This document is applicable for Zimbra Daffodil versions 10.0 and 10.1.0.

License

CC BY-SA Synacor, Inc., 2024-2025

© 2024-2025 by Synacor, Inc. Zimbra Daffodil (v10) Multi-Server Installation Guide

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License unless another license agreement between you and Synacor, Inc. provides otherwise. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0 or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

Synacor, Inc., 2024-2025
505 Ellicott Street, Suite A39
Buffalo, NY 14203
US

IMPORTANT: Zimbra Daffodil (v10.1) Licensing Changes

  1. Zimbra Daffodil (v10.1) introduced a new license service with significant changes in licensing management.

  2. Before attempting the install, please see the Daffodil v10.1 Licensing section for detailed information.

  3. Zimbra Daffodil (v10.1) introduced changes to the installer. Before attempting the install, please see the Daffodil v10.1 Installer changes section for more information.

Introduction

Information in this guide is intended for people responsible for installing Zimbra Collaboration Daffodil (v10). This guide will help you plan and perform all installation procedures necessary to deploy a fully functioning email system based on Zimbra Collaboration’s messaging technology.

Audience

This installation guide assumes you have a thorough understanding of system administration concepts and tasks and are familiar with email communication standards, security concepts, directory services, and database management.

For More Information

Zimbra Collaboration documentation, including a readme text file, the administrator guide, and other Zimbra 10 guides, is copied to the servers during the installation. The major documentation types are listed below. You can access all the documents on the Zimbra 10 website, https://www.zimbra.com, and from the Help Desk page of the administration console.

Administrator Guide

This guide describes product architecture, server functionality, administration tasks, configuration options, and backup and restore procedures.

Administrator Help

The administrator Help provides instructions about how to add and maintain your servers, domains, and user accounts from the admin console.

Web Client Help

The Web Client Help provides instructions on how to use the Zimbra 10 Web Client features.

Migration Wizard Guides

These guides describe how to migrate users that are on Microsoft Exchange or Lotus Domino systems to the Zimbra Collaboration Daffodil (v10).

Support and Contact Information

  • Contact Zimbra 10 Sales to purchase Zimbra Daffodil (v10).

  • Zimbra Collaboration customers can contact support at support@zimbra.com.

  • Explore the Zimbra 10 Forums for answers to installation or configuration problems.

  • Join the Zimbra 10 Community Forum, to participate and learn more about Zimbra Collaboration.

  • Send an email to feedback@zimbra.com to let us know what you like about the product and what you would like to see in the product. If you prefer, post your ideas to the Zimbra 10 Forum.

Zimbra 10 Port Mapping

External access

These are ports typically available to mail clients.

| Port | Protocol | Zimbra 10 Service | Description |
|------|----------|-------------------|-------------|
| 25 | smtp | mta | incoming mail to postfix |
| 80 | http | mailbox / proxy | web mail client (disabled by default in 8.0) |
| 110 | pop3 | mailbox / proxy | POP3 |
| 143 | imap | mailbox / proxy | IMAP |
| 443 | https | mailbox / proxy - web mail client | HTTP over TLS |
| 465 | smtps | mta | Incoming mail to postfix over TLS (Legacy Outlook only. If possible, use 587 instead) |
| 587 | smtp | mta | Mail submission over TLS |
| 993 | imaps | mailbox / proxy | IMAP over TLS |
| 995 | pop3s | mailbox / proxy | POP3 over TLS |
| 3443 | https | proxy | User Certificate Connection Port (optional) |
| 5222 | xmpp | mailbox | Default server port |
| 5223 | xmpp | mailbox | Default legacy SSL port |
| 9071 | https | proxy admin console | HTTP over TLS (optional) |

Internal access

These are ports typically only used by the Zimbra 10 system itself.

| Port | Protocol | Zimbra 10 Service | Description |
|------|----------|-------------------|-------------|
| 389 | ldap | ldap | LC(ldap_bind_url) |
| 636 | ldaps | ldaps | if enabled via LC(ldap_bind_url) |
| 3310 | - | mta/clamd | zimbraClamAVBindAddress |
| 5269 | xmpp | mailbox | Server-to-Server communications between servers on the same cluster. |
| 7025 | lmtp | mailbox | local mail delivery; zimbraLmtpBindAddress |
| 7026 | milter | mailbox | zimbra-milter; zimbraMilterBindAddress |
| 7047 | http | conversion server | Accessed by localhost by default; binds to '*' |
| 7071 | https | mailbox | admin console HTTP over TLS; zimbraAdminBindAddress |
| 7072 | http | mailbox | Zimbra 10 nginx lookup - backend http service for nginx lookup/authentication |
| 7073 | http | mailbox | Zimbra 10 saslauthd lookup - backend http service for SASL lookup/authentication (added in Zimbra Collaboration 8.7) |
| 7110 | pop3 | mailbox | Backend POP3 (if proxy configured); zimbraPop3BindAddress |
| 7143 | imap | mailbox | Backend IMAP (if proxy configured); zimbraImapBindAddress |
| 7171 | - | zmconfigd | configuration daemon; localhost |
| 7306 | mysql | mailbox | LC(mysql_bind_address); localhost |
| 7307 | mysql | logger | logger (removed in Zimbra Collaboration 7) |
| 7780 | http | mailbox | spell check |
| 7993 | imaps | mailbox | Backend IMAP over TLS (if proxy configured); zimbraImapSSLBindAddress |
| 7995 | pop3s | mailbox | Backend POP3 over TLS (if proxy configured); zimbraPop3SSLBindAddress |
| 8080 | http | mailbox | Backend HTTP (if proxy configured on same host); zimbraMailBindAddress |
| 8443 | https | mailbox | Backend HTTPS (if proxy configured on same host); zimbraMailSSLBindAddress |
| 8465 | milter | mta/opendkim | OpenDKIM milter service; localhost |
| 10024 | smtp | mta/amavisd | to amavis from postfix; localhost |
| 10025 | smtp | mta/master | opendkim; localhost |
| 10026 | smtp | mta/amavisd | "ORIGINATING" policy; localhost |
| 10027 | smtp | mta/master | postjournal |
| 10028 | smtp | mta/master | content_filter=scan via opendkim; localhost |
| 10029 | smtp | mta/master | "postfix/archive"; localhost |
| 10030 | smtp | mta/master | 10032; localhost |
| 10031 | milter | mta/cbpolicyd | cluebringer policyd |
| 10032 | smtp | mta/amavisd | (antispam) "ORIGINATING_POST" policy |
| 10663 | - | logger | LC(logger_zmrrdfetch_port); localhost |
| 23232 | - | mta/amavisd | amavis-services / msg-forwarder (zeromq); localhost |
| 23233 | - | mta/amavisd | snmp-responder; localhost |
| 11211 | memcached | memcached | nginx route lookups, mbox cache (calendar, folders, sync, tags); zimbraMemcachedBindAddress |
| 8081 | - | license daemon service | Internally accessible from Mailbox to LDS |
| 80 | http | Offline daemon | When using Offline method, internally accessible from Mailbox to LDS |
| 16700 | - | Offline PG daemon service | When using Offline method, internally accessible from Mailbox to LDS |

System Access and Intra-Node Communication

In a multi-node environment, the communication typically required between nodes includes:

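| Destination | Port | Source(s) | Description |
|-------------|------|-----------|-------------|
| ALL | 22 | ALL | SSH (system & zmrcd): host management |
| ALL | udp/53 | ALL | DNS (system ¦ dnscache): name resolution |
| Logger | udp/514 | ALL | syslog: system and application logging |
| LDAP | 389 | ALL | all nodes talk to LDAP server(s) |
| MTA | 25 | ldap | sent email (cron jobs) |
| MTA | 25 | mbox | sent email (web client, cron, etc.) |
| antivirus | 3310 | mbox | zimbraAttachmentsScanURL (not set by default) |
| memcached | 11211 | mbox | mbox metadata data cache |
| memcached | 11211 | proxy | backend mailbox route cache |
| Mailbox (mbox) | 80 | proxy | backend proxy http |
| Mailbox (mbox) | 110 | proxy | backend proxy pop3 |
| Mailbox (mbox) | 143 | proxy | backend proxy imap |
| Mailbox (mbox) | 443 | proxy | backend proxy https |
| Mailbox (mbox) | 993 | proxy | backend proxy imaps |
| Mailbox (mbox) | 995 | proxy | backend proxy pop3s |
| Mailbox (mbox) | 7025 | mta | all mta talk to any mbox (LMTP) |
| Mailbox (mbox) | 7047 | mbox | localhost by default; zimbraConvertdURL |
| Mailbox (mbox) | 7071 | mbox | all mbox talk to any mbox (Admin) |
| Mailbox (mbox) | 7072 | proxy | zmlookup; zimbraReverseProxyLookupTarget |
| Mailbox (mbox) | 7073 | mta | sasl auth; zimbraMtaAuthTarget (since Zimbra Collaboration 8.7) |
| License Daemon Service (LDS) | 8081 | mbox | LDS |
| License Daemon Service (LDS) | 80 | mbox | Offline Daemon |
| License Daemon Service (LDS) | 16700 | mbox | Offline Daemon |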
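As an added example (not part of the Zimbra guide), the script below turns the intra-node table into per-node inbound allow rules in nftables syntax, so each internal port is opened only to the node roles the table names as sources. The role names, the inventory and its 192.0.2.0/24 addresses are constructed, and ports the table lists without a protocol are assumed to be TCP.

```python
"""Turn the intra-node table into per-node inbound allow rules (nftables syntax)."""
import ipaddress
from collections import defaultdict

# (destination role, protocol, port, source role), one tuple per table row.
# Assumption: ports the table gives without "udp/" are TCP.
MATRIX = [
    ("all", "tcp", 22, "all"),
    ("all", "udp", 53, "all"),
    ("logger", "udp", 514, "all"),
    ("ldap", "tcp", 389, "all"),
    ("mta", "tcp", 25, "ldap"),
    ("mta", "tcp", 25, "mbox"),
    ("antivirus", "tcp", 3310, "mbox"),
    ("memcached", "tcp", 11211, "mbox"),
    ("memcached", "tcp", 11211, "proxy"),
    ("mbox", "tcp", 80, "proxy"),
    ("mbox", "tcp", 110, "proxy"),
    ("mbox", "tcp", 143, "proxy"),
    ("mbox", "tcp", 443, "proxy"),
    ("mbox", "tcp", 993, "proxy"),
    ("mbox", "tcp", 995, "proxy"),
    ("mbox", "tcp", 7025, "mta"),
    ("mbox", "tcp", 7047, "mbox"),
    ("mbox", "tcp", 7071, "mbox"),
    ("mbox", "tcp", 7072, "proxy"),
    ("mbox", "tcp", 7073, "mta"),
    ("lds", "tcp", 8081, "mbox"),
    ("lds", "tcp", 80, "mbox"),
    ("lds", "tcp", 16700, "mbox"),
]

# Constructed inventory: hostname -> (address, roles running on that node).
INVENTORY = {
    "ldap1": ("192.0.2.10", {"ldap", "lds"}),
    "mta1": ("192.0.2.20", {"mta", "antivirus", "proxy", "memcached"}),
    "mbox1": ("192.0.2.30", {"mbox", "logger"}),
    "mbox2": ("192.0.2.31", {"mbox"}),
}


def source_addresses(role, node, inventory):
    """Addresses of every other node that carries `role` ('all' = any node)."""
    return {
        addr
        for name, (addr, roles) in inventory.items()
        if name != node and (role == "all" or role in roles)
    }


def inbound_rules(node, inventory=INVENTORY):
    """Return nftables accept rules for traffic the table allows into `node`."""
    _, roles = inventory[node]
    allowed = defaultdict(set)  # (port, proto) -> set of source addresses
    for dest, proto, port, source in MATRIX:
        if dest == "all" or dest in roles:
            allowed[(port, proto)] |= source_addresses(source, node, inventory)
    rules = []
    for (port, proto), sources in sorted(allowed.items()):
        if not sources:  # no other node carries the source role
            continue
        ordered = sorted(sources, key=ipaddress.ip_address)
        rules.append(
            f"ip saddr {{ {', '.join(ordered)} }} {proto} dport {port} accept"
        )
    return rules


if __name__ == "__main__":
    for name in INVENTORY:
        print(f"# {name}")
        print("\n".join(inbound_rules(name)))
```

The rules are meant to sit in an input chain whose policy is drop; the externally reachable ports from the external-access table still need their own rules on the proxy and MTA nodes.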

You cannot have any other web server, database, LDAP, or MTA server running when you install Zimbra Collaboration. If you have installed any of those applications before you install Zimbra 10 software, disable them. During Zimbra Collaboration installation, Zimbra 10 makes global system changes that may break applications that are on your server.

Planning for the Installation

This chapter describes the components that are installed and reviews the configuration options that you can make when installing Zimbra Collaboration.

Zimbra 10 Application Packages

Zimbra 10 architecture includes open-source integrations using industry-standard protocols. The third-party software has been tested and configured to work with the Zimbra 10 software.

The following describes the Zimbra Collaboration application packages that are installed.

Zimbra 10 Core

This package includes the libraries, utilities, monitoring tools, and basic configuration files. Zimbra 10 Core is automatically installed on each server.

Zimbra 10 LDAP

User authentication is provided through OpenLDAP® software. Each account on the Zimbra server has a unique mailbox ID that is the primary point of reference to identify the account. The OpenLDAP schema has been customized for Zimbra Collaboration.

The Zimbra 10 LDAP server must be configured before any other servers.

You can set up LDAP replication, configuring a master LDAP server and replica LDAP servers.

Zimbra 10 Store

This package includes the components for the mailbox server, including Jetty, which is the servlet container the Zimbra 10 software runs within. The Zimbra 10 mailbox server includes the following components:

Data store

The data store is a MariaDB® database.

Message store

The message store is where all email messages and file attachments reside.

Index store

Index and search technology is provided through Lucene. Index files are maintained for each mailbox.

Web application services

The Jetty web application server runs web applications (webapps) on any store server. It provides one or more web application services.

Zimbra 10 MTA

Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra 10 mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra 10 MTA also includes anti-virus and anti-spam components.

Zimbra 10 Proxy

Zimbra 10 Proxy is a high-performance reverse proxy service for passing IMAP[S]/POP[S]/HTTP[S] client requests to other internal Zimbra Collaboration services using nginx. This package is normally installed on the MTA server(s) or on its own independent server(s). When the zimbra-proxy package is installed, the proxy feature is enabled by default.

By default Zimbra 10 Proxy is configured to perform strict server name enforcement of the HTTP 'Host' header sent by clients for new installs. Strict server name enforcement may be disabled during the post-install configuration process in the Zimbra 10 Proxy configuration section or using the zimbraReverseProxyStrictServerNameEnabled configuration option. Please see the Zimbra 10 Proxy section of the administration guide for more details.

Zimbra 10 Modern Web App

This package includes the assets of the Zimbra 10 Modern Web App. This package is automatically installed on each server.

Zimbra 10 Memcached

This package is automatically selected when the Zimbra 10-Proxy package is installed and provides access to Memcached.

At least one server must run zimbra-memcached when the Zimbra 10 Proxy service is in use. You can use a single memcached server with one or more Zimbra 10 proxies.

Zimbra 10 SNMP

Installing this package is optional.

If you choose to install Zimbra 10-SNMP for monitoring, this package should be installed on every Zimbra 10 server.

Zimbra 10 Logger

Installing this package is optional. It is installed on one mailbox server. It provides tools for syslog aggregation and reporting.

  • If you do not install Zimbra 10 Logger, the server statistics section of the administration console will not display.

  • The Zimbra 10 Logger package must be installed at the same time as the Zimbra 10 Store package.

Zimbra 10 Spell

This package is optional. It provides the open source spell checker Aspell used by the Zimbra 10 web app.

Zimbra 10 Apache

This package is installed automatically when Zimbra 10 Spell or Zimbra 10 Convertd is installed.

Zimbra 10 Convertd

This package should be installed on at least one Zimbra 10-Store server. Only one Zimbra 10-Convertd package needs to be present in the Zimbra Collaboration environment. The default is to install one Zimbra 10-Convertd on each Zimbra 10-Store server.

Zimbra 10 Archiving

The Zimbra 10 Archiving and Discovery feature is an optional feature for Zimbra Collaboration. Archiving and Discovery offers the ability to store and search all messages that were delivered to or sent by Zimbra Collaboration. This package includes the cross mailbox search function which can be used for both live and archive mailbox searches.

Using Archiving and Discovery can trigger additional mailbox license usage. To find out more about Zimbra 10 Archiving and Discovery, please refer to the Zimbra Daffodil Administration Guide.

Zimbra 10 OnlyOffice

This package is required for collaborative document editing, which is powered by OnlyOffice and enables collaborative editing of the documents stored in Briefcase. This package can be installed and set up on a Proxy server, Mailbox server or as a separate Document server.

Zimbra Daffodil (v10.1) License Daemon

Zimbra Daffodil (v10.1) adds a new license service, named License Daemon Service (LDS), to allow enhanced and flexible license management. The LDS is a required service to support the management of the license. Refer to the Licensing and LDS sections of the Admin Guide for more details.

The Zimbra 10 server configuration is menu driven. The installation menu shows you the default configuration values. The menu displays the logical host name and email domain name [mailhost.example.com] as configured on the computer. You can change any of the values. For single server installs, you must define the administrator’s password, which you use to log on to the administration console, and you specify the location of the Zimbra 10 license xml file.

Configuration Examples

Zimbra Collaboration can be easily scaled for any size of email environment, from very small businesses with fewer than 25 email accounts to large businesses with thousands of email accounts. Contact Zimbra Sales for more information about setting up your environment.

Downloading the Zimbra Software

For the latest Zimbra Collaboration software download, go to https://www.zimbra.com/downloads/. Save the Zimbra Collaboration download file to the computer from which you will install the software.

When Zimbra Collaboration is installed, the following Zimbra applications are saved to the Zimbra server.

You can access these download files from your Administration Console, on the Tools and Migration > Download page.

Instruction guides are available from the Help Center page or from https://www.zimbra.com/support/.

Zimbra Daffodil (v10.1) Licensing

Zimbra Daffodil (v10.1) introduced an automated licensing and entitlement system that gives better flexibility in managing licenses and allows for future growth.

As part of this change, a new license service named License Daemon Service (LDS) has been added to allow enhanced and flexible license management.

A Zimbra Collaboration license is required to enable license features and create accounts.

Following are the Zimbra Daffodil (v10.1) licensing updates:

  1. A new license daemon is part of the Zimbra installation. It is displayed as zimbra-license-daemon in the modules list and is required for the normal functioning of Zimbra.

  2. An 18-26 alphanumeric character key is required, which replaces the older license.xml file.

  3. Zimbra Collaboration licenses are restricted to the entitlement defined within the license and do not support multiple activations.

  4. Once the Zimbra Collaboration license is activated, no future license management by the user is required. License management is real-time and is managed by Zimbra.

  5. An offline license server has been introduced to support environments that don’t have access to the public network.

  6. All data gathered is based on license requirements and total usage, which meets GDPR and other legal regulations.

    The LDAP and LDS hostname are recorded for license registration and activation.

  7. Independent lab licenses are available. Contact the Zimbra Sales or Support team.

License Features

Zimbra Collaboration licensing gives administrators visibility and control of the licensed features they plan to deploy. You can monitor usages and manage the following license features.

Zimbra Daffodil (v10.1) introduced a detailed view of licensed and unlicensed features for better management within the Admin UI or command line. The following are tracked licensed features:

| Feature | Licensed Attributes | Description | Feature Code |
|---------|---------------------|-------------|--------------|
| Accounts | AccountsLimit | Accounts you can create. | AL |
| ZCO | MAPIConnectorAccountsLimit | Accounts that can use Zimbra 10 Connector for Microsoft Outlook (ZCO). | MCAL |
| EWS | EwsAccountsLimit | Accounts that can use EWS for connecting to an Exchange server. EWS is a separately licensed add-on feature. | EAL |
| Zimbra Mobile | MobileSyncAccountsLimit | Accounts that can use ActiveSync protocol to access emails on their mobile devices. | MSAL |
| S/MIME | SMIMEAccountsLimit | Accounts that can use S/MIME feature. | SMAL |
| Archiving | ArchivingAccountsLimit | Allowed archive accounts. The archive feature installation is required. | AAL |
| Zimbra Office | DocumentEditingAccountsLimit | Document collaboration feature that lets users create, edit and share documents within the organization. OnlyOffice installation is required. | DEAL |
| Sharing | SharingAccountsLimit | Control the Sharing & Delegation feature for the users. | SHAL |
| Briefcase | BriefcaseAccountsLimit | Control the Briefcase feature for the users. | BAL |
| Backup & Restore | BackupEnabled | Allows the admin to use Backup & Restore Feature | BE |
| Storage Management (Internal Volumes) | StorageManagementEnabled | Allows the admin to use Storage Management feature and create volumes using internal stores. | SME |
| Storage Management (External(S3) Volumes) | ObjectStoreSupportEnabled | Allows the admin to use Storage Management feature and create volumes using external S3 providers (e.g. AWS, Ceph). | OSSE |
| Attachment Indexing | AttachmentIndexingEnabled | Allows indexing of the attachment contents | AIE |
| Calendar | CalenderAccountsLimit | Enabling calendar feature for the users | CALAL |
| Conversation | ConversationEnabledAccountsLimit | Enabling conversation feature for the users | CNEAL |
| CrossMailboxSearch | CrossMailboxSearchEnabled | Allows doing searches for content across live and archive mailboxes. | CMBSE |
| Delegated Admin | DelegatedAdminAccountsLimit | Delegated Admin Accounts you can create | DAAL |
| Group Calendar | GroupCalenderAccountsLimit | Enables you to see multiple calendars at the same time | GCAL |
| Tag | TaggingEnabledAccountsLimit | Enabling tagging feature for the users | TEAL |
| Task | TaskEnabledAccountsLimit | Enabling task feature for the users | TKEAL |
| HTML View of attachments | ViewInHtmlEnabledAccountsLimit | View email attachments in HTML format | VHEAL |
| Zimlets | ManageZimletsEnabledAccountsLimit | User accounts that can manage Zimlets | MZEAL |
| Multi Factor Auth | MultiFactorAuthEnabled | Control the two factor authentication feature for the users. | MFAE |

Zimbra Daffodil (v10.1) License Requirements

You require a Zimbra 10 license to create accounts in Zimbra Collaboration and to use the Modern Web App.

A Trial License is limited to one email address, and an extension can be requested by contacting Zimbra Sales.

To try out Zimbra Collaboration, you can obtain a trial version free of charge. Once your system is installed in a production environment, you will need to purchase a subscription or a perpetual license.

| License Types | Description |
|---------------|-------------|
| Trial | You can obtain a free Trial license from the Zimbra website, at https://www.zimbra.com → Product → Download → Get Trial License. The trial license allows you to create up to 50 users. It expires in 60 days. |
| Subscription | A Zimbra 10 Subscription license can only be obtained through purchase. This license is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra 10 accounts (seats) you have purchased, the effective date, and the expiration date of the subscription license. |
| Perpetual | A Zimbra 10 Perpetual license can only be obtained through purchase. This license is similar to a subscription license. It is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra 10 accounts (seats) you have purchased, the effective date, and an expiration date of 2099-12-31. When you renew your support agreement, you receive no new perpetual license, but your Account record in the system gets updated with your new support end date. |

License Usage by Zimbra Collaboration Account Type

An account assigned to a person, including an account created for archiving, requires a mailbox license. Distribution lists, aliases, locations, and resources do not count against the license.

Below is a description of types of Zimbra Collaboration accounts and if they impact your license limit.

| License Account Type | Description |
|----------------------|-------------|
| System account | System accounts are specific accounts used by Zimbra Collaboration. They include the spam filter accounts for junk mail (spam and ham), the virus quarantine account for email messages with viruses, and the GALsync account if you configure GAL for your domain. Do not delete these accounts! These accounts do not count against your license. |
| Administrator account | Administrator and delegated administrator accounts count against your license. |
| User account | User accounts count against your license account limit. When you delete an account, the license account limit reflects the change. |
| Alias account, Distribution list, Resource account | These types do not count against your license. |

License Activation

All Zimbra Daffodil (v10.1) installations require license activation, and v10.1 continues to support the Automatic and Manual license methods. In Daffodil (v10.1), the terms have been changed to Online Activation and Offline Activation.

The Admin Console has been enhanced with a more intuitive and easy-to-follow UI where all the operations related to license deployment are on a single screen.

The activation of the Zimbra Daffodil (v10.1) License can be done during the installation, upgrade, or after the installation. No future license management is required on the server once the license has been activated.

Without activating the license, the Zimbra services will not start.

Online License Activation

Licenses are automatically activated if the Zimbra Collaboration server has a connection to the Internet and can communicate with the Zimbra 10 License server.

Following are the applicable activation rules for an online license:

  • The account should have a valid support end date.

  • The license should be valid (should not be expired).

  • The license can be switched, provided the new license limit is greater than or equal to the current license usage.

Following are the steps to activate the license:

Admin Console

  1. Login to Admin Console and go to Home → Get Started → Install Licenses → Online Activation

  2. In the Key text box, specify the 18-26 alphanumeric character license key and click on Activate.

  3. After successful activation, you will see a success message - Your license is successfully activated.

Command Line

You can also activate your license from the command line interface.

  1. As a zimbra user, run the command:

    zmlicense -a <license_key>

  2. After successful activation, you will see a success message - Your license is successfully activated.

Upgraded Zimbra Collaboration versions require an immediate activation to maintain network feature functionality.

If you are unable to activate your license automatically, see the next section on Offline License Activation.

Offline License Activation

The method of generating and activating an Offline License in Zimbra Daffodil (v10.1) has changed. As a pre-requisite, a new package, zimbra-nalpeiron-offline-daemon, has to be installed on the server that is running the license daemon service. After installing the package, an offline daemon service is started which acts as a locally run license manager.

The Offline License activation will not work if the package is not installed or the offline daemon service is not running.

The Offline Daemon service is critical to the functioning and management of an Offline License. It is recommended that you set up service monitoring to check the state of the service.

The offline license may take up to 48 hours to be issued.

Following is the architectural view of the Offline License process:

[Figure: Offline License Flow 2]

Pre-requisites

Following are the pre-requisites to be completed before installing the offline daemon packages:

Disable FIPS

FIPS should be disabled on the system before installing the packages.

Following are the steps to disable FIPS. Execute the commands as root user:

  • For RHEL/CentOS/Rocky Linux systems:

    sudo fips-mode-setup --disable
    sudo reboot

    • Verify FIPS is disabled. Check the /proc/sys/crypto/fips_enabled file. If disabled, the output is:

      $ cat /proc/sys/crypto/fips_enabled
      0

  • For Ubuntu systems:

    sudo ua disable fips
    sudo reboot

    • Verify FIPS is disabled. Check the /proc/sys/crypto/fips_enabled file. If disabled, the output is:

      $ cat /proc/sys/crypto/fips_enabled
      0

Disable SELinux

SELinux should be disabled on the system before installing the offline daemon packages. You will have to reboot the system to make the changes effective.

Following are the steps to disable SELinux. Execute the commands as root user:

  • For RHEL/CentOS/Rocky Linux systems:

    • Check the SELinux status. If the status appears enabled, execute the further steps to disable:

      $ sestatus | grep 'SELinux status\|Current mode'
      SELinux status:                 enabled
      Current mode:                   enforcing

    • Edit /etc/selinux/config:

      vi /etc/selinux/config

    • Change the SELINUX directive to disabled.

      SELINUX=disabled

    • Save and exit the file. Reboot the system:

      reboot

    • After the reboot, check the status. SELinux should appear disabled:

      $ sestatus | grep 'SELinux status'
      SELinux status:                 disabled

  • For Ubuntu systems:

    • Check the SELinux status. If the status appears enabled, execute the further steps to disable:

      $ sestatus | grep 'SELinux status\|Current mode'
      SELinux status:                 enabled
      Current mode:                   enforcing

    • Edit /etc/selinux/config:

      vi /etc/selinux/config

    • Change the SELINUX directive to disabled.

      SELINUX=disabled

    • Save and exit the file. You will have to reboot the system:

      reboot

    • After the reboot, check the status. SELinux should appear disabled:

      $ sestatus | grep 'SELinux status'
      SELinux status:                 disabled

Add locale en_US.utf8

Locale en_US.utf-8 is required for the offline daemon packages.

Following are the steps to check and add the locale. Execute the commands as root user:

  • For RHEL/CentOS/Rocky/Ubuntu Linux systems:

    • Check if the required locale en_US.utf8 is available on the system. If available, it is displayed as follows:

      $ locale -a | grep 'en_US.utf8'
      en_US.utf8

    • If not available, add the locale:

      $ localedef -i en_US -f UTF-8 en_US.UTF-8

Install offline daemon packages

Following are the steps to install the offline daemon packages. Execute the commands as a root user:

  • For RHEL/CentOS/Rocky Linux systems:

    yum clean metadata
    yum check-update
    yum install zimbra-nalpeiron-offline-daemon

  • For Ubuntu systems:

    apt-get update
    apt-get install zimbra-nalpeiron-offline-daemon

  • Verify the nalpdaemon service is active:

    $ systemctl status nalpdaemon
    ● nalpdaemon.service - Nalpeiron Licensing Daemon
       Loaded: loaded (/usr/lib/systemd/system/nalpdaemon.service; enabled; vendor preset: disabled)
       Active: active (running) since Sat 2024-06-08 02:03:37 EDT; 1s ago

In case the service is not active, restart the service:

    $ systemctl restart nalpdaemon

As a zimbra user, restart the LDS and configdctl service:

    $ su - zimbra
    $ zmlicensectl --service restart
    $ zmconfigdctl restart

Requesting and Activating Offline license

The method is supported through Admin Console and CLI.

Following are the steps:

Admin Console

  1. Contact the Support team to get the Network Key and License Key.

  2. Login to Admin Console and go to Home → Get Started → Install Licenses → Offline Activation

  3. Under Step 1, specify the Network Key and License Key and click on Generate Activation Request.

  4. After the network and product activation files are generated successfully, a Download button will appear next to the text box.

  5. Click on the Download button next to the text box and save the files. The name and filetype will be pre-populated when saving - network_activation_fingerprint, product_activation_fingerprint.

  6. Login to Support Portal and select the License tab.

  7. Select Generate an Offline License Activation file for versions 10.1 or greater.

  8. Specify the Product License Key and Network License Key.

  9. Copy the contents of the network_activation_fingerprint.txt file and paste them in the Network Activation Fingerprint text box.

  10. Copy the contents of the product_activation_fingerprint.txt file and paste them in the Product Activation Fingerprint text box.

  11. Specify the product version in the Product Version text box.

  12. Click on Generate License Certificate.

  13. Save the generated License Activation XML file.

  14. Go back to the Admin Console License page.

  15. Under Offline Activation → Step3, upload the License Activation XML file and click on Activate.

  16. After successful activation, you will see a success message - Your license is successfully activated.

Command Line

  1. Contact Sales and get the Network Key and License Key.

  2. As a zimbra user, run the zmlicense command to generate Network Key and License Key:

    zmlicense --offlineActivationRequestCert --network <network_key> --product <product_key>

  3. Save the certificates printed on the screen as network_activation_fingerprint.txt and product_activation_fingerprint.txt.

  4. Login to Support Portal and select the License tab.

  5. Select Generate an Offline License Activation file for versions 10.1 or greater.

  6. Specify the Product License Key and Network License Key.

  7. Copy the contents of the network_activation_fingerprint.txt file and paste them in the Network Activation Fingerprint text box.

  8. Copy the contents of the product_activation_fingerprint.txt file and paste them in the Product Activation Fingerprint text box.

  9. Specify the product version in the Product Version text box.

  10. Click on Generate License Certificate.

  11. Save the generated License Activation XML file on the server.

  12. As a zimbra user, run the zmlicense command to activate the offline license:

    zmlicense -A /path_to_XML/activation_file.xml

  13. After successful activation, you will see a success message - Your license is successfully activated.

If you have problems accessing the Support Portal or face any issues when activating the Offline License, contact Zimbra Sales or Support.

When Licenses are not Installed or Activated

If you fail to install or activate your Zimbra Collaboration server license, the following scenarios describe how your Zimbra Collaboration server will be impacted.

License Condition Description/Impact

Not installed

With no installed license, the Zimbra Collaboration server defaults to single user mode where all license-limited features are limited to one user.

Not valid

If the license file appears forged or fails validation for other reasons, the Zimbra Collaboration server defaults to single-user mode.

Not activated

A license activation grace period is 10 days. If this period passes without activation, the Zimbra Collaboration server defaults to single-user mode.

For future date

If the license starting date is in the future, the Zimbra Collaboration server defaults to single-user mode.

In grace period

From Zimbra Daffodil (v10.1) onwards, the Grace Period functionality has changed. For more details, please refer to the Grace Period section in the Admin Guide.

Expired

If the license ending date has passed, the 30 day grace period has expired, and users decide not to obtain a new license, the following functions stop working: all the network features, account operations (create, edit, delete), and Modern UI. Normal email operations will continue to work.

Renewal

If the license is renewed within the grace period or after expiry, the network features will be functional including account operations and Modern UI. Mailbox service restart is required after successful license activation.

Obtaining a License

Go to the Zimbra Website https://www.zimbra.com → Product → Download → Get Trial License to obtain a trial license. Contact Zimbra sales to extend the trial license, or to purchase a subscription license or perpetual license, by emailing sales@zimbra.com or calling 1-972-407-0688.

The subscription and perpetual licenses can only be installed on the Zimbra Collaboration system identified during purchase. Only one Zimbra 10 license is required for your Zimbra Collaboration environment. This license sets the maximum number of accounts on the system.

Current license information, including the number of accounts purchased, the number of accounts used, and the expiration date, can be viewed in the Admin Console.

Admin Console:

Home → Get Started → Install Licenses → Current License Information.

License Reconciliation and Data Collection Notice

By consenting to the End-User License Agreement, you grant Synacor Inc. and certain of its licensees permission to collect licensing and non-personally-identifiable usage data from your Zimbra Collaboration server.

During installation, upgrades, and periodically while in use, the Zimbra Collaboration server transmits information for reconciliation of billing and license data.

Permission for this data collection is granted under sections 11.4 and 11.6 of the End User License Agreement for Zimbra Collaboration. Copies of the license can be found at https://www.zimbra.com/legal/licensing/.

The data that is being collected consists of elements of the current license information and is governed by Synacor’s Privacy Policy, which can be found at https://www.synacor.com/privacy-policy/.

The default configuration installs Zimbra 10-LDAP, Zimbra 10-MTA with anti-virus and anti-spam protection, the Zimbra 10 mailbox server, SNMP monitoring tools (optional), Zimbra 10-spell (optional), the logger tool (optional), and the Zimbra 10 proxy on one server.

The menu driven installation displays the components and their existing default values. You can modify the information during the installation process. The table below describes the menu options.

Server Configured Menu Item Description

Main Menu

All

Common Configuration

Select the sub-menu for Common Configuration Options

zimbra-ldap

Select the sub-menu for Ldap configuration

zimbra-logger

Toggle whether zimbra-logger is enabled or not.

zimbra-mta

Select the sub-menu for Mta configuration. Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra MTA also includes the anti-virus and anti-spam components.

zimbra-dnscache

Select the sub-menu for DNS Cache. Intended primarily on MTAs for optimized DNS and RBL lookups. Can also be installed on mailstores and proxy servers.

zimbra-snmp

Select the sub-menu for Snmp configuration. Installing the Zimbra-SNMP package is optional. If you choose to install Zimbra-SNMP for monitoring, the package should be run on every server (Zimbra server, Zimbra LDAP, Zimbra MTA) that is part of the Zimbra configuration. Zimbra uses swatch to watch the syslog output to generate SNMP traps.

zimbra-store

Select the sub-menu for Store configuration

zimbra-spell

Toggle whether zimbra-spell is enabled or not.

zimbra-convertd

Toggle whether zimbra-convertd is enabled or not - defaults to yes
The default is to install one zimbra-convertd on each zimbra-store server. But only one zimbra-convertd needs to be present in a deployment depending on size of Zimbra 10 environment.

zimbra-proxy

Select the sub-menu for Proxy configuration

Default Class of Service Configuration

This menu section lists major new features for the Zimbra Collaboration release and whether each feature is enabled or not. When you change a feature setting during Zimbra Collaboration installation, you change the default COS settings. Having this control lets you decide when to introduce new features to your users.

s) Save config to file

At any time during the installation, you can save the configuration to file.

c) Collapse menu

Allows you to collapse the menu.

x) Expand menu

Expand menus to see the underlying options

q) Quit

Quit can be used at any time to quit the installation.

Common Configuration Options

The packages installed in common configuration include libraries, utilities, monitoring tools, and basic configuration files under Zimbra Core.

Server Configured Menu Item Description

Common Configuration - These are common settings for all servers

All

Hostname

The host name configured in the operating system installation

LDAP master host

The LDAP host name. On a single server installation, this name is the same as the hostname. On a multi server installation, this LDAP host name is configured on every server

LDAP port

The default port is 389

LDAP Admin password

This is the master LDAP password. This is the password for the Zimbra admin user and is configured on every server

All except Zimbra LDAP Server

LDAP Base DN

The base DN describes where to load users and groups. In LDAP form, it is cn=Users. Default is cn=zimbra.

All

Secure interprocess communications

The default is yes. Secure interprocess communications requires that connections between the mail store, and other processes that use Java, use secure communications. It also specifies whether secure communications should be used between the master LDAP server and the replica LDAP servers for replication.

Time Zone

Select the time zone to apply to the default COS. The time zone that should be entered is the time zone that the majority of users in the COS will be located in. The default time zone is PST (Pacific Time).

IP Mode

IPv4 or IPv6.

Default SSL digest

Sets the default message digest to use when generating certificates. The default is sha256.

Ldap configuration
Server Configured Menu Item Description

zimbra-ldap - These options are configured on the Zimbra LDAP server.

Zimbra LDAP Server

Status

The default is Enabled. For replica LDAP servers, the status can be changed to Disabled if the database is manually loaded after installation completes.

Create Domain

The default is yes. You can create one domain during installation. Additional domains can be created from the administration console.

Domain to create

The default domain is the fully qualified hostname of the server. If you created a valid mail domain on your DNS server, enter it here.

LDAP Root password

By default, this password is automatically generated and is used for internal LDAP operations.

LDAP Replication password

This is the password used by the LDAP replication user to identify itself to the LDAP master and must be the same as the password on the LDAP master server.

LDAP Postfix password

This is the password used by the postfix user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP master server.

LDAP Amavis password

This password is automatically generated and is the password used by the amavis user to identify itself to the LDAP server and must be the same password on the LDAP master server and on the MTA server.

LDAP Nginx password

This password is automatically generated and is used by the nginx user to identify itself to the LDAP server and must be the same password on the LDAP master server and on the MTA server. NOTE: This option is displayed only if the zimbra-proxy package is installed.

Zimbra Logger
Server Configured Menu Item Description

Zimbra mailbox server

zimbra-logger

The Logger package is installed on one mail server. If installed, it is automatically enabled. Logs from all the hosts are sent to the mailbox server where the logger package is installed. This data is used for generating statistics graphs and reporting and for message tracing.

MTA Server Configuration Options

Zimbra MTA server configuration involves installation of the Zimbra-MTA package. This also includes anti-virus and anti-spam components.

Server Configured Menu Item Description

zimbra-mta

Zimbra MTA Server

MTA Auth host

This is configured automatically if the MTA authentication server host is on the same server, but must be configured if the authentication server is not on the MTA. The MTA Auth host must be one of the mailbox servers.

Enable Spamassassin

Default is enabled.

Enable ClamAV

Default is enabled. To configure attachment scanning, see Scanning Attachments in Outgoing Mail

Notification address for AV alerts

Sets the notification address for AV alerts. You can either accept the default or create a new address. If you create a new address, remember to provision this address from the admin console. NOTE: If the virus notification address does not exist and your host name is the same as the domain name on the Zimbra server, the virus notifications remain queued in the Zimbra MTA server and cannot be delivered.

Bind password for Postfix LDAP user

Automatically set. This is the password used by the postfix user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP master server.

Bind password for Amavis LDAP user

Automatically set. This is the password used by the amavis user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the amavis password on the master LDAP server.

New installs of Zimbra 10 limit spam/ham training to the first MTA installed. If you uninstall or move this MTA, you will need to enable spam/ham training on another MTA, as one host should have this enabled to run zmtrainsa --cleanup. To do this on that host, do:

zmlocalconfig -e zmtrainsa_cleanup_host=TRUE

DNS Cache
Server Configured Menu Item Description

zimbra-dnscache (optional)

Zimbra mailbox server

Master DNS IP address(es)

IP addresses of DNS servers

Enable DNS lookups over TCP

yes or no

Enable DNS lookups over UDP

yes or no

Only allow TCP to communicate with Master DNS

yes or no

Snmp configuration
Server Configured Menu Item Description

zimbra-snmp (optional)

All

Enable SNMP notifications

The default is yes.

SNMP Trap hostname

The hostname of the SNMP Trap destination

Enable SMTP notification

The default is yes.

SMTP Source email address

From address to use in email notifications

SMTP Destination email address

To address to use in email notifications

Store configuration
zimbra-store

Zimbra Mailbox Server

Create Admin User

Yes or No. The administrator account is created during installation. This account is the first account provisioned on the Zimbra 10 server and allows you to log on to the administration console.

Admin user to create

The user name assigned to the administrator account. Once the administrator account has been created, it is suggested that you do not rename the account as automatic Zimbra Collaboration notifications might not be received.

Admin Password

You must set the admin account password. The password is case sensitive and must be a minimum of six characters. The administrator name, mail address, and password are required to log in to the administration console.

Anti-virus quarantine user

A virus quarantine account is automatically created during installation. When AmavisD identifies an email message with a virus, the email is automatically sent to this mailbox. The virus quarantine mailbox is configured to delete messages older than 7 days.

Enable automated spam training

Yes or No. By default, the automated spam training filter is enabled and two mail accounts are created - one for the Spam Training User and one for the Non-spam (HAM) Training User. See the next 2 menu items which will be shown if spam training is enabled.
These addresses are automatically configured to work with the spam training filter. The accounts created have randomly selected names. To recognize what the accounts are used for, you may want to change their names.
The spam training filter is automatically added to the cron table and runs daily.

Spam Training User

to receive mail notification about mail that was not marked as junk, but should have been.

Non-spam (HAM) Training User

to receive mail notification about mail that was marked as junk, but should not have been.

The default port configurations are shown

Zimbra Mailbox Server

SMTP host

Defaults to current server name

Web server HTTP port:

default 80

Web server HTTPS port:

default 443

Web server mode

Can be HTTP, HTTPS, Mixed, Both or Redirect.

  • Mixed mode uses HTTPS for logging in and HTTP for normal session traffic

  • Both mode means that an HTTP session stays HTTP, including during the login phase, and an HTTPS session remains HTTPS throughout, including the login phase.

  • Redirect mode redirects any users connecting via HTTP to an HTTPS connection.

  • All modes use SSL encryption for back-end administrative traffic.

IMAP server port

default 143

IMAP server SSL port

default 993

POP server port

default 110

POP server SSL port

default 995

Use spell checker server

default Yes (if installed)

Spell server URL

http://<example.com>:7780/aspell.php

If either or both of these next 2 options are changed to TRUE, the proxy setting on the mailbox store are enabled in preparation for setting up zimbra-proxy.

Zimbra Mailbox Server

*Configure for use with mail proxy.

default FALSE

*Configure for use with web proxy.

default FALSE

Enable version update checks.

Zimbra Collaboration automatically checks to see if a new Zimbra Collaboration update is available. The default is TRUE.

Enable version update notifications.

This enables automatic notification when updates are available when this is set to TRUE.
NOTE: The software update information can be viewed from the Administration Console Tools Overview pane.

Version update notification email.

This is the email address of the account to be notified when updates are available. The default is to send the notification to the admin’s account.

Version update source email.

This is the email address of the account that sends the email notification. The default is the admin’s account.

License Activation.

Selects the license options. You can choose to activate the license either during installation or after installation.

Proxy configuration

Zimbra Proxy (Nginx-Zimbra) is a high-performance reverse proxy server that passes IMAP[S]/POP[S]/HTTP[S] client requests to other internal Zimbra 10 services.

It requires the separate package Zimbra Memcached, which is automatically selected when the zimbra-proxy package is installed. One server must run zimbra-memcached when the proxy is in use. All installed Zimbra proxies can use a single memcached server.

Server Configured Menu Item Description

zimbra-proxy

mailbox server,
MTA server or
own independent server

Enable POP/IMAP Proxy

default TRUE

IMAP proxy port

default 143

IMAP SSL proxy port

default 993

POP proxy port

default 110

POP SSL proxy port

default 995

Bind password for nginx ldap user

default set

Enable HTTP[S] Proxy

default TRUE

HTTP proxy port

default 80

HTTPS proxy port

default 443

Proxy server mode

default https

Scanning Attachments in Outgoing Mail

You can enable real-time scanning of attachments in outgoing emails sent using the Zimbra 10 Web Client. If enabled, when an attachment is added to an email, it is scanned using ClamAV prior to sending the message. If ClamAV detects a virus, it will block attaching the file to the message. By default, scanning is configured for a single node installation.

To enable in a multi-node environment, one of the MTA nodes needs to be picked for handling ClamAV scanning. Then, the necessary configuration can be done using the following commands:

zmprov ms <mta server> zimbraClamAVBindAddress <mta server>
zmprov mcf zimbraAttachmentsScanURL clam://<mta server>:3310/
zmprov mcf zimbraAttachmentsScanEnabled TRUE

Overview of the Zimbra Proxy Server

Zimbra 10 Proxy (Nginx-Zimbra) is a high-performance reverse proxy server that passes IMAP[S]/POP[S]/HTTP[S] client requests to other internal Zimbra Collaboration services. A reverse proxy server is an Internet-facing server that protects and manages client connections to your internal services. It can also provide functions like: GSSAPI authentication, throttle control, SSL connection with different certificates for different virtual host names, and other features.

In a typical use case, Zimbra 10 Proxy extracts user login information (such as account id or user name) and then fetches the route to the upstream mail server or web server’s address from the Nginx Lookup Extension, and finally proxies the interactions between clients and upstream Zimbra Collaboration servers. To accelerate the speed of route lookup, memcached is introduced, which caches the lookup result. The subsequent login with the same username is directly proxied without looking up in Nginx Lookup Extension.

You can install the Zimbra 10 Proxy package on a mailbox server, MTA server, or on its own independent server. When the Zimbra 10 Proxy package is installed, the proxy feature is enabled. In most cases, no modification is necessary.

Benefits for using the Zimbra 10 Proxy include:

  • Centralizes access to Mailbox servers

  • Load Balancing

  • Security

  • Authentication

  • SSL Termination

  • Caching

  • Centralized Logging and Auditing

  • URL Rewriting

For more information, see the wiki page https://wiki.zimbra.com/wiki/Zimbra_Proxy_Guide

Zimbra 10 Proxy Components and Memcached

Zimbra 10 Proxy is designed to provide a HTTP[S]/POP[S]/IMAP[S] reverse proxy that is quick, reliable, and scalable. Zimbra 10 Proxy includes the following:

  • Nginx. A high performance HTTP[S]/POP[S]/IMAP[S] proxy server which handles all incoming HTTP[S]/POP[S]/IMAP[S] requests.

  • Zimbra 10 Proxy Route Lookup Handler. This is a servlet (also known as the Nginx Lookup Extension or NLE) located on the Zimbra Collaboration mailbox server. This servlet handles queries for the user account route information (the server and port number where the user account resides).

Memcached is a high performance, distributed memory object caching system. Route information is cached for further use to increase performance. zimbra-memcached is a separate package that is recommended to be installed along with zimbra-proxy.

Zimbra 10 Proxy Architecture and Flow

The following sequence explains the architecture and the login flow when an end client connects to Zimbra 10 Proxy.

  1. End clients connect to Zimbra 10 Proxy using HTTP[S]/POP[S]/IMAP[S] ports.

  2. Proxy attempts to contact a memcached server (elected from the available memcached servers, using a round-robin algorithm) if available and with caching enabled to query the upstream route information for this particular client.

  3. If the route information is present in memcached, then this will be a cache-hit case and the proxy connects to the corresponding Zimbra Mailbox server right away and initiates a web/mail proxy session for this client. The memcached component stores the route information for the configured period of time (configurable and one hour by default). Zimbra 10 proxy uses this route information instead of querying the Zimbra Proxy Route Lookup Handler/NLE until the default period of time has expired.

  4. If the route information is not present in memcached, then this will be a cache-miss case, so Zimbra 10 Proxy will proceed sending an HTTP request to an available Zimbra 10 Proxy Route Lookup Handler/NLE (elected by round-robin), to look up the upstream mailbox server where this user account resides.

  5. Zimbra 10 Proxy Route Lookup Handler/NLE locates the route information from LDAP for the account being accessed and returns this back to Zimbra 10 Proxy.

  6. Zimbra 10 Proxy uses this route information to connect to the corresponding Zimbra 10 Mailbox server and initiates a web/mail proxy session. It also caches this route information into a memcached server so that the next time this user logs in, the memcached server has the upstream information available in its cache, and Zimbra 10 Proxy will not need to contact NLE. This is transparent to the end client, which behaves as if it is connecting directly to the Zimbra 10 Mailbox server.

Zimbra 10 Proxy Position in Zimbra Collaboration Runtime

The following figure displays the positions of Zimbra 10 Proxy and its relationships to other components of Zimbra Collaboration.

Proxy place in network

Deployment Strategy

Regarding deployment strategy and position with respect to non-proxy hosts, Zimbra 10 actively suggests using the Proxy server on the edge (either on an independent server or on the same server running LDAP/MTA) with mailbox servers behind it. In the case of multiple proxies, an external load balancer can be placed in front to distribute the load evenly among the proxy servers.

The Zimbra 10 Proxy package does not act as a firewall and needs to be behind the firewall in customer deployments.

Configuration during installation

The zimbra-proxy package needs to be selected during the installation process (it is installed by default). It is highly recommended to install memcached along with the proxy for better performance.

Install zimbra-proxy [Y]
Install zimbra-memcached [Y]

This would install and enable all IMAP[S]/POP[S]/HTTP[S] proxy components with the following default configuration.

    Proxy configuration

       1) Status:                                  Enabled
       2) Enable POP/IMAP Proxy:                   TRUE
       3) IMAP proxy port:                         143
       4) IMAP SSL proxy port:                     993
       5) POP proxy port:                          110
       6) POP SSL proxy port:                      995
       7) Bind password for nginx ldap user:       set
       8) Enable HTTP[S] Proxy:                    TRUE
       9) HTTP proxy port:                         80
      10) HTTPS proxy port:                        443
      11) Proxy server mode:                       https

Zimbra 10 Proxy Ports

The following ports are used either by Zimbra 10 Proxy or by Zimbra 10 Mailbox (if Proxy is not configured).
If you have any other services running on these ports, turn them off.

End clients connect directly to Zimbra 10 Proxy, using the Zimbra 10 Proxy Ports. Zimbra 10 Proxy connects to the Route Lookup Handler/NLE (which resides on Zimbra 10 Mailbox server) using the Zimbra 10 Mailbox Ports.

Zimbra 10 Proxy Port Mapping

Zimbra 10 Proxy Ports (External to Zimbra Collaboration)

HTTP

80

HTTPS

443

POP3

110

POP3S (Secure POP3)

995

IMAP

143

IMAPS (Secure IMAP)

993

Zimbra 10 Mailbox Ports (Internal to Zimbra Collaboration)

Route Lookup Handler

7072

HTTP Backend (if Proxy configured)

8080

HTTPS Backend (if Proxy configured)

8443

POP3 Backend (if Proxy configured)

7110

POP3S Backend (if Proxy configured)

7995

IMAP Backend (if Proxy configured)

7143

IMAPS Backend (if Proxy configured)

7993
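
The port mapping above can be turned into a pre-install check for services already listening on ports Zimbra needs. The script below is an added example, not part of the Zimbra installer; the function names and the sample `ss` output are constructed for illustration, and only the port numbers come from the table.

```shell
#!/bin/sh
# Port lists copied from the "Zimbra 10 Proxy Port Mapping" table.
PROXY_PORTS="80 443 110 995 143 993"                 # external, on the proxy node
MAILBOX_PORTS="7072 8080 8443 7110 7995 7143 7993"   # internal, on a mailbox node behind the proxy

# port_conflicts "PORT LIST" < ss-output
# Reads `ss -ltnp` style lines and prints "port owner" once for every listed
# port that already has a listener. Header lines are skipped because only
# rows whose first column is LISTEN are considered.
port_conflicts() {
    awk -v wanted="$1" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "LISTEN" {
            k = split($4, part, ":")       # handles 0.0.0.0:80, [::]:80 and *:80
            port = part[k]
            if ((port in want) && !(port in seen)) {
                seen[port] = 1
                print port, ($6 == "" ? "(owner not shown)" : $6)
            }
        }'
}

# preflight proxy|mailbox < ss-output
# Returns 0 when none of the role's ports are taken, 1 otherwise.
preflight() {
    case $1 in
        proxy)   ports=$PROXY_PORTS ;;
        mailbox) ports=$MAILBOX_PORTS ;;
        *) echo "usage: preflight proxy|mailbox" >&2; return 2 ;;
    esac
    found=$(port_conflicts "$ports")
    if [ -z "$found" ]; then
        echo "no conflicting listeners for role '$1'"
        return 0
    fi
    printf '%s\n' "$found" | while read -r port owner; do
        echo "port $port is already in use by $owner"
    done
    return 1
}

# Constructed sample of `ss -ltnp` output (not captured from a real host).
SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1044,fd=4))
LISTEN 0 511 [::]:80 [::]:* users:(("httpd",pid=1044,fd=5))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("httpd",pid=1044,fd=6))
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=990,fd=13))
LISTEN 0 50 *:8080 *:* users:(("java",pid=1500,fd=40))
EOF
)

# Demo on the constructed sample. On a real host, run as root before install.sh:
#   ss -ltnp | preflight proxy
echo "proxy node:";   printf '%s\n' "$SAMPLE_SS" | preflight proxy   || true
echo "mailbox node:"; printf '%s\n' "$SAMPLE_SS" | preflight mailbox || true
```
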

Configuring for Virtual Hosting

You can configure multiple virtual hostnames to host more than one domain name on a server. When you create a virtual host, users can log in without having to specify the domain name as part of their user name.

Virtual hosts are configured from the administration console Configure → Domains → Virtual Hosts page. The virtual host requires a valid DNS configuration with an A record.

When users log in, they enter the virtual host name in the browser. For example, https://mail.example.com. When the Zimbra 10 logon screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.

Preparing Your Server Environment

To successfully install and run Zimbra Daffodil, ensure your system meets the requirements described in this section. System administrators should be familiar with installing and managing email systems.

Do not manually create the user zimbra before running the Zimbra 10 installation. The installation automatically creates this user and sets up its environment.

System Requirements

For the Zimbra Daffodil system requirements see System Requirements for Zimbra Daffodil at the end of this guide.

Modifying Operating System Configurations

Zimbra Collaboration runs on one of several operating systems, including Ubuntu® LTS, Red Hat® Enterprise Linux, CentOS, Rocky and Oracle Linux.

A full default installation of the Linux distribution that you select is required.

Zimbra recommends that the operating systems you use are updated with the latest patches that have been tested with Zimbra Collaboration. See the latest release notes to see the operating systems patch list that has been tested with Zimbra Collaboration.

Configuring High-Fidelity Document Preview

This section is applicable only if the zimbra-onlyoffice package was not installed during the installation process. Onlyoffice allows high-fidelity document preview and collaborative editing.

The high-fidelity document preview feature requires the installation of LibreOffice or the LibreOffice-core package, depending on the operating system you are running.

If LibreOffice is installed, the system is automatically configured to use high-fidelity document preview. If LibreOffice is not installed, the preview engine from prior Zimbra Collaboration releases is used.

This can be accomplished with the appropriate Linux distribution’s package management systems:

  • For RHEL 7/8, install the libreoffice-core package:

    yum install libreoffice
    yum install libreoffice-core

  • For Ubuntu, install libreoffice:

    apt-get install libreoffice

DNS Configuration Requirement

When you create a domain during the installation process, Zimbra Collaboration checks to see if you have an MX record correctly configured for that domain. If it is not, an error is displayed suggesting that the domain name have an MX record configured in DNS.

To send and receive email, the Zimbra 10 MTA must be configured in DNS with both A and MX records. For sending mail, the MTA uses DNS to resolve hostnames and email-routing information. To receive mail, the MX record must be configured correctly to route the message to the mail server.

You must configure a relay host if you do not enable DNS. After Zimbra Collaboration is installed, go to the administration console's Global Settings → MTA tab and:

  • Uncheck Enable DNS lookups.

  • Enter the relay MTA address to use for external delivery.

Even if a relay host is configured, an MX record is still required if the Zimbra Collaboration server is going to receive email from the Internet.
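
The DNS requirement above can be checked before running the installer. The script below is an added example, not part of the Zimbra tooling: it verifies that the mail domain has an MX record, that every MX target resolves to an A record, and that the MTA host itself has an A record. The function names are hypothetical, and `constructed_zone` holds made-up answers in `dig +short` format so the checks can run offline; omit the third argument to query live DNS with `dig`.

```shell
#!/bin/sh
# dns_query TYPE NAME: live resolver, one answer per line (requires dig).
dns_query() { dig +short "$2" "$1"; }

# constructed_zone TYPE NAME: constructed answers in `dig +short` format.
# All names and addresses are made up (reserved documentation ranges).
constructed_zone() {
    case "$1 $2" in
        "MX example.org")      echo "10 mail.example.org." ;;
        "A mail.example.org")  echo "192.0.2.25" ;;
        "MX example.com")      echo "10 mta1.example.com."; echo "20 mta2.example.com." ;;
        "A mta1.example.com")  echo "192.0.2.10" ;;
    esac
}

# has_a_record HOST [RESOLVER]: true when at least one IPv4 address comes back.
has_a_record() {
    "${2:-dns_query}" A "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_mail_dns DOMAIN MTA_FQDN [RESOLVER]
# Returns 0 only when DOMAIN has an MX record, every MX target has an A
# record, and the MTA host has an A record.
check_mail_dns() {
    domain=$1; mta=$2; resolve=${3:-dns_query}; status=0

    # MX answers look like "10 mail.example.org."; keep the host, drop the dot.
    mx_hosts=$("$resolve" MX "$domain" | awk 'NF >= 2 { sub(/\.$/, "", $2); print $2 }')
    if [ -z "$mx_hosts" ]; then
        echo "FAIL: $domain has no MX record"
        return 1
    fi

    for host in $mx_hosts; do
        if has_a_record "$host" "$resolve"; then
            echo "ok:   MX target $host resolves"
        else
            echo "FAIL: MX target $host has no A record"
            status=1
        fi
    done

    if ! has_a_record "$mta" "$resolve"; then
        echo "FAIL: MTA host $mta has no A record"
        status=1
    fi

    # Informational only: MX may legitimately point at a gateway or balancer.
    if ! printf '%s\n' "$mx_hosts" | grep -qixF "$mta"; then
        echo "note: $mta is not listed as an MX target for $domain"
    fi
    return $status
}

# Demo against the constructed zone. For a real check before install:
#   check_mail_dns yourdomain.tld mta.yourdomain.tld
check_mail_dns example.org mail.example.org constructed_zone || true
check_mail_dns example.com mta1.example.com constructed_zone || true
```
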

Multiple-Server Installation

The multiple-server installation is straight-forward and easy to run. You run the same installation script on each server, select the component(s) to install, and use the menu to configure the system.

When the server installation is complete after final set-up and server configuration steps are run, the servers are started and the status is displayed.

For Document server, you can also decide on which node it has to be setup. The default selection for zimbra-onlyoffice package is set to Y. Change the selection to N if you don’t want to install the package. Please refer to section for installation of Document server on a separate node.

Zimbra Daffodil (v10.1) Installer changes

Zimbra Daffodil (v10.1) introduced an automated licensing and entitlement system that gives better flexibility in managing licenses and allows for future growth.

Zimbra Daffodil (v10.1) adds a new license service named License Daemon Service (LDS) to allow enhanced and flexible license management.

A Zimbra Collaboration license is required to enable license features and create accounts.

Following are the Zimbra Daffodil (v10.1) licensing updates:

  1. A new license daemon is part of the Zimbra installation. It gets displayed as zimbra-license-daemon in the modules list and is required for the normal functioning of Zimbra.

  2. An 18-26 alphanumeric character key is required which replaces the older license.xml file.

  3. Zimbra Collaboration licenses are restricted to the entitlement defined within the license and do not support multiple activations.

  4. Once the Zimbra Collaboration license is activated no future license management by the user is required. License management is real-time and is managed by Zimbra.

  5. An offline license server has been introduced to support environments that don’t have access to the public network.

  6. All data gathered is based on license requirements and total usage which meets GDPR and other legal regulations.

    The LDAP and LDS hostnames are recorded for license registration and activation.

  7. Independent lab licenses are available. Contact Zimbra Sales or Support team.

The license daemon is now part of the Zimbra installation. It is displayed as zimbra-license-daemon in the modules list and by default is set to Y. The LDS is a required service to support the management of the license.

If the license daemon service is not installed or not running, Zimbra’s network features will not be able to validate and will be disabled which will affect license functionality and account management.

LDS service deployment:

LDS service deployment depends on the mode of the license activation. Refer to License Activation section for more information.

  1. Online Activation:

    1. LDS service should be installed on a server having outgoing internet access. Incoming internet traffic is not required.

    2. Zimbra recommends installing LDS on a dedicated node.

    3. If you cannot install LDS on a dedicated node, then it can be installed on a Proxy or MTA node.

      For more information on LDS and how to set up a separate node, please refer to the LDS section.

  2. Offline Activation:

    1. LDS service can be installed on any server and does not require internet access.

    2. Offline Daemon service should be installed on server having LDS service.

    3. Zimbra recommends installing LDS and Offline Daemon service on a dedicated node.

    4. If you cannot install LDS and Offline Daemon service on a dedicated node, then it can be installed on any other node.

Order of LDS node installation:
  1. For Online mode, LDS service should be installed before installing first mailbox server.

  2. For Offline mode, LDS and Offline Daemon service should be installed before installing first mailbox server.

Order of Installation

The installation steps are documented assuming you will install LDS on a dedicated node.
  1. LDAP server(s)

  2. MTA server(s)

  3. Proxy server(s)

  4. License Daemon Service

  5. Mailbox server(s)

Zimbra-proxy is normally installed on the MTA server or you can install it on its own server.
Do not manually create the user ‘zimbra’ before running the Zimbra 10 installation. The installation automatically creates this user and sets up its environment.
Before you start, verify that the system clocks are synced on all servers.

Starting the Installation Process

[IMPORTANT]:

Before you begin, make sure to:

For the latest Zimbra Collaboration software downloads, go to https://www.zimbra.com. Save the Zimbra Collaboration tar file to the computer from which you are installing the software.

The screen shots are examples of the Zimbra Collaboration installation script. The actual script may be different.

Step 1 through step 4 are performed for each server to be installed.

Open an SSH session to the Zimbra 10 server and follow the steps below:

  1. Log in as root to the Zimbra Collaboration server and cd to the directory where the Zimbra Collaboration archive file is saved (cd /var/<tmp>). Type the following commands.

    • tar xzvf [zcs.tgz] to unpack the file

    • cd [zcs filename] to change to the correct directory. The filename includes the release and build date.

    • ./install.sh to begin the installation.

    As the installation proceeds, press Enter to accept the defaults that are shown in brackets [ ] or enter the appropriate answer (Y/N) for your configuration.
    root@mailhost:/tmp# tar xzvf zcs.tgz
    zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525/
    zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525/packages/
    .
    .
    .
    zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525/install.sh
    zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525/README.txt
    
    root@zimbraiop:/tmp/# cd zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525/
    root@zimbraiop:/tmp/zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525# ./install.sh
    
    Operations logged to /tmp/install.log.y1YeCSI5
    .
    .
    .
  2. The install.sh script reviews the installation software to verify that the Zimbra 10 packages are available. The installation process checks to see whether any of the applications Sendmail, Postfix, MySQL or MariaDB are running. If any of these applications are running, you are asked to disable them. Disabling MySQL and MariaDB is optional but highly recommended. Sendmail and Postfix MUST be disabled for Zimbra Collaboration to start correctly.

    root@zimbraiop:/tmp/zcs-NETWORK-10.1.0_GA_4633.RHEL8_64.20240608004525# ./install.sh
    
    
    Operations logged to /tmp/install.log.KaWxzjhU
    Checking for existing installation...
        zimbra-license-tools...NOT FOUND
        zimbra-license-extension...NOT FOUND
        zimbra-network-store...NOT FOUND
        zimbra-modern-ui...NOT FOUND
        zimbra-modern-zimlets...NOT FOUND
        zimbra-zimlet-document-editor...NOT FOUND
        zimbra-zimlet-classic-document-editor...NOT FOUND
        zimbra-zimlet-classic-set-default-client...NOT FOUND
        zimbra-patch...NOT FOUND
        zimbra-mta-patch...NOT FOUND
        zimbra-proxy-patch...NOT FOUND
        zimbra-ldap-patch...NOT FOUND
        zimbra-ldap...NOT FOUND
        zimbra-logger...NOT FOUND
        zimbra-mta...NOT FOUND
        zimbra-dnscache...NOT FOUND
        zimbra-snmp...NOT FOUND
        zimbra-license-daemon...NOT FOUND
        zimbra-store...NOT FOUND
        zimbra-apache...NOT FOUND
        zimbra-spell...NOT FOUND
        zimbra-convertd...NOT FOUND
        zimbra-memcached...NOT FOUND
        zimbra-proxy...NOT FOUND
        zimbra-archiving...NOT FOUND
        zimbra-onlyoffice...NOT FOUND
        zimbra-core...NOT FOUND
    
    .
    .
    .
  3. The Zimbra 10 software agreement displays. Press Y to accept or N to decline.

    The license agreement displays in multiple sections, and you must accept each section of the license agreement.
  4. When Use Zimbra 10’s package repository [Y] displays, press Enter to continue. Your system will be configured to add the Zimbra 10 packaging repository for yum or apt-get, as appropriate, so that it can install the Zimbra 10 third-party packages.

    Use Zimbra's package repository [Y] y
    
    Configuring package repository
    
    Checking for installable packages
    
    Found zimbra-core (local)
    Found zimbra-ldap (local)
    Found zimbra-logger (local)
    Found zimbra-mta (local)
    Found zimbra-dnscache (local)
    Found zimbra-snmp (local)
    Found zimbra-license-daemon (repo)
    Found zimbra-store (local)
    Found zimbra-apache (local)
    Found zimbra-spell (local)
    Found zimbra-convertd (local)
    Found zimbra-memcached (repo)
    Found zimbra-proxy (local)
    Found zimbra-archiving (local)
    Found zimbra-onlyoffice (repo)
    Found zimbra-license-tools (local)
    Found zimbra-license-extension (local)
    Found zimbra-network-store (local)
    Found zimbra-modern-ui (repo)
    Found zimbra-modern-zimlets (repo)
    Found zimbra-zimlet-document-editor (repo)
    Found zimbra-zimlet-classic-document-editor (repo)
    Found zimbra-zimlet-classic-set-default-client (repo)
    Found zimbra-patch (repo)
    Found zimbra-mta-patch (repo)
    Found zimbra-proxy-patch (repo)
    Found zimbra-ldap-patch (repo)
  5. Next, select the packages to be installed on this server.

    For the cross mailbox search feature, install the Zimbra 10 Archive package. To use the archiving and discovery feature, contact Zimbra sales.

    The installer verifies that there is enough room to install Zimbra 10.

  6. Next, the installer checks that the prerequisite packages are installed, as listed in the Other Dependencies section of the System Requirements for Zimbra Collaboration.

    Before the Main menu is displayed, the installer checks whether the hostname is resolvable via DNS and, if there is an error, asks whether you would like to change the hostname. The domain name should have an MX record configured in DNS.

Installing Zimbra 10 LDAP Master Server

You must configure the LDAP Master server before you can install other Zimbra 10 servers. You can set up LDAP replication, configuring a master LDAP server and replica LDAP servers, either configuring all LDAP servers now or after you set up the initial Zimbra Collaboration servers. See the section on Configuring LDAP Replication.

  1. Follow steps 1 through 4 in Starting the Installation Process to open an SSH session to the LDAP server, log on to the server as root, and unpack the Zimbra Collaboration software.

  2. Type y and press Enter to install the zimbra-ldap package. The zimbra-mta, zimbra-store and zimbra-logger packages should be marked n.

    Install zimbra-ldap [Y] Y
    
    Install zimbra-logger [Y] N
    
    Install zimbra-mta [Y] N
    
    Install zimbra-dnscache [Y] N
    
    Install zimbra-snmp [Y] N
    
    Install zimbra-license-daemon [Y] N
    
    Install zimbra-store [Y] N
    
    Install zimbra-apache [Y] N
    
    Install zimbra-spell [Y] N
    
    Install zimbra-convertd [Y] N
    
    Install zimbra-memcached [Y] N
    
    Install zimbra-proxy [Y] N
    
    Install zimbra-archiving [N] N
    
    Install zimbra-onlyoffice [Y] N
    
    Install zimbra-patch [Y] N
    
    Install zimbra-mta-patch [Y] N
    
    Install zimbra-proxy-patch [Y] N
    
    Install zimbra-ldap-patch [Y]
    Checking required space for zimbra-core
    Checking space for zimbra-store
    
    Installing:
        zimbra-core
        zimbra-ldap
    
    The system will be modified.  Continue? [N]
  3. Type Y, and press Enter to modify the system. The selected packages are installed on the server. The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu to see the configuration values, type x and press Enter. The main menu expands to display configuration details for the package being installed.

    Values that require further configuration are marked with asterisks (*).

    To navigate the Main menu, select the menu item to change. You can modify any of the values. See the section Main Menu options for a description of the Main menu.

    Main menu
    
       1) Common Configuration:
       2) zimbra-ldap:                             Enabled
       3) Enable default backup schedule:          yes
       s) Save config to file
       x) Expand menu
       q) Quit
    
    *** CONFIGURATION COMPLETE - press 'a' to apply
    Select from menu, or press 'a' to apply config (? - help)
  4. Type 1 to display the Common Configuration submenu.

    Common configuration
    
       1) Hostname:                                ldap-1.example.com
       2) Ldap master host:                        ldap-1.example.com
       3) Ldap port:                               389
       4) Ldap Admin password:                     set
       5) Store ephemeral attributes outside Ldap: no
       6) Secure interprocess communications:      yes
       7) TimeZone:                                America/Mexico_City
       8) IP Mode:                                 ipv4
       9) Default SSL digest:                      sha256
    
    Select, or 'r' for previous menu [r]
  5. Type 4 to display the automatically generated LDAP admin password.

    Select, or 'r' for previous menu [r] 4
    
    Password for ldap admin user (min 6 characters): [bEyMZxNxq]

    You can change this password.
    Write down the LDAP password, the LDAP host name and the LDAP port.

    LDAP Admin Password _______________________
    LDAP Host name      _______________________
    LDAP Port           _______________________
    You must configure this information when you install the mailbox servers and the MTA servers.
  6. Type 7 to set the correct time zone. A list of time zones appears; choose the relevant one by typing its number. In the example below, Europe/London is selected by typing 94.

    1 Africa/Algiers
    .
    .
    .
    94 Europe/London
    .
    .
    .
    109 Pacific/Tongatapu
    110 UTC
    Enter the number for the local timezone: [110] 94
  7. Type r to return to the Main menu.

  8. From the Main menu, type 2 for zimbra-ldap to view the Ldap configuration settings.

    Ldap configuration
    
       1) Status:                                  Enabled
       2) Create Domain:                           yes
       3) Domain to create:                        ldap-1.example.com
       4) Ldap root password:                      set
       5) Ldap replication password:               set
       6) Ldap postfix password:                   set
       7) Ldap amavis password:                    set
       8) Ldap nginx password:                     set
       9) Ldap Bes Searcher password:              set
    
    Select, or 'r' for previous menu [r]
  9. Type 3 for Domain to create to change the default domain name to the main domain name you want to use for your network, (e.g. example.com).

  10. The passwords listed in the LDAP configuration menu are automatically generated.

    If you want to change the passwords for LDAP root, LDAP replication, LDAP Postfix, LDAP Amavis, and LDAP Nginx, enter the corresponding number 4 through 8 and change the passwords.

    Ldap replication password _____________________
    Ldap postfix password     _____________________
    Ldap amavis password      _____________________
    Ldap nginx password       _____________________
    You need these passwords when configuring the MTA and the LDAP replica servers. Write them down.
  11. When changes to the LDAP configuration menu are complete:

    *** CONFIGURATION COMPLETE - press 'a' to apply
    Select from menu, or press 'a' to apply config (? - help) a
    Save configuration data to a file? [Yes]
    Save config in file: [/opt/zimbra/config.8381]
    Saving config in /opt/zimbra/config.8381...done
    • Enter r to return to the main menu.

    • Type a to apply the configuration changes.

    • When Save configuration data to file appears, type Yes and press Enter.

    • The next request asks where to save the files. To accept the default, press Enter. To save the files to another directory, enter the directory and press Enter.

  12. When The system will be modified - continue? [No] appears, type y and press Enter.

    The server is modified. Installing all the components and configuring the server can take a few minutes. This includes but is not limited to setting local config values, creating and installing SSL certificates, setting passwords, timezone preferences, and starting the servers, among other processes.

  13. When Configuration complete - press return to exit displays, press Enter.

    *** CONFIGURATION COMPLETE - press 'a' to apply
    Select from menu, or press 'a' to apply config (? - help) a
    Save configuration data to a file? [Yes]
    Save config in file: [/opt/zimbra/config.8381]
    Saving config in /opt/zimbra/config.8381...done.
    The system will be modified - continue? [No] y
    Operations logged to /tmp/zmsetup.20240608-105721.log
    Setting local config values...done.
    .
    .
    .
    Starting servers...done.
    Skipping creation of default domain GAL sync account - not a service node.
    Setting up zimbra crontab...done.
    
    
    Moving /tmp/zmsetup.20240608-105721.log to /opt/zimbra/log
    
    
    Configuration complete - press return to exit

    The installation of the LDAP server is complete.

Installing Zimbra 10 MTA on a Server

When Zimbra 10-mta is installed, the LDAP host name and the Zimbra 10 LDAP password must be known to the MTA server. If not, the MTA cannot contact the LDAP server and is not able to complete the installation.

  1. Follow steps 1 through 4 in Starting the Installation Process to open an SSH session to the MTA server, log on to the server as root, and unpack the Zimbra Collaboration software.

  2. Type y and press Enter to install the zimbra-mta and zimbra-dnscache packages. The other packages should be marked n. In the following screen shot example, the packages to be installed are emphasized.

    If SNMP is being used, the SNMP package is installed on every Zimbra 10 server. Mark y.
    If Document server needs to be installed on this setup, mark y for zimbra-onlyoffice package, else mark n.
    Select the packages to install
    
    Install zimbra-ldap [Y] N
    
    Install zimbra-logger [Y] N
    
    Install zimbra-mta [Y] Y
    
    Install zimbra-dnscache [Y] Y
    
    Install zimbra-snmp [Y] N
    
    Install zimbra-license-daemon [Y] N
    
    Install zimbra-store [Y] N
    
    Install zimbra-apache [Y] N
    
    Install zimbra-spell [Y] N
    
    Install zimbra-convertd [Y] N
    
    Install zimbra-memcached [Y] N
    
    Install zimbra-proxy [Y] N
    
    Install zimbra-archiving [N] N
    
    Install zimbra-onlyoffice [Y] N
    
    Install zimbra-patch [Y] N
    
    Install zimbra-mta-patch [Y] N
    
    Install zimbra-proxy-patch [Y]Y
    
    Install zimbra-ldap-patch [Y] N
    
    Checking required space for zimbra-core
    
    Installing:
        zimbra-core
        zimbra-mta
        zimbra-dnscache
    
    The system will be modified.  Continue? [N] y
    Installing packages
  3. Type Y, and press Enter to modify the system. The selected packages are installed on the server. The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu to see the configuration values, type x and press Enter. The main menu expands to display configuration details for the package being installed.

    Values that require further configuration are marked with asterisks (*).

    To navigate the Main menu, select the menu item to change. You can modify any of the values. See the section Main Menu options for a description of the Main menu.

    Main menu
    
       1) Common Configuration:
            +Hostname:                             mta-1.example.com
    ******* +Ldap master host:                     UNSET
            +Ldap port:                            389
    ******* +Ldap Admin password:                  UNSET
            +LDAP Base DN:                         cn=zimbra
            +Store ephemeral attributes outside Ldap: no
            +Secure interprocess communications:   yes
            +TimeZone:                             Africa/Monrovia
            +IP Mode:                              ipv4
            +Default SSL digest:                   sha256
    
       2) zimbra-mta:                              Enabled
            +Enable Spamassassin:                  yes
            +Enable Clam AV:                       yes
            +Enable OpenDKIM:                      yes
            +Notification address for AV alerts:   admin@mta-1.example.com
    ******* +Bind password for postfix ldap user:  UNSET
    ******* +Bind password for amavis ldap user:   UNSET
    
       3) zimbra-dnscache:                         Enabled
       s) Save config to file
       x) Expand menu
       q) Quit
    
    Address unconfigured (**) items  (? - help)
  4. Type 1 to display the Common Configuration submenu.

    Common configuration
    
       1) Hostname:                                mta-1.example.com
    ** 2) Ldap master host:                        UNSET
       3) Ldap port:                               389
    ** 4) Ldap Admin password:                     UNSET
       5) LDAP Base DN:                            cn=zimbra
       6) Store ephemeral attributes outside Ldap: no
       7) Secure interprocess communications:      yes
       8) TimeZone:                                Africa/Monrovia
       9) IP Mode:                                 ipv4
      10) Default SSL digest:                      sha256

    The mta server hostname is displayed.

    You must change the LDAP master host name and password to be the values configured on the LDAP server.
    • Type 2, press Enter, and type the LDAP host name. (ldap-1.example.com in this example.)

    • Type 4, press Enter, and type the LDAP password.
      To obtain the LDAP password, you will need to log on to the LDAP server as the zimbra user, and run the following command:

    zmlocalconfig -s zimbra_ldap_password

    After you set these values, the server immediately contacts the LDAP server. If it cannot contact the server, you cannot proceed.

  5. Type 8 to set the correct time zone. A list of time zones appears; choose the relevant one by typing its number. In the example below, Europe/London is selected by typing 94.

    1 Africa/Algiers
    .
    .
    .
    94 Europe/London
    .
    .
    .
    109 Pacific/Tongatapu
    110 UTC
    Enter the number for the local timezone: [110] 94
  6. Type r to return to the Main menu.

  7. Type 2 to go to the Mta configuration menu.

    Mta configuration
    
       1) Status:                                  Enabled
       2) Enable Spamassassin:                     yes
       3) Enable Clam AV:                          yes
       4) Enable OpenDKIM:                         yes
       5) Notification address for AV alerts:      admin@mta-1.example.com
    ** 6) Bind password for postfix ldap user:     UNSET
    ** 7) Bind password for amavis ldap user:      UNSET
    
    Select, or 'r' for previous menu [r]
  8. You can change the Notification address for AV alerts. This should be an address on the domain, such as the admin address. (admin@example.com)

    If you enter an address other than the admin address, you must provision an account with that address after the installation is complete.
  9. Select the menu number for Bind password for postfix ldap user. You must use the same value for this as is configured on the LDAP master server.

  10. Select the menu number for Bind password for amavis ldap user. You must use the same value for this as is configured on the LDAP master server.

  11. Type r to return to the Main menu.

    If you are installing the Zimbra 10-proxy package, see Installing Zimbra Proxy before continuing.
  12. When the MTA server is configured, return to the Main menu and type a to apply the configuration changes. Press Enter to save the configuration data.

  13. When Save configuration data to file appears, type Yes and press Enter.

  14. The next request asks where to save the file. To accept the default, press Enter. To save the files to another directory, enter the directory and then press Enter.

  15. When The system will be modified - continue? appears,
    type Yes and press Enter.

    The server is now modified. Installing all the components and configuring the MTA server can take a few minutes. This can include setting passwords, setting ports, setting time zone preferences, and starting the server, among other processes.

  16. When Installation complete - press return to exit displays, press Enter.

The installation of the MTA server is complete.

Installing Zimbra Proxy

Installing the zimbra-proxy package is mandatory for a scalable multi-server deployment. Zimbra 10 proxy is normally installed on the MTA server or can be configured on a separate server. Zimbra 10 proxy can be installed on more than one server. At least one instance of zimbra-memcached must be installed to cache the route information (upstream mailbox server for each end client).

If you are moving from a non-proxy environment (for example, single server to multi-server environment), additional steps are necessary for the mailbox server and proxy configuration. After you complete the proxy installation, reconfigure the mailbox server as described in the Zimbra Daffodil Administration Guide, Zimbra Proxy chapter.
Memcached is shipped as the caching layer to cache LDAP lookups. Memcache does not have authentication and security features so the servers should have a firewall set up appropriately. The default port is 11211 and is controlled by the zimbraMemcacheBindPort conf setting.
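
The firewall requirement above can be checked on each node that runs zimbra-memcached. The following is an added example, not part of the Zimbra guide or its tooling: it classifies listeners on the memcached port from ss -H -ltnu output. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how the memcached port is bound on this node.
# Live use (on the node itself):  ss -H -ltnu | audit_memcached_listeners

MEMCACHED_PORT=11211   # default from the guide; adjust if the bind port was changed

# Reads `ss -H -ltnu` lines on stdin (Netid State Recv-Q Send-Q Local Peer)
# and prints one line per listener on the given port:
#   EXPOSED <proto> <addr>  bound to a wildcard address, reachable on every interface
#   REVIEW  <proto> <addr>  bound to a routable address, the firewall must restrict
#                           access to the nodes that need the cache
#   LOCAL   <proto> <addr>  loopback only
audit_memcached_listeners() {
    port="${1:-$MEMCACHED_PORT}"
    awk -v port="$port" '
    {
        local_field = $5
        # Split "addr:port" at the trailing ":digits" so IPv6 literals survive.
        n = match(local_field, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(local_field, 1, n - 1)
        p = substr(local_field, n + 1)
        if (p != port) next
        sub(/%.*$/, "", addr)   # drop an interface scope such as %eth0
        sub(/^\[/, "", addr)    # strip IPv6 brackets
        sub(/\]$/, "", addr)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            verdict = "EXPOSED"
        else if (addr ~ /^127\./ || addr == "::1")
            verdict = "LOCAL"
        else
            verdict = "REVIEW"
        print verdict, $1, addr
    }'
}

# Returns 0 when at least one listener on the port is bound to a wildcard address.
has_wildcard_listener() {
    audit_memcached_listeners "$1" | grep -q '^EXPOSED'
}

# Constructed sample of `ss -H -ltnu` output (not captured from a real server).
sample_ss_output() {
    cat <<'EOF'
tcp   LISTEN 0      1024         0.0.0.0:11211      0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:11211      0.0.0.0:*
tcp   LISTEN 0      1024       10.0.0.21:11211      0.0.0.0:*
tcp   LISTEN 0      128             [::]:443           [::]:*
tcp   LISTEN 0      1024           [::1]:11211         [::]:*
EOF
}
```

An EXPOSED or REVIEW result is not a fault by itself, because memcached has no authentication of its own; it identifies the addresses that the host or network firewall has to cover.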

Installing on the MTA Server

If you are installing zimbra-proxy on the MTA server, select the zimbra-proxy package and the zimbra-memcached package. Follow the installation process in Installing Zimbra 10 MTA on a Server. After Step 11, configure the Zimbra-proxy.

  1. On the MTA server, select to install the zimbra-proxy and zimbra-memcached packages, type y and press Enter to install the selected package.

  2. The Main menu displays the default entries for the Zimbra 10 component you are installing. Select Proxy Configuration menu. You can modify any of the values.

The Bind password for Nginx ldap user was configured when the LDAP server was installed. This is set when the MTA connected to the LDAP server. This is not used unless the Kerberos5 authenticating mechanism is enabled.

Setting the password even though GSSAPI auth/proxy is not set up does not cause any issues.
Proxy configuration

      1) Status:                                Enabled
      2) Enable POP/IMAP Proxy:                 TRUE
      3) IMAP proxy port:                       143
      4) IMAP SSL proxy port:                   993
      5) POP proxy port:                        110
      6) POP SSL proxy port:                    995
      7) Bind password for nginx ldap user:     set
      8) Enable HTTP[S] Proxy:                  TRUE
      9) HTTP proxy port:                       80
      10) HTTPS proxy port:                     443
      11) Proxy server mode:                    https

Return to Installing Zimbra 10 MTA on a Server, step 12, to continue the MTA server installation.

Installing on a separate server

The LDAP host name and the Zimbra 10 LDAP password must be known to the proxy server. If not, the proxy server cannot contact the LDAP server and the installation fails.

  1. Follow steps 1 through 4 in Starting the Installation Process to open an SSH session to the server, log on to the server as root, and unpack the Zimbra 10 software.

  2. Select to install the zimbra-proxy package and the zimbra-memcached package. The other packages should be marked N. If you have not installed zimbra-proxy on another server, you must have at least one instance of zimbra-memcached installed to cache the data for NGINX, as shown in the following screen shot example.

    If SNMP is used, the zimbra-snmp package must also be installed.
    Select the packages to install
    
    Install zimbra-ldap [Y] N
    
    Install zimbra-logger [Y] N
    
    Install zimbra-mta [Y] N
    
    Install zimbra-dnscache [Y] N
    
    Install zimbra-snmp [Y] N
    
    Install zimbra-license-daemon [Y] N
    
    Install zimbra-store [Y] N
    
    Install zimbra-apache [Y] N
    
    Install zimbra-spell [Y] N
    
    Install zimbra-convertd [Y] N
    
    Install zimbra-memcached [Y] Y
    
    Install zimbra-proxy [Y] Y
    
    Install zimbra-archiving [N] N
    
    Install zimbra-onlyoffice [Y] N
    
    Install zimbra-patch [Y] N
    
    Install zimbra-mta-patch [Y] N
    
    Install zimbra-proxy-patch [Y] N
    
    Install zimbra-ldap-patch [Y] N
    Installing:
        zimbra-memcached
        zimbra-proxy
    
    This system will be modified. Continue [N] Y
    Configuration section
  3. Type Y, and press Enter to install the selected package.

  4. The Main menu displays. Type 1 and press Enter to go to the Common Configuration menu.

    The mailbox server hostname is displayed. You must change the LDAP master host name and password to be the values configured on the LDAP server.

    • Type 2, press Enter, and type the LDAP host name. (ldap-1.example.com, in this example.)

    • Type 4, press Enter, and type the LDAP password.

    After you set these values, the server immediately contacts the LDAP server. If it cannot contact the server, you cannot proceed.

    • Type 7 to set the correct time zone.

  5. Type r to return to the Main menu.

  6. Type 2 to select zimbra-proxy.

    Main menu
    
    1) Common Configuration:
            +Hostname:                              localhost
            +Ldap master host:                      ldap-1.example.com
            +Ldap port:                             389
            +Ldap Admin password:                   set
            +LDAP Base DN:                          cn=zimbra
            +Store ephemeral attributes outside Ldap: no
            +Secure interprocess communications:    yes
            +TimeZone:                              (GMT-08.00) Pacific Time (US & Canada)
            +IP Mode:                               ipv4
            +Default SSL digest:                    sha256
    
    2) zimbra-proxy:                              Enabled
            +Enable POP/IMAP Proxy:                 TRUE
            +IMAP server port:                      7143
            +IMAP server SSL port:                  7993
            +IMAP proxy port:                       143
            +IMAP SSL proxy port:                   993
            +POP server port:                       7110
            +POP server SSL port:                   7995
            +POP proxy port:                        110
            +POP SSL proxy port:                    995
    ******* +Bind password for nginx ldap user:     Not Verified
            +Enable HTTP[S] Proxy:                  TRUE
            +Web server HTTP port:                  8080
            +Web server HTTPS port:                 8443
            +HTTP proxy port:                       80
            +HTTPS proxy port:                      443
            +Proxy server mode:                     https
    
    3) Enable default backup schedule:            yes
    s) Save config to file
    x) Expand menu
    q) Quit
    
    Select, or 'r' for previous menu [r] 2
  7. The Proxy Configuration menu displays. You can modify any of the values.

    The Bind password for Nginx ldap user was configured when the LDAP server was installed. This is set when the MTA connected to the LDAP server. This is not used unless the Kerberos5 authenticating mechanism is enabled.

    Setting the password even though GSSAPI auth/proxy is not set up does not cause any issues.
    Proxy configuration
    
       1) Status:                                  Enabled
       2) Enable POP/IMAP Proxy:                   TRUE
       3) IMAP server port:                        7143
       4) IMAP server SSL port:                    7993
       5) IMAP proxy port:                         143
       6) IMAP SSL proxy port:                     993
       7) POP server port:                         7110
       8) POP server SSL port:                     7995
       9) POP proxy port:                          110
      10) POP SSL proxy port:                      995
      11) Bind password for nginx ldap user:       set
      12) Enable HTTP[S] Proxy:                    TRUE
      13) Web server HTTP port:                    8080
      14) Web server HTTPS port:                   8443
      15) HTTP proxy port:                         80
      16) HTTPS proxy port:                        443
      17) Proxy server mode:                       https
  8. Type r to return to the Main menu.

  9. When the proxy server is configured, return to the Main menu and type a to apply the configuration changes. Press Enter to save the configuration data.

  10. When Save Configuration data to a file appears, press Enter.

  11. The next request asks where to save the files. To accept the default, press Enter. To save the files to another directory, enter the directory and then press Enter.

  12. When The system will be modified - continue? appears, type y and press Enter.

  13. When Installation complete - press return to exit displays, press Enter.

The installation of the proxy server is complete.

Installing dedicated LDS node

The License Daemon Service (LDS) is a new service that communicates with the Zimbra License Server in online mode and the Offline Daemon service (local installation) in offline mode. For more information, refer to the LDS Overview section of the admin guide.

To separate the license daemon service from the rest of the Zimbra services, you can set up a dedicated LDS node. You need to set up this node after installing/upgrading the LDAP server and before you begin to install/upgrade the Mailbox servers.

The package zimbra-license-daemon gets installed by default during Zimbra installation unless the administrator marks N for the package during Zimbra installation.

Unpack the Zimbra Daffodil (v10.1) archive and execute the installer script ./install.sh.

Type y and press Enter to install the zimbra-license-daemon package.

    Select the packages to install

    Install zimbra-ldap [Y] N

    Install zimbra-logger [Y] N

    Install zimbra-mta [Y] N

    Install zimbra-dnscache [Y] N

    Install zimbra-snmp [Y] N

    Install zimbra-license-daemon [Y] Y

    Install zimbra-store [Y] N

    Install zimbra-apache [Y] N

    Install zimbra-spell [Y] N

    Install zimbra-convertd [Y] N

    Install zimbra-memcached [Y] N

    Install zimbra-proxy [Y] N

    Install zimbra-archiving [N] N

    Install zimbra-onlyoffice [Y] N

    Install zimbra-patch [Y] N

    Install zimbra-mta-patch [Y] N

    Install zimbra-proxy-patch [Y] N

Complete the rest of the installation.

Installing the Zimbra 10 Mailbox Server

The zimbra-store package can be installed with the LDAP server, the MTA server, or as a separate mailbox server.

The Zimbra license key can be activated through any one of the mailbox servers during the installation. If you do not have a license key, you can install it from the administration console when the Zimbra Collaboration install is complete. See License Activation section.

Install Zimbra Mailbox Services

  1. Follow steps 1 through 4 in Starting the Installation Process to open an SSH session to the Mailbox server, log on to the server as root, and unpack the Zimbra 10 software.

  2. Type Y and press Enter to install the zimbra-logger package (optional and only on one mail server) and zimbra-store.

  3. Type N and press Enter for the zimbra-license-daemon package. The installer prompts for the host where the LDS is installed. Specify the LDS node hostname.

  4. In the following screen shot example, the packages to be installed are emphasized.

    If SNMP is being used, the SNMP package is installed on every Zimbra 10 server. Mark Y.
    If a Document server needs to be installed in this setup, mark Y for the zimbra-onlyoffice package; otherwise mark N.
    Install zimbra-ldap [Y] N
    
    Install zimbra-logger [Y] Y
    
    Install zimbra-mta [Y] N
    
    Install zimbra-dnscache [Y] N
    
    Install zimbra-snmp [Y] Y
    
    Install zimbra-license-daemon [Y] N
    Have you installed zimbra-license-daemon package on different node: Y
    Please enter the zimbra-license-daemon host: <LDS_node_hostname>
    
    Install zimbra-store [Y] Y
    
    Install zimbra-apache [Y] Y
    
    Install zimbra-spell [Y] Y
    
    Install zimbra-convertd [Y] Y
    
    Install zimbra-memcached [Y] N
    
    Install zimbra-proxy [Y] N
    
    Install zimbra-archiving [N] Y
    
    Install zimbra-onlyoffice [N] Y
    
    Install zimbra-patch [Y] Y
    
    Install zimbra-mta-patch [Y] N
    
    Install zimbra-proxy-patch [Y] N
    
    Install zimbra-ldap-patch [Y] N
    Checking required space for zimbra-core
    Checking space for zimbra-store
    
    Installing:
        zimbra-core
        zimbra-logger
        zimbra-snmp
        zimbra-license-daemon
        zimbra-store
        zimbra-apache
        zimbra-spell
        zimbra-convertd
        zimbra-archiving
        zimbra-onlyoffice
        zimbra-license-tools
        zimbra-license-extension
        zimbra-network-store
        zimbra-modern-ui
        zimbra-modern-zimlets
        zimbra-zimlet-document-editor
        zimbra-zimlet-classic-document-editor
        zimbra-zimlet-classic-set-default-client
        zimbra-patch
        zimbra-rabbitmq-server
    
    The system will be modified.  Continue? [N]
  5. Type Y, and press Enter to modify the system. The selected packages are installed on the server. The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu to see the configuration values, type x and press Enter. The main menu expands to display configuration details for the package being installed.

    Values that require further configuration are marked with asterisks (*).

    To navigate the Main menu, select the menu item to change. You can modify any of the values. See the section Main Menu options for a description of the Main menu.

    Main menu
    
       1) Common Configuration:
            +Hostname:                             mailstore-1.example.com
    ******* +Ldap master host:                     UNSET
            +Ldap port:                            389
    ******* +Ldap Admin password:                  UNSET
            +LDAP Base DN:                         cn=zimbra
            +Store ephemeral attributes outside Ldap: no
            +Secure interprocess communications:   yes
            +TimeZone:                             UTC
            +IP Mode:                              ipv4
            +Default SSL digest:                   sha256
    
       2) zimbra-logger:                           Enabled
       3) zimbra-snmp:                             Enabled
       4) zimbra-store:                            Enabled
            +Create Admin User:                    yes
            +Admin user to create:                 admin@mailstore-1.example.com
    ******* +Admin Password                        UNSET
            +Anti-virus quarantine user:           virus-quarantine.mgpgruxx@mailstore-1.example.com
            +Enable automated spam training:       yes
            +Spam training user:                   spam.qgku2xsq@mailstore-1.example.com
            +Non-spam(Ham) training user:          ham.y49bbzuis@mailstore-1.example.com
    ******* +SMTP host:                            UNSET
            +Web server HTTP port:                 8080
            +Web server HTTPS port:                8443
            +Web server mode:                      https
            +IMAP server port:                     7143
            +IMAP server SSL port:                 7993
            +POP server port:                      7110
            +POP server SSL port:                  7995
            +Use spell check server:               yes
            +Spell server URL:                     http://mailstore-1.example.com:7780/aspell.php
            +Enable version update checks:         TRUE
            +Enable version update notifications:  TRUE
            +Version update notification email:    admin@mailstore-1.example.com
            +Version update source email:          admin@mailstore-1.example.com
            +Install mailstore (service webapp):   yes
            +Install UI (zimbra,zimbraAdmin webapps): yes
    ******* +License Activation:                     UNSET
    
       5) zimbra-spell:                            Enabled
       6) zimbra-convertd:                         Enabled
       7) Default Class of Service Configuration:
       8) Enable default backup schedule:          yes
       s) Save config to file
       x) Expand menu
       q) Quit
    
    Address unconfigured (**) items  (? - help)
  6. Type 1 to display the Common Configuration submenu.

    Common configuration
    
       1) Hostname:                                mailstore-1.example.com
    ** 2) Ldap master host:                        UNSET
       3) Ldap port:                               389
    ** 4) Ldap Admin password:                     UNSET
       5) LDAP Base DN:                            cn=zimbra
       6) Store ephemeral attributes outside Ldap: no
       7) Secure interprocess communications:      yes
       8) TimeZone:                                UTC
       9) IP Mode:                                 ipv4
      10) Default SSL digest:                      sha256

    The mailbox server hostname is displayed.

    You must change the LDAP master host name and password to be the values configured on the LDAP server.
    • Type 2, press Enter, and type the LDAP host name. (ldap-1.example.com in this example.)

    • Type 4, press Enter, and type the LDAP password. To obtain the LDAP password, you will need to log on to the LDAP server as the zimbra user, and run the following command:

    zmlocalconfig -s zimbra_ldap_password

    After you set these values, the server immediately contacts the LDAP server. If it cannot contact the server, you cannot proceed.

  7. Type 8 to set the correct time zone. A list of time zones appears; choose the relevant one by typing its number. In the example below, Europe/London is selected by typing 94.

    1 Africa/Algiers
    .
    .
    .
    94 Europe/London
    .
    .
    .
    109 Pacific/Tongatapu
    110 UTC
    Enter the number for the local timezone: [110] 94
  8. Type r to return to the Main menu.

  9. From the Main menu, type 4 for zimbra-store to view the Store configuration settings.

    Store configuration
    
       1) Status:                                  Enabled
       2) Create Admin User:                       yes
       3) Admin user to create:                    admin@mailstore-1.example.com
    ** 4) Admin Password                           UNSET
       5) Anti-virus quarantine user:              virus-quarantine.orulkdewtz@mailstore-1.example.com
       6) Enable automated spam training:          yes
       7) Spam training user:                      spam.udbnonsavi@mailstore-1.example.com
       8) Non-spam(Ham) training user:             ham.3ptgqja0f@mailstore-1.example.com
    ** 9) SMTP host:                               UNSET
      10) Web server HTTP port:                    8080
      11) Web server HTTPS port:                   8443
      12) HTTP proxy port:                         80
      13) HTTPS proxy port:                        443
      14) Web server mode:                         https
      15) IMAP server port:                        7143
      16) IMAP server SSL port:                    7993
      17) IMAP proxy port:                         143
      18) IMAP SSL proxy port:                     993
      19) POP server port:                         7110
      20) POP server SSL port:                     7995
      21) POP proxy port:                          110
      22) POP SSL proxy port:                      995
      23) Use spell check server:                  yes
      24) Spell server URL:                        http://mailstore-1.example.com:7780/aspell.php
      25) Configure for use with mail proxy:       TRUE
      26) Configure for use with web proxy:        TRUE
      27) Enable version update checks:            TRUE
      28) Enable version update notifications:     TRUE
      29) Version update notification email:       admin@mailstore-1.example.com
      30) Version update source email:             admin@mailstore-1.example.com
      31) Install mailstore (service webapp):      yes
      32) Install UI (zimbra,zimbraAdmin webapps): yes
    **33) License Activation:                        UNSET
    
    Select, or 'r' for previous menu [r]
  10. Type 4 and set the password for the administrator account. The password is case sensitive and must be a minimum of six characters. The install process provisions the admin account on the mailbox store server. You log on to the administration console with this password.

    By default, the domain name portions of the email addresses for the Admin user, Anti-virus quarantine user, Spam training user and Non-spam(Ham) training user are set to the Zimbra mailstore server address. You may want to change these to the Zimbra Collaboration primary domain address instead. (example.com in this example.)
  11. Type the corresponding number to set the SMTP host. This is the mta-server host name.

  12. Type the corresponding number if you want to change the default Web server mode. The communication protocol options are HTTP, HTTPS, mixed, both or redirect.

    Mixed

    Uses HTTPS for logging in and HTTP for normal session traffic.

    Both

    An HTTP session stays HTTP, including during the login phase, and an HTTPS session remains HTTPS throughout, including the login phase.

    Redirect

    Redirects any users connecting via HTTP to an HTTPS connection.

    All modes use SSL encryption for back-end administrative traffic.

  13. If you are configuring proxy servers, type the corresponding number to enable the servers. When you enable these, the mail server port and proxy port numbers are automatically changed. See Configuration during installation.

  14. If you install the zimbra-spell package, it should be installed on every mailstore. The hostname portion of the http address for each should be the hostname of the mailstore server it is installed on.

  15. Enable version update checks and Enable version update notifications are set to TRUE. Zimbra Collaboration automatically checks for the latest Zimbra Collaboration software updates and notifies the account that is configured in Version update notification email. You can modify this later from the administration console.

  16. If the zimbra-proxy package is not installed on the mailbox server, two menu options are displayed so you can preconfigure the mailbox server for use with the Zimbra proxy server:

    • Configure for use with mail proxy

    • Configure for use with web proxy

    Set either or both of these to TRUE if you are going to set up zimbra-proxy. The zimbra-proxy ports display in the menu when these are set to TRUE.

  17. Type the corresponding menu number for License Activation.

    Select, or 'r' for previous menu [r] 25
    
    1) Activate license with installation
    2) Activate license after installation
    
    Select, or 'r' for previous menu [r]
    • Following are the details on the options:

      • Activate license with installation - This is an online method of activation. You need to specify the 18-26 alphanumeric character license key.

      • Activate license after installation - In case you have not received the license key or want to use the offline method of license activation, you can choose this option. The installation will be completed but the services will not be started.

    • Select the appropriate option and proceed with the installation.

    • Please see Daffodil v10.1 Licensing section for more information.

  18. Configure the mailstore and webapp services either on a single server or in a split server configuration.

    • To install mailstore server only, set Install UI (zimbra,zimbraAdmin webapps) value to no, which excludes the web services.

    • To install UI server only, set the Install mailstore (service webapp) value to no, which excludes mailstore services.

    • To install both the mailstore and UI services on the same server, confirm the values for Install mailstore (service webapp) and Install UI (zimbra,zimbraAdmin webapps) are both set to yes. The default is yes.

    See the release notes for additional configuration information for installing a split node environment.
  19. Type r to return to the Main menu.

  20. Review the Default Class of Service Configuration settings. If you want to change the COS default configuration of these features:

    1. Type the number for the Default Class of Service Configuration

    2. Type the corresponding number for the feature to be enabled or disabled.
      The default COS settings are adjusted to match.

  21. When the mailbox server is configured, return to the Main menu and type a to apply the configuration changes.
    Press Enter to save the configuration data.

  22. When Save Configuration data to file appears, type Yes and press Enter.

    Save configuration data to a file? [Yes]
  23. The next request asks where to save the files. To accept the default, press Enter. To save the files to another directory, enter the directory and then press Enter.

    Save config in file: [/opt/zimbra/config.16039]
    Saving config in /opt/zimbra/config.16039...done.
  24. When The system will be modified - continue? appears, type Yes and press Enter. The server is now modified. Installing all the components and configuring the server can take several minutes. This includes installing SSL certificates, setting passwords, setting ports, installing skins and common zimlets, setting time zone preferences, backup schedules and starting the servers, among other processes.

    The system will be modified - continue? [No] y
    Operations logged to /tmp/zmsetup.20240608-105721.log
    Setting local config values...done.
    .
    .
    .
    Configuration complete - press return to exit
  25. When Configuration complete - press return to exit displays, press Enter.

The installation of the mailbox server is complete.
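
Step 12 lets each mailbox server keep some traffic on plain HTTP (mixed and both modes). The following added example, which is not part of the Zimbra guide, lists the servers whose mode is not TLS-only. It assumes that zimbraMailMode is the server attribute behind the installer's Web server mode item and that the input has the shape of `zmprov gs` output; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the Zimbra guide). Flags mailbox servers whose
# Web server mode lets traffic travel over plain HTTP, using the mode
# descriptions given in step 12.
#
# Assumption: zimbraMailMode is the attribute behind "Web server mode".
# Real input, run as the zimbra user:
#   for h in $(zmprov gas mailbox); do zmprov gs "$h" zimbraMailMode; done

# audit_mail_modes: reads `zmprov gs` style output on stdin, prints one line
# "host mode exposure" per server that is not TLS-only, and returns 1 if any
# such server was found (0 otherwise).
audit_mail_modes() {
    awk '
        function exposure(mode) {
            mode = tolower(mode)
            # https: TLS throughout; redirect: HTTP users are moved to HTTPS
            if (mode == "https" || mode == "redirect") return "tls-only"
            # mixed: HTTPS for login, HTTP for normal session traffic
            if (mode == "mixed") return "cleartext-session"
            # both/http: an HTTP session stays HTTP, including the login
            if (mode == "both" || mode == "http") return "cleartext-login-and-session"
            return "unknown-mode"
        }
        /^# name /         { host = $3; next }
        /^zimbraMailMode:/ {
            e = exposure($2)
            if (e != "tls-only") { print host, $2, e; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: three servers, shaped like `zmprov gs` output.
sample_modes() {
    cat <<'EOF'
# name mailstore-1.example.com
zimbraMailMode: https

# name mailstore-2.example.com
zimbraMailMode: mixed

# name mailstore-3.example.com
zimbraMailMode: both
EOF
}

if sample_modes | audit_mail_modes; then
    echo "all mailbox servers are TLS-only"
else
    echo "review the servers listed above"
fi
```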

Installing zimbra-archiving Package

Installing the zimbra-archiving package is optional. This package enables Zimbra Collaboration Archiving and Discovery, which offers:

  • Archiving, the ability to archive messages that were delivered to or sent by Zimbra 10.

  • Discovery, the ability to search across mailboxes.

The prerequisite to enabling archiving and discovery is the installation and configuration of the zimbra-archiving package on at least one mailbox server. The installation of this package provides the discovery (also known as cross mailbox) search tool and sets the attributes that allow archiving to be enabled on the Zimbra 10 MTAs.

To enable archiving and discovery, select the zimbra-store and zimbra-archiving packages during your installation process. The zimbra-core package is installed by default.

Select the packages to install

Install zimbra-ldap [Y] N

Install zimbra-logger [Y] N

Install zimbra-mta [Y] N

Install zimbra-dnscache [Y] N

Install zimbra-snmp [Y] N

Install zimbra-license-daemon [Y] N

Install zimbra-store [Y] Y

Install zimbra-apache [Y] N

Install zimbra-spell [Y] N

Install zimbra-convertd [Y] N

Install zimbra-memcached [Y] N

Install zimbra-proxy [Y] N

Install zimbra-archiving [N] Y

Install zimbra-onlyoffice [Y] N

Install zimbra-patch [Y] N

Install zimbra-mta-patch [Y] N

Install zimbra-proxy-patch [Y] N

Install zimbra-ldap-patch [Y] N
Installing:
    zimbra-core
    zimbra-store
    zimbra-archiving
This system will be modified. Continue [N] Y

See the Zimbra Archiving and Discovery chapter in the Zimbra Daffodil Administration Guide for more information about configuring and archiving.

Installing the zimbra-SNMP Package

Installing the zimbra-snmp package is optional, but if you use SNMP monitoring, this package should be installed on each Zimbra 10 server.

In the Main menu, select zimbra-snmp to make changes to the default values. The following question is asked for SNMP configuration.

Configure whether to be notified by SNMP or SMTP. The default is No. If you enter yes, you must enter additional information.

  • For SNMP, type the SNMP Trap host name.

  • For SMTP, type the SMTP source email address and destination email address.

8) zimbra-snmp:                             Enabled
   +Enable SNMP notifications:              yes
   +SNMP Trap hostname:                     example.com
   +Enable SMTP notifications:              yes
   +SMTP Source email address:              admin@example.com
   +SMTP Destination email address:         admin@example.com

Installing the zimbra-onlyoffice Package

This package is required for collaborative document editing, which is powered by Onlyoffice and lets users collaboratively edit the documents stored in Briefcase. The package can be installed and set up on a Mailbox server or on a separate Document server.

This package gets installed by default during Zimbra installation unless the administrator marks N for the package during Zimbra installation.

Type y and press Enter to install the zimbra-onlyoffice package.

Install zimbra-onlyoffice [Y]

Installing the zimbra-onlyoffice package on a separate server

Type y and press Enter to install the zimbra-onlyoffice package.

Select the packages to install

Install zimbra-ldap [Y] N

Install zimbra-logger [Y] N

Install zimbra-mta [Y] N

Install zimbra-dnscache [Y] N

Install zimbra-snmp [Y] N

Install zimbra-license-daemon [Y] N

Install zimbra-store [Y] N

Install zimbra-apache [Y] N

Install zimbra-spell [Y] N

Install zimbra-convertd [Y] N

Install zimbra-memcached [Y] N

Install zimbra-proxy [Y] N

Install zimbra-archiving [N] N

Install zimbra-onlyoffice [Y] Y

Install zimbra-patch [Y] N

Install zimbra-mta-patch [Y] N

Install zimbra-proxy-patch [Y] N

Complete the rest of the installation.

Final Set-Up

After the Zimbra 10 servers are configured in a multi-node configuration, the following functions must be configured:

  • For remote management and postfix queue management to work, the ssh keys must be manually populated on each server. See Set Up the SSH Keys.

  • If logger is installed, set up the syslog configuration files on each server to enable server statistics to display on the administration console, and then enable the logger monitor host. The server statistics includes information about the message count, message volume, and anti-spam and anti-virus activity. See Enabling Server Statistics Display.

  • Zimbra Collaboration ships a default zimbra user with a disabled password. Zimbra Collaboration requires access to this account via ssh public key authentication. On most operating systems this combination is okay, but if you have modified PAM rules to disallow any ssh access to disabled accounts then you must define a password for the zimbra UNIX account. This will allow ssh key authentication for checking remote queues. See Mail queue monitoring.

Set Up the SSH Keys

To populate the SSH keys, perform the following as the zimbra user (sudo su - zimbra) on each server:

zmupdateauthkeys

The key is updated in /opt/zimbra/.ssh/authorized_keys.

Enabling Server Statistics Display

In order for the server statistics to display on the administration console, the syslog configuration files must be modified.

Zimbra Collaboration supports the default syslog of a supported operating system. Depending on your operating system, the steps contained in this section might not be correct. See your operating system documentation for specific information about how to enable syslog.
  1. On each server, as root, type /opt/zimbra/libexec/zmsyslogsetup. This enables the server to display statistics.

  2. On the logger monitor host, you must enable rsyslog to log statistics from remote machines:

rsyslog
  1. Uncomment the following lines in /etc/rsyslog.conf

    $modload imudp
    $UDPServerRun 514
  2. Restart rsyslog

rsyslog RHEL or CentOS

Uncomment the following lines in /etc/rsyslog.conf.

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
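
A quick check for the rsyslog step above, as an added example that is not part of the Zimbra guide: a listener only starts when both the module line and the listener line are uncommented, and a half-edited file leaves the logger host receiving nothing. Beyond the legacy directives shown in this section, the check also recognises the module()/input() syntax; the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the Zimbra guide). Reports which syslog listeners
# an rsyslog configuration actually enables on the logger monitor host.
# Real input:  rsyslog_reception < /etc/rsyslog.conf

# rsyslog_reception: reads a config on stdin and prints "udp", "tcp",
# "udp tcp" or "none". A listener counts only when BOTH its module load and
# its listener line are uncommented. Directive names are matched
# case-insensitively because this section spells $ModLoad both ways.
rsyslog_reception() {
    awk '
        {
            line = tolower($0)
            sub(/^[ \t]+/, "", line)
        }
        line == "" || line ~ /^#/ { next }      # blank or still commented out
        # Legacy directives, as shown in this section
        line ~ /^\$modload[ \t]+imudp/           { udp_mod = 1 }
        line ~ /^\$udpserverrun[ \t]+[0-9]/      { udp_in = 1 }
        line ~ /^\$modload[ \t]+imtcp/           { tcp_mod = 1 }
        line ~ /^\$inputtcpserverrun[ \t]+[0-9]/ { tcp_in = 1 }
        # module()/input() syntax (extension beyond the page)
        line ~ /^module\(load="imudp"/           { udp_mod = 1 }
        line ~ /^input\(type="imudp"/            { udp_in = 1 }
        line ~ /^module\(load="imtcp"/           { tcp_mod = 1 }
        line ~ /^input\(type="imtcp"/            { tcp_in = 1 }
        END {
            out = ""
            if (udp_mod && udp_in) out = "udp"
            if (tcp_mod && tcp_in) out = (out == "" ? "tcp" : out " tcp")
            print (out == "" ? "none" : out)
        }
    '
}

# Constructed sample: module loaded, listener line still commented out.
sample_half_enabled() {
    cat <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
#$UDPServerRun 514
EOF
}

# Constructed sample: UDP reception enabled, TCP left commented out.
sample_enabled() {
    cat <<'EOF'
$modload imudp
$UDPServerRun 514
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF
}

printf 'half-edited sample: %s\n' "$(sample_half_enabled | rsyslog_reception)"
printf 'enabled sample:     %s\n' "$(sample_enabled | rsyslog_reception)"
```

A result that includes tcp when only UDP was intended, or any listener on a host that is not the logger monitor host, is worth reviewing, since port 514 then accepts log traffic from the network.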

Spam/Ham Training on MTA servers

New installs of Zimbra 10 limit spam/ham training to the first MTA installed. If you uninstall or move this MTA, you will need to enable spam/ham training on another MTA, as one host should have this enabled to run zmtrainsa --cleanup. To do this, set zmlocalconfig -e zmtrainsa_cleanup_host=TRUE.

Verifying Server Configuration

When Configuration complete - press return to exit is displayed, the installation is finished and the server has been started. Before going to the next server, you should verify that the server is running.

Use the CLI command, zmcontrol status, to verify that each server is running. Perform the following on each server in your Zimbra Collaboration environment.

  1. Log on as root.

  2. Type su - zimbra.

  3. Type zmcontrol status. The services status information is displayed. All services should be running.

    If services are not started, you can type zmcontrol start. See the CLI command appendix in the Zimbra Daffodil Administration Guide for more zmcontrol commands.
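
The check in step 3, as an added example that is not part of the Zimbra guide: it reduces zmcontrol status output to the services that are not running and an exit status a script can act on. The assumed output shape (a Host line, then one indented service line ending in Running or Stopped, with optional detail lines) and the sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the Zimbra guide). Turns `zmcontrol status` output
# into a pass/fail check.
#
# Assumption: the output has a "Host <name>" line followed by one indented
# "<service> Running|Stopped" line per service, with optional detail lines.
# Real input, as root:  su - zimbra -c 'zmcontrol status' | stopped_services

# stopped_services: prints "host: service" for every service that is not
# running. Returns 0 if all are running, 1 if any is stopped, and 2 if no
# service lines were seen (zmcontrol failed or produced nothing).
stopped_services() {
    awk '
        /^Host / { host = $2; next }
        $NF == "Running" || $NF == "Stopped" {
            seen = 1
            if ($NF == "Stopped") {
                name = $0
                sub(/[ \t]+Stopped[ \t]*$/, "", name)   # drop the status column
                sub(/^[ \t]+/, "", name)                # drop the indentation
                print host ": " name                    # names may contain spaces
                bad = 1
            }
        }
        END {
            if (!seen) exit 2
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: one host with two stopped services and a detail line.
sample_status() {
    printf 'Host mailstore-1.example.com\n'
    printf '\tamavis                  Running\n'
    printf '\tmailbox                 Stopped\n'
    printf '\t\tzmmailboxdctl is not running.\n'
    printf '\tservice webapp          Running\n'
    printf '\tzimlet webapp           Stopped\n'
}

if sample_status | stopped_services; then
    echo "all services running"
else
    echo "one or more services need attention"
fi
```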

Logging on to the Administration Console

  1. To log on to the administration console, open your browser, type the administration console URL and log on to the console. The administration console URL is entered as:

    • In case of Mailbox servers containing backend mailstore and UI services together (mailstore server + UI server), you can access the admin console directly using the link in the format https://<mailstore-hostname>:<zimbraAdminPort>. The default value of zimbraAdminPort is 7071.

    • In case of a deployment having even a single mailbox server running in Web Application server split mode, the admin console needs to be accessed strictly through the proxy using the link in the format https://<proxy-hostname>:<zimbraAdminProxyPort> after switching zimbraReverseProxyAdminEnabled to TRUE and restarting the proxy. The default value of zimbraAdminProxyPort is 9071.

    • The administration console address must be typed with https, even if you configured only http.

    • The first time you log on, a certificate authority (CA) alert may be displayed. Click Accept this certificate permanently to accept the certificate and be able to connect to the Zimbra administration console. Then click OK.

  2. Enter the admin user name and password configured during the installation process. Enter the user name as admin@example.com.

Post Installation Tasks

Once Zimbra Collaboration is installed, if you installed the Zimbra 10 license, you can log on to the administration console and configure additional domains, create Classes of Service, and provision accounts. See the Zimbra Daffodil Administration Guide.

Defining Classes of Service

A default Class of Service (COS) is automatically created during the installation of Zimbra 10 software. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking and server pools. You can modify the default COS and create new COSs to assign to accounts according to your group management policies.

In an environment with multiple mailbox servers, COS is used to assign the new accounts to a mailbox server. The COS server pool page lists the mailbox servers in your Zimbra 10 environment. When you configure the COS, select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.

To create or modify a COS, from the administration console, click COS. If you have questions, refer to the Help section.

Provisioning Accounts

You can configure one account at a time with the New Account Wizard or you can create many accounts at once using the Account Migration Wizard.

Configuring One Account

The administration console New Account Wizard steps you through the account information to be completed.

  1. From the administration console Navigation pane, click Accounts.

    Four accounts are listed: admin account, two spam training accounts, and a global Documents account. These accounts do not need any additional configuration.
  2. Click New. The first page of the New Account Wizard opens.

  3. Enter the account name to be used as the email address and the last name. This is the only required information to create an account.

  4. You can click Finish at this point, and the account is configured with the default COS and global features.

    To configure aliases, forwarding addresses, and specific features for this account, proceed through the dialog before you click Finish.

    When the accounts are provisioned, these accounts can immediately start to send and receive emails.

Configuring Many Accounts at Once

You can provision multiple accounts at once using the Account Migration tool from the administration console. The wizard guides you through the steps to import accounts from an external directory server, either Active Directory or an LDAP server. The wizard downloads account information from your directory and creates the accounts in Zimbra 10.

Refer to the Zimbra Daffodil Administration Guide to learn more about provisioning accounts.

Import the Content of Users’ Mailboxes

Zimbra 10’s migration and import tools can be used to move users’ email messages, calendars, and contacts from their old email servers to their accounts on the Zimbra server. When the user’s files are imported, the folder hierarchy is maintained. These tools can be accessed from the administration console Download page and instruction guides are available from the Administration Console Help Desk.

Installing External Zimlets for Modern Web App

These six zimlets are available.

  • Slack

  • Zoom

  • Dropbox

  • Google Drive

  • Onedrive

  • Jitsi

You have to install and configure them for users to integrate and use these zimlets. Once you are done installing the zimlet(s), you need to restart the mailbox service before configuring them.

Slack

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-slack

    Ubuntu

    apt-get install zimbra-zimlet-slack

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Zoom

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-zoom

    Ubuntu

    apt-get install zimbra-zimlet-zoom

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Dropbox

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-dropbox

    Ubuntu

    apt-get install zimbra-zimlet-dropbox

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Google Drive

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-google-drive

    Ubuntu

    apt-get install zimbra-zimlet-google-drive

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Onedrive

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-onedrive

    Ubuntu

    apt-get install zimbra-zimlet-onedrive

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Jitsi

  • As root run the below command:

    RHEL

    yum install zimbra-zimlet-jitsi

    Ubuntu

    apt-get install zimbra-zimlet-jitsi

  • Restart mailbox service as a zimbra user:

su - zimbra
zmmailboxdctl restart

Please visit Configuring Zimlets for Modern Web App for instructions on how to configure zimlets for Modern Web App users.

Ephemeral Data Migration

Versions of Zimbra prior to 9.0.0 stored ephemeral data in LDAP. Examples of ephemeral data include:

  • zimbraAuthTokens

  • zimbraCsrfTokenData

  • zimbraLastLogonTimestamp

Zimbra Collaboration versions after 9.0.0 introduced the ability to store ephemeral data in an external service such as SSDB. This is an optional feature; however, it can improve LDAP performance and stability.

Please refer to the Zimbra Daffodil Administration Guide for more information. Migration of ephemeral data out of LDAP and into SSDB must be performed after an install or upgrade has been completed.

Uninstalling Zimbra Collaboration

To uninstall servers, run the install script with the -u option. Then delete the /opt/zimbra directory and remove the Zimbra 10 tgz file on the servers.

  1. Change directories to the original install directory for the zcs files.

  2. Type ./install.sh -u.

  3. When Completely remove existing installation? is displayed, type Yes.

    The Zimbra 10 servers are stopped, the existing packages, the webapp directories, and the /opt/zimbra directory are removed.

  4. Delete the zcs directory, type rm -rf [zcsfilename].

  5. Delete the zcs.tgz file, type rm -rf zcs.tgz.

  6. Additional files may need to be deleted. See Uninstall Zimbra on Linux.

Adding a Mailbox Server to a Single Server Configuration

In the Zimbra Collaboration single server environment, the LDAP, MTA, and mailbox services are on one machine. This chapter explains how to add a new machine that is configured as a mailbox server to a single server configuration and how to remove the mailbox server from the single server node.

Setup Requirements For Adding a Mailbox Server

  • The new machine you are adding must have the same operating system, including the latest version and patch levels, as installed on the single server.

  • The system clock must be configured with the same time on both machines.

  • You must install the same version of the Zimbra Collaboration software that is installed on the single server node.

  • A copy of the Zimbra Collaboration license needs to be added to a directory on the new machine.

  • If you are adding a proxy to Zimbra Collaboration, install it on the existing single-server node before you set up the new mailbox server. See Installing Zimbra Proxy.

Overview of Process

  • Zimbra 10 Mailbox Server is installed on the prepared machine.

  • Customized configuration for the single-server, such as custom themes and Zimlets are added to the new mailbox server.

  • Commercial SSL certificates are added to the new mailbox server.

  • User accounts are moved from the single server to the new mailbox server.

  • If you are moving all accounts from the single server, the mailbox server is stopped on the single server machine.

Configuring the Mailbox Server

The host name and zmhostname configured on the mailbox server are the same as on the single server.

Make sure you know the LDAP master password, as you configure it on the server that is being added. To find the master LDAP password on the single server node, type:

zmlocalconfig -s zimbra_ldap_password
If you are installing the Zimbra 10 proxy or MTA on the new node, you will also need to record the following:
  • Bind password for postfix ldap user

  • Bind password for amavis ldap user

  • Bind password for nginx ldap user

    zmlocalconfig -s | grep -E '(amavis|nginx|postfix)_password'
Before you begin, make sure you have an up-to-date backup!
  1. Follow steps 1 through 4 in Starting the Installation Process to log on to the server as root and unpack the Zimbra 10 software.

  2. Type Y for each package you are installing.

    • Install zimbra-store, and zimbra-spell (optional) packages. When zimbra-spell is installed, the zimbra-apache package also is installed.

    • If zimbra-proxy is configured, install memcached.

    • The zimbra-logger package is installed only on one mailbox server. If you are moving all mailboxes to this server from the original single server, install the zimbra-logger package.

    • If Archive and Discovery is installed on the single-server node, install zimbra-archiving on the new mailbox server.

      If SNMP is being used, type Y for zimbra-snmp. If SNMP is used, it is installed on every Zimbra 10 server.
  3. Type Y, and press Enter to modify the system. The selected packages are installed on the server.

    The Main menu displays the default entries for the Zimbra 10 component you are installing.
  4. Type 1 and press Enter to go to the Common Configuration menu.

    The mailbox server hostname is displayed. You must change the LDAP master host name and password to be the values configured on the single-server node.
    • Type 2, press Enter, and type the LDAP host name.

    • Type 4, press Enter, and type the LDAP password.

      After you set these values, the server immediately contacts the LDAP server. If it cannot contact the server, you cannot proceed.
    • Type 6 to set the correct time zone.

  5. Type r to return to the Main menu.

  6. From the Main menu, type 2 to go to the Store configuration menu.

    • Type 2 to set Create Admin User to No.

    • Type the corresponding number to set the SMTP host. This is the mta-server host name.

    • Type the corresponding number if you want to change the default web server mode.

    • If you are setting up IMAP/POP proxy servers, type the corresponding number to enable the servers.

    • If the zimbra-proxy is used and is installed on another server, configure the following menu options

      • Configure for use with mail proxy

      • Configure to use with web proxy

        Set either or both of these to TRUE if you are going to set up zimbra-proxy.
    • Type the corresponding menu number to install the Zimbra Collaboration license file. Enter the location of the license file. For example, if you saved the license file to the tmp directory, you would type /tmp/ZCSLicense.xml. You cannot proceed without a license file.

    • If you are setting up proxy servers, type the corresponding number to enable the servers. When you enable these, IMAP/POP/HTTP server port numbers and proxy port numbers are automatically changed. See Configuration during installation.

  7. When the mailbox server is configured, return to the Main menu and type a to apply the configuration changes. Press Enter to save the configuration data.

  8. When Save Configuration data to a file appears, press Enter.

  9. The next request asks where to save the files. To accept the default, press Enter. To save the files to another directory, enter the directory and then press Enter.

  10. When The system will be modified - continue? appears, type y and press Enter.

    The server is modified. Installing all the components and configuring the mailbox server can take a few minutes. This includes installing SSL certificates, setting passwords, setting ports, installing skins and Zimlets, setting time zone preferences, and starting the servers, among other processes.
  11. When Configuration complete - press return to exit displays, press Enter.

The installation of the mailbox server is complete.

Adding Customized Features

Any customized themes or Zimlets, and any signed certificates, stored on the single-server must be added to the new mailbox server. See the Zimbra Daffodil Administration Guide for information about adding the customized features.

Testing the Configuration

To make sure that the new mail store server is correctly configured, create a new user on the new mailbox server and log into the account to verify that your configuration is correct. See Provisioning Accounts.

Move Mailboxes

The zmmboxmove command is run to move user accounts from the mailbox server on the single-server node to the new mailbox server.

You can set global options to exclude items from the mailbox move. See the Zimbra Daffodil Administration Guide User Accounts chapter for more information about the mailbox move feature.

Move the following types of mailboxes:

  • User accounts.

  • Admin mailboxes. If you do not move the admin mailbox, you cannot log into the Zimbra Collaboration Web Client.

  • Spam and ham mailboxes.

If you were using Archive and Discovery on the single server mailbox, move the archival mailboxes as well.

Move Mailboxes Using CLI zmmboxmove

  1. To move a mailbox to a new server

    zmmboxmove -a <email@address> --from <servername> --to <servername>
  2. To verify that the content of the mailbox was moved successfully, go to the administration console, select the account that was moved. Click View Mail on the toolbar. When the account opens, verify that the account’s content is displayed and can be opened.

  3. Purge the mailbox from the old server:

    zmpurgeoldmbox -a <email@address> -s <oldservername>

Turn Off Mailbox Server on Single-Server Node

When all mailboxes have moved from the single-server node to the new mailbox server node, disable the Mailbox services on the original single-server machine.

  1. On the original single-server node, disable the following mailbox server components:

    mailbox

    zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled mailbox

    logger

    zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled logger

    stats

    zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled stats

    spell

    zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled spell

    convertd

    zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled convertd

    • If archiving was installed, disable it as well:

      zmprov -l ms <singleserver.com> -- -zimbraServiceEnabled archiving
  2. After the mailbox services are disabled, verify that antispam, antivirus, ldap, mta, snmp, proxy, and memcached are the only services on the original single-server node.

    zmprov -l gs <singleserver.com> | grep -i serviceenabled

Configuring Multi-Master Replication

Set up multi-master LDAP replication to have a copy of the LDAP database saved on each server in a group of LDAP servers identified for multi-master replication (MMR). The database can be updated by any member of the group. If one master fails, the other masters continue to update the database.

The Zimbra 10 install program is used to configure the multi-master LDAP servers. Each master LDAP server is given a unique identifier when it is configured, and zmlocalconfig is used to add the LDAP server to the multi-master group.

You can also promote an existing replica to be part of the multi-master group.

Managing Multiple Master LDAP Servers

When you enable multi-master replication, you assign a server ID to each master server to identify them in the group. This is used to distinguish the servers in the group and to help resolve conflicts that might occur.

In addition, each server is configured to assign internal replication IDs that are unique to that specific server. Other LDAP master servers can use the same replication ID, but within the server, these replication IDs must be unique.

You can run the Zimbra 10 multiple master CLI, zmldapquery-mmr, from a specific master to see the server ID for that master and for all multi-master servers in the group, and to see the replication ID values for those masters.

On the server, enter the command as:

/opt/zimbra/libexec/zmldapquery-mmr

Before you can enable the multi-master replication feature, you must know the hostname of the first secondary master that is being added to the group. The hostname is entered when you enable the feature. Once you enable the multi-master replication feature, you do not need to run the command again.

When zmlocalconfig is run the first time, the master LDAP servers are configured as follows:

  • The first master LDAP server ID is set to 1.

  • The master LDAP server is put in a group with a secondary master that is listening to LDAP on port 389.

  • The replication ID is set to 100 by default on the secondary master.

  • Writes initiated from the server go to the LDAP master-1 by default. If LDAP master-1 is down, writes move to LDAP master-2.

  1. To enable the feature, run:

    ./libexec/zmldapenable-mmr -s 1 -m ldap://<<master-2.example.com>>:389/
  2. Once the feature is enabled, use the zmlocalconfig command to add the LDAP servers to a group.

    zmlocalconfig -e ldap_master_url="ldap://<<master-1.example.com>>:389 ldap://<<master-2.example.com>>:389"

Installing a Secondary Master LDAP Server

The master LDAP server must be running when you install the secondary LDAP servers. You run the Zimbra 10 install program on the secondary master LDAP servers to install the LDAP package.

Passwords Required to Install the Secondary Master

Before you install a secondary master, you must know the following passwords:

  • Zimbra 10 admin LDAP password

  • LDAP replication password

  • NGINX LDAP password

  • Amavis LDAP password

  • Postfix LDAP password

To find these passwords, on the Zimbra 10 server run:

zmlocalconfig -s | grep passw | grep ldap

Setting Up a Secondary Master LDAP Server

  1. Follow steps 1 through 4 in Starting the Installation Process to open a SSH session to the LDAP server, log on to the server as root, and unpack the Zimbra 10 software.

  2. Type Y and press Enter to install the zimbra-ldap package.

  3. Type Y, and press Enter to modify the system. The selected packages are installed. The Main menu shows the default entries for the LDAP server.

  4. Type 1 to display the Common Configuration submenu.

    1. Type 2 to change the LDAP Master host name to the name of the primary master’s hostname; e.g., master-1.example.com.

    2. Type 4 to change the LDAP admin password to the Zimbra 10 admin password of the primary master.

    3. Type r to return to the main menu.

  5. Type 2 to display the LDAP configuration submenu.

    1. Type 4 to change the type to mmr.

      Item 5, LDAP Server ID, is set to 2. If this is the second master, leave it unchanged. If it is the third or later master, select 5 and update the server ID accordingly.

      The next four steps are to change the default passwords on this server to match the passwords on the master-1 LDAP server.

    2. Type 7 to change the LDAP replication password.

    3. Type 8 to change the LDAP postfix password.

    4. Type 9 to change the LDAP amavis password.

    5. Type 10 to change the LDAP NGINX password.

    6. Type r to return to the main menu.

  6. Type a to apply the configuration changes. Press Enter to save the configuration data.

  7. When Save Configuration data to a file appears, press Enter.

  8. When The system will be modified - continue? appears, type y and press Enter.

    The server is modified. Installing all the components and configuring the server can take a few minutes.
  9. When Installation complete - press return to exit displays, press Enter. The installation is complete.

  10. Update the ldap_master_url attribute to contain both masters. Enter this new master as the first master in the list.

    zmlocalconfig -e ldap_master_url="ldap://<<master-2.example.com>>:389 ldap://<<master-1.example.com>>:389"

Promote Existing Replicas to Multi-Master LDAP Servers

In an existing Zimbra 10 setup where there is already a single master and multiple replicas, you can promote an existing replica to become a secondary master.

  1. On the master LDAP server find the LDAP replication, Postfix, Amavis, and NGINX passwords.

    zmlocalconfig -s | grep passw | grep ldap
  2. Change the LDAP passwords on the server you are promoting to be the same as the first master LDAP server.

    • LDAP replication password = zmldappasswd -l <password>

    • LDAP postfix password = zmldappasswd -p <password>

    • LDAP amavis password = zmldappasswd -a <password>

    • LDAP NGINX password = zmldappasswd -n <password>

  3. Assign the next Server ID to this master. In this example, the ID is 3.

    /opt/zimbra/libexec/zmldappromote-replica-mmr -s 3
  4. Update the ldap_master_url attribute to add the master to the list.

    zmlocalconfig -e ldap_master_url="ldap://<<master-1.example.com>>:389 \
      ldap://<<master-2.example.com>>:389 ldap://<<master-3.example.com>>:389"

This updates the replica to be a multi-master replica, enabled with a server ID. It is automatically configured to be a paired master with the master it was previously replicating from.

Deleting a Multi-Master Replication Node

To delete a multi-master replication (MMR) node, use the following steps.

Deleting an MMR node can only be performed in Zimbra Collaboration 8.0.7 and later.
  1. Update the ldap_master_url and ldap_url on every node, removing the LDAP MMR node that will be shut down.

  2. Wait 5-10 minutes to ensure the modification is in place.

  3. Monitor /var/log/zimbra.log on the MMR node that will be shut down and confirm it is no longer receiving modification traffic.

  4. Run ldap stop on the MMR node that is being shut down.

  5. Log into the remaining MMR nodes and perform the following:

    1. /opt/zimbra/libexec/zmldapmmrtool -q

    2. Find the matching RID for the MMR node you shut down.

    3. /opt/zimbra/libexec/zmldapmmrtool -d -o RID

Example of Deleting an MMR Node

The following is an example of using zmldapmmrtool.

  1. There are three MMR servers, ldap-1.example.com, ldap-2.example.com, ldap-3.example.com, with ldap-3.example.com being shut down.

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -q
    Master replication information
    Master replica 1
    rid: 100 URI: ldap://ldap-2.example.com:389/ TLS: critical
    Master replica 2
    rid: 101 URI: ldap://ldap-3.example.com:389/ TLS: critical
  2. The RID being used by ldap-3.example.com is 101. This agreement can be deleted with:

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -d -o 101
  3. Confirm the deletion.

    zimbra@ldap-1:/tmp/mmr$ ./zmldapmmrtool -q
    Master replication information
    Master replica 1
    rid: 100 URI: ldap://ldap-2.example.com:389/ TLS: critical
    zimbra@ldap-1:/tmp/mmr
  4. Repeat on the remaining node(s).
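
The pre-flight checks implied by the steps above, as an added shell example that is not part of the Zimbra tooling: it refuses to proceed while the node is still listed in ldap_url or ldap_master_url, then finds the RID by exact hostname match in zmldapmmrtool -q output and prints the delete command for the operator to run. The function names and the sample data are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not Zimbra code): pre-flight check before deleting an MMR agreement.

# Constructed sample of `zmldapmmrtool -q` output, in the format the guide shows.
SAMPLE_MMR_QUERY='Master replication information
Master replica 1
rid: 100 URI: ldap://ldap-2.example.com:389/ TLS: critical
Master replica 2
rid: 101 URI: ldap://ldap-3.example.com:389/ TLS: critical'

# url_list_has_host HOST "URL URL ..."
# Succeeds if HOST is the host part of any URL in the space-separated list.
url_list_has_host() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -v host="$1" '
        NF {
            h = $0
            sub("^ldaps?://", "", h)   # drop the scheme
            sub("[:/].*$", "", h)      # drop port and path
            if (tolower(h) == tolower(host)) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# mmr_rid_for_host HOST   (reads `zmldapmmrtool -q` output on stdin)
# Prints the RID only when exactly one agreement points at HOST. The host is
# compared exactly, so "ldap-3" never matches "ldap-3.example.com" or "ldap-30".
mmr_rid_for_host() {
    awk -v host="$1" '
        $1 == "rid:" && $3 == "URI:" {
            h = $4
            sub("^ldaps?://", "", h)
            sub("[:/].*$", "", h)
            if (tolower(h) == tolower(host)) { rid = $2; matches++ }
        }
        END {
            if (matches != 1) exit 1
            print rid
        }'
}

# mmr_delete_plan HOST LDAP_URL LDAP_MASTER_URL   (tool output on stdin)
# Prints the delete command; it never runs it.
# Returns 2 if HOST is still referenced, 3 if no unique agreement is found.
mmr_delete_plan() {
    if url_list_has_host "$1" "$2" || url_list_has_host "$1" "$3"; then
        echo "REFUSE: $1 is still listed in ldap_url or ldap_master_url" >&2
        return 2
    fi
    rid=$(mmr_rid_for_host "$1") || {
        echo "REFUSE: no single replication agreement found for $1" >&2
        return 3
    }
    echo "/opt/zimbra/libexec/zmldapmmrtool -d -o $rid"
}

# Demo with the constructed sample; on a live node the input would come from
#   /opt/zimbra/libexec/zmldapmmrtool -q
# and the two URL lists from zmlocalconfig.
REMAINING="ldap://ldap-1.example.com:389 ldap://ldap-2.example.com:389"
printf '%s\n' "$SAMPLE_MMR_QUERY" |
    mmr_delete_plan ldap-3.example.com "$REMAINING" "$REMAINING"
```

Run it on each remaining MMR node, since each node keeps its own agreement list and the RID for the same peer can differ between nodes.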

Monitoring Multiple LDAP Master Status

The Monitoring LDAP Replication Status feature monitors the change sequence number (CSN) values between an LDAP master server and an LDAP replica server. The replica server is considered a shadow copy of the master server. If the servers become out of sync, the monitoring feature indicates the problem. The out of sync time period is typically five minutes, although this value is configurable.

Feature Requirement

Run the script zmreplchk located in /opt/zimbra/libexec.

This script must be run on a Zimbra 10 server that has a localconfig value set for ldap_url that includes all of the master servers.

Error Codes and Status Explanations

The following monitoring error codes and status explanations are given with this feature:

Error Code | Status                     | Description
0          | In Sync                    | The servers are currently in sync.
1          | No contact                 | No connection to the master server and the system exits.
2          | Stand-alone                | The master server has no replica servers and is considered a standalone master server.
3          | Could not execute StartTLS | The replica server requires StartTLS and fails.
4          | Server down                | The replica server is currently down.
5          | Unable to search           | Searching the replica server for the context CSN fails.
6          | Xw Xd Xh Xm Xs behind      | The replica server becomes out of sync. Status indicates amount of time the replica server is behind the master server in w=weeks, d=days, h=hours, m=minutes, and s=seconds.

For example, ldap-2.example.com is the master server, and ldap-3.example.com and ldap-4.example.com are additional servers. The following screenshot shows that the additional master servers are in sync with the master server, as indicated by Code: 0 and Status: In Sync, and that master server ldap-5.example.com is currently down, as indicated by Code: 4 and Status: Server down.

zimbra@ldap-2.example.com
Master: ldap://ldap-3.example.com:389 Code: 0 Status: In Sync CSN: 20120528123456.123456Z#000000#001#000000
Master: ldap://ldap-4.example.com:389 Code: 0 Status: In Sync CSN: 20120528123456.123456Z#000000#001#000000
Master: ldap://ldap-5.example.com:389 Code: 4 Status: Server down

Configuring LDAP Replication

Configuring LDAP Replication Overview

Setting up LDAP replication lets you distribute Zimbra 10 server queries to specific replica LDAP servers. Only one master LDAP server can be set up. This server is authoritative for user information, server configuration, etc. Replica LDAP servers can be defined to improve performance and to reduce the load on the master server. All updates are made to the master server and these updates are copied to the replica servers.

The Zimbra 10 install program is used to configure a master LDAP server and additional read-only replica LDAP servers. The master LDAP server is installed and configured first, following the normal Zimbra 10 installation options. The LDAP replica server installation is modified to point the replica server to the LDAP master host.

When the master LDAP server and the replica LDAP servers are correctly installed, the following is automatically configured:

  • SSH keys are set up on each LDAP server.

  • Trusted authentication between the master LDAP and the LDAP replica servers is set up.

  • The content of the master LDAP directory is copied to the replica LDAP server. Replica LDAP servers are read-only.

  • Zimbra 10 servers are configured to query the replica LDAP server instead of the master LDAP server.

Installing Zimbra Master LDAP Server

You must install the master LDAP server before you can install replica LDAP servers. Refer to Installing Zimbra 10 LDAP Master Server for master LDAP server installation instructions. After the installation of the master LDAP server has completed, continue to Enable Replication on the LDAP Master.

Enable Replication on the LDAP Master

On the master LDAP server, as the zimbra user, type: /opt/zimbra/libexec/zmldapenablereplica and press Enter. This enables replication on the LDAP Master.

Installing a Replica LDAP Server

The master LDAP server must be running when you install the replica server. You run the Zimbra 10 install program on the replica server to install the LDAP package.

Follow steps 1 through 4 in Starting the Installation Process to open a SSH session to the LDAP server, log on to the server as root, and unpack the Zimbra 10 software.

  1. Type Y and press Enter to install the zimbra-ldap package. In the screen shot below, the package to be installed is emphasized.

    Select the packages to install
    Install zimbra-ldap [Y] y
    Install zimbra-logger [Y] n
    Install zimbra-mta [Y] n
    Install zimbra-dnscache [N] n
    Install zimbra-snmp [Y] n
    Install zimbra-store [Y] n
    Install zimbra-apache [Y] n
    Install zimbra-spell [Y] n
    Install zimbra-convertd [N] n
    Install zimbra-memcached [Y] n
    Install zimbra-proxy [Y] n
    Installing:
        zimbra-core
        zimbra-ldap
    This system will be modified. Continue [N] Y
  2. Type Y, and press Enter to modify the system. The selected packages are installed. The Main menu shows the default entries for the LDAP replica server. To expand the menu type X and press Enter.

    Main menu
    
      1) Common Configuration:
      2) zimbra-ldap:                               Enabled
      .
      .
      .
      .
      r) Start servers after configuration          yes
      s) Save config to file
      x) Expand menu
      q) Quit
    
    *** CONFIGURATION COMPLETE - press 'a' to apply
    Select from menu, or press 'a' to apply config (? - help)
  3. Type 1 to display the Common Configuration submenus.

    Common Configuration:
    
      1) Hostname:                                  ldap-1.example.com
      2) Ldap master host:                          ldap-1.example.com
      3) Ldap port:                                 389
      4) Ldap Admin password:                       set
      5) Store ephemeral attributes outside Ldap: no
      6) Secure interprocess communications:        Yes
      7) TimeZone:                                  (GMT-08.00) Pacific Time (US & Canada)
  4. Type 2 to change the Ldap Master host name to the name of the Master LDAP host.

  5. Type 3, to change the Ldap port to the same port as configured for the Master LDAP server.

  6. Type 4 and change the Ldap Admin password to the Master LDAP admin password, then type r to return to the main menu.

  7. Type 2 to display the LDAP configuration submenu.

    Ldap configuration
    
      1) Status:                                    Enabled
      2) Create Domain:                             no
      3) Ldap Root password:                        set
      4) Ldap Replication password:                 set
      5) Ldap Postfix password:                     set
      6) Ldap Amavis password:                      set
      7) Ldap Nginx password:                       set
    1. Type 2 and change Create Domain to no.

    2. Type 4 for LDAP replication password and enter the same password to match the value on the Master LDAP Admin user password for this local config variable.

      All passwords must be set to match the master ldap admin user password. To determine this value on the master LDAP server, run zmlocalconfig -s ldap_replication_password

      If you have installed Zimbra 10 MTA on the LDAP server, configure the Amavis and the Postfix passwords. To find these values, issue the following commands:

      zmlocalconfig -s ldap_amavis_password
      zmlocalconfig -s ldap_postfix_password
  8. When the LDAP server is configured, type a to apply the configuration changes. Press Enter to save the configuration data.

    Select, or press 'a' to apply config (? - help) a
    Save configuration data? [Yes]
    Save config in file: [/opt/zimbra/config.2843]
    Saving config in /opt/zimbra/config.2843...Done
    The system will be modified - continue? [No] y
    Operations logged to /tmp/zmsetup.log.2843
    Setting local config zimbra_server_hostname to [ldap.example.com]
    .
    Operations logged to /tmp/zmsetup.log.2843
    Installation complete - press return to exit
  9. When Save Configuration data to a file appears, press Enter.

  10. When The system will be modified - continue? appears, type y and press Enter.

    The server is modified. Installing all the components and configuring the server can take a few minutes.
  11. When Installation complete - press return to exit displays, press Enter.

    The installation on the replica LDAP server is complete. The content of the master LDAP directory is copied to the replica LDAP server.

Test the Replica

  1. Create several user accounts, either from the admin console or on the master LDAP server. The CLI command to create these accounts is

    zmprov ca <name@domain.com> <password>

    If you do not have a mailbox server setup, you can create domains instead. Use this CLI command to create a domain

    zmprov cd <domain name>
  2. To see if the accounts were correctly copied to the replica LDAP server, on the replica LDAP server, type zmprov -l gaa. Type zmprov gad to check all domains. The accounts/domains created on the master LDAP server should display on the replica LDAP server.

In cases where the mailbox server is not setup, you can also use the following command for account creation.

zmprov ca <name@domain> <password> zimbraMailTransport <where_to_deliver>

Configuring Zimbra 10 Servers to Use LDAP Replica

To use the replica LDAP server instead of the master LDAP server, you must update the ldap_url value on the Zimbra 10 servers that will query the replica instead of the master. For each server that you want to change:

  1. Stop the Zimbra 10 services on the server. Type zmcontrol stop.

  2. Update the ldap_url value. Enter the replica LDAP server URL

    zmlocalconfig -e ldap_url="ldap://<replicahost>:port ldap://<masterhost>:port"

    To list more than one replica hostname, type the list as:

    "ldap://<replicahost1> ldap://<replicahost2>:port ldap://<masterhost>:port"

    The hosts are tried in the order listed. The master URL must always be included and is listed last.

  3. Update the ldap_master_url value. Enter the master LDAP server URL, if not already set.

    zmlocalconfig -e ldap_master_url=ldap://<masterhost>:port

IMPORTANT:

Additional Steps for MTA hosts. After updating the ldap_url, rerun /opt/zimbra/libexec/zmmtainit. This rewrites the Postfix configuration with the updated ldap_url.
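
One way to check an ldap_url value against the ordering rule above before applying it (an added example, not Zimbra code): every entry must be a well-formed ldap:// or ldaps:// URL, and the master must be present and listed last. It targets the single-master layout of this section; the function names and the hostnames are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not part of Zimbra: sanity-check an ldap_url value before
# passing it to `zmlocalconfig -e ldap_url=...`.

# Constructed sample values; the hostnames are placeholders.
SAMPLE_LDAP_URL="ldap://replica-1.example.com:389 ldap://replica-2.example.com ldap://master.example.com:389"
SAMPLE_MASTER_URL="ldap://master.example.com:389"

# normalize_ldap_url URL
# Prints scheme://host:port with a lower-cased host and the default port
# filled in (389 for ldap, 636 for ldaps). Fails on anything else.
# IPv6 literals are not handled in this example.
normalize_ldap_url() {
    printf '%s\n' "$1" | awk '
        {
            if ($0 !~ "^ldaps?://[^/:]+(:[0-9]+)?/?$") exit 1
            scheme = $0; sub("://.*$", "", scheme)
            rest = $0;   sub("^ldaps?://", "", rest); sub("/$", "", rest)
            host = rest
            port = (scheme == "ldaps" ? 636 : 389)
            if (rest ~ ":") {
                port = rest; sub("^.*:", "", port)
                sub(":.*$", "", host)
            }
            print scheme "://" tolower(host) ":" port
        }'
}

# check_ldap_url "LDAP_URL" "MASTER_URL"
# Prints one finding per line and returns 0 only when there are none.
check_ldap_url() {
    master=$(normalize_ldap_url "$2") || { echo "bad master URL: $2"; return 1; }
    findings=0
    seen=""
    last=""
    for url in $1; do
        norm=$(normalize_ldap_url "$url") || {
            echo "malformed entry: $url"
            findings=$((findings + 1))
            continue
        }
        case " $seen " in
            *" $norm "*) echo "duplicate entry: $url"; findings=$((findings + 1)) ;;
        esac
        seen="$seen $norm"
        last=$norm
    done
    case " $seen " in
        *" $master "*)
            # Hosts are tried in order, so the master must close the list.
            [ "$last" = "$master" ] || {
                echo "master $master is not listed last"
                findings=$((findings + 1))
            } ;;
        *)
            echo "master $master is missing from ldap_url"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Demo with the constructed sample.
check_ldap_url "$SAMPLE_LDAP_URL" "$SAMPLE_MASTER_URL" && echo "ldap_url order OK"
```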

Uninstalling an LDAP Replica Server

If you do not want to use an LDAP replica server, follow these steps to disable it.

Uninstalling an LDAP server is the same as disabling it on the master LDAP server.

Remove LDAP Replica from All Active Servers

  1. On each member server, including the replica, verify the ldap_url value. Type zmlocalconfig [ldap_url].

  2. Remove the disabled LDAP replica server URL from zmlocalconfig. Do this by modifying the ldap_url to only include enabled Zimbra 10 LDAP servers.

    The master LDAP server should always be at the end of the ldap_url string value.
    zmlocalconfig -e ldap_url="ldap://<replica-server-host>:port ldap://<master-server-host>:port"

Disable LDAP on the Replica

To disable LDAP on the replica server:

  1. Type zmcontrol stop to stop the Zimbra 10 services on the server.

  2. To disable LDAP service, type

    zmprov -l ms <zmhostname> -zimbraServiceEnabled ldap
  3. Type zmcontrol start to start other current Zimbra 10 services on the server.

IMPORTANT:

Additional steps for MTA host. After updating the ldap_url with zmlocalconfig, rerun /opt/zimbra/libexec/zmmtainit. This rewrites the Postfix configuration with the updated ldap_url.

Monitoring LDAP Replication Status

The Monitoring LDAP Replication Status feature monitors the change sequence number (CSN) values between an LDAP master server and an LDAP replica server. The replica server is considered a shadow copy of the master server. If the servers become out of sync, the monitoring feature indicates the problem. The out of sync time period is typically five minutes, although this value is configurable.

Feature Requirement

Run the script zmreplchk located in /opt/zimbra/libexec.

This script must be run on a Zimbra 10 server that has a localconfig value set for ldap_url that includes all of the replica servers and ends with the master server.

Error Codes and Status Explanations

The following monitoring error codes and status explanations are given with this feature:

Error Code | Status                     | Description
0          | In Sync                    | The servers are currently in sync.
1          | No contact                 | No connection to the master server and the system exits.
2          | Stand-alone                | The master server has no replica servers and is considered a standalone master server.
3          | Could not execute StartTLS | The replica server requires StartTLS and fails.
4          | Server down                | The replica server is currently down.
5          | Unable to search           | Searching the replica server for the context CSN fails.
6          | Xw Xd Xh Xm Xs behind      | The replica server becomes out of sync. Status indicates amount of time the replica server is behind the master server in w=weeks, d=days, h=hours, m=minutes, and s=seconds.

For example, ldap-2.example.com is the master server, and ldap-3.example.com and ldap-4.example.com are replica servers. The following screenshot shows that replica server ldap-3 is in sync with the master server, as indicated by Code: 0 and Status: In Sync, and that replica server ldap-4 is currently down, as indicated by Code: 4 and Status: Server down.

zimbra@ldap-2.example.com
Replica: ldap://ldap-3.example.com:389 Code: 0 Status: In Sync
Replica: ldap://ldap-4.example.com:389 Code: 4 Status: Server down

If the replica server becomes out of sync with the master server, the status given indicates in a time format how far behind the master server it has become:

Replica: ldap://ldap-3.example.com:389 Code: 0 Status: In Sync
Replica: ldap://ldap-4.example.com:389 Code: 6 Status: 0w 0d 0h 14m 42s behind
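
The zmreplchk output shown in this section and in Monitoring Multiple LDAP Master Status can be turned into alerts with a small filter. This is an added example, not part of Zimbra; the function name, the ALERT line format and the 300-second default (the five minutes mentioned above) are assumptions.

```shell
#!/bin/sh
# Added example, not part of Zimbra: turn zmreplchk output into alerts.

# Constructed sample: the Master/Replica lines for ldap-3, ldap-4 and ldap-5
# are copied from the outputs shown in this guide; the ldap-6 line is made up
# to show a lag that stays inside the tolerance.
SAMPLE_REPLCHK='zimbra@ldap-2.example.com
Master: ldap://ldap-3.example.com:389 Code: 0 Status: In Sync CSN: 20120528123456.123456Z#000000#001#000000
Master: ldap://ldap-5.example.com:389 Code: 4 Status: Server down
Replica: ldap://ldap-4.example.com:389 Code: 6 Status: 0w 0d 0h 14m 42s behind
Replica: ldap://ldap-6.example.com:389 Code: 6 Status: 0w 0d 0h 2m 5s behind'

# replchk_alerts [MAX_LAG_SECONDS]   (reads zmreplchk output on stdin)
# Prints one ALERT line per server that is unreachable, unsearchable or
# further behind than MAX_LAG_SECONDS. Returns 1 if anything was reported.
replchk_alerts() {
    awk -v max_lag="${1:-300}" '
        # Convert the "Xw Xd Xh Xm Xs behind" status text into seconds.
        function lag_seconds(text,    n, parts, i, total, unit, num) {
            total = 0
            n = split(text, parts, " ")
            for (i = 1; i <= n; i++) {
                if (parts[i] !~ /^[0-9]+[wdhms]$/) continue
                unit = substr(parts[i], length(parts[i]), 1)
                num  = substr(parts[i], 1, length(parts[i]) - 1) + 0
                if      (unit == "w") total += num * 604800
                else if (unit == "d") total += num * 86400
                else if (unit == "h") total += num * 3600
                else if (unit == "m") total += num * 60
                else                  total += num
            }
            return total
        }
        $1 == "Master:" || $1 == "Replica:" {
            uri = $2; code = ""; status = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "Code:") code = $(i + 1)
                if ($i == "Status:") {
                    # The status text runs up to "CSN:" or the end of the line.
                    for (j = i + 1; j <= NF && $j != "CSN:"; j++)
                        status = (status == "" ? $j : status " " $j)
                }
            }
            if (code == "0") next                 # in sync
            if (code == "6") {
                lag = lag_seconds(status)
                if (lag <= max_lag + 0) next      # behind, but within tolerance
                detail = "lag=" lag "s (limit " max_lag "s)"
            } else if (code ~ /^[1-5]$/) {
                detail = status                   # documented error status
            } else {
                detail = "unparsed line"          # format changed or truncated
            }
            print "ALERT " uri " code=" (code == "" ? "?" : code) " " detail
            alerts++
        }
        END { exit (alerts > 0 ? 1 : 0) }'
}

# Demo with the constructed sample; on a live server the input would be
#   /opt/zimbra/libexec/zmreplchk
printf '%s\n' "$SAMPLE_REPLCHK" | replchk_alerts 300 ||
    echo "replication needs attention"
```

Code 2 (Stand-alone) is reported as well, because a master that sees no peers after replication was configured usually means the ldap_url list is wrong.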

System Requirements for Zimbra Daffodil

Servers

Evaluation and Testing

  • Intel/AMD w/ PassMark CPU Mark > 7,000 (e.g., Dual Intel Xeon E5-2407 @ 2.2GHz = 7,303)

  • RAM requirements:

    • For single server installations, Zimbra 10 requires a minimum of 8GB of RAM.

    • For multi-server installations, contact Zimbra sales for recommendations.

  • 50 GB free disk space for software and logs

  • Temp file space for installs and upgrades*

  • Additional disk space for mail storage

Production environments

  • Intel/AMD w/ PassMark CPU Mark > 15,000 (e.g., Quad AMD Opteron 6276 @ 2.2GHz = 7,303)

  • RAM requirements:

    • For single server installations, Zimbra 10 requires a minimum of 8GB of RAM.

    • For multi-server installations, contact Zimbra sales for recommendations.

  • Temp file space for installs and upgrades*

  • 100 GB free disk space for software and logs (SATA or SCSI for performance, and RAID/Mirroring for redundancy)

  • Additional disk space for mail storage

  • Temp files space: The zimbra-store requires 5GB for /opt/zimbra, plus additional space for mail storage. The other nodes require 100MB.

General Requirements

  • Set the firewall configuration to No firewall.

  • We do not recommend RAID-5 for installations with more than 100 accounts.

Network Edition supported Cloud platforms

The following Cloud Platforms are supported:

  • Oracle Cloud

  • VMware vCloud Director

  • VMware vCloud Air

Operating System (Network Edition)

The following operating systems are supported:

  • Red Hat® Enterprise Linux® 7 (64-bit)

  • Red Hat® Enterprise Linux® 8 (64-bit)

  • CentOS Linux® 7 (64-bit)

  • Rocky Linux® 8 (64-bit)

  • Oracle Linux 7 (64-bit)

  • Oracle Linux 8 (64-bit)

  • Ubuntu 18.04 LTS Server Edition (64-bit)

  • Ubuntu 20.04 LTS Server Edition (64-bit)

File Systems

The following file systems are supported:

  • XFS

  • ext3 or ext4 file systems for Linux deployments

The following file system is not supported for Store/HSM/Backup features:

  • NFS

Other Dependencies

Netcat (nc) is required on all operating systems using Zimbra Daffodil. Install the nc utility before installation or upgrading.

For Ubuntu systems, disable AppArmor and verify that the AppArmor service is not running before installing Zimbra Daffodil.

For Red Hat Enterprise, Oracle Linux and Rocky Linux operating systems, the server must also have the following installed:

  • NPTL. Native POSIX Thread Library

  • GMP. GNU Multiple-Precision Library.

Miscellaneous

  • SSH client software to transfer and install the Zimbra Daffodil software.

  • Valid DNS configured with an A record and MX record.

  • Servers should be configured to run Network Time Protocol (NTP) on a scheduled basis.

Administrator Computers

Other configurations may work.

The following operating system/browser combinations are supported:

Windows 8.1 or Windows 10 with one of the following:

  • The latest stable release of:

    • Firefox

    • Safari

    • Google Chrome

    • Microsoft Edge

MacOS 10.12 or later with one of the following:

  • The latest stable release of:

    • Firefox

    • Safari

    • Google Chrome

Linux (Red Hat, Ubuntu, or Fedora) with one of the following:

  • The latest stable release of:

    • Firefox

    • Google Chrome

Administrator Console Monitor

Display minimum resolution 1024 x 768

End User Computers using Zimbra 10 Web Client

Other configurations may work.

For Zimbra 10 Web Client - Classic Web App & Modern Web App

Minimum

  • Intel/AMD w/ PassMark CPU Mark > 2,000 (e.g., Intel Core i3-7020U @ 2.30GHz = 2,434)

  • 256MB RAM

Recommended

  • Intel/AMD w/ PassMark CPU Mark > 4,000

  • 512MB RAM

The following operating system/browser combinations are supported:

Windows 8.1 or Windows 10 with one of the following:

  • The latest stable release of:

    • Firefox

    • Safari

    • Google Chrome

    • Microsoft Edge

MacOS 10.12, 10.13, or 10.14 with one of the following:

  • The latest stable release of:

    • Firefox

    • Safari

    • Google Chrome

Linux (Red Hat, Ubuntu, or Fedora) with one of the following:

  • The latest stable release of:

    • Firefox

    • Google Chrome

End User Computers Using Other Clients

Minimum

  • Intel/AMD w/ PassMark CPU Mark > 2,000

  • 2GB RAM

Recommended

  • Intel/AMD w/ PassMark CPU Mark > 4,000

  • 4GB RAM

Operating system POP/IMAP combinations

  • Windows 10 with Windows Mail, Outlook 2016 and above (MAPI), or the latest stable Thunderbird

  • Fedora 31 or later with the latest stable Thunderbird

  • MacOS 10.12 or later with Apple Mail

Exchange Web Services

EWS Clients

  • Outlook 2016/2019 (Mac only)

  • Apple Desktop Clients (macOS 10.12+)

EWS Interoperability

  • Exchange 2010+

Monitor

Display minimum resolution: 1024 x 768

Internet Connection Speed

1 Mbps or higher

Zimbra 10 Connector for Outlook (Network Edition Only)

Operating System

  • Windows 10

  • Windows 11

Microsoft Outlook

  • Outlook 2021: 32-bit and 64-bit editions of Microsoft Office, including Click to run.

  • Outlook 2019: 32-bit and 64-bit editions of Microsoft Office, including Click to run.

  • Outlook 2016: 32-bit and 64-bit editions of Microsoft Office, including Office365 and Click to run versions.

Zimbra 10 Mobile (Network Edition Only)

Network Edition Mobile (MobileSync) provides mobile data access to email, calendar, and contacts for users of selected mobile operating systems, including:

Smartphone Operating Systems:

  • iOS versions currently supported by Apple - iOS 12 and above.

  • Android versions currently supported by Google - 8.0 and above.

Available Languages

This section includes information about available languages, including End User Translations and Administrator Translations.

End User Translations

Zimbra 10 Classic Web App

  • Category: Application/UI

  • Languages: Arabic, Basque (EU), Chinese (Simplified PRC and Traditional HK), Danish, Dutch, English (AU, UK, US), French, French Canadian, German, Hindi, Hungarian, Italian, Japanese, Korean, Malay, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Spanish, Swedish, Thai, Turkish, Ukrainian

Zimbra 10 Classic Web App - Online Help (HTML)

  • Category: Feature Documentation

  • Languages: Dutch, English, Spanish, French, Italian, Japanese, German, Portuguese (Brazil), Chinese (Simplified PRC and Traditional HK), Russian

Zimbra 10 Classic Web App - End User Guide (PDF)

  • Category: Feature Documentation

  • Languages: English

Zimbra 10 Modern Web App - End User Guide (HTML)

  • Category: Feature Documentation

  • Languages: English

Zimbra 10 Connector for Microsoft Outlook

  • Category: Installer + Application/UI

  • Languages: Arabic, Basque (EU), Chinese (Simplified PRC and Traditional HK), Danish, Dutch, English (AU, UK, US), French, French Canadian, German, Hindi, Hungarian, Italian, Japanese, Korean, Malay, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Spanish, Swedish, Thai, Turkish, Ukrainian

Zimbra 10 Connector for Microsoft Outlook - End User Guide (PDF)

  • Category: Feature Documentation

  • Languages: English

Administrator Translations

Zimbra 10 Admin Console

  • Category: Application

  • Languages: Arabic, Basque (EU), Chinese (Simplified PRC and Traditional HK), Danish, Dutch, English (AU, UK, US), French, French Canadian, German, Hindi, Hungarian, Italian, Japanese, Korean, Malay, Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Spanish, Swedish, Turkish, Ukrainian

Zimbra 10 Admin Console Online Help (HTML)

  • Category: Feature Documentation

  • Languages: English

"Documentation" Install + Upgrade / Admin Manual / Migration / Import / Release Notes / System Requirements

  • Category: Guides

  • Languages: English

Zimbra 10 Connector for Microsoft Outlook - Admin Guide (PDF)

  • Category: Install + Configuration Guide

  • Languages: English

Note: To find SSH client software, go to Download.com at http://www.download.com/ and search for SSH. The list displays software that can be purchased or downloaded for free. An example of free SSH client software is PuTTY, a software implementation of SSH for Win32 and Unix platforms. To download a copy, go to http://putty.nl.