There are 3 things you need:
- Private key
First, switch to the user zimbra:
su - zimbra
Let’s assume your files are located here:
Private Key: /tmp/private.key
Now, copy your private key file to the following location:
cp /tmp/private.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
First, verify that all 3 things are correct:
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /tmp/your.domain.com.crt /tmp/your.domain.com.ca-bundle
If it says OK, you may deploy the certificate as follows:
/opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/your.domain.com.crt /tmp/your.domain.com.ca-bundle
Once done, exit from the zimbra user and restart Zimbra:
service zimbra restart
Your SSL should work now.
Open your main.cf file, in my case, it’s a zimbra main.cf file:
Now change the following settings:
relayhost = [smtp.yourrelayserver.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = static:relayusername:relaypassword
smtp_sasl_mechanism_filter = login
You need to replace 3 things here:
- smtp.yourrelayserver.com should be your original relay server.
- relayusername should be the relay authentication username.
- relaypassword should be the relay authentication password.
Once done, restart Postfix and check that mail is relaying through the new relay you have added.
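The settings above keep the relay password inline in main.cf (static:) and, with smtp_sasl_security_options = noanonymous and the login mechanism, allow it to be sent on a session that is not required to use TLS. The following check is an added example, not part of the original post; the function names and finding labels are made up here, and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Postfix main.cf for the
# relay settings shown above. Simplification: continuation lines are ignored.

# get_param FILE NAME: print the last value assigned to NAME (the last wins).
get_param() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comments
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { print val }' "$1"
}

# audit_relay_conf FILE: print one finding per line; no output means clean.
audit_relay_conf() {
    conf=$1
    maps=$(get_param "$conf" smtp_sasl_password_maps)
    tls=$(get_param "$conf" smtp_tls_security_level)
    mode=$(stat -c %a "$conf")                   # GNU stat (assumed: Linux)
    case $maps in
        static:*)
            echo "INLINE_CREDENTIAL: relay password is stored in main.cf itself"
            case $mode in
                *[4567]) echo "WORLD_READABLE: mode $mode lets any local user read it" ;;
            esac ;;
    esac
    case $tls in
        encrypt|dane-only|fingerprint|verify|secure) ;;   # TLS is mandatory
        *) echo "TLS_NOT_ENFORCED: smtp_tls_security_level='$tls'" ;;
    esac
}

# Constructed sample: the settings from the post, in a throwaway file.
demo=$(mktemp)
printf '%s\n' 'smtp_sasl_security_options = noanonymous' \
    'smtp_sasl_password_maps = static:relayusername:relaypassword' > "$demo"
chmod 644 "$demo"
audit_relay_conf "$demo"
rm -f "$demo"
```

Moving the credential into a separate lookup table file readable only by the mail user, and setting smtp_tls_security_level = encrypt, clears all three findings.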
Zimbra provides distribution lists: you add members to the list, and when you send mail to the distribution list address, Zimbra picks up all the members and sends the same mail to each of them. This allows you to easily do group mailing or department-wise mailing in a company. The Zimbra admin panel does not allow you to list all the members on one page and download them. One option available from the admin panel is to go to the details of the distribution list email address and, from the Member pane, download the first page of the list. But the page does not allow you to move on. How can we download all the members of a distribution list in Zimbra in one command?
How To List/Download Members of Distribution List in Zimbra
You may do it using the zmprov command provided by Zimbra. Here are the steps to do so:
su - zimbra
for i in $(zmprov gadl); do zmprov gdl "$i" zimbraMailAlias zimbraMailForwardingAddress; done
# if you want to store them in a file and download them:
for i in $(zmprov gadl); do zmprov gdl "$i" zimbraMailAlias zimbraMailForwardingAddress; done > /tmp/dd_users.txt
Sometimes, when you restart Zimbra, you see that zmconfigd is not starting or is reported as failed. You may also see that the zmconfigd service is not running in the Zimbra admin panel. There are a couple of common reasons why zmconfigd fails to start.
One reason zmconfigd fails to start is IPv6: for some reason, it fails to route over IPv6 and does not start. A quick solution to this problem is to disable IPv6 and restart zmconfigd. You may do this as follows:
# Edit your sysctl.conf file (/etc/sysctl.conf)
# paste the following inside the file
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Save the file, and update sysctl in realtime
sysctl -p
# now try to restart zmconfigd
su - zimbra
zmconfigdctl restart
Now you can check the zmconfigd status with the following, to know if it’s running or not:
[root@mailapp ~]# cat /opt/zimbra/log/zmconfigd.pid
If it returns an ID, it means the zmconfigd is running.
Netcat is not installed
Another reason for the error could be that nc is not installed on your system. Zimbra zmconfigd has a dependency on the netcat package. Netcat is available through nmap-ncat on CentOS systems. You may run the following to install netcat:
yum install nc
yum install nmap-ncat
Zimbra Supports HTTPs by Default:
By default, Zimbra supports only HTTPs and disables HTTP on the webmail client. But users usually try the plain HTTP address first, since they do not like typing https before the domain each time they open the webmail client. Zimbra uses Nginx to run the proxy services to access the Javamail Client of Zimbra. Zimbra supports 5 types of proxy services through Nginx:
You may check the following for details:
How to Redirect HTTP to HTTPs automatically in Zimbra 8.8*
The most popular of the 5 options for proxy services is redirect. To enable it, you can run the following:
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
This will redirect your URLs to the zimbra hostname based HTTPs.
Now, restart the proxy services:
su - zimbra
zmproxyctl restart
Hope this helps.
Note: This does not seem to work on 2021. I have written another article on how to do this now: How to manually install/renew let’s encrypt ssl in Zimbra
OK, there is a reason to put 2020 in the title: the process has changed since the past. At this moment, I manage a Zimbra server with multiple domains on it, which won’t deploy the ‘other’ domains if they are not specified. The process is fairly simple, but I am keeping this for documentation purposes, so that I don’t miss anything next time.
To renew the certificate for attached domains using certbot is fairly simple, just do:
# certbot renew
Once done, you want to use the pre-hook and deploy-hook to do the patching and deploying as follows, using certbot_zimbra.sh:
# certbot_zimbra.sh -p
# certbot_zimbra.sh -r -d 'your_domain'
Update: certbot_zimbra doesn’t take this anymore. ‘-n’ used to be taken as new and ‘-r’ as replace; now ‘-r’ has been removed. Instead, you can use ‘-e’ to specify new domains. So the commands for replacement and deployment are fairly simple, as follows:
# certbot_zimbra.sh -p
# certbot_zimbra.sh -d -e 'mail.yourdomain.com'
# certbot_zimbra.sh -d -e 'mailapp.yourdomain.com'
… and so on. At this moment, I couldn’t find a way to advise zimbra certbot to follow a list of domains instead of one. But this is probably possible by cracking the certbot.