This guide walks through a Zimbra Multi-Server Installation on CentOS 7. Zimbra is one of the most widely used open-source mail and collaboration suites and is commonly weighed against Exchange and other commercial email products.
Installing a single-server Zimbra is straightforward, but a multi-server setup has many moving parts, and the pieces must be installed in the following order:
- Install LDAP server(s) – Multi-Master Replication (MMR) or a master with replica(s)
- Install Zimbra Mailbox Server(s)
- Install MTA Server(s)
- Install Proxy Server(s)
My setup will have the following servers:
- 2 LDAP Servers – with Multi-Master Replication (MMR)
- 2 Mailbox servers
- 2 MTA Servers
- 2 Proxy servers – with keepalived and VIP
So the total number of servers for this setup is 8. Hostnames use the following formats:
- LDAP Servers – ldap-01.domain.com & ldap-02.domain.com
- Mailbox servers – mx-01.domain.com & mx-02.domain.com
- MTA servers – mta-01.domain.com & mta-02.domain.com
- Proxy servers – proxy-01.domain.com & proxy-02.domain.com, with the VIP on mail.domain.com
Replace domain.com with your own domain if you follow this guide closely, or adapt the names to your environment. Whatever you choose, every server must be able to resolve every other server's FQDN, forward and reverse.
Lab Environment Setup and Installation
Below steps will cover OS setup and installation of various Zimbra services.
Step 1: Install CentOS 7 on all servers
Step one is to install CentOS 7 on all target servers and update packages to the latest release by running:
sudo yum -y update
Step 2: Install Zimbra Prerequisite packages and set hostnames
Install all packages required for Zimbra installation and set hostnames on all servers. These packages can be installed by running the command:
sudo yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients
Set hostnames using the command:
$ sudo hostnamectl set-hostname <hostname>
For example, on the first LDAP server:
sudo hostnamectl set-hostname ldap-01.domain.com
Step 3: Modify /etc/hosts with the hostnames and IP addresses
Now that each server has the correct hostname, add the IP address and FQDN of every server in the cluster to /etc/hosts (or make sure your DNS resolves them, forward and reverse). Edit the file:
$ sudo vim /etc/hosts
192.168.1.20 mta-01.domain.com mta-01
Add one such line for each of the eight servers (plus the proxy VIP mail.domain.com) on every server. The installer checks that a server's own hostname resolves, so map it to the server's real interface address, never to 127.0.0.1.
Step 4: Download the latest Zimbra release locally on all servers
Download the Zimbra package to each server and extract it so it is ready for installation. This guide uses Zimbra 8.8.15 GA; if a newer release is available from the Zimbra download page, use that and adjust the file names below.
wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz
tar xvf zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz
I like keeping the full release name in the file and directory names since it helps later when doing an upgrade. With this version you should have a directory named zcs-8.8.15_GA_3869.RHEL7_64.20190918004220/. Before installing, compare the archive's checksum with the one published on the Zimbra download page; you are about to run its installer as root on every server.
Step 5: Install Zimbra LDAP Server 1 (ldap-01.domain.com)
We start with the first LDAP server. The second LDAP server is installed afterwards and joins it as a second master (MMR).
cd zcs-8.8.15_GA_3869.RHEL7_64.20190918004220
Start the installation process:
sudo ./install.sh
Answer the prompts as below (the installer's defaults are shown in brackets):
Do you agree with the terms of the software license agreement? [N] y
Use Zimbra's package repository [Y] y
Select the packages to install
Install zimbra-ldap [Y] y
Install zimbra-logger [Y] n
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-ldap
zimbra-snmp
The system will be modified. Continue? [N] Y
Package download and installation then start, followed by the configuration menu. My settings are:
Common configuration
1) Hostname: ldap-01.domain.com
2) Ldap master host: ldap-01.domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Store ephemeral attributes outside Ldap: no
6) Secure interprocess communications: yes
7) TimeZone: UTC
8) IP Mode: ipv4
9) Default SSL digest: sha256
Ldap configuration
1) Status: Enabled
2) Create Domain: yes
3) Domain to create: mail.domain.com
4) Ldap root password: set
5) Ldap replication password: set
6) Ldap postfix password: set
7) Ldap amavis password: set
8) Ldap nginx password: set
9) Ldap Bes Searcher password: set
Double-check the hostname, the Ldap master host and the domain to create. The domain to create becomes the domain part of your users' addresses; the installer defaults it to the domain part of the hostname (domain.com), and I changed it to mail.domain.com, so accounts created later in this guide live in the mail.domain.com domain. Pick whatever domain your mail addresses should carry. Once you are satisfied with the settings, press a to start the installation and configuration process.
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.31786]
Saving config in /opt/zimbra/config.31786...done.
The system will be modified - continue? [No] Yes
Once the installation is complete, record the LDAP passwords; every other server in the cluster has to be given the same values during its own installation. As the zimbra user you can print them with zmlocalconfig -s | grep -i 'ldap_.*password' (the values below are from my installation and will differ on yours):
ldap_amavis_password = 4Y9WzugHAz
ldap_bes_searcher_password = 4Y9WzugHAz
ldap_nginx_password = 4Y9WzugHAz
ldap_postfix_password = 4Y9WzugHAz
ldap_replication_password = 4Y9WzugHAz
ldap_root_password = 4Y9WzugHAz
zimbra_ldap_password = 4Y9WzugHAz
Note that the installer uses one generated value for all of these unless you change them in the Ldap configuration menu, so every component (postfix, amavis, nginx, replication) binds to LDAP with the same secret, and a bind password leaked from an MTA or proxy is also the LDAP root and replication password. Set distinct values in the menu before applying, or change them afterwards on the LDAP master with zmldappasswd (see zmldappasswd -h for the per-role switches) and keep the matching localconfig keys on the other servers in sync.
Step 6: Enable LDAP MMR on the ldap-01 server
Since both LDAP servers will act as masters, multi-master replication has to be enabled on the first master we just installed, before the second one is installed.
Enabling Multi-Master replication on an existing single-node master, as the zimbra user. The -s value is this server's LDAP server ID (1) and -m is the URI of the peer master that is about to be installed:
[root@ldap-01 ~]# su - zimbra
[zimbra@ldap-01 ~]$ /opt/zimbra/libexec/zmldapenable-mmr -s 1 -m ldap://ldap-02.domain.com:389/
Verify the replication agreement:
[zimbra@ldap-01 ~]$ /opt/zimbra/libexec/zmldapmmrtool -q
Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical
[zimbra@ldap-01 ~]$
One agreement per peer is all that is needed. The -r form of the command (zmldapenable-mmr -r 101 -m ldap://<host>:389/) adds another replication agreement and is meant for setups with more than two masters; running it against ldap-02 again would only create a duplicate agreement to the same server. "TLS: critical" means the replication traffic is protected with STARTTLS, which is what you want since the replication password crosses the network.
On LDAP server 2 (ldap-02.domain.com), run the installer with the same package selection as on ldap-01, but with this configuration:
Common configuration
1) Hostname: ldap-02.domain.com
2) Ldap master host: ldap-01.domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Store ephemeral attributes outside Ldap: no
6) Secure interprocess communications: yes
7) TimeZone: UTC
8) IP Mode: ipv4
9) Default SSL digest: sha256
Ldap configuration
1) Status: Enabled
2) Create Domain: yes
3) Domain to create: mail.domain.com
4) Ldap replication type: mmr
5) Ldap Server ID: 2
6) Ldap root password: set
7) Ldap replication password: set
8) Ldap postfix password: set
9) Ldap amavis password: set
10) Ldap nginx password: set
11) Ldap Bes Searcher password: set
The following must match the values recorded after the ldap-01 installation:
- Ldap Admin password
- Ldap replication password
- Ldap replication type: mmr
- Ldap Server ID: 2 (each master needs its own ID)
- All other passwords
After the installation, run /opt/zimbra/libexec/zmldapmmrtool -q on both servers: each should list exactly one agreement to the other, and an account created with zmprov on one master should be visible on the other within a few seconds.
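Two checks worth scripting before moving on, as an added example that is not part of the original guide or of Zimbra's own tooling: that each master lists exactly one TLS-protected replication agreement to its peer (a repeated zmldapenable-mmr run against the same host shows up as a duplicate agreement), and that the seven LDAP passwords handed out by the installer are not all the same value. Both functions read their report from stdin, so they can be fed the live output of zmldapmmrtool -q and zmlocalconfig -s on the LDAP servers, or the samples at the bottom of the script, which are constructed from the output shown earlier on this page. The peer URI and the /opt/zimbra paths are the ones used in this guide.

```sh
#!/bin/sh
# Added example, not part of the original guide or of Zimbra: two checks for a
# two-master LDAP setup. Both read a report from stdin so they can be fed the
# live output on the LDAP servers or the samples constructed at the bottom.

# mmr_check PEER_URI  (output of "zmldapmmrtool -q" on stdin)
#   returns 0: exactly one agreement to PEER_URI and it is TLS critical
#           1: peer missing, or listed more than once (what a second
#              "zmldapenable-mmr ... -m <same host>" run leaves behind)
#           2: the agreement exists but is not TLS critical (replication,
#              and the replication password, would cross the wire in clear)
mmr_check() {
    peer=$1
    lines=$(grep -F -- "URI: $peer " || true)        # one line per agreement to the peer
    n=$(printf '%s\n' "$lines" | grep -c '^rid:' || true)
    if [ "$n" -ne 1 ]; then
        echo "mmr_check: expected 1 agreement to $peer, found $n" >&2
        return 1
    fi
    if ! printf '%s\n' "$lines" | grep -q 'TLS: critical'; then
        echo "mmr_check: agreement to $peer is not TLS critical" >&2
        return 2
    fi
    echo "mmr_check: one TLS-critical agreement to $peer"
}

# ldap_passwords_distinct  (output of "zmlocalconfig -s" on stdin)
#   returns 0 when every ldap_*_password / zimbra_ldap_password value is unique,
#           1 when roles share a value (the installer's default, see above)
ldap_passwords_distinct() {
    vals=$(grep -E '^(ldap_[a-z_]+_password|zimbra_ldap_password) *=' | sed 's/^[^=]*= *//')
    total=$(printf '%s\n' "$vals" | grep -c . || true)
    unique=$(printf '%s\n' "$vals" | sort -u | grep -c . || true)
    if [ "$total" -eq 0 ]; then
        echo "ldap_passwords_distinct: no LDAP password keys found in input" >&2
        return 1
    fi
    if [ "$unique" -ne "$total" ]; then
        echo "ldap_passwords_distinct: $total roles share only $unique distinct password(s)" >&2
        return 1
    fi
    echo "ldap_passwords_distinct: $total roles, all distinct"
}

# Live wrappers, to be run as the zimbra user on ldap-01 / ldap-02
mmr_check_live() { /opt/zimbra/libexec/zmldapmmrtool -q | mmr_check "$1"; }
ldap_passwords_distinct_live() { /opt/zimbra/bin/zmlocalconfig -s | ldap_passwords_distinct; }

# Constructed samples, copied from the reports shown earlier in this guide
PEER='ldap://ldap-02.domain.com:389/'
GOOD_REPORT='Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical'
DUP_REPORT="$GOOD_REPORT
Master replication agreement: 2
rid: 101 URI: ldap://ldap-02.domain.com:389/ TLS: critical"
SAME_PASSWORDS='ldap_amavis_password = 4Y9WzugHAz
ldap_bes_searcher_password = 4Y9WzugHAz
ldap_nginx_password = 4Y9WzugHAz
ldap_postfix_password = 4Y9WzugHAz
ldap_replication_password = 4Y9WzugHAz
ldap_root_password = 4Y9WzugHAz
zimbra_ldap_password = 4Y9WzugHAz'

printf '%s\n' "$GOOD_REPORT" | mmr_check "$PEER"
printf '%s\n' "$DUP_REPORT" | mmr_check "$PEER" || echo "(duplicate agreement caught, as intended)"
printf '%s\n' "$SAME_PASSWORDS" | ldap_passwords_distinct || echo "(shared password caught, as intended)"
```

Run it as the zimbra user on each LDAP server (the live wrappers call the Zimbra tools directly), and rerun the password check after you have set per-role passwords.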
Step 7: Install Zimbra Mailbox Server(s)
Now install the two mailbox servers (mx-01 and mx-02) with the installer:
sudo ./install.sh
The packages to install are:
Do you agree with the terms of the software license agreement? [N] y
Use Zimbra's package repository [Y] y
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] y
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] y
Install zimbra-apache [Y] y
Install zimbra-spell [Y] y
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Install zimbra-imapd (BETA - for evaluation only) [N] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-logger
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-convertd
zimbra-archiving
zimbra-drive
The system will be modified. Continue? [N] Y
Note that the logger is installed on only one server; in this setup it runs on mx-01. The settings look like below:
Common configuration
1) Hostname: mx-01.domain.com
2) Ldap master host: ldap-01.domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) LDAP Base DN: cn=zimbra
6) Store ephemeral attributes outside Ldap: yes
7) Value for zimbraEphemeralBackendURL: ldap://default
8) Secure interprocess communications: yes
9) TimeZone: UTC
10) IP Mode: ipv4
11) Default SSL digest: sha256
Under Common configuration, set:
- Hostname: mx-01.domain.com
- Ldap master host: ldap-01.domain.com
- Ldap Admin password: the zimbra_ldap_password recorded after the ldap-01 installation
Under zimbra-store make sure the following items are configured:
- Admin Password: the initial password for the admin account (reset it before going live, see the last step)
- SMTP host: one of the MTA servers, e.g. mta-01.domain.com (it is installed in the next step)
- Configure for use with mail proxy: TRUE
- Configure for use with web proxy: TRUE
- Install UI (zimbra,zimbraAdmin webapps): yes
- Install mailstore (service webapp): yes
Adjust any other settings you need and start the installation. For the other mailbox server (mx-02), repeat the same steps but do not install the logger; it runs on mx-01 only.
Step 8: Install Zimbra MTA Server(s)
The next phase is the installation of the MTA servers (mta-01 and mta-02). Your package selection should be as below:
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] y
Install zimbra-dnscache [Y] y
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-mta
zimbra-snmp
zimbra-dnscache
The system will be modified. Continue? [N] y
On the configuration menu, under 1) Common Configuration, set the hostname, the LDAP master host and the LDAP admin password:
1) Hostname: mta-01.domain.com
2) Ldap master host: ldap-01.domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) LDAP Base DN: cn=zimbra
6) Store ephemeral attributes outside Ldap: yes
7) Value for zimbraEphemeralBackendURL: ldap://default
8) Secure interprocess communications: yes
9) TimeZone: UTC
10) IP Mode: ipv4
11) Default SSL digest: sha256
Under 2) zimbra-mta, set the bind passwords for the postfix and amavis LDAP users to the ldap_postfix_password and ldap_amavis_password recorded after the ldap-01 installation:
Mta configuration
1) Status: Enabled
2) Enable Spamassassin: yes
3) Enable Clam AV: yes
4) Enable OpenDKIM: yes
5) Notification address for AV alerts: set (an administrator mailbox in your domain)
6) Bind password for postfix ldap user: set
7) Bind password for amavis ldap user: set
Under zimbra-dnscache, configure the upstream DNS IP addresses separated by spaces:
DNS Cache configuration
1) Status: Enabled
2) Master DNS IP address(es): 8.8.4.4 1.1.1.1 8.8.8.8
3) Enable DNS lookups over TCP: yes
4) Enable DNS lookups over UDP: yes
5) Only allow TCP to communicate with Master DNS: no
Public resolvers are used here for the lab. In production, point the cache at your own resolvers: the MTA's DNSBL checks go through them, and several blocklists (Spamhaus among them) refuse queries that arrive via public resolvers, which silently disables that filtering.
Once done, press a to apply the configuration and begin the MTA setup. Repeat on mta-02.domain.com.
Step 9: Install Zimbra Proxy Server(s)
For installation of Zimbra Proxy server(s), you need to select the following packages during installation:
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] y
Install zimbra-proxy [Y] y
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-snmp
zimbra-memcached
zimbra-proxy
The system will be modified. Continue? [N] y
Fill all required information:
Common configuration
1) Hostname: proxy-01.domain.com
2) Ldap master host: ldap-01.domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) LDAP Base DN: cn=zimbra
6) Store ephemeral attributes outside Ldap: yes
7) Value for zimbraEphemeralBackendURL: ldap://default
8) Secure interprocess communications: yes
9) TimeZone: UTC
10) IP Mode: ipv4
11) Default SSL digest: sha256
Proxy configuration
1) Status: Enabled
2) Enable POP/IMAP Proxy: TRUE
3) Enable strict server name enforcement? TRUE
4) IMAP server port: 7143
5) IMAP server SSL port: 7993
6) IMAP proxy port: 143
7) IMAP SSL proxy port: 993
8) POP server port: 7110
9) POP server SSL port: 7995
10) POP proxy port: 110
11) POP SSL proxy port: 995
12) Bind password for nginx ldap user: set
13) Enable HTTP[S] Proxy: TRUE
14) Web server HTTP port: 8080
15) Web server HTTPS port: 8443
16) HTTP proxy port: 80
17) HTTPS proxy port: 443
18) Proxy server mode: redirect
For the proxy server mode you can choose http, https, both, redirect or mixed depending on your requirements. redirect answers plain HTTP only with a redirect to HTTPS, which is the sensible choice for anything reachable from the internet; I'm using redirect. Note that strict server name enforcement (item 3) makes the proxy reject requests whose Host header is not a known Zimbra server or virtual host name; if requests for the VIP name are rejected, add it to the domain with zmprov md <domain> zimbraVirtualHostname mail.domain.com and restart the proxy.
Once all Zimbra proxy servers are installed, enable the admin console proxy on port 9071 by running the following command on each proxy server as the zimbra user:
$ sudo su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`
- This enables the admin console proxy port 9071 on the proxy server.
- Make sure the mailbox servers' admin console is on port 7071 (the default).
You need to restart the proxy service after making the change:
$ zmproxyctl restart
The service should now bind to port 9071; confirm with ss:
$ ss -tunelp | grep 9071
To access the admin console over a proxy, use https://proxy-01.domain.com:9071/ (or https://mail.domain.com:9071/ once keepalived holds the VIP). Port 9071 should never be reachable from the internet; the firewall rules in the last step restrict it to administrator addresses.
Step 10: Configure the Zimbra Logger Service
As mentioned earlier, the logger service runs on mailbox server 1 (mx-01.domain.com). The other servers send their Zimbra logs to it over syslog (UDP port 514), so rsyslog on mx-01 has to listen for them. Uncomment the following lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Older Zimbra guides also add SYSLOGD_OPTIONS="-r -m 0"; that is a flag for the legacy sysklogd, is not a valid option for the rsyslog shipped with CentOS 7 (the imudp module above replaces it), and certainly does not belong inside rsyslog.conf. Leave it out.
Then run Zimbra's syslog setup as root, restart rsyslog, and initialise the logger as the zimbra user:
$ sudo /opt/zimbra/libexec/zmfixperms -e -v
$ sudo /opt/zimbra/libexec/zmsyslogsetup
updateSyslog: Updating /etc/rsyslog.conf...done.
$ sudo systemctl restart rsyslog.service
$ sudo su - zimbra
$ /opt/zimbra/libexec/zmloggerinit
Stopping logswatch...done.
Starting logswatch...done.
$ /opt/zimbra/bin/zmupdateauthkeys
The messages arriving on 514/udp are unauthenticated plain text, so restrict that port on mx-01 to the addresses of the Zimbra servers (firewalld rich rules, as in the last step); anyone else who can reach it can inject log lines.
Verify zimbraLogHostname (it is a global setting, so this can be run on any server; it should name the logger host):
$ sudo su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx-01.domain.com
If it is different, point it at the logger host:
$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>
Then configure every other Zimbra server to forward its logs to the logger host (run on each server):
$ sudo /opt/zimbra/libexec/zmfixperms -e -v
$ sudo su - zimbra -c "/opt/zimbra/bin/zmupdateauthkeys"
$ sudo /opt/zimbra/libexec/zmsyslogsetup
$ sudo systemctl restart rsyslog
$ sudo su - zimbra -c "zmcontrol restart"
Step 11: Configure Zimbra Proxy HA with Keepalived
Since we have two Zimbra proxy servers, we need HA for the proxy service. My setup for the proxy is:
- 2 Proxy servers – proxy-01.domain.com & proxy-02.domain.com
- Both are reached through mail.domain.com
In a nutshell, this is how it works:
- The proxy master holds the VIP
- The proxy master becomes unavailable (or its nginx stops passing the health check)
- The VIP moves to the backup server, which then handles the service
I will configure proxy-01 as master and proxy-02 as backup. Keepalived only moves the address; nginx on the backup must already be running and healthy, which is why both proxies are fully installed before this step.
Install keepalived on both servers:
sudo yum -y install keepalived
Configure Keepalived on Master Server (proxy-01)
$ sudo vim /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
script "killall -0 nginx" # check the zimbra nginx process
interval 2 # every 2 seconds
weight 2 # add 2 points if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state MASTER # MASTER on proxy-01, BACKUP on proxy-02
virtual_router_id 51
priority 101 # 101 on proxy-01, 100 on proxy-02
virtual_ipaddress {
192.168.1.23/24
}
track_script {
chk_zimbra_nginx
}
}
Configure Keepalived on Backup Server (proxy-02)
$ sudo vim /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
script "killall -0 nginx" # check the zimbra nginx process
interval 2 # every 2 seconds
weight 2 # add 2 points if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state BACKUP # MASTER on proxy-01, BACKUP on proxy-02
virtual_router_id 51
priority 100 # 101 on proxy-01, 100 on proxy-02
virtual_ipaddress {
192.168.1.23/24
}
track_script {
chk_zimbra_nginx
}
}
Firewall rules for VRRP (and, optionally, IP forwarding):
Keepalived needs its VRRP advertisements to pass the host firewall. IP forwarding is only required if you also use keepalived's LVS load balancing; for a plain VIP failover like this one it is harmless but not needed:
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Add firewall rules to allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112) on each network interface that Keepalived will control, for example:
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
sudo firewall-cmd --reload
Keep in mind that VRRP has no real authentication: any host on the same L2 segment can advertise a higher priority and take the VIP. Put the proxies on a network segment you control, or switch the instance to unicast (keepalived's unicast_src_ip / unicast_peer settings) so that protocol 112 can be restricted to the peer's address instead of the multicast group.
Enable and start the keepalived service on each server:
sudo systemctl enable keepalived
sudo systemctl start keepalived
If you change the Keepalived configuration, reload the keepalived service:
sudo systemctl reload keepalived
You can test keepalived by stopping nginx on the master and checking that the virtual IP moves to the backup server:
$ sudo killall nginx # on proxy-01; this stops the Zimbra proxy, bring it back afterwards with zmproxyctl start as the zimbra user
$ ip addr show eth0 # on proxy-02; 192.168.1.23 should now be listed on the interface
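A stricter health check and a single template for both proxies, as an added example that is not part of the original guide or of keepalived: a process check alone keeps the VIP on a master whose nginx is running but no longer accepting connections, so the script below also probes the HTTPS and IMAPS ports, and generating both keepalived.conf files from one function avoids the copy-and-paste drift between the master and backup files. It assumes eth0, the VIP 192.168.1.23/24 and VRID 51 from this guide, that nginx listens on 443 and 993 on the proxy itself, that nc comes from the nmap-ncat package installed in Step 2, and that the check script is installed root-owned as /usr/local/sbin/chk_zimbra_proxy.sh.

```sh
#!/bin/sh
# Added example, not part of the original guide or of keepalived: a health
# check that fails when Zimbra's nginx is alive but no longer answering, and a
# generator that produces keepalived.conf for either proxy from one template,
# so the two files cannot drift apart. Assumptions: interface eth0, VIP
# 192.168.1.23/24 and VRID 51 as in this guide; nginx answers on 443 and 993
# on the proxy itself; nmap-ncat (from the prerequisites) provides nc.

# write_check_script PATH: install the vrrp_script body. "killall -0 nginx"
# only proves a process exists; a wedged nginx would keep the VIP while
# clients time out, so the ports are probed as well.
write_check_script() {
    cat >"$1" <<'EOF'
#!/bin/sh
# keepalived health check for the Zimbra proxy: process present and ports answering
pgrep -x nginx >/dev/null 2>&1 || exit 1
for port in 443 993; do
    nc -z -w 2 127.0.0.1 "$port" >/dev/null 2>&1 || exit 1
done
exit 0
EOF
    chmod 0755 "$1"
}

# gen_keepalived_conf master|backup: print keepalived.conf for that node.
# Effective priority = priority + weight while the check passes: master
# 101+2=103, backup 100+2=102. A failed check on the master drops it to 101,
# below the healthy backup, so the VIP moves; when the check passes again
# the master is back at 103 and preempts the VIP.
gen_keepalived_conf() {
    case "$1" in
        master) state=MASTER; prio=101 ;;
        backup) state=BACKUP; prio=100 ;;
        *) echo "usage: gen_keepalived_conf master|backup" >&2; return 2 ;;
    esac
    cat <<EOF
vrrp_script chk_zimbra_proxy {
    script "/usr/local/sbin/chk_zimbra_proxy.sh"
    interval 2        # run every 2 seconds
    fall 2            # two consecutive failures before the node is marked down
    rise 2            # two consecutive successes before it counts as healthy
    weight 2          # add 2 to the priority while the check passes
}
vrrp_instance VI_1 {
    interface eth0
    state $state
    virtual_router_id 51
    priority $prio
    advert_int 1
    virtual_ipaddress {
        192.168.1.23/24
    }
    track_script {
        chk_zimbra_proxy
    }
}
EOF
}

# Example run (on proxy-01; use ROLE=backup on proxy-02):
#   write_check_script /usr/local/sbin/chk_zimbra_proxy.sh
#   gen_keepalived_conf master > /etc/keepalived/keepalived.conf
gen_keepalived_conf "${ROLE:-master}"
```

keepalived runs the check as root, so keep the script root-owned and writable by nobody else (recent keepalived versions refuse insecure scripts). Set ROLE=backup on proxy-02 to print that node's file, then reload keepalived on both.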
Step 12: Reset the admin password and access the Web UI
Reset the admin password (the admin account lives in the domain created during the LDAP installation, mail.domain.com in this guide):
$ sudo su - zimbra
$ zmprov sp admin@mail.domain.com 'strongpassword'
Access the Web UI through the proxy servers, or through the hostname that points to them (mail.domain.com). The admin console is on port 9071.
Open the client-facing services on the proxy servers. SMTP is not proxied by Zimbra's nginx, so smtp/smtps (and submission, 587/tcp) belong on the MTA servers, not here:
sudo firewall-cmd --add-service={http,https,imap,imaps,pop3,pop3s} --permanent
sudo firewall-cmd --reload
Do not open memcached (11211/tcp) or the admin console (9071/tcp) to the world. Memcached has no authentication and only needs to be reachable from the other Zimbra servers that query it; the admin console should be reachable only from administrator addresses. Both are expressed with firewalld rich rules (there is no need to name the destination address; the rule applies to this host):
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=source-ip-address/32 port port=9071 protocol=tcp accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=peer-ip-address/32 port port=11211 protocol=tcp accept'
sudo firewall-cmd --reload
Replace source-ip-address with the administrator's IP address (or a network with the matching prefix length) and peer-ip-address with the address of each Zimbra server that needs memcached; add one rule per address.
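The rules from this step and from the logger setup, generated from explicit host lists, as an added example that is not part of the original guide: one script for the proxy nodes (client services open, 9071 only from the administrator network, 11211 only from the servers that use memcached), the MTA nodes (SMTP, SMTPS and submission) and the logger host (514/udp only from the Zimbra servers). The addresses in it are constructed for illustration, and the list of memcached clients (the other proxy node and the mailbox servers) is an assumption about what queries it; adjust both to your environment. It prints the firewall-cmd commands by default and only executes them with APPLY=1.

```sh
#!/bin/sh
# Added example, not part of the original guide: firewalld rules for the proxy
# nodes, the MTA nodes and the logger host, built from explicit host lists so
# that memcached, the admin console and the syslog listener are never opened
# to the world. The addresses are constructed for illustration; replace them
# with yours. Commands are printed by default; APPLY=1 executes them (as root).

ADMIN_NETS="10.10.0.0/24"                                    # administrator workstations
MEMCACHED_CLIENTS="192.168.1.25 192.168.1.12 192.168.1.13"   # other proxy node + mailbox servers (seen from proxy-01; assumed)
ZIMBRA_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12 192.168.1.13 192.168.1.20 192.168.1.21 192.168.1.24 192.168.1.25"

# run CMD...: execute when APPLY=1, otherwise print a copy-pasteable command line
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; return; fi
    line=
    for arg in "$@"; do
        case $arg in *' '*) line="$line '$arg'" ;; *) line="$line $arg" ;; esac
    done
    printf '%s\n' "${line# }"
}

# rich_allow SRC PORT PROTO: allow SRC (address or CIDR) to reach PORT/PROTO on this host
rich_allow() {
    run firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$1 port port=$2 protocol=$3 accept"
}

# Proxy node: client services for everyone; 9071 only from ADMIN_NETS; 11211
# only from MEMCACHED_CLIENTS. No SMTP here: the proxy does not relay mail.
fw_proxy() {
    for svc in http https imap imaps pop3 pop3s; do
        run firewall-cmd --permanent --add-service="$svc"
    done
    for net in $ADMIN_NETS; do rich_allow "$net" 9071 tcp; done
    for host in $MEMCACHED_CLIENTS; do rich_allow "$host/32" 11211 tcp; done
    run firewall-cmd --reload
}

# MTA node: inbound mail, SMTPS and submission
fw_mta() {
    for svc in smtp smtps; do
        run firewall-cmd --permanent --add-service="$svc"
    done
    run firewall-cmd --permanent --add-port=587/tcp
    run firewall-cmd --reload
}

# Logger host (mx-01): rsyslog on 514/udp accepts unauthenticated plain text,
# so only the Zimbra servers may reach it.
fw_logger() {
    for host in $ZIMBRA_HOSTS; do rich_allow "$host/32" 514 udp; done
    run firewall-cmd --reload
}

case "${ROLE:-}" in
    proxy)  fw_proxy ;;
    mta)    fw_mta ;;
    logger) fw_logger ;;
    *) echo "usage: ROLE=proxy|mta|logger [APPLY=1] sh $0" >&2 ;;
esac
```

Printing first lets you compare the intended rule set with firewall-cmd --list-all before anything changes. The rich rules are additive, so an earlier --add-port=9071/tcp or --add-port=11211/tcp must be removed (firewall-cmd --permanent --remove-port=...) or it still exposes that service to everyone.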
You should now be ready to roll: log in to the admin console and continue configuring your Zimbra installation. Also, read our previous guide on Zimbra Firewall Configuration with ufw for Ubuntu and firewalld for CentOS.