Modern Web App. The shortcut list can be viewed by typing Ctrl-Q. See COS → Preferences → General Options container in the Admin Console. |
||
Global Address List (GAL) access |
Users can access the company directory to find names for their email messages. See COS → Features → General Features container in the Admin Console. |
||
Autocomplete from GAL |
When enabled, users enter a few letters in their compose header and names listed in the GAL are displayed ranked by usage. See also Autocomplete Ranks Names. See COS → Features → General Features container in the Admin Console. |
||
Offline support for Web App |
When enabled, users can use the offline mode to access their data without network connectivity when using the Zimbra Modern Web App. See also Offline Mode. See COS → Features → General Features container in the Admin Console. |
||
IMAP access |
Users can use third party mail applications to access their mailbox using the IMAP protocol. You can set the polling interval from the COS or Account Advanced page, Data Source → IMAP polling interval section. The polling interval is not set by default. See COS → Features → Mail Features container in the Admin Console. |
||
POP3 access |
Users can use third party mail applications to access their mailbox using the POP protocol. When they retrieve their POP email messages, the messages and attachments are saved on the Zimbra server. Users can configure from their Preferences → Mail page
You can set the polling interval from the COS or Account Advanced page, Data Source → POP3 polling interval section. The polling interval is not set by default. See COS → Features → Mail Features container in the Admin Console. |
Autocomplete Ranks Names
The autocomplete feature displays names ranked with the most frequently recalled contact listed at the top. If the contact name that appears first should not be listed at the top, the user can click Forget and the contact names are re-ranked. (Classic Web App only.)
Email Preferences that Users Manage
The default behavior for many of the preferences listed in this section can be set from either the COS or the Accounts Preferences page. Users can modify the following mail preferences from their account Preferences or Settings in the Classic Web App or Modern Web App.
-
How often, in minutes, that the Web Client checks for new messages:
Check for new mail every…
-
Set or change email message alerts. Alerts can be set up to play a sound, highlight the Mail tab when a message arrives, and flash the browser, depending on which Web App they use.
-
Set the display language for the Classic Web App and Modern Web App. If more than one language locale is installed on Zimbra Collaboration, users can select a locale that is different from the browser language settings.
The Modern Web App currently supports a subset of the languages available in the Classic Web App, and will fallback to US English if the user’s language locale is not yet supported. |
-
Whether to save copies of outbound messages to the Sent folder.
-
Whether to save a local copy of a message that is forwarded or to have it deleted from their mailbox. (Only the Classic Web App can manage this setting currently.)
-
Whether to compose messages in a separate window. (This feature is supported only in the Classic Web App.)
-
Whether to view mail as HTML for messages that include HTML or to view messages as plain text. (This feature is supported only in the Classic Web App.)
-
Whether to send a read receipt when it is requested.
-
Adjust the default font size for printed messages. The default is 12 points. (This feature is supported only in the Classic Web App.)
-
Users can set up their own Spam mail options of whitelist and blacklist email addresses that are used to filter incoming message from their Preferences Mail folder. The default maximum number of whitelist and blacklist addresses is 100 on each list. This value can be changed using CLI
zmprov
for accounts and COS. The attributes arezimbraMailWhitelistMaxNumEntries
andzimbraMailBlacklistMaxNumEntries
. -
Users can modify the following mail preferences under Signatures:
-
Whether to automatically append a signature to outgoing messages.
-
Preferences for how signatures are applied to messages that are replied to or forwarded.
-
Using Import and Export to Save User’s Data
From the Preferences Import/Export page in the Classic Web App or under Accounts → Primary account in the Modern Web App users may export all of their account data, including mail, contacts, calendar, and tasks. By selecting export options, they can export specific items in their account and save the data to their computer.
The account data is saved as a tar-gzipped (.tgz
) archive file so that it can be imported to restore their account.
Individual contacts are saved as .csv
files, and individual calendar files are saved as .ics
files.
The data are copied, not removed from the user’s account.
The exported account data file can be viewed with an archive program such as WinZip. Any of these files can be imported into their account from the same page.
You can turn the Import/Export feature off from the COS or Account Features page, General Features section.
Setting Up RSS Polling Intervals
Users can subscribe to Websites that provide RSS and podcast feeds and receive updated information directly to their mailboxes. The maximum number of feeds that can be returned is 50. RSS feeds count against users' account quota.
The default is to update the RSS data every 12 hours. Users can right-click on an RSS feed folder to manually load new feed.
You can change the polling interval from the Administration Console the COS or Account Advanced page, Data Source → RSS polling interval section.
Contacts Features
Zimbra Contacts allows users to create multiple contact lists and add contact names automatically when mail is received or sent. Users can import contacts into their Address Book.
To allow users to share their mail folders, address books, and calendars, enable Sharing on the General Features container: Home → Configure → Class of Service → COS → Features → General Features |
Feature | Description | COS/Account Tabs |
---|---|---|
Address Book |
Users can create personal contacts lists. By default, a "Contacts" list and "Emailed Contacts" list are created. |
Features |
Address book size limit |
Maximum number of contacts a user can have in all address books.
|
Advanced |
Users can modify the following Address Book preferences from their account Preferences Address Book page.
To set default behavior:
- Admin Console:
-
Home → Configure → Class of Service → COS → Preferences
Home → Manage → Accounts → account → Preferences-
Enable auto adding of contacts to automatically add contacts to their Emailed Contact list when they send an email to a new address.
-
Enable the ability to use the Global Access List when using the contact picker to look up names.
-
Enable the options to include the GAL addresses and names in shared address books when using autocomplete to address a message.
-
Calendar Features
Zimbra Calendar lets users schedule appointments and meetings, establish recurring activities, create multiple calendars, share calendars with others, and delegate manager access to their calendars. They can subscribe to external calendars and view their calendar information from the Zimbra Classic Web App or Modern Web App. They can also use search for appointments in their calendars.
To allow users to share their calendars, address books, and Briefcase files, enable Sharing in the General Features container. |
- Admin Console:
-
Home → Configure → Class of Service → COS → Features → General Features
Calendar Feature | Description | COS/Account Tabs | ||
---|---|---|---|---|
Calendar |
Lets users maintain their calendar, schedule meetings, delegate access to their calendar, create multiple personal calendars, and more. |
Features |
||
Group Calendar |
When Group Calendar is not checked, users can create personal appointments and accept invitations to meetings only. The Find Attendees, Schedule and Find Resources tabs are not displayed.
|
Features |
||
Nested Calendars |
Calendars can be nested within Zimbra folders like Mail, Contact, and Calendar folders. The administrator creates a nested list of calendars using CLI. A nested calendar grouping can be imported through migration as well. See example below.
|
|||
Time zone |
Sets the time zone to use for Calendar scheduling. Domain admins set this in the Accounts, General Information page. |
Preferences |
||
Forward calendar invitation to specific addresses |
You can specify email addresses to forward a user’s calendar invitations. Users can also specify forwarding address from the Preferences Calendar folder.
The account the invitation is forwarded to must have admin privileges on the shared calendar to reply to the invitation. |
Accounts Forwarding |
Create a calendar nested under the "Calendar Name" folder:
zmmailbox -z -m user1 cf -V appointment "/Calendar Name/Sub Calendar"
Troubleshooting Calendar Appointment Problems
Use the zmcalchk
command to check for discrepancy between different users' calendars for the same meeting, and send an email notification regarding the discrepancies.
You can also use this command to notify the organizer and/or all attendees when an appointment is out of sync.
Changing Remote Calendar Update Interval
Remote calendars are updated every 12 hours, by default. The frequency can be modified at the Admin Console.
To modify the frequency of calendar updates in the Admin Console go to the desired COS or Account Advanced page, Data Source → Calendar polling interval field.
Disabling Attendee Edits to Appointments
Attendees can edit appointments in their calendars, but their changes do not affect anyone else.
If the appointment organizer makes changes, these changes overwrite the attendees edits.
You can modify the COS attribute zimbraPrefCalendarApptAllowAtendeeEdit
to prevent attendees from editing appointments in their calendar.
zmprov mc <cosname> zimbraPrefCalendarApptAllowAtendeeEdit FALSE
This feature is supported only in the Classic Web App. |
Setting Other User Calendar Preferences
Users can modify the Calendar preferences listed in the Calendar Preference table. You can set the default behavior in the COS or Accounts Preferences page.
Calendar Preference | Description | ||
---|---|---|---|
Time zone |
Time zone displayed in the user’s Preferences. See Setting Default Time Zone. If the time zone is configured in the COS, the time zone configured in the domain is ignored. |
||
Number of minutes before an appointment to show reminder |
Sets the minutes before the meeting to send a reminder notice. |
||
Initial calendar view |
Sets the default view. Options are Day, Work Week, 7-Day Week, Month, List, or Schedule. |
||
First day of the week |
Sets the default first day of a user’s work week. |
||
Default appointment visibility |
Options are Public or Private. Sets the default visibility options on the new appointment page. The default is Public, appointments details can be viewed by others. When the default is Private, all incoming calendar invites are marked as private on the user’s calendar and details are hidden when the calendar is shared. |
||
Use iCal delegation model for shared calendars for CalDAV |
Apple iCal can be configured to access users' calendars using the CalDAV protocol. When enabled, shared calendars are displayed in users' iCal account’s Delegation tab and they can delegate access to their calendars. For automatic polling, the polling interval can be set up in the COS or Account Advanced page, Data Source → CalDAV polling interval field. |
||
Enable past due reminders |
Users log into the Classic Web App or Modern Web App, the reminder notifications for the last two weeks pop up for meeting reminders that were not dismissed. When this is disabled, Zimbra Collaboration silently dismisses the old reminders. |
||
Enable toaster notification for new calendar events |
A popup displays in the Classic Web App when new calendar events are received.
|
||
Allow sending cancellation email to organizer |
When users receive an invitation they cannot attend at the scheduled time, they have the option to click Propose New Time and select another time. The meeting organizer receives an email with the proposed time.
|
||
Automatically add invites with PUBLISH method |
A calendar invitation email should have |
||
Automatically add forwarded invites to calendar |
Invites that have been forwarded to users are automatically added to the forwarded recipient’s calendar. |
||
Flash browser title on appointment reminder |
When appointment reminders pop up, the browser flashes until the user closes the pop-up.
|
||
Enable audible appointment notification |
When an appointment reminder pops up, users can be notified by a beep on their computer. Users must have either QuickTime or Windows Media installed.
|
||
Auto-decline invites from users who are denied from inviting this user |
Users can configure who can send them calendar invites. When enabled, an auto-reply message is sent to those users to let them know they do not have permission to invite the user.
|
||
Automatically add appointments when invited |
When enabled, appointments are automatically added to user’s Primary calendar.
|
||
Show declined meetings |
When enabled, declined appointments display on the Classic Web App calendar in a faded view.
|
||
Notify of changes made via delegated access |
Users that delegated their calendar are notified of changes made to an appointment by a delegated access grantee.
|
||
Always show the mini-calendar |
The mini-calendar automatically displays in the Calendar view.
|
||
Use the QuickAdd dialog when creating new appointments |
When is enabled, the QuickAdd dialog displays when users double-click or drag on the calendar in the Zimbra Classic Web App. QuickAdd is always available in the Modern Web App. |
||
Show time zone list in appointment view |
When enabled, a time zones list displays in the event editor along with event time, giving them the opportunity to change time zones while making appointments. |
Setting Up Zimbra Tasks
Zimbra Tasks lets users create to-do lists and manage tasks through to completion.
To allow users to share their Task lists, enable Sharing in the Features page. Task lists can be shared with individuals, groups, and the public. |
This feature is supported only in the Classic Web App. |
To enable or disable the Tasks feature:
- Admin Console:
-
Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features
Zimbra Classic Web App User Interface Themes
The appearance of the Zimbra Classic Web App user interface can be changed. A number of Zimbra themes are included with Zimbra, and you can create others. You can select a theme to be the default and the themes that users can select to customize their user experience. To develop themes, see Color and Logo Management.
This feature is supported only in the Classic Web App. |
The following theme usage options can be configured either from COS or by individual accounts.
-
Limit users to one theme
On the Features page, remove the check mark from Change UI Themes. The Classic Web App theme is the theme listed in Current UI theme field on the Themes page.
-
Let users access any of the installed Zimbra themes
If the Change UI Themes is checked, users can access any of the themes that are listed in the Available UI themes list.
Two Factor Authentication
The Two Factor Authentication (2FA) function allows you to configure a secondary set of security requirements that may be applicable to any or all critical mailboxes or users in the environment. You can set 2FA for user accounts and/or class of service.
2FA for New User Account
In the Wizard setup for a new user account, you will find settings for 2FA with other Advanced options.
- Admin Console:
-
Home → 3 Add Accounts → 1. Add Account
— Next until Advanced, scroll down to Two Factor Authentication
See Two Factor Authentication Parameters for parameter descriptions.
2FA for Existing User Account
For an existing user account, you can apply 2FA settings from the Advanced options.
- Admin Console:
-
Home → Manage → Accounts
Locate the Two Factor Authentication container within the editable configurations for an account:
-
Select an account from the list of accounts.
-
Select Edit from the Gear icon.
— The General Information for the account is now displayed.
-
Select Advanced from the left panel.
-
Scroll down to the Two Factor Authentication container in the main panel.
See Two Factor Authentication Parameters for parameter descriptions.
2FA for Class of Service
Parameters you can use to set up 2FA for a Class of Service are included with other Advanced features.
To apply 2FA to a class of service, use the Two Factor Authentication container to set parameters.
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced → Two Factor Authentication
See Two Factor Authentication Parameters for parameter descriptions.
Parameters | Description |
---|---|
Enable two factor authentication |
Enable (check) or disable (un-check) this function for the selected COS account. |
Require two-step authentication |
Enable (check) or disable (un-check) mandatory use of this function for the selected COS account. |
Number of one-time codes to generate |
Value to assign maximum number of 6-digit passcodes that may be viewed/used by the account when attempting to access the system. The passcode is presented to the account once the initial login credentials are accepted. Each passcode has a 15-second life cycle. |
Enable application passcodes |
Users can generate exception codes for legacy applications that do not support two-factor authentication. |
Email as an Additional Factor in Two-Factor Authentication
The Email as an Additional Factor in Two-Factor Authentication feature allows users to use their recovery email as an additional authentication factor. This feature enhances account security by adding an extra layer of verification.
Features
-
Email as 2FA Setup: Users can configure their recovery email to be used as an additional factor for authentication.
-
Verification Process: The system prompts users to verify their recovery email even if it is already verified.
-
Fallback Options: Users can use alternative 2FA methods if they are unable to access their recovery email.
-
Preference Selection: Users can select their preferred 2FA method between email and an authenticator app.
-
Administrative Control: Admins can view and manage 2FA preferences for users and reset 2FA settings if needed.
Configuring Email as 2FA
To configure email as a 2FA method:
-
Navigate to Security Settings:
-
Go to the Zimbra Admin Console.
-
Access the security settings for the user or Class of Service (COS).
-
-
Enable Email as 2FA:
-
Ensure that the recovery email field is set up and verified. If not, prompt the user to configure and verify their recovery email.
-
Enable the email option as a valid 2FA method.
-
When the "Status of password reset feature" (zimbraFeatureResetPasswordStatus ) is not enabled, a user can directly configure "Email as 2FA". The user is asked to enter an email address (recovery address) during the setup.
|
Admins can access this feature at: Account or COS setting > Features > "Status of password reset feature" in the admin console.
Verification Process
The system sends a verification code to the user’s recovery email. Upon verification, the email becomes an active 2FA method. Users need to verify a recovery address every time "Email as 2FA" is configured.
Fallback Options
Users can use other configured 2FA methods like an authenticator app if they cannot access their recovery email.
Managing User Preferences
-
View User 2FA Preferences:
-
In the Admin Console, navigate to the user’s account settings.
-
View the active 2FA methods and the user’s preferred method.
-
-
Override User 2FA Preferences:
-
Admins can reset or override 2FA settings for users. This is useful in cases of security breaches or for administrative purposes.
-
Use Command-Line Options
-
Enable Email as 2FA for Users:
'zmprov ma user@example.com zimbraTwoFactorAuthEnabled TRUE zimbraTwoFactorAuthMethodAllowed email' 'zmprov ma user@example.com zimbraTwoFactorAuthEnabled TRUE zimbraTwoFactorAuthMethodAllowed app'
If no 2FA method is configured yet and internal secrets data for the user has not been generated, the command `zmprov ma zimbraTwoFactorAuthEnabled TRUE` does not work.
-
Related attributes:
-
zimbraFeatureTwoFactorAuthAvailable
– controls whether a user can configure and use 2FA. -
zimbraTwoFactorAuthEnabled
– controls whether a user has enabled 2FA (app and/or email method). -
zimbraTwoFactorAuthMethodAllowed
– controls which methods are available as 2FA methods for a user. -
zimbraTwoFactorAuthMethodEnabled
– controls what method has been enabled (configured) by a user (app and/or email).
-
Mandate Specific 2FA Methods
Admins can mandate specific 2FA methods for groups of users using Class of Service (COS) settings:
-
Navigate to COS settings in the Admin Console.
-
Update the 2FA Settings:
-
Enable specific 2FA methods (Email or Authenticator App).
-
Save the changes.
-
When Upgrading
-
If 2FA using an authenticator app was used before the upgrade,
zimbraTwoFactorAuthMethodAllowed
must have "app" after the upgrade. An empty value is regarded as "app". -
If 2FA using an authenticator app was used before the upgrade and the administrator wants to allow users to use both app and email methods,
zimbraTwoFactorAuthMethodAllowed
must have both "app" and "email". -
If 2FA using an authenticator app was used before the upgrade and the administrator wants to allow users to use the email method only:
-
2FA needs to be disabled on all accounts.
-
Then
zimbraTwoFactorAuthMethodAllowed
must be set to "email".
-
Other Configuration Settings for Accounts
Enable Sharing
When the Sharing feature is enabled, users can share any of their folders, including their mail folders, calendars, address books, task lists, and Briefcase folders.
A users specifies the type of access permissions to give the grantee. They can share with internal users who can be given complete manager access, external guests who must use a password to view the folder content, as well as public access so that anyone who has the URL can view the folder’s content.
When internal users share a mail folder, a copy of the shared folder is put in the grantee’s folder list on the Overview pane. Users can manage their shared folders from their Classic Web App Preferences Sharing page.
At this time, the Modern Web App supports share management from folder and calendar context menus only.
Configure SMS Notification
The Classic Web App Preferences → Notification page lets users configure an email address or SMS alert to their mobile device to receive a reminder message for a task or a meeting on their calendar. Notification by SMS is disabled by default.
SMS notification can be configured by domain, COS or for individual accounts. SMS notification set in a COS overrides SMS notifications set on a domain. In the Administration Console, this is set on the domain, COS or account’s Feature page.
Users select a region and a carrier when setting up their SMS alert. The list of SMS/email gateways is in ZmSMS.properties. You can customize this list to add SMS/email gateways that are not listed.
This feature is supported only in the Classic Web App. |
Configure Attachment Viewing
You can set attachment viewing rules as a global setting, by COS, or for a specific account. The global setting takes precedence over COS and account Settings. You can select from four options.
The Modern Web App always provides Hi-Def Attachment Previews, with no user settings required. |
Feature Name | Description | COS/Account Tabs | ||
---|---|---|---|---|
Disable attachment viewing from web mail UI |
Attachments cannot be viewed. This can also be set as a global setting. |
Advanced |
||
Attachments can be viewed in HTML only |
Attachments received in another format are opened in HTML view. |
Advanced |
||
Attachments can be viewed in their original format only |
|
Advanced |
||
Attachments can be viewed in HTML and their original format |
Users can select to open either in the original format or as HTML. |
Advanced |
Display a Warning When Users Try to Navigate Away
Users can click the Back and Forward arrows in the browser, or close their browser without logging out of their account.
-
If this preference is checked, users are asked to confirm that they want to navigate away from their account.
-
If this preference is not checked, the question is not asked.
This setting is not provided in the Modern Web App. |
Enabling the Check Box for the Web Client
If Show selection checkbox for selecting email, contact, voicemail items in a list view for batch operations is enabled, when users view email messages,contacts, and tasks lists in the Content pane, a check box displays for each item. Users can select items and then perform an action such as mark as read/unread, move to a specific folder, drag and drop to a folder, delete, and tag for all those selected items.
Checkboxes are enabled by default on the Modern Web App. |
Preferences Import/Export
From the Preferences Import/Export page in the Classic Web App or under Accounts → Primary account in the Modern Web App users may export all of their account data, including mail, contacts, calendar, and tasks. By selecting export options, they can export specific items in their account and save the data to their computer.
The account data is saved as a tar-gzipped (.tgz
) archive file so that it can be imported to restore their account.
Individual contacts are saved as .csv
files, and individual calendar files are saved as .ics
files.
The data are copied, not removed from the user’s account.
The exported account data file can be viewed with an archive program such as WinZip. Any of these files can be imported into their account from the same page.
You can turn the Import/Export feature off from the COS or Account Features page, General Features section.
Adding Words to Spell Dictionary
If Classic Web App users frequently use words, abbreviations or acronyms that are marked as spelling errors during a Classic Web App spell check, you can update the COS or domain attribute zimbraPrefSpellIgnoreWord
with the words that should be ignored when spell check is run.
To configure words to ignore for a domain:
zmprov md example.com +zimbraPrefSpellIgnoreWord <word> +zimbraPrefSpellIgnoreWord <word2>
This feature is supported only in the Classic Web App. |
Hierarchical Address Book (HAB) in Zimbra
What is a HAB?
The hierarchical address book (HAB) allows users to look for recipients in their address book using organizational hierarchy. Typically, users only see the default global address list (GAL) whose structure doesn’t help understand who reports to whom or to identify one John Doe from another. Being able to customize a HAB, which maps to your organization’s unique business structure, provides your users with an efficient method for locating internal recipients.
Using Hierarchical Address Book
In a Hierarchical Address Book (HAB), your root organization (e.g., Zimbra) is the top-level tier. Under this top-level tier, you can add several child tiers to create a customized HAB that is segmented by division, department, or any other organizational level you want to specify. The following figure illustrates a HAB for Zimbra with the following structure:
-
The top-level tier represents the root organization — Zimbra.
-
The second-level child tiers represent the business divisions within Zimbra — Corporate Office, Engineering, Product Support, and Sales & Marketing.
-
The third-level child tiers represent departments within the Corporate Office division — Human Resources, Accounts, and Administration.
Seniority Index
Seniority Index provides an additional level in the hierarchy. When creating a HAB, use this parameter to rank individuals or organizational groups by seniority within these organizational tiers. This ranking specifies the order in which HAB displays recipients or groups. A higher seniority index ensures that a user or group appears above another with a lower seniority index.
-
100
for Vice President -
50
for Administration Operations Manager -
25
for Business Administrator
If the Seniority Index parameter isn’t set or is equal for two or more users, the HAB sorting order lists the users and groups in ascending alphabetical order. |
Configuring hierarchical address books
Create an organizational unit (OU)
Format
zmprov createHABOrgUnit <domain name of OU> <OU Name>
Example
zmprov createHABOrgUnit example.com ZimbraOU
Explanation
ZimbraOU as an organizational unit created.
Create groups within this OU
You have to create a group and assign an email address for each department.
Format
zmprov createHABGroup <name of the group> <name of OU> <group email address>
Example
In this series of commands, we create 8 HAB groups — as per the Example Hierarchy.
zmprov createHABGroup Zimbra ZimbraOU zimbra@example.com
zmprov createHABGroup CorporateOffice ZimbraOU CorpOffice@example.com
zmprov createHABGroup Engineering ZimbraOU eng@example.com
zmprov createHABGroup ProdSupport ZimbraOU prodsupport@example.com
zmprov createHABGroup SalesAndMarketing ZimbraOU sales-mark@example.com
zmprov createHABGroup HumanResources ZimbraOU hr@example.com
zmprov createHABGroup Accounts ZimbraOU accounts@example.com
zmprov createHABGroup Administration ZimbraOU administration@example.com
Create Hierarchy
Each of these groups (except Zimbra) needs to be assigned a parent group to create a hierarchy.
Format
zmprov addHABGroupMember ParentGroupEmailAddress ChildGroupEmailAddress
In this series of commands, we designate 7 HAB groups — except Zimbra because it is root — as per the hierarchy in the figure Example Hierarchy.
For this, we add Human Resources, Accounts, and Administration to Corporate Office; and add Corporate Office, Engineering, Product Support, and Sales & Marketing to Zimbra.
zmprov addHABGroupMember CorpOffice@example.com hr@example.com
zmprov addHABGroupMember CorpOffice@example.com accounts@example.com
zmprov addHABGroupMember CorpOffice@example.com administration@example.com
zmprov addHABGroupMember zimbra@example.com CorpOffice@example.com
zmprov addHABGroupMember zimbra@example.com eng@example.com
zmprov addHABGroupMember zimbra@example.com prodsupport@example.com
zmprov addHABGroupMember zimbra@example.com sales-mark@example.com
Get Zimbra ID
zimbraId
is a unique identifier associated with an email address. It is used to assign users to groups and to specify a group as root.
For this example, and everywhere else we have used a placeholder (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) for zimbraId .
|
Format
zmprov gdl <group email address> zimbraId
Example
zmprov gdl zimbra@example.com zimbraId
Example Output
# distributionList zimbra@example.com memberCount=4 zimbraId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Explanation
zimbra@example.com is the email address of the group which is to become root.
Add users to Groups
This example adds the users Jane Doe and John Smith to the group named CorporateOffice without affecting other existing members.
Format
zmprov addHABGroupMember <group email address> <user's email address>
Example
zmprov addHABGroupMember hr@example.com jane.doe@example.com
zmprov addHABGroupMember accounts@example.com john.smith@example.com
Set Sort Order
Configure the sort order for groups in the HAB. Groups with higher seniority index appear above groups with lower seniority index.
Format
zmprov modifyHABGroupSeniority <zimbra ID> <seniority index>
Example
To have Engineering appear above CorporateOffice — irrespective of their names and alphabetical order, get Zimbra ID, decide on a number in place of SeniorityIndexNumber
, and run the below command.
Assign CorporateOffice a seniority index of 90
zmprov modifyHABGroupSeniority xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 90
Assign Engineering a seniority index of 100
zmprov modifyHABGroupSeniority xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 100
Commands used to set seniority index for groups also set Seniority Index for users. |
Specify the root organization for the HAB
A group needs to be specified as root so that other groups can be added as child groups to comply with the organizational hierarchy. Run below command to make zimbra@example.com as root.
Format
zmprov md <domain name> zimbraHierarchicalAddressBookRoot <ZimbraID of the group to be made root>
Example
zmprov md 'example.com' zimbraHierarchicalAddressBookRoot xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Example Output
# distributionList zimbra@example.com memberCount=4 zimbraId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Did it work?
-
Log in to Zimbra client.
-
Click New Message.
-
In the Compose window, click the To field.
-
On Select Addresses window, locate the Show Names from: drop-down on the top right corner.
-
Choose Organizational Address Book.
-
The address book in a hierarchical format appears in the left pane.
-
Click any group to view and select users of that group.
Manage Organisational Units (OUs)
List Organisational Units (OUs)
There can be multiple organizational units in a domain. This command lists all the OUs in a specified domain.
Format
zmprov listHABOrgUnit <domain name of OU>
Example
zmprov listHABOrgUnit example.com ZimbraOU
Explanation
All OUs in example.com listed.
Rename Organisational Units (OUs)
This command renames the specified OU in a domain.
Format
zmprov renameHABOrgUnit <domain name of OU> <OU Name> <New name for OU>
Example
zmprov renameHABOrgUnit example.com ZimbraOU ZMXOU
Explanation
ZimbraOU renamed to ZMXOU.
Rename Organisational Units (OUs)
This command deletes the specified OU in a domain.
Format
zmprov renameHABOrgUnit <domain name of OU> <OU Name>
Example
zmprov renameHABOrgUnit example.com ZimbraOU
Explanation
ZimbraOU deleted.
Provisioning User Accounts
When an account is provisioned, you create the mailbox, assign the primary account email address, and assign a class of service (COS) to enable Zimbra Collaboration applications and features.
You can configure one account at a time or migrate multiple existing accounts from a server.
Creating a Single User Accounts
Before adding a user account, determine which features and access privileges should be assigned. You can either assign a class of service (COS) with the features enabled when you create the account or you can configure the features for the individual accounts. For a description of the features, see Class of Service and Accounts.
If the COS you assign has the correct functionality for the account, you do not need to perform any additional configuration.
Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.
Basic user account setup:
- Admin Console:
-
Home → 3 Add Accounts → 1. Add Account
-
In the Account Name section, enter the account name and the last name as a minimum to configure the account.
The default COS is assigned to the account.
-
Click Finish to create the account.
-
You can continue to configure features and functionality for the individual account. Changes you make to the account override the COS that is assigned to the account.
Migrating Accounts and Importing Account Email
Zimbra Collaboration Account Migration within the Zimbra Admin UI is no longer supported, with End of Technical Guidance set for 17 December 2019. We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations. |
You can provision multiple accounts at one time using the Account Migration Wizard from the Administration Console. You can import accounts from either a generic IMAP server or from another Zimbra server.
Only accounts on Zimbra Collaboration 7.2 or later can be migrated to Zimbra Collaboration 8. |
You can also import account names to provision from an XML file that you create.
You can run the migration wizard one time to provision accounts and import data or you can run the migration wizard the first time to provision the accounts and then run the wizard again to import the provisioned accounts' data.
Whether you get the account records from an LDAP directory or use an XML file, you need to set the password requirements for the newly provisioned accounts. The options are to have Zimbra randomly create passwords for each account or to set the same password on each account. You have the option to force users to change the password when they sign in the first time.
When the provisioning is complete, the wizard generates a .csv
file with a
list of new accounts. This includes the passwords that are generated. You
should download this file for future reference. Choose a secure location
to store the file as it can contain password information for the user
accounts you provisioned.
If you’re running a split-domain configuration, you can set the SMTP host and port in the wizard. For more information about split domains, see the wiki article about split domains at https://wiki.zimbra.com/wiki/Split_Domain.
Migrating Accounts from a Zimbra Server
To migrate accounts from a server running Zimbra Collaboration 7.2 or later to Zimbra Collaboration 8.
- Admin Console:
-
Home → 3 Add Accounts → 3. Migration and Co-existence
-
In the Type of mail server field, select Zimbra Collaboration.
-
If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.
-
Click Next.
-
On the Overview dialog, Import from another Zimbra LDAP directory is selected. Click Next.
-
On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.
Table 42. Bulk Provisioning Features Bulk Provisioning Feature Description Generate random password
If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.
Default = 8 characters
If you select to generate a random password, you must download the
.csv
file that is created so that you can give the password information to each user.Use same password
If you select Use same password for all new accounts, enter the password to use.
Require users to change password after first login
It is recommended that this is checked to force users to change their passwords when they log on the first time.
SMTP Host / SMTP Port
For split domain configurations, set the SMTP Host name and port.
-
Click Next.
-
On the Directory connection dialog enter the information to connect to the server.
Table 43. Directory Connection Options Directory Connection Options Description Automatically create missing domains
Enable this option to create a domain when an account is imported and the domain they were on is not created.
If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.
Maximum records to fetch
Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.
Server name, LDAP URL, Port, and Use of SSL
-
The LDAP URL is entered as:
ldap://<ldapdirectory.example.com>
-
The default port is 389, but you can change this.
-
Check SSL if this is used.
Bind DN
The Zimbra setting is in the field by default as
uid=zimbra,cn=admins,cn=zimbra
Bind password
Enter the password for the server.
LDAP filter
In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.
LDAP search base
Configure the subsections of the LDAP forest to search.
-
-
Click Next.
The Account Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.
-
Review the report generated and then click Next. The accounts are provisioned on the Zimbra Collaboration server.
-
Download the
.csv
file that lists the provisioned accounts and their passwords. The.csv
file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.
Migrating Accounts from Generic IMAP Servers
Use steps in this section to provision accounts on the Zimbra server.
- Admin Console:
-
Home → 3 Add Accounts → 3. Migration and Co-existence
-
In the Type of mail server field, select Generic IMAP Server.
-
If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.
-
Click Next.
-
On the Overview dialog, Import from another LDAP directory is selected. Click Next.
-
On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.
Table 44. Bulk Provisioning Features Bulk Provisioning Feature Description Generate random password
If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.
Default = 8 characters
If you select to generate a random password, you must download the
.csv
file that is created so that you can give the password information to each user.Use same password
If you select Use same password for all new accounts, enter the password to use.
Require users to change password after first login
It is recommended that this is checked to force users to change their passwords when they log on the first time.
SMTP Host / SMTP Port
For split domain configurations, set the SMTPHost name and port.
-
Click Next.
-
On the Directory connection dialog enter the information to connect to the server.
Table 45. Directory Connection Options Directory Connection Options Description Automatically create missing domains
Enable this option to create a domain when an account is imported and the domain they were on is not created.
If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.
Maximum records to fetch
Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.
Server name, LDAP URL, Port, and Use of SSL
-
The LDAP URL is entered as:
ldap://<ldapdirectory.example.com>
-
The default port is 389, but you can change this.
-
Check SSL if this is used.
Bind DN
The Zimbra setting is in the field by default as
uid=zimbra,cn=admins,cn=zimbra
Bind password
Enter the password for the server.
LDAP filter
In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.
LDAP search base
Configure the subsections of the LDAP forest to search.
-
-
Click Next.
The Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.
-
Review the report generated and then click Next. The accounts are provisioned on the Zimbra Collaboration server.
-
Download the
.csv
file that lists the provisioned accounts and their passwords. The.csv
file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.
Migrating Accounts using an XML File
Use steps in this section to create an XML file with the account information and save it to a computer you can access.
- Admin Console:
-
Home → 3 Add Accounts → 3. Migration and Co-existence
-
In the Type of mail server field, select the type of server your are migrating from.
-
If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.
-
Click Next.
-
On the Overview dialog, select Import from an XML file.
-
Click Next.
-
The Review options dialog displays the number of domains; number of accounts and the password options configured in the XML file.
-
If this information is correct, click Next. If this information is not correct, fix your XML file before proceeding.
If you clicked Next, the accounts are provisioned on the Zimbra Collaboration server.
-
Download the
.csv
file that lists the provisioned accounts and their passwords. The.csv
file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.
Importing Email for Selected Accounts
Use steps in this section to specify the list of accounts whose mail you want to import by either selecting the accounts to import data or by using an XML file to select the accounts.
Ensure that accounts are provisioned on the Zimbra server before attempting this procedure. |
- Admin Console:
-
Home → 3 Add Accounts → 3. Migration and Co-existence
-
In the Type of mail server field, select the type of server your are importing the data from.
-
In the Would you like to import account records menu, select No.
-
In the Would you like to import mail menu, select Yes.
-
Click Next.
-
On the Import options dialog box, select which way you are going to specify the accounts whose mail is being imported.
-
Click Next.
If you are selecting accounts, go to step 7. If you are using an XML file go to step 9.
-
If you are selecting the accounts to import, on the Selected Accounts dialog box, search for the accounts to add. You can search by domain or user name. If you click Search without entering text, all accounts are returned.
Add the accounts to the Accounts for data import column.
-
Click Next.
-
If you are using an XML file with the accounts listed, browse to the XML file to use.
-
Click Next.
-
In the IMAP Connection details dialog box, enter the information necessary to connect to the exporting server’s IMAP, this includes the IMAP host name, port and administrator login information.
-
Click Next.
-
Review the data import options. If the information is correct, click Next.
XML File Examples
This section contains three examples of the XML file structure to provision accounts and import data.
The following example shows an XML file that is used to provision multiple email accounts without importing mail:
<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>ssample@example.com</RemoteEmailAddress>
<password>test123</password>
<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
</User>
<User>
<sn>Zackry</sn>
<givenName>Zak</givenName>
<displayName>Zak Zackry</displayName>
<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress>
<password>test123</password>
<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
</User>
</ImportUsers>
</ZCSImport>
The following example shows an XML file that is used to provision multiple email accounts for externally hosted domain without importing mail.
In this example, the zimbraMailTransport
attribute of newly provisioned
accounts will be set to point to external SMTP server instead of the Zimbra
server.
<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<SMTPHost>smtp.example.com</SMTPHost>
<SMTPPort>25</SMTPPort>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>sam@example.com</RemoteEmailAddress>
</User>
<User>
<sn>Zackry</sn>
<givenName>Zak</givenName>
<displayName>Zak Zackry</displayName>
<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress>
</User>
</ImportUsers>
</ZCSImport>
The following example shows an XML file that is used to import email for one account via IMAP from a gmail account without provisioning the email account in Zimbra. The account must be provisioned on Zimbra before running this type of XML file.
<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<IMAPHost>imap.gmail.com</IMAPHost>
<IMAPPort>993</IMAPPort>
<ConnectionType>ssl</ConnectionType>
<UseAdminLogin>0</UseAdminLogin>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>sam@example.com</RemoteEmailAddress>
<RemoteIMAPLogin>sam@example.com</RemoteIMAPLogin>
<remoteIMAPPassword>test123</remoteIMAPPassword>
</User>
</ImportUsers>
</ZCSImport>
Auto Provisioning New Accounts from External LDAP
Auto provisioning of new accounts from external LDAP is supported via the CLI. This section describes the supported CLI attributes and auto provisioning methods.
Overview
When an external LDAP authentication mechanism - such as external LDAP authentication, preauth, or SPNEGO - is configured for a Zimbra domain, you can set up Zimbra to automatically create user accounts on Zimbra. Primary email address and account attributes are mapped from an external directory. You can configure how and when new accounts should be created from the external directory data.
Three modes are supported for auto-provisioning configuration.
Mode | Description |
---|---|
Eager |
Zimbra polls the external directory for accounts to auto provision. For this mode, you configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and which domains are scheduled for account auto provision on specified servers. Guidelines are provided in Eager Mode Configuration. |
Lazy |
If a user logs into the Classic Web App the first time through one of the authentication mechanisms supported for auto provisioning, and if the user does not exist in the Zimbra directory, a new account is automatically created in Zimbra for this user. Guidelines are provided in Lazy Mode Configuration. |
Manual |
Auto provisioning does not occurs: instead, the administrator manually searches from the configured external auto-provisioning LDAP source and selects an entry from the search result to create the corresponding Zimbra account for the external entry. Guidelines are provided in Manual Mode Configuration. |
When an account is created, the account name (consisting of the characters
alongside the @ symbol) is mapped from a user attribute on the external
directory that you define in zimbraAutoProvAccountNameMap
. Other account
information, such as first and last name, phone numbers, and address, is
populated from the attributes mapped from the external directory based on
zimbraAutoProvAttrMap
. You can review the external directory’s
attributes to determine those that should be mapped to a Zimbra attribute.
The COS assignment for auto-provisioned accounts is identical to the way that COS is determined for manually provisioned accounts:
-
If a COS is defined for the domain, this COS is assigned to the accounts that are created.
-
If a domain COS is not defined, the Zimbra default COS is assigned.
You can configure a Welcome email message to be sent to newly created
accounts. The subject and body of this email can be configured with
AutoProvNotification
attributes on the domain.
Auto-Provisioning Attributes
The attributes listed in this section can be used with the zmprov
command
to configure auto provisioning of new accounts with an external LDAP
directory.
zimbraAutoProvMode
-
Set auto provision mode as either EAGER, LAZY, and/or MANUAL. Multiple auto-provisioning modes can be enabled on a domain.
zimbraAutoProvAuthMech
-
Set type of authentication mechanism - as either LDAP, PREAUTH, KRB5, or SPNEGO - to enable for LAZY mode. Once a user authenticates via the specified authentication mechanism, and if the user account does not yet exist in the Zimbra directory, an account will be automatically created in the Zimbra directory.
zimbraAutoProvLdapURL
-
Set the LDAP URL of the external LDAP source for auto provisioning
zimbraAutoProvLdapStartTlsEnabled
-
Enable (TRUE) or disable (FALSE) the StartTLS protocol when accessing the external LDAP server for auto provisioning.
Default = FALSE. zimbraAutoProvLdapAdminBindDn
-
Defines the LDAP search bind DN for auto provisioning.
zimbraAutoProvLdapAdminBindPassword
-
Set the LDAP search admin bind password for auto provisioning.
zimbraAutoProvLdapSearchBase
-
Set the LDAP search base for auto provisioning, used in conjunction with zimbra
zimbraAutoProvLdapSearchFilter
.
If not set, LDAP root DSE will be used. zimbraAutoProvLdapSearchFilter
-
Defines the LDAP search filter template for account auto provisioning. For LAZY mode, either
zimbraAutoProvLdapSearchFilter
orzimbraAutoProvLdapBindDn
must be set.If both are set,
zimbraAutoProvLdapSearchFilter
will take precedence. See Placeholders for supported placeholders. zimbraAutoProvLdapBindDn
-
Defines the LDAP external DN template for account auto provisioning. For LAZY mode, either
zimbraAutoProvLdapSearchFilter
orzimbraAutoProvLdapBindDn
must be set.If both are set,
zimbraAutoProvLdapSearchFilter
will take precedence. See Placeholders for supported placeholders. zimbraAutoProvAccountNameMap
-
Defines the attribute name in the external directory that contains local part of the account name. This is the name used to create the Zimbra account. If this is not specified, the local part of the account name is the principal user used to authenticated to Zimbra.
zimbraAutoProvAttrMap
-
Defines the attribute map for mapping attribute values from the external entry to Zimbra account attributes. Values are in the format of
{external attribute}={zimbra attribute}
. If this is not set, no attributes from the external directory are populated in Zimbra account.Invalid mapping configuration will cause the account creation to fail. Bad mapping may be due to conditions such as:
-
Invalid external attribute name.
-
Invalid Zimbra attribute name.
-
External attribute contains multiple values; the Zimbra attribute contains only a single value.
-
Syntax violation (such as external attribute=string, but Zimbra attribute=integer).
-
zimbraAutoProvNotificationFromAddress
-
Defines the email address to put in the From header for the Welcome email sent to the newly created account. If not set, no notification email is sent to the newly created account.
zimbraAutoProvNotificationSubject
-
Template used to construct the subject of the notification message sent to the user when the user’s account is auto provisioned.
Supported variables:
${ACCOUNT_ADDRESS}
,${ACCOUNT_DISPLAY_NAME}
zimbraAutoProvNotificationBody
-
Template used to construct the body of the notification message sent to the user when the user’s account is auto provisioned.
Supported variables:
${ACCOUNT_ADDRESS}
,${ACCOUNT_DISPLAY_NAME}
zimbraAutoProvListenerClass
-
Domain setting to define the class name of auto provision listener. The class must implement the
com.zimbra.cs.account.Account.AutoProvisionListener
interface. The singleton listener instance is invoked after each account is auto created in Zimbra. Listener can be plugged in as a server extension to handle tasks like updating the account auto provision status in the external LDAP directory.At each eager provision interval, Zimbra does an LDAP search based on the value configured in
zimbraAutoProvLdapSearchFilter
. Returned entries from this search are candidates to be auto provisioned in this batch. ThezimbraAutoProvLdapSearchFilter
should include an assertion that will only hit entries in the external directory that have not yet been provisioned in Zimbra, otherwise it’s likely the same entries will be repeated pulled in to Zimbra. After an account is auto provisioned in Zimbra,com.zimbra.cs.account.Account.AutoProvisionListener.postCreate (Domain domain, Account acct, String external DN)
will be called by the auto provisioning framework. Customer can implement the AutoProvisionListener interface in a Zimbra server extension and get theirAutoProvisionListener.postCreate()
get called. The implementation of customer’s post Create method can be, for example, setting an attribute in the external directory on the account just provisioned in Zimbra. The attribute can be included as a condition in thezimbraAutoProvLdapSearchFilter
, so the entry won’t be returned again by the LDAP search in the next interval. zimbraAutoProvBatchSize
-
Domain | Global setting to define the maximum number of accounts to process in each interval for EAGER auto provision.
zimbraAutoProvScheduledDomains
-
Server attribute that lists the domains scheduled for EAGER auto provision on this server. Scheduled domains must have EAGER mode enabled in
zimbraAutoProvMode
. Multiple domains can be scheduled on a server for EAGER auto provision. Also, a domain can be scheduled on multiple servers for EAGER auto provision. zimbraAutoProvPollingInterval
-
Domain | Global setting to define the interval between successive polling and provisioning accounts in EAGER mode. The actual interval might take longer since it can be affected by two other factors:
zimbraAutoProvBatchSize
and number of domains configured inzimbraAutoProvScheduledDomains
.At each interval, the auto provision thread iterates through all domains in
zimbraAutoProvScheduledDomains
and auto creates accounts up todomain.zimbraAutoProvBatchSize
. If that process takes longer thanzimbraAutoProvPollingInterval
than the next iteration starts immediately instead of waiting forzimbraAutoProvPollingInterval
amount of time.-
If set to 0 when server starts up, the auto provision thread will not start.
-
If changed from a non-0 value to 0 while server is running, the auto provision thread will be shutdown.
-
If changed from 0 to a non-0 value while server is running, the auto provision thread will be started.
-
Placeholders
Tag | Description | Result |
---|---|---|
%/n |
User name and the @ symbol |
This returns user1@example.com |
%u |
User name without the @ symbol |
This returns user1. |
%d |
Domain |
This returns example.com |
%D |
Domain as dc |
This returns example,dc=com |
Eager Mode Configuration
With Eager mode, Zimbra polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and the domains to be scheduled for account auto-provisioning on specified servers.
-
Log in to the Zimbra server as zimbra and type
zmprov
at the command prompt.zmprov
-
Enable EAGER mode on the domain.
md <example.com> zimbraAutoProvMode EAGER
-
Set the maximum number of accounts to process in each interval
md <example.com> zimbraAutoProvBatchSize <#>
-
Configure the interval (in minutes) between polling and provisioning of accounts. This must be set to a non-0 value for the auto provisioning thread to start. Default = 15 minutes.
ms <server.com> zimbraAutoProvPollingInterval <x minutes>
-
Select the domains to be scheduled for auto provisioning. Multiple domains can be scheduled on the server.
A domain can be scheduled on multiple servers.
ms <server.com> +zimbraAutoProvScheduledDomains <domain1.com> \ +zimbraAutoProvScheduledDomains <domain2.com>
-
Configure the external LDAP settings:
-
LDAP URL
md <example.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"
The LDAP port is typically 389.
-
(Optional) Enable StartTls.
md <example.com> zimbraAutoProvLdapStartTlsEnabled TRUE
-
LDAP admin bind DN for auto provision:
md <example.com> zimbraAutoProvLdapAdminBindDn "cn=admin, dc=autoprov, dc=company, dc=com"
-
Administrator’s LDAP search bind password for auto provision.
md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
-
Search template to use when searching for users to auto provision.
Example using the LDAP search filter:
md <example.com> zimbraAutoProvLdapSearchFilter "(uid=<%placeholder>)"
Refer to Placeholders for supported placeholders.
-
LDAP search base for auto provisioning
This is the location in the directory from which the LDAP search begins. This is used with
zimbraAutoProvLdapSearchFilter
. If this is not set, the LDAP directory root,rootDSE
, is the starting point.md <example.com> zimbraAutoProvLdapSearchBase "dc=autoprov,dc=company,dc=com" md <example.com> zimbraAutoProvLdapBindDn <"placeholder1">
Refer to Placeholders for supported placeholders.
-
-
(Optional) Define the attribute name that is mapped to the local part of the account name on the external directory. This is used to define the account name on Zimbra. If this is not specified, the local part of the account name is the principal user name used to authenticate to Zimbra.
md <example.com> zimbraAutoProvAccountNameMap <value>
-
(Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. The value is mapped in the form of
{external attribute}={zimbra attribute}
.Invalid mapping configuration will cause the account creating to fail. To map the "sn" value on the external entry to "displayName" on the Zimbra account and map description value on the external entry to description on the Zimbra account, type
md <example.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
-
(Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.
md <example.com> zimbraAutoProvNotificationFromAddress <name@example.com>
-
To exit zmprov, type
exit
Lazy Mode Configuration
Lazy mode auto provisioning automatically creates a new account after a user authenticates from an external authentication mechanisms (LDAP, preauth, Kerberos 5, and/or SPNEGO).
-
Log in to the Zimbra server as zimbra and type
zmprov
at the command prompt. -
Enable LAZY mode,
md <example.com> zimbraAutoProvMode LAZY
-
Select the external authentication mechanism for the LAZY mode: LDAP, PREAUTH, KRB5, SPNEGO. You can specify multiple authentication mechanisms.
md <example.com> zimbraAutoProvAuthMech <type> +zimbraAutoProvAuthMech <type2>
-
Configure the external LDAP settings
-
LDAP URL:
md <example.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"
The LDAP port is usually 389.
-
(Optional) Enable StartTls
md <example.com> zimbraAutoProvLdapStartTlsEnabled TRUE
-
LDAP Admin bind DN for auto provision in the format
cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>
md <example.com> zimbraAutoProvLdapAdminBindDn <"bindDN">
For example,
"cn=admin, dc=autoprov, dc=company, dc=com"
-
Administrator’s LDAP search bind password for auto provision.
md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
-
(Optional) Search template to use when searching for users to auto provision.
Example: using LDAP search filter:
md <example.com> zimbraAutoProvLdapSearchFilter <"placeholder">
Refer to Placeholders for supported placeholders.
zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn MUST be configured for LAZY mode. -
LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. This is used with
zimbraAutoProvLdapSearchFilter
. If this is not set, the LDAP directory root,rootDSE
, is the starting point.md <example.com> zimbraAutoProvLdapSearchBase <"location">
For example,
"dc=autoprov,dc=company,dc-com"
-
(Optional) Define the LDAP external DN template for account provisioning.
md <example.com> zimbraAutoProvLdapBindDn "uid=%<placeholder1>, %<placeholder2>"
Refer to Placeholders for supported placeholders.
-
-
(Optional) Identify the attribute name on the external entry that contains the local part of the account name to be provisioned in Zimbra. If this is not specified, the local part of the account name is the principal user used to authenticate to Zimbra.
md <example.com> zimbraAutoProvAccountNameMap <value>
-
(Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. Value is in the form of
{external attribute}={zimbra attribute}
.To map the sn value on the external entry to displayName on the Zimbra account and map description value on the external entry to description on the Zimbra account, type as
md <example.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
-
(Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.
md <example.com> zimbraAutoProvNotificationFromAddress <name@example.com>
-
Exit zmprov, type
exit
.
Manual Mode Configuration
Use the Manual Mode setting to disable auto provisioning with an external LDAP server.
-
Log in to the Zimbra server as zimbra and type
zmprov
at the command prompt. -
Enable MANUAL mode:
md <example.com> zimbraAutoProvMode MANUAL
Managing Resources
A resource is a location or equipment that can be scheduled for a meeting. Each meeting room location and other non-location specific resources such as AV equipment is set up as a resource account. The Manage → Resources section in the Administration Console shows all resources that are configured for Zimbra Collaboration.
User accounts with the Calendar feature can select these resources for their meetings. The resource accounts automatically accept or reject invitations based on availability.
Administrators do not need to monitor these mailboxes on a regular basis. The contents of the resource mailboxes are purged according to the mail purge policies.
A Resource Wizard guides you through the resource configuration. You can configure the account with the following details about the resource:
-
Type of resource, either location or equipment
-
Scheduling policy
-
Forwarding address to receive a copy of the invite
-
Description of the resource
-
Contact information, which can be a person to contact if there are issues
-
Location information, including room name, specific building location including building and address, and room capacity
-
Customize auto response message and signatures to be used in the reply email messages
When you create a resource account, a directory account is created in the LDAP server.
To schedule a resource, users invite the equipment resource and/or location to a meeting. When they select the resource, they can view the description of the resource, contact information and free/busy status for the resource, if these are set up.
When the meeting invite is sent, an email is sent to the resource account, and, based on the scheduling policy, if the resource is free the meeting is automatically entered in the resource’s calendar and the resource is shown as Busy.
Set Up the Scheduling Policy
The scheduling policy establishes how the resource’s calendar is maintained. The following resource scheduling values can be set up:
-
Auto decline all recurring appointments — This value is enabled when the resource can be scheduled for only one meeting at a time. No recurring appointments can be scheduled for this resource.
-
Auto accept if available, auto-decline on conflict — When this option is selected, the resource account automatically accepts appointments unless the resource is already scheduled. The free/busy times can be viewed. You can modify the auto-decline rule to accept some meetings that conflict.
-
Manual accept, auto decline on conflict — When this option is selected, the resource account automatically declines all appointments that conflict. Appointment requests that do not conflict are marked as tentative in the resource calendar and must be manually accepted. If you set this up, configure the forwarding address so a copy of the invite is sent to the account that can manually accept the invitation. You can modify the auto-decline rule to accept some meetings that conflict.
-
Auto accept always — The resource account automatically accepts all appointments that are scheduled. In this case, free/busy information is not maintained, thus more than one meeting could schedule the resource at the same time. Because the resource always accepts the invitation, the suggested use for this policy would be for a frequently used location off premises that you want the location address to be included in the invite to attendees.
-
No auto accept or decline — The resource account is manually managed. A delegated user must log into the resource account and accept or decline all requests.
Conflict Rules — For accounts that include the auto decline on conflict value, you can set up a threshold, either as a number of conflicts or as a percentage of all the recurring appointments to partially accept recurring appointments.
Maximum allowed number of conflicts and/or Maximum allowed percent of conflicts are configured to allow a recurring resource to be scheduled even if it is not available for all the requested recurring appointment dates.
The resource accepts appointments even if there are conflicts until either the number of conflicts reaches the maximum allowed or the maximum percentage of conflicts allowed. In order for partial acceptance of a series to work, both fields must be set to nonzero values.
Manage Resource Accounts
You can log on to the resource account and set preferences for the resource. The Resource Accounts Preference → Calendar can be configured to let users manage the Resource’s Calendar. You can configure the following options to manage the resource.
-
An address to forward invites. If the forwarding address was set up when the account was provisioned, you can change the address
-
Who can use this resource. In the Permissions section, Invites, select Allow only the following internal users to invite me to meetings and add the appropriate users' email addresses to the list.
You can share the resource calendar with a user and give the user Manager rights. Users delegated as Manager have full administrative rights for that calendar. They can view, edit, add, remove, accept or decline the invites.
Managing User Accounts
Status of User Accounts
- Admin Console:
-
Home → Manage → Accounts
The status of an account determines whether a user can log in and receive mail. The account status is displayed on the Accounts pane of the Administration Console.
Status | Description |
---|---|
Active |
The normal state for a mailbox account. Mail is delivered and users can log in to the client interface. |
Maintenance |
Logging is disabled and any mail addressed to this account is queued at the MTA. Note that this state is automatically set for the account during a backup or when importing/exporting/ restoring the account. |
Pending |
Assignment for an account when it is created but not yet ready to become active. While pending, the login is disabled and messages are bounced. |
Locked |
The user cannot log in but mail continues to be delivered to the account. The locked state can be set if you suspect that a mail account has been compromised (used in an unauthorized manner). |
Closed |
Login is disabled and messaged are bounced. This status is used to soft-delete the account before deleting it from the server. A closed account does not change the account license. |
LockOut |
The automatic state that occurs if the user attempts to log in with an incorrect password. A LockOut cannot be administratively assigned but will occur after the number of user attempts exceeds the configured number of attempts allowed. The duration of the lockout is also configurable. The administrator can remove the locked out status at any time. |
Deleting an Account
- Admin Console:
-
Home → Manage → Accounts
You can delete accounts from the Administration Console. This removes the account from the server, deletes the messages in the message store, and changes the number of accounts used against your license.
Before you delete an account, run a full backup of that account to save the account information. See also Backup and Restore. |
Viewing an Accounts Mailbox
You can view a selected account’s mailbox content, including all folders, calendar entries, and tags from the Administration Console.
- Admin Console:
-
Home → Manage → Accounts → account
Select an account, from the Gear icon select View Mail. The user’s Zimbra account opens in a new browser window.
This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account at the same time.
Any View Mail action to access an account is logged to the audit.log
file.
Using an Email Alias
An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.
When you select Aliases from the Manage Aliases navigation pane, all aliases that are configured are displayed in the content pane. You can create an alias, view the account information for a specific alias, move the alias from one account to another, and delete the alias.
Hide Alias in GAL
10.1.1 release onwards, you can hide the aliases in GAL. Once hidden, they will not appear in autocomplete when composing mail or searching inbox.
The feature can be controlled on account level. By default, the feature is disabled.
The feature can be controlled through following ways:
-
Admin Console
-
Login to Admin Console.
-
Go to Home → Manage → Accounts → <account_name> → General Information → Account Name → Hide aliases in GAL
-
A checkbox to enable/disable the feature is available.
-
-
Command Line
A new LDAP attribute zimbraHideAliasesInGal
is added to control the feature.
-
As a
zimbra
user, execute the following command to enable the feature for an account:zmprov ma <account_name> zimbraHideAliasesInGal TRUE
-
As a
zimbra
user, execute the following command to force sync the changes and make the changes effective:zmgsautil forceSync -a <galsync@domain.com> -n InternalGAL
Working with Distribution Lists
A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending the message to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed.
You can create distribution lists that require an administrator to manage the member list and you can create dynamic distribution lists that automatically manages adding and deleting members in the list. For more information about dynamic distribution lists, see Using Dynamic Distribution Lists.
You can see which distribution lists a user is a member of from the user’s account "Member of" page. When a Zimbra user’s email address is added to a distribution list, the user’s account Member Of page is updated with the distribution list name. When a distribution list is deleted, the distribution list name is automatically removed from the account’s "Member Of" page.
Setting Subscription Policies for Distribution Lists
Subscription policies can be set up to manage a distribution list’s membership. Owners of the list manage the subscription policy from the Properties page of a distribution list.
Distribution Option | Description |
---|---|
New Subscription Requests |
|
Unsubscription Requests |
|
Management Options for Owners of Distribution Lists
You can add owners to distribution lists and they manage the list from their Zimbra account’s Address Book, Distribution List folder. Owners of a list can right-click a distribution list and click the Edit Group link to edit a list.
Besides adding and deleting members, distribution list properties that owners can configure include:
-
Marking the list as private so it is hidden in the Global Address List
-
Managing who can send messages to the list
-
Setting a member subscription policy
-
Adding additional owners
Creating a Distribution List
Use steps in this section to create a distribution list:
- Admin Console:
-
Home → Manage → Distribution Lists
-
From the Gear icon, click New.
-
On the Members page, add the distribution list name. Do not use spaces. The other fields are optional.
-
Find members to add to the distribution list in the right column. Select the members to add and click Add Selected. If you want to add all addresses on the page, click Add This Page. If you want to add members that are not in the company list, in the Or enter addresses below section, type a complete mail address.
-
Click Next to configure the Properties page.
Table 48. Distribution Properties Options Distribution Properties Options Description Can receive mail
Enabled by default. If this distribution list should not receive mail select this box.
Hide user in GAL
Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.
Mail Server
This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.
Dynamic Group
If you check this box, the Member URL field displays and you create a dynamic distribution list.
New Subscription Requests
Select from:
-
Automatically accept
-
Require list owner approval
-
Automatically reject
Unsubscription Requests
Select from:
-
Automatically accept
-
Require list owner approval
-
Automatically reject
-
-
In the Members Of page, select distribution lists that should be direct or indirect members of the list.
-
If the distribution list should have an alias, create it.
-
If this distribution list can be managed by other users, enter these email addresses in the Owners page.
-
Set how messages received to the distribution list should be replied to.
-
Click Finish. The distribution list is enabled and the URL is created.
-
Managing Access to Distribution Lists
After a distribution list is created, you can manage who can view members of a distribution list and who can send messages to a distribution list. The default is all users have access to all distribution lists. This section describes how to use the CLI to manage access.
To limit who can access distribution lists, grant rights to individual users on a domain or if you want only members of a domain to access distribution lists, you can grant rights on the domain. When you grant the right on the domain, all distribution lists on the domain inherit the grant.
You can grant the right on individual distribution lists and configure specific users that are allowed to access the distribution list.
You can restrict access to a distribution list from the CLI zmprov grantRight
(grr
) command.
For more information about how granting rights works, see Delegated Administration. |
Who Can View Members of a Distribution List
The default is that all users can view members addresses in a distribution list. A distribution list address displays a + in the address bubble. Users can click on this to expand the distribution list. A list of the addresses in the distribution list is displayed. Users can select individual addresses from the expanded list.
Restricting who can view addresses in a distribution list to individuals or to a domain:
-
For individual users:
zmprov grr domain <domain_name> usr <user1@example.com> viewDistList
-
For all users in a domain:
zmprov grr domain <domain_name> dom <example.com> viewDistList
-
To grant rights on a distribution list and let specific users view the list:
zmprov grr dl <dll_name@example.com> usr <user1@example.com>
Who Can Send to a Distribution List
The default is that all users can send messages to all distribution lists. You can grant rights to a distribution list or to a domain that defines who can send messages to a distribution list. When users attempt to send to a distribution list that they are not authorized to use, a message is sent stating that they are not authorized to send messages to the recipient distribution list.
The Milter Server must be enabled from Home → Configure → Global Settings → MTA. |
Restricting who can send messages to a distribution list to individuals or to a domain:
-
Granting rights to an individual user in a domain to send messages to all distribution lists.
zmprov grr domain <domain_name> usr <user1@example.com> sendToDistList
-
Granting rights to all users in a domain to send messages to all distribution lists.
zmprov grr domain <domain_name> dom <example.com> sendToDistList
Restricting access and to remove the restriction to individual distribution lists for different user types.
-
Access to specific internal users:
zmprov grr dl <dlname@example.com> usr <username@example.com> sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> usr <username@example.com> sendToDistList
-
Access only to members of the distribution list:
zmprov grr dl <dlname@example.com> grp <dlname2@example.com> sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> grp <dlname2@example.com> sendToDistList
-
Access only to all users in a domain:
zmprov grr dl <dlname@example.com> dom <example.com> sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> dom <example.com> sendToDistList
-
Access only to all users in an external domain:
zmprov grr dl <dlname@example.com> edom <example.com> sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> edom <example.com> sendToDistList
-
Access only to internal users:
zmprov grr dl <dlname@example.com> all sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> all sendToDistList
-
Access only to all public email addresses:
zmprov grr dl <dlname@example.com> pub sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> pub sendToDistList
-
Access only to specific external email address:
zmprov grr dl <dlname@example.com> gst <someone@foo.com> "" sendToDistList
Revoke access
zmprov rvr dl <dlname@example.com> gst <someone@foo.com> "" sendToDistList
Enabling View of Distribution List Members for AD Accounts
To view Active Directory distribution list members in messages or in the address book, the GAL group handler for Active Directory must be configured in the Zimbra GALsync account for each Active Directory.
Use steps in this section to update the GALsync account for each Active Directory. This configuration requires that you know the GALsync account name and all data sources on that GALsync account.
-
Display the Zimbra ID of the GAL sync account:
zmprov gd {domain} zimbraGalAccountId
To find the name:
zmprov ga {zimbraId-of-the-GAL-sync-account} name
-
Display data sources for the GALsync account:
zmprov gds {gal-sync-account-name-for-the-domain}
-
Enable the group handler for the Active Directory:
zmprov mds {gal-sync-account-name-for-the-domain} {AD-data-source-name} \ zimbraGalLdapGroupHandlerClass com.zimbra.cs.gal.ADGalGroupHandler
Using Dynamic Distribution Lists
Dynamic distribution lists automatically manage their membership. Users are added and removed from the distribution list automatically. When you create a dynamic distribution list, a member URL is specified. This member URL is used to identify who should be members of the list. You can view this URL from the Administration Console distribution list’s Properties page.
You can create dynamic distribution lists from the Administration Console or from the CLI. In the URL, you specify specific object classes that identify the type of users to be added to the dynamic distribution list. For example, you can configure a dynamic distribution list with the object class= zimbraAccount. In this case, when accounts are provisioned or accounts are deleted, the dynamic distribution list is updated.
You can create dynamic distribution lists for all mobile users or POP/IMAP users.
You can modify a distribution list to change the filter rules. When you modify a distribution list, the members in the list are changed to reflect the new rule.
Create Dynamic Distribution Lists
You can create a dynamic distribution list with the admin console or with the CLI, as described in this section.
- Admin Console:
-
Home → Manage → Distribution Lists.
-
From the Gear icon, click New.
-
On the Members page, add the dynamic distribution list name. Do not use spaces. Do not add members to the list.
-
Click Next to configure the Properties page.
Table 49. Dynamic Distribution Lists Options Option Description Can receive mail
Enabled by default. If this distribution list should not receive mail select this box.
Hide user in GAL
Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.
Mail Server
This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.
Dynamic Group
Check this box.
Can be used in right management
Uncheck this box.
Member URL
The Member URL is an LDAP-type URL defining a filter that determines which users are added to and removed from the list.
Type the URL for this list. In the command,
ldap://??sub?
is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.Example 10. All users, GAL account names, and spam/ham account listldap:///??sub?(objectClass=zimbraAccount)
Example 11. Delegated administrators listldap:///??sub?(&(objectClass=zimbraAccount)(zimbraIsDelegatedAdminAccount=TRUE))
Example 12. All active accountsldap:///??sub?(&(objectClass=zimbraAccount)(ZimbraAccountStatus=active))
Example 13. All users with the title managerThe title is taken from the account’s Contact Information Job Title field. In this example, this field would be set to "Manager".
ldap:///??sub?(&(objectClass=zimbraAccount)(title=Manager))
New Subscription Requests
Select Automatically reject.
Unsubscription Requests
Select Automatically reject.
-
If the dynamic distribution list should have an alias, create it.
-
If this dynamic distribution list can be managed by other users, enter these email addresses in the Owners page.
-
If you want to set up a reply to address, enter it here. Any replies to this distribution list are sent to this address.
-
Click Finish. The dynamic distribution list is created.
-
Users are added automatically to the list based on the filter you specified. If you add or delete users, the list is updated.
If you use the CLI to modify a dynamic distribution list originally created on the Administration Console, you must set zimbraIsACLGroup FALSE for that dynamic distribution list.
|
Use the CLI zmprov
command to manage dynamic distribution lists.
In the command, ldap:///??sub?
is the URL.
You can add any combination of filters to this to create different types of dynamic distribution lists.
-
Creating a dynamic distribution list of all new and existing accounts
All users, GAL account names, and spam/ham account names are included. When user accounts are deleted, they are removed from the list.
zmprov cddl <all@domain.com> zimbraIsACLGroup FALSE \ memberURL 'ldap:///??sub?(objectClass=zimbraAccount)'
-
Creating a COS and Assign Users
If you create COSs and assign users to the COS based on specific criteria, such as all managers, you can quickly modify a dynamic distribution list to be used for a specific COS.
Example 14. A dynamic distribution list that includes all users that have active accounts in a specific COSzmprov cddl <allusers@domain.com> zimbraIsACLGroup FALSE \ memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraAccountStatus=active))'
Example 15. A dynamic distribution list that includes all users based on job titlesTo use this, the account’s Contact Information Job Title field must include the title. In this example it would be set to "Manager".
zmprov cddl <allmanagers@domain.com> zimbraIsACLGroup FALSE' \ memberURL ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (title=Manager))'
Example 16. A dynamic distribution list for all delegated administratorszmprov cddl <alldelegatedadmins@domain.com> zimbraIsACLGroup FALSE \ memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraIsDelegatedADminAccount=TRUE))'
Moving a Mailbox
Mailboxes can be moved between Zimbra servers that share the same LDAP server.
You can move a mailbox from either the Administration Console or use the CLI command zmmboxmove
to reposition a mailbox from one server to another, without taking down the servers.
The destination server manages the mailbox move process. The move runs in the background and the account remains in active mode until most of the data has been moved. The account is locked briefly to move the last data and then returned to active mode.
The mailbox move process goes through the following steps:
-
Mailbox blobs are moved to the new server
-
When most of the content has been moved, the account is put into maintenance mode
-
Database tables, index directories, and any changed blobs are moved
-
The account is put back into active mode
After the mailbox is moved to a new server, a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. Check to see that all the mailbox content was moved successfully before purging the old mailbox.
-
Moving a mailbox to a new server
zmmboxmove -a <email@address> --from <servername> --to <servername>
-
Purging the mailbox from the old server
zmpurgeoldmbox -a <email@address> -s <servernamee>
Global Configuration Options for Moving Mailboxes
Global configuration options for moving a mailbox can be set to exclude search indexes, blobs, and SM blobs when mailboxes are moved. The following configuration options can be set on either the exporting server or the destination server:
-
zimbraMailboxMoveSkipSearchIndex
— If you do not include the search index data, the mailbox will have to be reindexed after the move. -
zimbraMailboxMoveSkipBlobs
— Blobs associated with the mailbox, including primary and secondary volumes (SM) are excluded. -
zimbraMailboxMoveSkipHsmBlobs
— This is useful when SM blobs already exist for the mailbox being moved. Set this ifzimbraMailboxMoveSkipBlobs
is not configured, but you want to skip blobs on SM volumes.
Monitoring Zimbra Servers
The Zimbra Collaboration (Zimbra) includes the following to help you monitor the Zimbra servers, usage, and mail flow:
-
Zimbra Logger package to capture and display server statistics and server status, and to create nightly reports
-
Mailbox quota monitoring
-
MTA mail queue monitoring
-
Log files
Also, selected error messages generate SNMP traps, which can be monitored using an SNMP tool.
Checking the overall health of the system as a whole is beyond the scope of this document. |
Zimbra Logger
The Logger includes tools for syslog aggregation and reporting. Installing the Logger is optional, but if you do not install it, server statistics and server status information are not captured.
In environments with more than one Zimbra Collaboration server, Logger is enabled on one mailbox server only. This server is designated as the monitor host. The Zimbra Collaboration monitor host is responsible for checking the status of all the other Zimbra Collaboration servers and presenting this information on the Zimbra administration console. Real-time service status, MTA, spam, virus traffic and performance statistics can be displayed. The Logger creates a daily report about mail activity, such as the number of messages, average delivery delay, and errors generated.
In a multi-server installation, you must set up the syslog configuration files on each server to enable Logger to display the server statistics on the Administration Console, and you must enable the Logger host. If you did not configure this when you installed Zimbra Collaboration, do so now. |
Enabling Server Statistics
Enable server statistics to show both system- wide and server specific data about the inbound message volume, inbound message count, anti-spam/anti-virus activity and disk usage for messages processed in the last 48 hours, 30 days, 60 days, and the last year.
-
On each server, as root, type
/opt/zimbra/libexec/zmsyslogsetup
. This updates the syslog configuration to enable gathering server statistics. -
On the logger monitor host, you must configure syslog to accept syslog messages from remote machines. See https://wiki.zimbra.com/wiki/Configuring-Logger-Host for details.
These steps are not necessary for a single-node installation. |
Reviewing Server Status
- Admin Console:
-
Home → Monitor
The Server Status page lists all servers and services, their status, and when the server status was last checked. The servers include the MTA, LDAP, and mailbox server. The services include MTA, LDAP, Mailbox, SNMP, Anti-Spam, Anti-Virus, Spell checker, and Logger.
To start a server if it is not running, use the zmcontrol
CLI command. You
can stop and start services from the Administration Console.
Enabling or Disabling Server Services
- Admin Console:
-
Home → Configure → Servers → server
Server services are enabled or disabled from the Servers → server page. Select Services in the Navigation pane and select to enable or disable services.
Viewing Server Performance Statistics
If the Logger package is installed on a Zimbra mailbox server, Server Statistics shows bar graphs of the message count, message volume, anti-spam, and anti-virus activity. The information is displayed for the last 48 hours, and 30 days, 60 days, and 365 days.
When Server Statistics is selected in the Navigation pane, consolidated statistics for all mailbox servers is displayed. Selecting a specific server in the expanded view shows statistics for that server only. Server specific information also includes disk usage, session information, and mailbox quota details.
The following display system-wide information:
-
Message Count — counts message transactions. A transaction is defined as either the SMTP receipt of a message per person (by Postfix) or a LMTP delivery of it (by mailboxd) per person. For example, if a message is sent to three people, six transactions are displayed. Three for SMTP to Postfix and three for LMTP to mailboxd. The message count is increased by six.
-
Message Volume — displays the aggregate size in bytes of transactions sentand received per hour and per day. Graphs show the total inbound data by volume in bytes.
-
Anti-Spam/Anti-Virus Activity — displays the number of messages that werechecked for spam or viruses and the number of messages that were tagged as spam or deemed to contain a virus. The AS/AV count is increased by one per message scanned. One message sent to three people counts as only one message processed by AS/AV.
The Message Count and the Anti-spam/Anti-virus Activity graphs display a different message count because:
-
Outbound messages may not go through the Amavisd filter, as the system architecture might not require outbound messages to be checked.
-
Messages are received and checked by Amavisd for spam and viruses before being delivered to all recipients in the message. The message count shows the number of recipients who received messages.
-
Server-specific statistics also include the following details:
-
Disk — for a selected server displays the disk used and the disk space available. The information is displayed for the last hour, day, month, and year.
-
Session — displays information about the active Web client, administrator and IMAP sessions. You can see how many active sessions are opened, who is logged on, when the session was created and the last time the session was accessed.
-
Mailbox Quota — displays information about each account sorted by mailbox size in descending order. See Monitoring Mailbox Quotas.
Configuring Logger Mail Reports
The Logger generates a report about mail activity daily at 11:30 p.m. and sends it to the administrator’s email address.
You can configure the number of accounts to include in the report. The default is 25 sender and 25 recipient accounts.
-
Changing the number of recipients to add to the report:
zmlocalconfig -e zimbra_mtareport_max_recipients=<number>
-
Changing the number of senders to add to the report:
zmlocalconfig -e zimbra_mtareport_max_senders=<number>
Configuring Disk Space Notifications
You should regularly review your disk capacity and when disks are getting full, take preventative measures to maintain service. A warning alert email notification is sent to the administrator account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%.
You can change these values. Use zmlocalconfig
to configure the
disk warning thresholds.
-
Warning alerts
zmdisklog_warn_threshold
-
Critical alert:
zmdisklog_critical_threshold
When starting services with zmcontrol
, if the threshold is exceeded a
warning is displayed before the services are started. You should clean up
your disk to free up space.
Monitoring Servers
The Zimbra Collaboration server collects many performance related statistics that can help you diagnose problems and load issues.
- Admin Console:
-
Home → Monitor → Advanced Statistics
The Advanced Statistics page includes advanced graphing options that lets you generate various charts based on statistical information for the CPU, IO, mailboxd, MTA queue, MariaDB and other components.
To chart the graphics in Advanced Statistics, select one of these groups and then select from the list of specific counters for the type of information to display.
The information covers a wide array of data:
-
cpu.csv — CPU utilization. This group contains counters to keep track ofCPU usage (iowait, idle, system, user, time etc.). CPU information can be tracked both at the server level and the process level.
-
df.csv — Captures disk usage. Disk utilization is tracked for each diskpartition.
-
fd.csv — file descriptor count. Keeps track of system file descriptor usageover time. This is primarily used to track down "out-of-file descriptor" errors.
-
mailboxd.csv — Zimbra Collaboration server and JVM statistics. Mailboxdstores almost all of its statistics here. Interesting numbers to keep track of are heap_used, heap_free, imap_conn, soap_sessions, pop_conn, db_conn_count.
-
mtaqueue.csv — Postfix queue. This measures the mail queue size innumber of messages and the size in bytes.
-
proc.csv — Process statistics for Zimbra processes. For example mailboxd/java, MariaDB, OpenLDAP, etc.)
-
soap.csv — SOAP request processing time.
-
threads.csv — JVM thread counts. Counts the number of threads with acommon name prefix.
-
vm.csv — Linux VM statistics (from the vmstat command).
-
io-x.csv and io.csv — store data from the
iostat(1)
command (io-x.csv
withiostat -x
).
Configuring Denial of Service Filter Parameters
The denial-of-service filter (DoSFilter) limits exposure to requests flooding over HTTP/HTTPS. The DoSFilter throttles clients sending a large number of requests over a short period of time.
DosFilter is only applied to HTTP and HTTPS requests, in other words, it does not affect requests for any other protocols like POP3, IMAP or SMTP. You can modify the configuration to accommodate your specific environmental needs. DoSFilter is enabled by default on Zimbra. Disabling the DoSFilter is not recommended. For information on preventing multiple failed login attempts see Password Policy
Identifying False Positives
Sometimes Zimbra Connector for Outlook (ZCO), mobile ActiveSync clients, or
running some zmprov
commands trigger the DoSFilter. When this happens, the
Zimbra mailbox service is unavailable. You can review the following logs
to see if the DoSFilter was applied.
-
/opt/zimbra/log/sync.log
.
sync.log
entry showing the DoSFilter2021-01-15 15:52:20,426 WARN [qtp1635701107-91:https://x.x.x.x/
Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5ddddd3NR&DeviceType=iPhone&Cmd=FolderSync][name=zsupport2@domain.com;mid=64;ip=10.1.2.3;Cmd=FolderSync;DeviceID=Appl5K0113UN3NR;Version=12.1;] sync - Service exception com.zimbra.common.service.ServiceException: error while proxying request to target server: HTTP/1.1 503 Service Unavailable
ExceptionId:qtp1635701107-91:https://10.10.0.54:443/Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5K0113UN3NR&DeviceType=iPhone&Cmd=FolderSync:1358286740426:c5ca7f36bb0a038f Code:service.PROXY_ERROR Arg:(url, STR,"http://mail.domain.com:80/service/soap/SyncRequest"
-
/opt/zimbra/log/zmmailboxd.out
zmmailboxd.out
entry showing the DoSFilter2021-01-15 15:57:32.537:WARN:oejs.DoSFilter:DOS ALERT:ip=127.0.1.1,session=null,user=null
Customizing DoSFilter Configuration
The following attributes are used with zmprov
to configure the DoSFilter.
These attributes can be configured as global settings and as server
settings. If these attributes are set in the server, the server settings
override the global settings.
You can modify these settings, but the default configuration is recommended.
Attribute | Description |
---|---|
DoSFilter Delay |
The delay given to all requests over the rate limit before they are considered. The default is -1.
|
DoSFilter Maximum Requests Per Second |
The maximum number of requests from a connection per second. Requests in excess of this are throttled. The default is 30 and the minimum is 1.
|
DoSFilter IP Addresses Whitelist |
IP addresses to ignore when applying the DosFilter. This attribute does not have a default value, however the following loopback IPs are whitelisted by default.
The IP addresses should be comma separated.
|
A mailbox server restart is required after modifying these attributes. Type:
zmmailboxdctl restart
Tuning Considerations for Zimbra Collaboration 8.0.3 and later
-
Zimbra Member Servers — Zimbra servers under the control of a single masterLDAP server are automatically whitelisted by IP address. These hosts are discovered using a GetAllServersRequest. Type as
zmprov gas
. -
External Provisioning Hosts/SOAP API — External provisioning hosts can be added to the IP whitelist to ensure that the DoSFilter does not block some requests. For example, a mailbox reindex might make several calls per second that can trigger the DoSFilter.
Working with Mail Queues
When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, held, and corrupt.
The incoming message queue holds the new mail that has been received. Each message is identified with a unique file name. Messages are moved to the active queue when there is room. If there are no problems, message move through this queue very quickly.
The active message queue holds messages that are ready to be sent. The MTA sets a limit to the number of messages that can be in the active queue at any one time. From here, messages are moved to and from the anti-virus and anti-spam filters before being delivered to another queue.
Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails. The message is bounced back to the original sender. The default for the bounce queue lifetime is five days.
The held message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the held queue.
The corrupt queue stores damaged unreadable messages.
Change the Bounce Queue Lifetime
-
The MTA server’s bounce queue lifetime is set for five days. To change the default queue lifetime setting
zmlocalconfig -e bounce_queue_lifetime={#}
-
To permanently have messages bounced back to the sender, instead of being sent to the deferred queue first
zmlocalconfig -e zimbraLmtpPermanentFailureWhenOverQuota=TRUE
Notifying Senders of Bounced Messages
Before the bounce queue lifetime sends the message back to the sender, senders can be notified that the message they sent is in the deferred queue and has not been delivered.
Configure the following attributes to send a warning message to the sender.
-
Configure the time after which the sender receives the message headers of email that is still queued.
zmlocalconfig -c postfix_delay_warning_time=0h
-
Configure the recipient of postmaster notifications with the message headers of mail that the MTA did not deliver.
zmlocalconfig -c postfix_bounce_notice_recipient=postmaster
-
Configure the list of error classes that are reported to the postmaster.
zmlocalconfig -c postfix_notify_classes=resource,software
See Postfix documentation for details on the impact of changes to these Postfix attributes. |
You can monitor the mail queues for delivery problems from the Administration Console.
Viewing Mail Queues
- Admin Console:
-
Home → Monitor → Mail Queues
If you are having problems with mail delivery, you can view the mail queues from the Mail Queues page in the Administration Console to see if you can fix the mail delivery problem. When you open mail queues, the content of the deferred, incoming, active, hold, and corrupt queues at that point in time can be viewed. You can view the number of messages and where they are coming from and going to.
For each queue, the Summary pane shows a summary of messages by receiver domain, origin IP, sender domain, receiver address, sender address, and for the deferred queue, by error type. You can select any of the summaries to see detailed envelope information by message in the Messages pane.
The Messages pane displays individual message envelope information for search filters selected from the Summary pane.
The following mailbox queue functions can be performed for all the messages in a queue:
-
Hold to select a set of messages that you want to hold. Incoming, active,deferred, and corrupt messages can be moved to the Held queue. Messages stay in this queue until the administrator moves them.
-
Release to remove all message from the Held queue. Messages are moved to the Deferred queue.
-
Requeue all messages in the queue being viewed. Requeuing messages can be used to send messages that were deferred because of a configuration problem that has been fixed. Messages are re-evaluated and earlier penalties are forgotten.
-
Delete all messages in the queue being viewed.
The Zimbra MTA, Postfix queue file IDs are reused. If you requeue or delete a message, note the message envelope information, not the queue ID. It is possible that when you refresh the mail queues, the queue ID could be used on a different message.
Flushing Message Queues
You can flush the server of all messages. When you click Flush on the Mail Queue toolbar, delivery is immediately attempted for all messages in the Deferred, Incoming and Active queues.
Monitoring Mailbox Quotas
Mailbox quotas apply to email messages, attachments, calendar appointments, and tasks in a user’s account. When an account quota is reached, all mail messages are rejected. Users must delete mail from their account to get below their quota limit - this includes emptying their Trash, or you can increase their quota.
Viewing Quota
You can check mailbox quotas for individual accounts from Server Statistics on the Administration Console. Mailbox Quota gives you an instant view of the Mailbox Size and Quota Used information for each account.
- Admin Console:
-
Home → Monitor → Server Statistics
-
Select the server for which you want to view statistics.
-
In the Navigation pane, select Mailbox Quota. The Mailbox Quota page displays with the following information:
-
Quota column shows the mailbox quota allocated to the account. Quotas are configured either in the COS or by account.
-
Mailbox Size column shows the disk space used.
-
Quota Used column shows what percentage of quota is used.
-
Increase or Decrease Quota
From a COS or Account, you can configure a quota threshold that, when reached, sends a message alerting users that they are about to reach their mailbox quota.
- Admin Console:
-
Home → Configure → Class of Service → COS → Advanced
Home → Manage → Accounts → account → Advanced
-
Scroll down to the Quota section.
-
Modify the quota settings.
-
Click Save.
Viewing MobileSync Statistics
The MobileSync Statistics page in the Monitor section in the admin console displays the number of currently connected ActiveSync devices that are on the Zimbra Collaboration system.
Monitoring Authentication Failures
To protect against dictionary-based and distributed attacks, you can
configure the zmauditwatch
. The script attempts to detect more advanced
attacks by looking at where the authentication failures are coming from and
how frequently they are happening for all accounts on a Zimbra mailbox
server and sends an email alert to the administrator’s mailbox.
The types of authentication failures checked include:
-
IP/Account hash check — The default is to send an email alert if 10authenticating failures from an IP/account combination occur within a 60 second window.
-
Account check — The default is to send an email alert if 15 authentication failures from any IP address occur within a 60 second window. This check attempts to detect a distributed hijack based attack on a single account.
-
IP check — The default is to send an email alert if 20 authentication failures to any account occur within a 60 second window. This check attempts to detect a single host based attack across multiple accounts.
-
Total authentication failure check — The default is to send an email alert if1000 auth failures from any IP address to any account occurs within 60 seconds. The default should be modified to be 1% of the active accounts on the mailbox server.
The default values that trigger an email alert are changed in the following
zmlocalconfig
parameters:
-
IP/Account value, change
zimbra_swatch_ipacct_threshold
-
Account check, change
zimbra_swatch_acct_threshold
-
IP check, change
zimbra_swatch_ip_threshold
-
Total authentication failure check, change
zimbra_swatch_total_threshold
Configure zimbra_swatch_notice_user
with the email address that should
receive the alerts.
Viewing Log Files
Zimbra Collaboration logs its activities and errors to a combination of system logs through the syslog daemon as well as Zimbra specific logs on the local file system. The logs described below are the primary logs that are used for analysis and troubleshooting.
Local logs containing Zimbra Collaboration activity are in the /opt/zimbra/log
directory.
-
audit.log — This log contains authentication activity of users and administrators and login failures. In addition, it logs admin activity to be able to track configuration changes.
-
clamd.log — This log contains activity from the anti-virus application clamd.
-
freshclam.log — This log contains log information related to the updating of the clamd virus definitions.
-
mailbox.log — This log is a mailboxd log4j server log containing the logs from the mailbox server. This includes the mailbox store, LMTP server, IMAP and POP servers, and Index server.
-
myslow.log — This slow query log consists of all SQL statements from the mailbox server that took more then
long_query_time
seconds to execute.long_query_time
is defined in/opt/zimbra/conf/my.cnf
. -
spamtrain.log — This log contains output from
zmtrainsa
during regularly scheduled executions from the cron. -
sync.log — This log contains information about Zimbra Collaboration mobilesync operations.
Other logs include:
-
/opt/zimbra/jetty/logs/ — This is where Jetty-specific activity is logged.
-
/opt/zimbra/db/data/<hostname>.err — This is the message store database error log.
-
/opt/zimbra/logger/db/data/<hostname>.err — This is the Logger database error log.
Zimbra Collaboration activity logged to System syslog
-
/var/log/zimbra.log — The Zimbra syslog details the activities of the ZimbraMTA (Postfix, amavisd, anti-spam, anti-virus), Logger, Authentication (cyrus-sasl), and Directory (OpenLDAP). By default LDAP activity is logged to
zimbra.log
.
Syslog
Zimbra Collaboration modifies the systems syslog daemon to capture data from the mail and
local syslog facility to /var/log/zimbra.log
. This allows syslogd to
capture data from several Zimbra Collaboration components including
Postfix, Amavis, ClamAV, mailboxd, zmconfigd, and logger. The SNMP module
uses the data from the log file to generate traps for critical errors. The
zmlogger daemon also collects a subset of the data in this file to provide
statistics on the utilization of Zimbra Collaboration via the
Administration Console.
By default, mailboxd is configured to log its output to
/opt/zimbra/log/mailbox.log
. You can enable mailboxd to take advantage
of a centralized syslogd infrastructure by enabling the following either
globally or by server:
zmprov mcf zimbraLogToSysLog TRUE
Using log4j to Configure Logging
The Zimbra Collaboration server uses log4j
, a Java logging package as the
log manager. By default, the Zimbra Collaboration server has log4j
configured to log to the local file system. You can configure log4j
to
direct output to another location. Go to the
Log4j website for information about
using log4j
.
Zimbra does not check the log4j changes. To remove all account loggers and
reloads in /opt/zimbra/conf/log4j.properties
, use the zmprov
resetAllLoggers
command.
Logging Levels
The default logging level is set to include logs that are generated for INFO, WARNING, ERROR and FATAL. When problems start to occur, you can turn on the DEBUG or TRACE log levels.
To change the logging levels, edit the log4j
properties,
log4j.properties
, log4j.logger.zimbra
.
When enabling DEBUG, you can specify a specific category to debug. For
example, to see debug details for POP activity, you would type
logger.zimbra.pop=DEBUG
.
The following categories are predefined in log4j
:
|
Account operations |
|
ACL operations |
|
Backup and restore |
|
Inmemory cache operations |
|
Calendar operations |
|
DAV operations |
|
Database connection tracing |
|
Server extension loading |
|
Mail filtering |
|
GAL operations |
|
IMAP protocol operations |
|
Index operations |
|
Filesystem operations |
|
LDAP operations |
|
LMTP operations (incoming mail) |
|
General mailbox operations |
|
Miscellaneous |
|
Changes to mailbox state |
|
POP protocol operations |
|
Redo log operations |
|
Security events |
|
User session tracking |
|
SMTP operations (outgoing mail) |
|
SOAP protocol |
|
SQL tracing |
|
Mail store disk operations |
|
Sync client operations |
|
Startup/shutdown and other system messages |
|
Wiki operations |
|
Zimlet operations |
Changes to the log level take affect immediately. |
Level | Local? | Syslog | SNMP Trap | When Used |
---|---|---|---|---|
FATAL |
Y |
Y |
Y |
Designates very severe error events that the application to abort or impact a large number of users. For example, being unable to contact the MariaDB database. |
ERROR |
Y |
Y |
N |
Designates error events that might still allow the application to continue running or impact a single user. For example, a single mailbox having a corrupt index or being unable to delete a message from a mailbox. |
WARN |
Y |
N |
N |
Designates potentially harmful situations but are usually recoverable or can be ignored. For example, user log in failed. |
INFO |
Y |
N |
N |
Designates information messages that highlight the progress of the application, basic transaction-level logging. For example, server start-ups, mailbox creation/deletion, account creation. |
DEBUG |
Y |
N |
N |
Events that would generally be useful to help a customer debug problems. |
(*) A few non-critical messages such, as service startup messages, will generate traps.
Protocol Trace
Protocol trace is available in the following logging categories:
zimbra.smtp zimbra.lmtp zimbra.soap zimbra.imap zimbra.imap-client zimbra.pop zimbra.pop-client
Reviewing mailbox.log Records
The mailbox.log
file contains every action taken on the mailbox server,
including authentication sessions, LMTP, POP3, and IMAP servers, and Index
server. Review the mailbox.log
to find information about the health of
your server and to help identify problems.
mailbox.log
records valid and invalid login attempts, account activity
such as opening email, deleting items, creating items, indexing of new
mail, server activities including start and stop. The progress of an
activity on the mail server is logged as INFO. If the expected results of
the activity fails and errors occurs, an exception is written to the log.
You can set up logging options for a single account in order to trace
account activity for one user without filling up mailbox.log with log
messages for unrelated accounts. See Command-Line
Utilities, the zmprov
miscellaneous section.
Log pattern
by default log entries in mailbox.log
have the following Log4j pattern:
%d %-5p [%t] [%z] %c{1} - %m%n
This pattern consists of 6 blocks of data:
-
Date and time (e.g.:
2021-01-22 19:23:07,100
) -
Log level (e.g.
INFO
) -
Thread name (e.g.
[qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest]
,[Index-9]
, etc.) -
Zimbra Collaboration context
-
Component name (e.g.
soap
,mailbox
,mbxmgr
, etc.) -
Log message. Note: the log message section may span multiple lines. When a log message contains an exception, the stack trace will always start on a new line below the error message.
You can read more about Log4j patterns in Log4j PatternLayout documentation.
Thread name in mailbox.log
Thread names in mailbox.log are prefixed to identify internal components. Most threads have one of the following naming convention: "{thread prefix}-{thread number}" or "{thread prefix}-{thread number}:{url}".
The following {thread prefix} values are currently used for thread names in Zimbra Collaboration: btpool
, pool
, LmtpServer
, ImapServer
,ImapSSLServer
, Pop3Server
, Pop3SSLServer
, ScheduledTask
, Timer
, AnonymousIoService
, CloudRoutingReaderThread
, GC
, SocketAcceptor
, Thread
, qtp
.
Threads with prefix qtp
are created by Jetty QueuedThreadPool
and have the following naming convention: "qtp{hash code}-{thread number}:{url}" where {hash code}` is the hash code value of the instance of QueuedThreadPool
that owns the thread (see Object::hashCode in Java platform documentation).
{thread number} in thread names is an integer that monotonically increases within each thread factory. Thread numbers are reset when mailboxd
process is stopped or restarted.
Log records reported by threads that serve SOAP requests will usually contain URL of the request being served in {url} part of thread name, as in the following example:
Due to a known bug in Zimbra Collaboration {url} part of the thread name may contain duplicate protocol identifier, as in the following example:
[qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest]
Zimbra Collaboration Context in mailbox.log
[%z]
section in the log pattern describes Zimbra Collaboration context and consists of key-value pairs in the format key=value
, separated by semi-colons (;). In cases where a value contains a semi-colon, the semi-colon is replaced with a double semi-colon (;;). E.g., browser UserAgent strings often include semi-colons, such as this one "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36". In mailbox.log, this UserAgent string will appear as following:
The following key value pairs are currently supported and may be recorded in log entries in any order and any combination:
-
ip
— IP of the TCP/IP client making a request -
oip
— originating IP address. When a request is made through NGINX proxy, this value will contain the IP address of the client application, whileip
value will contain the IP address of the proxy server -
cid
— connection id of a server that is monotonically increasing - useful for tracking individual connections -
id
— ID of the target account -
name
— name of the target account (email address) -
aid
— ID of the authenticated account. Only present if target account is different then authenticated account -
aname
— name of the authenticated account. Only present if target account is different then authenticated account -
mid
— ID of requested mailbox. Only present if request is dealing with a mailbox -
ua
— name of the client application (i.e. User Agent) -
via
— list of IP addresses and user-agents of the request’s proxy chain -
soapId
— ID assigned to a SOAP request to track proxied hops for a particular request -
msgid
— value of Message-ID header of the message being operated on -
ds
— name of the Data Source being operated on -
port
— server port to which the client connected -
oport
— originating port number of request -
oproto
— originating protocol of request. This can be passed by internal components that make SOAP requests on behalf of a user (e.g. MTA)
The example below is a record showing that
on October 25, 2021, 28 minutes after midnight, a POP3 client with IP address 222.173.186.17
has contacted the Zimbra Collaboration server and that the request was proxied through a local proxy server with IP 10.1.1.136
.
The following example shows a record of a failed IMAP STATUS
request sent by user1@mydomain.com
using AquaMail mobile app. The user’s device has IP address 72.83.144.255
(as reported in oip
field). The request came to IMAP server via Zimbra Collaboration nginx proxy, which has IP address 10.4.4.138
(as reported in ip
and via
fields).
The following example shows a record of LMTP server delivering a message. The IP address in this log message most likely belongs to Zimbra Collaboration MTA running on local network.
The next example shows a record of MailboxPurge
thread purging message with ID 462 from the mailbox of test@mydomain.net
. This log message does not have ip
, oip
, port
or via
fields, because it originates from an internal process rather than from an external request.
Handler Exceptions and Stack Traces
If an error occurs during the progress of an activity, a handler exception is added to the end of the log record to notify you that an event occurred during the execution of the process that disrupted the normal flow. This signals that some type of error was detected.
007-06-25 00:00:10,379 INFO [btpool0-1064] [name=nriers@example.com;mid=228;ip=10.2.3.4;ua=zimbra Desktop/0.38;] SoapEngine - handler exception
Sometimes a stack trace is displayed after the exceptions notification. A stack trace reports the threads and monitors in Zimbra’s mailboxd service. This information aids in debugging, because the trace shows where the error occurred. The last few entries in the stack often indicate the origin of the problem. When the caused by descriptor is included in the log line, this is the root of the error. In the example below, the error was caused by 501, bad address syntax.
com.example.cs.mailbox.MailServiceException: Invalid address: Jon R
at com.example.cs.mailbox.MailServiceException.internal_SEND_FAILURE (MailServiceException.java:412)
at com.example.cs.mailbox.MailServiceException.SEND_ABORTED_ADDRESS_FAILURE MailServiceException.java:416)
...
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: com.example.cs.mailbox.MailSender$SafeSendFailedException: 501 Bad address syntax; chained exception is: com.sun.mail.smtp.SMTPAddressFailedException: 501 Bad address syntax
at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1196)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:584)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:98)
at com.example.cs.mailbox.MailSender.sendMessage(MailSender.java:409)
at com.example.cs.mailbox.MailSender.sendMimeMessage(MailSender.java:262)
... 30 more
Mailbox log files
The mailbox.log
files rotate daily. The mailbox log files are saved in
/opt/zimbra/log
. Previous mailbox.log
file names include the date the
file was made. The log without a date is the current log file. You can
back up and remove these files.
Troubleshooting Mail Problems
To review the mailbox.log
for errors, search for the email address or the
service that is experiencing the problem. Also, search for WARN or ERROR
log levels, read the text of the message. When you find the error, review
the records, tracing the events that happened before the problem was
recorded.
System Crashing
When your system crashes, locate the startup message and then look for errors before the startup message date. This example shows an out-of-memory error on June 17, 2021.
2021-06-25 01:56:18,725 INFO [main] [] soap - Servlet SoapServlet starting up
Look for errors before the startup message.
2021-06-17 20:11:34,194 FATAL [btpool0-3335] [name=samd@example.com;aname=abcadmin@example.com;mid=142;ip=10.3.4.5;ua=zimbraConnectorForBES/5.0.207;] system - handler exception java.lang.OutOfMemoryError: PermGen space
Mail Delivery Problem
Locate the "LmtpServer" service. This example includes a stack trace report with a caused by explanation that the recipient address was rejected as the address must be a fully-qualified address.
2021-06-25 10:47:43,008 INFO [LmtpServer-250]
[name=bigen@example.com;mid=30;msgid=<1291804360.35481182793659172.JavaMail.root@example.com>;] lmtp - rejecting message bigen@example.com: exception occurred
com.zimbra.cs.mailbox.MailServiceException: redirect to too failed
at com.zimbra.cs.mailbox.MailServiceException.internal_SEND_FAILURE (MailServiceException.java:412)
at com.zimbra.cs.mailbox.MailServiceException.SEND_FAILURE(MailServiceException.java:424)
at com.zimbra.cs.filter.zimbraMailAdapter.executeActions(zimbraMailAdapter.java:286)
at org.apache.jsieve.SieveFactory.evaluate(SieveFactory.java:151)
at com.zimbra.cs.filter.RuleManager.applyRules(RuleManager.java:177)
at com.zimbra.cs.lmtpserver.zimbraLmtpBackend.deliverMessageToLocalMailboxes(zimbraLmtpBackend.java:325)
at com.zimbra.cs.lmtpserver.zimbraLmtpBackend.deliver(zimbraLmtpBackend.java:140)
at com.zimbra.cs.lmtpserver.LmtpHandler.doDATA(LmtpHandler.java:441)
at com.zimbra.cs.lmtpserver.LmtpHandler.processCommand(LmtpHandler.java:205)
at com.zimbra.cs.tcpserver.ProtocolHandler.processConnection(ProtocolHandler.java:231)
at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:198)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:619)
Caused by:
com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: 504 <too>: Recipient address rejected: need fully-qualified address ;
chained exception is: com.sun.mail.smtp.SMTPAddressFailedException: 504 <too>: Recipient address rejected: need fully-qualified address
at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1196)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:584)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:120)
at com.zimbra.cs.filter.zimbraMailAdapter.executeActions(zimbraMailAdapter.java:281)
... 10 more
Account Error - Login error
mailbox.log
logs any successful or unsuccessful login attempts from IMAP,
POP3 or ZWC. When you are looking for a login error, start by looking for
"Auth." This example shows that someone from IP address 10.4.5.6 was
trying to log in as admin on the Zimbra Classic Web App, using Firefox in a
Windows OS. Permission was denied because it was not an admin account.
2021-06-25 09:16:11,483 INFO [btpool0-251] [ip=10.4.5.6;ua=zimbraWebClient - FFX.X (Win);] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: permission denied: not an admin account
at com.zimbra.common.service.ServiceException.PERM_DENIED(ServiceException.java:205)
at com.zimbra.cs.service.admin.Auth.handle(Auth.java:103)
Account Errors - IMAP or POP related
When you are looking for a log because of an IMAP or POP issue, look for "ImapServer/Pop3Server." This example shows a fatal IMAP server error occurred while trying to connect siress@example.com.
mailbox.log.2021-06-19:2021-06-19 15:33:56,832 FATAL [ImapServer-2444] [name=sires@example.com;ip=127.0.0.1;] system - Fatal error occurred while handling connection
Reading a Message Header
Each email message includes a header that shows the path of an email from its origin to destination. This information is used to trace a message’s route when there is a problem with the message. The Zimbra email message header can be viewed from the Zimbra Classic Web App Message view. Right-click on a message and select Show Original.
The following lines are in the message header:
-
Date — The date and time the message was sent. When you specify time, you can specify range by adding start and stop time to search for messages.
-
From — The name of the sender and the email address
-
To — The name of the recipient and the email address. Indicates primary recipients.
-
Message-ID — Unique number used for tracing mail routing
-
In-Reply-To — Message ID of the message that is a reply to. Used to link related messages together.
-
Received: from — The name and IP address the message was sent from. The header displays Received: from information from the MTA to the LMTP and from the local host.
Fixing Corrupted Mailbox Index
Mail messages and attachments are automatically indexed before messages are deposited in a mailbox. Each mailbox has an index file associated with it. This index file is required to retrieve search results from the mailbox.
If a mailbox’s index file becomes corrupt or is accidentally deleted, you can re-index the messages in the mailbox from the Administration Console.
Text searches on an account might or might not fail with errors when the index is corrupt. You cannot count on a user reporting a failed text search to identify that the index is corrupt. You must monitor the index log for messages about corrupt indexes. If the server detects a corrupt index, a message is logged to the Zimbra mailbox.log at the WARN logging level. The message starts with Possibly corrupt index. When this message is displayed, the administrator must correct the problem. In many cases correcting the problem might mean reindexing the mailbox.
Reindexing a mailbox’s content can take some time, depending on the number of messages in the mailbox. Users can still access their mailbox while reindexing is running, but because searches cannot return results for messages that are not indexed, searches may not find all results.
Checking for Index Corruption
Run a sanity check on a specific mailbox index using the zmprov
verifyIndex
command.
zmprov verifyIndex <user@example.com>
If problems are detected, a failure status is returned and a repair can be performed on the index.
Repairing and Reindexing a Corrupt Index
Use the reIndexMailbox
command to repair and reindex a corrupt index.
zmprov reIndexMailbox <user@example.com> start
This returns a status of started.
SNMP Monitoring and Configuration
SNMP Monitoring Tools
You will probably want to implement server monitoring software in order to monitor system logs, CPU and disk usage, and other runtime information.
Zimbra Collaboration uses swatch to watch the syslog output to generate SNMP traps.
SNMP Configuration
Zimbra Collaboration includes an installer package with SNMP monitoring. This package should be run on every server (Zimbra Collaboration, OpenLDAP, and Postfix) that is part of the Zimbra Collaboration configuration.
The only SNMP configuration is the destination host to which traps should be sent.
Errors Generating SNMP Traps
The Zimbra Collaboration error message generates SNMP traps when a service is stopped or is started. You can capture these messages using third-party SNMP monitoring software and direct selected messages to a pager or other alert system.
Checking MariaDB
The MariaDB database is automatically checked weekly to verify the health of the database. This check takes about an hour. If any errors are found, a report is sent to the administrator’s account. The report name that runs the MariaDB check is zmbintegrityreport, and the crontab is automatically configured to run this report once a week.
When the MariaDB database is checked, running this report can consume a significant amount of I/O. This should not present a problem, but if you find that running this report does affect your operation, you can change the frequency with which zmbintegrityreport is run. See Zimbra Crontab Jobs. |
Checking for Zimbra Collaboration Software Updates
When Zimbra Collaboration is installed, the Zimbra Collaboration software update utility is automatically configured to check for the latest Zimbra Collaboration version once a day and if there is an update, to send notification to the address that is configured in the Administration Console’s Server Updates.
The dates and times Zimbra Collaboration checked for updates is saved to the Updates tab and an email notification is sent out until you update the Zimbra version. If you do not want to receive an email notification of updates, disable Send notification email when updates are available.
You can configure the following:
-
Server that checks for updates — Available servers are listed and only one server is configured. The selected server checks for updates and the result of the update response from www.zimbra.com is stored in LDAP.
-
Check for updates every x — The default is to check once a day. You can change the frequency interval to check every x hours, minutes, or seconds. A cron job is configured to check for new updates. If the frequency interval is less than 2 hours, the crontab file must be modified.
-
Updates URL — This address is the URL that the server connects to when checking for updates. When a Zimbra Collaboration server checks for updates, it transmits its version, platform, and build number to Zimbra. Normally, this URL is not changed.
-
To be notified of updates, check the Send notification email when updates are available and enter the send to and send from addresses. The default address is the administrator’s address.
-
A generic email is created. The subject and content of the email can be changed.
-
When a server polls the URL specified, the response is displayed.
Updating Zimbra Connector for Microsoft Outlook
The Zimbra Connector for Microsoft Outlook (ZCO) msi file is available from
the Zimbra Utilities Downloads page on the Administration Console. When a
newer version of ZCO is released before a new version of Zimbra, you can
upload the newer ZCO msi file to the Zimbra server from the Administration
Console. The file is uploaded to the
/opt/zimbra/jetty/webapps/zimbra/downloads
folder.
- Admin Console:
-
Home → Tools and Migration → Client Upload
-
Download the new ZCO file to a computer that you can access from Client Upload in the Administration Console
-
Click Browse to locate the ZCO file to upload.
-
Restart Zimbra:
zmcontrol restart
or run
/opt/zimbra/libexec/zmupdatedownload
-
The downloads/index.html
file is updated with the latest ZCO client
version. This new file can be downloaded from the ZCO link on the
Administration Console Home → Tools and Migration → Download page.
If you do not restart the server, the ZCO download link on the Zimbra Utilities Download page does not select the newer version to download. |
Notifications and Alerts Sent by Zimbra Collaboration
Service status change notification
This notification is sent when service are stopped or restarted.
Server Start Notification Message
Subject: Service <service_name> started on <zimbra_host> Service status change: <zimbra_host> <service> changed from stopped to running
Server Stop Notification Message
Subject: Service <service_name> stopped on <zimbra_host> Service status change: <zimbra_host> <service> changed from running to stopped
Disk usage notification
A warning alert email notification is sent to the admin account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%
Subject: Disk <volume> at ##% on <zimbra_host> Disk warning: <zimbra_host> <volume> on device <device_name> at ##%
Duplicate mysqld processes running notification
A script is executed to see if mysqld process is running to detect cases where corruption is likely to be caused. An email is generated if it finds more than 1 mysqld process running.
Subject: ZCS: Duplicate mysqld processes detected! PID:$pid PPID:$ppid PGRP:$pgrp CMD: $cmdline More then $maxcnt mysqld processes are running Parent processes include: $procs This should be investigated immediately as it may lead to database corruption
SSL certificates expiration notification
A report runs on the first of each month and warns of certificates expiring with the next 30 days.
Subject: ZCS: SSL Certificates approaching expiration! The Administration Console and CLI Certificate Tools guide provides instructions on how to replace you self-signed or commercial certificate. https://wiki.zimbra.com/index.php?title=Administration_Console_and_CLI_Certificate_Tools SSL Certificate expiration checked with $0 on <zimbra_host>.
Daily report notification
When the logger package is installed, a daily mail report is automatically scheduled in the crontab. The report is sent daily to the administrator’s mailbox.
Subject: Daily mail report for <day> <daily report data>
Database integrity check notification
The MariaDB database can be checked by running the zmdbintegrityreport automatically scheduled in the crontab to run on a weekly basis. A report is sent to the administrator’s mailbox.
Subject: Database Integrity check report for <zimbra_host> Generating report can't run $cmd: $! Database errors found. $cmd --password=XXXXXXXX <cmd output> No errors found command failed $!
Backup completion notification
When configuring the type of backups that should be run, you can set up to receive notification about the results of a backup session.
Subject: ZCS BackupReport:SUCCESS Server: <server> Type: incremental Status: completed Started: Fri, 2021/07/13 01:00:05.488 PDT Ended: Fri, 2021/07/13 01:10:09.842 PDT Redo log sequence range: 2 .. 2 Number of accounts: 500
Archiving and Discovery
Zimbra Archiving and Discovery is an optional feature that enables archiving of messages that were delivered to or sent by Zimbra Collaboration and to search across mailboxes.
The installation of the archiving feature provides the Zimbra Collaboration discovery tool (also known as cross mailbox search) and sets the attributes that allow archiving to be enabled on the Zimbra MTAs.
Archiving is configured on a per account basis. Each account enabled for archiving requires a Zimbra archive license. When archiving is enabled for an account, a copy of all email from or to that account is forked at the MTA and a copy of the message is delivered to a predefined archive mailbox. The archiving process is transparent to account users.
Discovery allows you to conduct a search for email messages across live and archived mailboxes and copy the results to a specified mailbox.
How Archiving Works
When a message is sent or received by a user, the message is always routed through the Postfix MTA. The Postfix MTA allows integrating software that can perform actions on messages that are in flight. When archiving is enabled for the sender or the recipient of messages, Zimbra Archiving integrates with an MTA hook and the Amavisd-New utility to fork a copy of the message.
The “does recipient or sender have archiving enabled” check is performed on the SMTP standard envelope and not on the From or To/Cc headers. Since checks are performed on the envelope, Bcc copies and messages sent to distribution lists are captured.
For example, if User A sends a message to User B, and if User B has archiving enabled, the MTA delivers two messages — one to User B’s mailbox and one to User B’s archive mailbox. The message received in User B’s mailbox looks normal, as shown in the following example:
Received: from localhost (localhost.localdomain [127.0.0.1])… From: userA@example.com To:userB@example.com Subject: New License Key Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom> Date: Mon, 04 Nov 2021 23:48:18 -0000 Hi B, Can you send me the license key for the software again? Thanks, A
The message received in User B’s archive mailbox contains additional X-Envelope-From and X-Envelope-To headers. These headers show the real email address the message was sent from and each of the email addresses that the message was sent to.
Received: from localhost (localhost.localdomain [127.0.0.1])… From: userA@example.com To:userB@example.com Subject: New License Key Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom> X-Envelope-From: userA@example.com X-Envelope-To: userB@example.com Date: Mon, 04 Nov 2021 23:48:18 -0000 Hi B, Can you send me the license key for the software again? Thanks, A
Zimbra archiving can be set up to create archiving accounts that are maintained within Zimbra Collaboration or to work with third-party archiving systems using SMTP forwarding to send messages to a third-party archive server. For third-party archiving, Zimbra Collaboration is configured to act as the forwarding agent.
How Discovery Works
The discovery feature of Archiving and Discovery is used to search across live* and archive mailboxes for email messages and attachments. The discovery tool can be run from the Administration Console and the results are copied to a target mailbox that you specify.
* A live mailbox is an account on the system other than archive accounts and system accounts.
You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. You can also create queries to search by name, dates and time ranges, distribution list, aliases.
Search results are placed in a target mailbox. You can organize your search results by creating different target mailboxes or by creating individual folders within a target mailbox for each search you run. X-zimbra-Source header information is added to each message header that is copied to the targeted mailbox. This header label includes the account ID, the account name, and the server that the account resides on.
You can see the results of the search by logging on to the target mailbox address.
Installing the Archiving Package
You can install the archiving package on an existing single-server deployment or on a multi-server deployment.
If the mailbox server and the MTA server reside on the same node, you
configure and enable archiving as a single process. If your mailbox and MTA
servers are on separate nodes, the zimbra-archive
package is installed
first on at least one mailbox server and then the archiving component is
enabled on each MTA in the deployment.
Installing zimbra-archiving
in a Single-Server Environment
The following scenario assumes that the LDAP, MTA, mailstore and archiving servers are on the same node.
-
Refer to the Zimbra Collaboration Single Server Installation Guide to open an SSH connection to the Zimbra Collaboration server. Log on to the server as root and run the
./install.sh
command to begin the upgrade process. -
Accept the license agreement and type Yes to run the upgrade.
-
Type Yes for
zimbra-archiving
when presented with the packages to be installed.
The upgrade process begins and the archiving package is installed. At this point, the Discovery feature is installed and can be used.
To enable archiving, switch to the zimbra user and enable archiving on the MTA server.
zmprov ms <zmhostname> +zimbraServiceEnabled archiving
Restart the server.
zmcontrol restart
Installing zimbra-archiving
in a Multi-Server Environment
The following upgrade scenario is adding a new server that is dedicated as an archiving server to your Zimbra Collaboration environment.
Before beginning the install process, record the following information.
You need this information when you install the archiving server. Run the
zmlocalconfig -s
command to find the information.
LDAP Admin Password _____________________ LDAP Hostname _____________________ LDAP Port _____________________
Refer to the Multiple-Server Installation chapter in the Zimbra Collaboration Multi-Server Installation guide for detailed steps on installing the packages.
-
Open an SSH connection to the mailbox server that is being configured for archiving. Log on to the server as root and unpack the Zimbra software. Run the
./install.sh
command to begin the install process. -
Type y and press Enter to install the following packages:
-
zimbra-store
-
zimbra-archiving
The
zimbra-core
package is installed by default.
-
-
Type y and press Enter to modify the system.
-
The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu, type x and press Enter.
-
Select the Common Configuration menu and configure the LDAP Hostname, LDAP password, and LDAP port.
-
Select the zimbra-store menu and configure the Admin password and the License file location.
Complete the installation process following the steps in the Multi-server Installation guide, under Installing Zimbra Mailbox Server.
At this point, the Discovery feature is installed and can be used.
Manage Archiving From the Administration Console
After Archiving is installed, you can set up archiving and manage it from the Administration Console.
Enable Archiving
- Admin Console:
-
Home → Configure → Global Settings → MTA, from Archiving Configuration check Enable archiving
Restart Zimbra from the command line
zmcontrol restart
Creating a Dedicated Archive COS
You can configure attributes in the COS to set mailbox features, quotas, and passwords, turn off spam and virus checks, and hide the archive accounts from GAL.
- Admin Console:
-
Home → Configure → Class of Service, from the Gear icon select New
-
Change Features and Preferences as required for an Archiving COS.
-
If you have a dedicated archive server, in the Server Pool page, deselect the archiver server from the list. In a multi-server deployment with a dedicated archive server, the server should be removed from the COS server pool so that the archive server is not randomly assigned to new accounts.
These steps to remove the server from the server pool are not done in a single-server deployment. Creating a dedicated archiving COS is a good idea as this makes it easy to create archive mailboxes that are configured the same. -
Modify the options on the Advanced page if required.
-
In the Archiving page, check the Enable archiving box to make this COS an archiving cos.
-
If you want to change the format for the naming scheme for archive accounts, modify the two template fields. See the Setting Up an Archive Account Name section for more information.
-
Click Finish.
-
Setting Up an Archive Account Name
You use attributes to create and manage the naming scheme for archive accounts. You can set up these attributes either by COS or by account. For COS, these attributes can be changed from the Administration Console, COS or individual account’s Archiving page.
-
Account date template. Sets the date format used in the name template. The default is
yyyyMMdd
. Adding the date to the account name makes it easier to roll off older data from the system to backups. -
Account name template. Sets up how the archive mailbox name is created. The default value is
${USER} ${DATE}@${DOMAIN}.archive
.
The archive account address would be similar to the following example:
user-20210510@example.com.archive
If you change the default value, you must use syntax that creates a valid
email address. We recommend that you add .archive
to all archive accounts
to create archive mailboxes in a non-routable domain to prevent spoofing of
the archives.
When the template based on the zimbraArchiveAccountDateTemplate
attribute
is set up, amavisArchiveQuarantineAccount
is updated to the new template
name when zmconfigarchive
is run.
Administering the archive server
The amavisd-new
server process controls account archiving as well as
antivirus and anti-spam processes. The zmarchivectl
command can be used to
start, stop, restart or obtain the status of the amavisd-new
server process
that controls account archiving. Caution should be taken when starting or
stopping the archiving process as it is a shared server process between
archiving, antivirus, and anti-spam processes. Performing actions on any of
them affect any of the other services that may be enabled in your
deployment.
If you want to disable archiving but not antivirus or anti-spam services, disable the respective service either through the CLI or through the Administration Console.
Set Up Archiving for a Users Mailbox
Four attributes are related to the archive feature for accounts. Two that configure a mailbox and two template attributes to construct the archive account names.
To set up archiving for a mailbox two attributes are configured on the primary user’s mailbox. One attributed enables archiving and the second shows where messages are being archived.
-
Currently archived to — The current archive address. Archiving is to a single account. If this is unset, archiving is not enabled.
-
Archived accounts — Any previous and current archive addresses that this mailbox was archived to. containing all the accounts that have been archived for the given account.
Archive Mailboxes
You can create an archive mailbox with or without an assigned COS. You can also forward archive email to a third-party.
Accounts with archiving enabled are counted against the number of
Zimbra licenses purchased for archiving. Archive mailboxes are listed
in the Administration Console along with the live accounts. To see
current license information, go to the Administration Console: Home → Configure → Global Settings → License. |
Creating an archive mailbox and assigning a COS
Archive accounts are created based on the Zimbra Archive name templates.
-
The attribute —
zimbraIsSystemResource
— is added to the archive account and set to TRUE. -
The archive account is displayed in the Administration Console.
-
When a message is received in a mailbox with archiving enabled, a copy of the message is sent to the archive mailbox.
Log on as zimbra
, and use the zmarchiveconfig
command:
zmarchiveconfig enable <account@example.com> archive-cos <archive>
Creating an Archive Mailbox with No COS or Password
If the archive account is not assigned a COS, the following settings are set by default.
-
Mailbox quota is set to 0, unlimited quota.
-
Spam and virus checks are disabled.
-
Hide user in GAL is enabled, so the archive account does not display in the GAL
Log on as zimbra
, and use the zmarchiveconfig
command:
zmarchiveconfig enable <user@example.com>
Enabling Archive Forwarding to a Third-party Archiving Server
If the archive account is not maintained within Zimbra Collaboration, you do not need to set a password, COS, or other attributes.
Log on as zimbra
, and use the zmarchiveconfig
command:
zmarchiveconfig enable <account@example.com> \
archive-address account-archive@offsite.com \
archive-create false
Searching Across Mailboxes
When the archiving and discovery feature is installed, you can search across mailboxes either from the Administration Console or through the command line interface.
You do not need to have any archive mailboxes configured to search across mailboxes, but the Archive package must be installed. |
You can assign a user to run the mailbox searches from the Administration Console by creating a delegated administrator with rights to access the mailbox search tool.
Cross Mailbox Search from the Administration Console
The discovery tool, Search Mail, is added to Tools and Migration on the Navigation pane when the archiving package is added. To set up a cross-mailbox search you configure the following information.
- Admin Console:
-
Home → Tools and Migration → Search Mail, from the Gear icon select New
-
Server name. The server name to be searched.
-
Target mailbox and folders. One target mailbox and folder are created automatically. You can use this mailbox for all your search results and create new folders for each search, or you can create a new target mailbox for each separate search.
A target mailbox is like any other mailbox and can have any features or preferences that are defined by the COS or by account. Target mailboxes are listed in the Administration Console Accounts list. You might want to give the target mailboxes account names that identify them as target mailboxes for cross-mailbox searches and configure a COS specific for target mailboxes to be able to manage access.
-
Limit the number of messages returned by the search. The default is 500 results.
-
You can select to send an email notification when the search is completed. The email notification includes the search task ID and status on the subject line and you can specify the type of information to include in the message, such as the number of messages found, the list of addresses resulting from the search and the search query used.
-
Select which mailboxes to search. When you check Select accounts to search, you select which account addresses to search.
-
Create the search query. You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. Advanced can be used to quickly create a query to search by name, dates and time ranges, distribution list, aliases.
When searching archive messages, you can search by the envelope address using the envfrom and envto query language extensions.
-
As the search runs, the Search Mailbox Content pane lists the search and the status. Click Refresh to update this page.
Delete the search task when it is completed because it occupies server memory. When the server is restarted, past searches are deleted.
When you use the discovery feature in the Administration Console, the tool makes copies of messages in the target mailbox you create. The messages occupy server space, increasing the size of your server. You might want to delete these messages from the target mailbox when they are no longer needed.
Legal Requests for Information
The Legal Intercept feature makes copies of email messages sent, received, or saved as drafts from targeted accounts and sends these messages to a designated “shadow” email address.
Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.
Legal Intercept Settings
The Legal Intercept feature can be configured either for a Class of Service or an individual account.
The feature is configured from the CLI, using zmprov
.
The only required configuration to set up Legal Intercept is to enable the feature — zimbraInterceptAddress
— on target accounts or COS.
You can enable the attribute zimbraInterceptSendHeadersOnly
to send only the header information of the email message instead of sending the complete message.
Setting Up Legal Intercept
Specify the intercept address to receive intercepted messages.
-
If enabling intercept by COS:
zmprov mc <cosname> zimbraInterceptAddress <account@intercept.example.com>
-
If enabling Intercept for an account:
zmprov ma <accountname@example.com> zimbraInterceptAddress <account@intercept.example.com>
If you are going to use the default intercept message template and From address (postmaster@<yourdomain.com>`
), a Legal Intercept is set up.
Setting Up Legal Intercept to Forward the Message Header
To forward the header information, instead of the complete message for an account:
zmprov ma <accountname@example.com> zimbraInterceptSendHeadersOnly TRUE
Modifying the Intercept Cover Email Message
An email message is automatically created to forward copies of the intercepted messages as attachments. The default message includes:
-
From address is “postmaster@<yourdomain.com>”
-
Subject line “Intercept message for <account@yourdomain.com> <interceptedmessage subject>”
-
Message “Intercept message for <account@yourdomain.com>.
Operation=<type of message>, folder=<foldername>, folder ID=<#>”.
The cover email message can be modified. Use the following parameters to modify the email message.
ACCOUNT_DOMAIN |
Domain of the account being intercepted. |
ACCOUNT_ADDRESS |
Address being intercepted |
MESSAGE_SUBJECT |
Subject of the message being intercepted. |
OPERATION |
Operation that the user is performing, “add message”, “send message”, or “save draft”. |
FOLDER_NAME |
Name of the folder to which the message was saved. |
FOLDER_ID |
ID of the folder to which the message was saved. |
NEWLINE |
Used for formatting multi-line message bodies. |
Use steps in this section to change the from-name, the subject line, or text in the message body:
-
To change the From name:
zmprov ma <accountname@example.com> zimbraInterceptFrom '<newname@example.com>'
-
To change the text of the Subject line:
zmprov ma <accountname@example.com> zimbraInterceptSubject \ '<Intercepted message subject text> parameter <text> parameter'
-
To change the text in the message body:
zmprov ma <accountname@example.com> zimbraInterceptBody \ '<Intercepted message text> parameter <text> parameter'
To modify by COS, type zmprov mc {cosname} … .
|
Creating Mailbox Snapshots for Legal Discovery
You can create a query for the user’s mailbox using the REST URL format to search for specific types of email messages and attachments and have these messages zipped and saved to your computer.
This zip
file can be forwarded to a requesting law enforcement agency.
The email message appears as an .eml
file name after the subject line.
The attachments get saved in the format that they were delivered.
Creating a Mailbox Snapshot zip
File
You must be logged into the Zimbra Administration Console to create the zip
file. You create a query for one account at a time.
-
In the Administration Console address field of the browser, after the port number 7071/, type:
home/<username>?fmt=zip&query=<searchquerystring>
For example:
In the above example, the search query is requesting a
zip
file of all accounts calleduser1
.You can use any search operators supported for searching in Zimbra. For example, you can search by folder (
in:folder_name
), by sender’s name (from:<someone>
), and you can use multiple search terms. See the Search Tips wiki page for keyword examples, https://wiki.zimbra.com/wiki/Search_Tips. -
Press Enter or the arrow to create the zip. A Confirm box displays, asking if you want to navigate away from this page.
-
Click OK.
-
Choose where you want to save the
zip
file. Thiszip
file is ready to be delivered.
Color and Logo Management
You can change the logo and base colors of the Zimbra Classic Web App themes without having to customize individual Zimbra Collaboration themes. This can be done from the administration console or the CLI.
Changing Theme Color and Logos on the Zimbra Classic Web App
This sections deals with customizations related to Classic Web App. For customizations related to the Modern Web App, refer to Customizing Modern Web App |
Base colors for themes, and custom logos can be configured as a global setting or as a domain setting.
-
When the global settings are changed, the changes apply to themes on all servers.
-
When the domain settings are changed, the base color and logos for themes on the domain are changed.
If global settings and domain-level settings for theme base colors or logos are not identical, the domain values are displayed for the domain.
If the logo and base colors are customized in multi-domain Zimbra Collaboration environments, you must set a virtual host as the base color: logo attributes are displayed based on the Host header sent by the browser. |
Various themes are included with Zimbra Collaboration. Some of these themes - such as lemongrass, Hot Rod, and Waves - have been designed with graphics or color codes that do not change when you modify the base color. You might want to disable those themes from user’s Theme preferences selection. |
Customizing Base Theme Colors
The following base colors in Zimbra Classic Web App themes can be changed:
-
The primary background color displayed in the client. This color is the background of the page. Variants of the color are used for buttons, background color of the Content and panes, tabs, and selection highlight. In the following image, the background color displays with the logo, the variant of the background color displays in the login area.
-
The secondary color is the color used for the toolbar.
-
The selection color is the color displayed for a selected item such as a message or an item in the Overview pane.
-
The foreground color is the text color displayed. The default text color is black. The text color usually does not need to be changed.
Replacing the Classic Web App Logo
You can replace the logo with your company’s logo globally or per domain.
Graphics to Replace
The following logo files can be changed. Your logos must be the same size as specified here or the image might not display correctly. These graphic files can be saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.
-
Company logo that displays on the login and splash screens for Zimbra Classic Web App and the Zimbra Collaboration administration console. The dimension of the graphic must be exactly 300 x 30.
-
Small company logo in the upper-left of the Zimbra Classic Web App application and the administration console. The dimension of the graphic must be exactly 170 x 35.
-
Company Web address that links from the company logos.
Graphics not replaced
The icon that displays in the Advanced search toolbar and the favicon.ico
that displays in the URL browser address field cannot be changed at this time.
Using the Admin Console to Modify Theme Colors and Logo
On the administration console, the Global Settings and the Domains settings include a Themes page that can be configured to customize the color scheme and to add a company logo and logo URL. You upload your company logo to be used on the Zimbra Classic Web App and administration console pages.
Changing Base Theme Colors
You can either select colors from popup view of predefined colors, or enter the six-digit hexadecimal color value for an exact color match to set theme colors for the following categories:
-
Foreground, which is the text color.
-
Background, which is the primary background color displayed in the client.
-
Secondary, which is the color used for the toolbar and selection headers in the pane.
-
Selection, which is the color displayed for a selected item such as a message, right-click, or drop down menu selection.
Changes to theme settings require the server theme cache to be flushed. To flush a server, go to Home → Configure → Servers to get the list of servers. Right-click on a server and select Flush Cache from the popup menu. |
Use the Customize the theme colors container to set colors for your theme categories:
- Admin Console:
-
Home → Configure → Global Settings → Themes or
Home → Configure → Domains → domain → Themes-
Click on the field alongside the theme category to be modified, then use the popup color selector to define the color for your selection.
You can either click directly on a color, or use the entry field to write the hexadecimal value of the color. In either case, your selection will be displayed in the field. If you opt out of your color selections, click reset all theme colors to discard your settings.
-
Navigating away from this page results in query for save of the settings.
Click Yes (to save) or No (to discard your settings).
-
Adding Your Logo
You can replace the Zimbra Collaboration logo with your company’s logo globally or per domain from the appropriate Themes page. Your logos must be the same size as specified in the Graphics to Replace section or the images might not display correctly. The graphic files are saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.
When you configure the Customize the logo of the themes section in the Global Settings → Theme page, all fields in this section must be completed to display the graphics correctly. |
The Zimlet icon that displays in the Advanced search toolbar and the favicon.ico that displays in the URL browser address field are not changed.
Use the Customize the logo of the themes container to a logo to accompany the theme:
- Admin Console:
-
Home → Configure → Global Settings → Themes or
Home → Configure → Domains → domain → Themes
Option | Description |
---|---|
Logo URL of the themes |
The company web address to be linked from the logo. |
Application logo banner URL of the themes |
The company logo that displays on the login and splash screens for the Zimbra Classic Web App and admin console. the dimension of the graphic must be exactly 450x100. |
Application logo banner preview (200x35) |
The company logo in the upper-left of the Zimbra Classic Web App application and the administration console. the dimension of the graphics must be exactly 120x35. |
Login logo banner URL of the themes |
|
Login logo banner preview (440x60) |
Using the CLI to Change Theme Colors and Logo
To change the Zimbra Classic Web App theme base colors and logos, use the zmprov command. The following attributes are configured either as a global config setting or as a domain settings. Color values are entered as a six-digit hexadecimal codes.
Attribute | Description |
---|---|
|
The hex color value for the primary background color displayed in the client. |
|
The hex color value for the toolbar and selected tabs. |
|
The hex color value for the color of the selected item. |
|
The hex color value for the text. This usually does not need to be changed as the default is black. |
Changing base colors for themes
Before you begin, identify the six-digit hexadecimal base color values for the various elements you are changing. You will be using these in your command entries.
zmprov modifyConfig <attribute-name> [“#HEX_6digit_colorcode”]
zmprov modifyDomain <domain> <attribute-name> [“#HEX_6digit_colorcode”]
Modifying a domain
The example in this section demonstrates how to change to the following base colors:
-
Background color = Coral, #FF7F50
-
Secondary color = turquoise, #ADEAEA
-
Selection color = yellow, #FFFF00
-
Specify the skin colors: Log in as the
zimbra
user and usezmprov
to modify the domain:zmprov modifyDomain example.com \ zimbraSkinBackgroundColor "#FF7F50" \ zimbraSkinSecondaryColor "#ADEAEA" \ zimbraSkinSelectionColor "#FFFF00"
The quote marks,
""
, are required so the use of the#
sign does not comment out the text that follows. -
Use the zmmailboxdctl command to apply the changes by restarting the mailbox server process:
zmmailboxdctl restart
Reload the Classic Web App, and Zimbra Collaboration themes for that domain should now display these colors.
-
Adding Your Logos
You add the company logo information and URL by modifying these the following attributes for logos:
Attribute | Description |
---|---|
|
The company Web address that you want linked from the logo. |
|
The company logo file name that is displayed on the login and splash screens for the Classic Web App and the Zimbra Collaboration administration console. |
|
The logo graphic file name for the graphic in the upper-left of the Classic Web App application and the administration console. |
To add logos for a domain
If logo files are saved in the Zimbra Collaboration server, they must be
in a subdirectory of /opt/zimbra/jetty/webapps/zimbra
.
If the logos are hosted on another machine, enter the full URL when identifying the logo.
Use steps in this section to update the logo(s) displayed over a domain:
-
Change the URL link:
zmprov modifyDomain zimbraSkinLogoURL https://url.example.com/
-
Modify the logo display:
To change the logo displayed in the login and splash screens:
zmprov modifyDomain zimbraSkinLogoLoginBanner /zimbra/loginlogo.png
To change the logo displayed on the Zimbra Classic Web App main page:
zmprov modifyDomain zimbraSkinLogoAppBanner /zimbra/applogo.png
-
Stop/start the server:
zmcontrol restart
Not currently supported: Logo modification for the Zimbra Classic Web App. |
Customizing Modern Web App
This section is applicable only for Modern Web App.
In this section, we guide you through customizing Modern Web App and deploying your customization. We’re going to address customization by overriding dynamic layouts.
Review your organization’s branding guidelines for icons and colors to use in the Zimbra’s Modern Web App. |
What can be customized
As a general rule, you can customize the following within the branding framework:
-
Logos
-
Color and border of various widgets such as Buttons, links, and Tabs
-
Text fonts, colors, and sizes
-
The basic appearance of the Modern Web App
What cannot be customized
There are several sections of the Modern Web App user interface that require a significant amount of Javascript coding to change. Customizing these segments is beyond the scope of this document:
-
Changing the behavior of something (e.g., a button)
-
Order of application tabs
-
Order of toolbar buttons
-
Adding new toolbar buttons
-
Adding search locations to the Search toolbar
Setup
Before we start customizing the Modern Web App, we need to create an empty Modern Web App bundle.
You should also have the following knowledge and skillsets:
-
Familiarity with usage of linux terminal and commands
-
Familiarity with basic HTML and CSS concepts and associated terminologies
-
Familiarity with terms like font, font size, and line-height
-
Familiarity with logos, images, color codes, and other styling elements
-
Familiarity with your organization’s branding guidelines
Creating an Empty Bundle
We first create an empty folder and its contents locally. Once done, we copy the folder to the Zimbra server.
Folder Name
Naming the folder is a crucial first step.
-
Keeping the folder name same as the hostname, the customizations reflect on all domains and, by extension, all the accounts on those domains.
-
If the folder name is the same as the domain name, the customizations appear on all accounts on that domain.
-
In case there is a virtual host setup, the folder name must be the domain name on which you have configured the virtual host.
For Example, consider a domain named
example.com
that has a virtual hostmail.example.com
; in such a case, you must create a folder mail.example.com.- Finding hostname
-
-
Log in using
ssh
to your Zimbra server. -
Switch to user
zimbra
.su - zimbra
-
Run this command to get the hostname.
zmhostname
-
- Finding Domain Name
-
-
Log in using
ssh
to your Zimbra server. -
Switch to user
zimbra
.su - zimbra
-
Run this command to get the domain name(s).
zmprov gad
-
For this document, we consider mail.example.com
as the folder name.
Folder contents
The folder (mail.example.com
in our case) must have the following hierarchy and contents.
Use mkdir to create new directories and touch to create new files.
|
mail.example.com ├── config.json ├── index.css ├── palette.css ├── assets │ ├── favicon.ico │ ├── icon.png │ ├── icon.svg │ ├── login-page-background.png │ └── logo.svg └── pwa ├── manifest.json └── icons ├── icon_300x300.svg ├── ios │ ├── icon_16x16.png │ ├── icon_32x32.png │ ├── icon_57x57.png │ ├── icon_72x72.png │ ├── icon_114x114.png │ └── icon_180x180.png └── non-ios ├── icon_16x16.png ├── icon_32x32.png ├── icon_36x36.png ├── icon_48x48.png ├── icon_72x72.png ├── icon_96x96.png ├── icon_144x144.png ├── icon_150x150.png ├── icon_192x192.png ├── icon_256x256.png └── icon_512x512.png
Customize Logos
The Zimbra’s Modern Web App uses the primary logo of your organization unless you specify a secondary logo.
-
Save the primary logo as
logo.svg
. -
Save the secondary logo as
secondarylogo.svg
.
Along with the logo, you also need your organization’s emblem to use it as an icon.
Create multiple icons — of different sizes — using this emblem. Refer to the below table for the file name, size, and destination of each icon.
Icon File name | Icon Size (in px) | Destination Folder |
---|---|---|
|
48x48 |
|
|
512x512 |
|
|
NA |
|
|
NA |
|
|
NA |
|
|
16x16x |
|
|
32x32x |
|
|
57x57 |
|
|
72x72 |
|
|
114x114 |
|
|
180x180 |
|
|
16x16x |
|
|
32x32x |
|
|
36x36 |
|
|
48x48 |
|
|
72x72 |
|
|
96x96 |
|
|
144x144 |
|
|
150x150 |
|
|
192x192 |
|
|
256x256 |
|
|
512x512 |
|
Customizable Segments
Consider the below Zimbra’s Modern Web App screenshot.
This labeled screenshot shows the customizable segments of Modern Web App.
-
Title
-
Navigation bar containing the links
-
Left-side links on the navigation bar
-
Right-side links on the navigation bar
-
Left Sidebar
-
Right Sidebar
-
Header
The items marked 1, 2, 3, and 4 are text and links. Instructions to change them are in the section Customize Text & Links.
The colors for items marked 5, 6, and 7 are customizable. Instructions to change these, and other colors, are in Customize Colors & Sizes.
Customize Text & Links
-
Copy and paste Sample config.json in
mail.example.com/config.json
-
To change the title text ( marked 1 in Customizable components) edit the value against
"title"
in Sample config.json. -
To replace the text Zimbra with your organization’s name (
"Example"
in this case) throughout the application, change the value against`"clientName"` in Sample config.json. -
To hide and remove the Forgot Password link, set
"disableForgotPassword"
as"true"
in Sample config.json. -
To insert links and hypertext in the navigation bar (2) edit
"left"
(3) and"right"
(4) under"nav"
in Sample config.json.-
To remove the navigation bar altogether remove the below snippet:
-
"nav": { . . . }
{
"title": "Example Mail",
"version": "1",
"clientName": "Example",
"userHelpPath": "https://www.example.com/userguide/",
"nav": {
"left": [
{
"name": "Example Link 1",
"href": "https://www.example.com/1"
},
{
"name": "Example Link 2",
"href": "https://www.example.com/2"
}
],
"right": [
{
"name": "Example Link 1",
"href": "https://www.example.com/1"
},
{
"name": "Example Link 2",
"href": "https://www.example.com/2"
}
]
}
}
Customize Colors & Sizes
This section handles colors and sizes of fonts, logos, and sidebars — among other things.
Palette.css
This file helps you to create a palette of colors to use throughout the application.
-
Navigate to palette generator and enter the hex code for Primary, Secondary and Tertiary colors.
-
Specify hex code for colors associated with Success, Informative, Warning, and Danger messages.
-
Click Generate.
-
A ready styling template with color codes appears.
-
Click Copy.
-
Paste the contents generated in
mail.example.com/palette.css
.
Index.css
Copy the below segment and paste as is in the mail.example.com/index.css
file.
Change the values to change various aspects of the Modern Web App as it appears to the user.
:root {
--sidebar-bg-color: var(--gray-lightest);
--rightbar-bg-color: var(--gray-lightest);
--line-height-base: 1.42857143;
--link-color: var(--brand-primary-500);
--link-hover-color: var(--brand-primary-800);
--link-hover-decoration: underline;
--logo-height: 32px;
--logo-max-width: 200px;
--header-bg: var(--gray-lightest);
--header-fg: var(--gray-darker);
--external-header-bg: var(--brand-tertiary-700);
--external-header-fg: #FFFFFF;
}
The various variable names used are self-explanatory. However, the below table offers a brief description. The number against some of the variables refer to the figure Customizable components.
Parameters | Description |
---|---|
|
Changes the background color of the pane that lists email and contact folders. |
|
Change the background color of the right sidebar. |
|
Change the base line-height that changes the line-height everywhere in the application. |
|
Change the link color. |
|
Change the link color on mouse hover. |
|
Change the way link behaves (underline, overline, or strikethrough) when mouse hovers. |
|
Change the logo height. This value cannot be more than 72px. |
|
Change the maximum width of the logo. |
|
Change the header background color. |
|
Change header’s text color. |
|
Change the navigation bar’s background color. |
|
Change the navigation bar’s text color. |
Make all color customizations (overrides) in index.css and not in palette.css to avoid palette overwrites.
|
Customizing the PWA
This section helps customize certain aspects of Progressive Web App (PWA). For more information on PWAs, refer What is a Progressive Web App.
{
"icons": [
{
"src": "/pwa/icons/icon_300x300.svg",
"sizes": "300x300",
"type": "image/svg+xml"
},
{
"src": "/pwa/icons/non-ios/icon_512x512.png",
"sizes": "512x512",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_256x256.png",
"sizes": "256x256",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_192x192.png",
"sizes": "192x192",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_150x150.png",
"sizes": "150x150",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_144x144.png",
"sizes": "144x144",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_96x96.png",
"sizes": "96x96",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_72x72.png",
"sizes": "72x72",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_48x48.png",
"sizes": "48x48",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_36x36.png",
"sizes": "36x36",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_32x32.png",
"sizes": "32x32",
"type": "image/png"
},
{
"src": "/pwa/icons/non-ios/icon_16x16.png",
"sizes": "16x16",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_180x180.png",
"sizes": "180x180",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_114x114.png",
"sizes": "114x114",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_72x72.png",
"sizes": "72x72",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_57x57.png",
"sizes": "57x57",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_32x32.png",
"sizes": "32x32",
"type": "image/png"
},
{
"src": "/pwa/icons/ios/icon_16x16.png",
"sizes": "16x16",
"type": "image/png"
}
],
"name": "Example Mail",
"short_name": "Example Mail",
"orientation": "portrait",
"display": "standalone",
"start_url": "/",
"background_color": "#ffffff",
"theme_color": "#e92d28"
}
-
Copy and paste Sample manifest.json in
mail.example.com/pwa/manifest.json
. -
Edit all instances of
mail.example.com
to the folder name as decided in the section Folder Name. -
Edit
"name"
and"short_name"
to have the same value as"title"
from Sample config.json.-
"name"
represents the name of the web application as it appears to users in list of mobile applications. -
"short_name"
represents the name of the web application as it appears to users if there is not enough space to display"name"
.
-
-
Set the
"background_color"
tobackground-color
in Palette.css. -
Set the
"theme_color"
to the same value as primary color in Palette.css.
Do not change the values of "orientation" , "display" and "start_url" .
|
Customizing the Login Page
This section helps you change the way Zimbra Modern Web App login page appears to users.
Before you begin login (or ssh
) on the Zimbra server.
Changing the Background Image
-
Copy a background image to
/opt/zimbra/jetty_base/webapps/zimbra/img/
-
Open and edit
/opt/zimbra/jetty_base/webapps/zimbra/skins/_base/base3/skin.properties
-
Locate the entry
LoginScreen
. -
Replace
new-back-ground-image.png
with the file name of the image you just copied.
Changing the Logo
The Modern Web App references the logo it uses from :
/opt/zimbra/jetty_base/webapps/zimbra/img/new-logo.png
You have to overwrite this file with the logo you prefer to use.
To keep provisions for reverting to the default logo, rename the above file (add .old to the filename).
|
-
Rename your organization’s logo that you have as
new-logo.png
. -
Copy this file to :
/opt/zimbra/jetty_base/webapps/zimbra/img/
Deployment Instructions
-
Navigate to and open the
mail.example.com
folder. -
Edit
config.json
to change theversion
. Do not use a previously used value.-
Enter a unique positive number.
-
Use a new value every time for your customizations to reflect on users' Modern Web App.
-
Enclose the text in quotes.
-
-
Save the file.
All instances of mail.example.com
should be replaced with the folder name as decided in the section Folder Name. -
Copy
mail.example.com
to/opt/zimbra/jetty/webapps/zimbra/modern/clients/
on Zimbra server.
Restart Zimbra mailbox server
To apply the changes you have made, restart Zimbra’s mailbox server.
-
Login to your Zimbra installation as
root
. -
Switch to user
zimbra
.su - zimbra
-
Restart Zimbra’s mailbox server.
zmmailboxdctl restart
-
Refresh Zimbra’s Modern Web App login page to see the changes
You might need to clear the cache if the changes do not appear. |
Storage Management
Storage Management (SM) feature is where you configure storage volumes for primary, secondary data stores and indexing. SM supports local and external storage for the following providers (Amazon S3, Ceph, EMC, Netapp StorageGrid, Scality, OpenIO). SM through the scheduler also provides the ability to move older data from primary higher cost to secondary lower cost storage based on age at the scheduled time. In most instances, end users will not experience any performance differences when accessing the data stored on external storage.
Storage Management can be managed within the Administrator UI within the global and server level or from the command line.
Unified Storage
From Daffodil 10.0.5 Patch onwards, support for Unified Storage has been added in the Storage Management module.
Unified Storage is designed to streamline data management by consolidating data from multiple mailbox servers under the same directory structure within a single S3 bucket. This approach simplifies storage, enhances accessibility, and reduces operational complexity.
Unified Storage feature is suitable for you if:
-
Your environment is a multi-server environment with more than 1 mailbox server.
-
Your organization has substantial data storage and access needs benefit from the centralized, scalable approach.
Structure
In the following example, the mailbox server’s - Mailbox-1, Mailbox-2, Mailbox-3 use the same bucket on the external storage. The users - d8bd3037-38d0-4c45-ade4-a6866f2912bd, 91fee523-4841-400f-9dc9-0d1e41f4c61b, and a8bd3037-4841-400f-ade4-bf1e41f4c61h use the same directory structure irrespective of on which Mailbox server the account is hosted.
|-- Mailbox-1
|-- Mailbox-2
|-- Mailbox-3
\
|-- /BucketName/DestinationPath/Prefix/
\
|-- d8bd3037-38d0-4c45-ade4-a6866f2912bd
\
|-- D3S78JHDD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- AD87H7YD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 91fee523-4841-400f-9dc9-0d1e41f4c61b
\
|-- 5D5D494CD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 2BF41B87D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 1CC67854D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 90AA2503D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 73AC6101D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- a8bd3037-4841-400f-ade4-bf1e41f4c61h
\
|-- F3545DA7D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- DB88EE7BD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 4CC67854D8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 2D5D494CD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 1D5D494CD8BD303738D04C45ADE4A6866F2912BD000001BD
|-- 3CC67854D8BD303738D04C45ADE4A6866F2912BD000001BD
Advantages of using Unified Storage
Following are some of the advantages of using Unified Storage:
-
Mailbox movement: Since the data from multiple mailbox servers are stored under a single S3 bucket, it becomes easier to move user’s mailboxes from one server to another without moving the data stored in S3.
-
Simplified Data Management: Unified Storage eliminates the need to manage multiple storage locations for mailbox servers. All data is consolidated into a single S3 bucket, making it easier to manage, and maintain.
-
Scalability: The unified approach allows for easier scaling as the organization grows, reducing the complexity of data expansion.
Limitations of using Unified Storage
-
Support only S3 providers: Unified Storage is only supported on S3 providers.
-
Message duplication: Message duplication is lost and is not supported when data is moved to external S3.
How to setup Unified Storage
The Unified Storage based volume can be created through Administrator UI or CLI.
To optimize the utilization of the feature, when creating an external volume with S3, it is essential to ensure that the same volume path (same volumePrefix) is consistently set across all mailbox servers.
Administrator UI
When creating volumes through Home → Configure → Server → Storage Management → Manage Volumes → Add, select Unified Storage checkbox which will enable Unified Storage feature.
Please refer to External Storage Type section for detailed steps on creating volumes through Administrator UI.
CLI
An option --unified or -un can be used with zmvolume
command to enable Unified Storage feature.
Please refer to External volume for S3 section for detailed steps on creating S3 volumes through CLI
Volume Management
On a server’s Storage management page you can manage storage volumes on each Zimbra Mailbox server:
Home → Configure → Server → Storage Management
When Zimbra Collaboration Server is installed, one index volume and one message volume are configured on each mailbox server.
-
The Index volume is /opt/zimbra/index
-
The Message volume is /opt/zimbra/store
Within the Storage Management location, you can add new volumes, set the volume type, and set the compression threshold.
Index Volume
Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent directory on the current index volume. When an account is created, the current index volume is automatically defined for the account. You cannot change which index volume the account is assigned.
As volumes become full, you can create a new current index volume for new accounts. You can add new volumes, set the volume type, and set the compression threshold.
Index volumes not marked current are still actively in use for the accounts assigned to them. Any index volume that is referenced by a mailbox as its index volume cannot be deleted.
Message Volume
When a new message is delivered or created, the message is saved in the current message volume. Message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.
A current volume cannot be deleted, and message volumes that have messages referencing the volume cannot be deleted.
Admin Console: Storage Management Page
The Storage Management page contains five sections:
-
Manage Volumes section shows all configured and allows the Admin the ability to create, edit and delete volumes.
-
Volume Name is the name that is assigned to each volume. The initial volumes are named index1 and message1.
-
Volume Root Path is the location in the file system where volume data is stored.
-
Volume Type defines the type of volume that was set when the volume was created. It can be set to index, primary or secondary and once set, it can not be changed.
-
Compress Blobs When this box is checked, message blobs whose size is above the compression threshold are compressed. If blob compression is turned on, the disk space used is decreased. Note: Turning on blob compression also increases memory requirements for the server.
-
Compression Threshold. Messages larger than the threshold are compressed. The default threshold is 4096 bytes.
-
Current defines which volume is currently set to default with a check mark.
-
-
Assign Current Volumes section is the location where you will set which volume will be currently used for primary message, secondary message, or index volume’s.
-
Current primary message volume The current primary volume name. New messages are saved in this current message volume.
-
Current secondary message volume The current secondary message volume name. Older data is stored on the secondary message volume.
-
Current index volume. The current index volume name. As volumes become full, you can create a new current index volume for new accounts
-
-
Storage Management Policies Section:
-
SM Session Scheduling gives the Admin the ability to enable and schedule when the SM policy will occur on a daily bases.
-
Manage SM Session gives the Admin the ability to manually execute the Storage Management policies.
-
-
Item to Move section defines the SM policies used to manage when data is migrated from the primary to secondary store. SM policies can be set at the global or on each mailbox server.
-
Types of items to move. You can select messages, tasks, appointments, contacts, and briefcase items to move from a primary volume to the current secondary volume.
-
If you are using an external storage provider for Secondary storage, please exclude the Documents from the policy as it appears garbled after it is moved to external storage. |
-
Move items older than. The default global SM policy is to move messages and files more than 30 days old to the secondary volume. The age of items to be moved can be specified by a number of days, months, weeks, hours, or minutes.
-
Policy String. You can use the search query language to set up other SM policies. For example, if you wanted all messages marked as junk to be included in messages moved to the current secondary volume, you would add the following to the policy: message:in:junk before:-[x] days.
Types Of Volumes
Zimbra provides two types of volume that can be configured and linked for data storage.
-
Internal
-
External
Internal Storage Type
Internal Storage Type is the store located on the zimbra Servers.
For adding the Internal storage volume follow the below steps:
-
Go to Home → Configure → Server → Storage Management
-
Scroll to Manage Volumes, then click on Add button.
-
Select Volume as Internal. Click Next.
-
Select the appropriate volume type i.e. Primary, Secondary, or Index.
-
Enter the volume name and volume root path.
-
If you want to compress blobs, check Compress Blobs and set the Compression Threshold.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
-
Compress Blobs: When this box is checked, message blobs whose size is above the compression threshold is compressed. If blob compression is turned on, the disk space used is decreased.
Turning on blob compression will increase the memory requirements for the Servers. -
Compression Threshold: Messages that exceed the defined threshold are compressed. The default threshold is 4096 bytes.
-
Click Finish.
External Storage Type
External storage type is storage that is accessible locally but which is hosted externally from the mailbox server. Currently Zimbra supports the following providers:
-
Amazon S3.
-
Ceph.
-
Custom S3 - Option to create any unsupported external storage.
-
EMC.
-
NetApp StorageGrid.
-
OpenIO.
-
Scality.
Amazon S3
Following are the steps to add the Amazon S3 Storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider Amazon S3. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary.
There is no support for the Index volume on External Stores. -
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
AWS services are accessed using the Access Key Id and Secret Key. These are available through the AWS Management Console. -
Select the appropriate Region and click Next.
All the above fields must be filled correctly to validate the bucket. The Next button will be disabled till all the credentials are entered correctly. The bucket credentials will be validated after cliking the Next button. An error will be displayed in case any errors encountered with the credentials. -
The bucket will be created once it is validated successfully.
-
-
Select the created bucket from the S3 compatible bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
-
Select the checkbox to enable the Infrequent access. Enter the threshold for infrequent access. Optionally you can select the checkbox to enable the Intelligent tiering.
Infrequent Access: S3 Standard-IA is for data accessed less frequently but requires rapid access when needed.
Infrequent Access Threshold: The threshold is used to set any file larger than the Infrequent Access Threshold value for this storage class.
Intelligent Tiering: This will set the appropriate Intelligent Tiering flag on all files of the volume.
The official Amazon S3 documentation on Infrequent Access and Intelligent Tiering. To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the Amazon S3 storage type.
NOTE:
Ceph
Following are the steps to add the Ceph Storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider Ceph. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
-
Click Next.
-
The bucket will be created once it is validated successfully.
-
-
Select the created bucket from the S3 compatible bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the Ceph storage.
Custom S3
Following are the steps to add the Custom S3 Storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider Custom S3. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
-
Click Next.
-
The bucket will be created once it is validated successfully.
-
-
Select the created bucket from the S3 compatible bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the Custom S3 storage.
EMC
Following are the steps to add the EMC Storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider EMC. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
-
Click Next.
-
The bucket will be created once it is validated successfully.
-
-
Select the created bucket from the S3 compatible bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the EMC storage.
NetApp StorageGrid
Following are the steps to add the NetApp StorageGrid:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider NetApp StorageGrid. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
-
Click Next.
-
The bucket will be created once it is validated successfully.
-
-
Select the cretaed bucket from the S3 compatible Bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the NetApp StorageGrid storage.
OpenIO
Unified Storage is not supported for OpenIO provider. |
Following are the steps to add the OpenIO storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select Volume Type as OpenIO. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, URL, Account, Namespace, Proxy Port and Account Port.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
-
Click Finish to add the OpenIO storage.
Scality
Following are the steps to add the Scality Storage:
-
Go to Home → Configure → Servers.
-
Select the server, right-click and select Edit.
-
Go to Storage Management → Manage Volumes page and click on Add button.
-
Select provider Scality. Click Next.
-
Select the Volume Type. i.e. Primary or Secondary
-
Enter the Volume Name, Volume Prefix.
-
For add an S3 compatible bucket. Click on Create a new bucket.
-
Enter the Bucket name, Access key, Secret, Destination path and URL
-
Click Next.
-
The bucket will be created once it is validated successfully.
-
-
Select the created bucket from the S3 compatible bucket dropdown.
-
Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.
To enable Unified Storage support on this volume, select the Unified Storage checkbox. -
Click Finish to add the Scality storage.
How to Assign a Volume as a Secondary Volume
Before you can assign an SM volume, the volume must exist. Please refer to Adding a New Storage Volume to the Servers for an overview on adding volumes. Once the volume has been created, follow the below steps:
-
Go to Home → Configure → Server → Storage Management
-
Scroll to Assign Current Volumes section
-
Click the dropdown list for Current secondary message volume and select the appropriate volume.
-
Click Save.
-
The selected volume is now configured as the Secondary message volume.
After the new volume has been set to Secondary Message volume, messages will be moved to the secondary storage volume based on the SM policy.
Adding a New Storage Volume to the Servers
Each Zimbra mailbox Servers is configured with one primary message volume and an index volume. Refer to Volume Management section for more details. Additionally the Zimbra Data Store configuration allows the creation of new primary, secondary and index stores.
To access the volume page, follow the below steps.
-
Go to Home → Configure → Server → Storage Management
-
By default, the Index and Primary Data volumes are configured.
Storage Management Policies
Storage Management Policy is a process of moving older data to a secondary storage device. To manage your email storage resources, you can implement an SM policy that defines what items are moved and at what age they should be moved. Messages and attachments are moved from a primary volume to the current secondary volume based on the age of the message. The messages are still accessible. Users are not aware of any change and do not see any noticeable differences when opening older items that have been moved.
You can implement the SM policy globally or at the server level.
Home → Configure → Global Settings → Storage Management
Home → Configure → Sever → Storage Management
The policy configured within individual servers overrides the global policy.
The default global SM policy moves messages and briefcase files (over 30 days from the date of receipt) to the secondary volume. Also, you can move the tasks, appointments, contacts, and notes manually.
You can change the 30-day age policy to a specific age of months, weeks, hours, or minutes.
Setup or Editing SM Policies
Within the storage management window within the Global or Server level, scroll to Items to Move and edit or create a new rule by:
-
Selecting on the existing rule then clicking Edit or clicking Add.
-
Select or modify the policies you wish to assign.
-
Click Save
The following are the rules that can be configured when creating or editing a policy rule.
Option | Description |
---|---|
Types of items to move |
The default is to move messages briefcase files, but you can select other items |
Options |
If you want to include items in the junk and trash folder, check the box. |
Move items older than |
Select the time frame to move older items. |
Policy string |
This shows the policy string that you have configured. |
Delete the Existing Policy
Deleting an existing policy will remove the rule from future runs of SM Sessions.
-
To delete an existing policy, select the policy you want to delete.
-
Click the Delete button.
-
Select Yes.
If a rule was accidentally deleted, recreating the rule will be applied to all data within the define configuration at the next SM session. If an SM session is initiated manually, please be aware there could be higher server and IO load.
Storage Management CLI Utilities
Manage Global S3 Configurations using zms3config
CLI
The zms3config
is the CLI utility to manage the Global S3 buckets which can be shared across mailstore nodes. Bucket configurations can be created from any node and it is available across the nodes.
The Global S3 Buckets can be deleted from the Administration Console at Home → Configure → Global Settings → Storage Management. |
Here are some of the important aspects of S3 Global Configurations:
-
The bucket name should be unique within the provider.
-
The same bucket can be used for multiple volumes, just follow different paths (check volume prefix option in
zmvolume
command) for each volume. -
Following providers are supported: Amazon AWS, Ceph, Custom S3, EMC, NetApp-StorageGrid, OpenIO and Scality
Syntax:
zms3config {-a | -d | -l | -h} <options>
Options
Operations | Long Name | Short Name | Description |
---|---|---|---|
Display Help |
--help |
-h |
Display Help |
Add new S3 config |
--add |
-a |
Create a new S3 bucket with further options. |
--storeProvider |
-t |
Store Provider to add s3BucketConfig, Valid Values are: AWS_S3, CEPH_S3, CUSTOM_S3, EMC_S3, STORAGE_GRID_S3, SCALITY_S3. |
|
--bucketName |
-bn |
Name of the bucket |
|
--accessKey |
-ak |
Access key |
|
--secretKey |
-sk |
Secret key |
|
--destPath |
-dp |
Destination path, root path in S3 bucket for storing volume data. |
|
--region |
-r |
S3 bucket region |
|
--url |
-url |
Endpoint URL for S3 bucket |
|
Delete S3 bucket |
--delete |
-d |
Delete S3 bucket |
--bucketID |
-bid |
Id of a bucket, which is used to delete the S3 bucket. |
|
List Bucket |
--list |
-l |
List all buckets |
Add S3 Configuration
-
To create an AWS bucket configuration with long option names, use the command:
zms3config --add --storeProvider AWS_S3 --bucketName <bucket_name> --accessKey <secret_key> --destPath <destination_path> --region <valid_aws_region> --url <aws_valid_endpoint_url>
-
To create a Ceph bucket configuration with short option names, use the command:
zms3config -a -t CEPH_S3 -bn <bucket_name> -ak <secret_key> -dp <destination_path> --url <valid_endpoint_url>
-
To create a Custom S3 bucket configuration with short option names, use the command:
zms3config -a -t CUSTOM_S3 -bn <bucket_name> -ak <secret_key> -dp <destination_path> --url <valid_endpoint_url>
-
To create a EMC bucket configuration with short option names, use the command:
zms3config -a -t EMC_S3 -bn <bucket_name> -ak <secret_key> -dp <destination_path> --url <valid_endpoint_url>
-
To create a StorageGrid bucket configuration with short option names, use the command:
zms3config -a -t STORAGE_GRID_S3 -bn <bucket_name> -ak <secret_key> -dp <destination_path> --url <valid_endpoint_url>
-
To create a Scality bucket configuration with short option names, use the command:
zms3config -a -t SCALITY_S3 -bn <bucket_name> -ak <secret_key> -dp <destination_path> --url <valid_endpoint_url>
List S3 bucket configuration
List all the S3 buckets which are configured on the setup.
zms3config -l
Delete S3 Configuration
Be careful when performing this operation since the bucket is used on global level and can be referred in multiple volumes across the nodes. |
zms3config -d -bid <bucket_unique_id>
Managing Internal and External Volumes using zmvolume
CLI
The zmvolume
command is used to create, edit and delete storage volumes. It supports creating Internal and External volumes. Internal volume is the default storage which is located on server directory whereas external volume uses S3 buckets/OpenIO setup provided by external store providers.
Syntax:
zmvolume {-a|-d|-l|-e|-dc|-sc} [options]
Description
Operation | Long Name | Short Name | Description |
---|---|---|---|
Add new volume |
--add |
-a |
Adds a volume. |
--account |
-acc |
<arg> Name of Account for OpenIO Volume. |
|
--accountPort |
-ap |
<arg> Account Port for OpenIO Volume. It should be a numeric value. |
|
--bucketId |
-bid |
<arg> S3 Bucket ID. Note the bucket should be created globally and fetched by using |
|
--compress |
-c |
<arg> Compress BLOBs value is either true or false. The default value is false. |
|
--compressionThreshold |
-ct |
<arg> Compression threshold. The default value is 4KB. |
|
--name |
-n |
<arg> Volume name. It can contain only alphanumeric characters, _ (underscore), - (hyphen), and . (period) but can start with a begin with a letter or number. |
|
--nameSpace |
-ns |
<arg> Namespace for OpenIO Volume. |
|
--path |
-p |
<arg> Root path. |
|
--proxyPort |
-pp |
<arg> Proxy port for OpenIO Volumehttp://port.it[.] It should be a numeric value. |
|
--storageType |
-stp |
<arg> Name of the store provider (S3, OPENIO) |
|
--storeType |
-st |
<arg> Store type: internal or external |
|
--storeManagerClass |
-smc |
<arg> Optional parameter to specify non-default store manager classpath.Available only for S3 providers. |
|
--type |
-t |
<arg> Volume type (primaryMessage, secondaryMessage, or index) |
|
--url |
-url |
<arg> Endpoint URL for OpenIO Volume. |
|
--useIntelligentTiering |
-uit |
<arg> Use Intelligent tiering storage class only for AWS. The default value is false. |
|
--useInFrequentAccess |
-ufa |
<arg> Use Infrequent access storage class only for AWS. |
|
--useInFrequentAccThreshold |
-ufat |
<arg> Use Infrequent access storage class blob size threshold. The default value is 64KB. |
|
--volumePrefix |
-vp |
<arg> Volume Prefix. It must start with "/" and cannot contain other special characters except "-" and "/". |
|
--unified |
-un |
<arg> Parameter to enable Unified Storage support for the volume. If not specified, the default value is false. |
|
Delete a Volume |
--delete |
-d |
Deletes a volume. Provide volume ID as well. |
--id |
-id |
<arg> Volume ID. |
|
Display Current Volume |
--displayCurrent |
-dc |
Displays the current volume. |
Edit a Volume |
--edit |
-e |
Edits the volume w.r.t the provided volume ID (-id). Any of the options listed under "-a" can also be specified to have its value modified for vole type Internal. Note that only the Volume name can be edited for external volumes. |
Help option |
--help |
-h |
Shows the help for the usage options for this tool. |
List Volume |
--list |
-l |
Lists all the volumes. |
--server |
-s |
<arg> Mail server hostname. The default is localhost. |
|
Set volume as current volume |
--setCurrent |
-sc |
Set the current volume. |
Turn off the secondary volume |
--turnOffSecondary |
-ts |
Turns off the current secondary message volume. |
Add New Volume
Internal volume
To create Internal volume the required parameters are -n, -t, and -p, and the optional parameters are -c, -ct, and -st.
zmvolume -a -n <volumeName> -t <storageType> -p <pathOfVolume>
External volume for OpenIO
To create a primary or secondary OpenIO volume, execute the following command:
zmvolume -a -n <volumeName> -t <storageType> -vp <volumePrefix> -st external -stp OPENIO -pp <proxyPort> -ap <accountPort> -url <URL> -acc <accountName> -ns <nameSpace>
External volume for S3
To create a primary or secondary S3 (Amazon S3, NetApp StorageGrid, Ceph) volume, execute the following command:
zmvolume -a -n <volumeName> -t <storageType> -vp <volumePrefix> -st external -stp S3 -bid <bucketId>
To create a primary or secondary S3 (Amazon S3, NetApp StorageGrid, Ceph) volume with Unified Storage support, execute the following command:
zmvolume -a -n <volumeName> -t <storageType> -vp <volumePrefix> -st external -stp S3 -bid <bucketId> -un true
Edit a Volume
Internal volume
Admin can edit all the parameters of the internal volumes used when creating it:
zmvolume -e -id <volumeId> -n <volumeName> -p <volumePath> -t <type> -c <compress> -ct <compressionThreshold>
External volume
Only the name of the external volume can be edited:
zmvolume -e -id <volumeId> -n <volumeName>
List Volume
To list all the volumes created:
zmvolume -l
Delete a Volume
Be careful when deleting the volume as it may cause data loss: |
zmvolume -d -id <volumeId>
Set current volume
Sets the volume id as the current volume to be used as per the configured volume type:
zmvolume -sc -id <volumeId>
Display current volume:
Display Primary and Secondary volume details set as current:
zmvolume -dc
Turn off secondary
To disable the secondary volume:
zmvolume -ts
Help section
To display the help section:
zmvolume -h
Manage scheduling of the policies using zmschedulesmpolicy
CLI
The zmschedulesmpolicy
command is used for scheduling a Storage Management poilcy execution. To track the progress of the SM session, use the zmhsm -u
command.
-
The scheduler supports a single SM session which can contain a single or multiple policies. If a new SM session is scheduled, it will override the existing session, if one exists.
-
The scheduled SM policy will execute once a day at the scheduled time and will execute every day until it is removed.
-
The time format used for scheduling a session is a 24-hour format. Minutes can not be specified while scheduling the SM session.
-
Even if the admin hasn’t defined any policy, a default global policy i.e. message, document:before:-30days will be executed while starting an SM session manually.
Syntax
zmschedulesmpolicy [-l|-h|-f|-e { <hours:00> } ]
Options
Operations | Long Name | Short Name | Description |
---|---|---|---|
Help |
--help |
-h |
Get help about zmschedulesmpolicy (default command). |
List schedule |
--list |
-l |
Print existing scheduled SM policy. |
Flush/Cancel schedule |
--flush |
-f |
Remove current schedule (cancel all the scheduled SM policy execution) |
Add/Edit schedule |
--edit |
-e |
Edit current scheduled time with a specified time. If there is no existing scheduled policy then it will schedule a new SM policy at a given time. |