Do you need support with Zimbra Multi-Server Installation on CentOS 7?
This guide will help you.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to configure Zimbra Email.
In this context, we shall look into the process to perform Zimbra Multi-Server Installation on CentOS 7.
Zimbra is the best open-source mail collaboration suite. Its only real matches are Exchange and other commercial email products.
Installation of single server Zimbra is a straightforward process. However, getting a multi-server setup is a bit of a process with many moving parts.
We need to perform it in the given order:
i. Install LDAP server(s) – Multi-Master Replication (MMR) or Replication
ii. Then Install Zimbra Mailbox Server(s)
iii. Install MTA Server(s)
iv. Finally, Install Proxy Server(s)
This setup will have the following servers:
a. LDAP Servers – with Multi-Master Replication (MMR)
b. Mailbox servers
c. MTA Servers
d. Proxy servers – with keepalived and VIP 2 each.
So the total number of servers for this setup is 7.
Hostnames use the following formats:
i. LDAP Servers – ldap01.domain.com & ldap02.domain.com
ii. Mailbox servers – mx01.domain.com & mx02.domain.com
iii. 2 MTA servers – mta01.domain.com & mta02.domain.com
iv. 2 Proxy servers – proxy01.domain.com & proxy02.domain.com. VIP on mail.domain.com
We replace domain.com with our active domain name or modify it to fit the environment.
Now we will cover how our Support Techs go about the Zimbra Multi-Server Installation on CentOS 7.
Step 1: Install CentOS 7 on all servers
The first step is to install CentOS 7 on all target servers and update packages to the latest release.
sudo yum -y update
Step 2: Install Zimbra Prerequisite packages and set hostnames
Install all packages required for Zimbra installation and set hostnames on all servers. To do this we run the command:
sudo yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients
Then we set hostnames using the command:
$ sudo hostnamectl set-hostname <hostname>
For example,
sudo hostnamectl set-hostname ldap01.domain.com
Step 3: Modify /etc/hosts with the hostname and IP address
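Now that we have the correct hostname set, edit the hosts file to add the IP address and hostname. We can use the echo command for this, piped through sudo tee, because with "sudo echo ... >> /etc/hosts" the redirection is done by the unprivileged shell and is denied:
echo "<IP Address> <Hostname>" | sudo tee -a /etc/hosts
For example,
echo "192.168.1.20 mta-01.domain.com" | sudo tee -a /etc/hosts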
We perform this on all servers.
Step 4: Download latest Zimbra release locally on all servers
We download Zimbra compressed package to each server and extract it to make it ready for the installation process. For this installation, let us use Zimbra 8.8.
wget https://files.zimbra.com/downloads/8.8.8_GA/zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
tar -xvf zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
We retain the full name of the file and directory since it helps later when doing an upgrade.
If we download the same version of Zimbra, we should have a directory named zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/.
Step 5: Install Zimbra LDAP Server 1 (ldap01.domain.com)
Let us start with the first installation of Zimbra on the LDAP server. For the other LDAP server, we will configure multi-master replication for it.
# cd zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/
Then we start the installation process:
# ./install.sh
Next, we fill in information like below:
Do you agree with the terms of the software license agreement ?
Use Zimbra’s package repository
Select the packages to install
Install zimbra-ldap
Install zimbra-logger
Install zimbra-mta
Install zimbra-dnscache
Install zimbra-snmp
Install zimbra-store
Install zimbra-apache
Install zimbra-spell
Install zimbra-memcached
Install zimbra-proxy
Install zimbra-chat
Install zimbra-drive
Checking required space for zimbra-core
Installing zimbra-core zimbra-ldap zimbra-snmp
The system will be modified. Continue
The download of packages should now start. The configs are as below:
Common configuration
Hostname: ldap01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
Store ephemeral attributes outside Ldap: no
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Ldap configuration
Status: Enabled
Create Domain: yes
Domain to create: mail.domain.com
Ldap root password: set
Ldap replication password: set
Ldap postfix password: set
Ldap amavis password: set
Ldap nginx password: set
Ldap bes-searcher password: set
Double-check the setting for Ldap master host, hostname, and domain to create. Once the settings are verified, press a to start the installation and configuration process.
***CONFIGURATION COMPLETE-press ’a’ to apply
Select from menu or press ’a’ to apply config (help):
Save configuration data to a file: Yes
Save config in file /opt/zimbra/config.31786
Saving config in /opt/zimbra/config.31786…done.
The system will be modified – continue: Yes
Once the installation is complete, pull password credentials that will be required for all the next steps:
ldap_amavis_password 4Y9WzugHAz
ldap_bes_searcher_password 4Y9WzugHAz
ldap_nginx_password 4Y9WzugHAz
ldap_postfix_password 4Y9WzugHAz
ldap_replication_password 4Y9WzugHAz
ldap_root_password 4Y9WzugHAz
zimbra_ldap_password 4Y9WzugHAz
Step 6: Enable LDAP MMR on ldap01 server
Since we set both LDAP servers to act as masters, we need to enable it on the master server.
We enable Multi-Master replication on an existing Single node master:
[root@ldap01 ~]$ su - zimbra
[zimbra@ldap01 ~]$ ./libexec/zmldapenable-mmr -s 1 -m ldap://ldap-02.domain.com:389/
[zimbra@ldap-01 ~]$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap-02.domain.com:389/
[zimbra@ldap-01 ~]$ /opt/zimbra/libexec/zmldapmmrtool -q
Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical
Master replication agreement: 2
rid: 101 URI: ldap://ldap-02.domain.com:389/ TLS: critical
[zimbra@ldap-01 ~]$
On Ldap Server 2, install Zimbra like the first one, but its configuration should look like below:
Common configuration
Hostname: ldap-02.domain.com
Ldap master host: ldap-01.domain.com
Ldap port: 389
Ldap Admin password: set
Store ephemeral attributes outside Ldap: no
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Ldap configuration
Status: Enabled
Create Domain: yes
Domain to create: mail.domain.com
Ldap replication type: mmr
Ldap Server ID: 2
Ldap root password: set
Ldap replication password: set
Ldap postfix password: set
Ldap amavis password: set
Ldap nginx password: set
Ldap Bes Searcher password: set
Then we should configure the following:
Ldap Admin password
Ldap replication password
Ldap replication type: mmr
All other passwords
Step 7: Install Zimbra Mailbox Server(s)
Firstly, we install two mailbox servers
sudo ./install.sh
The packages to install are:
Do you agree with the terms of the software license agreement ? [N ] y
Use Zimbra’s package repository [Y ] y
Select the packages to install
Install zimbra-ldap [Y ] n
Install zimbra-logger [Y ] y
Install zimbra-mta [Y ] n
Install zimbra-dnscache [N ] n
Install zimbra-snmp [Y ] y
Install zimbra-store [Y ] y
Install zimbra-apache [Y ] y
Install zimbra-spell [Y ] y
Install zimbra-memcached [Y ] n
Install zimbra-proxy [Y ] n
Install zimbra-chat [N ] n
Install zimbra-drive [N ] n
Install zimbra-imapd (BETA – for evaluation only) [N ] n
Checking required space for zimbra-core
Installing :
zimbra-core
zimbra-logger
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-convertd
zimbra-archiving
zimbra-drive
The system will be modified. Continue ? [N ] Y
We should only install the logger on one server. We can install logger on mx-01. Configs look like below:
Common configuration
Hostname: mx01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Under Common configuration, we set:
Hostname: mx01.domain.com
Ldap master host: ldap01.domain.com
Ldap Admin password:
Similarly, under zimbra-store, we make sure the following items are configured:
Admin Password:
SMTP host:
Configure for use with mail proxy: TRUE
Configure for use with web proxy: TRUE
Install UI (zimbra,zimbraAdmin webapps): yes
Install mailstore (service webapp): yes
Then we modify the settings that are necessary and start the installation process. For the other Mailbox server, we repeat the same steps but do not install the logger. It will run on mx-01.
Step 8: Install Zimbra MTA Server(s)
Our next phase is the installation of MTA servers. The package selection should be as below:
Select the packages to install
Install zimbra-ldap [Y ] n
Install zimbra-logger [Y ] n
Install zimbra-mta [Y ] y
Install zimbra-dnscache [Y ] y
Install zimbra-snmp [Y ] y
Install zimbra-store [Y ] n
Install zimbra-apache [Y ] n
Install zimbra-spell [Y ] n
Install zimbra-memcached [Y ] n
Install zimbra-proxy [Y ] n
Install zimbra-chat [N ] n
Install zimbra-drive [N ] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-mta
zimbra-snmp
zimbra-dnscache
The system will be modified. Continue ? [N ] y
On the configurations window, make sure to set the following:
Under 1) Common Configuration, set:
Hostname:
Ldap master host:
Ldap Admin password:
Hostname: mta01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Under 2) zimbra-mta, set:
Bind password for postfix ldap user:
Bind password for amavis ldap user:
Mta configuration
Status: Enabled
Enable Spamassassin: yes
Enable Clam AV: yes
Enable OpenDKIM: yes
Notification address for AV alerts: admin@mta01.domain.com
Bind password for postfix ldap user: set
Bind password for amavis ldap user: set
Under zimbra-dnscache, configure master DNS IP addresses separated by space:
DNS Cache configuration
1) Status: Enabled
2) Master DNS IP address(es): 8.8.4.4 1.1.1.1 8.8.8.8
3) Enable DNS lookups over TCP: yes
4) Enable DNS lookups over UDP: yes
5) Only allow TCP to communicate with Master DNS: no
Once done, save the settings and type a to begin Zimbra MTA setup.
Step 9: Install Zimbra Proxy Server(s)
For installation of Zimbra Proxy server(s), we select the following packages during installation:
Select the packages to install
Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] n
Install zimbra-dnscache [N] n
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] y
Install zimbra-proxy [Y] y
Install zimbra-chat [N] n
Install zimbra-drive [N] n
Checking required space for zimbra-core
Installing:
zimbra-core
zimbra-snmp
zimbra-memcached
zimbra-proxy
The system will be modified. Continue? [N] y
Then we fill in all the required information:
Common configuration
Hostname: proxy01.domain.com
Ldap master host: ldap01.domain.com
Ldap port: 389
Ldap Admin password: set
LDAP Base DN: cn=zimbra
Store ephemeral attributes outside Ldap: yes
Value for zimbraEphemeralBackendURL: ldap://default
Secure interprocess communications: yes
TimeZone: UTC
IP Mode: ipv4
Default SSL digest: sha256
Proxy configuration
Status: Enabled
Enable POP/IMAP Proxy: TRUE
Enable strict server name enforcement? TRUE
IMAP server port: 7143
IMAP server SSL port: 7993
IMAP proxy port: 143
IMAP SSL proxy port: 993
POP server port: 7110
POP server SSL port: 7995
POP proxy port: 110
POP SSL proxy port: 995
Bind password for nginx ldap user: set
Enable HTTP[S] Proxy: TRUE
Web server HTTP port: 8080
Web server HTTPS port: 8443
HTTP proxy port: 80
HTTPS proxy port: 443
Proxy server mode: redirect
For Proxy Server mode, we choose http, https, both, redirect, or mixed depending on requirements. In this case, we can use a redirect.
Once we install all Zimbra proxy servers, we enable proxy console on port 9071:
$ su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`
This will enable admin console proxy port 9071 on the proxy server.
Make sure to configure the mailbox server’s admin console on port 7071 (default).
Then we restart the proxy service after making the changes:
$ zmproxyctl restart
The service should bind to port 9071. We confirm this with the ss command:
$ ss -tunelp | grep 9071
To access the admin console over a proxy, the URL should be https://proxy-0x.domain.com:9071/
Step 10: Configure Zimbra Logger Service
As mentioned earlier, our logger service will run on mailbox server 1 (mx01.domain.com). For this, we need to first install and configure rsyslog service on this server.
Uncomment the following lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Similarly, we add this line after $UDPServerRun 514:
SYSLOGD_options="-r -m 0"
Then we set up Zimbra syslog and restart rsyslog service:
$ /opt/zimbra/libexec/zmfixperms -e -v
$ /opt/zimbra/libexec/zmsyslogsetup
updateSyslog: Updating /etc/rsyslog.conf…done.
$ systemctl restart rsyslog.service
$ su - zimbra
$ /opt/zimbra/libexec/zmloggerinit
Stopping logswatch…done.
Starting logswatch…done.
$ /opt/zimbra/bin/zmupdateauthkeys
We verify the LogHostname using the commands below:
$ sudo su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx01.domain.com
If it is different, we change it to the logger monitor host using the command below:
$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>
Then we configure each Zimbra server to log to the newly set logger server.
$ sudo /opt/zimbra/libexec/zmfixperms -e -v
$ sudo su - zimbra
/opt/zimbra/bin/zmupdateauthkeys ; exit
$ /opt/zimbra/libexec/zmsyslogsetup
$ sudo systemctl restart rsyslog
$ sudo su - zimbra -c "zmcontrol restart"
Step 11: Configure Zimbra Proxy HA with Keepalived
Since we have two Zimbra proxy servers, we need to ensure that we have HA for the proxy server.
The setup for the proxy is:
2 Proxy servers – proxy01.domain.com & proxy02.domain.com
Both will serve using mail.domain.com
In a nutshell, this is how it works:
The Proxy Master has the VIP
The Proxy Master becomes unavailable
The VIP passes to the Backup server, which then handles the service
We configure proxy01 as master and proxy02 as a Backup Server.
Initially, we install Keepalived on both servers:
sudo yum -y install keepalived
Then we configure Keepalived on Master Server (proxy01):
$ cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
script "killall -0 nginx" # check the zimbra nginx process
interval 2 # every 2 seconds
weight 2 # add 2 points if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state MASTER # MASTER on proxy-01, BACKUP on proxy-02
virtual_router_id 51
priority 101 # 101 on proxy-01, 100 on proxy-02
virtual_ipaddress {
192.168.1.23/24
}
track_script {
chk_zimbra_nginx
}
}
Next, we configure Keepalived on Backup Server (proxy02):
$ cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
script "killall -0 nginx" # check the zimbra nginx process
interval 2 # every 2 seconds
weight 2 # add 2 points if OK
}
vrrp_instance VI_1 {
interface eth0 # interface to monitor
state BACKUP # MASTER on proxy-01, BACKUP on proxy-02
virtual_router_id 51
priority 100 # 101 on proxy-01, 100 on proxy-02
virtual_ipaddress {
192.168.1.23/24
}
track_script {
chk_zimbra_nginx
}
}
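How the priority and weight values in the two keepalived.conf files above decide which proxy holds the VIP, as an added example that is not part of the original guide. The config excerpts are constructed from the values shown above, and the function names are hypothetical; the model assumes the positive-weight behaviour noted in the config comments (weight added while the check succeeds).

```shell
#!/bin/sh
# Constructed excerpts: only the settings that drive the election,
# copied from the two keepalived.conf files in this guide.
conf_proxy01='vrrp_script chk_zimbra_nginx {
    weight 2
}
vrrp_instance VI_1 {
    state MASTER
    priority 101
}'
conf_proxy02='vrrp_script chk_zimbra_nginx {
    weight 2
}
vrrp_instance VI_1 {
    state BACKUP
    priority 100
}'

# get_setting CONF KEY -> value of the first "KEY value" line in CONF
get_setting() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# effective_priority CONF NGINX_UP -> base priority, plus the track_script
# weight only while "killall -0 nginx" succeeds (NGINX_UP=1).
effective_priority() {
    base=$(get_setting "$1" priority)
    weight=$(get_setting "$1" weight)
    if [ "$2" -eq 1 ]; then echo $((base + weight)); else echo "$base"; fi
}

# vip_holder UP01 UP02 -> node with the higher effective priority.
# With these values the two priorities are never equal, so no tie-break.
vip_holder() {
    p1=$(effective_priority "$conf_proxy01" "$1")
    p2=$(effective_priority "$conf_proxy02" "$2")
    if [ "$p1" -gt "$p2" ]; then echo proxy01; else echo proxy02; fi
}

# failover_margin -> healthy backup minus failed master. It must be > 0,
# so the weight has to exceed the gap between the two base priorities.
failover_margin() {
    echo $(( $(effective_priority "$conf_proxy02" 1) - $(effective_priority "$conf_proxy01" 0) ))
}

# Walk through every nginx health combination (1 = running, 0 = stopped).
for s in "1 1" "0 1" "1 0" "0 0"; do
    set -- $s
    echo "nginx proxy01=$1 proxy02=$2 -> VIP on $(vip_holder "$1" "$2")"
done
```

With nginx stopped on both proxies the VIP stays on proxy01, so the track script only protects against a single-node failure.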
Enable IP forwarding and configure firewalld:
Keepalived requires IP forwarding configured and some firewall rules added for VRRP packets to come through.
To do this, we first enable IP forwarding:
$ echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
$ sysctl -p
net.ipv4.ip_forward = 1
Then we add firewall rules on each network interface that Keepalived will control. These rules allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112).
For example:
$ firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
--in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
$ firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
--out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
$ firewall-cmd --reload
We enable and start the keepalived service on each server:
sudo systemctl enable keepalived
sudo systemctl start keepalived
If we change the Keepalived configuration, we need to reload it:
sudo systemctl reload keepalived
We kill the Nginx process on the master server and check whether the Virtual IP switches to the backup server:
$ killall nginx
$ ip addr # run on the Backup server to check the IP address configuration
Step 12: Reset admin password and Access Web UI
Initially, we reset the admin password:
$ su - zimbra
$ zmprov sp admin@domain.com strongpassword
We access Web UI through direct access to proxy servers or hostname. Admin dashboard is accessible from port 9071.
Then we configure firewall rules for proxy servers using:
firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
firewall-cmd --add-port=11211/tcp --permanent
firewall-cmd --add-port=9071/tcp --permanent
firewall-cmd --reload
To restrict access to the admin interface to a specific IP address, we use firewalld rich rules instead:
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=source-ip-address/32 \
destination address=dest-ip-address/32 port port=9071 protocol=tcp accept"
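A way to check a proxy for the difference between the open-port commands and the rich-rule form, as an added example that is not part of the original guide. The zone listing and the admin source 192.168.1.50/32 are constructed, the function names are hypothetical, and treating 11211/tcp (memcached) as a port to restrict alongside 9071/tcp is an assumption of this example. The script only prints commands and runs none.

```shell
#!/bin/sh
# Ports that should not accept arbitrary sources (assumption of this example).
SENSITIVE_PORTS="9071/tcp 11211/tcp"

# Constructed, abbreviated `firewall-cmd --list-all` output as it would look
# after the four open-port commands in this step.
sample_zone='public (active)
  interfaces: eth0
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 11211/tcp 9071/tcp
  rich rules:'

# open_sensitive_ports ZONE_TEXT -> sensitive ports found on the "ports:"
# line, meaning they are accepted from any source address.
open_sensitive_ports() {
    printf '%s\n' "$1" | awk -v want="$SENSITIVE_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) s[w[i]] = 1 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++)
                if ($i in s) out = out (out ? " " : "") $i
        }
        END { print out }'
}

# restrict_cmds PORT/PROTO SOURCE... -> commands that drop the open port and
# re-admit it per source with a rich rule. Printed only, never executed.
restrict_cmds() {
    pp=$1; shift
    [ $# -ge 1 ] || { echo "no source given for $pp" >&2; return 1; }
    port=${pp%/*}; proto=${pp#*/}
    for src in "$@"; do
        case $src in
            0.0.0.0/*|*[!0-9./]*|"")
                echo "refusing source '$src'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "firewall-cmd --permanent --remove-port=$pp"
    for src in "$@"; do
        printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$src\" port port=\"$port\" protocol=\"$proto\" accept'"
    done
    printf '%s\n' "firewall-cmd --reload"
}

echo "open to any source: $(open_sensitive_ports "$sample_zone")"
restrict_cmds 9071/tcp 192.168.1.50/32   # constructed admin workstation
```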
Now it is ready to roll. Reset the admin password, and log in to the Admin dashboard. Start making changes and do further configurations to Zimbra installation.
This article will help you to go about Installing a single server in Zimbra by following some steps.