zextras_community_logo

  • Zextras Suite & Zimbra OSE
  • Admin Guide

How To Change IP Address of Zimbra Server | Zimbra

We often need to change the IP address of the Zimbra server. In this guide, we will show you the precise way to change the IP address of your Zimbra server.

Let’s imagine, in your Multiverse Of Madness you are dealing with multiple issues as mentioned below:

In Earth-616, you are going to change your existing service provider. Therefore, the existing IP addresses of your network infrastructure need to be changed including your Zimbra server.

In Earth-1610, you have suffered severe spamming incidents from your server. For that, your server IP address’s reputation is damaged beyond repair. Also, the IP address is listed in several known/unknown BL databases (black listing) and you are unable to delist them by yourself. Your email communication with the remote end is critically hampered. In this situation, you want to change the IP address of your Zimbra server.

In Earth-10005, you are migrating your server from one hardware to another hardware. After the migration, you need to change the IP address of your new server as per the old IP information.

There can be some other exceptional situations when you may need to change the IP address of your Zimbra server.

Follow this article and change the IP address in a convenient way.

Change the IP Address Of Your Server

Before modifying Zimbra, change the IP address of your server.

Change The Hosts Configuration

Modify your /etc/hosts file configuration with the new IP information.

Modify Zimbra MTA Mynetworks

Check your existing Zimbra MTA mynetworks setup.

Here we can see the old IP was from 192.168.2.0/24 IP network. Change the old IP with the new IP.

Recommendation: Make sure that the localhost “127.0.0.0/8” network is included. Never allow a full network address/IP block in your mynetworks settings. Only allow the specific IP address of your server or any other server.

Change the Zimbra MTA mynetworks

Check if Zimbra LDAP needs any modification:

It is all set

All is set now. Restart your Zimbra services and check the settings you modified earlier.

Your email service should be okay now.

Remember to change your old IP address from all relevant DNS records and relay hosts or else you may face a mail send/receive problem in spite of a fully functional Zimbra server.

That’s it for today.

:slight_smile:

Post your comment Cancel reply

You must be logged in to post a comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed .

Stack Exchange Network

Stack Exchange network consists of 183 Q&A communities including Stack Overflow , the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

How to change ip address used by Zimbra zcs 8.6

For postfix I can change the binded ip by changing parameter like

smtp_bind_address = 192.168.146.197 in main.cf

How to change the ip address binded by zimbra(server have multi ip's) ?

  • email-server

sherpaurgen's user avatar

  • 1 blogs.reliablepenguin.com/2008/03/29/… –  Lenniey Jun 19, 2017 at 7:32

3 Answers 3

You can do the same process editing the /opt/zimbra/postfix/conf/main.cf (like root).

So restart postfix with zimbra user

postfix reload

and must work like you need.

Carlos Mario Mora Restrepo's user avatar

For Zimbra 8.7:

  • Open /opt/zimbra/common/conf/main.cf.default file for editing with your favorite editor (e.g. vi).
  • add smtp_bind_address = 192.168.146.197
  • su - zimbra
  • zmmtactl restart

Micha Kersloot's user avatar

Adding the last action is to change your old IP address from all relevant DNS records and relay hosts or else you may face a mail send/receive problem in spite of a fully functional Zimbra server.

If you have upgraded to the latest version of Zimbra and still facing the issue with Changing IP addresses, here is the link you should follow for the step-by-step instructions.

https://community.zextras.com/how-to-change-ip-address-of-zimbra-server/

Mehul Patel's user avatar

You must log in to answer this question.

Not the answer you're looking for browse other questions tagged linux email-server zimbra ..

  • The Overflow Blog
  • Would you trust an AI bot to find the fix for vulnerabilities in your code?
  • Featured on Meta
  • Site maintenance - Saturday, February 24th, 2024, 14:00 - 22:00 UTC (9 AM - 5...
  • Upcoming privacy updates: removal of the Activity data section and Google...

Hot Network Questions

  • Hiding public IP address while using free DynDns?
  • Why is the key typically the first and/or last note (or chord) of a song?
  • Does travel to Iran affect travel to Canada using eTA?
  • Light emitting transistors on chip to reduce heat
  • Undecidability of minimal PDAs and TM machines
  • Applications of High School Geometry
  • Why CAS is greater at lower air speeds (IAS)?
  • What spares were taken on Apollo missions, and what was left behind? The question of gloves
  • Works of scientists, philosophers and mathematicians that (re)surfaced after a long time
  • If I don't log in the desktop environments, does the desktop enviroment still cost RAM?
  • Using MapThread with pure function and variable number of elements
  • A bug with high precision
  • A simple unit test library for C
  • Lots of electrical noise at boost converter output
  • Markets in Germany with a large selection of seafood
  • Center uppercase chapter title of more than one line with titlesec
  • ogr2ogr: Unable to import shapefile with '-lco RFC7946=YES' parameter to the PostGIS db
  • Paintless (raw) aluminium enclosures connected to Earth: Bad practice?
  • Anna and Boris play the Red Blue game
  • Is it bad practice to cite online news articles in solely because it's not a "reputable" source (i.e journal articles or even books)?
  • Is it possible for truth to be set by humans?
  • How can Australia can be a member of the Antarctic Treaty while still making a territorial claim in the region?
  • Can a subshell create a subprocess?
  • Short story about Jesus being actually an alien that got stranded on Earth

change ip zimbra

.css-363zvk{color:var(--theme-ui-colors-primary);-webkit-text-decoration:underline;text-decoration:underline;font-weight:500;} Watch Short Video

How To Change IP Address on a Zimbra Ser...

How To Change IP Address on a Zimbra Server

How To Change IP Address on a Zimbra Server

NetShop ISP

NetShop ISP · Blog Author

There are a few reasons why someone would need to change the IP address of server. It might be that your server is under attack, you are migrating from your existing provider or the current IP address got blacklisted, you will need to follow certain steps to change the IP on your server.

Whilst changing the IP address on a linux server is straight forward, when it comes to a Zimbra server there are a few more steps to be done. In this article we will show the steps and commands you need to perform on your server so that Zimbra can continue working with the new IP address.

Pre-requisities

  • Root access or sudo-privileges access on server
  • Ability to switch as the ‘zimbra’ user

Steps to Change IP address on Zimbra Server

Assuming you have already changed the IP address on your server via NetworkManager or the configuration file directly, let’s take a look at the next steps to change your Zimbra server’s IP address.

1. Change the Hosts File

Using your favorite editor, edit the file /etc/hosts and replace your old IP with the new one as follows:

Sample output of /etc/hosts files:

2. Modify Zimbra MTA Mynetworks

First check your current IP addresses included in the MyNetworks MTA using the following commands:

Switch to zimbra user:

Then run the following command:

Sample Output:

You can see the current/old IP address which is “45.142.201.251”. Change it to the newly assigned IP address of your server (e.g. 45.142.201.1) using the following command:

Then reload postfix for the new configuration to be applied.

You are all set! The last step remaining is to restart Zimbra services using the following command:

Get Secure and Private E-mail Service powered by Zimbra

At NetShop ISP you can order a Zimbra-based email hosting service which allows you to use a domain name of your choice, create mailboxes and use it on any device.

Browse Email hosting plans: https://netshop-isp.com.cy/addons/zimbra-email-hosting/

Alternatively, you may opt for your own, dedicated Zimbra installation using a VPS or Dedicated Server .

Free VPS Trial

No Credit Card Required.

Recent Posts

How to Install Nginx, MariaDB, PHP-FPM on AlmaLinux 9 Server (LEMP)

How to Install Nginx, MariaDB, PHP-FPM on AlmaLinux 9 Server (LEMP)

16 February, 2024

How To Reset Forgotten MySQL 5.7 Root Pass in Linux

How To Reset Forgotten MySQL 5.7 Root Pass in Linux

09 February, 2024

4 Things Web Developers Should Know about Virtual and Dedicated Server Hosting

4 Things Web Developers Should Know about Virtual and Dedicated Server Hosting

05 February, 2024

How to Install Docker Compose on Debian 12 Server

How to Install Docker Compose on Debian 12 Server

22 January, 2024

What Shall FX Brokers Consider When Choosing a Hosting Provider

What Shall FX Brokers Consider When Choosing a Hosting Provider

16 January, 2024

Zimbra Collaboration Administrator Guide

Third-party components, support and contact information, component deprecation statements, architectural overview, core email, calendar and collaboration functionality, zimbra components, zimbra application packages, mail flow — multi-server configuration, zimbra system directory tree, zimbra web apps, web services and desktop clients, offline mode, identity and access management, information security and privacy, system logs, license types, zimbra license requirements, license usage by account type, automatic license activation, manual license activation, when licenses are not installed or activated, obtain a license, license information, license expiration, updating your license, license reconciliation and data collection notice, message store, index store, mailstore services, user interface services, backing up the mailbox server, mailbox server logs, common imap configuration settings, ldap traffic flow, ldap directory hierarchy, zimbra collaboration objects, internal authentication mechanism, external ldap and external ad authentication mechanism, custom authentication, kerberos5 authentication mechanism, gal attributes in zimbra collaboration, zimbra collaboration gal search parameters, modifying attributes, flush the cache for themes and locales, flush accounts, groups, cos, domains, and servers, flush global attributes, incoming mail routing overview, postfix configuration files, smtp restrictions, sending non local mail to a different server, anti-virus protection, anti-spam protection, message queues, modifying the message, benefits of using zimbra proxy, zimbra proxy components, proxy architecture and flow, changing the zimbra proxy configuration, zimbra proxy ports, strict server name enforcement, setting up imap and pop proxy after http proxy installation, setting up http proxy, setting proxy trusted ip addresses, configuring zimbra proxy for kerberos authentication, administrator accounts, modifying administrator passwords, customizing the login and logout pages, managing tasks, home navigation pane, configure ui, global settings ui, tools and migration ui, setting up a simple search, help center ui, tools in collaborator tables, closing a message of the day, creating message(s) of the day, removing message(s) of the day, gui roadmap, popup menu options, global configuration, general information configuration, setting up email attachment rules, blocking email attachments by file type, global imap and pop configuration, domain general information configuration, global address list (gal) mode configuration, using gal sync accounts for faster access to gal, authentication modes, virtual hosts, setting account limits, renaming a domain, adding a domain alias, enabling support for domain disclaimers, disabling disclaimers for intra-domain emails, disabling the disclaimer feature, zimlets on the domain, general server settings, change mta server settings, setting up ip address binding, managing ssl certificates for zimbra, installing certificates, viewing installed certificates, maintaining valid certificates, install a ssl certificate for a domain, configure zimbra collaboration for dkim signing, update dkim data for a domain, remove dkim signing from zimbra, retrieve dkim data for a domain, anti-spam training filters, disabling the spam training mailboxes, manually training spam filters, protect alias domains from backscatter spam, disabling postfix policy daemon, adding rbls with the cli, setting global rule for messages marked as both spam and whitelist, anti-virus settings, exchange setup requirements, configuring free/busy on zimbra collaboration, zimbra collaboration to zimbra collaboration free/busy interoperability, setting up for using the s/mime feature using the client based solution, setting up for using the s/mime feature using the server based solution, configuring email lifetime rules, purging email messages, configuring message retention and deletion policies, global retention policy, cos retention policy, managing the dumpster, configure legal hold on an account, deploying new administration console ui modules, removing an admin extension module, configuring a running zimbra collaboration to use ssdb, migration procedure, migration info, changing the ephemeral backend url, forwarding ephemeral data, advanced migration options, migration limitations, changes to zmprov, migration csv output, account deletion behavior, installation, high-availability with master-slave replication, high-availability with master-master replication, horizontal scaling via multi-master configuration, required packages, prerequisites, configuration, ldap attributes, invalidate all user sessions, minimum recommended ssdb configuration, managing features and settings with a cos, disabling preferences, setting default time zone, using server pools, viewing account quotas, setting quotas in domains, managing excess quota, directing users to your change password page, configuring a password policy, block common passwords, about 2 factor authentication, managing session timeout policies, managing default external cos, email messaging features, contacts features, troubleshooting calendar appointment problems, changing remote calendar update interval, disabling attendee edits to appointments, setting other user calendar preferences, setting up zimbra tasks, zimbra classic web app user interface themes, 2fa for new user account, 2fa for existing user account, 2fa for class of service, enable sharing, configure sms notification, configure attachment viewing, display a warning when users try to navigate away, enabling the check box for the web client, preferences import/export, adding words to spell dictionary, what is a hab, using hierarchical address book, seniority index, create an organizational unit (ou), create groups within this ou, create hierarchy, get zimbra id, add users to groups, set sort order, specify the root organization for the hab, did it work, list organisational units (ous), rename organisational units (ous), creating a single user accounts, migrating accounts from a zimbra server, migrating accounts from generic imap servers, migrating accounts using an xml file, importing email for selected accounts, xml file examples, auto-provisioning attributes, placeholders, eager mode configuration, lazy mode configuration, manual mode configuration, set up the scheduling policy, status of user accounts, deleting an account, viewing an accounts mailbox, using an email alias, setting subscription policies for distribution lists, management options for owners of distribution lists, creating a distribution list, managing access to distribution lists, create dynamic distribution lists, global configuration options for moving mailboxes, enabling server statistics, reviewing server status, enabling or disabling server services, viewing server performance statistics, configuring logger mail reports, configuring disk space notifications, monitoring servers, identifying false positives, customizing dosfilter configuration, tuning considerations for zimbra collaboration 8.0.3 and later, change the bounce queue lifetime, notifying senders of bounced messages, viewing mail queues, flushing message queues, viewing quota, increase or decrease quota, viewing mobilesync statistics, monitoring authentication failures, using log4j to configure logging, logging levels, protocol trace, reviewing mailbox.log records, reading a message header, checking for index corruption, repairing and reindexing a corrupt index, snmp monitoring tools, snmp configuration, errors generating snmp traps, checking mariadb, checking for zimbra collaboration software updates, updating zimbra connector for microsoft outlook, service status change notification, duplicate mysqld processes running notification, ssl certificates expiration notification, daily report notification, database integrity check notification, backup completion notification, how archiving works, how discovery works, installing zimbra-archiving in a single-server environment, installing zimbra-archiving in a multi-server environment, enable archiving, creating a dedicated archive cos, setting up an archive account name, set up archiving for a users mailbox, creating an archive mailbox and assigning a cos, creating an archive mailbox with no cos or password, enabling archive forwarding to a third-party archiving server, cross mailbox search from the administration console, setting up legal intercept, setting up legal intercept to forward the message header, modifying the intercept cover email message, creating a mailbox snapshot zip file, customizing base theme colors, replacing the classic web app logo, using the admin console to modify theme colors and logo, using the cli to change theme colors and logo, what can be customized, what cannot be customized, creating an empty bundle, customize logos, customizable segments, customize text & links, customize colors & sizes, customizing the pwa, customizing the login page, deployment instructions, advantages of using unified storage, limitations of using unified storage, how to setup unified storage, index volume, message volume, types of volumes, how to assign a volume as a secondary volume, adding a new storage volume to the servers, storage management policies, manage global s3 configurations using zms3config cli, managing internal and external volumes using zmvolume cli, manage scheduling of the policies using zmschedulesmpolicy cli, manage sm session using the zmhsm cli, manage storage management policies, basic integration, http storage, content based storage, resumable upload (octopus only), examples to set the protocol versions:, setting up mobile policies in zimbra, mobile device security policies attributes, mobile device management allow/block rules (abq), quarantined notification, registered devices, supporting autodiscover, set up mobile synchronization for user accounts, change mobile device password policy, user’s mobile device self-care features, backup method overview, auto-grouped backup method, standard backup, directory structure for backup files, configure backup/restore from the admin console, recommendations for working with storage volumes, message recovery settings, backup and restore using the command line interface, scheduling a standard backup, full backup process, incremental backup process, finding a specific backups, aborting a full backup in progress, configuring auto-grouped backup from the cli, schedule auto-group backups, backup up content options, backup the mariadb database, managing disk space for backups, restore process, stop a restore process, restore mailboxes when mail server is down, restore individual accounts on a live system, exclude items from a restore, restore the ldap server, preparation, crash recovery server startup, restore zimbra collaboration, install zimbra on a new server, restoring from different failure scenarios, change local configuration files after restoring zimbra, using snapshots to backup and restore, ephemeral storage ssdb backend, backups with ldap backend, purpose of the migration, usage examples.

Pre-requisites

Sequence of Migration

Target types for granting administrative rights, system-defined rights, attribute right, using the rights list, administrator groups and administrators, configure grants on administrator accounts or admin groups, grant acls to a target, temporarily revoke delegated admin rights, view rights granted to administrators, domain administrator, reset passwords, edit contact info, domain administration group, distribution list administration group, manage multiple domains, manage distribution lists, change passwords, view mail access right, manage class of service assigned to users, manage cross mailbox search, manage zimlets, manage resources, access to the saved searches, access to the server status pages, chat & video cloud permissions, free 1 to 1 chat, default zimlets in classic web app, deploying custom zimlets, enable, disable, or make zimlets mandatory, undeploying a zimlet, adding proxy-allowed domains to a zimlet, upgrading a zimlet, deploying zimlets, adding proxy allowed domains to a zimlet, deploying a zimlet and granting access to a cos, viewing installed zimlets, changing zimlet configurations, using the zimbra gallery, developing customized zimlets, default zimlets in modern web app, client examples, setting up dropbox, setting up google drive, setting up onedrive, setting up slack, setting up zoom, setting up nextcloud, setting up separate jitsi server for the organization, setting up signature template, syntax conventions, location of command-line utilities, using non-ascii characters in clis, zmprov (provisioning), zmarchiveconfig, zmarchivectl, zmarchivesearch, zmschedulebackup, zmbackupabort, zmbackupquery, zmrestoreoffline (offline restore), zmrestoreldap, zmcontrol (start/stop/restart service), zmmboxsearch (cross mailbox search), zmmboxmovequery, zmpurgeoldmbox, zmldappasswd, zmlocalconfig, zmproxyconfgen, zmproxypurge, zmskindeploy, zmstat-chart, zmstat-chart-config, zmzimletctl, zmproxyconfig, zmsyncreverseproxy, configuration process, create the kerberos keytab file, configure zimbra, configure your browser, test your setup, troubleshooting setup, configure kerberos auth with spnego auth, setting up single sign-on options for zco, how to read the crontab, scheduled jobs, jobs for crontab.store, jobs for crontab.logger, jobs for crontab.mta, single server crontab -l example, set up zimbra sp in simplesamlphp, set up zimbra, create users, configurable properties in saml-config.properties, slo endpoint, csrfreferercheck.

CC BY-SA

© 2022-2023 by Synacor, Inc. Zimbra Collaboration Administrator Guide

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License unless another license agreement between you and Synacor, Inc. provides otherwise. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0 or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

Synacor, Inc., 2022-2023 505 Ellicott Street, Suite A39 Buffalo, NY 14203 US

https://www.synacor.com

Introduction

Zimbra Collaboration is a full-featured messaging and collaboration solution that includes email, address book, calendaring, tasks, and Web document authoring.

This guide is for system administrators responsible for installing, maintaining, and supporting the server deployment of Zimbra Collaboration.

Readers of this guide should have the following recommended knowledge and skill sets:

Familiarity with the associated technologies and standards

Linux operating system and open source concepts

Industry practices for mail system management

Where possible, Zimbra Collaboration adheres to existing industry standards and open source implementations for backup management, user authentication, operating platform, and database management. However, it only supports the specific implementations described in the Zimbra Collaboration architecture overview in the Product Overview chapter as officially tested and certified. This document might occasionally note when other tools are available in the marketplace, but such mention does not constitute an endorsement or certification.

Contact Zimbra Sales to purchase Zimbra Daffodil (v10).

Zimbra Collaboration customers can contact support at [email protected] .

Explore the Zimbra Forums for answers to installation or configuration problems.

Join the Zimbra Community Forum, to participate and learn more about Zimbra Collaboration.

Send an email to [email protected] to let us know what you like about the product and what you would like to see in the product. If you prefer, post your ideas to the Zimbra Forum.

For additional product information, the following resources are available:

Zimbra Wiki

Security Center

Product Life Cycle

This chapter provides information about the Product Life Cycle stages of Zimbra components.

Product Overview

This chapter provides a system overview of Zimbra components.

The Zimbra Collaboration architecture is built with well-known open source technologies and standards-based protocols. The architecture consists of client interfaces and server components that can run as a single node configuration or be deployed across multiple servers for high availability and increased scalability.

The architecture includes the following core advantages:

Zimbra Collaboration is an innovative messaging and collaboration application that offers the following state-of-the-art solutions that are accessed through the browser based web client.

Intuitive message management, search, tagging, and sharing.

Personal, external, and shared calendar.

Personal and shared Address Books and Distribution Lists.

Personal and Shared Task lists.

Zimbra architecture includes open-source integrations using industry standard protocols. The third-party software listed in Third-Party Software is bundled with Zimbra software and installed as part of the installation process. These components have been tested and configured to work with the software.

Zimbra Collaboration provides the application packages listed in Application Packages .

The configuration for each deployment is dependent on numerous variables such as the number of mailboxes, mailbox quotas, performance requirements, existing network infrastructure, IT policies, security methodologies, spam filtering requirements, and more. In general, deployments share common characteristics for incoming traffic and user connectivity, as depicted in the following diagram. Alternate methods for configuring numerous points within the network are also possible.

Mail Flow - Multi-Server Configuration

The numbered sequences are described below:

Inbound Internet mail goes through a firewall and load balancing to the edge MTA for spam filtering.

The filtered mail then goes through a second load balancer.

An external user connecting to the messaging server also goes through a firewall to the second load balancer.

The inbound Internet mail goes to any of the Zimbra Collaboration MTA servers and goes through spam and virus filtering.

The designated Zimbra Collaboration MTA server looks up the addressee’s directory information from the Zimbra Collaboration LDAP replica server.

After obtaining the user’s information from the Zimbra Collaboration LDPA server, the MTA server sends the mail to the appropriate Zimbra Collaboration server.

Internal end-user connections are made directly to any Zimbra Collaboration server that then obtains the user’s directory information from Zimbra Collaboration LDAP and redirects the user, as needed.

The backups from the Zimbra Collaboration servers can be processed to a mounted disk.

The following table lists the main directories created by the Zimbra installation packages. The directory organization is identical for any server in the Zimbra Collaboration, when installing under (parent) /opt/zimbra .

Zimbra offers multiple Web App types for the use of Zimbra features. The Web Apps provide mail, calendar, address book, and task functions.

Users may select the Web App before they sign in, from the 'Version' drop-down on the login page. The admin can set the Default Web App to either Classic Web App or the Modern Web App, for a COS. Users can override this Default:

In the Modern Web App, users can go to Settings→General to change the value of default Web App they login to

In the Classic Web App, users can go to Preferences→General→Sign in to change the value of default Web App they login to

It is recommended that admins set the Default to the Modern Web App.

In addition to using a web browser or mobile device to connect to Zimbra Collaboration, connection is available using a web service, such as Exchange Web Services (EWS), or a desktop client such as Zimbra Connector to Microsoft Outlook. The following are supported:

Exchange Web Services (EWS) provides client access to enable Zimbra Collaboration to communicate with the Exchange Server when using Microsoft Outlook on a Mac device. To enable EWS client access, see the Class of Service section. EWS is a separately licensed add-on feature.

Messaging Application Programming Interface (MAPI) synchronizes to supported versions of Microsoft Outlook with full delegate, offline access and support for S/MIME. Use the Zimbra Connector for Outlook to connect to Zimbra Collaboration when using Microsoft Outlook on a Windows device. To enable MAPI (Microsoft Outlook) Connector, see the Class of Service section.

Support for all POP3, IMAP4, Calendaring Extensions to Web Distributed Authoring and Versioning (CalDAV), and vCard Extensions to Web Distributed Authoring and Versioning (CardDAV) clients.

Zimbra Offline Mode allows access to data — without network connectivity — when using the Zimbra Modern Web App.

For example, if there is no server connectivity or if server connectivity is lost, the Web App automatically transitions to “offline mode”. When server connectivity is restored, the Web App automatically reverts to “online mode”.

This offline mode uses the caching capability provided by HTML5 in modern browsers.

Security Measures

The coordinated use of multiple security measures, targeted to increase the security of the whole system, is one of the best approaches to securing your information infrastructure. These measures are implemented in the Zimbra Collaboration platform as a result of defense mechanisms summarized in the following topics:

Key functions built into the system for user identity management are summarized in the following table:

Functions built into the system to secure data are summarized in the following table:

The Zimbra Collaboration system logs — generated by SNMP triggers — can be used to record data such as user and administrator activity, login failures, slow queries, mailbox activity, mobile synchronization activity, and data based errors. Events, alerts and traps can be forwarded to log management and event correlation system to create centralized polices and notifications based on your security and compliance requirements.

A Zimbra Collaboration license is required in order to create accounts. When you purchase, renew, or change the Zimbra Collaboration license, you update the Zimbra server with the new license information.

Zimbra Collaboration licensing gives administrators visibility and control of the licensed features they plan to deploy. You can monitor usages and manage the following license types.

A Zimbra license is required to create accounts in Zimbra Daffodil (v10).

To try out Zimbra Collaboration, you can obtain trial versions free of charge. Once you are ready to install a production environment, you need to purchase a subscription or a perpetual license.

An account assigned to a person, including an account created for archiving, requires a mailbox license. Distribution lists, aliases, locations, and resources do not count against the license.

Below is a description of types of Zimbra Collaboration accounts and if they impact your license limit.

License Activation

All Zimbra Daffodil (v10) installations require license activation. New installations have a 10 day grace period from the license issue date before requiring activation. You can activate your license in the Administration Console.

Home → Configure → Global Settings → License , from the Gear icon select Activate License

You can also activate your license from the command line interface.

Licenses are automatically activated if the Zimbra Collaboration server has a connection to the Internet and can communicate with the Zimbra License server. If you are unable to activate your license this way, see the next section on Manual License Activation .

For systems that do not have external access to the Zimbra License server, you can use the Zimbra Support Portal to activate your license manually.

Go to the Zimbra website at https://www.zimbra.com and click on Support to display the Zimbra Technical Support page. Click on the Support Portal Login button to display the Zimbra Support Portal page. Enter your email and password to log in.

If you have problems accessing the Support Portal, contact Zimbra Sales at [email protected] or by calling 1-972-407-0688.688.

If you fail to install or activate your Zimbra Collaboration server license, the following scenarios describe the impact on your Zimbra Collaboration server.

Go to the Zimbra Website https://www.zimbra.com to obtain a trial license from the Network Downloads area. Contact Zimbra sales regarding a trial extended license, or to purchase a subscription license or perpetual license, by emailing [email protected] or calling 1-972-407-0688.

A subscription or perpetual license can only install on the Zimbra Collaboration system identified during purchase. Only one Zimbra license is required for your Zimbra Collaboration environment. This license sets the maximum number of accounts on the system.

View current license information, including the number of purchased accounts, the number of accounts used, and the expiration date, in the Admin Console.

Home → Configure → Global Settings → License .

Managing Licenses

Use the Update License wizard on the Administration Console’s Global Settings page to upload and install a new license. The Activate License link on the toolbar activates the license.

You must have a Zimbra Collaboration license to create accounts. When you purchase, renew, or change the Zimbra license, you must update the Zimbra server with the new license information. The Update License Wizard from the Administration Console’s Global Settings is used to upload and install a new license. The Activate License link on the toolbar activates the license.

When your Zimbra Daffodil (v10) License expires, a license expiration warning appears in the administrative console and web interface for all users. From the date of the license expiration, there is a 30-day grace period during which the administrator sees the warning message, but no features are disabled.

Zimbra does not include a FOSS binary release; therefore, there is no mechanism to fallback to FOSS. If the license ending date has passed, the 30 day grace period has expired, and users decide not to obtain a new license, they can resolve these issues by building the Zimbra binaries and installing them on top of their existing Zimbra system.

If you exhaust your licensed user limit, you are no longer able to create accounts. You can buy additional user licenses, or you can delete existing accounts. Contact Zimbra sales to purchase additional licenses.

You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the Administration Console, a reminder notice is displayed.

When you renew or change the Zimbra license, you update Zimbra Collaboration mailbox servers with the new license information. Perform this operation from either the CLI or the Administration Console.

Home → Configure → Global Settings → License

Updating a license:

Save the license on the computer you use to access the Administration Console.

Log on to the Administration Console, go to Home → Configure → Global Settings → License , from the Gear icon select Update License . The License Installation Wizard opens.

Browse to select the license file and click Next . The license file is now uploaded.

Click Install to install the license file.

Click Activate License . Upgraded Zimbra Collaboration versions require an immediate activation to maintain network feature functionality.

Your license information is updated automatically, and the cached account license count refreshes on each mailbox server.

During installation, upgrades, and periodically while in use, the Zimbra Collaboration server transmits information for reconciliation of billing and license data.

Permission for this data collection is granted under sections 11.4 and 11.6 of the End User License Agreement for Zimbra Daffodil (v10). Copies of the license can be found at https://www.zimbra.com/legal/licensing/ .

The data that is being collected consists of elements of the current license information and is governed by Synacor’s Privacy Policy, which can be found at https://www.synacor.com/privacy-policy/ .

Zimbra Mailbox Server

The Zimbra mailbox server is a dedicated server that manages all the mailbox content, including messages, contacts, calendar, and attachments.

The Zimbra mailbox server has dedicated volumes for backup and log files. Each Zimbra mailbox server can see only its own storage volumes. Zimbra mailbox servers cannot see, read, or write to another server.

Mailbox Server

Each account is configured on one mailbox server, and this account is associated with a mailbox that contains email messages, attachments, calendar, contacts and collaboration files for that account.

Each mailbox server has its own standalone message store, data store, and index store for the mailboxes on that server. The following is an overview of each store and their directory location.

All email messages are stored in MIME format in the Message Store, including the message body and file attachments.

By default, the message store is located on each mailbox server under /opt/zimbra/store . Each mailbox has its own directory named after its internal mailbox ID. Mailbox IDs are unique per server, not system-wide.

Messages with multiple recipients are stored as a single -copy on the message store. On UNIX systems, the mailbox directory for each user contains a hard link to the actual file.

When Zimbra Collaboration is installed, one index volume and one message volume are configured on each mailbox server. Each mailbox is assigned to a permanent directory on the current index volume. When a new message is delivered or created, the message is saved in the current message volume.

To manage your email storage resources, you can configure storage volumes for older messages by implementing a Storage Management (SM) policy. See Managing Configuration .

The Data Store is a SQL database where internal mailbox IDs are linked with user accounts. All the message metadata including tags, conversations, and pointers indicate where the messages are stored in the file system. The SQL database files are located in /opt/zimbra/db .

Each account (mailbox) resides only on one server. Each server has its own standalone data store containing data for the mailboxes on that server.

The data store maps the mailbox IDs to the users' LDAP accounts. The primary identifier within the Zimbra Collaboration database is the mailbox ID, rather than a user name or account name. The mailbox ID is only unique within a single mailbox server.

Metadata including user’s set of tag definitions, folders, contacts, calendar appointments, tasks, Briefcase folders, and filter rules are in the data store database.

Information about each mail message, including whether it is read or unread, and which tags are associated is stored in the data store database.

The index and search technology is provided through Apache Lucene. Each email message and attachment is automatically indexed when the message arrives. An index file is associated with each account. Index files are located in /opt/zimbra/index .

The tokenizing and indexing process is not configurable by administrators or users.

Index Store

The process is as follows:

The Zimbra MTA routes the incoming email to the mailbox server that contains the account’s mailbox.

The mailbox server parses the message, including the header, the body, and all readable file attachments such as PDF files or Microsoft Word documents, in order to tokenize the words.

The mailbox server passes the tokenized information to Lucene to create the index files.

Web Application Server

The Jetty web application server runs web applications (webapps) on any store server. It provides one or more web application services.

Mailstore services provides the back-end access to mailbox/account data. Webapps for the mailstore include:

Mailstore (mail server) = /opt/zimbra/jetty/webapps/service

Zimlets = /opt/zimbra/jetty/webapps/zimlet

User Interface services provide front-end user interface access to the mailbox account data and Administration Console, including:

Web Apps = /opt/zimbra/jetty/webapps/zimbra

Zimbra administrator console = /opt/zimbra/jetty/webapps/zimbraAdmin

Zimbra Collaboration includes a configurable backup manager that resides on every Zimbra Collaboration server and performs both backup and restore functions. You do not have to stop the Zimbra Collaboration server in order to run the backup process. The backup manager can be used to restore a single user, rather than having to restore the entire system in the event that one user’s mailbox becomes corrupted. Full and incremental backups are in /opt/zimbra/backup . See Backup and Restore .

Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup. When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.

A Zimbra Collaboration deployment consists of various third-party components with one or more mailbox servers. Each of the components may generate its own logging output. Local logs are in /opt/zimbra/log .

Selected Zimbra Collaboration log messages generate SNMP traps, which you can capture using any SNMP monitoring software. See Monitoring Zimbra Servers .

Zimbra Collaboration has a built-in IMAP server which is installed by default and is part of zimbra-mailboxd process ( Zimbra Mailbox Server ).

The following global and server level configuration attributes are available to control and tune the IMAP service.

zimbraImapServerEnabled . When set to TRUE, in-process IMAP server is enabled. When set to FALSE, in-process IMAP server is disabled. Default value is TRUE.

zimbraImapSSLServerEnabled . When set to TRUE, in-process IMAP SSL server is enabled. When set to FALSE, in-process IMAP SSL server is disabled. Default value is TRUE

zimbraImapBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP server should listen; if empty, binds to all interfaces.

zimbraImapBindPort . Specifies port number on which in-process IMAP server should listen. Default value is 7143.

zimbraImapSSLBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP SSL server should listen; if empty, binds to all interfaces.

zimbraImapSSLBindPort . Specifies port number on which in-process IMAP SSL server should listen on. Default value is 7993.

zimbraImapNumThreads . Specifies number of threads in IMAP handler’s thread pool. Zimbra Collaboration uses IMAP NIO by default, which allows each IMAP handler thread to handle multiple connections. The default value of 200 is sufficient to handle up to 10,000 active IMAP clients.

zimbraImapCleartextLoginEnabled . Specifies whether or not to allow cleartext logins over a non SSL/TLS connection. Default value is FALSE.

zimbraImapProxyBindPort . Specifies port number on which IMAP proxy server should listen. Default value is 143. See Zimbra Proxy Components for more information.

zimbraImapSSLProxyBindPort . Specifies port number on which IMAP SSL proxy server should listen. Default value is 993. See Zimbra Proxy Components for more information.

zimbraImapMaxRequestSize . Specifies maximum size of IMAP request in bytes excluding literal data. Note: this setting does not apply to IMAP LOGIN requests. IMAP LOGIN requests are handled by IMAP Proxy ( Zimbra Proxy Components ) and are limited to 256 characters.

zimbraImapInactiveSessionCacheMaxDiskSize . Specifies the maximum disk size of inactive IMAP cache in Bytes before eviction. By default this value is 10GB. This is a rough limit, because due to internals of Ehcache actual size on disk will often exceed this limit by a modest margin.

zimbraImapInactiveSessionEhcacheSize . Specifies the maximum heap size of the inactive session cache in Bytes before eviction. By default this value is 1 megabyte. This is a rough limit, because due to internals of Ehcache actual size in memory will often exceed this limit by a modest margin.

zimbraImapActiveSessionEhcacheMaxDiskSize . Specifies the maximum amount of disk space the imap active session cache will consume in Bytes before eviction. By default this value is 100 gigabytes. This is a rough limit, because due to internals of ehcache actual size in memory will often exceed this limit by a modest margin.

Zimbra LDAP Service

LDAP directory services provide a centralized repository for information about users and devices that are authorized to use your Zimbra service. The central repository used for Zimbra’s LDAP data is the OpenLDAP directory server.

The LDAP server is installed when Zimbra is installed. Each server has its own LDAP entry that includes attributes specifying operating parameters. In addition, a global configuration object sets defaults for any server whose entry does not specify every attribute.

A subset of these attributes can be modified through the Zimbra administration console and others through the zmprov commands.

The LDAP Directory Traffic figure shows traffic between the Zimbra-LDAP directory server and the other servers in the Zimbra Collaboration system. The Zimbra MTA and the Zimbra Collaboration mailbox server read from, or write to, the LDAP database on the directory server.

The Zimbra clients connect through the Zimbra server, which connects to LDAP.

LDAP Traffic Flow

LDAP directories are arranged in an hierarchal tree-like structure with two types of branches, the mail branches and the config branch. Mail branches are organized by domain. Entries belong to a domain, such as accounts, groups, aliases, are provisioned under the domain DN in the directory. The config branch contains admin system entries that are not part of a domain. Config branch entries include system admin accounts, global config, global grants, COS, servers, mime types, and Zimlets.

The Zimbra LDAP Hierarchy figure shows the Zimbra LDAP hierarchy. Each type of entry (object) has certain associated object classes.

LDAP Directory Hierarchy

An LDAP directory entry consists of a collection of attributes and has a globally unique distinguished name ( dn ). The attributes allowed for an entry are determined by the object classes associated with that entry. The values of the object class attributes determine the schema rules the entry must follow.

An entry’s object class that determines what kind of entry it is, is called a structural object class and cannot be changed. Other object classes are called auxiliary and may be added to or deleted from the entry.

Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson , and auxiliary object class zimbraAccount , would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.

Zimbra Collaboration LDAP Schema

At the core of every LDAP implementation is a database organized using a schema.

The Zimbra LDAP schema extends the generic schema included with OpenLDAP software. It is designed to coexist with existing directory installations.

All attributes and object classes specifically created for Zimbra Collaboration are prefaced by “zimbra”, such as zimbraAccount object class or zimbraAttachmentsBlocked attribute.

The following schema files are included in the OpenLDAP implementation:

core.schema

cosine.schema

inetorgperson.schema

zimbra.schema

amavisd.schema

dyngroup.schema

zimbraGroup

Represents a particular server in the Zimbra system that has one or more of the Zimbra software packages installed. Attributes describe server configuration information, such as which services are running on the server.

zimbraServer

Specifies default values for the following objects: server and domain. If the attributes are not set for other objects, the values are inherited from the global settings. Global configuration values are required and are set during installation as part of the Zimbra core package. These become the default values for the system.

zimbraGlobalConfig

Represents an alias of an account, distribution list or a dynamic group. The zimbraAliasTarget attribute points to target entry of this alias entry.

zimbraAlias

Defines Zimlets that are installed and configured in Zimbra.

zimbraZimletEntry

Calendar Resource

Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class.

zimbraCalendarResource

Represents a persona of a user. A persona contains the user’s identity such as display name and a link to the signature entry used for outgoing emails. A user can create multiple personas. Identity entries are created under the user’s LDAP entry in the DIT.

zimbraIdentity

Data Source

Represents an external mail source of a user. Two examples of data source are POP3 and IMAP. A data source contains the POP3/IMAP server name, port, and password for the user’s external email account. The data source also contains persona information, including the display name and a link to the signature entry for outgoing email messages sent on behalf of the external account. Data Source entries are created under the user’s LDAP entry in the DIT.

zimbraDataSource

Represents a user’s signature. A user can create multiple signatures. Signature entries are created under the user’s LDAP entry in the DIT.

zimbraSignature

Account Authentication

Supported authentication mechanisms are Internal, External LDAP, and External Active Directory. The authentication method type is set on a per-domain basis. If zimbraAuthMech attribute is not set, the default is to use internal authentication.

The internal authentication method uses the Zimbra schema running on the OpenLDAP server.

The zimbraAuthFallbackToLocal attribute can be enabled so that the system falls back to the local authentication if external authentication fails. The default is FALSE.

The internal authentication method uses the Zimbra schema running on the OpenLDAP directory server. For accounts stored in the OpenLDAP server, the userPassword attribute stores a salted-SHA512 (SSHA512) digest of the user’s password. The user’s provided password is computed into the SSHA digest and then compared to the stored value.

External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra LDAP for all other Zimbra Collaboration related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.

The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.

The zimbraAuthLdapURL and zimbraAuthLdapBindDn attributes are required for external authentication.

zimbraAuthLdapURL attribute ldap://ldapserver:port/ identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.

For example:

If it is an SSL connection, use ldaps: instead of ldap: . The SSL certificate used by the server must be configured as a trusted certificate.

zimbraAuthLdapBindDn attribute is a format string used to determine which DN to use when binding to the external directory server.

During the authentication process, the user name starts out in the format: [email protected]

The user name might need to be transformed into a valid LDAP bind DN (distinguished name) in the external directory. In the case of Active Directory, that bind dn might be in a different domain.

You can implement a custom authentication to integrate external authentication to your proprietary identity database. When an authentication request comes in, Zimbra checks the designated auth mechanism for the domain. If the auth mechanism is set to custom authentication, Zimbra invokes the registered custom auth handler to authenticate the user.

To set up custom authentication, prepare the domain for the custom auth and register the custom authentication handler.

Preparing a domain for custom auth

To enable a domain for custom auth, set the domain attribute, zimbraAuthMech to custom:{registered-custom-auth-handler-name} .

In the following example, "sample" is the name under which custom authentication is registered.

Register a custom authentication handler

To register a custom authentication handler, invoke:

in the init method of the extension.

Class: com.zimbra.cs.account.ldap.ZimbraCustomAuth

Method: public synchronized static void register (String handlerName, ZimbraCustomAuth handler)

Definitions:

handlerName is the name under which this custom auth handler isregistered to Zimbra’s authentication infrastructure. This name is set in the domain’s zimbraAuthMech attribute of the domain.

handler is the object on which the authenticate method is invoked forthis custom auth handler. The object has to be an instance of ZimbraCustomAuth (or subclasses of it).

How Custom Authentication Works

When an authentication request comes in and the domain is specified to use custom authentication, the authenticating framework invokes the authenticate method on the ZimbraCustomAuth instance passed as the handler parameter to ZimbraCustomAuth.register() .

The account object for the principal to be authenticated and the clear-text password entered by the user are passed to ZimbraCustomAuth.authenticate() .

All attributes of the account can be retrieved from the account object.

Kerberos5 Authentication Mechanism authenticates users against an external Kerberos server.

Set the domain attribute zimbraAuthMech to kerberos5 .

Set the domain attribute zimbraAuthKerberos5Realm to the Kerberos5 realm in which users in this domain are created in the Kerberos database. When users log in with an email password and the domain, zimbraAuthMech is set to kerberos5 , the server constructs the Kerberos5 principal by {localpart-of-the-email}@{value-of-zimbraAuthKerberos5Realm} and uses that to authenticate to the kerberos5 server.

To specify Kerberos5 for an individual account set the account’s zimbraForeignPrincipal as kerberos5:{kerberos5-principal} . For example: kerberos5:[email protected].

Global Address List

The Global Address List (GAL) is a company directory of users, usually within the organization itself, that is available to all users of the email system. Zimbra Collaboration uses the company directory to look up user addresses from within the company.

For each Zimbra Collaboration domain you can configure GAL to use:

External LDAP server

Zimbra Collaboration internal LDAP server

Both external LDAP server and Zimbra Collaboration LDAP in GAL searches

The Zimbra Collaboration Web Client can search the GAL. When the user searches for a name, that name is turned into an LDAP search filter similar to the following example, where the string %s is the name the user is searching for.

The Attributes Mapped to Zimbra Collaboration Contact table maps generic GAL search attributes to their Zimbra Collaboration contact fields.

LDAP attributes are mapped to GAL entry fields. For example, the LDAP attribute displayName and cn can be mapped to GAL entry field fullName . The mapping is configured in the zimbraGalLdapAttrMap attribute.

GAL is configured on a per-domain basis. To configure the attributes, you can run the GAL Configuration Wizard from the Administration Console.

Additions, changes and deletions to the GAL attributes are made through the Zimbra Administration Console or from the zmprov commands.

Users can modify attributes for their account in the directory. When users change their options from the Zimbra Classic Web App, they also modify the attributes when they change their preferences.

Flushing LDAP Cache

When you modify the following type of entries in the Zimbra LDAP server, you might need to flush the LDAP cache to make the change available on the server.

Global configuration

Zimlet configuration

When you add or change theme (skin) property files and locale resource files for Zimbra on a server, you must flush the cache to make the new content available.

When you modify the account, COS, groups, domain, and server attributes, the change is effective immediately on the server to which the modification is done. On the other servers, the LDAP entries are automatically updated after a period of time if the attributes are cached.

The default Zimbra setting to update the server is 15 minutes. The caching period is configured on local config key.

If you do not specify a name or ID along with the type, all entries in cache for that type are flushed and the cache is reloaded.

When you modify global config attributes, the changes are effective immediately on the server to which the modification is done. On other mailbox servers, you must flush the cache to make the changes available or restart the server. LDAP entries for global config attributes do not expire.

Some global config attributes are computed into internal representations only once per server restart. For efficiency reasons, changes to those attributes are not effective until after a server restart, even after the cache is flushed. Also, some global configuration settings and server settings that are inherited from global config are only read once at server startup, for example port or number of processing threads. Modifying these types of attributes requires a server restart.

To flush the cache for global config changes on all servers:

Modify the setting on the local server

The change is performed via the server identified by the localconfig keys zimbra_zmprov_default_soap_server and zimbra_admin_service_port .

To flush the global config cache on all other servers, zmprov flushCache must be issued on all servers, one at a time (or use zmprov flushCache -a ).

To determine if the action requires a restart

The requiresRestart value is added to the output if a restart is required.

Zimbra Mail Transfer Agent

The Zimbra MTA (Mail Transfer Agent) receives mail via SMTP and routes each message using Local Mail Transfer Protocol (LMTP) to the appropriate Zimbra mailbox server.

The Zimbra MTA server includes the following programs:

In the Zimbra Collaboration configuration, mail transfer and delivery are distinct functions: Postfix acts as a MTA, and the Zimbra mail server acts as a Mail Delivery Agent (MDA).

The MTA configuration is stored in LDAP. The zmconfigd process polls the LDAP directory every two minutes for modifications and updates the Postfix configuration files with the changes.

The Zimbra mailbox server receives the messages from the Zimbra MTA server and passes them through any filters that have been created.

The MTA server receives mail via SMTP and routes each mail message to the appropriate mailbox server using LMTP. As each mail message arrives, its contents are indexed so that all elements can be searched.

Zimbra MTA Deployment

Zimbra includes a precompiled version of Postfix to route and relay mail and manage attachments. Postfix receives inbound messages via SMTP, performs anti-virus and anti-spam filtering and hands off the mail messages to the Zimbra Collaboration server via LMTP.

Postfix also plays a role in transferring outbound messages. Messages composed from the Zimbra Classic Web App are sent by the Zimbra server through Postfix, including messages sent to other users on the same server.

Zimbra MTA Deployment

Zimbra modified Postfix files — main.cf and master.cf — specifically to work with Zimbra:

main.cf  — Modified to include the LDAP tables. The zmconfigd in the Zimbra MTA pulls data from the Zimbra LDAP and modifies the Postfix configuration files.

master.cf  — Modified to use Amavisd-New.

SMTP Authentication

SMTP authentication allows authorized mail clients from external networks to relay messages through the Zimbra MTA. The user ID and password is sent to the MTA when the SMTP client sends mail so that the MTA can verify if the user is allowed to relay mail.

The user ID and password is sent to the MTA when the SMTP client sends mail. This ensures that the MTA can verify if the user is allowed to relay mail, by checking the associated credentials with the LDAP account.

You can enable restrictions so that messages are not accepted by Postfix when non-standard or other disapproved behavior is exhibited by an incoming SMTP client. These restrictions provide some protection against spam senders. By default, clients that do not greet with a fully qualified domain name are restricted. DNS based restrictions are also available.

You can configure Postfix to send nonlocal mail to a different SMTP server, commonly referred to as a relay or smart host.

A common use case for a relay host is when an ISP requires that all your email be relayed through a designated host, or if you have filtering SMTP proxy servers.

The relay host setting must not be confused with Web mail MTA setting. Relay host is the MTA to which Postfix relays non-local email. Webmail MTA is used by the Zimbra server for composed messages and must be the location of the Postfix server in the Zimbra MTA package.

To use the Administration Console to configure Relay MTA for external delivery:

Home → Configure → Global Settings → MTA → Network

MTA Settings

Anti-Virus and Anti-Spam Protection

The Amavisd-New utility is the interface between the Zimbra MTA and Clam Anti-Virus (ClamAV) and SpamAssassin scanners.

ClamAV software is the virus protection engine enabled for each Zimbra server.

The anti-virus software is configured to put messages that have been identified as having a virus to the virus quarantine mailbox. By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV.

You can change anti-virus settings at the Administration Console.

Home → Configure → Global Settings → AS/AV → Anti-virus Settings

Anti-Virus Protection

Scanning Attachments in Outgoing Mail

You can enable real-time scanning of attachments in outgoing emails sent using the Zimbra Classic Web App. If enabled, when an attachment is added to an email, it is scanned using ClamAV prior to sending the message. If ClamAV detects a virus, it will block attaching the file to the message. By default, scanning is configured for a single node installation.

To enable scanning, using a single node:

To enable scanning in a multi-node environment:

Designate the MTA nodes to handle ClamAV scanning.

Enable, as follows:

Zimbra uses SpamAssassin to identify unsolicited commercial email (spam) with learned data stored in either the Berkeley DB database or a MariaDB database. You can also use the Postscreen function to provide additional protection against mail server overload. Both strategies are described in the following topics:

Spam Assassin Methods for Avoiding Spam

Postscreen methods for avoiding spam.

Usage guidelines are provided in the following topics:

Managing the Spam Assassin Score

Training the Spam Filter

Configuring Final Destination for Spam

Setting Up Trusted Networks

Enabling a Milter Server

Managing the Spam Assassin Score: SpamAssassin uses predefined rules as well as a Bayes database to score messages with a numerical range. Zimbra uses a percentage value to determine “spaminess” based on a SpamAssassin score of 20 as 100%. Any message tagged between 33%-75% is considered spam and delivered to the user’s junk folder. Messages tagged above 75% are always considered spam and discarded.

You can change the spam percentage settings, and the subject prefix at the Administration Console.

Home → Configure → Global Settings → AS/AV → Spam checking Settings

Spam Assassin Settings

By default, Zimbra uses the Berkeley DB database for spam training. You can also use a MariaDB database.

To use the MariaDB method on the MTA servers:

When this is enabled, Berkeley DB database is not enabled.

Training the Spam Filter  — The effectiveness of the anti-spam filter is dependent on user input to differentiate spam or ham. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.

At installation, a spam/ham cleanup filter is configured on only the first MTA. The Zimbra spam training tool, zmtrainsa , is configured to automatically retrieve these messages and train the spam filter. The zmtrainsa script empties these mailboxes each day.

Initially, you might want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes. When zmtrainsa runs, these messages are used to teach the spam filter. Make sure you add a large enough sampling of messages to get accurate scores. To determine whether to mark messages as spam at least 200 known spams and 200 known hams must be identified.

SpamAssassin’s sa-update tool is included with SpamAssassin. This tool updates SpamAssassin rules from the SA organization. The tool is installed into /opt/zimbra/common/bin .

Configuring Final Destination for Spam  — You can configure Amavis behavior to handle a spam item’s final destination by using the following attribute:

zimbraAmavisFinalSpamDestiny

The default is D_DISCARD (which will not deliver the email to the addressee).

Setting final spam destiny attributes:

Setting Up Trusted Networks: The Zimbra configuration allows relaying only for the local network, but you can configure trusted networks that are allowed to relay mail. You set the MTA trusted networks as a global setting, but you can configure trusted networks as a server setting. The server setting overrides the global setting.

To use the Administration Console to set up MTA trusted networks as a global setting:

MTA Trusted Networks

When using the Administration Console to set up MTA trusted networks on a per server basis, first ensure that MTA trusted networks have been set up as global settings.

Home → Configure → Servers → server → MTA → Network

MTA Trusted Networks

Enter the network addresses separated by commas and/or a space . Continue long lines by starting the next line with space, similar to the following examples:

Enabling a Milter Server: Milter server can be enabled to enforce restrictions on which addresses can send to distribution lists and add Reply-To and X-Zimbra-DL headers to messages sent from distribution lists. This can be enabled globally or for specific servers from the Administration Console.

For global configuration, enable the milter server from the Administration Console:

Home → Configure → Global Settings → MTA → Milter Server

MTA Milter Server

Use the Administration Console to enable a specific milter server, and to set bind addressing for individual servers.

Home → Configure → Servers → server → MTA → Milter Server

MTA Milter Server

Zimbra Postscreen is the 8.7 enhancement to the Zimbra Collaboration anti-spam strategy, to provide additional protection against mail server overload. By design, Postscreen is not an SMTP proxy. Its purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic. A single Postscreen process handles multiple inbound SMTP connections and decides which clients may communicate to a Post-fix SMTP server process. By keeping spambots away, Postscreen frees up SMTP server processes for legitimate clients, and delays the onset of server overload conditions.

In a typical deployment, Postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587, which requires client authentication. Alternatively, a site could set up a dedicated, non-Postscreen, “port 25” server that provides submission service and client authentication without MX service.

Zimbra Collaboration Postscreen maintains a temporary white-list for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, Postscreen immediately passes the connection to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.

In a typical scenario that uses Postscreen service, it is reasonable to expect potentially malicious email entities — such as bots and zombies — to be mixed in with friendly candidates in email loads. This concept is illustrated in the following diagram, in which undesirable entities are depicted in red; good email candidates are green.

Postscreen

Postscreen performs basic checks and denies connection(s) that are clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email to the local Anti-SPAM and Anti-Virus engines, which can either accept it or deny it. Good connections are accepted via Postscreen security, then allowed to talk directly with the SMTP daemon, which scans the Email (as usual) with the AS/AV. By default, all bots or zombies are rejected.

Use Zimbra CLI attributes to set parameters for Postscreen operations. For any Postscreen Attributes that provide the ignore, enforce, or drop instruction, use guidelines as follows:

ignore  — Ignore this result. Allow other tests to complete. Repeat this test with subsequent client connections. This is the default setting, which is useful for testing and collecting statistics without blocking mail.

enforce  — Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the hello/sender/recipient information. Repeat this test with subsequent client connections.

drop  — Drop the connection immediately with a 521 SMTP reply. Repeat this test with subsequent client connections.

Postscreen Attributes:

Go to the zmprov mcf prompt (release 8.7+) to use Postscreen commands. You can see example usages of these attributes in Enabling Postscreen .

zimbraMtaPostscreenAccessList  — Default = permit_mynetworks

Postconf postscreen_access_list setting, which is the permanent white/ blacklist for remote SMTP client IP addresses. Postscreen(8) searches this list immediately after a remote SMTP client connects. Specify a comma- or whitespace -separated list of commands (in upper or lower case) or lookup tables. The search stops upon the first command that fires for the client IP address.

zimbraMtaPostscreenBareNewlineAction  — Default = ignore

The action that postscreen(8) is to take when a remote SMTP client sends a bare newline character, that is, a newline not preceded by carriage return — as either ignore, enforce, or drop.

zimbraMtaPostscreenBareNewlineEnable  — Default = no

Enable (yes) or disable (no) “bare newline” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenBareNewlineTTL  — Default = 30d

The amount of time allowable for postscreen(8) to use the result of a successful “bare newline” SMTP protocol test. During this time, the client IP address is excluded from this test. The default setting is lengthy because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenBlacklistAction  — Default = ignore

The action that postscreen(8) is to take when a remote SMTP client is permanently blacklisted with the postscreen_access_list parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenCacheCleanupInterval  — Default = 12h

The amount of time allowable between postscreen(8) cache cleanup runs. Cache cleanup increases the load on the cache database and should therefore not be run frequently. This feature requires that the cache database supports the “delete” and “sequence” operators. Specify a zero interval to disable cache cleanup.

After each cache cleanup run, the postscreen(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as “partial” when the daemon terminates early after postfix reload , postfix stop , or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

zimbraMtaPostscreenCacheRetentionTime  — Default = 7d

The amount of time that postscreen(8) is allowed to cache an expired temporary whitelist entry before it is removed. This prevents clients from being logged as “NEW” just because their cache entry expired an hour ago. It also prevents the cache from filling up with clients that passed some deep protocol test once and never came back.

zimbraMtaPostscreenCommandCountLimit  — Default = 20

Value to set the limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers or rejects all attempts to deliver mail, therefore there is no need to enforce separate limits on the number of junk commands and error commands.

zimbraMtaPostscreenDnsblAction  — Default = ignore

The action that postscreen(8) is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters), as either ignore, enforce, or drop.

zimbraMtaPostscreenDnsblSites

Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog(8) daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen(8) will update an SMTP client’s DNSBL score with each non-error reply.

When a client’s score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold , postscreen(8) can drop the connection with the remote SMTP client.

Specify a list of domain=filter*weight entries, separated by comma or whitespace.

When no =filter is specified, postscreen(8) will use any non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d , where each d is a number, or a pattern inside [] that contains one or more “;”-separated numbers or number..number ranges.

When no *weight is specified, postscreen(8) increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen(8) adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting.

When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen(8) applies the weight at most once.

To use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:

To filter only DNSBL replies containing 127.0.0.4:

zimbraMtaPostscreenDnsblThreshold  — Default = 1

Value to define the inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

zimbraMtaPostscreenDnsblTTL  — Default = 1h

The amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again.

zimbraMtaPostscreenDnsblWhitelistThreshold  — Default = 0

Allow a remote SMTP client to skip “before” and “after 220 greeting” protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

Specify a negative value to enable this feature. When a client passes the postscreen_dnsbl_whitelist_threshold without having failed other tests, all pending or disabled tests are flagged as completed with a time-to-live value equal to postscreen_dnsbl_ttl . When a test was already completed, its time-to-live value is updated if it was less than postscreen_dnsbl_ttl .

zimbraMtaPostscreenGreetAction  — Default = ignore

The action that postscreen(8) is to take when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenGreetTTL  — Default = 1d

The amount of time allowed for postscreen(8) to use the result from a successful PREGREET test. During this time, the client IP address is excluded from this test. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server.

zimbraMtaPostscreenNonSmtpCommandAction  — Default = drop

The action that postscreen(8) takes when a remote SMTP client sends non-SMTP commands as specified with the postscreen_forbidden_ commands parameter, as either ignore, enforce, or drop.

zimbraMtaPostscreenNonSmtpCommandEnable  — Default = no

Enable (yes) or disable (no) "non- SMTP command" tests in the postscreen(8) server. These tests are expensive: a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenNonSmtpCommandTTL  — Default = 30d

The amount of time allowable for postscreen(8) to use the result from a successful “non_smtp_command” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenPipeliningAction  — Default = enforce

The action that postscreen(8) is to take when a remote SMTP client sends multiple commands instead of sending one command and waiting for the server to respond, as either ignore, enforce, or drop.

zimbraMtaPostscreenPipeliningEnable  — Default = no

Enable (yes) or disable (no) “pipelining” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenPipeliningTTL  — Default = 30d

Time allowable for postscreen(8) to use the result from a successful “pipelining” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is lengthy because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

zimbraMtaPostscreenWatchdogTimeout  — Default = 10s

Time allowable for a postscreen(8) process to respond to a remote SMTP client command, or to perform a cache operation, before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents postscreen(8) from becoming non-responsive due to a bug in Postfix itself or in system software. To avoid false alarms and unnecessary cache corruption this limit cannot be set under 10s.

zimbraMtaPostscreenWhitelistInterfaces

A list of local postscreen(8) server IP addresses where a non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary whitelist status. This status is required before the client can talk to a Postfix SMTP server process. By default, a client can obtain postscreen(8)'s whitelist status on any local postscreen(8) server IP address.

When postscreen(8) listens on both primary and backup MX addresses, the postscreen_whitelist_interfaces parameter can be configured to give the temporary whitelist status only when a client connects to a primary MX address. Once a client is whitelisted it can talk to a Postfix SMTP server on any address. Thus, clients that connect only to backup MX addresses will never become whitelisted, and will never be allowed to talk to a Postfix SMTP server process.

Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. The netmask specifies the number of bits in the network part of a host address. Continue long lines by starting the next line with whitespace.

You can also specify /file/name or type:table patterns. A /file/name pattern is replaced by its contents; a type:table lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).

The list is matched left to right, and the search stops on the first match. Specify !pattern to exclude an address or network block from the list.

zimbraMtaPostscreenDnsblMinTTL  — Default = 60s

The minimum amount of time that postscreen(8) is allowed — resulting from a successful DNS -based reputation test — before a client IP address is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl .

zimbraMtaPostscreenDnsblMaxTTL  — Default = postscreen dnsbl ttl

The maximum amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than postscreen_dnsbl_min_ttl .

Note that the default setting is backwards-compatible with Postscreen versions earlier than 3.1.

Enabling Postscreen:

The example in this section demonstrates settings appropriate for a global configuration with medium-to-high level Postscreen protection.

Testing Postscreen:

Testing uses Postscreen to view results without taking any action. In a testing scenario, you instruct Postscreen to log email connections without taking action on them. Once you are satisfied with the results, you can set Postscreen values to enforce or drop emails, as required.

Set up the DNS-based Blackhole List (DNSBL).

Set Postscreen to ignore.

The following real-world example demonstrates return of a 550 error from Postscreen during a test session:

Receiving and Sending Mail

The Zimbra MTA delivers the incoming and the outgoing mail messages. For outgoing mail, the Zimbra MTA determines the destination of the recipient address. If the destination host is local, the message is passed to the Zimbra server for delivery. If the destination host is a remote mail server, the Zimbra MTA must establish a communication method to transfer the message to the remote host. For incoming messages, the MTA must be able to accept connection requests from remote mail servers and receive messages for the local users.

To send and receive email, the MTA must be configured in DNS with both an A record and an MX Record. For sending mail, the MTA uses DNS to resolve hostnames and email-routing information. To receive mail, the MX record must be configured correctly to route messages to the mail server.

You must configure a relay host if you do not enable DNS.

When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, hold, and corrupt.

Message Queues

The incoming message queue holds the new mail that has been received. Each message is identified with a unique file name. Messages are moved to the active queue when there is room. If there are no problems, message move through this queue very quickly.

The active message queue holds messages that are ready to be sent. The MTA sets a limit to the number of messages that can be in the active queue at any one time. From here, messages are moved to and from the anti-virus and anti-spam filters before being delivered to another queue.

Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails and is bounced back to the original sender. You can choose to send a notification to the sender that the message has been deferred.

The hold message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the hold queue.

The corrupt queue stores damaged unreadable messages.

You can monitor the mail queues for delivery problems from the Administration Console. See Monitoring Zimbra Servers .

Message banner for mails from external domains

A message banner in the mails can be added for the mails coming from external domains. This will help users to identify the mails originating outside their organization. The feature is controlled by a localconfig attribute and by default it is disabled.

Following are the details of the attributes:

zimbra_external_email_warning_enabled - Attribute to enable/disable the feature.

zimbra_external_email_warning_message - Attribute to customize the message to be displayed in the mails.

Following are the instructions to be executed as zimbra user:

Enabling the feature:

Restart mailbox service:

When a user receives mail from an external domain, the message banner will get displayed at the top of the message body.

The message for external domains can also be modified.

Following are the instructions:

Edit the localconfig attribute zimbra_external_email_warning_message with the new message:

When a user receives mail from an external domain, the edited message banner will get displayed at the top of the message body.

Zimbra Proxy Server

Zimbra Proxy is a high-performance proxy server that can be configured as a POP3/IMAP/HTTP proxy used to reverse proxy IMAP/POP3 and HTTP client requests to a set of backend servers.

The Zimbra Proxy package is installed and configured during the Zimbra Collaboration installation. You can install this package on a mailbox server, MTA server, or on its own independent server. When the Zimbra Proxy package is installed, the proxy feature is enabled. In most cases, no modification is necessary.

Benefits for using Zimbra Proxy include:

Zimbra proxy centralizes access to Mailbox servers

Load Balancing

Authentication

SSL Termination

Centralized Logging and Auditing

URL Rewriting

Strict Server Name Enforcement (optional)

For more information, see the wiki page Zimbra_Proxy_Guide .

Zimbra Proxy is designed to provide a HTTP/POP/IMAP proxy that is quick, reliable, and scalable. Zimbra Proxy includes the following:

This section describes the architecture and flow sequence of Zimbra proxy.

End clients connect to Zimbra Proxy using HTTP/HTTPS/POP/IMAP ports.

When Zimbra Collaboration Proxy receives an incoming connection, the Nginx component sends an HTTP request to Zimbra Collaboration Proxy Route Lookup Handler component.

Proxy Architecture

Zimbra Collaboration Proxy Route Lookup Handler locates the route information for the account being accessed and returns this to Nginx.

The Memcached component stores the route information for the configured period of time (the default is one hour). Nginx uses this route information instead of querying the Zimbra Collaboration Proxy Route Lookup Handler until the default period of time has expired.

Nginx uses the route information to connect to Zimbra Collaboration Mailbox.

Zimbra Collaboration Proxy connects to Zimbra Collaboration Mailbox and initiates the web/mail proxy session. The end client behaves as if it is connecting directly to Zimbra Collaboration Mailbox.

When Zimbra proxy is configured, the Zimbra proxy config performs keyword substitution as necessary with values from the LDAP configuration and localconfig.

If changes are required after the Zimbra Proxy is set up, modify the Zimbra LDAP attributes or localconfig values and run zmconfigd to generate the updated Zimbra Proxy configuration. The Zimbra proxy configuration file is in /opt/zimbra/conf/nginx.conf . The nginx.conf includes the main config, memcache config, mail config, and web config files.

Common changes to Zimbra Proxy configuration are IMAP/POP configuration changes from the original default setup

HTTP reverse proxy configuration changes from the original default setup

GSSAPI authentication for Kerberos. In this case you manually identify the location of the Kerberos Keytab file, including Zimbra Proxy password

Zimbra Proxy

Zimbra Proxy allows end users to access their Zimbra Collaboration account using clients such as Microsoft Outlook, Mozilla Thunderbird, or other POP/IMAP end-client software. End users can connect using POP3, IMAP, POP3S (Secure POP3), or IMAPS (Secure IMAP).

For example, proxying allows users to enter imap.example.com as their IMAP server. The proxy running on imap.example.com inspects their IMAP traffic, does a lookup to determine which backend mailbox server a user’s mailbox lives on and transparently proxies the connection from user’s IMAP client to the correct mailbox server.

The following ports are used either by Zimbra Proxy or by Zimbra Mailbox (if Proxy is not configured). If you have any other services running on these ports, turn them off.

End clients connect directly to Zimbra Proxy, using the Zimbra Proxy Ports. Zimbra Proxy connects to the Route Lookup Handler or Zimbra Mailbox using the Zimbra Mailbox Ports.

Zimbra Proxy has the ability to strictly enforce which values are allowed in the Host header passed in by the client.

This is enabled by default on new installations but left disabled for upgrades from previous versions unless toggled during the installation.

The functionality may be altered by setting the zimbraReverseProxyStrictServerNameEnabled boolean configuration option followed by restarting the proxy server.

TRUE - strict server name enforcement enabled

FALSE - strict server name enforcement disabled

When the strict server name functionality is enabled, additional valid server names may be specified using the zimbraVirtualHostName and zimbraVirtualIPAddress configuration items at the domain level.

IMAP proxy is installed with Zimbra Collaboration and set up during installation from the configuration menus. To set up the HTTP proxy, the proxy must be installed on the identified proxy nodes in order to set up HTTP proxy. No other configuration is usually required.

If you need to, set up IMAP/POP proxy after you have already installed HTTP proxy, and set up the mailbox server and the proxy node.

Set Up IMAP/POP Proxy with Separate Proxy Node

Use steps in this section if your configuration includes a separate proxy server.

On each Zimbra mailbox server that you want to proxy with, enable the proxy for IMAP/POP proxy.

This configures the following:

Restart services on the proxy and mailbox servers.

Set Up the Proxy Node

On each proxy node that has the proxy service installed, enable the proxy for the web.

Set Up a Single Node

Use steps in this section if Zimbra proxy is installed with Zimbra Collaboration on the same server.

Enable the proxy for the web.

Configuring Zimbra HTTP Proxy

Zimbra Proxy can also reverse proxy HTTP requests to the right back-end server.

For example, users can use a web browser to connect to the proxy server at https://mail.example.com . The connection from users whose mailboxes live on mbs1.example.com is proxied to mbs1.example.com by the proxy running on the mail.example.com server. The proxy also supports REST and CalDAV clients, Zimbra Connector for Outlook, and Zimbra Mobile Sync devices.

HTTP reverse proxy routes requests as follows:

If the requesting URL can be examined to determine the user name, then the request is routed to the backend mailbox server of the user in the URL. REST, CalDAV, and Zimbra Mobile Sync are supported through this mechanism.

If the request has an auth token cookie ( ZM_AUTH_TOKEN ), the request is routed to the backend mailbox server of the authenticated user.

If the above methods do not work, the IP hash method is used to load balance the requests across the backend mailbox servers which are able to handle the request or do any necessary internal proxying.

To set up HTTP proxy, Zimbra Proxy must be installed on the identified nodes.

Setting Up HTTP Proxy as a Separate Proxy Node

On each Zimbra mailbox server that you want to proxy with, enable the proxy for the web.

Configure each domain with the public service host name to be used for REST URLs, email, and Briefcase folders.

Setting Up Proxy Node

To set the proxy server mail mode, add the -x option to the command with the specific mode: http , https , both , redirect , mixed .

Setting Up a Single Node for HTTP Proxy

Use steps in this section if Zimbra proxy is installed along with Zimbra on the same server.

On each zimbra mailbox server that you want to proxy with, enable the proxy for the web.

Configure each domain with the public service host name to be used for REST URLs, email and Briefcase folders.

Set Up Proxy to use Clear Text for Upstream Connections

When setting up the proxy to use clear text for upstream connections, set zimbraReverseProxySSLToUpstreamEnabled to FALSE.

This attribute defaults to TRUE. In an "out of the box" proxy set up, the upstream communication defaults to SSL.

REST URL Generation

For REST URL, you set the host name, service protocol, and services port globally or for a specific domain from the following attributes.

zimbraPublicServiceHostname

zimbraPublicServiceProtocol

zimbraPublicServicePort

When generating REST URL’s:

If domain.zimbraPublicServiceHostname is set, use zimbraPublicServiceProtocol + zimbraPublicServiceHostname + zimbraPublicServicePort

Otherwise it falls back to the server (account’s home server) attributes:

protocol is computed from server.zimbraMailMode

hostname is server.zimbraServiceHostname

port is computed from the protocol.

On a multiserver Zimbra, if a load balanced name was needed to create a friendly landing page, a user would always have to be redirected. In that case, zimbra_auth_always_send_refer was set to TRUE.

Now with a full-fledged reverse proxy, users do not need to be redirected. The localconfig variable zimbraMailReferMode is used with nginx reverse proxy.

When a proxy is configured with Zimbra, each proxy server’s IP address must be configured in LDAP attribute zimbraMailTrustedIP to identify the proxy addresses as trusted when users log in through the proxy. The proxy IP address is added to the X-Forwarded-For header information. The X-Forwarded-For header is automatically added to the localconfig zimbra_http_originating_ip header attribute. When a user logs in, this IP address and the user’s address are verified in the Zimbra mailbox log.

Set each proxy IP address in the attribute. For example, if you have two proxy servers:

Use steps in this section if you use the Kerberos5 authenticating mechanism, and want to configure it for the IMAP and POP proxy.

On each proxy node, set the zimbraReverseProxyDefaultRealm server attribute to the realm name corresponding to the proxy server. For example:

Each proxy IP address where email clients connect must be configured for GSSAPI authentication by the mail server. On each proxy node for each of the proxy IP addresses:

On each proxy server:

Restart the proxy server

Zimbra Administration Console

The Zimbra Administration Console is a browser-based user interface for the central management of Zimbra servers and user accounts.

When you log in to the Administration Console, the tasks you are authorized to perform show up on the Navigation pane. These tasks depend on the rights assigned to your administrator role.

You can create two types of administrator accounts to manage Zimbra Collaboration:

Global Administrators have full privileges to manage servers, global settings, domains, and accounts as well as create other administrators. One global administrator account gets created automatically during software installation. Create additional global administrator accounts anytime later. You can perform administration tasks from the Administration Console or the command line.

Delegated Administrators are granted customized administrator roles by the global administrator to manage different tasks from the Administration Console. See Delegated Administration for more details.

Logging into the Administration Console

To launch the Administration Console in a typical installation, use the following URL pattern.

https://server.domain.com:7071/

At the login screen, enter the complete administrator address - e.g., [email protected] - and the password configured for it during server installation of Zimbra Collaboration.

Administration Console

You can change the password - from either the Administration Console or the CLI - at any time.

From the Administration Console, use the Change Password screen to set the new password string, and to define the policy for user password modifications.

Home → Manage → Accounts

Double click select user account or from the Gear icon, select Change Password from the popup menu.

Change Password

A different login and logout page can be configured either as a global setting or as a domain setting.

To specify a URL to redirect administrators to if their login fails authentication, or if their authentication has expired:

To specify a URL to redirect administrators to, for logging out:

Most Zimbra tasks - such as creating accounts and Classes of Service, Server Status Monitoring, Domain management, Backup Scheduling, and Session management - can be managed from the Administration Console.

Other configuration and maintenance tasks require the use of the Zimbra CLI because you cannot perform them in the Administration Console. For example: starting and stopping services and managing the local server configuration.

At the Administration Console, if you need to view the attribute associated with a particular function, you can click on the text labels of the currently visible configuration page to open the information in a popup. Guide text is also provided from these popups, as demonstrated in the following illustration.

Navigating the User Interface

The organization of the Zimbra Collaboration Administration Console provides quick navigation to the configuration and monitoring tools and views associated with your login privileges. It also provides easy access to various types of Help and the on-screen guide text.

After logging in to the Administration Console, the Home page provides status information and options you can select to navigate to the configuration and viewing options described in this user guide.

Administration Console

The displays and options in the navigation pane and viewing pane change according to your selections. Other portions of the UI — arrow buttons, search field, screen refresh, current location/path, current login, and Help — always remain in view.

Gear Icon

The options provided in the Home navigation pane get categorized under the Home directory. Some of the options lead to configuration pages; others lead to pages containing reports, as associated with your selections.

The illustration at right is an expanded view of the options currently supported in the Navigation Pane.

The upper bar of the in-view page always displays your current position in the hierarchy, and you can use multiple options for dismissing the current view:

To return to a previous page or go to the next page, click the left or right arrows.

To return to a specific portion of the UI, select an option from the Home dropdown.

To go directly to a specific option, click through the hierarchy in the Navigation Pane.

The Navigation pane options are described in the following topics:

Monitor UI .

Manage UI .

Configure UI .

Global Settings UI .

Tools and Migration UI .

Search UI .

The Home screen is the default, login view, which provides the Home navigation pane and the Home page. This page provides a snapshot view of system status and a series of quick-access links for essential tasks.

Home UI

The Monitor screen provides the Monitor navigation pane and the Monitor pages, which display various itemizations about servers monitored by the Collaborator.

Monitor UI

Monitor Navigation Pane and Pages

The options provided in the Monitor pages provide various methods- dynamic charts, or tables-for viewing the individual or system-wide monitored servers and services listed in the following table.

The Manage screen provides the Manage navigation pane, and the Manage pages, which display the tables categorically provided as Accounts, Aliases, Distribution Lists, and Resources that are currently managed by Collaborator.

Manage UI

The Configure screen provides the Configure navigation pane, and the Configure pages, which enable configurations for individual or global components.

Configure UI

Global Settings define the default global values for servers, accounts, COS, and domains. These default values and parameters apply when no specific values and parameters for particular items are in their settings.

You configure the defaults for Global Settings during installation. You can change the settings at any time from Global Settings at the Administration Console.

The Tools and Migration screen provides the Tools and Migration navigation pane, for access to system software management and system backup/restore. Administrators can access and download specific wizards and tools from this page.

Tools and Migration UI

Downloadable Wizards and Connectors

Use the Tools and Migration screen Downloads option to get the tools described in this section.

Zimbra Collaboration Migration Wizard for Domino

Legacy Zimbra Collaboration Migration Wizard for Exchange

Zimbra Connector for Outlook MSI Customizer

Present text file containing functions you can use to customize the standard ZCO MSI. The server name, port, and other variables particular to an organization can be customized.

Zimbra Connector for Outlook Branding MSI

Get the Windows Visual Basic Script Edition (VBScript Script File) to customize the standard ZCO MSI. Customization replaces all instances of the Zimbra product name and logo.

(Legacy) Migration Wizard for Microsoft Exchange

General Migration Wizard

This tool imports data within Microsoft Exchange servers and Outlook PST files to the Zimbra Server.

The Search screen displays the Search results from queries made in the Search field in the Administration Console header.

When you open this page without entering a search query, All Results is the default search, which displays accounts, domains, and distribution lists in the Content pane.

The auto-completion function allows you to enter a partial name, then select a searchable name from the displayed list of matched strings.

You can also use the Zimbra mailbox ID number to search for an account. However, to return a search from a mailbox ID, the complete ID string must be entered in the search.

Search UI

At the Search field, use search options from the drop-down selector to define the type of search, as either accounts , distribution lists , aliases , resources , domains , class of service , or all objects .

For accounts, you can search by display name, first/last name, the first part of an email address, alias, delivery address, or mailbox ID.

Type the search string into the Search field.

Partial entries are allowed as search criteria, but a search based on mailbox ID must include the complete ID string.

Click Search .

The Search page appears, containing results of the search based on your criteria.

View the total number of results at the Navigation pane, in Search> All Results .

The Help Center is a reference of resources available from the online help and documentation, which you can access with the links provided in the Help Center screen. Use this page, also, to access community forums and to view expert responses to the top migration questions.

Help Center UI

The selection of a category from the Navigation pane typically results in a tabular display of all managed objects for the selected category. All tables display labeled columns in which to view information such as email addresses, display names, status, last logins, and descriptions (if configured).

Each row in a table enables actions you can perform if you require additional information or access to the configuration for the selected table entry.

Message of the Day

Global administrators can create the message- or messages-of-the-day (MOTD) that administrators view when logging into the Administration Console.

The MOTD displays during administrative login at the top-left of the Administration Console, similar to the example below.

Message of the Day

The message can be closed, replaced, or removed.

To remove a message from view, click Close located alongside the message content.

Use the zimbraAdminConsoleLoginMessage attribute, with guidelines in this section, to create a single message of the day, or to create multiple messages to be displayed.

Creating a global message or domain-specific message.

Creating a multiple-message display:

Use the zimbraAdminConsoleLoginMessage attribute, with guidelines in this section, to delete a single message of the day, or to delete multiple messages.

Place a minus sign (-) before the attribute, and double quote marks at the beginning and end of an individual message-id for deletion.

Use single quote marks with the attribute to remove all messages.

Removing a specific message:

Removing all messages:

Functional Reference

This section provides birds-eye views of the functions you can use when navigating the Administration Console, in the following topics:

The following illustration provides a high-level view of the Administration Console UI.

High-level View of Administration Console UI

You can select options to perform on a selected entity from the navigation pane from the Gear icon or a topical popup menu.

Using the Gear icon

The Gear icon is always located at the upper-right edge of the page view if pertinent to selectable items in the displayed page.

The Gear Icon

To view the available options, highlight a topic at the navigation pane or in the page view: In the popup, the options that do not apply to your selection are disabled — the remaining enabled options are valid with your selection. The following example demonstrates Gear options based on the selection of a navigation bar topic, versus a table row entry from within the same page view.

The Gear Icon

The following table provides a high-level view of the operations derived from the Gear icon, which varies for particular functions.

Using the Topical Popup Menus

You can elect to access options to perform on a selection by using popup menus:

The following example demonstrates the popup options provided by a specific selection in the page view.

Popup Options

The Administration Console logically groups a wide range of Configuration options into containers . Applicable configuration options inside these containers are listed in the High-level View of Administration Console UI

By default, all containers on a page are opened (expanded). You can opt to close (collapse) containers - which can free up additional space in a page view - by clicking on collapse/expand located at the upper-left edge of the container.

Containers

Managing Configuration

The Zimbra components are configured during the initial installation of the software. After the installation, you can manage the following components from either the Administration Console or using the CLI utility.

Help is available from the Administration Console about how to perform tasks from the Administration Console. If the task is only available from the CLI, see Zimbra CLI Commands for a description of how to use the CLI utility.

Global Settings apply to all accounts in the Zimbra servers. They are initially set during installation. You can modify the settings from the Administration Console.

Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the server, the server settings override the global settings.

To configure global settings, navigate to: Home → Configure → Global Settings

Configured global settings are:

Default domain

Maximum number of results returned for GAL searches. Default = 100.

User views of email attachments and attachment types not permitted.

Configuration for authentication process, Relay MTA for external delivery, DNS lookup, and protocol checks.

Spam check controls and anti-virus options to check messages received.

Free/busy scheduling across a mix of Zimbra Collaboration servers and third party email servers.

Customization of themes: modify colors and add your logo.

Configuration of company name display for external guest log on, when viewing a shared Briefcase folder.

Backup default directory and backup notification information.

Global SM schedule that defines when messages should be moved to a secondary storage space.

View of current Zimbra license information, license updating, and view the number of accounts created.

Home → Configure → Global Settings

Use the General Information screen to view and set global parameters for servers that have been installed and enabled.

General Information

Modify parameters, as appropriate for your requirements.

From the Gear icon, select Save to use your settings.

Admin Help URL Delegated Admin Help URL

To use the Zimbra Collaboration Help, you can designate the URL that is linked from the Administration Console Help

Attachments Configuration

Global email attachment settings allow you to specify global rules for handling attachments to an email message. You can also set rules by COS and for individual accounts. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.

Home → Configure → Global Settings → Attachments

Attachment Rules

You can also reject messages with certain types of files attached. You select which file types are unauthorized from the Common extensions list. You can also add other extension types to the list. Messages with those type of files attached are rejected. By default the recipient and the sender are notified that the message was blocked.

If you do not want to send a notification to the recipient when messages are blocked, you can disable this option.

MTA Configuration

Use options from the MTA page to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks.

Home → Configure → Global Settings → MTA

MTA Configuration

You can enable the X-Originating-IP header to messages checkbox. The X-Originating-IP header information specifies the original sending IP of the email message the server is forwarding.

Policy Service

Customize zimbraMtaRestriction (restrictions to reject Checks some suspect SMTP clients).

Protocol checks

To reject unsolicited commercial email (UCE), for spam control.

To reject mail if the client’s IP address is unknown, the hostname in the greeting is unknown, or if the sender’s domain is unknown.

Add other email recipient restrictions to the List of RBLs field.

Use the IMAP and POP pages to enable global access.

Home → Configure → Global Settings → IMAP Home → Configure → Global Settings → POP

IMAP and POP3 polling intervals can be set from the Administration Console COS Advanced page. Default = No polling interval.

With POP3, users can retrieve their mail stored on the Zimbra server and download new mail to their computer. The user’s POP configuration in their Preference → Mail page determines how their messages are downloaded and saved.

Working With Domains

One domain is identified during the installation process. You can add domains after installation. From the Administration Console you can manage the following domain features.

Virtual hosts for the domain to establish a default domain for a user login

Public service host name that is used for REST URLs, commonly used in sharing.

Maximum number of accounts that can be created on the domain

Free/Busy Interop settings for use with Microsoft Exchange.

Domain SSL certificates

A domain can be renamed and all account, distribution list, alias and resource addresses are changed to the new domain name. The CLI utility is used to changing the domain name. See Renaming a Domain .

Use the New Domain Wizard to set options described in this section.

Home → 2 Set up Domain → 1. Create Domain…​

Create Domain

When a domain status is marked as Closed , login for accounts on the domain is disabled and messages are bounced. The closed status overrides an individual account’s status setting.

When a domain status is marked as Locked , users cannot log in to check their email, but email is still delivered to the accounts. If an account’s status setting is marked as maintenance or closed, the account’s status overrides the domain status setting.

When the domain status is marked for maintenance, users cannot log in and their email is queued at the MTA. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.

When the domain status is marked as Suspended , users cannot log in, their email is queued at the MTA, and accounts and distribution lists cannot be created, deleted, or modified. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.

Setting up a Public Service Host Name

You can configure each domain with the public service host name to be used for REST URLs. This is the URL that is used when sharing email folders and Briefcase folders, as well as sharing task lists, address books, and calendars.

When users share a Zimbra Collaboration folder, the default is to create the URL with the Zimbra server hostname and the Zimbra service host name. This is displayed as https://server.domain.com/service/home/username/sharedfolder . The attributes are generated as follows:

Hostname is server.zimbraServiceHostname

Protocol is determined from server.zimbraMailMode

Port is computed from the protocol

When you configure a public service host name, this name is used instead of the server/service name, as https://publicservicename.domain.com/home/username/sharedfolder . The attributes to be used are:

You can use another FQDN as long as the name has a proper DNS entry to point at 'server' both internally and externally.

The Global Address List (GAL) is your company-wide listing of users that is available to all users of the email system. GAL is a commonly used feature in mail systems that enables users to look up another user’s information by first or last name, without having to know the complete email address.

GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed.

Use the GAL Mode Settings tool with your domain configuration to define the Global Address List.

Home → 2 Set up Domain → 1 Create Domain…​ → GAL Mode Settings

GAL Mode Settings

A GAL sync account is created for the domain when an internal or external GAL is created, and if you have more than one mailbox server, you can create a GAL sync account for each mailbox server in the domain. Using the GAL sync account gives users faster access to auto complete names from the GAL.

When a GAL sync account is created on a server, GAL requests are directed to the server’s GAL sync account instead of the domain’s GAL sync account. The GalSyncResponse includes a token which encodes the GAL sync account ID and current change number. The client stores this and then uses it in the next GalSyncRequest. Users perform GAL sync with the GAL sync account they initially sync with. If a GALsync account is not available for some reason, the traditional LDAP-based search is run.

When you configure the GAL sync account, you define the GAL datasource and the contact data is synced from the datasource to the GAL sync accounts' address books. If the mode Both is selected, an address book is created in the account for each LDAP data source.

The GAL polling interval for the GAL sync determines how often the GALsync account syncs with the LDAP server. The sync intervals can be in x days, hours, minutes, or seconds. The polling interval is set for each data source.

When the GAL sync account syncs to the LDAP directory, all GAL contacts from the LDAP are added to the address book for that GAL. During the sync, the address book is updated with new contact, modified contact and deleted contact information. You should not modify the address book directly. When the LDAP syncs the GAL to the address book, changes you made directly to the address book are deleted.

You create GALsync accounts from the Administration Console. The CLI associated with this feature is zmgsautil.

Creating Additional GALsync Accounts

When Zimbra is configured with more than one server, you can add an additional GAL sync account for each server.

Home → Configure → Domains

Select the domain to add another GAL sync account.

In the Gear icon, select Configure GAL .

Click Add a GAL account .

In the GAL sync account name field, enter the name for this account. Do not use the default name.

Select the mailbox server that this account will apply to.

Enter the GAL datasource name . If the GAL mode is BOTH, enter the data source name for both the internal GAL and the external GAL.

Set the GAL polling interval to how often the GAL sync account should sync with the LDAP server to update.

Click Finish .

Changing GAL sync account name

The default name for the GAL sync account is galsync . When you configure the GAL mode, you can specify another name. After the GAL sync account is created, you cannot rename the account because syncing the data fails.

To change the account name, delete the existing GAL sync account and configure a new GAL for the domain.

Select the domain where you want to change the GAL sync account name.

In the Gear icon, select Configure GAL to open the configuration wizard and change the GAL mode to internal. Do not configure any other fields. Click Finish .

In the domain’s account Content pane, delete the domain’s galsync account.

Select the domain again and select Configure GAL to reconfigure the GAL. In the GAL sync account name field, enter the name for the account. Complete the GAL configuration and click Finish . The new account is displayed in the Accounts Content pane.

Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in.

Set the authentication method on a per-domain basis.

Home → 2 Set up Domain → 1 Create Domain…​ → Authentication Mode

Virtual hosting allows you to host more than one domain name on a server. The general domain configuration does not change.

When you create a virtual host, this becomes the default domain for user login; users can log in without having to specify the domain name as part of their user name.

Home → 2 Set up Domain → 1 Create Domain…​ → Virtual Hosts

To open the Zimbra Classic Web App log in page, users enter the virtual host name as the URL address. For example, https://mail.company.com .

When the Zimbra login screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.

You can limit the number of accounts that can be provisioned on a domain. The maximum number of accounts that can be provisioned for the domain can be set when the domain is created. You can also edit the domain configuration to add or change the number.

In the Administration Console this is set for a domain in the Account Limits page. If this page is not configured, no limits on the domain are set.

Resources, spam, and ham accounts are not counted against this limit.

When multiple Classes of Service (COS) are available, you can select which classes of service can be configured and how many accounts on the domain can be assigned to the COS. This is configured in the domain’s Account Limits page. The number of COS account types used is tracked. The limits for all COSs cannot exceed the number set for the maximum accounts for the domain.

The number of COS assigned to accounts is tracked. You can see the number assigned/number remaining from any account’s General Information page.

When you rename a domain you are actually creating a new domain, moving all accounts to the new domain and deleting the old domain. All account, alias, distribution list, and resource addresses are changed to the new domain name. The LDAP is updated to reflect the changes.

Before you rename a domain

Make sure MX records in DNS are created for the new domain name

Make sure you have a functioning and current full backup of the domain

After the domain has been renamed

Update external references that you have set up for the old domain name to the new domain name. This may include automatically generated emails that were sent to the administrator’s mailbox such as backup session notifications. Immediately run a full backup of the new domain:

Domain Rename Process

When you run this zmprov command, the domain renaming process goes through the following steps:

The status of the old domain is changed to an internal status of shutdown, and mail status of the domain is changed to suspended. Users cannot login, their email is bounced by the MTA, and accounts, calendar resources and distribution lists cannot be created, deleted or modified.

The new domain is created with the status of shutdown and the mail status suspended.

Accounts, calendar resources, distribution lists, aliases, and resources are all copied to the new domain.

The LDAP is updated to reflect the new domain address.

The old domain is deleted.

The status for the new domain is changed to active. The new domain can start accepting email messages.

A domain alias allows different domain names to direct to a single domain address. For example, your domain is domain.com , but you want users to have an address of example.com , you can create example.com as the alias for the domain.com address. Sending mail to [email protected] is the same as sending mail to [email protected] .

Home → Configure → Domains , from the Gear icon select, Add a Domain Alias .

Disclaimers are set per-domain. When upgrading, an existing global disclaimer is converted to domain specific disclaimers on every domain to preserve behavior with previous releases.

Per domain disclaimer support can be enabled using the following steps:

Create a new domain (e.g. example.com ) and account (e.g. [email protected] ).

Enable the use of disclaimers

Add disclaimers to the new domain

On the first MTA:

On all additional MTAs:

To test, send an email from the account (e.g. [email protected] ) in html and plain text format

To verify, check emails received with correct HTML disclaimer and plain text disclaimer.

To disable for the domain example.com

On the first MTA, as the Zimbra user:

You can enable the option for emails between individuals in the same domain to not have a disclaimer attached.

Set the attribute attachedzimbraAmavisOutboundDisclaimersOnly to TRUE .

To preserve backward-compatibility, this attribute defaults to FALSE .

It is possible to completely remove support for disclaimers by setting the related attribute to FALSE .

All Zimlets that are deployed are displayed in the domain’s Zimlets page. If you do not want all the deployed Zimlets made available for users on the domain, select from the list the Zimlets that are available for the domain. This overrides the Zimlet settings in the COS or for an account.

Managing Server Settings

A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.

In the Administration Console, you can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The Zimbra Collaboration installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.

The server settings that can be viewed from the Administration Console, Configure Servers link for a specific server include:

General information about the service host name, and LMTP advertised name and bind address, and the number of threads that can simultaneously process data source imports.

A list of enabled services. You can disable and enable the services.

Authentication types enabled for the server, setting a Web mail MTA host-name different from global. Setting relay MTA for external delivery, and enabling DNS lookup if required. Enable the Milter Server and set the bind address.

Enabling POP and IMAP and setting the port numbers for a server. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.

Index and message volumes configuration. Setting SM policies.

IP Address Bindings. If the server has multiple IP addresses, IP Address binding allows you to specify which interface to bind to.

Proxy settings if proxy is configured.

Backup and Restore configuration for the server. When backup and restore is configured for the server, this overrides the global backup and restore setting.

Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.

The General Information page includes the following configuration information:

Server display name and a description field

Server hostname

LMTP information including advertised name, bind address, and number of threads that can simultaneously process data source imports. Default = 20 threads.

Purge setting : The server manages the message purge schedule. You configure the duration of time that the server should "rest" between purg-ing mailboxes from the Administration Console, Global settings or Server settings, or General Information page. Default = message purge is scheduled to run each minute.

When installing a reverse proxy the communication between the proxy server and the backend mailbox server must be in plain text. Checking This server is a reverse proxy lookup target automatically sets the following parameters:

The Notes text box can be used to record details you want to save.

Home → Configure → Servers → server → MTA

The MTA page show the following settings:

Authentication enabled.

Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail. TLS authentication when enabled, forces all SMTP auth to use Transport Layer Security (successor to SSL) to avoid passing passwords in the clear.

Network settings, including Web mail MTA hostname, Web mail MTA time-out, the relay MTA for external delivery, MTA trusted networks ID, and the ability to enable DNS lookup for the server.

Milter Server.

If Enable Milter Server is checked, the milter enforces the rules that are set up for who can send email to a distribution list on the server.

If the server has multiple IP addresses, you can use IP address binding to specify which specific IP addresses you want a particular server to bind to.

Home → Configure → Servers → server → IP Address Bindings

A certificate is the digital identity used for secure communication between different hosts or clients and servers. Certificates are used to certify that a site is owned by you.

Two types of certificates can be used - self-signed and commercial certificates.

A self-signed certificate is an identity certificate that is signed by its own creator.

You can use the Certificate Installation Wizard to generate a new self-signed certificate. This is useful when you use a self-signed certificate and want to change the expiration date. Self-signed certificates are normally used for testing. Default = 1825 days (5 years)

A commercial certificate is issued by a certificate authority (CA) that attests that the public key contained in the certificate belongs to the organization (servers) noted in the certificate.

When Zimbra Collaboration is installed, the self-signed certificate is automatically installed and can be used for testing Zimbra Collaboration. You should install the commercial certificate when Zimbra Collaboration is used in your production environment.

To generate the Certificate Signing Request (CSR) you complete a form with details about the domain, company, and country, and then generate a CSR with the RSA private key. You save this file to your computer and submit it to your commercial certificate authorizer.

To obtain a commercially signed certificate, use the Zimbra Certificates Wizard in the Administration Console to generate the RSA Private Key and CSR.

Home → 1 Get Started → 2. Install Certificates

Use guidelines from the Install Certificates table to set parameters for your certificates.

Download the CSR from the Zimbra server and submit it to a Certificate Authority, such as VeriSign or GoDaddy. They issue a digitally signed certificate.

When you receive the certificate, use the Certificates Wizard a second time to install the certificate on Zimbra Collaboration. When the certificate is installed, you must restart the server to apply the certificate.

You can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days and subject alternative name.

Home → Configure → Certificates → zmhostname

Certificates display for different Zimbra services such as LDAP, mailboxd, MTA and proxy.

It is important to keep your SSL certificates valid to ensure clients and environments work properly, as the Zimbra system can become non-functional if certificates are allowed to expire. You can view deployed SSL certificates from the Zimbra administrator console, including their validation days. It is suggested that certificates are checked periodically, so you know when they expire and to maintain their validity.

You can install an SSL certificate for each domain on a Zimbra Collaboration server. Zimbra Proxy must be installed on Zimbra Collaboration and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.

Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.

Configure the Zimbra Proxy Virtual Host Name and IP Address.

Edit the certificate for the domain:

Copy the domain’s issued signed commercial certificates and private key files to the Domain Certificate section for the selected domain.

Certificate Domain Load

Copy the root certificate and the intermediate certificates in descending order, starting with your domain certificate. This allows the full certificate chain to be validated.

Remove any password (passphrase) from the private key before the certificate is saved.

See your commercial certificate provider for details about how to remove the password.

Click Upload .

The domain certificate is deployed to /opt/zimbra/conf/domaincerts

Using DKIM to Authenticate Email Message

Domain Keys Identified Mail (DKIM) defines a domain-level authentication mechanism that lets your organization take responsibility for transmitting an email message in a way that can be verified by a recipient. Your organization can be the originating sending site or an intermediary. Your organization’s reputation is the basis for evaluating whether to trust the message delivery.

You can add a DKIM digital signature to outgoing email messages, associating the message with a domain name of your organization. You can enable DKIM signing for any number of domains that are being hosted by Zimbra. It is not required for all domains to have DKIM signing enabled for the feature to work.

DKIM defines an authentication mechanism for email using

A domain name identifier

Public-key cryptography

DNS-based public key publishing service.

The DKIM signature is added to the email message header field. The header information is similar to the following example.

Receivers who successfully validate a DKIM signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior.

DKIM signing to outgoing mail is done at the domain level.

To set up DKIM you must run the CLI zmdkimkeyutil to generate the DKIM keys and selector. You then update the DNS server with the selector which is the public key.

Log in to the Zimbra server and as zimbra:

The public DNS record data that must be added for the domain to your DNS server is displayed. The public key DNS record appears as a DNS TXT-record that must be added for the domain to your DNS server.

Optional. To specify the number of bits for the new key, include -b in the command line, -b <####> . If you do not add the -b , the default setting is 2048 bits.

The generated DKIM data is stored in the LDAP server as part of the domain LDAP entry.

Work with your service provider to update your DNS for the domain with the DKIM DNS text record.

Reload the DNS and verify that the DNS server is returning the DNS record.

Verify that the public key matches the private key. See the Identifiers table for -d , -s , and -x descriptions.

When the DKIM keys are updated, the DNS server must be reloaded with the new TXT record.

Good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.

Verify that the public key matches the private key: See the Identifiers table for -d , -s , and -x descriptions.

Removing DKIM signing deletes the DKIM data from LDAP, and new email messages are no longer signed for the domain. When you remove DKIM from the domain, it is a good practice to leave the previous TXT record in DNS for some time so that email messages that were signed with the previous key can still be verified.

Use the following command syntax to remove the file:

Use the following command syntax to view the stored DKIM information for the domain, selector, private key, public signature and identity:

Anti-spam Settings

Zimbra uses SpamAssassin to control spam. SpamAssassin uses predefined rules as well as a Bayes database to score messages. Zimbra evaluates spam as a percentage value. Messages tagged between 33%-75% spam are delivered to the user’s junk folder. Messages tagged above 75% are not sent to the user and are discarded.

You can change the anti-spam settings.

Home → Configure → Global Settings → AS/AV

Anti-Spam Settings

At the Anti-Spam fields, enter parameters, as appropriate for your requirements.

When a message is tagged as spam, the message is delivered to the recipient’s junk folder. Users can view the number of unread messages that are in their junk folder and can open the junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when users add or remove messages in the junk folder, their action helps train the spam filter.

RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI.

The automated spam training filter is enabled by default and two feedback system mailboxes are created to receive mail notification.

Spam Training User for mail that was not marked as spam but should be.

Non-spam (referred to as ham) training user for mail that was marked as spam but should not have been.

The mailbox quota and attachment indexing is disabled for these training accounts. Disabling quotas prevents bouncing messages when the mailbox is full.

How well the anti-spam filter works depends on recognizing what is considered spam. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.

When Zimbra is installed, the spam/ham cleanup filter is configured on only the first MTA. The Zimbra spam training tool, zmtrainsa , is configured to automatically retrieve these messages and train the spam filter. The zmtrainsa script is enabled through a crontab job to feed mail to the SpamAssassin application, allowing SpamAssassin to 'learn' what signs are likely to mean spam or ham. The zmtrainsa script empties these mailboxes each day.

The Zimbra default is that all users can give feedback when they add or remove items from their junk folder.

If you do not want users to train the spam filter you can disable this function.

Modify the global configuration attributes, ZimbraSpamIsSpamAccount and ZimbraSpamIsNotSpamAccount

Remove the account addresses from the attributes.

When these attributes are modified, messages marked as spam or not spam are not copied to the spam training mailboxes.

Initially, you might want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes.

When zmtrainsa runs, these messages are used to teach the spam filter. Make sure you add a large enough sampling of messages to get accurate scores. To determine whether to mark messages as spam at least 200 known spams and 200 known hams must be identified.

To reduce the risk of backscatter spam, you can run a service that runs a Zimbra Access Policy Daemon that validates RCPT To: content specifically for alias domains.

Set the Postfix LC key.

Define the MTA restriction.

The postfix_policy_time_limit key is set because by default the Postfix spawn(8) daemon kills its child process after 1000 seconds. This is too short for a policy daemon that might run as long as an SMTP client is connected to an SMTP process.

Disable the SMTPD policy.

Define the policy restriction.Setting Email Recipient RestrictionsRealtimeBlackhole Lists and Realtime Right-Hand Side Blocking/Black Lists can be turned on or off in the MTA.

For protocol checks, the following three RBLs can be enabled:

Client must greet with a fully qualified hostname - reject_non_fqdn_hostname

Sender address must be fully qualified - reject_non_fqdn_sender

Hostname in greeting violates RFC - reject_invalid_host

The following RBLs can also be set.

reject_rbl_client cbl.abuseat.org

reject_rbl_client bl.spamcop.net

reject_rbl_client dnsbl.sorbs.net

reject_rbl_client sbl.spamhaus.org

As part of recipient restrictions, you can also use the reject_rbl_client <rbl hostname> option.

Home → Configure → Global Settings → MTA → DNS Checks

Use the DNS tools in MTA configuration to define the restriction lists.

DNS Checks

For a list of current RBL’s, see the Comparison of DNS blacklists article.

View the current RBLs.

Add new RBLs: list the existing RBLs and the new Add, in the same command entry. For 2-word RBL names, surround the name with quotes in your entry.

When you use a third-party application to filter messages for spam before messages are received by Zimbra, the Zimbra global rule is to send all messages that are marked by the third-party as spam to the junk folder. This includes messages that are identified as spam and also identified as whitelisted.

If you do not want messages that are identified as whitelisted to be sent to the junk folder, you can configure zimbraSpamWhitelistHeader and zimbraSpamWhitelistHeaderValue to pass these messages to the user’s mailbox. This global rule is not related to the Zimbra MTA spam filtering rules. Messages are still passed through a user’s filter rules.

To search the message for a whitelist header:

To set the value:

Anti-virus protection is enabled for each server when the Zimbra software is installed. The anti-virus software is configured to send messages that have been identified as having a virus to the virus quarantine mailbox. An email notification is sent to recipients letting them know that a message has been quarantined. The quarantine mailbox message lifetime is set to 7 days.

From the Admin Console, you can specify ho aggressively spam is to be filtered in your Zimbra Collaboration.

AS/AV

At the Anti-Virus fields, enter parameters, as appropriate for your requirements.

During Zimbra Collaboration installation, the administrator notification address for anti- virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.

Zimbra Free/Busy Calendar Scheduling

The Free/Busy feature allows users to view each other’s calendars for efficiently scheduling meetings. You can set up free/busy scheduling across Zimbra and Microsoft Exchange servers.

Zimbra can query the free/busy schedules of users on supported Microsoft Exchange servers and also can propagate the free/busy schedules of Zimbra users to the Exchange servers.

To set free/busy interoperability, the Exchange systems must be set up as described in the Exchange Setup Requirements section, and the Zimbra Collaboration Global Config, Domain, COS and Account settings must be configured. The easiest way to configure Zimbra Collaboration is from the Administration Console.

The following is required to set up the free/busy feature:

Either a single Active Directory (AD) must be in the system or the global catalog must be available.

The Zimbra Collaboration server must be able to access the HTTP(S) port of IIS on at least one of the Exchange servers.

Web interface to Exchange public folders needs to be available via IIS. ( http://server/public/ )

Zimbra Collaboration users must be provisioned as a contact on the AD using the same administrative group for each mail domain. This is required only for Zimbra to Exchange free/busy replication.

For Zimbra Collaboration to Exchange free/busy replication, the Exchange user email address must be provisioned in the account attribute zimbra-ForeignPrincipal for all Zimbra Collaboration users.

To set Free/Busy Interoperability up from the Administration Console, the global config, Domain, COS and Account settings must be configured as described here.

Configure the Exchange server settings, either globally or per-domain.

Microsoft Exchange Server URL. This is the Web interface to the Exchange.

Microsoft Exchange Authentication Scheme, either Basic or Form .

Basic is authentication to Exchange via HTTP basic authentication.

Form is authentication to Exchange as HTML form based authentication.

Microsoft Exchange Server Type, either WebDav or ews

Select WebDAV to support free/busy with Exchange 2003 or Exchange 2007.

Select ews (Exchange Web Service) to support free/busy with Exchange 2010 SP1 and newer.

Include the Microsoft Exchange user name and password. This is the name of the account in Active Directory and password that has access to the public folders. These are used to authenticate against the Exchange server on REST and WebDAV interfaces.

Add the o and ou values that are configured in the legacyExchangeDN attribute for Exchange on the Global Config Free/Busy Interop page, the Domain Free/Busy Interop page or on the Class of Service (COS) Advanced page. Set at the global level this applies to all accounts talking to Exchange.

In the Account’s Free/Busy Interop page, configure the foreign principal email address for the account. This sets up a mapping from the Zimbra Collaboration account to the corresponding object in the AD.

You can set up free/busy interoperability between Zimbra servers. Free/Busy interoperability is configured on each server.

Enter the server host names and ports.

If the user:pass is not included, the server runs an anonymous free/busy lookup.

Restart the server.

Repeat these steps at all other servers.

Setting Up S/MIME

S/MIME is a standard to send secure email messages. S/MIME messages use digital signature to authenticate and encrypt messages.

Currently, there are two different methods for providing the S/MIME feature

The old client based solution which requires Java 1.6 SE deployed on the client machine

The new server based solution which does not require Java on the client machine. The server performs all the cryptographic operations. (Recommended)

To use S/MIME, users must have a PKI certificate and a private key. The private key must be installed in the user’s local certificate store on Windows and Apple Mac and in the browser certificate store if they use the Firefox browser. See the appropriate computer or browser documentation for how to install certificates.

Users can use any of the following browsers:

Mozilla Firefox 4 or later

Internet Explorer 8, 9

Chrome 12 or later

Users computers must have Java 1.6 SE deployed to use S/MIME. If they do not, they see an error asking them to install it.

S/MIME License

You must have a Zimbra license that is enabled for S/MIME.

Enable S/MIME Feature

Home → Configure → Class of Service → COS → Features Home → Manage → Accounts → account → Features

The S/MIME feature can be enabled from either the COS or Account FeaturesTab.

Select the COS or account to edit.

In the Features tab S/MIME features section, check Enable S/MIME .

Click Save .

Importing S/MIME Certificates

Users can send encrypted messages to recipients if they have the recipients' public-key certificate stored in one of the following:

Recipient’s contact page in their Address Book.

Local OS or browser keystore.

External LDAP directory.

The certificates should be published into the LDAP directory so that they can be retrieved from the GAL. The format of the S/MIME certificates must be X.509 Base64 encoded DER.

Configure External LDAP Lookup for Certificates

If you use an external LDAP to store certificates, you can configure the Zimbra server to lookup and retrieve certificates from the external LDAP, on behalf of the client.

Home → Configure → Global Settings → S/MIME Home → Configure → Domains → domain → S/MIME

You can configure the external LDAP server settings from either the Global Settings → S/MIME tab or the Domains → S/MIME tab.

Edit the global settings page or select a domain to edit. Open the S/MIME tab.

In the Configuration Name field, enter a name to identify the external LDAP server. Example, companyLDAP_1

In the LDAP URL field, enter the LDAP server’s URL. Example, ldap://host.domain:3268

To use DN to bind to the external server, in the S/MIME LDAP Bind DN field, enter the bind DN. Example, administrator@domain

If you want to use anonymous bind, leave the Bind ND and Bind password fields empty.

In the S/MIME Ldap Search Base field, enter the specific branch of the LDAP server that should be searched to find the certificates.

Example, ou=Common Users, DC=host, DC=domain

Or, check Automatically discover search base to automatically discover the search base DNs. For this to work, the S/MIME Search Base field must be empty.

In the S/MIME Ldap filter field, enter the filter template for the search. The filter template can contain the following conversion variables for expansion:

%n - search key with @ (or without, if no @ was specified)

%u - with @ removed (For example, mail=%n )

In the S/MIME Ldap Attribute field, enter attributes in the external LDAP server that contain users' S/MIME certificates. Multiple attributes can be separated by a comma ( , ).

Example, "userSMIMECertificate, UserCertificate"

To set up another external LDAP server, click Add Configuration .

Same as for the client based S/MIME solution except that Java is not required on the client machine. The private key is also not required to be on the client machine’s local/browser certificate store.

Same as for the client based S/MIME solution

Same as for the client based S/MIME solution except that the recipients' public-key certificate no longer needs to be stored in the Local OS or browser keystore. The certificate can be published to all other places mentioned in previous S/MIME version.

List of LDAP attributes introduced to support the server based S/MIME solution

zimbraSmimeOCSPEnabled

Used by server at the time of validating the user as well as public certificates

If TRUE , the revocation check will be performed during certificate validation

If FALSE , the revocation check will not be performed during certificate validation

zimbraSmimePublicCertificateExtensions

The supported public certificate file extensions separated by commas

Contains the list of supported formats for the userCertificate LDAP attribute

Default values: cer , crt , der , spc , p7b , p7r , sst , sto , pem

Zimbra Classic Web App retrieves the supported file formats or extensions for uploading public certificate from the server

zimbraSmimeUserCertificateExtensions

Contains the list of supported formats for the userSmimeCertificate LDAP attribute

Default values: p12 , pfx

Process for Adding the CA certificate to the mailbox truststore for S/MIME

S/MIME uses the mailbox trust store path and its password which are defined in localconfig.xml

The key names are:

mailboxd_truststore

mailboxd_truststore_password

If the mailboxd_truststore key is not defined in localconfig.xml, by default the value of mailboxd_truststore is:

<zimbra_java_home>/jre/lib/security/cacerts

A CA certificate can be imported to the mailbox trust store by executing the following command:

Email Retention Management

You can configure retention policies for user account’s email, trash, and junk folders. The basic email retention policy is to set the email, trash and spam message lifetime in the COS or for individual accounts.

You can set up specific retention policies that users can enable for the Inbox and other email folders in their account. Users can also create their own retention policies.

You can enable the dumpster feature to save messages that are deleted from Trash. When a message reaches the end of its retention lifetime, based on email lifetime rules or deletion policies, the message is moved to the dumpster if enabled. Users can recover deleted items from the dumpster until the threshold set in the Visibility lifetime in dumpster for end user setting.

If dumpster is not enabled, messages are purged from the server when the email retention lifetime is reached.

You can also set up a legal hold on an account to prevent messages from being deleted.

You can configure when email messages should be deleted from an accounts folders, and the trash and junk folders by COS or for individual accounts.

By default, the server purges email messages that have exceeded their lifetime every minute. You can change the duration of time that the server should "rest" between purging mailboxes.

Use the global Sleep Time setting to define duration, in minutes, between mailbox purges.

Home → Configure → Global Settings → General Information

Purge Interval

For example, if the purge interval is set to 1 minute, the server purges mailbox1 , waits for 1 minute, and then begins to purge mailbox2.

If the message purge schedule is set to 0, messages are not purged even if the mail, trash and spam message lifetime is set.

Retention and deletion policies can be configured as a global setting or as a COS setting. Users can select these policies to apply to their message folders in their account. They can also set up their own retention and deletion policies. Users enable a policy you set up or create their own policies from their folders' Edit Properties dialog box.

System wide retention and deletion policies can be managed from the Administration Console.

Use the global Retention Policy page to set global retention or deletion policies.

Home → Configure → Global Settings → Retention Policy

Global Retention Policy

Use the COS Retention Policy page to set retention or deletion for the selected COS.

Home → Configure → Class of Service → COS → Retention Policy

COS Retention Policy

Ensure that the Enable COS-level policies instead of inheriting from the policy defined in Global Settings is enabled.

The retention policy is not automatically enforced on a folder. If users option an item in a folder that has not met the threshold of the retention policy, the following message is displayed, You are deleting a message that is within its folder’s retention period. Do you wish to delete the message?

When the threshold for the deletion policy is reached, items are deleted from the account. They are not sent to the Trash folder. If the dumpster feature is enabled, they are sent to the dumpster, if it is not enabled, they are purged from the server.

How Lifetime and Retention/Deletion Policies Work Together

If the Email Message Lifetime is set to a value other than zero (0), this setting applies in addition to the disposal or retention policy values applied to a folder. For example:

Email Message Lifetime is set to 120 days

Folder A has a policy with a disposal threshold of 360 days. Messages in Folder a are disposed of in 120 days.

Folder B has a policy with disposal threshold of 90 days. Messages in Folder B are disposed of in 90 days.

Folder C has a policy with retention range of 150 days. Messages in Folder C are disposed of in 120 days.

When a message, trash or spam lifetime has been reached, the message is moved to the dumpster if the feature is enabled. When users right-click on Trash, they can click Recover deleted items to retrieve items from their trash that have been deleted in the last x days. This threshold is based on the Visibility lifetime in dumpster for end user setting.

The Retention lifetime in dumpster before purging setting sets retention lifetime for items in dumpster. Items in dumpster older than the threshold are purged and cannot be retrieved.

Administrators can access the individual dumpster’s content, including spam, and they can delete data at any time before the message lifetime is reached.

Searching for an item in the dumpster folder

The search field can be a date range: 'before:mm/dd/yyyy and after:mm/dd/yyyy' or emails from or to a particular person: 'from:Joe', etc.

Deleting items in the dumpster folder

Items in the dumpster folder can be deleted with the CLI or from the Administration Console:

Home → Configure → Class of Service → COS → Features → General Features

Enable (check) the Dumpster folder checkbox.

To set Visibility lifetime in dumpster for end user , go to the Timeout Policy section on COS' Advanced page

To set Retention lifetime in dumpster before purging , go to the COS’s Advanced page, Email Retention Policy section.

If the dumpster folder feature is enabled, you can set up a legal hold to preserve all items in user accounts.

When dumpster is enabled, Can purge dumpster folder is also enabled. Disabling this feature turns off purging of items in the user’s dumpster. This can be set on a COS or for individual accounts. When Can purge dumpster folder is enabled, any deletion policies set up on the accounts' folders are ignored.

Configure legal hold:

Deselect Can purge dumpster folder on the Features page.

Customized Admin Extensions

Developers can create and add custom modules to the Zimbra Administration Console user interface, to provide new views, manage new data objects, extend existing objects with new properties, and customize existing views.

For the most up-to-date and comprehensive information about how to create an extended Administration Console UI module, go to the Zimbra wiki Extending Admin UI article located at Extending_Admin_UI .

All Zimbra extensions currently incorporated at the Administration Console UI are listed in the content pane as view only.

Only those created by you can be removed (see also Removing Admin Extension Modules).

Home → Configure → Admin Extensions

Save the module zip file to the computer you use to access the Administration Console.

From the Gear icon, select Deploy to present the Deploying a Zimlet or an extension dialog.

Browse to the custom module zip file you need to upload.

Click Deploy .

The file is uploaded and the extension is immediately deployed on the server.

Deleting an Admin Extension results in removal of the selected extension and all associated files. This action does not delete the originating zip file.

Use steps in this section to remove custom Admin Extensions.

Select the module to remove, and select Undeploy from the Gear icon. A confirmation query is presented.

At the confirmation query, click Yes to proceed.

Ephemeral Data

There are 3 main types of ephemeral data stored in LDAP during normal operation of Zimbra Collaboration.

Last Logon Time Stamps ( zimbraLastLogonTimestamp )

Auth Tokens ( zimbraAuthTokens )

CSRF Tokens ( zimbraCsrfTokenData )

On small systems, storage of these types of ephemeral data may be done in the LDAP Server. However, mail systems with large numbers of active users have been found to overload LDAP for short-lived data storage. Therefore, the preferred option is to store this ephemeral data using an external server.

Configuring the storage location of ephemeral data is done through the following LDAP attribute:

The two currently supported Ephemeral Data backends are:

Frequent authentication requests place a high load on Ephemeral Data storage backend. See the following Zimbra wiki pages for results of authentication-based load tests:

LDAP Authentication load tests

SSDB Authentication load tests

Configuring an already running Zimbra Collaboration installation to utilize SSDB instead of LDAP for short-lived data storage is done through the following process:

Install SSDB and note the IP address and port configured since you will need this data for the next steps. Refer to Overview of Configuration Options for more information.

Migrate any existing short-lived data to SSDB using the /opt/zimbra/bin/zmmigrateattrs command.

Configure Zimbra Collaboration to utilize SSDB .

Access the command prompt on one of the machines in the installation.

Migrate existing ephemeral data to the SSDB backend using the zmmigrateattrs utility

You may use either an IP address or a hostname for the host portion of the destination URL. Either way, you will need to ensure it resolves to the proper IP address on all machines in the cluster. If the provided SSDB address does not resolve to a functioning backend, the migration process will terminate.

Configure Zimbra Collaboration to use SSDB :

As with migration, the host and port must resolve to a functioning SSDB backend. Otherwise, the value of zimbraEphemeralBackendURL will not be changed.

Migration Details

Information about the latest migration process can be viewed by running the command zmmigrateattrs --status . If the migration is currently in progress, this command may have to be run from a new terminal window. This command will output three pieces of information:

The status of the migration: one of IN_PROGRESS, COMPLETED or FAILED

The URL of the SSDB backend acting as the destination

A timestamp of when the migration process was initiated

The migration info can be reset with the command zmmigrateattrs --clear . This should only be done if the status does not reflect the true state of the system.

When the value of zimbraEphemeralBackendURL is modified, Zimbra Collaboration checks the status of the last known migration. This can result in one of several scenarios:

If the migration is completed and the URL of this migration matches the newly provided value, zimbraEphemeralBackendURL is changed to the new value and the migration info is reset. This is the expected use case.

If a migration is currently in progress, zimbraEphemeralBackendURL will not be changed.

If no migration info is available, the migration has failed, or the new URL does not match the migration URL, zimbraEphemeralBackendURL will be changed; however, a warning will be logged stating that data is not guaranteed to have been migrated.

During the migration process, and until the backend URL is changed, Zimbra Collaboration will store new ephemeral data both in LDAP and SSDB ; this keeps the two backends from getting out of sync. If the new value of zimbraEphemeralBackendURL is changed to match the migration URL, migration info is reset and the forwarding mechanism is turned off. If the values do not match, migration info is not reset, and forwarding remains in place. Note that this means that migration only needs to be run once, even if there is a gap between the initial migration and URL change. As long as the target backend is never taken offline, it will stay up-to-date. However, if SSDB is taken offline between the end of the migration and the backend URL change, migration will need to be re-run.

These scenarios are demonstrated below:

ephemeral data migration

The zmmigrateattrs tool provides several migration options, to be used with careful consideration:

The -r or --dry-run option outputs the changes to be made for each account to the console, without actually performing the migration.

The -n or --num-threads option specifies how many threads will be used for migration. Omitting this will result in migration happening synchronously.

The -a or --account option allows for migration of a comma-separated list of specific accounts. This should be used only for testing or debugging.

The -d or --debug option enables debug logging.

If no attribute names are explicitly passed in as arguments, migration will occur for all known ephemeral attributes, as in the example above.

Ephemeral data migration is a one-way process. The zmmigrateattrs script does not support migrating data from SSDB back into LDAP, nor does it support migrating data between different instances of SSDB . This means that if the value of zimbraEphemeralBackendURL is reverted back to LDAP after migration, prior authentication data will become inaccessible, and all user sessions will be invalidated. If migration to a new SSDB backend becomes necessary, the data should be replicated to the new location prior to changing the value of zimbraEphemeralBackendURL .

There is one exception to this is: the backend can be safely reverted back to LDAP immediately after the switch to SSDB with minimal loss of data. This is because the original values are retained in LDAP during migration; switching the backend to SSDB leaves a "snapshot" of ephemeral data in LDAP at the time of the switch. The migration utility does not currently provide a way to delete this data to free up space; however, it allows for the backend to be reverted. The more time passes between the initial change and the reversion, the less the LDAP snapshot will reflect the true state of ephemeral data.

Due to changes in the way multi-valued ephemeral data is stored, the attributes zimbraAuthTokens and zimbraCsrfTokenData are no longer returned as part of the zmprov ga <account> response. The value of zimbraLastLogonTimestamp is returned as before, although only if the -l flag is not used, as adding the -l flag will restrict the server to accessing attributes in LDAP only. It is still possible to modify these attributes using the zmprov ma <account> command, regardless of the ephemeral backend. In order to do this, the provided attribute value must match its LDAP format: tokenId|expiration|serverVersion for auth tokens; data:crumb:expiration for CSRF tokens.

Each run of zmmigrateattrs generates a CSV file in the /opt/zimbra/data/tmp/ folder. The file contains migration info for every migrated account, such as the number of attributes migrated. Note that it is possible for this to be zero, which can happen if all ephemeral data for an account is already present in the destination store.

If any migrations fail, a cutdown CSV file report detailing only the errors is also created in the same directory. The name(s) of the file(s) are logged at the end of the run.

Ephemeral data deletion behavior differs slightly between SSDB and LDAP backends. With SSDB as the backend, account deletion results in the zimbraLastLogonTimestamp attribute being explicitly deleted from SSDB. zimbraAuthTokens and zimbraCsrfTokenData , however, are left to be expired by SSDB when the token lifetimes are reached (default of 2 days). Conversely, ephemeral data in LDAP is wiped immediately as part of the account deletion process.

SSDB Installation and Configuration

Zimbra Collaboration packages do not include SSDB server and Zimbra Collaboration installation and configuration utilities do not alter SSDB configuration. To install the latest version of SSDB, follow instructions provided by SSDB developer community in SSDB Installation Documentation . Please note, that Zimbra Collaboration has been tested with SSDB version 1.9.5. In order to install SSDB 1.9.5, download stable-1.9.5.zip instead of master.zip when following SSDB installation instructions .

Overview of Configuration Options

The purpose of this guide is to discuss some of the options available with SSDB , specifically with regards to:

High-availability via master-slave replication

High-availability via master-master replication

Horizontal scaling, with high-availability, via multi-master configuration.

This guide is not meant to be an exhaustive treatment of the subject. Also, as of the time of this writing, SSDB and any related packages must be installed and configured by the system administrator prior to updating zimbraEphemeralBackendURL and migrating attributes.

SSDB is compatible with Redis clients and Zimbra Collaboration currently uses a Redis -compatible client for communication with SSDB , so many of the concepts described herein are applicable with a Redis backend.

Normal Operation

The method described in this document to implement master-slave replication makes use of Keepalived to maintain a configured virtual IP address that is bound to the master SSDB instance under normal conditions.

ssdb master slave normal

If Keepalived detects a failure of the master instance, then the backup instance is promoted to master by re-binding the virtual IP address to the backup.

ssdb master slave failover

This differs from master-slave replication in that both SSDB instances are online and accessible. Each replicates changes from the other. In the example set-up described later, we use HAProxy as a front-end. Keep in mind that, for production, you must use a proxy service that is, itself, highly-available.

ssdb master master

Normally, both SSDB and Redis contain the entire key-space in a single instance. It is possible to front-end multiple instances using a service such as twemproxy . It supports various hashing modes such that the data associated with a particular key is always stored on the same server. This allows for horizontal scaling with very large installations.

By configuring each SSDB instance in master-slave configuration, you get both horizontal scaling and high-availability.

ssdb multi master

Master-Slave Replication

One way to ensure that SSDB remains highly-available is to set-up master-slave replication and configure a system that will allow the backup SSDB instance to automatically take-over in the event that the primary instance goes down. This document will describe one technique for accomplishing that goal.

SSDB will be installed on two servers. It will be configured such that one server is the designated master and the other server is the designated slave, or backup, that will constantly replicate changes from the master server.

Keepalived will also be installed on these two servers. Each Keepalived instance will monitor the other. In the event that the master server goes down, Keepalived will detect that failure and promote the slave, or backup, server to master. Keepalived will maintain a Virtual IP address bound to whichever server is the current master.

Zimbra Collaboration will be configured such that the zimbraEphemeralBackendURL will bind to the Virtual IP address that is being maintained by Keepalived .

Once the installation and configuration of both the SSDB master-slave setup and Zimbra Collaboration have been completed, follow the instructions in Ephemeral Data to update the zimbraEphemeralBackendURL accordingly.

The example documented here was done on servers running Ubuntu 16.04 .

Install SSDB and Keepalived on two servers in accordance with the procedure that is applicable to the Linux distribution that you are using.

The following configuration steps assume that you have installed SSDB to /var/lib/ssdb and that all SSDB configuration files are located in that same directory. It further assumes that the internal host addresses are on the 192.168.56/24 network.

192.168.56.111 - This is IP address of the initial master SSDB server

192.168.56.112 - This is the IP address of the initial slave SSDB server

192.168.56.120 - This is the virtual IP address that will be maintained by Keepalived .

SSDB Configuration, Designated (Initial) Master

The IP address of this machine is 192.168.56.111 .

/var/lib/ssdb/ssdb_master.conf

The key configuration items in the following block are:

server/ip - Binding to all available IP addresses

server/port - Binding to standard SSDB port

server/deny , server/allow - Restrict SSDB access to localhost and the internal (host) addresses.`

Only the configuration items related to master-slave replication are shown here.

/var/lib/ssdb/ssdb_slave.conf

server/ip - Binding to localhost

slaveof/type - sync

slaveof/host - 192.168.56.112 is the other SSDB server

slaveof/port - 8888 - The standard SSDB port

Again, only the configuration items related to master-slave replication are show.

SSDB Configuration, Designated (Initial) Slave

The IP address of this machine is 192.168.56.112 .

The ssdb_master.conf file is identical to that of the designated master server.

The ssdb_slave.conf file is almost identical to that of the designated master server. Only the following items differ;

slaveof/ip (or host) - 192.168.56.111 is the other SSDB server

Keepalived configuration, Designated (Initial) Master

/etc/keepalived/keepalived.conf

The key configuration items to note are:

state - State is set to BACKUP for both the designated (initial) master and backup servers. In this scenario, the priority is used to negotiate which server will assume MASTER status initially.

nopreempt - In the event that the master server fails and the backup server is promoted to master, this configuration directive will keep the original master from reclaiming that role should it come back online automatically. This is required because it will likely be stale. In this case, when it comes back up, it will remain in backup mode and will begin replicating information from the new master. Note : Human intervention may be required to bring a failed master back into service.

interface - In this example, enp0s8 is the interface identifier for which the virtual_ipaddress will be defined. You will choose a value that is appropriate to your installation.

priority - The designated initial master must have a higher priority than the designated initial backup.

advert_int - For the purposes of this documentation, the default value of 1 second was use. If you install Keepalived 1.2.21 or newer, you can specify a floating-point value here; e.g., 0.1 (seconds). This will allow Keepalived to detect a master failure more rapidly.

notify - This is the path to a script that will be called for state transitions. The full contents of the script is shown below

virtual_ipaddress - This is the virtual IP address that is maintained by Keepalived .

/var/lib/ssdb/notify.sh

This is the script that is called by Keepalived during state transitions. Note that the value assigned to USER should be the username that owns the SSDB process.

Keepalived configuration, Designated (Initial) Backup

This file is almost identical to the same file on the master node. Exceptions:

priority - It is given a lower initial priority.

It does not contain the nopreempt option. Once the backup server has become master due to a failure of the original master, the system should allow for some human intervention before restoring the original server to master status.

The /var/lib/ssdb/notify.sh for the backup server is identical to the master.

Master-Master Replication

Another way to ensure that SSDB remains highly-available is to set-up master-master replication and configure a proxy that understands Redis protocol in front of the two SSDB servers. The proxy is responsible for monitoring the health of the two servers and removing a failed server from the poop.

The following simplified example uses a single HAProxy instance in front of two SSDB servers.

SSDB . In the examples shown below it is assumed that version 1.9.2 or newer is installed.

Install SSDB on two servers in accordance with the procedure that is applicable to the Linux distribution that you are using. Install HAProxy on an additional server. Note that Keepalived can be used to configure a highly-available pool of HAProxy servers.

SSDB Configuration, First Master

Only the configuration related to master-master replication is shown.

SSDB Configuration, Second Master

Haproxy configuration.

Only the configuration related to SSDB is shown.

SSDB supports Redis network protocol. You can use Redis clients to connect to an SSDB server and operate on it. This is what Zimbra Collaboration does.

Multi-Master Scaling / Replication

The details of multi-master configuration will not be covered in this document. In essence, you will install and configure multiple independent SSDB master-slave pairs using the instructions included above. Each pair will be responsible for storing a subset of the total key-space.

As in the master-master configuration, all of the pairs in the pool of SSDB servers will be front-ended by a proxy service that understands Redis protocol. It must also be capable of consistently hashing the data keys that are presented such that all requests relating to a particular key always get routed to the same master-slave pair.

One such product is twemproxy from Twitter .

The the SSDB backend makes use of a resource pool to manage access to the SSDB server; threads attempting ephemeral data operations must first acquire a resource from this pool. To that end, two LDAP attributes have been introduced to control the pool configuration.

zimbraSSDBResourcePoolSize controls the size of the pool. This determines how many client threads can simultaneously perform ephemeral API operations. By default this is set to 0, which results an unlimited pool size.

zimbraSSDBResourcePoolTimeout controls the amount of time a thread will wait for a resource before throwing an exception. The default is 0, which results in no timeout. This attribute has no effect when the pool size is 0, as threads will never have to wait for resources to be freed in order to perform ephemeral data operations.

A non-zero timeout value is recommended when the pool size is finite. Otherwise, a lost SSDB connection may cause mailboxd threads to remain blocked indefinitely, even after the connection is re-established. In general, the resource pool should be sized such that the mailbox server is not starved for resources.

Depending on your environment, running this command will take some time, there will not be a progress indication. Use the cd command to change into the SSDB installation directory:

SSDB replication may be affected, so it is best to first break replication and run this command on a single master of SSDB and then resume SSDB replication.

Scaling SSDB for Production Load with Zimbra Collaboration

The main characteristics of Zimbra Collaboration production load that affects load on SSDB server are the frequency of authentication requests and frequency of SOAP requests sent by Zimbra Collaboration Web Client and 3rd party SOAP clients. Each authentication request results in a 2 or 3 write operations for SSDB. The write operations update zimbraLastLogonTimestamp, zimbraAuthTokens and zimbraCsrfTokenData values. Note, that zimbraCsrfTokenData is updated only when using a CSRF-enabled SOAP client such as Zimbra Collaboration Web Client. Each authenticated SOAP request results in 2 read operations for SSDB.

We recommend that your SSDB server has at least 2GB RAM and 1 CPU. If you plan on running additional tools, such as monitoring and configuration management on your SSDB server, consider increasing memory and adding one more CPU core to accommodate additional software. Check out Zimbra and SSDB Authentication Load Tests for more information.

For installations whose ephemeral data storage requirements will fit in a single instance, simple master-slave replication is the easiest to implement and requires the fewest resources. Master-master replication does allow requests to be load-balanced across both masters; however, each master is also constantly replicating from the other, so SSDB must do additional work to maintain consistency.

Class of Service and Accounts

The Class of Service (COS) assigned to an account determines the default attributes for user accounts, and the features to be enabled or denied. Each account is assigned a COS. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pool usage.

A COS is a global object and is not restricted to a particular domain or set of domains.

You can create and edit the classes of services from the Administration Console:

Home → Configure → Class of Service → COS

A default COS is created when Zimbra Collaboration is installed. You can modify the default COS and create new ones.

From a COS, you can manage the following functions:

Features and preferences that users can access.

Themes and Zimlets that users can access.

Advanced settings including attachment settings, quotas, and password login policies.

Web App Versions (Modern Web App and Classic Web App).

Web Services and Desktop Clients (EWS, MAPI and more).

Offline Mode.

Retention policies.

As an example, you could create an Executive COS that is configured to enable all features, provide unlimited mailbox quotas, and never purges messages. Another General-Employee COS may also be created, which enables only the mail feature, sets the mailbox quota, and purges messages every 60 days. Grouping accounts to a specific COS allows you update or change account features in bulk. As such, when the COS is changed, all accounts assigned to the COS are changed.

If a COS is not explicitly set for a new account, or if the COS assigned to a user no longer exists, the default COS is automatically assigned.

You can create a COS and assign that as a default COS for all accounts that are created on that domain. You can create different COSs and specify which ones are available for the domain. If a domain does not have a COS defined, and you do not specify a COS, the original default COS is automatically assigned when an account is created.

Some COS settings can be overridden either by global settings or by user settings. For example:

Whether outgoing messages are saved to Sent can be changed from the Zimbra Classic Web App in the user’s preferences.

Attachment blocking set as a global setting can override the COS setting.

Selecting Features and Preferences

All the features available for a COS are displayed in its Features page. From there, you can select or deselect the features you do not want included in the COS.

You can define the initial preferences for saving and viewing messages, in the Preferences page. You can also select a specific locale for the Classic Web App and Modern Web App. If a locale is not specified, the browser locale is the default.

For a description of the features and preferences, see Customizing Accounts .

By default, Preferences are enabled, and your users can modify the default preferences that are configured for their accounts.

As the Administrator, you can disable Preferences. As a result, the Preferences page will not display in users mailboxes: they therefore cannot modify the default configuration for features that are set up for their accounts.

When using the Classic Web App or the Modern Web App, the time zone setting on the computer is used as the time stamp for displaying received messages and for calendar activities.

The Time Zone value in Calendar settings is used only to identify where the Working Hours start and end times are anchored, and how they appear in Free / Busy information.

In an environment with multiple mailbox servers, the COS is used to assign a new account to a mailbox server. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.

You can assign an account to a particular mailbox server when you create an account in the New Account Wizard, Server field. Uncheck auto and enter the mailbox server in the Server field.

Setting Account Quota

An account quota is the storage limit allowed for an account. Email messages, address books, calendars, tasks, and Briefcase files contribute to the volume of the quota. Account quotas can be set for a COS or for individual accounts from the Administration Console.

If you set the quota to 0, accounts do not have a quota.

To view account quotas for all accounts on a domain:

Home → Configure → Domains → domain → Mailbox Quota

Notifying Users When Maximum Quota is Near

Users can be notified that their mailboxes are nearing their quota. The quota percentage can be set and the warning message text can be modified: Go to the Quotas container for a specified Class of Service:

Home → Configure → Class of Service → COS → Advanced → Quotas

When the displayed/configured threshold is reached, a quota warning message is sent to the user.

You can set a maximum mailbox quota for a domain. The default for the domain mailbox quota is unlimited. The domain quota is the maximum amount of storage that can be used by all mailboxes within the domain.

You can set an aggregate quota as well. The sum of the quotas for all accounts in the domain can exceed the size of the aggregate.

An aggregate quota policy for how to handle messages that are sent or received once the aggregate quota has been reached can be set up. The policy options include:

Continue to allow messages to be sent and received as usual.

Do not allow messages to be sent.

Do not allow messages to be sent or received.

Notifications can be automatically sent when the quota is within a configured percentage of the aggregate quota. A cron tab job runs daily to check the aggregate quota percentage and if the percentage has been reached, the quota warning email is sent.

To configure domain quotas, go to the Domain Quota Setting container for a specified domain:

Home → Configure → Domains → domain → Advanced → Domain Quota Setting

You can set how message delivery is handled when a user’s mailbox exceeds the configured quota. The default behavior is for the MTA to temporarily send the message to the deferred queue. When the mailbox has sufficient space, the message is delivered. You can change this behavior to either have messages bounce back to the sender instead of being sent to the deferred queue first or you can configure to send the message to the mailbox even if the quota has been exceeded.

To bounce messages instead of sending them to the deferred queue:

To send the message to the mailbox even if the quota has been exceeded:

When this attribute is set to TRUE, a mailbox that exceeds its quota is still allowed to receive new mail and calendar invites. This quote bypass is only implemented for messages. All other mail items are still affected by the quota.

Managing Passwords

If you use internal authentication, you can quickly change an account’s password from the Account’s toolbar. The user must be told the new password to log on.

If you want to make sure users change a password that you create, you can enable Must Change Password for the account. The user must change the password the next time he logs on.

Password restrictions can be set either at the COS level or at the account level. You can configure settings to require users to create strong passwords and change their passwords regularly, and you can set the parameters to lock out accounts when incorrect passwords are entered.

If authentication is configured as external auth, you can configure Zimbra Collaboration to direct users to your password change page when users change their passwords. You can either set this URL as a global setting or a per domain setting.

Set the zimbraChangePasswordURL attribute to the URL of your password change page.

Change Password in the Classic Web App under Preferences → General links to this URL, and when passwords expire, users are sent to this page. In the Modern Web App, Change Password appears under the account avatar menu, and it will also link to the provided URL.

Modifying the password for the domain:

If internal authentication is configured for the domain, you can require users to create strong passwords to guard against simple password harvest attacks. Users can be locked out of their accounts if they fail to sign in after the maximum number of attempts configured.

To set password policy, use the Password container for a specified Class of Service:

Home → Configure → Class of Service → COS → Advanced → Password

The password settings that can be configured are listed below.

Block Common Passwords feature enables an organization to restrict the use of the commonly used passwords when creating users. The list of the common passwords is maintained on the server which is referred to when an administrator tries to create a user with a commonly used password.

The feature is controlled by a local config attribute zimbra_block_common_passwords_enabled and the default value is set to FALSE .

When this feature is enabled, it will also prevent end users from setting their password to a commonly used password via these options:

Profile → Change Password in Modern Web App at the top right corner.

Forgot Password option on the Login page. (If the Forgot Password feature is enabled for the user).

Enabling Block Common Passwords feature

Login as zimbra user:

Set the localconfig zimbra_block_common_passwords_enabled value to TRUE :

After enabling this feature, if you try to create a user, Password is invalid error is displayed and the user is not created.

Managing Login Policies

You can set the maximum number of failed login attempts before the account is locked out for the specified lockout time. This type of policy is used to prevent password attacks.

To set user login policy, use the Filed Login Policy container for a specified Class of Service:

Home → Configure → Class of Service → COS → Advanced → Failed Login Policy

With the 2 Factor Authentication (FA) feature you can apply additional security policies to COS and/or user accounts to provide another layer of authentication during attempts to access the system. This feature must be enabled or disabled in the Admin Console, to manage 2FA functions applicable to user mailboxes.

2 Factor Authentication

For more information, see 2 Factor Authentication .

You can set the period of time to allot for user sessions based on various conditions.

To set the session timeout policy use the Timeout Policy container for a specified Class of Service:

Home → Configure → Class of Service → COS → Advanced → Timeout Policy

You can manually expire a user’s web client session from the Administration Console Expire Sessions link. This forces the current session of the account to expire immediately.

The defaultExternal COS is assigned to external virtual accounts that are created when external users accepts a Zimbra provisioned users' invitation to share their calendar or briefcase items.

This account is not provisioned on the server, but the external user can sign in to the Classic Web App, create a display name and set a password to view the shared items. The only folders available are for the content they have access to.

The defaultExternal COS is configured with the following general features: Change password, Change UI themes, HTML compose, Export and Search. None of the major features are configured.

Customizing Accounts

This chapter describes the features and user preferences that can be configured for an account, either from the assigned COS or in an individual account.

Messaging and Collaboration Applications

Your COS configuration and assignment of a COS to accounts determines the default settings for account features and the restrictions to be applied to groups of accounts. Individual accounts can be configured differently, and any changes you make override the COS setting. When you update the COS, the changes are not reflected in accounts that have COS overrides.

You configure which email messaging features are enabled. Users can then manage many of the enabled features as preferences.

By default, users manage their own preferences, but you can administratively elect not to allow user modifications to their account preferences. Currently supported Web App Email Messaging Features are listed and described in Email Features .

See COS → Features → Mail Features container in the Admin Console.

When enabled, users can create additional account names to manage different roles. Account aliases can be selected for the From name of messages sent from that persona account and a specific signature can be set for the persona account. The number of personas that can be created is configurable depending on your requirements. The minimum is 0, and the default is 20 ( zimbraIdentityMaxNumEntries ).

Maximum length of mail signature

The maximum number of characters that can be in a signature. The default is 1024 characters.

The number of signatures users can create is configured in zimbraSignatureMaxNumEntries .

See COS → Preferences → Composing Mail container in the Admin Console.

Advanced search

Allows users to build a complex search by date, domain, status, tags, size, attachment, Zimlets, and folders.

See COS → Features → Search Features container in the Admin Console.

Saved searches

Users can save a search that they have previously executed or built.

Initial search preference

When enabled, the default search mailbox can be changed.

See COS → Features → General Options container in the Admin Console.

External POP access

When enabled, users can retrieve their POP accounts' email messages directly from their Zimbra account. They add the external account address to their account settings.

External IMAP Access

When enabled, users can retrieve their IMAP accounts' email messages directly from their Zimbra account. They can add the external account address to their account settings.

Aliases for this account

You can create aliases for the account. Users cannot change this.

Mail filters

Users can define a set of rules and corresponding actions to apply to incoming and outgoing mail and calendar appointments. When an incoming email message matches the conditions of a filter rule, the corresponding actions associated with that rule are applied.

Users can create flags and assign them to messages, contacts, and files in Briefcase folders. (This feature is supported only in the Classic Web App.)

Enable keyboard shortcuts

Users can use keyboard shortcuts within their mailbox. The shortcut list can be viewed in the Classic Web App from the Username drop-down menu.

Keyboard shortcuts are always available in the Modern Web App. The shortcut list can be viewed by typing Ctrl - Q .

See COS → Preferences → General Options container in the Admin Console.

Global Address List (GAL) access

Users can access the company directory to find names for their email messages.

See COS → Features → General Features container in the Admin Console.

Autocomplete from GAL

When enabled, users enter a few letters in their compose header and names listed in the GAL are displayed ranked by usage. See also Autocomplete Ranks Names .

Offline support for Web App

When enabled, users can use the offline mode to access their data without network connectivity when using the Zimbra Modern Web App. See also Offline Mode .

IMAP access

Users can use third party mail applications to access their mailbox using the IMAP protocol.

You can set the polling interval from the COS or Account Advanced page, Data Source → IMAP polling interval section. The polling interval is not set by default.

POP3 access

Users can use third party mail applications to access their mailbox using the POP protocol. When they retrieve their POP email messages, the messages and attachments are saved on the Zimbra server.

Users can configure from their Preferences → Mail page

How messages are downloaded.

Whether to include their junk messages. Junk messages are downloaded to their Inbox.

How to delete messages from their POP account.

You can set the polling interval from the COS or Account Advanced page, Data Source → POP3 polling interval section. The polling interval is not set by default.

Autocomplete Ranks Names

The autocomplete feature displays names ranked with the most frequently recalled contact listed at the top. If the contact name that appears first should not be listed at the top, the user can click Forget and the contact names are re-ranked. (Classic Web App only.)

Email Preferences that Users Manage

The default behavior for many of the preferences listed in this section can be set from either the COS or the Accounts Preferences page. Users can modify the following mail preferences from their account Preferences or Settings in the Classic Web App or Modern Web App.

How often, in minutes, that the Web Client checks for new messages:

Check for new mail every…​

Set or change email message alerts. Alerts can be set up to play a sound, highlight the Mail tab when a message arrives, and flash the browser, depending on which Web App they use.

Set the display language for the Classic Web App and Modern Web App. If more than one language locale is installed on Zimbra Collaboration, users can select a locale that is different from the browser language settings.

Whether to save copies of outbound messages to the Sent folder.

Whether to save a local copy of a message that is forwarded or to have it deleted from their mailbox. (Only the Classic Web App can manage this setting currently.)

Whether to compose messages in a separate window. (This feature is supported only in the Classic Web App.)

Whether to view mail as HTML for messages that include HTML or to view messages as plain text. (This feature is supported only in the Classic Web App.)

Whether to send a read receipt when it is requested.

Adjust the default font size for printed messages. The default is 12 points. (This feature is supported only in the Classic Web App.)

Users can set up their own Spam mail options of whitelist and blacklist email addresses that are used to filter incoming message from their Preferences Mail folder. The default maximum number of whitelist and blacklist addresses is 100 on each list. This value can be changed using CLI zmprov for accounts and COS. The attributes are zimbraMailWhitelistMaxNumEntries and zimbraMailBlacklistMaxNumEntries .

Users can modify the following mail preferences under Signatures :

Whether to automatically append a signature to outgoing messages.

Preferences for how signatures are applied to messages that are replied to or forwarded.

Using Import and Export to Save User’s Data

From the Preferences Import/Export page in the Classic Web App or under Accounts → Primary account in the Modern Web App users may export all of their account data, including mail, contacts, calendar, and tasks. By selecting export options, they can export specific items in their account and save the data to their computer.

The account data is saved as a tar-gzipped ( .tgz ) archive file so that it can be imported to restore their account. Individual contacts are saved as .csv files, and individual calendar files are saved as .ics files. The data are copied, not removed from the user’s account.

The exported account data file can be viewed with an archive program such as WinZip . Any of these files can be imported into their account from the same page.

You can turn the Import/Export feature off from the COS or Account Features page, General Features section.

Setting Up RSS Polling Intervals

Users can subscribe to Websites that provide RSS and podcast feeds and receive updated information directly to their mailboxes. The maximum number of feeds that can be returned is 50. RSS feeds count against users' account quota.

The default is to update the RSS data every 12 hours. Users can right-click on an RSS feed folder to manually load new feed.

You can change the polling interval from the Administration Console the COS or Account Advanced page, Data Source → RSS polling interval section.

Zimbra Contacts allows users to create multiple contact lists and add contact names automatically when mail is received or sent. Users can import contacts into their Address Book.

Users can modify the following Address Book preferences from their account Preferences Address Book page.

To set default behavior:

Home → Configure → Class of Service → COS → Preferences Home → Manage → Accounts → account → Preferences

Enable auto adding of contacts to automatically add contacts to their Emailed Contact list when they send an email to a new address.

Enable the ability to use the Global Access List when using the contact picker to look up names.

Enable the options to include the GAL addresses and names in shared address books when using autocomplete to address a message.

Calendar Features

Zimbra Calendar lets users schedule appointments and meetings, establish recurring activities, create multiple calendars, share calendars with others, and delegate manager access to their calendars. They can subscribe to external calendars and view their calendar information from the Zimbra Classic Web App or Modern Web App. They can also use search for appointments in their calendars.

Nested Calendars

Calendars can be nested within Zimbra folders like Mail, Contact, and Calendar folders. The administrator creates a nested list of calendars using CLI. A nested calendar grouping can be imported through migration as well. See example below.

Sets the time zone to use for Calendar scheduling. Domain admins set this in the Accounts, General Information page.

Preferences

Forward calendar invitation to specific addresses

You can specify email addresses to forward a user’s calendar invitations. Users can also specify forwarding address from the Preferences Calendar folder.

The account the invitation is forwarded to must have admin privileges on the shared calendar to reply to the invitation.

Accounts Forwarding

Create a calendar nested under the "Calendar Name" folder:

Use the zmcalchk command to check for discrepancy between different users' calendars for the same meeting, and send an email notification regarding the discrepancies.

You can also use this command to notify the organizer and/or all attendees when an appointment is out of sync.

Remote calendars are updated every 12 hours, by default. The frequency can be modified at the Admin Console.

To modify the frequency of calendar updates in the Admin Console go to the desired COS or Account Advanced page, Data Source → Calendar polling interval field.

Attendees can edit appointments in their calendars, but their changes do not affect anyone else. If the appointment organizer makes changes, these changes overwrite the attendees edits. You can modify the COS attribute zimbraPrefCalendarApptAllowAtendeeEdit to prevent attendees from editing appointments in their calendar.

Users can modify the Calendar preferences listed in the Calendar Preference table. You can set the default behavior in the COS or Accounts Preferences page.

Allow sending cancellation email to organizer

When users receive an invitation they cannot attend at the scheduled time, they have the option to click Propose New Time and select another time. The meeting organizer receives an email with the proposed time.

Automatically add invites with PUBLISH method

A calendar invitation email should have method=REQUEST in the calendar object but some third-party email clients incorrectly set method=PUBLISH . These emails are not processed as invitations by default. You can relax the rules by enabling this option.

Automatically add forwarded invites to calendar

Invites that have been forwarded to users are automatically added to the forwarded recipient’s calendar.

Flash browser title on appointment reminder

When appointment reminders pop up, the browser flashes until the user closes the pop-up.

Enable audible appointment notification

When an appointment reminder pops up, users can be notified by a beep on their computer. Users must have either QuickTime or Windows Media installed.

Auto-decline invites from users who are denied from inviting this user

Users can configure who can send them calendar invites. When enabled, an auto-reply message is sent to those users to let them know they do not have permission to invite the user.

Automatically add appointments when invited

When enabled, appointments are automatically added to user’s Primary calendar.

Show declined meetings

When enabled, declined appointments display on the Classic Web App calendar in a faded view.

Notify of changes made via delegated access

Users that delegated their calendar are notified of changes made to an appointment by a delegated access grantee.

Always show the mini-calendar

The mini-calendar automatically displays in the Calendar view.

Use the QuickAdd dialog when creating new appointments

When is enabled, the QuickAdd dialog displays when users double-click or drag on the calendar in the Zimbra Classic Web App.

QuickAdd is always available in the Modern Web App.

Show time zone list in appointment view

When enabled, a time zones list displays in the event editor along with event time, giving them the opportunity to change time zones while making appointments.

Zimbra Tasks lets users create to-do lists and manage tasks through to completion.

To enable or disable the Tasks feature:

The appearance of the Zimbra Classic Web App user interface can be changed. A number of Zimbra themes are included with Zimbra, and you can create others. You can select a theme to be the default and the themes that users can select to customize their user experience. To develop themes, see Color and Logo Management .

The following theme usage options can be configured either from COS or by individual accounts.

Limit users to one theme

On the Features page, remove the check mark from Change UI Themes . The Classic Web App theme is the theme listed in Current UI theme field on the Themes page.

Let users access any of the installed Zimbra themes

If the Change UI Themes is checked, users can access any of the themes that are listed in the Available UI themes list.

Two Factor Authentication

The Two Factor Authentication (2FA) function allows you to configure a secondary set of security requirements that may be applicable to any or all critical mailboxes or users in the environment. You can set 2FA for user accounts and/or class of service.

In the Wizard setup for a new user account, you will find settings for 2FA with other Advanced options.

Home → 3 Add Accounts → 1. Add Account  —  Next until Advanced , scroll down to Two Factor Authentication

New Account Two Factor Authentication

See Two Factor Authentication Parameters for parameter descriptions.

For an existing user account, you can apply 2FA settings from the Advanced options.

Locate the Two Factor Authentication container within the editable configurations for an account:

Select an account from the list of accounts.

Select Edit from the Gear icon.

 —  The General Information for the account is now displayed.

Select Advanced from the left panel.

Scroll down to the Two Factor Authentication container in the main panel.

Edit Account Two Factor Authentication

Parameters you can use to set up 2FA for a Class of Service are included with other Advanced features.

To apply 2FA to a class of service, use the Two Factor Authentication container to set parameters.

Home → Configure → Class of Service → COS → Advanced → Two Factor Authentication

Class of Service Two Factor Authentication

Other Configuration Settings for Accounts

When the Sharing feature is enabled, users can share any of their folders, including their mail folders, calendars, address books, task lists, and Briefcase folders.

A users specifies the type of access permissions to give the grantee. They can share with internal users who can be given complete manager access, external guests who must use a password to view the folder content, as well as public access so that anyone who has the URL can view the folder’s content.

When internal users share a mail folder, a copy of the shared folder is put in the grantee’s folder list on the Overview pane. Users can manage their shared folders from their Classic Web App Preferences Sharing page.

At this time, the Modern Web App supports share management from folder and calendar context menus only.

The Classic Web App Preferences → Notification page lets users configure an email address or SMS alert to their mobile device to receive a reminder message for a task or a meeting on their calendar. Notification by SMS is disabled by default.

SMS notification can be configured by domain, COS or for individual accounts. SMS notification set in a COS overrides SMS notifications set on a domain. In the Administration Console, this is set on the domain, COS or account’s Feature page.

Users select a region and a carrier when setting up their SMS alert. The list of SMS/email gateways is in ZmSMS.properties . You can customize this list to add SMS/email gateways that are not listed.

You can set attachment viewing rules as a global setting, by COS, or for a specific account. The global setting takes precedence over COS and account Settings. You can select from four options.

Attachments can be viewed in HTML and their original format

Users can select to open either in the original format or as HTML.

Users can click the Back and Forward arrows in the browser, or close their browser without logging out of their account.

If this preference is checked, users are asked to confirm that they want to navigate away from their account.

If this preference is not checked, the question is not asked.

If Show selection checkbox for selecting email, contact, voicemail items in a list view for batch operations is enabled, when users view email messages,contacts, and tasks lists in the Content pane, a check box displays for each item. Users can select items and then perform an action such as mark as read/unread, move to a specific folder, drag and drop to a folder, delete, and tag for all those selected items.

If Classic Web App users frequently use words, abbreviations or acronyms that are marked as spelling errors during a Classic Web App spell check, you can update the COS or domain attribute zimbraPrefSpellIgnoreWord with the words that should be ignored when spell check is run.

To configure words to ignore for a domain:

Hierarchical Address Book (HAB) in Zimbra

The hierarchical address book (HAB) allows users to look for recipients in their address book using organizational hierarchy. Typically, users only see the default global address list (GAL) whose structure doesn’t help understand who reports to whom or to identify one John Doe from another. Being able to customize a HAB, which maps to your organization’s unique business structure, provides your users with an efficient method for locating internal recipients.

In a Hierarchical Address Book (HAB), your root organization (e.g., Zimbra) is the top-level tier. Under this top-level tier, you can add several child tiers to create a customized HAB that is segmented by division, department, or any other organizational level you want to specify. The following figure illustrates a HAB for Zimbra with the following structure:

The top-level tier represents the root organization — Zimbra.

The second-level child tiers represent the business divisions within Zimbra — Corporate Office, Engineering, Product Support, and Sales & Marketing.

The third-level child tiers represent departments within the Corporate Office division — Human Resources, Accounts, and Administration.

HABHierarchy

Seniority Index provides an additional level in the hierarchy. When creating a HAB, use this parameter to rank individuals or organizational groups by seniority within these organizational tiers. This ranking specifies the order in which HAB displays recipients or groups. A higher seniority index ensures that a user or group appears above another with a lower seniority index.

100 for Vice President

50 for Administration Operations Manager

25 for Business Administrator

Configuring hierarchical address books

Explanation.

ZimbraOU as an organizational unit created.

You have to create a group and assign an email address for each department.

In this series of commands, we create 8 HAB groups — as per the Example Hierarchy .

Each of these groups (except Zimbra) needs to be assigned a parent group to create a hierarchy.

In this series of commands, we designate 7 HAB groups — except Zimbra because it is root — as per the hierarchy in the figure Example Hierarchy .

For this, we add Human Resources , Accounts , and Administration to Corporate Office ; and add Corporate Office , Engineering , Product Support , and Sales & Marketing to Zimbra .

zimbraId is a unique identifier associated with an email address. It is used to assign users to groups and to specify a group as root .

Example Output

[email protected] is the email address of the group which is to become root.

This example adds the users Jane Doe and John Smith to the group named CorporateOffice without affecting other existing members.

Configure the sort order for groups in the HAB. Groups with higher seniority index appear above groups with lower seniority index.

To have Engineering appear above CorporateOffice  — irrespective of their names and alphabetical order, get Zimbra ID , decide on a number in place of SeniorityIndexNumber , and run the below command.

Assign CorporateOffice a seniority index of 90

Assign Engineering a seniority index of 100

A group needs to be specified as root so that other groups can be added as child groups to comply with the organizational hierarchy. Run below command to make [email protected] as root.

Log in to Zimbra client.

Click New Message .

In the Compose window, click the To field.

On Select Addresses window, locate the Show Names from: drop-down on the top right corner.

Choose Organizational Address Book .

The address book in a hierarchical format appears in the left pane.

HABStructure zimbra

Click any group to view and select users of that group.

Manage Organisational Units (OUs)

There can be multiple organizational units in a domain. This command lists all the OUs in a specified domain.

All OUs in example.com listed.

This command renames the specified OU in a domain.

ZimbraOU renamed to ZMXOU .

This command deletes the specified OU in a domain.

ZimbraOU deleted.

Provisioning User Accounts

When an account is provisioned, you create the mailbox, assign the primary account email address, and assign a class of service (COS) to enable Zimbra Collaboration applications and features.

You can configure one account at a time or migrate multiple existing accounts from a server.

Before adding a user account, determine which features and access privileges should be assigned. You can either assign a class of service (COS) with the features enabled when you create the account or you can configure the features for the individual accounts. For a description of the features, see Class of Service and Accounts .

If the COS you assign has the correct functionality for the account, you do not need to perform any additional configuration.

Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.

Basic user account setup:

Home → 3 Add Accounts → 1. Add Account

In the Account Name section, enter the account name and the last name as a minimum to configure the account.

The default COS is assigned to the account.

Click Finish to create the account.

You can continue to configure features and functionality for the individual account. Changes you make to the account override the COS that is assigned to the account.

Migrating Accounts and Importing Account Email

You can provision multiple accounts at one time using the Account Migration Wizard from the Administration Console. You can import accounts from either a generic IMAP server or from another Zimbra server.

You can also import account names to provision from an XML file that you create.

You can run the migration wizard one time to provision accounts and import data or you can run the migration wizard the first time to provision the accounts and then run the wizard again to import the provisioned accounts' data.

Whether you get the account records from an LDAP directory or use an XML file, you need to set the password requirements for the newly provisioned accounts. The options are to have Zimbra randomly create passwords for each account or to set the same password on each account. You have the option to force users to change the password when they sign in the first time.

When the provisioning is complete, the wizard generates a .csv file with a list of new accounts. This includes the passwords that are generated. You should download this file for future reference. Choose a secure location to store the file as it can contain password information for the user accounts you provisioned.

If you’re running a split-domain configuration, you can set the SMTP host and port in the wizard. For more information about split domains, see the wiki article about split domains at https://wiki.zimbra.com/wiki/Split_Domain .

To migrate accounts from a server running Zimbra Collaboration 7.2 or later to Zimbra Collaboration 8.

Home → 3 Add Accounts → 3. Migration and Co-existence

In the Type of mail server field, select Zimbra Collaboration.

If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail , select No .

Click Next .

On the Overview dialog, Import from another Zimbra LDAP directory is selected. Click Next .

On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.

On the Directory connection dialog enter the information to connect to the server.

The Account Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.

Review the report generated and then click Next . The accounts are provisioned on the Zimbra Collaboration server.

Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Use steps in this section to provision accounts on the Zimbra server.

In the Type of mail server field, select Generic IMAP Server .

If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No .

On the Overview dialog, Import from another LDAP directory is selected. Click Next .

The Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.

Use steps in this section to create an XML file with the account information and save it to a computer you can access.

In the Type of mail server field, select the type of server your are migrating from.

On the Overview dialog, select Import from an XML file.

The Review options dialog displays the number of domains; number of accounts and the password options configured in the XML file.

If this information is correct, click Next . If this information is not correct, fix your XML file before proceeding.

If you clicked Next , the accounts are provisioned on the Zimbra Collaboration server.

Use steps in this section to specify the list of accounts whose mail you want to import by either selecting the accounts to import data or by using an XML file to select the accounts.

In the Type of mail server field, select the type of server your are importing the data from.

In the Would you like to import account records menu, select No .

In the Would you like to import mail menu , select Yes .

On the Import options dialog box, select which way you are going to specify the accounts whose mail is being imported.

If you are selecting accounts, go to step 7. If you are using an XML file go to step 9.

If you are selecting the accounts to import, on the Selected Accounts dialog box, search for the accounts to add. You can search by domain or user name. If you click Search without entering text, all accounts are returned.

Add the accounts to the Accounts for data import column.

If you are using an XML file with the accounts listed, browse to the XML file to use.

In the IMAP Connection details dialog box, enter the information necessary to connect to the exporting server’s IMAP, this includes the IMAP host name, port and administrator login information.

Review the data import options. If the information is correct, click Next .

This section contains three examples of the XML file structure to provision accounts and import data.

The following example shows an XML file that is used to provision multiple email accounts without importing mail:

The following example shows an XML file that is used to provision multiple email accounts for externally hosted domain without importing mail.

In this example, the zimbraMailTransport attribute of newly provisioned accounts will be set to point to external SMTP server instead of the Zimbra server.

The following example shows an XML file that is used to import email for one account via IMAP from a gmail account without provisioning the email account in Zimbra. The account must be provisioned on Zimbra before running this type of XML file.

Auto Provisioning New Accounts from External LDAP

Auto provisioning of new accounts from external LDAP is supported via the CLI. This section describes the supported CLI attributes and auto provisioning methods.

When an external LDAP authentication mechanism - such as external LDAP authentication, preauth, or SPNEGO - is configured for a Zimbra domain, you can set up Zimbra to automatically create user accounts on Zimbra. Primary email address and account attributes are mapped from an external directory. You can configure how and when new accounts should be created from the external directory data.

Three modes are supported for auto-provisioning configuration.

When an account is created, the account name (consisting of the characters alongside the @ symbol) is mapped from a user attribute on the external directory that you define in zimbraAutoProvAccountNameMap . Other account information, such as first and last name, phone numbers, and address, is populated from the attributes mapped from the external directory based on zimbraAutoProvAttrMap . You can review the external directory’s attributes to determine those that should be mapped to a Zimbra attribute.

The COS assignment for auto-provisioned accounts is identical to the way that COS is determined for manually provisioned accounts:

If a COS is defined for the domain, this COS is assigned to the accounts that are created.

If a domain COS is not defined, the Zimbra default COS is assigned.

You can configure a Welcome email message to be sent to newly created accounts. The subject and body of this email can be configured with AutoProvNotification attributes on the domain.

The attributes listed in this section can be used with the zmprov command to configure auto provisioning of new accounts with an external LDAP directory.

Set auto provision mode as either EAGER, LAZY, and/or MANUAL. Multiple auto-provisioning modes can be enabled on a domain.

Set type of authentication mechanism - as either LDAP, PREAUTH, KRB5, or SPNEGO - to enable for LAZY mode. Once a user authenticates via the specified authentication mechanism, and if the user account does not yet exist in the Zimbra directory, an account will be automatically created in the Zimbra directory.

Set the LDAP URL of the external LDAP source for auto provisioning

Enable (TRUE) or disable (FALSE) the StartTLS protocol when accessing the external LDAP server for auto provisioning. Default = FALSE.

Defines the LDAP search bind DN for auto provisioning.

Set the LDAP search admin bind password for auto provisioning.

Set the LDAP search base for auto provisioning, used in conjunction with zimbra zimbraAutoProvLdapSearchFilter . If not set, LDAP root DSE will be used.

Defines the LDAP search filter template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

If both are set, zimbraAutoProvLdapSearchFilter will take precedence. See Placeholders for supported placeholders.

Defines the LDAP external DN template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

Defines the attribute name in the external directory that contains local part of the account name. This is the name used to create the Zimbra account. If this is not specified, the local part of the account name is the principal user used to authenticated to Zimbra.

Defines the attribute map for mapping attribute values from the external entry to Zimbra account attributes. Values are in the format of {external attribute}={zimbra attribute} . If this is not set, no attributes from the external directory are populated in Zimbra account.

Defines the email address to put in the From header for the Welcome email sent to the newly created account. If not set, no notification email is sent to the newly created account.

Template used to construct the subject of the notification message sent to the user when the user’s account is auto provisioned.

Supported variables: ${ACCOUNT_ADDRESS} , ${ACCOUNT_DISPLAY_NAME}

Template used to construct the body of the notification message sent to the user when the user’s account is auto provisioned.

Domain setting to define the class name of auto provision listener. The class must implement the com.zimbra.cs.account.Account.AutoProvisionListener interface. The singleton listener instance is invoked after each account is auto created in Zimbra. Listener can be plugged in as a server extension to handle tasks like updating the account auto provision status in the external LDAP directory.

At each eager provision interval, Zimbra does an LDAP search based on the value configured in zimbraAutoProvLdapSearchFilter . Returned entries from this search are candidates to be auto provisioned in this batch. The zimbraAutoProvLdapSearchFilter should include an assertion that will only hit entries in the external directory that have not yet been provisioned in Zimbra, otherwise it’s likely the same entries will be repeated pulled in to Zimbra. After an account is auto provisioned in Zimbra, com.zimbra.cs.account.Account.AutoProvisionListener.postCreate (Domain domain, Account acct, String external DN) will be called by the auto provisioning framework. Customer can implement the AutoProvisionListener interface in a Zimbra server extension and get their AutoProvisionListener.postCreate() get called. The implementation of customer’s post Create method can be, for example, setting an attribute in the external directory on the account just provisioned in Zimbra. The attribute can be included as a condition in the zimbraAutoProvLdapSearchFilter , so the entry won’t be returned again by the LDAP search in the next interval.

Domain | Global setting to define the maximum number of accounts to process in each interval for EAGER auto provision.

Server attribute that lists the domains scheduled for EAGER auto provision on this server. Scheduled domains must have EAGER mode enabled in zimbraAutoProvMode . Multiple domains can be scheduled on a server for EAGER auto provision. Also, a domain can be scheduled on multiple servers for EAGER auto provision.

Domain | Global setting to define the interval between successive polling and provisioning accounts in EAGER mode. The actual interval might take longer since it can be affected by two other factors: zimbraAutoProvBatchSize and number of domains configured in zimbraAutoProvScheduledDomains .

At each interval, the auto provision thread iterates through all domains in zimbraAutoProvScheduledDomains and auto creates accounts up to domain.zimbraAutoProvBatchSize . If that process takes longer than zimbraAutoProvPollingInterval than the next iteration starts immediately instead of waiting for zimbraAutoProvPollingInterval amount of time.

If set to 0 when server starts up, the auto provision thread will not start.

If changed from a non-0 value to 0 while server is running, the auto provision thread will be shutdown.

If changed from 0 to a non-0 value while server is running, the auto provision thread will be started.

With Eager mode, Zimbra polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and the domains to be scheduled for account auto-provisioning on specified servers.

Log in to the Zimbra server as zimbra and type zmprov at the command prompt.

Enable EAGER mode on the domain.

Set the maximum number of accounts to process in each interval

Configure the interval (in minutes) between polling and provisioning of accounts. This must be set to a non-0 value for the auto provisioning thread to start. Default = 15 minutes.

Select the domains to be scheduled for auto provisioning. Multiple domains can be scheduled on the server.

A domain can be scheduled on multiple servers.

Configure the external LDAP settings:

The LDAP port is typically 389.

(Optional) Enable StartTls.

LDAP admin bind DN for auto provision:

Administrator’s LDAP search bind password for auto provision.

Search template to use when searching for users to auto provision.

Example using the LDAP search filter:

Refer to Placeholders for supported placeholders.

LDAP search base for auto provisioning

This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter . If this is not set, the LDAP directory root, rootDSE , is the starting point.

(Optional) Define the attribute name that is mapped to the local part of the account name on the external directory. This is used to define the account name on Zimbra. If this is not specified, the local part of the account name is the principal user name used to authenticate to Zimbra.

(Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. The value is mapped in the form of {external attribute}={zimbra attribute} .

To map the "sn" value on the external entry to "displayName" on the Zimbra account and map description value on the external entry to description on the Zimbra account, type

(Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.

To exit zmprov, type

Lazy mode auto provisioning automatically creates a new account after a user authenticates from an external authentication mechanisms (LDAP, preauth, Kerberos 5, and/or SPNEGO).

Enable LAZY mode,

Select the external authentication mechanism for the LAZY mode: LDAP, PREAUTH, KRB5, SPNEGO. You can specify multiple authentication mechanisms.

Configure the external LDAP settings

The LDAP port is usually 389.

(Optional) Enable StartTls

LDAP Admin bind DN for auto provision in the format cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>

For example, "cn=admin, dc=autoprov, dc=company, dc=com"

(Optional) Search template to use when searching for users to auto provision.

Example: using LDAP search filter:

LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter . If this is not set, the LDAP directory root, rootDSE , is the starting point.

For example, "dc=autoprov,dc=company,dc-com"

(Optional) Define the LDAP external DN template for account provisioning.

(Optional) Identify the attribute name on the external entry that contains the local part of the account name to be provisioned in Zimbra. If this is not specified, the local part of the account name is the principal user used to authenticate to Zimbra.

(Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. Value is in the form of {external attribute}={zimbra attribute} .

To map the sn value on the external entry to displayName on the Zimbra account and map description value on the external entry to description on the Zimbra account, type as

Exit zmprov, type exit .

Use the Manual Mode setting to disable auto provisioning with an external LDAP server.

Enable MANUAL mode:

Managing Resources

A resource is a location or equipment that can be scheduled for a meeting. Each meeting room location and other non-location specific resources such as AV equipment is set up as a resource account. The Manage → Resources section in the Administration Console shows all resources that are configured for Zimbra Collaboration.

User accounts with the Calendar feature can select these resources for their meetings. The resource accounts automatically accept or reject invitations based on availability.

Administrators do not need to monitor these mailboxes on a regular basis. The contents of the resource mailboxes are purged according to the mail purge policies.

A Resource Wizard guides you through the resource configuration. You can configure the account with the following details about the resource:

Type of resource, either location or equipment

Scheduling policy

Forwarding address to receive a copy of the invite

Description of the resource

Contact information, which can be a person to contact if there are issues

Location information, including room name, specific building location including building and address, and room capacity

Customize auto response message and signatures to be used in the reply email messages

When you create a resource account, a directory account is created in the LDAP server.

To schedule a resource, users invite the equipment resource and/or location to a meeting. When they select the resource, they can view the description of the resource, contact information and free/busy status for the resource, if these are set up.

When the meeting invite is sent, an email is sent to the resource account, and, based on the scheduling policy, if the resource is free the meeting is automatically entered in the resource’s calendar and the resource is shown as Busy.

The scheduling policy establishes how the resource’s calendar is maintained. The following resource scheduling values can be set up:

Auto decline all recurring appointments  — This value is enabled when the resource can be scheduled for only one meeting at a time. No recurring appointments can be scheduled for this resource.

Auto accept if available, auto-decline on conflict  — When this option is selected, the resource account automatically accepts appointments unless the resource is already scheduled. The free/busy times can be viewed. You can modify the auto-decline rule to accept some meetings that conflict.

Manual accept, auto decline on conflict  — When this option is selected, the resource account automatically declines all appointments that conflict. Appointment requests that do not conflict are marked as tentative in the resource calendar and must be manually accepted. If you set this up, configure the forwarding address so a copy of the invite is sent to the account that can manually accept the invitation. You can modify the auto-decline rule to accept some meetings that conflict.

Auto accept always  — The resource account automatically accepts all appointments that are scheduled. In this case, free/busy information is not maintained, thus more than one meeting could schedule the resource at the same time. Because the resource always accepts the invitation, the suggested use for this policy would be for a frequently used location off premises that you want the location address to be included in the invite to attendees.

No auto accept or decline  — The resource account is manually managed. A delegated user must log into the resource account and accept or decline all requests.

Conflict Rules  — For accounts that include the auto decline on conflict value, you can set up a threshold, either as a number of conflicts or as a percentage of all the recurring appointments to partially accept recurring appointments.

Maximum allowed number of conflicts and/or Maximum allowed percent of conflicts are configured to allow a recurring resource to be scheduled even if it is not available for all the requested recurring appointment dates.

The resource accepts appointments even if there are conflicts until either the number of conflicts reaches the maximum allowed or the maximum percentage of conflicts allowed. In order for partial acceptance of a series to work, both fields must be set to nonzero values.

Manage Resource Accounts

You can log on to the resource account and set preferences for the resource. The Resource Accounts Preference → Calendar can be configured to let users manage the Resource’s Calendar. You can configure the following options to manage the resource.

An address to forward invites. If the forwarding address was set up when the account was provisioned, you can change the address

Who can use this resource. In the Permissions section, Invites, select Allow only the following internal users to invite me to meetings and add the appropriate users' email addresses to the list.

You can share the resource calendar with a user and give the user Manager rights. Users delegated as Manager have full administrative rights for that calendar. They can view, edit, add, remove, accept or decline the invites.

Managing User Accounts

The status of an account determines whether a user can log in and receive mail. The account status is displayed on the Accounts pane of the Administration Console.

You can delete accounts from the Administration Console. This removes the account from the server, deletes the messages in the message store, and changes the number of accounts used against your license.

You can view a selected account’s mailbox content, including all folders, calendar entries, and tags from the Administration Console.

Home → Manage → Accounts → account

Select an account , from the Gear icon select View Mail . The user’s Zimbra account opens in a new browser window.

This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account at the same time.

Any View Mail action to access an account is logged to the audit.log file.

An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.

When you select Aliases from the Manage Aliases navigation pane, all aliases that are configured are displayed in the content pane. You can create an alias, view the account information for a specific alias, move the alias from one account to another, and delete the alias.

Working with Distribution Lists

A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending the message to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed.

You can create distribution lists that require an administrator to manage the member list and you can create dynamic distribution lists that automatically manages adding and deleting members in the list. For more information about dynamic distribution lists, see Using Dynamic Distribution Lists .

You can see which distribution lists a user is a member of from the user’s account "Member of" page. When a Zimbra user’s email address is added to a distribution list, the user’s account Member Of page is updated with the distribution list name. When a distribution list is deleted, the distribution list name is automatically removed from the account’s "Member Of" page.

Subscription policies can be set up to manage a distribution list’s membership. Owners of the list manage the subscription policy from the Properties page of a distribution list.

You can add owners to distribution lists and they manage the list from their Zimbra account’s Address Book, Distribution List folder. Owners of a list can right-click a distribution list and click the Edit Group link to edit a list.

Besides adding and deleting members, distribution list properties that owners can configure include:

Marking the list as private so it is hidden in the Global Address List

Managing who can send messages to the list

Setting a member subscription policy

Adding additional owners

Use steps in this section to create a distribution list:

Home → Manage → Distribution Lists

From the Gear icon, click New .

On the Members page, add the distribution list name. Do not use spaces. The other fields are optional.

Find members to add to the distribution list in the right column. Select the members to add and click Add Selected . If you want to add all addresses on the page, click Add This Page . If you want to add members that are not in the company list, in the Or enter addresses below section, type a complete mail address.

Click Next to configure the Properties page.

In the Members Of page, select distribution lists that should be direct or indirect members of the list.

If the distribution list should have an alias, create it.

If this distribution list can be managed by other users, enter these email addresses in the Owners page.

Set how messages received to the distribution list should be replied to.

Click Finish . The distribution list is enabled and the URL is created.

After a distribution list is created, you can manage who can view members of a distribution list and who can send messages to a distribution list. The default is all users have access to all distribution lists. This section describes how to use the CLI to manage access.

To limit who can access distribution lists, grant rights to individual users on a domain or if you want only members of a domain to access distribution lists, you can grant rights on the domain. When you grant the right on the domain, all distribution lists on the domain inherit the grant.

You can grant the right on individual distribution lists and configure specific users that are allowed to access the distribution list.

You can restrict access to a distribution list from the CLI zmprov grantRight ( grr ) command.

Who Can View Members of a Distribution List

The default is that all users can view members addresses in a distribution list. A distribution list address displays a + in the address bubble. Users can click on this to expand the distribution list. A list of the addresses in the distribution list is displayed. Users can select individual addresses from the expanded list.

Restricting who can view addresses in a distribution list to individuals or to a domain:

For individual users:

For all users in a domain:

To grant rights on a distribution list and let specific users view the list:

Who Can Send to a Distribution List

The default is that all users can send messages to all distribution lists. You can grant rights to a distribution list or to a domain that defines who can send messages to a distribution list. When users attempt to send to a distribution list that they are not authorized to use, a message is sent stating that they are not authorized to send messages to the recipient distribution list.

Restricting who can send messages to a distribution list to individuals or to a domain:

Granting rights to an individual user in a domain to send messages to all distribution lists.

Granting rights to all users in a domain to send messages to all distribution lists.

Restricting access and to remove the restriction to individual distribution lists for different user types.

Access to specific internal users:

Revoke access

Access only to members of the distribution list:

Access only to all users in a domain:

Access only to all users in an external domain:

Access only to internal users:

Access only to all public email addresses:

Access only to specific external email address:

Enabling View of Distribution List Members for AD Accounts

To view Active Directory distribution list members in messages or in the address book, the GAL group handler for Active Directory must be configured in the Zimbra GALsync account for each Active Directory.

Use steps in this section to update the GALsync account for each Active Directory. This configuration requires that you know the GALsync account name and all data sources on that GALsync account.

Display the Zimbra ID of the GAL sync account:

To find the name:

Display data sources for the GALsync account:

Enable the group handler for the Active Directory:

Using Dynamic Distribution Lists

Dynamic distribution lists automatically manage their membership. Users are added and removed from the distribution list automatically. When you create a dynamic distribution list, a member URL is specified. This member URL is used to identify who should be members of the list. You can view this URL from the Administration Console distribution list’s Properties page.

You can create dynamic distribution lists from the Administration Console or from the CLI. In the URL, you specify specific object classes that identify the type of users to be added to the dynamic distribution list. For example, you can configure a dynamic distribution list with the object class= zimbraAccount. In this case, when accounts are provisioned or accounts are deleted, the dynamic distribution list is updated.

You can create dynamic distribution lists for all mobile users or POP/IMAP users.

You can modify a distribution list to change the filter rules. When you modify a distribution list, the members in the list are changed to reflect the new rule.

You can create a dynamic distribution list with the admin console or with the CLI, as described in this section.

Home → Manage → Distribution Lists .

On the Members page, add the dynamic distribution list name. Do not use spaces. Do not add members to the list.

If the dynamic distribution list should have an alias, create it.

If this dynamic distribution list can be managed by other users, enter these email addresses in the Owners page.

If you want to set up a reply to address, enter it here. Any replies to this distribution list are sent to this address.

Click Finish . The dynamic distribution list is created.

Users are added automatically to the list based on the filter you specified. If you add or delete users, the list is updated.

Use the CLI zmprov command to manage dynamic distribution lists. In the command, ldap:///??sub? is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.

Creating a dynamic distribution list of all new and existing accounts

All users, GAL account names, and spam/ham account names are included. When user accounts are deleted, they are removed from the list.

Creating a COS and Assign Users

If you create COSs and assign users to the COS based on specific criteria, such as all managers, you can quickly modify a dynamic distribution list to be used for a specific COS.

To use this, the account’s Contact Information Job Title field must include the title. In this example it would be set to "Manager".

Moving a Mailbox

Mailboxes can be moved between Zimbra servers that share the same LDAP server.

You can move a mailbox from either the Administration Console or use the CLI command zmmboxmove to reposition a mailbox from one server to another, without taking down the servers.

The destination server manages the mailbox move process. The move runs in the background and the account remains in active mode until most of the data has been moved. The account is locked briefly to move the last data and then returned to active mode.

The mailbox move process goes through the following steps:

Mailbox blobs are moved to the new server

When most of the content has been moved, the account is put into maintenance mode

Database tables, index directories, and any changed blobs are moved

The account is put back into active mode

After the mailbox is moved to a new server, a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. Check to see that all the mailbox content was moved successfully before purging the old mailbox.

Moving a mailbox to a new server

Purging the mailbox from the old server

Global configuration options for moving a mailbox can be set to exclude search indexes, blobs, and SM blobs when mailboxes are moved. The following configuration options can be set on either the exporting server or the destination server:

zimbraMailboxMoveSkipSearchIndex  — If you do not include the search index data, the mailbox will have to be reindexed after the move.

zimbraMailboxMoveSkipBlobs  — Blobs associated with the mailbox, including primary and secondary volumes (SM) are excluded.

zimbraMailboxMoveSkipHsmBlobs  — This is useful when SM blobs already exist for the mailbox being moved. Set this if zimbraMailboxMoveSkipBlobs is not configured, but you want to skip blobs on SM volumes.

Monitoring Zimbra Servers

The Zimbra Collaboration (Zimbra) includes the following to help you monitor the Zimbra servers, usage, and mail flow:

Zimbra Logger package to capture and display server statistics and server status, and to create nightly reports

Mailbox quota monitoring

MTA mail queue monitoring

Also, selected error messages generate SNMP traps, which can be monitored using an SNMP tool.

Zimbra Logger

The Logger includes tools for syslog aggregation and reporting. Installing the Logger is optional, but if you do not install it, server statistics and server status information are not captured.

In environments with more than one Zimbra Collaboration server, Logger is enabled on one mailbox server only. This server is designated as the monitor host. The Zimbra Collaboration monitor host is responsible for checking the status of all the other Zimbra Collaboration servers and presenting this information on the Zimbra administration console. Real-time service status, MTA, spam, virus traffic and performance statistics can be displayed. The Logger creates a daily report about mail activity, such as the number of messages, average delivery delay, and errors generated.

Enable server statistics to show both system- wide and server specific data about the inbound message volume, inbound message count, anti-spam/anti-virus activity and disk usage for messages processed in the last 48 hours, 30 days, 60 days, and the last year.

On each server, as root, type /opt/zimbra/libexec/zmsyslogsetup . This updates the syslog configuration to enable gathering server statistics.

On the logger monitor host, you must configure syslog to accept syslog messages from remote machines. See https://wiki.zimbra.com/wiki/Configuring-Logger-Host for details.

Home → Monitor

The Server Status page lists all servers and services, their status, and when the server status was last checked. The servers include the MTA, LDAP, and mailbox server. The services include MTA, LDAP, Mailbox, SNMP, Anti-Spam, Anti-Virus, Spell checker, and Logger.

To start a server if it is not running, use the zmcontrol CLI command. You can stop and start services from the Administration Console.

Home → Configure → Servers → server

Server services are enabled or disabled from the Servers → server page. Select Services in the Navigation pane and select to enable or disable services.

If the Logger package is installed on a Zimbra mailbox server, Server Statistics shows bar graphs of the message count, message volume, anti-spam, and anti-virus activity. The information is displayed for the last 48 hours, and 30 days, 60 days, and 365 days.

When Server Statistics is selected in the Navigation pane, consolidated statistics for all mailbox servers is displayed. Selecting a specific server in the expanded view shows statistics for that server only. Server specific information also includes disk usage, session information, and mailbox quota details.

The following display system-wide information:

Message Count  — counts message transactions. A transaction is defined as either the SMTP receipt of a message per person (by Postfix) or a LMTP delivery of it (by mailboxd) per person. For example, if a message is sent to three people, six transactions are displayed. Three for SMTP to Postfix and three for LMTP to mailboxd. The message count is increased by six.

Message Volume  — displays the aggregate size in bytes of transactions sentand received per hour and per day. Graphs show the total inbound data by volume in bytes.

Anti-Spam/Anti-Virus Activity  — displays the number of messages that werechecked for spam or viruses and the number of messages that were tagged as spam or deemed to contain a virus. The AS/AV count is increased by one per message scanned. One message sent to three people counts as only one message processed by AS/AV.

The Message Count and the Anti-spam/Anti-virus Activity graphs display a different message count because:

Outbound messages may not go through the Amavisd filter, as the system architecture might not require outbound messages to be checked.

Messages are received and checked by Amavisd for spam and viruses before being delivered to all recipients in the message. The message count shows the number of recipients who received messages.

Server-specific statistics also include the following details:

Disk  — for a selected server displays the disk used and the disk space available. The information is displayed for the last hour, day, month, and year.

Session  — displays information about the active Web client, administrator and IMAP sessions. You can see how many active sessions are opened, who is logged on, when the session was created and the last time the session was accessed.

Mailbox Quota  — displays information about each account sorted by mailbox size in descending order. See Monitoring Mailbox Quotas .

The Logger generates a report about mail activity daily at 11:30 p.m. and sends it to the administrator’s email address.

You can configure the number of accounts to include in the report. The default is 25 sender and 25 recipient accounts.

Changing the number of recipients to add to the report:

Changing the number of senders to add to the report:

You should regularly review your disk capacity and when disks are getting full, take preventative measures to maintain service. A warning alert email notification is sent to the administrator account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%.

You can change these values. Use zmlocalconfig to configure the disk warning thresholds.

Warning alerts

Critical alert:

When starting services with zmcontrol , if the threshold is exceeded a warning is displayed before the services are started. You should clean up your disk to free up space.

The Zimbra Collaboration server collects many performance related statistics that can help you diagnose problems and load issues.

Home → Monitor → Advanced Statistics

The Advanced Statistics page includes advanced graphing options that lets you generate various charts based on statistical information for the CPU, IO, mailboxd, MTA queue, MariaDB and other components.

To chart the graphics in Advanced Statistics, select one of these groups and then select from the list of specific counters for the type of information to display.

The information covers a wide array of data:

cpu.csv  — CPU utilization. This group contains counters to keep track ofCPU usage (iowait, idle, system, user, time etc.). CPU information can be tracked both at the server level and the process level.

df.csv  — Captures disk usage. Disk utilization is tracked for each diskpartition.

fd.csv  — file descriptor count. Keeps track of system file descriptor usageover time. This is primarily used to track down "out-of-file descriptor" errors.

mailboxd.csv  — Zimbra Collaboration server and JVM statistics. Mailboxdstores almost all of its statistics here. Interesting numbers to keep track of are heap_used, heap_free, imap_conn, soap_sessions, pop_conn, db_conn_count.

mtaqueue.csv  — Postfix queue. This measures the mail queue size innumber of messages and the size in bytes.

proc.csv  — Process statistics for Zimbra processes. For example mailboxd/java, MariaDB, OpenLDAP, etc.)

soap.csv  — SOAP request processing time.

threads.csv  — JVM thread counts. Counts the number of threads with acommon name prefix.

vm.csv  — Linux VM statistics (from the vmstat command).

io-x.csv and io.csv  — store data from the iostat(1) command ( io-x.csv with iostat -x ).

Configuring Denial of Service Filter Parameters

The denial-of-service filter (DoSFilter) limits exposure to requests flooding over HTTP/HTTPS. The DoSFilter throttles clients sending a large number of requests over a short period of time.

DosFilter is only applied to HTTP and HTTPS requests, in other words, it does not affect requests for any other protocols like POP3, IMAP or SMTP. You can modify the configuration to accommodate your specific environmental needs. DoSFilter is enabled by default on Zimbra. Disabling the DoSFilter is not recommended. For information on preventing multiple failed login attempts see Password Policy

Sometimes Zimbra Connector for Outlook (ZCO), mobile ActiveSync clients, or running some zmprov commands trigger the DoSFilter. When this happens, the Zimbra mailbox service is unavailable. You can review the following logs to see if the DoSFilter was applied.

/opt/zimbra/log/sync.log .

/opt/zimbra/log/zmmailboxd.out

The following attributes are used with zmprov to configure the DoSFilter. These attributes can be configured as global settings and as server settings. If these attributes are set in the server, the server settings override the global settings.

You can modify these settings, but the default configuration is recommended.

A mailbox server restart is required after modifying these attributes. Type:

Zimbra Member Servers  — Zimbra servers under the control of a single masterLDAP server are automatically whitelisted by IP address. These hosts are discovered using a GetAllServersRequest . Type as zmprov gas .

External Provisioning Hosts/SOAP API  — External provisioning hosts can be added to the IP whitelist to ensure that the DoSFilter does not block some requests. For example, a mailbox reindex might make several calls per second that can trigger the DoSFilter.

Working with Mail Queues

When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, held, and corrupt.

Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails. The message is bounced back to the original sender. The default for the bounce queue lifetime is five days.

The held message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the held queue.

The MTA server’s bounce queue lifetime is set for five days. To change the default queue lifetime setting

To permanently have messages bounced back to the sender, instead of being sent to the deferred queue first

Before the bounce queue lifetime sends the message back to the sender, senders can be notified that the message they sent is in the deferred queue and has not been delivered.

Configure the following attributes to send a warning message to the sender.

Configure the time after which the sender receives the message headers of email that is still queued.

Configure the recipient of postmaster notifications with the message headers of mail that the MTA did not deliver.

Configure the list of error classes that are reported to the postmaster.

You can monitor the mail queues for delivery problems from the Administration Console.

Home → Monitor → Mail Queues

If you are having problems with mail delivery, you can view the mail queues from the Mail Queues page in the Administration Console to see if you can fix the mail delivery problem. When you open mail queues, the content of the deferred, incoming, active, hold, and corrupt queues at that point in time can be viewed. You can view the number of messages and where they are coming from and going to.

For each queue, the Summary pane shows a summary of messages by receiver domain, origin IP, sender domain, receiver address, sender address, and for the deferred queue, by error type. You can select any of the summaries to see detailed envelope information by message in the Messages pane.

The Messages pane displays individual message envelope information for search filters selected from the Summary pane.

The following mailbox queue functions can be performed for all the messages in a queue:

Hold to select a set of messages that you want to hold. Incoming, active,deferred, and corrupt messages can be moved to the Held queue. Messages stay in this queue until the administrator moves them.

Release to remove all message from the Held queue. Messages are moved to the Deferred queue.

Requeue all messages in the queue being viewed. Requeuing messages can be used to send messages that were deferred because of a configuration problem that has been fixed. Messages are re-evaluated and earlier penalties are forgotten.

Delete all messages in the queue being viewed.

The Zimbra MTA, Postfix queue file IDs are reused. If you requeue or delete a message, note the message envelope information, not the queue ID. It is possible that when you refresh the mail queues, the queue ID could be used on a different message.

You can flush the server of all messages. When you click Flush on the Mail Queue toolbar, delivery is immediately attempted for all messages in the Deferred, Incoming and Active queues.

Monitoring Mailbox Quotas

Mailbox quotas apply to email messages, attachments, calendar appointments, and tasks in a user’s account. When an account quota is reached, all mail messages are rejected. Users must delete mail from their account to get below their quota limit - this includes emptying their Trash, or you can increase their quota.

You can check mailbox quotas for individual accounts from Server Statistics on the Administration Console. Mailbox Quota gives you an instant view of the Mailbox Size and Quota Used information for each account.

Home → Monitor → Server Statistics

Select the server for which you want to view statistics.

In the Navigation pane, select Mailbox Quota . The Mailbox Quota page displays with the following information:

Quota column shows the mailbox quota allocated to the account. Quotas are configured either in the COS or by account.

Mailbox Size column shows the disk space used.

Quota Used column shows what percentage of quota is used.

From a COS or Account, you can configure a quota threshold that, when reached, sends a message alerting users that they are about to reach their mailbox quota.

Home → Configure → Class of Service → COS → Advanced Home → Manage → Accounts → account → Advanced

Scroll down to the Quota section.

Modify the quota settings.

The MobileSync Statistics page in the Monitor section in the admin console displays the number of currently connected ActiveSync devices that are on the Zimbra Collaboration system.

To protect against dictionary-based and distributed attacks, you can configure the zmauditwatch . The script attempts to detect more advanced attacks by looking at where the authentication failures are coming from and how frequently they are happening for all accounts on a Zimbra mailbox server and sends an email alert to the administrator’s mailbox.

The types of authentication failures checked include:

IP/Account hash check  — The default is to send an email alert if 10authenticating failures from an IP/account combination occur within a 60 second window.

Account check  — The default is to send an email alert if 15 authentication failures from any IP address occur within a 60 second window. This check attempts to detect a distributed hijack based attack on a single account.

IP check  — The default is to send an email alert if 20 authentication failures to any account occur within a 60 second window. This check attempts to detect a single host based attack across multiple accounts.

Total authentication failure check  — The default is to send an email alert if1000 auth failures from any IP address to any account occurs within 60 seconds. The default should be modified to be 1% of the active accounts on the mailbox server.

The default values that trigger an email alert are changed in the following zmlocalconfig parameters:

IP/Account value, change zimbra_swatch_ipacct_threshold

Account check, change zimbra_swatch_acct_threshold

IP check, change zimbra_swatch_ip_threshold

Total authentication failure check, change zimbra_swatch_total_threshold

Configure zimbra_swatch_notice_user with the email address that should receive the alerts.

Viewing Log Files

Zimbra Collaboration logs its activities and errors to a combination of system logs through the syslog daemon as well as Zimbra specific logs on the local file system. The logs described below are the primary logs that are used for analysis and troubleshooting.

Local logs containing Zimbra Collaboration activity are in the /opt/zimbra/log directory.

audit.log  — This log contains authentication activity of users and administrators and login failures. In addition, it logs admin activity to be able to track configuration changes.

clamd.log  — This log contains activity from the anti-virus application clamd.

freshclam.log  — This log contains log information related to the updating of the clamd virus definitions.

mailbox.log  — This log is a mailboxd log4j server log containing the logs from the mailbox server. This includes the mailbox store, LMTP server, IMAP and POP servers, and Index server.

myslow.log  — This slow query log consists of all SQL statements from the mailbox server that took more then long_query_time seconds to execute.

spamtrain.log  — This log contains output from zmtrainsa during regularly scheduled executions from the cron.

sync.log  — This log contains information about Zimbra Collaboration mobilesync operations.

Other logs include:

/opt/zimbra/jetty/logs/  — This is where Jetty-specific activity is logged.

/opt/zimbra/db/data/<hostname>.err  — This is the message store database error log.

/opt/zimbra/logger/db/data/<hostname>.err  — This is the Logger database error log.

Zimbra Collaboration activity logged to System syslog

/var/log/zimbra.log  — The Zimbra syslog details the activities of the ZimbraMTA (Postfix, amavisd, anti-spam, anti-virus), Logger, Authentication (cyrus-sasl), and Directory (OpenLDAP). By default LDAP activity is logged to zimbra.log .

Zimbra Collaboration modifies the systems syslog daemon to capture data from the mail and local syslog facility to /var/log/zimbra.log . This allows syslogd to capture data from several Zimbra Collaboration components including Postfix, Amavis, ClamAV, mailboxd, zmconfigd, and logger. The SNMP module uses the data from the log file to generate traps for critical errors. The zmlogger daemon also collects a subset of the data in this file to provide statistics on the utilization of Zimbra Collaboration via the Administration Console.

By default, mailboxd is configured to log its output to /opt/zimbra/log/mailbox.log . You can enable mailboxd to take advantage of a centralized syslogd infrastructure by enabling the following either globally or by server:

The Zimbra Collaboration server uses log4j , a Java logging package as the log manager. By default, the Zimbra Collaboration server has log4j configured to log to the local file system. You can configure log4j to direct output to another location. Go to the Log4j website for information about using log4j .

Zimbra does not check the log4j changes. To remove all account loggers and reloads in /opt/zimbra/conf/log4j.properties , use the zmprov resetAllLoggers command.

The default logging level is set to include logs that are generated for INFO, WARNING, ERROR and FATAL. When problems start to occur, you can turn on the DEBUG or TRACE log levels.

To change the logging levels, edit the log4j properties, log4j.properties , log4j.logger.zimbra .

When enabling DEBUG, you can specify a specific category to debug. For example, to see debug details for POP activity, you would type logger.zimbra.pop=DEBUG .

The following categories are predefined in log4j :

(*) A few non-critical messages such, as service startup messages, will generate traps.

Protocol trace is available in the following logging categories:

The mailbox.log file contains every action taken on the mailbox server, including authentication sessions, LMTP, POP3, and IMAP servers, and Index server. Review the mailbox.log to find information about the health of your server and to help identify problems.

mailbox.log records valid and invalid login attempts, account activity such as opening email, deleting items, creating items, indexing of new mail, server activities including start and stop. The progress of an activity on the mail server is logged as INFO. If the expected results of the activity fails and errors occurs, an exception is written to the log.

You can set up logging options for a single account in order to trace account activity for one user without filling up mailbox.log with log messages for unrelated accounts. See Command-Line Utilities , the zmprov miscellaneous section.

Log pattern

by default log entries in mailbox.log have the following Log4j pattern:

%d %-5p [%t] [%z] %c{1} - %m%n

This pattern consists of 6 blocks of data:

Date and time (e.g.: 2021-01-22 19:23:07,100 )

Log level (e.g. INFO )

Thread name (e.g. [qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest] , [Index-9] , etc.)

Zimbra Collaboration context

Component name (e.g. soap , mailbox , mbxmgr , etc.)

Log message. Note: the log message section may span multiple lines. When a log message contains an exception, the stack trace will always start on a new line below the error message.

You can read more about Log4j patterns in Log4j PatternLayout documentation .

Thread name in mailbox.log

Thread names in mailbox.log are prefixed to identify internal components. Most threads have one of the following naming convention: " {thread prefix}-{thread number} " or " {thread prefix}-{thread number}:{url} ".

The following {thread prefix} values are currently used for thread names in Zimbra Collaboration: btpool , pool , LmtpServer , ImapServer , ImapSSLServer , Pop3Server , Pop3SSLServer , ScheduledTask , Timer , AnonymousIoService , CloudRoutingReaderThread , GC , SocketAcceptor , Thread , qtp .

Threads with prefix qtp are created by Jetty QueuedThreadPool and have the following naming convention: " qtp{hash code}-{thread number}:{url} " where {hash code} ` is the hash code value of the instance of QueuedThreadPool that owns the thread (see Object::hashCode in Java platform documentation).

{thread number} in thread names is an integer that monotonically increases within each thread factory. Thread numbers are reset when mailboxd process is stopped or restarted.

Log records reported by threads that serve SOAP requests will usually contain URL of the request being served in {url} part of thread name, as in the following example:

Mailbox Log Entry for SOAP

Due to a known bug in Zimbra Collaboration {url} part of the thread name may contain duplicate protocol identifier, as in the following example:

[qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest]

Zimbra Collaboration Context in mailbox.log

[%z] section in the log pattern describes Zimbra Collaboration context and consists of key-value pairs in the format key=value , separated by semi-colons (;). In cases where a value contains a semi-colon, the semi-colon is replaced with a double semi-colon (;;). E.g., browser UserAgent strings often include semi-colons, such as this one "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36". In mailbox.log, this UserAgent string will appear as following:

ua value with double semi-colon

The following key value pairs are currently supported and may be recorded in log entries in any order and any combination:

ip  — IP of the TCP/IP client making a request

oip  — originating IP address. When a request is made through NGINX proxy, this value will contain the IP address of the client application, while ip value will contain the IP address of the proxy server

cid  — connection id of a server that is monotonically increasing - useful for tracking individual connections

id  — ID of the target account

name  — name of the target account (email address)

aid  — ID of the authenticated account. Only present if target account is different then authenticated account

aname  — name of the authenticated account. Only present if target account is different then authenticated account

mid  — ID of requested mailbox. Only present if request is dealing with a mailbox

ua  — name of the client application (i.e. User Agent)

via  — list of IP addresses and user-agents of the request’s proxy chain

soapId  — ID assigned to a SOAP request to track proxied hops for a particular request

msgid  — value of Message-ID header of the message being operated on

ds  — name of the Data Source being operated on

port  — server port to which the client connected

oport  — originating port number of request

oproto  — originating protocol of request. This can be passed by internal components that make SOAP requests on behalf of a user (e.g. MTA)

The example below is a record showing that on October 25, 2021, 28 minutes after midnight, a POP3 client with IP address 222.173.186.17 has contacted the Zimbra Collaboration server and that the request was proxied through a local proxy server with IP 10.1.1.136 .

Mailbox Log Entry for POP

The following example shows a record of a failed IMAP STATUS request sent by [email protected] using AquaMail mobile app. The user’s device has IP address 72.83.144.255 (as reported in oip field). The request came to IMAP server via Zimbra Collaboration nginx proxy, which has IP address 10.4.4.138 (as reported in ip and via fields).

Mailbox Log Entry for IMAP

The following example shows a record of LMTP server delivering a message. The IP address in this log message most likely belongs to Zimbra Collaboration MTA running on local network.

Mailbox Log Entry for LMTP

The next example shows a record of MailboxPurge thread purging message with ID 462 from the mailbox of [email protected] . This log message does not have ip , oip , port or via fields, because it originates from an internal process rather than from an external request.

Mailbox Log Entry for Purge

Handler Exceptions and Stack Traces

If an error occurs during the progress of an activity, a handler exception is added to the end of the log record to notify you that an event occurred during the execution of the process that disrupted the normal flow. This signals that some type of error was detected.

Sometimes a stack trace is displayed after the exceptions notification. A stack trace reports the threads and monitors in Zimbra’s mailboxd service. This information aids in debugging, because the trace shows where the error occurred. The last few entries in the stack often indicate the origin of the problem. When the caused by descriptor is included in the log line, this is the root of the error. In the example below, the error was caused by 501, bad address syntax.

Mailbox log files

The mailbox.log files rotate daily. The mailbox log files are saved in /opt/zimbra/log . Previous mailbox.log file names include the date the file was made. The log without a date is the current log file. You can back up and remove these files.

Troubleshooting Mail Problems

To review the mailbox.log for errors, search for the email address or the service that is experiencing the problem. Also, search for WARN or ERROR log levels, read the text of the message. When you find the error, review the records, tracing the events that happened before the problem was recorded.

System Crashing

When your system crashes, locate the startup message and then look for errors before the startup message date. This example shows an out-of-memory error on June 17, 2021.

Look for errors before the startup message.

Mail Delivery Problem

Locate the "LmtpServer" service. This example includes a stack trace report with a caused by explanation that the recipient address was rejected as the address must be a fully-qualified address.

Account Error - Login error

mailbox.log logs any successful or unsuccessful login attempts from IMAP, POP3 or ZWC. When you are looking for a login error, start by looking for "Auth." This example shows that someone from IP address 10.4.5.6 was trying to log in as admin on the Zimbra Classic Web App, using Firefox in a Windows OS. Permission was denied because it was not an admin account.

Account Errors - IMAP or POP related

When you are looking for a log because of an IMAP or POP issue, look for "ImapServer/Pop3Server." This example shows a fatal IMAP server error occurred while trying to connect [email protected] .

Each email message includes a header that shows the path of an email from its origin to destination. This information is used to trace a message’s route when there is a problem with the message. The Zimbra email message header can be viewed from the Zimbra Classic Web App Message view. Right-click on a message and select Show Original .

The following lines are in the message header:

Date  — The date and time the message was sent. When you specify time, you can specify range by adding start and stop time to search for messages.

From  — The name of the sender and the email address

To  — The name of the recipient and the email address. Indicates primary recipients.

Message-ID  — Unique number used for tracing mail routing

In-Reply-To  — Message ID of the message that is a reply to. Used to link related messages together.

Received: from  — The name and IP address the message was sent from. The header displays Received: from information from the MTA to the LMTP and from the local host.

Fixing Corrupted Mailbox Index

Mail messages and attachments are automatically indexed before messages are deposited in a mailbox. Each mailbox has an index file associated with it. This index file is required to retrieve search results from the mailbox.

If a mailbox’s index file becomes corrupt or is accidentally deleted, you can re-index the messages in the mailbox from the Administration Console.

Text searches on an account might or might not fail with errors when the index is corrupt. You cannot count on a user reporting a failed text search to identify that the index is corrupt. You must monitor the index log for messages about corrupt indexes. If the server detects a corrupt index, a message is logged to the Zimbra mailbox.log at the WARN logging level. The message starts with Possibly corrupt index . When this message is displayed, the administrator must correct the problem. In many cases correcting the problem might mean reindexing the mailbox.

Reindexing a mailbox’s content can take some time, depending on the number of messages in the mailbox. Users can still access their mailbox while reindexing is running, but because searches cannot return results for messages that are not indexed, searches may not find all results.

Run a sanity check on a specific mailbox index using the zmprov verifyIndex command.

If problems are detected, a failure status is returned and a repair can be performed on the index.

Use the reIndexMailbox command to repair and reindex a corrupt index.

This returns a status of started .

SNMP Monitoring and Configuration

You will probably want to implement server monitoring software in order to monitor system logs, CPU and disk usage, and other runtime information.

Zimbra Collaboration uses swatch to watch the syslog output to generate SNMP traps.

Zimbra Collaboration includes an installer package with SNMP monitoring. This package should be run on every server (Zimbra Collaboration, OpenLDAP, and Postfix) that is part of the Zimbra Collaboration configuration.

The only SNMP configuration is the destination host to which traps should be sent.

The Zimbra Collaboration error message generates SNMP traps when a service is stopped or is started. You can capture these messages using third-party SNMP monitoring software and direct selected messages to a pager or other alert system.

The MariaDB database is automatically checked weekly to verify the health of the database. This check takes about an hour. If any errors are found, a report is sent to the administrator’s account. The report name that runs the MariaDB check is zmbintegrityreport, and the crontab is automatically configured to run this report once a week.

When Zimbra Collaboration is installed, the Zimbra Collaboration software update utility is automatically configured to check for the latest Zimbra Collaboration version once a day and if there is an update, to send notification to the address that is configured in the Administration Console’s Server Updates .

The dates and times Zimbra Collaboration checked for updates is saved to the Updates tab and an email notification is sent out until you update the Zimbra version. If you do not want to receive an email notification of updates, disable Send notification email when updates are available .

You can configure the following:

Server that checks for updates  — Available servers are listed and only one server is configured. The selected server checks for updates and the result of the update response from www.zimbra.com is stored in LDAP.

Check for updates every x  — The default is to check once a day. You can change the frequency interval to check every x hours, minutes, or seconds. A cron job is configured to check for new updates. If the frequency interval is less than 2 hours, the crontab file must be modified.

Updates URL  — This address is the URL that the server connects to when checking for updates. When a Zimbra Collaboration server checks for updates, it transmits its version, platform, and build number to Zimbra. Normally, this URL is not changed.

To be notified of updates, check the Send notification email when updates are available and enter the send to and send from addresses. The default address is the administrator’s address.

A generic email is created. The subject and content of the email can be changed.

When a server polls the URL specified, the response is displayed.

The Zimbra Connector for Microsoft Outlook (ZCO) msi file is available from the Zimbra Utilities Downloads page on the Administration Console. When a newer version of ZCO is released before a new version of Zimbra, you can upload the newer ZCO msi file to the Zimbra server from the Administration Console. The file is uploaded to the /opt/zimbra/jetty/webapps/zimbra/downloads folder.

Home → Tools and Migration → Client Upload

Download the new ZCO file to a computer that you can access from Client Upload in the Administration Console

Click Browse to locate the ZCO file to upload.

Restart Zimbra:

The downloads/index.html file is updated with the latest ZCO client version. This new file can be downloaded from the ZCO link on the Administration Console Home → Tools and Migration → Download page.

Notifications and Alerts Sent by Zimbra Collaboration

This notification is sent when service are stopped or restarted.

Server Start Notification Message

Server stop notification message, disk usage notification.

A warning alert email notification is sent to the admin account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%

A script is executed to see if mysqld process is running to detect cases where corruption is likely to be caused. An email is generated if it finds more than 1 mysqld process running.

A report runs on the first of each month and warns of certificates expiring with the next 30 days.

When the logger package is installed, a daily mail report is automatically scheduled in the crontab. The report is sent daily to the administrator’s mailbox.

The MariaDB database can be checked by running the zmdbintegrityreport automatically scheduled in the crontab to run on a weekly basis. A report is sent to the administrator’s mailbox.

When configuring the type of backups that should be run, you can set up to receive notification about the results of a backup session.

Archiving and Discovery

Zimbra Archiving and Discovery is an optional feature that enables archiving of messages that were delivered to or sent by Zimbra Collaboration and to search across mailboxes.

The installation of the archiving feature provides the Zimbra Collaboration discovery tool (also known as cross mailbox search) and sets the attributes that allow archiving to be enabled on the Zimbra MTAs.

Archiving is configured on a per account basis. Each account enabled for archiving requires a Zimbra archive license. When archiving is enabled for an account, a copy of all email from or to that account is forked at the MTA and a copy of the message is delivered to a predefined archive mailbox. The archiving process is transparent to account users.

Discovery allows you to conduct a search for email messages across live and archived mailboxes and copy the results to a specified mailbox.

When a message is sent or received by a user, the message is always routed through the Postfix MTA. The Postfix MTA allows integrating software that can perform actions on messages that are in flight. When archiving is enabled for the sender or the recipient of messages, Zimbra Archiving integrates with an MTA hook and the Amavisd-New utility to fork a copy of the message.

The “ does recipient or sender have archiving enabled ” check is performed on the SMTP standard envelope and not on the From or To/Cc headers. Since checks are performed on the envelope, Bcc copies and messages sent to distribution lists are captured.

For example, if User A sends a message to User B, and if User B has archiving enabled, the MTA delivers two messages — one to User B’s mailbox and one to User B’s archive mailbox. The message received in User B’s mailbox looks normal, as shown in the following example:

The message received in User B’s archive mailbox contains additional X-Envelope-From and X-Envelope-To headers. These headers show the real email address the message was sent from and each of the email addresses that the message was sent to.

Zimbra archiving can be set up to create archiving accounts that are maintained within Zimbra Collaboration or to work with third-party archiving systems using SMTP forwarding to send messages to a third-party archive server. For third-party archiving, Zimbra Collaboration is configured to act as the forwarding agent.

The discovery feature of Archiving and Discovery is used to search across live * and archive mailboxes for email messages and attachments. The discovery tool can be run from the Administration Console and the results are copied to a target mailbox that you specify.

* A live mailbox is an account on the system other than archive accounts and system accounts.

You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. You can also create queries to search by name, dates and time ranges, distribution list, aliases.

Search results are placed in a target mailbox. You can organize your search results by creating different target mailboxes or by creating individual folders within a target mailbox for each search you run. X-zimbra-Source header information is added to each message header that is copied to the targeted mailbox. This header label includes the account ID, the account name, and the server that the account resides on.

You can see the results of the search by logging on to the target mailbox address.

Installing the Archiving Package

You can install the archiving package on an existing single-server deployment or on a multi-server deployment.

If the mailbox server and the MTA server reside on the same node, you configure and enable archiving as a single process. If your mailbox and MTA servers are on separate nodes, the zimbra-archive package is installed first on at least one mailbox server and then the archiving component is enabled on each MTA in the deployment.

The following scenario assumes that the LDAP, MTA, mailstore and archiving servers are on the same node.

Refer to the Zimbra Collaboration Single Server Installation Guide to open an SSH connection to the Zimbra Collaboration server. Log on to the server as root and run the ./install.sh command to begin the upgrade process.

Accept the license agreement and type Yes to run the upgrade.

Type Yes for zimbra-archiving when presented with the packages to be installed.

The upgrade process begins and the archiving package is installed. At this point, the Discovery feature is installed and can be used.

To enable archiving, switch to the zimbra user and enable archiving on the MTA server.

The following upgrade scenario is adding a new server that is dedicated as an archiving server to your Zimbra Collaboration environment.

Before beginning the install process, record the following information. You need this information when you install the archiving server. Run the zmlocalconfig -s command to find the information.

Refer to the Multiple-Server Installation chapter in the Zimbra Collaboration Multi-Server Installation guide for detailed steps on installing the packages.

Open an SSH connection to the mailbox server that is being configured for archiving. Log on to the server as root and unpack the Zimbra software. Run the ./install.sh command to begin the install process.

Type y and press Enter to install the following packages:

zimbra-store

zimbra-archiving

The zimbra-core package is installed by default.

Type y and press Enter to modify the system.

The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu, type x and press Enter .

Select the Common Configuration menu and configure the LDAP Hostname, LDAP password, and LDAP port.

Select the zimbra-store menu and configure the Admin password and the License file location.

Complete the installation process following the steps in the Multi-server Installation guide, under Installing Zimbra Mailbox Server.

At this point, the Discovery feature is installed and can be used.

Manage Archiving From the Administration Console

After Archiving is installed, you can set up archiving and manage it from the Administration Console.

Home → Configure → Global Settings → MTA , from Archiving Configuration check Enable archiving

Restart Zimbra from the command line

You can configure attributes in the COS to set mailbox features, quotas, and passwords, turn off spam and virus checks, and hide the archive accounts from GAL.

Home → Configure → Class of Service , from the Gear icon select New

Change Features and Preferences as required for an Archiving COS.

If you have a dedicated archive server, in the Server Pool page, deselect the archiver server from the list. In a multi-server deployment with a dedicated archive server, the server should be removed from the COS server pool so that the archive server is not randomly assigned to new accounts.

Modify the options on the Advanced page if required.

In the Archiving page, check the Enable archiving box to make this COS an archiving cos.

If you want to change the format for the naming scheme for archive accounts, modify the two template fields. See the Setting Up an Archive Account Name section for more information.

You use attributes to create and manage the naming scheme for archive accounts. You can set up these attributes either by COS or by account. For COS, these attributes can be changed from the Administration Console, COS or individual account’s Archiving page.

Account date template . Sets the date format used in the name template. The default is yyyyMMdd . Adding the date to the account name makes it easier to roll off older data from the system to backups.

Account name template . Sets up how the archive mailbox name is created. The default value is ${USER} ${DATE}@${DOMAIN}.archive .

The archive account address would be similar to the following example:

[email protected]

If you change the default value, you must use syntax that creates a valid email address. We recommend that you add .archive to all archive accounts to create archive mailboxes in a non-routable domain to prevent spoofing of the archives.

When the template based on the zimbraArchiveAccountDateTemplate attribute is set up, amavisArchiveQuarantineAccount is updated to the new template name when zmconfigarchive is run.

Administering the archive server

The amavisd-new server process controls account archiving as well as antivirus and anti-spam processes. The zmarchivectl command can be used to start, stop, restart or obtain the status of the amavisd-new server process that controls account archiving. Caution should be taken when starting or stopping the archiving process as it is a shared server process between archiving, antivirus, and anti-spam processes. Performing actions on any of them affect any of the other services that may be enabled in your deployment.

If you want to disable archiving but not antivirus or anti-spam services, disable the respective service either through the CLI or through the Administration Console.

Four attributes are related to the archive feature for accounts. Two that configure a mailbox and two template attributes to construct the archive account names.

To set up archiving for a mailbox two attributes are configured on the primary user’s mailbox. One attributed enables archiving and the second shows where messages are being archived.

Currently archived to  — The current archive address. Archiving is to a single account. If this is unset, archiving is not enabled.

Archived accounts  — Any previous and current archive addresses that this mailbox was archived to. containing all the accounts that have been archived for the given account.

Archive Mailboxes

You can create an archive mailbox with or without an assigned COS. You can also forward archive email to a third-party.

Archive accounts are created based on the Zimbra Archive name templates.

The attribute —  zimbraIsSystemResource  — is added to the archive account and set to TRUE.

The archive account is displayed in the Administration Console.

When a message is received in a mailbox with archiving enabled, a copy of the message is sent to the archive mailbox.

Log on as zimbra , and use the zmarchiveconfig command:

If the archive account is not assigned a COS, the following settings are set by default.

Mailbox quota is set to 0, unlimited quota.

Spam and virus checks are disabled.

Hide in GAL is enabled, so the archive account does not display in the GAL

If the archive account is not maintained within Zimbra Collaboration, you do not need to set a password, COS, or other attributes.

Searching Across Mailboxes

When the archiving and discovery feature is installed, you can search across mailboxes either from the Administration Console or through the command line interface.

You can assign a user to run the mailbox searches from the Administration Console by creating a delegated administrator with rights to access the mailbox search tool.

The discovery tool, Search Mail , is added to Tools and Migration on the Navigation pane when the archiving package is added. To set up a cross-mailbox search you configure the following information.

Home → Tools and Migration → Search Mail , from the Gear icon select New

Server name . The server name to be searched.

Target mailbox and folders . One target mailbox and folder are created automatically. You can use this mailbox for all your search results and create new folders for each search, or you can create a new target mailbox for each separate search.

A target mailbox is like any other mailbox and can have any features or preferences that are defined by the COS or by account. Target mailboxes are listed in the Administration Console Accounts list. You might want to give the target mailboxes account names that identify them as target mailboxes for cross-mailbox searches and configure a COS specific for target mailboxes to be able to manage access.

Limit the number of messages returned by the search . The default is 500 results.

You can select to send an email notification when the search is completed. The email notification includes the search task ID and status on the subject line and you can specify the type of information to include in the message, such as the number of messages found, the list of addresses resulting from the search and the search query used.

Select which mailboxes to search. When you check Select accounts to search , you select which account addresses to search.

Create the search query . You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. Advanced can be used to quickly create a query to search by name, dates and time ranges, distribution list, aliases.

When searching archive messages, you can search by the envelope address using the envfrom and envto query language extensions.

As the search runs, the Search Mailbox Content pane lists the search and the status. Click Refresh to update this page.

Delete the search task when it is completed because it occupies server memory. When the server is restarted, past searches are deleted.

When you use the discovery feature in the Administration Console, the tool makes copies of messages in the target mailbox you create. The messages occupy server space, increasing the size of your server. You might want to delete these messages from the target mailbox when they are no longer needed.

Legal Requests for Information

The Legal Intercept feature makes copies of email messages sent, received, or saved as drafts from targeted accounts and sends these messages to a designated “shadow” email address.

Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.

Legal Intercept Settings

The Legal Intercept feature can be configured either for a Class of Service or an individual account. The feature is configured from the CLI, using zmprov .

The only required configuration to set up Legal Intercept is to enable the feature —  zimbraInterceptAddress  — on target accounts or COS.

You can enable the attribute zimbraInterceptSendHeadersOnly to send only the header information of the email message instead of sending the complete message.

Specify the intercept address to receive intercepted messages.

If enabling intercept by COS:

If enabling Intercept for an account:

If you are going to use the default intercept message template and From address ( postmaster@<yourdomain.com>` ), a Legal Intercept is set up.

To forward the header information, instead of the complete message for an account:

An email message is automatically created to forward copies of the intercepted messages as attachments. The default message includes:

From address is “postmaster@<yourdomain.com>”

Subject line “Intercept message for < [email protected] > <interceptedmessage subject>”

Message “Intercept message for < [email protected] >. Operation=<type of message>, folder=<foldername>, folder ID=<#>”.

The cover email message can be modified. Use the following parameters to modify the email message.

Use steps in this section to change the from-name, the subject line, or text in the message body:

To change the From name:

To change the text of the Subject line:

To change the text in the message body :

Creating Mailbox Snapshots for Legal Discovery

You can create a query for the user’s mailbox using the REST URL format to search for specific types of email messages and attachments and have these messages zipped and saved to your computer. This zip file can be forwarded to a requesting law enforcement agency.

The email message appears as an .eml file name after the subject line. The attachments get saved in the format that they were delivered.

You must be logged into the Zimbra Administration Console to create the zip file. You create a query for one account at a time.

In the Administration Console address field of the browser, after the port number 7071/ , type:

home/<username>?fmt=zip&query=<searchquerystring>

Address Bar

In the above example, the search query is requesting a zip file of all accounts called user1 .

You can use any search operators supported for searching in Zimbra. For example, you can search by folder ( in:folder_name ), by sender’s name ( from:<someone> ), and you can use multiple search terms. See the Search Tips wiki page for keyword examples, https://wiki.zimbra.com/wiki/Search_Tips .

Press Enter or the arrow to create the zip. A Confirm box displays, asking if you want to navigate away from this page.

Choose where you want to save the zip file. This zip file is ready to be delivered.

Color and Logo Management

You can change the logo and base colors of the Zimbra Classic Web App themes without having to customize individual Zimbra Collaboration themes. This can be done from the administration console or the CLI.

Changing Theme Color and Logos on the Zimbra Classic Web App

Base colors for themes, and custom logos can be configured as a global setting or as a domain setting.

When the global settings are changed, the changes apply to themes on all servers.

When the domain settings are changed, the base color and logos for themes on the domain are changed.

If global settings and domain-level settings for theme base colors or logos are not identical, the domain values are displayed for the domain.

The following base colors in Zimbra Classic Web App themes can be changed:

The primary background color displayed in the client. This color is the background of the page. Variants of the color are used for buttons, background color of the Content and panes, tabs, and selection highlight. In the following image, the background color displays with the logo, the variant of the background color displays in the login area.

The secondary color is the color used for the toolbar.

The selection color is the color displayed for a selected item such as a message or an item in the Overview pane.

The foreground color is the text color displayed. The default text color is black. The text color usually does not need to be changed.

You can replace the logo with your company’s logo globally or per domain.

Graphics to Replace

The following logo files can be changed. Your logos must be the same size as specified here or the image might not display correctly. These graphic files can be saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.

Company logo that displays on the login and splash screens for Zimbra Classic Web App and the Zimbra Collaboration administration console. The dimension of the graphic must be exactly 300 x 30.

Small company logo in the upper-left of the Zimbra Classic Web App application and the administration console. The dimension of the graphic must be exactly 170 x 35.

Company Web address that links from the company logos.

Graphics not replaced

The icon that displays in the Advanced search toolbar and the favicon.ico that displays in the URL browser address field cannot be changed at this time.

On the administration console, the Global Settings and the Domains settings include a Themes page that can be configured to customize the color scheme and to add a company logo and logo URL. You upload your company logo to be used on the Zimbra Classic Web App and administration console pages.

Changing Base Theme Colors

You can either select colors from popup view of predefined colors, or enter the six-digit hexadecimal color value for an exact color match to set theme colors for the following categories:

Foreground, which is the text color.

Background, which is the primary background color displayed in the client.

Secondary, which is the color used for the toolbar and selection headers in the pane.

Selection, which is the color displayed for a selected item such as a message, right-click, or drop down menu selection.

Use the Customize the theme colors container to set colors for your theme categories:

Home → Configure → Global Settings → Themes or Home → Configure → Domains → domain → Themes

Click on the field alongside the theme category to be modified, then use the popup color selector to define the color for your selection.

You can either click directly on a color, or use the entry field to write the hexadecimal value of the color. In either case, your selection will be displayed in the field. If you opt out of your color selections, click reset all theme colors to discard your settings.

Navigating away from this page results in query for save of the settings.

Click Yes (to save) or No (to discard your settings).

Adding Your Logo

You can replace the Zimbra Collaboration logo with your company’s logo globally or per domain from the appropriate Themes page. Your logos must be the same size as specified in the Graphics to Replace section or the images might not display correctly. The graphic files are saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.

The Zimlet icon that displays in the Advanced search toolbar and the favicon.ico that displays in the URL browser address field are not changed.

Use the Customize the logo of the themes container to a logo to accompany the theme:

To change the Zimbra Classic Web App theme base colors and logos, use the zmprov command. The following attributes are configured either as a global config setting or as a domain settings. Color values are entered as a six-digit hexadecimal codes.

Changing base colors for themes

Before you begin, identify the six-digit hexadecimal base color values for the various elements you are changing. You will be using these in your command entries.

Modifying a domain

The example in this section demonstrates how to change to the following base colors:

Background color = Coral, #FF7F50

Secondary color = turquoise, #ADEAEA

Selection color = yellow, #FFFF00

Specify the skin colors: Log in as the zimbra user and use zmprov to modify the domain:

The quote marks, "" , are required so the use of the # sign does not comment out the text that follows.

Use the zmmailboxdctl command to apply the changes by restarting the mailbox server process:

Reload the Classic Web App, and Zimbra Collaboration themes for that domain should now display these colors.

Adding Your Logos

You add the company logo information and URL by modifying these the following attributes for logos:

To add logos for a domain

If logo files are saved in the Zimbra Collaboration server, they must be in a subdirectory of /opt/zimbra/jetty/webapps/zimbra .

If the logos are hosted on another machine, enter the full URL when identifying the logo.

Use steps in this section to update the logo(s) displayed over a domain:

Change the URL link:

Modify the logo display:

To change the logo displayed in the login and splash screens:

To change the logo displayed on the Zimbra Classic Web App main page:

Stop/start the server:

Customizing Modern Web App

This section is applicable only for Modern Web App.

In this section, we guide you through customizing Modern Web App and deploying your customization. We’re going to address customization by overriding dynamic layouts.

As a general rule, you can customize the following within the branding framework:

Color and border of various widgets such as Buttons, links, and Tabs

Text fonts, colors, and sizes

The basic appearance of the Modern Web App

There are several sections of the Modern Web App user interface that require a significant amount of Javascript coding to change. Customizing these segments is beyond the scope of this document:

Changing the behavior of something (e.g., a button)

Order of application tabs

Order of toolbar buttons

Adding new toolbar buttons

Adding search locations to the Search toolbar

Before we start customizing the Modern Web App, we need to create an empty Modern Web App bundle.

You should also have the following knowledge and skillsets:

Familiarity with usage of linux terminal and commands

Familiarity with basic HTML and CSS concepts and associated terminologies

Familiarity with terms like font, font size, and line-height

Familiarity with logos, images, color codes, and other styling elements

Familiarity with your organization’s branding guidelines

We first create an empty folder and its contents locally. Once done, we copy the folder to the Zimbra server.

Folder Name

Naming the folder is a crucial first step.

Keeping the folder name same as the hostname , the customizations reflect on all domains and, by extension, all the accounts on those domains.

If the folder name is the same as the domain name , the customizations appear on all accounts on that domain .

In case there is a virtual host setup, the folder name must be the domain name on which you have configured the virtual host.

For Example, consider a domain named example.com that has a virtual host mail.example.com ; in such a case, you must create a folder mail.example.com .

Log in using ssh to your Zimbra server.

Switch to user zimbra .

Run this command to get the hostname.

Run this command to get the domain name(s).

For this document, we consider mail.example.com as the folder name.

Folder contents

The folder ( mail.example.com in our case) must have the following hierarchy and contents.

The Zimbra’s Modern Web App uses the primary logo of your organization unless you specify a secondary logo.

Save the primary logo as logo.svg .

Save the secondary logo as secondarylogo.svg .

Along with the logo, you also need your organization’s emblem to use it as an icon.

Create multiple icons — of different sizes — using this emblem. Refer to the below table for the file name , size , and destination of each icon.

Consider the below Zimbra’s Modern Web App screenshot.

This labeled screenshot shows the customizable segments of Modern Web App.

Navigation bar containing the links

Left-side links on the navigation bar

Right-side links on the navigation bar

Left Sidebar

Right Sidebar

The items marked 1 , 2 , 3 , and 4 are text and links. Instructions to change them are in the section Customize Text & Links .

The colors for items marked 5 , 6 , and 7 are customizable. Instructions to change these, and other colors, are in Customize Colors & Sizes .

Copy and paste Sample config.json in mail.example.com/config.json

To change the title text ( marked 1 in Customizable components ) edit the value against "title" in Sample config.json .

To replace the text Zimbra with your organization’s name ( "Example" in this case) throughout the application, change the value against`"clientName"` in Sample config.json .

To hide and remove the Forgot Password link, set "disableForgotPassword" as "true" in Sample config.json .

To insert links and hypertext in the navigation bar ( 2 ) edit "left" ( 3 ) and "right" ( 4 ) under "nav" in Sample config.json .

To remove the navigation bar altogether remove the below snippet:

This section handles colors and sizes of fonts, logos, and sidebars — among other things.

Palette.css

This file helps you to create a palette of colors to use throughout the application.

Navigate to palette generator and enter the hex code for Primary , Secondary and Tertiary colors.

Specify hex code for colors associated with Success , Informative , Warning , and Danger messages.

Click Generate .

A ready styling template with color codes appears.

Click Copy .

Paste the contents generated in mail.example.com/palette.css .

Copy the below segment and paste as is in the mail.example.com/index.css file. Change the values to change various aspects of the Modern Web App as it appears to the user.

The various variable names used are self-explanatory. However, the below table offers a brief description. The number against some of the variables refer to the figure Customizable components .

This section helps customize certain aspects of Progressive Web App (PWA). For more information on PWAs, refer What is a Progressive Web App .

Copy and paste Sample manifest.json in mail.example.com/pwa/manifest.json .

Edit all instances of mail.example.com to the folder name as decided in the section Folder Name .

Edit "name" and "short_name" to have the same value as "title" from Sample config.json .

"name" represents the name of the web application as it appears to users in list of mobile applications.

"short_name" represents the name of the web application as it appears to users if there is not enough space to display "name" .

Set the "background_color" to background-color in Palette.css .

Set the "theme_color" to the same value as primary color in Palette.css .

This section helps you change the way Zimbra Modern Web App login page appears to users.

Before you begin login (or ssh ) on the Zimbra server.

Changing the Background Image

Copy a background image to

Open and edit

Locate the entry LoginScreen .

Replace new-back-ground-image.png with the file name of the image you just copied.

Changing the Logo

The Modern Web App references the logo it uses from :

You have to overwrite this file with the logo you prefer to use.

Rename your organization’s logo that you have as new-logo.png .

Copy this file to :

Navigate to and open the mail.example.com folder.

Edit config.json to change the version . Do not use a previously used value.

Enter a unique positive number.

Use a new value every time for your customizations to reflect on users' Modern Web App.

Enclose the text in quotes.

Save the file.

Copy mail.example.com to /opt/zimbra/jetty/webapps/zimbra/modern/clients/ on Zimbra server.

Restart Zimbra mailbox server

To apply the changes you have made, restart Zimbra’s mailbox server.

Login to your Zimbra installation as root .

Restart Zimbra’s mailbox server.

Refresh Zimbra’s Modern Web App login page to see the changes

Storage Management

Storage Management (SM) feature is where you configure storage volumes for primary, secondary data stores and indexing. SM supports local and external storage for the following providers (Amazon S3, Ceph, EMC, Netapp StorageGrid, Scality, OpenIO). SM through the scheduler also provides the ability to move older data from primary higher cost to secondary lower cost storage based on age at the scheduled time. In most instances, end users will not experience any performance differences when accessing the data stored on external storage.

Storage Management can be managed within the Administrator UI within the global and server level or from the command line.

Unified Storage

From Daffodil 10.0.5 Patch onwards, support for Unified Storage has been added in the Storage Management module.

Unified Storage is designed to streamline data management by consolidating data from multiple mailbox servers under the same directory structure within a single S3 bucket. This approach simplifies storage, enhances accessibility, and reduces operational complexity.

Unified Storage feature is suitable for you if:

Your environment is a multi-server environment with more than 1 mailbox server.

Your organization has substantial data storage and access needs benefit from the centralized, scalable approach.

In the following example, the mailbox server’s - Mailbox-1, Mailbox-2, Mailbox-3 use the same bucket on the external storage. The users - d8bd3037-38d0-4c45-ade4-a6866f2912bd, 91fee523-4841-400f-9dc9-0d1e41f4c61b, and a8bd3037-4841-400f-ade4-bf1e41f4c61h use the same directory structure irrespective of on which Mailbox server the account is hosted.

Following are some of the advantages of using Unified Storage:

Mailbox movement: Since the data from multiple mailbox servers are stored under a single S3 bucket, it becomes easier to move user’s mailboxes from one server to another without moving the data stored in S3.

Simplified Data Management: Unified Storage eliminates the need to manage multiple storage locations for mailbox servers. All data is consolidated into a single S3 bucket, making it easier to manage, and maintain.

Scalability: The unified approach allows for easier scaling as the organization grows, reducing the complexity of data expansion.

Support only S3 providers: Unified Storage is only supported on S3 providers.

Message duplication: Message duplication is lost and is not supported when data is moved to external S3.

The Unified Storage based volume can be created through Administrator UI or CLI.

To optimize the utilization of the feature, when creating an external volume with S3, it is essential to ensure that the same volume path (same volumePrefix) is consistently set across all mailbox servers.

Administrator UI

When creating volumes through Home → Configure → Server → Storage Management → Manage Volumes → Add , select Unified Storage checkbox which will enable Unified Storage feature.

Please refer to External Storage Type section for detailed steps on creating volumes through Administrator UI.

An option --unified or -un can be used with zmvolume command to enable Unified Storage feature.

Please refer to External volume for S3 section for detailed steps on creating S3 volumes through CLI

Volume Management

On a server’s Storage management page you can manage storage volumes on each Zimbra Mailbox server:

When Zimbra Collaboration Server is installed, one index volume and one message volume are configured on each mailbox server.

The Index volume is /opt/zimbra/index

The Message volume is /opt/zimbra/store

Within the Storage Management location, you can add new volumes, set the volume type, and set the compression threshold.

Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent directory on the current index volume. When an account is created, the current index volume is automatically defined for the account. You cannot change which index volume the account is assigned.

As volumes become full, you can create a new current index volume for new accounts. You can add new volumes, set the volume type, and set the compression threshold.

Index volumes not marked current are still actively in use for the accounts assigned to them. Any index volume that is referenced by a mailbox as its index volume cannot be deleted.

When a new message is delivered or created, the message is saved in the current message volume. Message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.

A current volume cannot be deleted, and message volumes that have messages referencing the volume cannot be deleted.

Admin Console: Storage Management Page

The Storage Management page contains five sections:

Manage Volumes section shows all configured and allows the Admin the ability to create, edit and delete volumes.

Volume Name is the name that is assigned to each volume. The initial volumes are named index1 and message1.

Volume Root Path is the location in the file system where volume data is stored.

Volume Type defines the type of volume that was set when the volume was created. It can be set to index, primary or secondary and once set, it can not be changed.

Compress Blobs When this box is checked, message blobs whose size is above the compression threshold are compressed. If blob compression is turned on, the disk space used is decreased. Note : Turning on blob compression also increases memory requirements for the server.

Compression Threshold . Messages larger than the threshold are compressed. The default threshold is 4096 bytes.

Current defines which volume is currently set to default with a check mark.

Assign Current Volumes section is the location where you will set which volume will be currently used for primary message, secondary message, or index volume’s.

Current primary message volume The current primary volume name. New messages are saved in this current message volume.

Current secondary message volume The current secondary message volume name. Older data is stored on the secondary message volume.

Current index volume . The current index volume name. As volumes become full, you can create a new current index volume for new accounts

Storage Management Policies Section:

SM Session Scheduling gives the Admin the ability to enable and schedule when the SM policy will occur on a daily bases.

Manage SM Session gives the Admin the ability to manually execute the Storage Management policies.

Item to Move section defines the SM policies used to manage when data is migrated from the primary to secondary store. SM policies can be set at the global or on each mailbox server.

Types of items to move . You can select messages, tasks, appointments, contacts, and briefcase items to move from a primary volume to the current secondary volume.

Move items older than. The default global SM policy is to move messages and files more than 30 days old to the secondary volume. The age of items to be moved can be specified by a number of days, months, weeks, hours, or minutes.

Policy String . You can use the search query language to set up other SM policies. For example, if you wanted all messages marked as junk to be included in messages moved to the current secondary volume, you would add the following to the policy: message:in:junk before:-[x] days .

Zimbra provides two types of volume that can be configured and linked for data storage.

Internal Storage Type

Internal Storage Type is the store located on the zimbra Servers.

For adding the Internal storage volume follow the below steps:

Go to Home → Configure → Server → Storage Management

Scroll to Manage Volumes , then click on Add button.

Select Volume as Internal . Click Next .

Select the appropriate volume type i.e. Primary, Secondary, or Index.

Enter the volume name and volume root path .

If you want to compress blobs, check Compress Blobs and set the Compression Threshold .

Use custom store manager is the optional field. Do not click on Enable checkbox if you want to use the default zimbra store manager.

Compress Blobs: When this box is checked, message blobs whose size is above the compression threshold is compressed. If blob compression is turned on, the disk space used is decreased.

Compression Threshold: Messages that exceed the defined threshold are compressed. The default threshold is 4096 bytes.

External Storage Type

External storage type is storage that is accessible locally but which is hosted externally from the mailbox server. Currently Zimbra supports the following providers:

Custom S3 - Option to create any unsupported external storage.

NetApp StorageGrid.

Following are the steps to add the Amazon S3 Storage:

Go to Home → Configure → Servers .

Select the server, right-click and select Edit .

Go to Storage Management → Manage Volumes page and click on Add button.

Select provider Amazon S3 . Click Next .

Select the Volume Type . i.e. Primary or Secondary.

Enter the Volume Name , Volume Prefix .

For add an S3 compatible bucket . Click on Create a new bucket .

Enter the Bucket name, Access key, Secret, Destination path and URL

Select the appropriate Region and click Next .

The bucket will be created once it is validated successfully.

Select the created bucket from the S3 compatible bucket dropdown.

Select the checkbox to enable the Infrequent access. Enter the threshold for infrequent access. Optionally you can select the checkbox to enable the Intelligent tiering.

Infrequent Access: S3 Standard-IA is for data accessed less frequently but requires rapid access when needed.

Infrequent Access Threshold: The threshold is used to set any file larger than the Infrequent Access Threshold value for this storage class.

Intelligent Tiering: This will set the appropriate Intelligent Tiering flag on all files of the volume.

Click Finish to add the Amazon S3 storage type.

Following are the steps to add the Ceph Storage:

Select provider Ceph . Click Next .

Select the Volume Type . i.e. Primary or Secondary

Click Finish to add the Ceph storage.

Following are the steps to add the Custom S3 Storage:

Select provider Custom S3 . Click Next .

Click Finish to add the Custom S3 storage.

Following are the steps to add the EMC Storage:

Select provider EMC . Click Next .

Click Finish to add the EMC storage.

NetApp StorageGrid

Following are the steps to add the NetApp StorageGrid:

Select provider NetApp StorageGrid . Click Next .

Select the cretaed bucket from the S3 compatible Bucket dropdown.

Click Finish to add the NetApp StorageGrid storage.

Following are the steps to add the OpenIO storage:

Select Volume Type as OpenIO . Click Next .

Enter the Volume Name, URL, Account, Namespace, Proxy Port and Account Port .

Click Finish to add the OpenIO storage.

Following are the steps to add the Scality Storage:

Select provider Scality . Click Next .

Click Finish to add the Scality storage.

Before you can assign an SM volume, the volume must exist. Please refer to Adding a New Storage Volume to the Servers for an overview on adding volumes. Once the volume has been created, follow the below steps:

Scroll to Assign Current Volumes section

Click the dropdown list for Current secondary message volume and select the appropriate volume.

The selected volume is now configured as the Secondary message volume.

After the new volume has been set to Secondary Message volume, messages will be moved to the secondary storage volume based on the SM policy.

Each Zimbra mailbox Servers is configured with one primary message volume and an index volume. Refer to Volume Management section for more details. Additionally the Zimbra Data Store configuration allows the creation of new primary, secondary and index stores.

To access the volume page, follow the below steps.

By default, the Index and Primary Data volumes are configured.

Storage Management Policy is a process of moving older data to a secondary storage device. To manage your email storage resources, you can implement an SM policy that defines what items are moved and at what age they should be moved. Messages and attachments are moved from a primary volume to the current secondary volume based on the age of the message. The messages are still accessible. Users are not aware of any change and do not see any noticeable differences when opening older items that have been moved.

You can implement the SM policy globally or at the server level.

The policy configured within individual servers overrides the global policy.

The default global SM policy moves messages and briefcase files (over 30 days from the date of receipt) to the secondary volume. Also, you can move the tasks, appointments, contacts, and notes manually.

You can change the 30-day age policy to a specific age of months, weeks, hours, or minutes.

Setup or Editing SM Policies

Within the storage management window within the Global or Server level, scroll to Items to Move and edit or create a new rule by:

Selecting on the existing rule then clicking Edit or clicking Add .

Select or modify the policies you wish to assign.

The following are the rules that can be configured when creating or editing a policy rule.

Delete the Existing Policy

Deleting an existing policy will remove the rule from future runs of SM Sessions.

To delete an existing policy, select the policy you want to delete.

Click the Delete button.

Select Yes .

If a rule was accidentally deleted, recreating the rule will be applied to all data within the define configuration at the next SM session. If an SM session is initiated manually, please be aware there could be higher server and IO load.

Storage Management CLI Utilities

The zms3config is the CLI utility to manage the Global S3 buckets which can be shared across mailstore nodes. Bucket configurations can be created from any node and it is available across the nodes.

Here are some of the important aspects of S3 Global Configurations:

The bucket name should be unique within the provider.

The same bucket can be used for multiple volumes, just follow different paths (check volume prefix option in zmvolume command) for each volume.

Following providers are supported: Amazon AWS, Ceph, Custom S3, EMC, NetApp-StorageGrid, OpenIO and Scality

Add S3 Configuration

To create an AWS bucket configuration with long option names, use the command:

To create a Ceph bucket configuration with short option names, use the command:

To create a Custom S3 bucket configuration with short option names, use the command:

To create a EMC bucket configuration with short option names, use the command:

To create a StorageGrid bucket configuration with short option names, use the command:

To create a Scality bucket configuration with short option names, use the command:

List S3 bucket configuration

List all the S3 buckets which are configured on the setup.

Delete S3 Configuration

The zmvolume command is used to create, edit and delete storage volumes. It supports creating Internal and External volumes. Internal volume is the default storage which is located on server directory whereas external volume uses S3 buckets/OpenIO setup provided by external store providers.

Description

Add new volume, internal volume.

To create Internal volume the required parameters are -n, -t, and -p , and the optional parameters are -c, -ct, and -st .

External volume for OpenIO

To create a primary or secondary OpenIO volume, execute the following command:

External volume for S3

To create a primary or secondary S3 (Amazon S3, NetApp StorageGrid, Ceph) volume, execute the following command:

To create a primary or secondary S3 (Amazon S3, NetApp StorageGrid, Ceph) volume with Unified Storage support, execute the following command:

Edit a Volume

Admin can edit all the parameters of the internal volumes used when creating it:

External volume

Only the name of the external volume can be edited:

List Volume

To list all the volumes created:

Delete a Volume

Set current volume.

Sets the volume id as the current volume to be used as per the configured volume type:

Display current volume:

Display Primary and Secondary volume details set as current:

Turn off secondary

To disable the secondary volume:

Help section

To display the help section:

The zmschedulesmpolicy command is used for scheduling a Storage Management poilcy execution. To track the progress of the SM session, use the zmhsm -u command.

The scheduler supports a single SM session which can contain a single or multiple policies. If a new SM session is scheduled, it will override the existing session, if one exists.

The scheduled SM policy will execute once a day at the scheduled time and will execute every day until it is removed.

The time format used for scheduling a session is a 24-hour format. Minutes can not be specified while scheduling the SM session.

Even if the admin hasn’t defined any policy, a default global policy i.e. message, document:before:-30days will be executed while starting an SM session manually.

Help - zmchedulesmpolicy

Prints help page:

List - Print the current scheduled SM policy

List the schedule SM policy execution. If there is no output regarding the scheduled SM policy it means no SM policy is currently scheduled.

Flush/Cancel - Remove the current scheduled SM policy

The current scheduled SM policy is cancelled if available.

Add/Edit - Schedule SM policy at a specified time

It accepts 24-hour format time as an argument which is a time to schedule SM policy.

This option will schedule a new SM policy if there are no scheduled policy execution or edit the existing schedule.

The zmhsm command is used to start, stop, abort and view the status of an SM session. SM session executes on the SM policy created for the particular server and starts moving blobs from the primary volume to the current secondary volume.

Start the SM Session

To start the SM session, execute the following command:

Abort the SM Session

To initiate the SM abort sequence, execute the following command:

Status of SM session

To view the SM status, execute the following command:

It only shows the last SM session status. Following are some examples:

The Storage Management(SM) Policy is a set of rules that will be applied to define what items will be moved from the Primary Store to the Secondary Store when the zmhsm command is triggered, either manually or by scheduling zmchedulesmpolicy .

SM policies can be configured at global and server levels, since it is stored in the global and server LDAP attribute zimbraHSMPolicy .

Configure at Global Level (Default policies)

Use + prefix with the zimbraHSMPolicy attribute when adding multiple policies to the attribute.

When multiple values are desired, the attribute can also be specified multiple times in a single provisioning command.

Server level Policies

A similar format can also be used to set up the policies at the server level.

Custom Storage Manager

The Zimbra StoreManager SDK is used to connect Zimbra to external data storage which is not available in Storage Management feature. By default, Zimbra uses a StoreManager implementation which writes files to local disk. Using this SDK it is possible to write files to a cloud data storage provider, a remote database, or any other storage technology.

zimbra_class_store

The zimbra_class_store zmlocalconfig option configures the class used for the StoreManager. The default StoreManager class is the standard filesystem-based blob store:

This class can be replaced with a custom class to write the message blobs to the Store Manager of choice.

zmlocalconfig options

Configuration example.

Copy zimbra-extns-storemanager.jar to /opt/zimbra/lib/ext/storemanager dir

Restart server

Perform any write operations such as sending mail, uploading files, etc. Blobs should be written to /tmp/examplestore/blobs

The minimum code for integration requires overriding ExternalStoreManager and implementing ExternalBlobIO. This interface contains methods for writing data, reading data, and deleting data.

Here is an example of a minimalist StoreManager implementation which writes to local disk using java.io.File and related classes. The details of getNewFile() are omitted for brevity and would typically involve creating a new empty file in a predefined directory.

This class also overrides three methods from ExternalStoreManager

startup() - called during initialization, can be used to setup any paths, background threads, or other resources needed by the store implementation. Must call super.startup() to initialize parent resources

shutdown() - called during application shutdown, can be used to cleanup any temporary resources and terminate background threads. Must call super.shutdown() to cleanup parent resources

isCentralized() - A boolean value which is used in multi-server configurations. If true then the store is global and locators from one Zimbra server can be accessed from another Zimbra server, otherwise locators are only valid within the server where they are created. An example of a centralized store would be a cloud file storage system, and an example of a non-centralized store would be a local filesystem

Another common use case is writing to an external HTTP API, i.e. a cloud file store. If the HTTP API allows anonymous uploads, this can be accomplished by extending HttpStoreManager. The implementor need only provide the code for the methods which define the URL which is used to POST new content, the process of extracting the HTTP server’s unique identifier from the POST response, and the URLs for getting and deleting previously stored content. The Zimbra Mailbox object is provided for optional usage; depending on the HTTP API semantics it can be used to construct part of the URL, or it can be ignored. The size, SHA-256 digest, and Mailbox object are provided in the getLocator() method, as is the Apache Commons HttpClient PostMethod which can be used to extract response headers and the response body. For complete details on HttpClient see http://hc.apache.org/httpclient-3.x/

The full listing of HttpStoreManager is below. Note that isCentralized() returns true since there will typically be a single HTTP store which all Zimbra servers connect to. The store must generate globally unique locators which can be accessed from any Zimbra server.

Some external storage systems may maintain identifiers based on data content. For example, a store may use SHA-256 or another hash as the primary key for stored objects. The ContentAddressableStoreManager abstract class may be used as a starting point for integration with this type of store.

The implementer must provide code to generate a byte[] hash and a String locator.

Here is an example implementation which uses SHA-256 as the hash and appends .blob to generate the locator.

The full listing of ContentAddressableStoreManager is below. Several methods from ExternalStoreManager are overridden so the content locator can be included in the upstream write requests.

In the Octopus REST API it is possible for clients to partially upload documents and then resume them later. With a default ExternalStoreManager implementation, the blobs are staged within the Octopus server and only sent to the external store once fully uploaded. This can lead to undesirable delay for the client upon completion of an upload. In order to optimize this process, integrators may implement the ExternalResumableUpload interface, then provide ExternalResumableIncomingBlob and ExternalResumableOutputStream implementation which interacts with the store in a resumable manner.

The following example illustrates the key functionality involved in resumable upload. The example is intentionally arbitrary and uses local disk storage.

Zimbra Mobile Sync

Zimbra Mobile Sync provides over-the-air synchronization of mail, contacts, calendar and task data and device security policy enforcement between the mobile device and an account on the mailbox server.

Active Sync is a synchronization protocol defined by Microsoft. It is used to configure and sync the Zimbra mailbox server with the native client that is used on a user’s device.

Zimbra Mobile Sync is compatible with iPhone, iPod Touch, Android, Outlook (Mac and Windows), and many other phones that support the ActiveSync™ protocol.

Following are the highlights of Zimbra ActiveSync:

Supports protocol versions 12.1, 14.1 and 16.1 .

Full sync support for Draft, Mail, Calendar and Contacts .

Supports Allow Block Quarantine Devices (a.k.a ABQ).

Supports Mobile Device Management (a.k.a MDM).

Supports configuring user-level ActiveSync protocol version.

Calendar Features :

Supports syncing of appointments created on Android, iOS (Changes to invitees, date/time, etc).

Support for recurring appointments (Modifying exceptions, whole series).

For Shared Calendar, supports modifications, permissions, etc.

Sharing Features :

Sharing support is available for Mail, Calendar, and Contact folders. By default the sharing is disabled. Following are the attributes to enable sharing:

zimbraMobileShareMailEnabled : Attribute to enable Mail folders sharing. Supported on cos and account levels. zimbraMobileShareCalendarEnabled : Attribute to enable Calendar sharing. Supported on cos and account levels. zimbraMobileShareContactEnabled : Attribute to enable Contact folders sharing. Supported on cos and account levels.

Following are the commands to enable sharing:

Mail folder sharing:

To enable for user:

To enable for cos:

Calendar folder sharing:

Contact folder sharing:

Setting the ActiveSync protocol versions

Administrators can limit users' access to a specific ActiveSync protocol version by configuring it at the user, cos, and domain levels. A multi-value LDAP attribute zimbraActiveSyncVersion is used to configure the protocol version. By default, no protocol version is set for this attribute. Any version updates for this attribute will override the local config attribute zimbra_activesync_versions . It supports applying the version based on user agent, device Id, or device type .

Following are the details on the format to specify the versions:

android:14.1 - The android device will be connected over the 14.1 version.

iphone:16.1 - iPhone device will be connected over the 16.1 version.

14.1 - All device types will be connected over the 14.1 version.

DeviceID:14.1 - Replace DeviceID with the actual device id. The specified device id will be connected over the 14.1 version.

WindowsMail:14.0 - For apps sending user agent as WindowsMail , it will be connected over 14.0 version.

To restrict a user to version 14.1 who is using an android device:

To restrict a user by device id to version 16.0:

To restrict users in cos to version 14.1 who are using an android device:

To restrict users in a domain to version 16.0 who are using an iPhone device:

To restrict all the users in a domain to version 16.0 who are using any device:

Mobile Device Security Policies

The administrator can configure mobile security policies to enforce security rules on compliant mobile devices that sync with Zimbra Collaboration accounts.

The following features can be configured to enhance the security of mobile devices.

Remote wipe to erase all data from the device if the mobile device is lost or stolen.

Device password policies to set up strong password enforcement including minimum password length, inactivity time, enforce password history, and wipe device after configured failed sign in attempts

S/MIME encryption policies to enable S/MIME usage and set the policies for sending and signing encrypted messages.

In addition, you can manage the following device usage options:

Sync settings for past calendar and email items, message size, formatting

Device settings, such as cameras, desktop sync, bluetooth, use of removable storage can be disabled.

You can manage mobile device policies from the administration console as a Class of Service or for individual accounts.

The policy configured on an individual account overrides the COS policy.

To set mobile policies from a COS, go to the Configure → Class of Service and double-click the COS you want to configure.

In order for mobile devices to sync to Zimbra, check Mobile → General → Enable Mobile Sync .

Check Enable Mobile Policy to set up mobile security policies that enforce security rules.

To support older devices that do not support some or all device security policies, check Allow non-provisionable devices.

If a device does not acknowledge or support all assigned policies, but you want to allow the device to download messages, check Allow partial policy enforcement on devices .

The refresh interval for policy refresh on a device’s default setting is 24 hours.

Configure the appropriate policies in the other sections. See Mobile Device Security Policies Attributes for a description of the settings you can configure. Managing Mobile Devices

Click Save.

The following attributes can be configured from the administration console to establish mobile policies.

General Settings

Password Settings

S/MIME Settings

Sync Settings

Device Settings

Device Applications

Approved Application Lists

Mobile Device Management

After the mobile policy is set up, the next time a mobile device sends a request to the server, mobile devices that are capable of enforcing security policies automatically set up the rules and immediately enforces them.

For example, if a password has not been set up on the device or the password is not as strong as required by the mobile policy, the user must fix the password before syncing with the server. Once the server confirms that the policy is enforced on the mobile device, the device can sync.

If a mobile device is lost or stolen, the device is protected by the following policy rules:

When the Password re-entry required after inactivity (min) is configured, after the number of minutes configured, the device is locked. To unlock the device, users must re enter their password.

When the Failure attempts allowed is configured, after the password is entered incorrectly more than the specified number of times, a locally (generated by the device) initiated wipe of the device is performed. This erases all data on the device.

In addition to the rules set up from the administration console to perform a local device wipe, users can initiate a remote wipe from their ZWC account to erase all data on lost, stolen, or retired devices.

Zimbra Mobile Device Management (a.k.a MDM) functionality is also found within the Admin Console where the mobile devices can be managed at the Global, COS, Domain and Account levels:

Mobile policy and registered device management settings are located within COS’s and Account.

Only the registered device management settings is available within the Global and Domain sections.

Device Management Allow/Block Rules supports regular expression rules which can be created to allow or block devices from connecting to the Zimbra Collaboration server. These rules are applied using the command line and can be created at the global or domain level by using zimbraMobileAllowedDevices and zimbraMobileBlockedDevices multi-valued attributes. These attributes can be set at the Global or Domain level.

zimbraMobileAllowedDevices

Only devices that match what is configured within zimbraMobileAllowedDevices will be allowed to sync using the Activesync protocol, all other devices will be blocked. For example, if iPhone * is configured, then only devices that report as iPhone~ will be permitted to sync.

zimbraMobileBlockedDevices

Only devices that match what is configured within zimbraMobileBlockedDevices will be blocked , all other devices will be allowed to connect. For example, if iPhone * is added, then all devices that reports as iPhone~ will be blocked, and all other devices such as Android, and Windows will be permitted to sync.

Command Line Examples

The following are examples of how to create Allow and Block rules from the command line at the Global and Domain level:

Block only iPhone devices:

Allow only iPhone devices:

List all existing Allow or Blocked Rules at the global level:

A quarantine notification can be configured for a specific time interval for all new quarantined devices. This will need to be configured on each mailbox server using zmlocalconfig command.

Following are the attributes used to configure the notification email body and subject:

zimbra_mobile_mdm_notification_email_body : Attribute used to customize the notification email body. If not set, default body will be used.

zimbra_mobile_mdm_notification_email_subject : Attribute used to customize the notification email subject. If not set, default body will be used.

To view the email body, execute:

To change the notification email body, execute:

To view the notification email subject, execute:

To change the notification email subject, execute:

Setting the Quarantine Notification Interval

The zmmdmmailschedule command is used for setting the notification interval. By default, there is no notification interval set.

Syntax to edit the notification intervals:

CLI examples to set the notification intervals:

Minutes : To set the quarantine notification to be sent to [email protected] at every 45 minutes, execute the following command:

Hours : To set the quarantine notification to be sent to [email protected] at every 6 hours, execute the following command:

Day : To set the quarantine notification to be sent to [email protected] at every 3 days, execute the following command:

Zero : To disable quarantine notification, execute the following command:

flush : To remove the quarantine notification schedule, execute the following command:

The Registered Devices section enables the Admin to take various action for the user.

Following are the supported actions

Wipe Pending . Once the action is completed successfully, the status is changed to Wipe Completed .

Cancel Wipe

Cancel’s the Wipe Device operation.

Waiting for Device

Blocks the device and removes the synced messages from the device.

Remove Account

Removes the account from the mobile

Remove account pending . Once the account is removed successfully, the status is changed to Account Removed .

Cancel Remove Account

Cancels the Remove Account operation.

Once the device connects and syncs emails, the status is changed to Active .

Zimbra supports the Autodiscover service so that users can provision mobile devices for their Zimbra accounts without having to know the server settings. Autodiscover returns the required server settings after users enter their email address and password.

Autodiscover is enabled by default. For autodiscover to work, you must configure a valid SSL certificate from a certification authority.

The recommended type of certificate to use is a Unified Communications Certificate or UCC. This certificate lets you add multiple host names in the Subject Alternative Name field. For autodiscover to work, the Subject Alternative Name field must include the hostnames users are connecting to.

You must have a valid domain name service (DNS SRV record) for autodiscover.<domain>.com so that the client devices can locate and connect to the autodiscover service.

Use the Install Certificates wizard on the administration console to generate the certificate signing request and to install the signed certificate when received. Unified Communications Certificates can be issued by many certification authorities.

When you complete the request you must have a valid domain name service (DNS SRV record) for autodiscover.<domain>.com . Configure the Subject Alternative Name (SAN) field with the valid domain names that you use. The alternative name should include the domain autodiscover.<company>.com. Include all the domain names required for your environment in the Subject Alternative Name field.

Mobile sync is enabled either in the COS profiles for the account or on individual accounts. In most cases, no additional plug-ins are required.

Users might need to configure the following on their in the mobile device to sync to their Zimbra account if they don’t have auto discover.

Server name (address) : Enter the fully qualified host name of the user’s Zimbra Collaboration mailbox server.

User name : Enter the user’s primary Zimbra Collaboration account name.

Domain : Enter the user’s Zimbra Collaboration domain name (DNS).

SSL certificate from the server might have to be added to the device as trusted if SSL is used when the certification is self-signed.

Users can sync their Zimbra account to their mobile device. They can send email, create appointments, and add contacts to their address book.

For details about specific device setup, see the Mobile Device Setup pages on the Zimbra Wiki.

If a mobile device is locked by the Zimbra Collaboration mobile password policy, the PIN requirement must be removed to resync the device.

In the administration console, open the user account to be modified.

On the Mobile page, uncheck Force pin on device . After the password policy has been disabled, the user must resync the device.

Users can directly manage the following device functions.

Perform a remote wipe of a device. If a mobile device is lost, stolen, or no longer being used, users can initiate a remote wipe from their ZWC account to erase all data from the mobile device. The device is returned to its original factory settings.

Suspend a sync that has been initiated from the mobile device and resume the sync to the device.

Delete the device from their list. If a device is deleted from the list and the device attempts to sync after that, the server forces the device to fetch the the policy again on the next sync.

Backup and Restore

Zimbra Collaboration includes a configurable backup manager that resides on every Zimbra Collaboration server and performs both backup and restore functions. You do not have to stop the Zimbra Collaboration server in order to run the backup process.

This chapter describes how data is backed up and restored and how to use the the Admin User Interface (Admin Console) and CLI tools to backup or restore your Zimbra Collaboration mailbox server. In addition, this chapter also provides information and general guidelines for disaster recovery.

Zimbra Collaboration includes a configurable backup manager that resides on every Zimbra Collaboration server and performs both backup and restore functions. You do not have to stop the Zimbra Collaboration server in order to run the backup process. The backup manager can be used to restore a single user, rather than having to restore the entire system in the event that one user’s mailbox becomes corrupted. Full and incremental backups are saved in /opt/zimbra/backup .

Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup.

When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.

When the current redo log file size reaches 100MB, the current redo log rolls over to an archive directory. At that point, the server starts a new redo log. All uncommitted transactions from the previous redo log are preserved. In the case of a crash, when the server restarts, the current redo logs are read to re-apply any uncommitted transactions.

When an incremental backup is run, the redo logs are moved from the archive to the backup directory.

Backup Methods

Two backup methods are available:

The auto-grouped backup method is the default method which will backup a subset of accounts each day.

The standard backup method is appropriate for customers who want to backup all accounts on the same day

Auto-Grouped and Standard Backup will perform a full backup process backing up all the information needed to restore mailboxes, including the LDAP directory server, database, index directory, and message directory for each mailbox.

The LDAP directory is backed up as part of either the full or incremental backup process. All accounts, domains, servers, COS, and other data are backed up.

Each mailbox server generates redo logs that contain every transaction processed by that server. If an unexpected shutdown occurs to the server, the redo logs are used for the following:

To ensure that no uncommitted transactions remain, the server reads the current redo log upon startup and re-executes and completes any uncommitted transactions.

To recover data written since the last full backup in the event of a server failure.

When backing up shared messages, if a file representing a message already exists in the daily backup, it flags this object as such and does not copy its content again.

If the Auto-Grouped or incremental backup process finds no previous full backup for a mailbox, a full backup is performed on that mailbox.

Auto-grouped backups combine full and incremental backup functions, there is no need for incremental backups.

Auto-grouped and incremental backups move the redo logs to the backup directory. The redo logs are a journal of every activity that has taken place. They contain a full copy of all messages delivered, as well as metadata such as tags, contacts, and conversations.

These backup files can be used to restore the complete mailbox server or individual mailboxes so that account and message data is completely restored.

The Zimbra MTA is not backed up, as the data is only on the server for a very short time.

Custom configurations — such as mailboxd’s `jetty/etc/*.xml — are not backed up.

Auto-grouped backup method runs a full backup for a different group of mailboxes then gathers the redo logs for the remaining accounts on each mailbox server. It is not recommended to run auto-grouped backups manually since they are scheduled from the CLI and run automatically at the scheduled time.

Standard backup method runs a weekly full backup for each mailbox server, then an incremental backup will occur the remaining days defined within the scheduler. This method is useful for smaller installations under 400 users.

Backup Notification

A backup report is sent to the admin mailbox when full and incremental backups are performed. This report shows the success or failure of the backup and includes information about when the backup started and ended, the number of accounts backed up and redo log sequence range.

If the backup failed, additional error information is included.

The backup destination is known as a backup target. To the backup system, it is a path in the file system of the mail server. The Zimbra default backup directory is /opt/zimbra/backup .

The backup directory structure created by the standard backup process is shown in Standard Backup directory structure . You can run regularly scheduled backups to the same target area without overwriting previous backup sessions.

The accounts.xml file lists all accounts that are in all the backups combined. For each account, this file shows the account ID, the email address, and the label of the latest full backup for that account. If you save your backup sessions to another location, you must also save the latest accounts.xml file to that location. The accounts.xml file is used to look up the latest full Backup for an account during restore. If the accounts.xml file is missing you must specify the backup label to restore from.

The redo log directory is located at /opt/zimbra/redolog/redo.log . When the current redo log file size reaches 100MB, the current redo log rolls over to an archive directory, /opt/zimbra/redolog/archive . At this point the server starts a new redo log. All uncommitted transactions from the previous redo log are preserved. In the case of a crash, when the server restarts, the current redo logs are read to re-apply any uncommitted transactions.

Redo operations are time critical, therefore a directory move is performed instead of a copy-then-delete function. This directory move can only be performed if the source and destination paths are on the same file system volume. In other words, the redo log and redo-archive log must be on the same file system volume because the archive files are a subdirectory of the redo log file system.

All incremental and auto-grouped backup sessions must be saved to the same directory as all the redo logs must be found in the same backup target. Standard full backup sessions can use a different target directory.

Backup and Restore Using the Administration Console

Many of the backup and restore tasks can be run directly from the Administration Console. You can configure them at the global or server level where server level configuration will override global settings. The Administrator Backup & Recovery location are located at:

Global Backup Configuration

Server Backup Configuration

Backup Management and Restore

Backups can be configured from the Administration Console as a global settings configuration and or as a server-specific configuration. Server settings override global settings. Global settings are by default applicable for every server, until overridden by the server.

Backup/Restore

Enable Backups - When set to TRUE , enables backup globally and initialize current global and server configurations to create and manage backups.

LDAP attribute - zimbraGlobalBackupEnabled

Default value - TRUE

Type of backup - Auto-grouped or Standard backup

LDAP attribute - zimbraBackupMode

Default value - Auto-Grouped

Days to retain full backup - The number of days backups will be kept. Backup Scheduler deletes backups older than the set value.

LDAP attribute - zimbraBackupRetentionDays

Default value - 8

Throttling automatic backups - The auto-grouped backup method automatically backs up mailboxes that have never been backed up when the next backup is scheduled. This might not be the best option every time a full backup is required on all mailboxes, such as immediately after massive mailbox migrations or after a major upgrade. Enabling this option limits the mailbox count in a daily backup to T/N. This breaks the constraint of backing up all mailboxes in N days, but it helps backup to finish during off hours.

When all mailboxes are backed up at least once, disable throttling:

Scheduling hours - Daily backup start time which is configurable using hours and minutes.

LDAP attribute - zimbraBackupStartTime

Default value - 01:00

Default backup target - The default path to store the created backups.

LDAP attribute - zimbraBackupTarget

Default value - /opt/zimbra/backup

Prefix for notification email subject - Subject used within backup notification emails.

LDAP attribute - zimbraBackupReportEmailSubjectPrefix

Backup minimum free space - Configuring the zimbraBackupMinFreeSpace attribute helps you manage running backup session by notifying you. Set the value for attribute zimbraBackupMinFreeSpace to the amount of free space required on the backup target disk before a backup session is run. If the disk has less space than the value set in the attribute, the back up session will not run and an email notification is sent to the administrator. If you are also backing up the MariaDB database, make sure you set the value large enough to include the myslqdump file size. The value for this attribute can be specified as a percentage of the total disk space, for example 25% , or as a number of bytes, for example 300MB , 50GB , etc. The default value is 0 , meaning the check is disabled and backup is always allowed to start.

LDAP attribute - zimbraBackupMinFreeSpace

Notifications

In the global settings, you can configure the email addresses to receive notification about the results of the backup. The default is to send the notification to the admin account.

LDAP attributes

zimbraMailReportEnabled

zimbraBackupReportEmailSender

zimbraBackupReportEmailRecipients

You can configure these backup options so that search indexes, blobs, and SM blobs are not backed up during a full backup session.

Exclude blobs - If this is set to TRUE , blobs are not backed up. This might be useful for getting a quicker backup of just database data when the blobs reside on fault-tolerant storage. This configuration applies to all blobs, those on the primary volumes as well as secondary (SM) volumes.

LDAP attribute - zimbraBackupSkipBlobs

Default value - FALSE

Exclude blobs on SM volumes - If this is set to TRUE , blobs on SM volumes are not backed up. Set this if zimbraBackupSkipBlobs is FALSE but you want to skip blobs on SM volumes.

LDAP attribute - zimbraBackupSkipHsmBlobs

Compress blobs in zip format - Blobs inside a backup are compressed by default in zip format.

zip - blobs are backed up into zip files with compression (default).

zipStore - blobs are backed up into zip files without compression.

noZip - blobs are backed up as individual files rather in zip files.

LDAP attribute - zimbraBackupBlobsCompressType

Default - zip

Exclude search index - When set to TRUE , the search index for all accounts will be excluded from the backup. If an account is restored, index will need to be recreated. after restoring from a backup without the search index.

LDAP attribute - zimbraBackupSkipSearchIndex

Selecting users for backup

Select user for backup section provides the ability to backup one or more COS’s, Domain’s or all accounts. The following are key items to know:

This configuration will apply to all mailbox stores but can be overridden through the command-line.

An account can be flagged to be backed-up within a COS and Domain but will only be backup once.

When enabling 'Domain and COS', zimbraBackupObjectLevelEnabled will be set to TRUE which enables Domain, COS, account backups in useBackupConfig within zmschedulebackup command. When selecting 'All Users' zimbraBackupObjectLevelEnabled is set to FALSE, and zmschedulebackup will set to all users.

At least one COS or Domain needs to be selected to

Zimbra inheritance will be followed

For internal storage, with-blob backup/restore is recommended

For external storage, blob-less backup/restore is recommended

In setup with internal primary storage and external secondary storage, with-blob backup/restore is recommended for primary and blob-less backup/restore is recommended for external secondary storage

Same blob skip configurations for backup should be used for restore

For every blob-less backup, backup responsibility of the blobs is with the S3 storage providers

A configuration where primary is external and secondary is internal storage is not supported in this release

Message recovery is build using the dumpster feature which is now part of the backup and recovery configuration. When using message recovery, you will need to be aware of:

Message Recovery and Dumpster shared configuration and enabling, disabling or modifying the configuration within either location will apply to the other.

Message Recovery is the recommended method to restore deleted messages, calendar appointments, contacts, and tasks.

Enabling message recovery can be set on all accounts or one or more Domain’s and/or COS’s within the Admin UI.

To disable Message Recovery, select Domain and COS and leave class of service and Domain empty.

Domain and COS configuration require at least one Domain or COS to enable the feature.

When enabling Message Recovery, the zimbraDumpsterEnabled attribute will be set to TRUE which is a global, COS, Domain, and user attribute.

Related LDAP attributes are:

zimbraMailDumpsterLifetimetype - Retention period of messages in the dumpster. 0 means that all messages will be retained.

Default - 30d

zimbraDumpsterUserVisibleAge - limits how much of a dumpster data is viewable by the end user, based on the age since being put in dumpster

zimbraDumpsterUserVisibleAge- limits how much of a dumpster data is viewable by the end user, based on the age since being put in dumpster

zimbraDumpsterPurgeEnabled - disables purging from dumpster when set to FALSE

Default - FALSE

The Zimbra backup and restore procedures can be run as CLI commands.

The following utilities are provided to create backup schedules, perform full and incremental backups, restore the mail server, or restore the LDAP server.

zmschedulebackup  — This command is used to schedule full backups, incremental backups, and deletion of old backups.

zmbackup  — This command executes full or incremental backup of the Zimbra Collaboration mailbox server. This is run on a live server, while the mailboxd process and the mailbox server are running. This command also has an option to manually delete old backups when they are no longer needed.

zmbackupabort  — This command stops a full backup that is in process.

zmbackupabort -r  — This command stops an ongoing restore.

zmbackupquery  — This command lists the information about ongoing and completed backups, including labels and dates.

zmrestore  — This command restores a backup to a running Zimbra Collaboration mailbox server.

zmrestoreoffline  — This command restores the Zimbra Collaboration mail server when the mailboxd process is stopped.

zmrestoreldap  — This command restores the complete LDAP directory server, including accounts, domains, servers, COS and other data.

Refer to Appendix A: Command Line Utilities for usage and definitions for each of these commands.

Backing up using the Standard Method

When you initiate a backup, you can issue the command from the same server being backed up, run the command remotely and specify the target server on the command line, or use the Administration Console to start a backup session.

When configuring Standard Backup as your backup method, a full and incremental backup entry will be added to the crontab. Under the default schedule, the full backup is scheduled for 1:00 a.m., every Saturday. The incremental backups are scheduled for 1:00 a.m., Sunday through Friday.

By default, backups older than a month are deleted every night at 12 a.m.

You can change the backup schedule using the zmschedulebackup command or from the Admin UI.

Specify the fields as follows, separate each field with a blank space:

minute — 0 through 59

hour — 0 through 23

day of the month — 1 through 31

month — 1 through 12

day of the week — 0 through 7 (0 or 7 is Sunday, or use names)

Type an asterisk (*) in the fields you are not using.

Replace the existing full backup, incremental backup and delete backup schedule. When you use -R , the complete backup schedule is replaced. If you use this command, remember to set the deletion schedule, if you want backup sessions to be scheduled for automatic deletion. This example replaces the existing schedule to have full backups run on Sunday at 1 a.m., incremental backups to run Monday through Saturday at 1 a.m., and old backups deleted at 12:00 a.m. every day.

Add an additional full backup time to your current schedule. This example adds a full backup on Thursday at 1 a.m.

Review your backup schedule. The schedule is displayed.

Save the schedule command to a text file. This would allow you to easily recreate the same schedule after a reinstall or upgrade

Default Standard Backup Schedule

The default backup schedule is displayed similarly to the following example:

Read as follows:

Each crontab entry contains six fields that appear in this order:

minute (0-59 allowed)

hour (0-23)

day of the month (1-31)

month (1-12 or names)

day of the week (0-7 or names allowed, with both 0 and 7 representing Sunday

string to be executed

Home → Configure → Global Settings → Backup/Restore

You can add additional recipient addresses or change the notification email address in the Administration Console.

The full backup process goes through the following steps to back up the mailbox, the database, the indexes, and the LDAP directory:

Backs up the global system data including system tables and localconfig.xml .

Iterates through each account to be backed up and backs up the LDAP entries for those accounts.

Places the account’s mailbox in maintenance mode to temporarily block mail delivery and user access to that mailbox.

Backs up the mailbox.

Creates MariaDB dump for all data related to that mailbox.

Backs up the message directory for that mailbox.

Creates a backup of the index directory for that mailbox.

Returns that account’s mailbox to active mode and moves on to the next one.

Backs up the LDAP directory.

A full backup is usually run asynchronously. When you begin the full backup, the label of the ongoing backup process is immediately displayed. The backup continues in the background. You can use the zmbackupquery command to check the status of the running backup at any time.

Backup files are saved as zip files without compression. To change the default zip option, see Appendix A: Command Line Utilities , zmbackup section.

Incremental backups are run using the CLI command, zmbackup . The process for incremental backup is as follows:

Moves the archive redo logs, created since the last backup, to the <backup_target>/redologs folder.

Archived logs that are less than an hour old at the time of incremental backup are copied to the backup and are not deleted. These redologs are deleted one hour after the backup. The interval is set by the localconfig key backup_archived_redolog_keep_time . The default is 3600 seconds.

If no full backup for this account is found, the backup process performs a full backup on this account, even if only an incremental backup was specified.

Performing Manual Backups

Use the zmbackup command to perform the following backup operations:

Perform a manual backup of all mailboxes on server<1>:

Perform a manual, incremental backup of all mailboxes on server1 since last full backup

Perform a manual, full backup of only user1’s mailbox on server1

Deleting Backup Sessions

You can delete backup sessions either by label or by date.

Deleting by label deletes that session and all backup sessions before that session.

Deleting by date deletes all backup session prior to the specified date.

For example, zmbackup -del 7d deletes backups older than 7 days from now. You can specify day ( d ), month ( m ), or year ( y ).

Each full or incremental backup is a backup session.

Each backup session is labeled with date and time. For example, the label full-20210712.155951.123 says this is a backup from July 12, 2021 at 3:59:51.123.

Use the zmbackupquery command to find full backup sessions.

To find a specific full backup session:

To find a full backup sessions since a specific date:

To find all full backup sessions in the backup directory:

To find the best point in time to restore for an account specify a time window

Before you can abort a backup, you must know the backup session label. This label is displayed when zmbackup first starts. If you do not know the full backup label, use zmbackupquery to find the label.

Use the zmbackupabort command to stop a backup that is in progress. The backup is immediately stopped and becomes a partially successful backup.

Stop the backup, if you know the label name

Stop the backup, if you do not know the label

Backup using the Auto-Grouped Method

The auto-grouped backup method is configured either from the Administration Console or from the CLI.

Home → Configure → Global Settings → Backup/Restore Home → Configure → Servers → server → Backup/Restore

Set the backup method in the global configuration, and you can override the configuration on a per server basis if you do not want a particular server to use the auto-grouped backup method.

To set up auto-grouped backup, you modify LDAP attributes with the zmprov command:

You can also set the attributes at the server level using zmprov ms {server_name} {attribute} .

The following LDAP attributes are modified:

zimbraBackupMode  — Set to Auto-Grouped . The default is Auto-Grouped.

zimbraBackupAutoGroupedInterval  — Set this to the interval in either days or weeks that backup sessions should run for a group. The default is 8d . Backup intervals can be 1 or more days, entered as xd (e.g. 1d ); or 1 or more weeks, entered as xw (e.g. 1w ).

zimbraBackupAutoGroupedNumGroups  — This is the number of groups to spread mailboxes over. The default is 7 groups.

The auto-group backup schedule is set as the default mode and can be configured within the admin UI or command line.

Run zmschedulebackup -D to set the default schedule for auto-grouped backups based on your zimbraBackupAutoGroupedInterval setting.

One group is backed up each interval. The auto-grouped backup automatically adjusts for changes in the number of mailboxes on the server. Each backup session backs up the following:

All mailboxes that have never been backed up before. These are newly provisioned mailboxes.

All mailboxes that have not been backed within the number of scheduled backup days. For example, if backups are scheduled to run over six days, mailboxes that have not been backed up in the past 5 days are backed up.

More mailboxes, the oldest backup first. This is done so that the daily auto-grouped backup load is balanced.

For example, if you configured the auto-grouped backup interval to be daily (1d) and the number of groups to be 7, the first time auto-grouped backup runs, all accounts are backed up. After the initial backup, auto-grouped backup runs again the next day. This time accounts that have been newly provisioned and a percentage of accounts close to one-seventh of the total are backed up again. Accounts with the oldest backup date are backed up first. The backup continues with newly provisioned accounts and approximately one-seventh of accounts being backed up daily over seven days.

When backing up shared messages, if a file representing a message already exists in the backup, it flags this object as such and does not copy its content again.

These backup files can be used to restore the complete Zimbra Collaboration system or individual mailboxes so that account and message data is completely restored. Archived redo logs are moved to the backup session as part of the full backup. When the server is restored from an auto-grouped backup, redo logs are replayed to bring the system to the point before the failure.

Backup Options

The backup process can be configured to selectively backup content and to back up the MariaDB database.

zimbraBackupSkipSearchIndex  — Default is FALSE . If set to TRUE , the search index is not backed up. The mailbox will have to be reindexed after restoring from a backup without the search index.

zimbraBackupSkipBlobs  — Default is FALSE . If this is set to TRUE , blobs are not backed up. This might be useful for getting a quicker backup of just database data when the blobs reside on fault-tolerant storage. This configuration applies to all blobs, those on the primary volumes as well as secondary (SM) volumes.

zimbraBackupSkipHsmBlobs  — Default is FALSE . If this is set to TRUE , blobs on SM volumes are not backed up. Set this if zimbraBackupSkipBlobs is FALSE but you want to skip blobs on SM volumes.

You can configure Zimbra Collaboration backups to run mysqldump to back up your MariaDB database during backup sessions. When this is enabled, a mysqldump backup runs with each full, incremental, and auto-grouped backup.

The mysqldump is a backup of your MariaDB database at a specific time. Data changes that occur later than the dump file are written to the binary log. To recover to a specific point in time, binary logging must be enabled. See the Zimbra wiki article, MariaDB Backup and Restore at https://wiki.zimbra.com/wiki/MySQL_Backup_and_Restore .

The MariaDB dump files are gzipped and placed in the backup target directory, or to /opt/zimbra/backup , if no directory is specified.

These files can be quite large. Make sure that the free disk space is at least three times greater than the actual MariaDB database file for each MariaDB database backup file that is saved.

Enable mysqldump to run automatically with your backups, type

N is the number of copies of the MariaDB database backups that are retained.

Backup sessions fail if the target disk does not have enough space. All data backed up in the backup session is discarded and deleted.

You can choose to receive notification when your disk might not have enough space to complete the backup

Configuring the zimbraBackupMinFreeSpace attribute helps you manage running backup session by notifying you.

Set the value for attribute zimbraBackupMinFreeSpace to the amount of free space required on the backup target disk before a backup session is run. If the disk has less space than the value set in the attribute, the back up session will not run and an email notification is sent to the administrator.

The value for this attribute can be specified as a percentage of the total disk space, for example 25% , or as a number of bytes, for example 300MB , 50GB , etc. The default value is 0 , meaning the check is disabled and backup is always allowed to start.

The attribute can be set globally or by server.

Backup sessions run if the free disk space is at least the value you set. If your backup file is larger than the value, the backup session fails. You should monitor the size of the backup files and adjust the attribute value if the backup requires more space than the configured value.

Restoring Data

Three types of restore procedures can be run:

The zmrestore command is used to restore the mailboxes while the Zimbra Collaboration mailbox server is running.

The zmrestoreoffline command is used to restore the mailbox server when just the mailboxd process been stopped. This command is run for disaster recovery.

The zmrestoreldap command is used to restore the content of the LDAP directory server.

The restore process allows all accounts or individual accounts to be specified.

The zmrestore process goes through the following steps to restore the mailbox, the database, the indexes, and the LDAP directory.

Retrieves specified accounts to be restored, or specify all for all accounts that have been backed up.

Iterates through each mailbox:

Deletes the mailbox on the server to clear any existing data

Restores the last full backup of the MariaDB data, the index directory, and the message directory for that mailbox

Replays redo logs in all incremental backups since last full backup

Replays all archived redo logs for that mailbox, from the redo log archive area on the mailbox server

Replays the current redo log

Including last full backup and any incremental backups since last full backup

The following restore options affect redo log replay. If you do not specify one of these options, all redo logs since the full backup you’re restoring from are replayed

A restore that is run using any of the following options is a point-in-time restore:

-restoreToTime <arg> - Replay the redo logs until the time specified.

-restoreToIncrLabel <arg> - Replay redo logs up to and including this incremental backup.

-restoreToRedoSeq <arg> - Replay up to and including this redo log sequence.

-br - Replays the redo logs in backup only, therefore excluding archived and current redo logs of the system.

-rf - Restores to the full backup only. This does not include any incremental backups at all.

Restore stops at the earliest possible point in time if more than one point in time restore options are specified.

Two common ways to write the <timearg> are

"YYYY/MM/DD hh:mm:ss"

YYYYMMDD.hhmmss

A prefix is prepended to the original account names

The result from the above example would be an account called [email protected] .

When -c is designated, accounts that could not be restored are displayed when the restore process is complete.

Can also be used to restore deleted accounts

When the mailbox is restored it will contain messages that were deleted. This is useful if users use POP and remove messages from the server

The zmbackupabort -r command interrupts a restore that is in process. The restore process stops after the current account finishes being restored. The command displays a message showing which accounts were not restored.

To stop the restore type:

The offline restore process can only be run when the$1`mailboxd` server is not running. In general, offline restore is run under the following circumstances:

Certain components of the Zimbra server are corrupted, and the server cannot be started. For example, the data in LDAP or the database are corrupted.

A disaster requires the Zimbra software to be reinstalled on the server.

The offline restore must be run before the Zimbra Collaboration mailbox store server is started to keep the redo logs in sequence.

In a disaster recovery when the Zimbra software is reinstalled, if mailboxd is started before the backup files are restored, the mail server would begin to accept email messages and perform other activities, producing redo logs in the process. Since the pre-disaster data have not been restored to the server, the redo logs would be out of sequence. Once mailboxd is running, it would be too late to restore the pre-disaster data.

The offline restore process goes through the following steps.

Specified accounts to be restored are retrieved. If the command-line does not specify any mailbox address, the list of all mailboxes on the specified mail host is retrieved from Zimbra LDAP directory server.

Restore All Accounts

Restore all accounts on server1 when mailboxd is stopped

Start mailboxd after the offline restore is complete

Use the zmrestore command to restore one or more selected accounts. In the event that a user’s mailbox has become corrupted, you might want to restore that user from the last full and incremental backup sets.

For each account to be restored, put the account into maintenance mode

Maintenance mode prevents the delivery of new emails during the restore. Otherwise, the emails would be overwritten during the restore process.

Run the zmrestore command to restore the accounts

For each account that was restored, put the account back into active mode

When you restore from a full backup, you can exclude the search index and blobs.

Search index  — If you do not restore the search index data, the mailbox will have to be reindexed after the restore.

Blobs  — This is a useful option when all blobs for the mailbox being restored already exist.

HSM-blobs  — This is useful when all SM blobs for the mailbox being restored already exist.

In a disaster recovery where you need to restore the entire system, restore the LDAP directory server first.

The zmrestoreldap command restores the global LDAP data including COS, distribution lists, etc. You can restore the complete LDAP server, which recreates the entire schema or you can restore specific accounts. You specify the session to restore. The restore command has to be run on the LDAP server being restored.

General Steps for Disaster Recovery

Use the following steps to restore a mailbox store server in a general disaster scenario involving multiple machines.

Restore the LDAP directory server to a known good state before doing anything with the mailbox store server.

Put all mailboxes into maintenance mode to prevent mail delivery and user login while restoring the mailboxes.

Stop the mailbox store server if it is running.

Reinstall the Zimbra Collaboration software on the mailbox server, if necessary.

Restore mailboxes.

Start the Zimbra Collaboration server.

Put all Zimbra Collaboration mailboxes back in active mode.

Run a full backup of the server.

When your system unexpectedly stops and then restarts on startup, the server searches the redo log for uncommitted transactions and replays any that it finds. Replaying the redo logs brings the system to a consistent state.

If a complete machine failure occurs, use the following steps to restore to a new server.

The new server hardware must meet the requirements described in the Installation Prerequisites section of the Zimbra Collaboration Single Server Installation guide. Install the new operating system, making any necessary OS configuration modifications as described in the installation guide.

You do the following to restore to a new server:

Prepare the new server.

Block client access to the old server’s IP address with firewall rules.

Mount any volumes that were in use on the older server.

Delete the MariaDB data that is set up in the initial installation of Zimbra Collaboration.

Copy the backup files to the new server.

Run zmrestoreldap to restore the global LDAP data.

Run zmrestoreoffline to restore account data from the backup sessions.

Prepare and run a new backup.

Old Server Status

Two scenarios for disaster recovery are the server has died and the Zimbra Collaboration files cannot be accessed, or Zimbra Collaboration is still running, but the server hardware needs to be replaced.

If the server is not running:

Block client access to the server IP address with firewall rules.

Find the latest full Zimbra Collaboration backup session to use.

If the server is still running, to prepare the move to the new server:

Block client access to the server’s IP address with firewall rules.

Run a full backup of the old service, or if the backup is recent, run an incremental backup to get the most current incremental backup session.

Run zmcontrol stop , to stop Zimbra Collaboration. In order to restore to the most current state, no new mail should be received after the last incremental backup has run.

Change the hostname and IP address on the old server to something else. Do not turn off the server.

Before you begin, make sure that the new server is correctly configured with the IP address and hostname and that Zimbra Collaboration is installed and configured with the same domain, hostname, passwords, etc. as the previous server. See the Zimbra Collaboration installation guide for more information about preparing the server. Before you begin to install Zimbra Collaboration, note the information you need from the old server including admin account name and password, LDAP, Amavis, and Postfix passwords, spam training, and non-spam training user account names, exact domain name, and the global document account name.

Copy the Zimbra Collaboration License.xml file to a directory on the new server. You cannot complete the Zimbra Collaboration installation if the license is not on the new server.

Run ./install.sh and follow the directions in the installation guide to install Zimbra Collaboration. Make sure that you configure the same domain, hostname, passwords as on the old server. During Zimbra Collaboration install, the following settings must be changed to match the original server settings:

Zimbra LDAP Server  — For Domain to create , identify the same default domain as on the old server.

Zimbra Mailbox Server  — An administrator’s account is automatically created.

Make sure that the account name for Admin user to create is the same name as on the original server.

Set the admin password to be the same as on the old server.

Set the LDAP password to be the same as on the old server.

Set the Postfix user and Amavis user passwords to be the same as on the old server

Change the Spam training user and the Non-spam (HAM) training user account names to be the same as the spam account names on the old server.

Global Document Account  — This account name is automatically generated and is usually named wiki. If you changed this, change the Global Document Account name to be the same account name as on the original server.

Change any other settings on the new server to match the configuration on the original server.

In the main menu, set the default backup schedule and the automatic starting of servers after the configuration is complete to NO .

Restoring a Backup to a New Server

Stop the new server

If the old server had additional storage volumes configured, mount the additional volumes now.

Delete the MariaDB data and reinitialize an empty data directory. If you do not do this, zmrestoreoffline will have errors. As zimbra , type:

The MariaDB service is now running.

Copy all the files in the /backup folder from the old server or from an archive location to /opt/zimbra/backup .

Restore the LDAP.

If you are restoring a large number of accounts, you might run a command such as the UNIX command, nohup , so that the session does not terminate before the restore is complete.

Ensure that the following services are running before attempting to execute zmrestoreoffline .

mysqld (MariaDB)

slapd (OpenLDAP)

Ensure that the following services are stopped before attempting to execute zmrestoreoffline .

Because some Zimbra Collaboration services are running at this point, type zmconvertctl start . This is required before running zmrestoreoffline .

Sync your LDAP password from backup directory to the new production servers LDAP config.

Start the offline restore after stopping mailboxd .

You might run a command such as nohup here also. To watch the progress, tail /opt/zimbra/log/mailbox.log .

Because some Zimbra Collaboration services are running at this point, type zmcontrol stop to stop all services.

Remove any old backup sessions because these sessions are no longer valid.

Start Zimbra Collaboration.

Run a full backup.

Remove the firewall rules and allow client access to the new server.

The restoration steps are similar for most server failures you may encounter. If a failure occurs, review the disaster recovery section to understand the process and then follow the steps below for the specific type of failure.

Restore When LDAP is Corrupted

Reinstall the LDAP server. See the Zimbra Collaboration Installation guide.

Find the label for the LDAP session to restore. Run the zmrestoreldap - lb <label> command, with no arguments to restore all accounts, domains, servers, COS, etc. for the LDAP server.

Make sure that all accounts are in active mode. From the command line, type zmprov ma zimbraAccountStatus active

Restore After Replacing Corrupted Partitions

If a partition becomes corrupted, replace the failed disk.

To restore the latest full and incremental backup files, run

The zmrestore process automatically retrieves the list of all mailboxes on the specified mail host from the backup date and iterates through each mailbox to restore the mailboxes to the last known good state.

Restore After Corrupted or Unreadable Redo Log

If the redo log becomes unreadable, the mailboxd service stops and cannot restart. If this happens, inspect the hardware and software to find the source of the problem before proceeding.

Without the latest redo log, the Zimbra mailbox server cannot be returned to the most current state. The Zimbra mailbox data can be restored to the latest archived redo log state. A new redo log for current transactions is created after the Zimbra mailbox server is restored.

Put all accounts into maintenance mode.

With the mailboxd service not running, type

The offline restore process begins by retrieving the list of all mailboxes on the specified mail host from the backup.

The offline restore than iterates through each mailbox to:

Delete the mailboxes on the server

Restore the last full backup from the backup area

Restore all incremental backups for that mailbox in order, since the last full backup. This involves replaying the redo logs from the backup target area

Replay all archived redo logs

Because the redo log for current transactions is not available, the mailbox server is returned to the state of the last archived redo log.

After the offline restore is complete, start Zimbra Collaboration server.

When the Zimbra mailbox server is up, run a full backup of the Zimbra server. The full backup must be run immediately to have the latest data backed up because the latest redo log is not available.

The localconfig.xml file, located in the /opt/zimbra/conf folder, includes the core Zimbra server configuration, such as paths and passwords, This file is backed up in full and incremental backups. When you run an incremental or full restore, the backed-up version of the localconfig.xml is renamed localconfig.xml.restore and is copied to the /opt/zimbra/conf directory.

If you have made changes since the last backup, you might need to replace the localconfig.xml file with the restored copy. Compare these files, and if the .restore file has the latest local configuration data, delete the localconfig.xml file and rename the file with the .restore extension to localconfig.xml .

You can backup and restore a server using the snapshot feature provided by the storage layer rather than using Zimbra’s backup and restore feature. Using snapshots, you can maintain a standby site and reroute users to the standby site to keep operations running if the primary site fails.

Snapshots are taken for all volumes of data and are transferred to the standby site periodically. Data volumes that are backed up using snapshots include MariaDB, blobs, Lucene index, and redologs .

When the primary site is down, the zmplayredo command is used to bring consistency to the snapshots and to reapply any changes in data to minimize data loss across volumes

There are four volumes of data:

Lucene index

Sets of snapshots are taken every hour and transferred to the remote standby site. However, all snapshots are not taken at one instant and could be a second to a minute apart from each other. Also, snapshots of redologs may be taken more frequently. The sequence of events could look like:

On the remote site, there are snapshots from the 8:00 set of data as well as subsequent snapshots of the redologs. They all have to be brought together so that the most recent information is available on the standby site once users are rerouted to it.

You can now run the zmplayredo command to replay changes from 8:00:00.

All data is brought forward to the current time and the standby site is set up and running. Data from 8:30:00 to 8:35:00 is lost but that is expected when the restore process is being carried out.

Notes on Ephemeral Data

As of Zimbra Collaboration 8.8, ephemeral data is not backed up as part of the backup process. Since auth tokens are ephemeral attributes, the implication is that clients accessing accounts restored after deletion will need to re-authenticate; auth tokens generated prior to the backup will no longer work.

Backing up Ephemeral Data in SSDB

If SSDB is used as the ephemeral backend, a backup will not include any ephemeral attributes.

Note: This section does not detail how to deploy and administer an SSDB server. For that information please see section SSDB Configuration Options .

Backing up the data stored in SSDB (if so configured) is done as follows:

Note: If running in master / slave configuration the ssdb-dump should be run on the master .

Example backup

Restoring ephemeral data to ssdb.

Restoring ephemeral data to SSDB from a backup can only be done with a backup from an SSDB server.

Restoration can be done in one of two ways:

import into a running server

override of existing data

Importing into a running server

Using the leveldb-import command provided with the SSDB software a backup created with the ssdb-dump command can be imported into a running SSDB server.

Data override

Stop the SSDB server.

Copy the directory created using the ssdb-dump command previously to a known location.

Update ssdb.conf configuration file to update the work_dir option to the proper path.

Start the SSDB server back up and verify previously working logins still work.

If the ephemeral backend is LDAP, a backup will not include auth tokens or CSRF tokens, but it will include the last login timestamp. Upon account restore, the appropriate "Last Login" value in the admin console will be restored.

Restore NG Backup to Zimbra 10

The NG backup restore utility will be helpful to customers who have upgraded to Zimbra 10, which now has a native backup and restore feature. This utility can read existing NG backups and restore them, providing a useful option for customers who have previously used NG backup.

To restore backups using the NG backup restore utility, it should be triggered on the server where the backup needs to be restored. However, before restoring the backup, admins should manually upload the backup folder from the NG server to the server where the restore is being performed. Once the backup folder has been uploaded, the NG backup restore utility can be executed to restore the backup data.

Please note that this is not a general purpose restore utility for restoring old NG backups. This utility is only meant to help organizations for auditing and BCP testing purposes.

We recommend taking a full-backup using Zimbra backup feature immediately after installation for Zimbra Daffodil (v10) is complete. And then using this full-backup (in conjunction with incremental or auto-grouped backups) in case of disaster recovery.

The utility can be used for the following use cases where customers cannot avoid dealing with old NG Backups:

Large organisations, financial institutions and government customers have compliance requirements related to backing up old email data. These requirements come from auditor to conduct forensic accounting.

Several medium and large organisations need to create a Business Continuity Planning (BCP). During BCP testing, depending on the regulations applicable for that company, old backups may need to be restored to check if email data is accessible or not.

To restore emails and documents for the for the account [email protected] to prefixed account name [email protected]

To restore documents for the account [email protected]

To restore emails and documents (all - emails, documents for now) for the for the account [email protected] to prefixed account name [email protected]

Following are the module wise prerequisites which should be satisfied before migration is executed. Please note that these prerequisites may not be comprehensive and additional steps may be required depending on the specific server configurations

A backup must be taken on the NG server for the module/data that needs to be migrated.

The backup folder must be manually migrated/copied to the server where the backup will be restored.

The backup folder must have the correct permissions set to enable the restore process to access and read the backup files.- The restore process must be executed on the Z10 server where the module is installed and needs to be migrated.

The following sequence needs to be adhered to for migration:

The utility required to restore the backup needs to be installed on the Z10 server.

The backup taken on the NG server needs to be manually transferred to the Z10 server.

The backup folder should be located in a directory that is accessible to the Zimbra user on the Z10 server. The ideal location for the backup folder would be "/opt/zimbra/zxbackup".

The domain for the account being restored should be present on the Z10 server.

Delegated Administration

The global administrator can create different delegated administrator roles.

Delegated administrator roles can be as simple as having the rights to manage one or more distribution lists or reset forgotten passwords for one or more users, to having domain administration rights on one or more domains.

Two frequently used delegated administrator roles, domain administrator and distribution list administrator, are already defined. You can add administrators to these predefined roles with no other configuration necessary.

Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.

A target is a Zimbra Collaboration object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.

When selecting a target type for a target consider the following:

Target: Which specific target are you granting rights? For example, if the target type you select is "domain", which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.

Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and the setting passwords can only apply to accounts and calendar resources target types. If a right is granted on a target that is not applicable to the target, the grant is ignored.

When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain targets list of rights, it is effective for all accounts or calendar resource in the domain.

Rights are the functions that a delegated administrator can or cannot perform on a named target. A right is either system-defined or granted at the attribute level.

Types of system defined rights include:

Preset rights ( preset ). For example, createAccount creates an account; renameDomain , renames the domain.

Preset rights are associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; getServer is a right on a server

No other rights are required to administer that action on the target.

Preset rights could involve accessing multiple targets. The grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.

Granting rights at the attribute level allow a delegated administrator/ administrator group to modify or view (or not modify or view) a specific attribute on a target.

Types of attributes rights include:

Attribute ( setAttrs ) rights allow the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.

Get attribute rights ( getAttrs ) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.

The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.

Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.

Combo Rights

Combo rights can be assigned to any target type and can include preset rights and attribute rights. You can use combo right to grant multiple attribute rights quickly on targets.

Negative Rights

Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.

When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.

When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.

An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.

For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member in both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.

For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, which User1 is a member. AdminA is also granted the positive right to view account directly on User1’s account. In this case, AdminA can view User1’s account as the grant on the account target is more specific than the grant on the distribution list.

System rights are listed and described in the Rights folder in the Administration Console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.

When you select a right on the page and click on it, another page displays more information:

For combo rights, a list of the rights associated with the combo right are listed.

For the other system rights, a list of attributes associated with the right are listed

You can use zmprov commands to view combo rights.

Direct sub-rights of a combo right

Second level sub-rights of the combo

Viewing System Defined Rights Lists

You can use zmprov commands to view system defined rights for a specific topic:

Implementing Delegated Administration

Before you create delegated administrators and grant rights, define the role and which rights to assign to the targets the administrator will manage.

For more efficient management of delegated administrators, create administrator groups and add individual administrator accounts to the group. An administrator group allows you to create role-based access control. Administrators with the same or almost the same responsibilities can be grouped into an admin group.

Delegated administration rights can be set up in one of the following methods:

Create an administrator or an administrator group and grant rights to the account using the Administrator Wizard.

Configure grants on existing administrator accounts. Add new rights or modify rights to an existing delegated administrator or administrator group account.

Add, modify and delete rights directly in a target’s Access Control List page.

Administrator and group administrator accounts are created in the Administration Console.

Use the administration wizard to

Create the create either an Admin Group or an Admin Account.

Admin Groups are distribution lists (DL) that have Admin Group enabled, which flags it as a delegated administrator DL. After the admin group administrator is created and configured with rights and admin views, you add administrator user accounts to the admin group.

Admin Account is a user account that has Administrator enabled on the account.

Configure the admin views for the account. You select the views from the Directly Assigned Admin views list. An admin view represent the items the delegated administrator sees when logged on to the Administration Console.

A directly assigned admin view is the view set on the admin account. An inherited admin view is the view set on the admin group the account belongs to.

Configure the Grants. The Grants dialog displays a list the grants requiredto display the items you selected in the Directly Assigned Views column. You can accept these rights and add additional rights, skip this page to not configure these rights, or click Finish to accept these rights and quit the wizard.

You can manage the rights granted to an administrator or an administrator group through the Configure Grants link on the accounts toolbar. When you click Configure Grant on the Manage Accounts Addresses toolbar, the Content pane shows a list of direct and inherited grants. You can grant rights, modify rights or delete rights on existing administrator accounts.

When you want to add a specific grantee or specific rights on a target you can edit the target directly. Each target has an ACL page which lists the granted ACLs. You can add, edit or delete the target’s grants. The administration account (grantee) is updated to reflect the change.

Revoking Rights

Global administrators can revoke any rights granted to an administrator.

Open the desired administrator account and click Configure Grants .

Select the right to revoke and click Delete .

When the dialog asks if are sure, click Yes .

Delegated administrators can revoke rights if the right was created with the Can Grant the right to other admins enabled.

To temporarily revoke rights to a delegated administrator account, you can edit the administrator account and remove the check next to the Administrator field. The ACLs are not removed from the account.

The View Rights link from an admin account or admin group account toolbar displays the granted rights, readable attributes and modifiable attributes associated with a specific target. Click on the tabs to view rights for different targets.

Granting Predefined Rights

Delegated Administrators can be assigned predefined rights for common tasks. A common example is to create a Helpdesk administrator who can only reset password.

Following commonly used rights have been predefined, and more are planned to be added in the future.

When an admin is assigned a Domain administrator predefined right, the administrator can access all commonly used functionality that is required by an administrator who is managing a domain. Assigning this right to the user is equivalent of assigning the following rights and views:

Assigned rights

domainAdminRights

getDomainQuotaUsage

Assigned views

accountListView

downloadsView

aliasListView

resourceListView

domainListView

certificatesView

When an admin is assigned a Reset passwords predefined right, the administrator can access all commonly used functionality that is required by an administrator who is resetting password for an organization. Assigning this right to the user is equivalent of assigning the following rights and views:

listAccount

countAccount

countCalendarResource

countDistributionList

listDistributionList

changeAccountPassword

When an admin is assigned an Edit contact info predefined right, the administrator can access all commonly used functionality that is required by an administrator who needs to edit contact information for users. Assigning this right to the user is equivalent of assigning the following rights and views:

getAccountInfo

domainAdminConsoleAccountsContactTabRights

Predefined Delegated Administrator Role

The following pre-configured administrator groups are created automatically. You can assign administrator accounts to these groups.

The zimbradomainadmins delegated admin group grants all the rights necessary to support Zimbra Collaboration domain administration for accounts, aliases, distribution lists and resources.

Administrators who are part of the zimbradomainadmins group can create and manage accounts including setting the account quota, aliases, distribution lists, and resources accounts in their domain.

When domain administrators log onto the Administration Console, only the functions they are authorized to manage are displayed on the console’s Navigation pane.

Create Link from Zimbra Classic Web App Account to Admin Console

For domain administrators, all tasks are performed from the Administration Console. To facilitate easy log in, when a delegated administrator account is created, their Classic Web App account can have a link to the Administration Console.

The link is created from the zmprov CLI

The zimbradladmin delegated admin group grants all the rights necessary to log on to the Administration Console and manage distribution lists.

Administrators who are part of this group can

View the account list

Create new distribution lists and delete distribution lists

Add, edit and remove members in a distribution list

Creating Delegated Administrator Roles

To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.

For example, to set up [email protected] to manage domainexample1.com and domainexample2.com. Create a new administrator account on one of the domains to be managed.

Create the administrator account on one of the domains to be managed (domainexample1.com)

Select the views that domain administrators need to manage a domain. When the views are selected, the rights associated with these views automatically display on the Configure the Grants dialog.

Configure the grants for this domain if they are different from the grants associated with the views you select.

To add another domain to be managed (domainexample2.com).

On the Configure Grants page, click Add

Select the target type as domain

Enter the target’s domain name (domainexample2.com)

For Right Type, select System Defined Right

For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.

Click Add and More

The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.

Continue to add the following right names:

adminConsoleAliasRights

adminConsoleResourceRights

adminConsoleSavedSearchRights

adminConsoleDomainRights

After the last right, click Add and Finish . The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More . Repeat Step 4. If not, click Finish .

To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.

Create a new distribution list:

Check Admin Group

Add the user who will be the administrator as a member of the DL.

Go to the Admin Views page and check Distribution List View so the admin can view the distribution list.

In the Configure Grants page, add the following rights.

To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the set Account Password combo right.

Select the following views

Account List view to be able to select accounts to change passwords

Alias List view to be able to find users who use an alias instead of account name.

The Configure the Grants page displays recommended grants for the views you have chosen. For Change Password rights, do not configure these grants. Select Skip . Click Add to add the following right:

View Mail access right can be granted on accounts, domains, and distribution lists.

To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.

You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.

Add the System Defined Rights to each COS in the domain.

This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.

For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.

If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.

This role creates a delegated administrator role that can create, deploy and view Zimlets.

This role creates a delegated administrator that can create and manage resources.

This role creates a delegated administrator that can access all the searches saved in the Administration Console Navigation pane, Search section.

This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View .

Chat and Video

Chat and Video provides an all-in-one centralized collaboration platform with high performance, low latency with minimal administrator cost.

For detailed installation steps, please refer to the Installation Guide .

Once all the installation and configuration steps are completed, user access to the Chat and Video zimlet will be set for your default domain. Access management can also be done at the class of service (COS) and account levels. Please note, because the Chat and Video zimlet exists separately in the Classic and Modern UI, management steps will need to be taken for both clients independently.

In Zimbra Admin Console, Zimbra Chat and Video zimlet can be managed just like any other zimlet for COS or account level.

Licensing for chat and video

Chat and Video is a network edition licensed feature and needs a valid Zimbra license. It uses the value set for the license attribute ZTalkAccountsLimit to limit the number of users accessing this feature. For example, if the value of ZTalkAccountsLimit is set to 50 in a valid Zimbra license, then only 50 specific users will be able to use the chat and video feature. Administrators can set the zimbraFeatureModernChatEnabled attribute to TRUE for accounts which need chat and video enabled.

Enabling chat and video for a user

To enable chat and video for a user:

Set zimbraFeatureModernChatEnabled to TRUE for user’s account or COS or Domain. Please note that the attribute zimbraFeatureModernChatEnabled is currently only accessible via CLI.

To enable Chat and Video UI in Classic Web App, enable the zimlet com_zimbra_chat_video (in Admin Console) for user’s account or COS or Domain

To enable Chat and Video UI in Modern Web App, enable the zimlet zimbra-zimlet-chat-video (in Admin Console) for user’s account or COS or Domain

Set permission by User Interface

First login into Zimbra Admin Console (ZAC) with your administrator account.

Set permission via Class of Service

Go to Home → Configure → Class of Service .

Select the class of service from the list pane.

Select Zimlets from the menu bar.

Now, you can enable or disable the com_zimbra_chat_video` zimlet for Classic UI and/or zimbra-zimlet-chat-video zimlet for the Modern UI .

Set Permissions via User Account

Go to Home → Manage → Accounts .

Select the user account from the list pane.

User not default set to their COS , select Limit Zimlets available to this user to: .

Then, you can enable or disable the com_zimbra_chat_video` zimlet for Classic UI and/or zimbra-zimlet-chat-video zimlet for the Modern UI .

Set permission by Command line Interface

You can make changes in class of service and view Zimlet usage by using the following commands.

View usage:

Permissions at the COS level

First, use the following command to view what Zimlets are available on which COS(es):

Grant permission to a COS with the following, replacing “testcos” with the appropriate value for Classic UI:

Grant permission to a COS with the following, replacing “testcos” with the appropriate value for Modern UI:

Revoke permission for a COS with the following, again, replacing “testcos” with the appropriate value for Classic UI:

Revoke permission for a COS with the following, again, replacing “testcos” with the appropriate value for Modern UI:

Please note, for both steps above, the zmprov fc cos step will flush the cache. This can create reload work for your instance, so please consider performance needs and timing before taking this step.

The new 1:1 chat feature is available for all customers of Zimbra Daffodil. This feature allows unlimited number of users access hosted chat and is available under Zimbra’s Free Tier license for chat and video.

Getting Started

To use the 1:1 chat feature, ensure that the Classic (com_zimbra_chat_video) and Modern (Zimbra-zimlet-chat-video) zimlets are enabled in your domain and the config.domains.json and config.properties (post-configuration) have been configured correctly. You should have at least two users on the domain with Chat access and visible under Chats > Company Contacts.

Here are the LDAP attributes that are relevant to the new 1:1 chat feature:

ZTalkAccountsLimit: This attribute determines the maximum number of chat accounts that can be created.

zimbraFeatureModernChatEnabled: This attribute determines whether the modern chat feature is enabled.

Chat Seat Transfer

If zimbraFeatureModernChatEnabled is set to TRUE (COS, Domain, Account) and the number of chat users equals ZTalkAccountsLimit, then when the Chat account is deleted for a user that had Chat previously, a new account added to the domain will be able to see Chat & Video options with full functionality when they log into webmail.

Please note that these attributes should be properly configured to ensure the correct functioning of the chat feature.

1:1 Private Chats

With the new 1:1 chat feature, you can engage in private chats with any other user on the same domain. To start a chat:

Log into your Zimbra account.

Navigate to the Chat vertical.

Under Contacts, select the user you want to chat with.

In the right-side chat pane, type your message into the text input field and send.

Search within a Chat

The 1:1 chat feature allows you to search within a selected chat. This is particularly useful when you need to find specific information from your chat history. To use this feature:

Select the chat you want to search from.

Click on the magnifying glass icon in the header of the selected chat.

Enter the string you want to search for.

Limitations

Please note that under the Free Tier license, there are some limitations:

Videoconference on Web for 1:1 chat is blocked: This means user cannot start a video conference during a 1:1 chat.

Creation of group chats on Web is blocked: User cannot create new group chats.

Access to group chats on Web is blocked: User cannot join or access group chats.

All chats search on Web is blocked: User cannot search across all chats at once.

Action logs are blocked: You cannot view action logs from the admin view.

Message auditing is not allowed: User cannot perform message auditing.

Storage - Under the Free Tier license, storage is limited to 1GB total for the domain. This includes all files shared within the chats. Even after consuming the 1GB limit, the users can continue to use the chat, but they will not be able to send any attachments.

If an organisation has 100 employees, and decides to buy 20 premium chat and video licenses, then the first 20 users who login to email will automatically have premium features enabled. The next 80 will only be able to access the free 1:1 chat.

Zimlets are a mechanism to integrate Zimbra with different third-party applications to enhance the user experience from the Zimbra Classic Web App. With Zimlets, users can look at information and interact with the third-party application from within their email messages. Zimlets can be made available from the Zimbra Classic Web App Overview Pane to users by modifying the Class of Service (COS).

Classic Web App lists only the classic zimlets.

Zimbra includes several predefined Zimlets. You can also create Zimlets or download them from the Zimlet Gallery located on the Zimbra Web site.

In Admin Console → Home → Configure → Zimlets , zimlets developed for Modern Web App have (Modern) in Description .

Classic Web App lists only th

Predefined Zimlets, when enabled, let users preview the following in Classic Web App:

Mouse over a date or time and see what is in calendar.

Mouse over a name or email address and see details from the address book for this name.

Right-click on a phone number to make a call with your soft-phone.

Right-click on a date to schedule a meeting.

Right-click on a name, address, or phone number to update address book information.

Managing Zimlets from the Administration Console

The following Zimlet management tasks are available from the Zimbra Administration Console.

Deploy a Zimlet, which creates the Zimlet entry in the LDAP server, installs the Zimlet files on the server, enables the Zimlet and makes it available to the members of the default COS.

Make a Zimlet available or not available per COS or account.

Make a Zimlet mandatory.

Disable a Zimlet, which leaves it on the server, but the Zimlet is not used.

Undeploy a Zimlet, which removes it from the COS listings and the Zimlets list but does not uninstall the Zimlet from the server.

You can download and deploy custom Zimlets from the Zimlet Gallery located on the Zimbra Web site. When a Zimlet is deployed, it is available immediately to everyone in the default COS. If a Zimlet is not deployed to another COS directly, the COS displays the Zimlets but they are not enabled.

Home → Configure → Zimlets , from the Gear icon select Deploy

Browse to the Zimlet you want to deploy, then click Deploy .

The Zimlet deploys to the server. A dialog displays indicating the server name where the Zimlet is deployed and the status of the deployment.

Verify the Zimlet is enabled by viewing the Zimlets page.

You can enable, disable, or make Zimlets mandatory. You can also use the toggle feature to choose if an installed Zimlet will be made available for users to choose from.

Home → Configure → Class of Service → COS → Zimlets

When a Zimlet is undeployed, it is removed from all COSs and then removed from the LDAP.

Home → Configure → Zimlets

Select a Zimlet to undeploy.

From the Gear icon menu select Undeploy .

Click Yes to confirm.

Proxy Allowed Domains lets you configure which external domains can be accessed through a Zimlet. For the Zimlets that are included in Zimbra, proxy allowed domains are already configured. If you download and deploy other Zimlets, you can add additional proxy domain names.

Home → Configure → Class of Service

Select the COS to edit.

In the Advanced page, scroll down to the Proxy Allowed Domains section.

Click Add Domain to add domains.

Use the same steps as deploying a new Zimlet to upgrade a customized Zimlet. The new Zimlet zip file should have the same name as the existing Zimlet zip file.

Check Flush Zimlet cache, so that the upgraded zimlet will be used.

Browse to the Zimlet you want to upgrade, then click Deploy .

Managing Zimlets from the Command Line Interface

The following Zimlet management tasks are available from the command line interface.

When a Zimlet is deployed, it is available immediately to everyone in the default COS. If a Zimlet is not deployed to another COS directly, the COS displays the Zimlets but they are not enabled.

Deploy a Zimlet using the CLI, including modifying the COS before deploying.

Select a Zimlet and copy the Zimlet zip file to /tmp folder on your Zimbra server.

Login as the zimbra user su - zimbra

Deploy the Zimlet

When deploying a Zimlet, the COS attributes, zimbraProxyAllowedDomains , must be set for the domain address that the Zimlet might call to get information.

To set the zimbraProxyAllowedDomains attribute, type:

The * must be added before the example.com .

This must be applied to all COSs that have your Zimlet enabled.

Use steps in this section to deploy a Zimlet to one or more COSs other than the default:

Login as zimbra user: su – zimbra

Copy the Zimlet file from Gallery to /tmp folder.

Install the Zimlet to the default COS:

To deploy the zimlet to additional COSs, run:

This will grant permission to cosname1 . You can also grant access to more than one COS on the same command line:

To allow this zimlet to use the allowed proxy domains, run the following on each COS and add the allowed domains.

Use the zmzimletctl command to view currently installed Zimlets:

The output from this command displays the Zimlets installed on the server, installed in LDAP, and those available by COS.

Some Zimlets may require additional configuration after they are deployed.

The Zimlet configuration template allows you to make changes on the configuration template and then install the new configuration file on the Zimbra server.

Use steps in this section to change a Zimlet configuration:

Extract the configuration template:

Make the required changes in the template, taking care to change only the required areas, then save the file.

Use the zmzimletctl command to update the configuration in the LDAP. If you changed the name of the configuration template, replace config_template.xml with the new name.

Upgrading a customized Zimlet is performed by using the same steps as those used to deploy a new Zimlet.

Use steps in this section upgrade a Zimlet:

Copy the Zimlet zip file to the /opt/zimbra/zimlets-extra folder, replacing the older version.

The Zimlet is copied to the /opt/zimbra/zimlets-deployed folder. If your Zimlet includes a .jsp file, the .jsp file is also copied to the /opt/zimbra/jetty/webapps/zimlet/<zimletnamefolder> .

To ensure availability of the newer version, flush the cache:

You can download and deploy Zimlets from the Zimlet Gallery located on the Zimbra web site. Go to https://www.zimbra.org/extend/ and scroll through the Extensions from the Zimbra Gallery section.

To develop your own custom Zimlets, see the Zimlet Developers Guide on the Zimbra Wiki at https://wiki.zimbra.com .

Configuring Zimlets for Modern Web App

Zimlets are plugins which enhance the Modern Web App’s functionalities. The zimlets need to be configured and authorized before you can use them with the Modern Web App.

Modern Web App lists only the modern zimlets.

Default Zimlets, for Modern Web App, let users perform the following tasks:

Restore contacts from previous backups

Add additional signatures for replies, forwards, or new emails

Detect dates from given content and provide event list of that day on mouse hover

Use Zimbra as a progressive web app

Subscribe to external calendar feeds

Add an option in settings to change default client in Zimbra

Configuring LDAP

This section is a basic guide to configuring the necessary LDAP properties for zm-oauth-social . Assumes basic Zimbra Collaboration CLI knowledge.

The following examples may be used as a starting point for configuring the required LDAP properties to enable use of the zm-oauth services.

As the Zimbra Collaboration user, these properties can be applied globally as in the following examples, or applied to specific domains.

Basic Template For User OAuth Token Configuration

zimbraOAuthConsumerRedirectUri is the app’s relay during the oauth flow (i.e. where the social media site will send the user with a one-time use code to continue the oauth flow). The left part of the LDAP value must match the app’s whitelist.

zimbraOAuthConsumerCredentials is the app’s credentials — provided by the social media app setup. verification_token may be left out for all clients except Zoom. These credentials tie the oauth flow to a specific app. The clientId is used by an end-user to request an oauth code, then the clientId + clientSecret are both used by the Zimbra Collaboration server to exchange that code for an access_token.

zimbraOAuthConsumerAPIScope is the app’s required scopes for the specified auth type (caldav,contact,noop). These scopes determine what permissions are requested from an authorizing user during the social media site leg of the oauth flow.

Dropbox Example

See Setting Up Dropbox for instructions on obtaining a Client Id , and Client Secret .

Google Example

See Setting Up Google Drive for instructions on obtaining a Client Id and Client Secret .

Microsoft Example

See Setting Up OneDrive for instructions on obtaining a Client Id, and Client Secret.

Slack Example

See Setting Up Slack for instructions on obtaining a Client Id and Client Secret .

Zoom Example

The last line of the above code block allows Zimbra Collaboration to perform proxy requests for the Zoom zimlet to the Zoom API on behalf of default class of service Zimbra Collaboration accounts. This is necessary for the Zoom Zimlet’s basic operations. If users on other class of services should have access, this may be applied on those as well.

See Setting Up Zoom for instructions on obtaining a Client Id, Client Secret, and Verification Token.

Domain Configuration

Configuring the credentials of a single domain will override the credentials inherited from global configuration for that domain. Because of this, it is possible to configure just the credentials, and allow the domain to inherit the redirect uri and scopes if neither of these configurations should differ between the global and domain app.

Visit Dropbox App Console

Choose Create app.

Choose Dropbox API with Full Dropbox access, name your app, then click create app.

Adjust and configure the following Redirect URLs in the OAuth 2 section:

https://<hostname>/service/extension/oauth2/authenticate/dropbox

https://<hostname>/@zimbra/service/extension/oauth2/authenticate/dropbox

Adjust and configure the relevant hostnames in the Chooser/saver domains section.

Fill out the application Branding information and descriptions.

Click Enable additional users so that others may authorize with the app.

Acquire the App key and App Secret from the Settings tab.

See Configuring LDAP .

Visit Google API Console .

Select Select a project from the project dropdown menu in the top navigation bar.

Select New Project.

Configure the project name (and optionally organization location).

Select + Enable APIs and Services

Search for Google Drive then select Google Drive API.

Select Enable.

Select Google APIs to return to the APIs & Services menu.

Navigate to the APIs & Services section: OAuth consent screen via the left navigation menu.

Choose either internal or external application type, then configure the basic application information.

Select Add scope then enable all of the scopes related to Google Drive.

Add your mail server’s host as an authorized domain.

Select Save.

Navigate to the APIs & Services section: Credentials via the left navigation menu.

Select + Create Credentials, then select OAuth client ID.

Choose Web application as the Application type.

Configure the application name.

Under Authorized JavaScript origins select + Add URI then adjust and add your mail server’s hostname (Replace "hostname" with the public hostname of your Zimbra Collaboration server):

https://hostname

Under Authorized redirect URIs select + Add URI then adjust and add the following redirect URIs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/service/extension/oauth2/authenticate/google

https://<hostname>/@zimbra/service/extension/oauth2/authenticate/google

Select Create, then copy the Client ID and Client Secret.

Visit Azure Portal .

Search for and select App Registrations.

Select New registration.

Under Supported account types, select Accounts in any organizational directory and personal Microsoft account.

Adjust and add the following Redirect URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/service/extension/oauth2/authenticate/outlook

Select Register.

Navigate to the Manage section: Authentication via the left navigation menu.

Select Add URI then adjust and add the following Redirect URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server), then click Save:

https://<hostname>/%40zimbra/service/extension/oauth2/authenticate/outlook

Navigate to the Manage section: API Permissions via the left navigation menu.

Add the required Microsoft Graph Delegated Permissions, then click Save:

offline_access

Files.ReadWrite.All

Navigate to the Manage section: Certificates & secrets via the left navigation menu.

Select New client secret, add a description, and no expiration.

Repeat this task, removing previously created entries, until a Value without a : is created (secret must not contain colons for compatibility reasons), then click Save .

Configure the new Application Credentials in Zimbra

Acquire the Application (client) ID from the Overview via the left navigation menu, and Client Secret from the Manage section: Certificates & secrets via the left navigation menu.

Visit Slack App Management

Configure the Basic Information section after creating the Application.

Navigate to the Features section: OAuth & Permissions via the left navigation menu.

Add the required Bot Token Scopes:

Add the required User Token Scopes:

groups:write

users:read.email

Adjust and add the following Redirect URLs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/service/extension/oauth2/authenticate/slack

https://<hostname>/@zimbra/service/extension/oauth2/authenticate/slack

Configure the Bot Name in Features section: App Home.

Sign-in to Zoom as your organization‘s owner or an organization account with the developer role.

Visit Zoom App Management

Choose Develop → Build App → OAuth → Create

Configure the App name, turn on User-managed app, leave on the intent to publish, then click Create.

Navigate to the App Credentials section via the left navigation menu.

Add the following Redirect URL to the Production section (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/service/extension/oauth2/authenticate/zoom

Add the following Whitelist URLs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/@zimbra/service/extension/oauth2/authenticate/zoom

Navigate to the Information section via the left navigation menu.

Configure the Deauthorization Notification Endpoint URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

https://<hostname>/service/extension/oauth2/deauthorization/zoom

Navigate to the Scopes section via the left navigation menu.

Add the required Scopes:

meeting:write

Navigate to the Submit section via the left navigation menu.

Generate a Publishable URL then leave the Submit page (do not submit the app if using for a single Zoom Organization account).

For easy understanding of the steps, we will refer to following examples throughout the section:

NextCloud Server - nextcloud.server.com

Zimbra Server - myzimbra.server.com

Domain - example.com

Setup a NextCloud server by following this video - https://www.youtube.com/watch?v=QXfsi0pwgYw

Install NextCloud zimlet and its dependencies on Zimbra Server:

To install on Red Hat and CentOS, run:

To install on Ubuntu, run:

Restart zmmailbox server:

On NextCloud server, update the below configuration in /etc/httpd/conf.d/nextcloud-ssl.conf

Login to NextCloud server URL https://nextcloud.server.com and navigate to Settings → Administration → Security.

In Brute-force IP whitelist section, specify the Zimbra server’s IP Range.

In OAuth 2.0 clients section, specify the Name and Redirection URL of the Zimbra server. For e.g.:

Specify Name - My Zimbra Server

Specify Redirection URL - https://myzimbra.server.com/service/extension/oauth2/authenticate/nextcloud

Copy the Client Identifier and Client Secret fields for the above entered Client. This will be used to update LDAP related configuration in the next step.

To enable NextCloud for domain example.com , add LDAP entries for it by executing the following commands:

In case your Zimbra and Nextcloud are on different domains, for e.g. zimbra.example.com and nextcloud.example.org , in that case you have to disable the same site cookie restriction. Execute the following commands:

Setting up Jitsi Videoconferencing Solution

Jitsi is a fully encrypted, 100% open-source, video conferencing solution. Jitsi integration is available in the Modern Web App allowing end-users to set up video conferencing directly in their calendar; i.e. just click a button to add a Jitsi link to a meeting invite and then launch into that video meeting.

Administrators must install/enable the zimlet and define what video server instance they plan to use. Administrators can deploy their own Jitsi video server instance. Even if administrators have not set up a Jitsi server instance, the Jitsi integration zimlet can use Jitsi’s publicly available free video conferencing solution to schedule meetings for the end users.

Install Jitsi zimlet and its dependencies on Zimbra Server:

To install on Red Hat or CentOS, run:

If an organization do not intend to use Jitsi’s publicly available free video conferencing solution and wants to set up their own Jitsi server, they can refer to this setup guide

Once the Jitsi server is set up, configuration changes would be required on the Zimbra server to update the organization’s Jitsi server URL.

In this example, we will assume your organization’s Jitsi server URL as https://my-org-jitsi-server.com .

The following CLI commands need to be run as zimbra user.

Go to /opt/zimbra/zimlets-deployed/zimbra-zimlet-jitsi .

Edit config_template.xml and change the value of jitUrl parameter to https://my-org-jitsi-server.com .

Example of the global block in the file after the update.

Execute these commands to apply the changes:

End-user guide on how to use Jitsi integration zimlet - https://zimbra.github.io/userguide/zcloud/userguide-zcloud.html#_jitsi

The Signature Template Zimlet offers a globally configured email signature template that users can use to configure their email signature. This way all users in an organization can have a uniform signature.

The Administrator must install the zimlet and enable it for the users.

Copy and paste the below config file in /tmp/zimbra-zimlet-signature-template.xml :

Use base64 decoder to decode the htmlTemplate value.

Make the required changes in htmlTemplate block. Re-encode it and paste it in /tmp/zimbra-zimlet-signature-template.xml

Deploy the changes:

Appendix A: Command Line Utilities

Command Line Interface (CLI) can be used to create, modify and delete certain features and functions of the Zimbra Collaboration. The Administration Console is the main tool for maintaining the Zimbra Collaboration, but some functions can only be changed from CLI utilities.

The CLI utilities can be used for the following purposes:

Provisioning accounts

Starting and stopping a service

Move mailboxes

Cross-mailbox searches

Installing self-signed certificates

Local configuration

General Tool Information

The Zimbra Collaboration command-line utilities follow standard UNIX command-line conventions. Use the following general guidelines with the CLI:

CLI commands are run as the zimbra user: su - zimbra

The CLI commands are case-sensitive. You must type them in lower case.

Press ENTER after you type a command.

To display usage information about a command, type the CLI command with -h .

Example: zmprov -h lists all the options available for the zmprov utility.

Each operation is invoked through command-line options. Many have a long name and a short name. For example, these two commands are equivalent:

When demonstrating the syntax of each tool, the following conventions indicate required, optional, and alternate values:

{ attribute } in curly brackets is required information.

[ attribute ] in square brackets are optional arguments or information.

{ a|b|c } or [ a|b|c ] options separated by the pipe character | means "a" OR "b" OR "c"

For attribute names that may contain spaces, surround the name with double quotes.

The command-line tools available for administrators are all located in the /opt/zimbra/bin folder on the Zimbra Collaboration server.

Zimbra CLI Commands

CLI

The table below lists the CLI commands in /opt/zimbra/bin .

If you use non-ASCII characters in the CLI, in order for the characters to display correctly, you must change this setting to the desired UTF-8 before running the CLI command. To change this, type

export LC_All=<UTF_locale>

The zmprov tool performs all provisioning tasks in Zimbra LDAP, including creating accounts, aliases, domains, COS, distribution lists, and calendar resources. Each operation is invoked through command-line options, each of which has a long name and a short name.

The syntax is zmprov [cmd] [argument] .

The syntax for modify can include the prefix “+” or “-” so that you can make changes to the attributes affected and do not need to reenter attributes that are not changing.

Use + to add a new instance of the specified attribute name without changing any existing attributes.

Use - to remove a particular instance of an attribute.

The following example would add the attribute zimbraZimletUserProperties with the value "blue" to user 1 and would not change the value of any other instances of that attribute.

The attributes for the tasks zmprov can be used with are listed when you type zmprov -h . The task area divided into the following sections:

The commands are categorized and briefly described in the following topics:

Account Provisioning Commands

Calendar resource provisioning commands, free busy commands, domain provisioning commands, cos provisioning commands, server provisioning commands, config provisioning commands, distribution list provisioning commands, mailbox commands, logs commands, search commands, share provisioning commands, unified communication service commands, imap/pop proxy commands.

createAccount (ca)

{name@domain} {password} [attr1 value1]…​

createDataSource (cds)

{name@domain} {ds-type} {ds-name} zimbraDataSourceEnabled {TRUE | FALSE} zimbraDataSourceFolderId {folder-id} [attr1 value1 [attr2 value2]…​]

createIdentity (cid)

{name@domain} {identity-name} [attr1 value1 [attr2 value2]…​]

createSignature (csig)

{name@domain} {signature-name} [attr1 value1 [attr2 value2]…​]

deleteAccount (da)

{name@domain | id | adminName}

deleteDataSource (dds)

{name@domain | id} {ds-name | ds-id}

deleteIdentity (did)

{name@domain | id} {identity-name}

deleteSignature (dsig)

{name@domain | id} {signature-name}

getAccount (ga)

getAccountMembership (gam)

{name@domain | id}

getAllAccounts (gaa)

[-v] [domain]

Must include -l / --ldap

getAllAdminAccounts (gaaa)

getDataSources (gds)

{name@domain | id} [arg1 [arg2]…​]

getIdentities (gid)

getSignatures (gsig)

modifyAccount (ma)

{name@domain | id | adminName} [attr1 value1]…​

modifyDataSource (mds)

{name@domain | id} {ds-name | ds-id} [attr1 value1 [attr2 value2]…​]

modifyIdentity (mid)

{name@domain | id} {identity-name} [attr1 value1 [attr2 value 2]…​]

modifySignature (msig)

{name@domain | id} {signature-name | signature-id} [attr1 value1 [attr2 value2]…​]

removeAccountAlias (raa)

{name@domain | id | adminName} {alias@domain}

renameAccount (ra)

{name@domain | id} {newname@domain}

setAccountCOS (sac)

{name@domain | id | adminName} {cos-name | cos-id}

setPassword (sp)

{name@domain | id | adminName} {password}

renameDomain (rd)

{domain | id} {newDomain}

getDistributionList (gdl)

{list@domain | id}

modifyDistributionList (mdl)

{list@domain | id} attr1 value1 [attr2 value2]…​

deleteDistributionList (ddl)

addDistributionListAlias (adla)

{list@domain | id} {alias@domain}

removeDistributionListAlias (rdla)

renameDistributionList (rdl)

{list@domain | id} {newName@domain}

reIndexMailbox (rim)

{name@domain | id} {start | status | cancel} [type | id]…​

compactIndexMailbox (cim)

{name@domain | id} {start | status}

verifyIndex (vi)

getIndexStats (gis)

selectMailbox (sm)

{account-name} [{zmmailbox commands}]

unlockMailbox (ulm)

{name@domain | id} [hostname]

Only specify the hostname parameter when unlocking a mailbox after a failed move attempt.

Miscellaneous Provisioning Commands

See the zmprov Log Categories for a list of logging categories.

Examples — using zmprov

You must know the COS ID number. To find a COS ID:

The empty single quote is required and indicates that there is no local password.

See Provisioning User Accounts for the procedure.

See the Zimbra wiki page Bulk_Provisioning .

The ID of the distribution list is returned.

Use this command to change any password. Enter the address of the password to be changed.

Then type zmloggerctl start, to start the logger.

For example, zmprov gs example.com zimbraServiceEnabled=ldap to find out if the ldap service is enabled.

To modify the purge interval, set zimbraMailPurgeSleepInterval to the duration of time that the server should "sleep" between every two mailboxes.

X is the duration of time between mailbox purges; m represents minutes. You could also set <xh> for hours.

Modify zimbraNewMailNotification to customize the notification email template. A default email is sent from Postmaster notifying users that they have received mail in another mailbox. To change the template, you modify the receiving mailbox account. The variables are

${SENDER_ADDRESS}

${RECIPIENT_ADDRESS}

${RECIPIENT_DOMAIN}

${NOTIFICATION_ADDRESSS}

You can specify which of the above variables appear in the Subject , From , or Body of the email. The following example is changing the appearance of the message in the body of the notification email that is received at [email protected] . You can also change the template in a class ofservice, use zmprov mc . The command is written on one line.

Configure Auto-Grouped Backup from the CLI

Set the backup method in the global configuration, and you can override the configuration on a per server basis if you do not want a server to use the auto-grouped backup method.

To set up auto-grouped backup, you modify LDAP attributes using the zmprov CLI. Type the command as

You can also set the attributes at the server level using zmprov ms .

zimbraBackupMode  —  Set it to be Auto-Grouped . The default is Standard .

zimbraBackupAutoGroupedInterval — Set this to the interval in either days or weeks that backup sessions should run for a group. The default is `1d . Backup intervals can be 1 or more days, entered as xd ( 1d ); or 1 or more weeks, entered as xw ( 1w ).

zimbraBackupAutoGroupedNumGroups  — This the number of groups to spread mailboxes over. The default is 7 groups.

Changing Conversations Thread Default

Messages can be grouped into conversations by a common thread. The default is to thread messages in a conversation by the References header. If there is no References header, the Subject is used to determine the conversation thread. The default options can be changed from the COS or for individual accounts.

The types include:

none  — no conversation threading is performed.

subject  — the message will be threaded based solely on its normalized subject.

strict  — only the threading message headers (References, In-Reply-To, Message-ID, and Resent-Message-ID) are used to correlate messages. No checking of normalized subjects is performed.

references  — the same logic as "strict" with the constraints slightly altered so that the non-standard Thread-Index header is considered when threading messages and that a reply message lacking References and In-Reply-To headers will fall back to using subject-based threading.

subjrefs  — the same logic as "references" with the further caveat thatchanges in the normalized subject will break a thread in two.

Detecting Corrupted Indexes

Run zmprov verifyIndex as a sanity check for the specified mailbox index. Diagnostic information is written to stdout. If problems are detected, a failure status is returned.

verifyIndex locks the index while it’s running, and checks every byte in the index. Therefore, it’s not recommended to run this on a regular basis such as in a cron job. The zmprov verifyIndex command should be used only when you need to make a diagnosis.

If verifyIndex reports that the index is corrupted, you can repair the mailbox index by running reIndexMailbox (rim) .

Use zmaccts to run a report that lists all the accounts, their status, when they were created and the last time anyone logged on. The domain summary shows the total number of accounts and their status.

Use zmarchiveconfig for configuring the archiving mailbox. It has the option of using short commands or full names for commands that lead to the same function being carried out.

Use zmarchivectl to start, stop, reload, or check the status of the Zimbra account archive.

Use zmarchivesearch to search across account archives. You can search for archives that match specific criteria and save copies to a directory.

Use zmbackup to perform full backups and incremental backups for a designated mail host.

This utility has short option names and full names. The short option is preceded by a single dash, while the full option is preceded by a double dash. For example, -f is the same as --fullBackup .

One of -f , -i , or -del must be specified.

In these examples, the server ( -s ) is server1.domain.com . The ( -t ) is not required if the target is the default directory, ( /opt/zimbra/backup ).

Use zmblobchk to check the consistency of the Zimbra blob store ( /opt/zimbra/store ). This command checks and records notes of files without matching database metadata. It also checks to make sure that size information is correct for the files.

The start command is required to avoid unintentionally running a blob check. The ID values are separated by commas.

Use zmcalchk to check the consistency of appointments on the Zimbra calendar and sends an email notification regarding inconsistencies. For example, it checks if all attendees and organizers of an event on the calendar agree on start/stop times and occurrences of a meeting.

See the output of zmmailbox help appointment for details on time-specs.

Use zmschedulebackup to schedule backups and add the command to your cron table.

The default schedule is as follows:

Full backup, every Saturday at 1:00 a.m. ( 0 1 * * 6 )

Incremental backup, Sunday through Friday at 1:00 a.m. ( 0 1 * * 0-5 )

Each crontab entry is a single line composed of five fields separated by a blank space. Specify the fields as follows:

day of the (month) — 1 through 31

day of the (week) — 0 through 7 (0 or 7 is Sunday, or use names)

Type an asterisk ( * ) in the fields you are not using.

This command automatically writes the schedule to the crontab.

Account specific. The default is all accounts.

--mail-report

Send an email report to the admin user.

server - Mail server hostname. Default is localhost.

Runs full backup synchronously.

--excludeBlobs

Exclude blobs from full backup. If unspecified, server config is used.

--includeBlobs

Include blobs in full backup. If unspecified, the server config is used.

--excludeHsmBlobs

Exclude blobs on SM volumes from full backup. If unspecified, the server config is used.

--includeHsmBlobs

Include blobs on SM volumes in full backup. If unspecified, the server config is used.

--excludeSearchIndex

Exclude search index form full backup. If unspecified, the server config is used.

--includeSearchIndex

Include search index in full backup. If unspecified, the server config is used.

Cron schedule  — backup-type: <i | f | d arg>

incremental backup

<time specifier> Incremental backup.

Incremental backup is not used with the auto-grouped backup mode.

full backup

Full backup

d <arg>

Delete backups. <arg> is n(d | m | y)

Backup Scheduling Examples

Display the schedules on one line as a command, so that they can be copied to a text file and saved to be used if the application needs to be restored.

Use zmbackupabort to stop a backup process. Before you can abort an account you must know its backup label. This label is displayed after you start the backup procedure. If you do not know the label, use zmbackupquery to find the label name.

To stop the restore process:

The zmbackupabort -r interrupts an ongoing restore. The restore process is stopped after the current account is restored. The command displays message showing which accounts were not restored.

Use zmbackupquery to find full backup sets. The command can be used to find a specific full backup set or full backup sets since a specific date, or all backup sets in the backup directory.

To find out the best full backup to use as the basis for point-in-time restore of an account, run a command like this:

Specify date/time in one of these formats:

Specify year, month, date, hour, minute, second, and optionally millisecond.

Month/date/hour/minute/second are 0-padded to 2 digits, millisecond to 3 digits.

Hour must be specified in 24-hour format, and time is in local time zone.

Use zmrestore to perform full restores and incremental restores for a designated mail host. You can either specify specific accounts, or, if no accounts are specified, all accounts are in the backup are restored. In addition, you can restore to a specific point in time.

This utility has short option names and full names. The short option is preceded by a single dash, the full option is proceeded by a double dash. For example, -rf is the same as --restorefullBackupOnly .

Perform complete restore of all accounts on server1 , including last full backup and any incremental backups since last full backup.

Perform restore only to last full backup, excluding incremental backups since then, for all accounts on server1 .

The name of the new account will be [email protected] .

zmrestoreoffline requires that the following is true:

mailboxd IS NOT running

SQL database IS RUNNING

LDAP directory IS RUNNING

Before you begin zmrestoreoffline , the LDAP directory server must be running.

Perform a complete restore of all accounts on server1 , including last full backup and any incremental backups since last full backup.

Use zmrestoreldap to restore accounts from the LDAP backup.

Use zmcontrol to start, to stop, or to restart services. You can also find which version of the Zimbra Collaboration is installed.

Use zmmboxsearch is used to search across mailboxes. You can search across mailboxes to find messages and attachments that match specific criteria and save copies of these messages to a directory.

The following example performs a cross-mailbox search in the inbox folder of two different mailboxes on the specified server and puts a copy of the found messages in to the specified directory.

Use zmmboxmove to move mailboxes. The destination server manages the overall move process. Using the zmmboxmove command significantly reduces the account lockout time.

The CLI command zmmboxmove is used to move mailboxes from one Zimbra server to another. Mailboxes can be moved between Zimbra servers that share the same LDAP server. All the files are copied to the new server and the LDAP is updated. After the mailbox is moved to a new server a copy still remains on the older server, but the status of the old mailbox is closed . Users cannot log on and mail is not delivered. You should check to see that all the mailbox content was moved successfully before purging the old mailbox.

Use zmmboxmovequery to query ongoing mailbox moves on a server, both move-ins and move-outs.

Use zmpurgeoldmbox to purge the mailbox from the older server after a mailbox move.

Use zmgsautil to create or delete the GAL sync account, and to force syncing of the LDAP data to the GAL sync account.

A GAL sync account is created when the GAL is configured on a domain. This account is created and the polling interval for performing a full sync is managed from the Administration Console.

To see attributes and settings for a GAL sync account, run zmprov gds against the account.

Use zmldappasswd to change the LDAP password on the local server. In multi node environments, this command must be run on the LDAP master server only.

This CLI command used with options changes other passwords.

For better security and audit trails the following passwords are generated in Zimbra:

LDAP Admin password . This is the master LDAP password.

LDAP Root password . This is used for internal LDAP operations.

LDAP Postfix password . This is the password used by the postfix user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP master server.

LDAP Amavis password . This is the password used by the amavis user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP server.

LDAP Replication password . This is the password used by the LDAPreplication user to identify itself to the LDAP master and must be the same as the password on the LDAP master server.

Use zmlocalconfig to set or get the local configuration for a Zimbra server. Use zmlocalconfig -i to see a list of supported properties that can be configured by an administrator.

To see the local config type zmlocalconfig .

Use zmmailbox for mailbox management. The command can help administrators provision new mailboxes along with accounts, debug issues with a mailbox, and help with migrations.

You can invoke the zmmailbox command from within the zmprov command. You enter selectMailbox within zmprov to access the zmmailbox command connected to that specified mailbox. You can then enter zmmailbox commands until you type exit. Exit returns you to zmprov . This is useful when you want to create accounts and also pre-create some folders, tags, or saved searches at the same time.

Specific CLI tools are available for the different components of a mailbox. Usage is described in the CLI help for the following.

When you create an account, you may want to pre-create some tags and folders. You can invoke zmmailbox inside of zmprov by using selectMailbox(sm) .

This is required when using the command emptyDumpster . Use --admin-priv to skip delegated auth as the target mailbox.

This lets one user login to another user’s mailbox. The authenticating user must be a delegated admin account and must have the adminLoginAs right on the target mailbox. This auth option uses a non-admin auth token. Use the --auth option to specify the authenticating account. To login as user bar and open mailbox foo :

When you use zmmailbox to backup individual mailboxes, you can save the file as either a zip file or a tgz file. The default settings for the information that is saved in these formats is different.

To include all the mailbox content in a zip file, you must enable the meta data. Type as:

Use zmtlsctl to set the Web server zimbraMailMode to the communication protocol options: HTTP, HTTPS, Mixed, Both and Redirect. The default setting is HTTPS.

HTTP . HTTP only, the user would browse to http://zimbra.domain.com .

HTTPS. HTTPS only (default), the user would browse to https://zimbra.domain.com . http:// is denied.

Mixed If the user goes to http:// it will switch to https:// for the login only,then will revert to http:// for normal session traffic. If the user browses to https:// , then the user will stay https://

Both A user can go to http:// or https:// and will keep that mode for the entire session.

Redirect Like mixed if the user goes to http:// it will switch to https:// but they will stay https:// for their entire session.

All modes use TLS encryption for back-end administrative traffic.

Note, mailboxd has to be stopped and restarted for the change to take effect.

mode = http , https , mixed , both , redirect

Steps to run

Type zmtlsctl [mode] and press ENTER .

Type zmmailboxdctl stop and press ENTER.

When mailboxd is stopped, type zmmailboxdctl start and press ENTER.

Limitations When Using Redirect

Many client applications send an auth request in the initial HTTP request to the Server ("blind auth"). The implications of this are that this auth request is sent in the clear/unencrypted prior to any possible opportunity to redirect the client application to HTTPS.

Redirect mode allows for the possibility of a man-in-the-middle attack, international/unintentional redirection to a non-valid server, or the possibility that a user will mis type the server name and not have certificate-based validity of the server.

In many client applications, it is impossible for users to tell if they have been redirected (for example, ActiveSync), and therefore the users continue to use HTTP even if the auth request is being sent unencrypted.

Use zmhsm to start, stop (abort), and see the status of a SM session. The threshold for when messages are moved to a storage volume is configured from the Administration Console, Servers → Volumes page.

Use zmlicense to view and install your Zimbra license. The license can be viewed and installed from the Administration Console, Global Settings → License page.

The zmmetadump command is a support tool that dumps the contents of an item’s metadata in a human readable form.

Use zmmypasswd to change zimbra_mysql_password . If the --root option is specified, the mysql_root_passwd is changed. In both cases, MariaDB is updated with the new passwords. Refer to the MariaDB documentation to see how you can start the MariaDB server temporarily to skip grant tables, to override the root password.

Users who maintain a backup and restore mechanism using the snapshot facility of the storage layer use zmplayredo to restore backed up data. This command brings all backed up data to the current state so that there is no loss of information during the restore process.

Time is specified in the local time zone. The year, month, date, hour, minute, second, and optionally millisecond should be specified. Month/date/hour/ minute/second are 0-padded to 2 digits, millisecond to 3 digits. The hour must be specified in a 24-hour format.

Use zmproxyconfgen to generate the Nginx proxy configuration files. It reads LDAP settings to replace template variables and generates the final Nginx configuration.

Use zmproxypurge to purge POP/IMAP proxy routing information from one or more memcached servers. Available memcached servers are discovered by the zmprov gamcs function. Others can be specified if necessary using the server port.

Use zmredodump for debugging purposes and to dump the contents of a redolog file. When users are debugging a problem, Zimbra support might ask them to run zmredodump with specific options.

Multiple log files/directories can be specified with all redolog files under each directory being sorted in ascending order and processed.

Use zmskindeploy to simplify the process of deploying skins for the Classic Web App. This tool processes the available skins, enables them for all users of the Zimbra deployment, and restarts the web server so that it recognizes the new skins.

Use zmsoap to print mail, account, and admin information in the SOAP format.

Use zmstat-chart to collect statistical information for the CPU, IO, mailboxd , MTAqueue, MariaDB, and other components and to run a script on the csv files to display the usage details in various charts. These csv files are saved to /opt/zimbra/zmstat/ .

You must enable zmstat to collect the performance charts data:

Enter zmprov ms {hostname} zimbraServerEnable stats .

Restart the server, Enter:

Use zmstat-chart-config to generate an xml file /opt/zimbra/conf/zmstat-chart.xml from a template, taking into account the server setup including theLDAP node and the processes run, among other specifications.

Use zmstatctl to run a control script for checking zmstat data collectors. This instruction starts or stops monitoring processes, and checks status or rotates logs.

Use zmthrdump to invoke a thread dump in the Zimbra server process and print the output file. This command also gives the option of saving the thread dump to a file and inserts a timestamp on the logfile.

Use zmtrainsa to train the anti-spam filter. This command is run automatically every night to train the SpamAssasin filter from messages users mark as "junk" / "not junk" from their mailbox. See SpamAssassin’s sa-update tool , which is included with SpamAssassin. This tool updates SpamAssassin rules from the SA organization. The tool is installed into /opt/zimbra/common/bin .

The zmtrainsa command can be run manually to forward any folder from any mailbox to the spam training mailboxes. If you do not enter a folder name when you manually run zmtrainsa for an account, for spam, the default folder is Junk. For ham, the default folder is Inbox.

Use zmtzupdate to update time zone changes in existing appointments for specific users or all users. An .ics rule file should first be created to run with this command. A rule file lists a series of rules to match a time zone and the replacement time zone definitions. More information about this command can be found at: https://wiki.zimbra.com/wiki/Changing_ZCS_Time_Zones .

Use zmvolume to manage storage volumes from the CLI. Note that volumes can be managed from the Administration Console, Server → Volumes page.

Use zmzimletctl to manage Zimlets and to list all Zimlets on the server. Additional information is provided in Zimlets . Most Zimlet deployment can be completed from the Zimbra Administration Console.

Use zmproxyconfig to manage Zimbra proxy and should only be used when you have to make changes to Zimbra proxy after it has been installed. See Zimbra Proxy Server .

hostname is the value of the zimbra_server_hostname LC key for the server being modified.

Required options are -f by itself, or -f with -d or -e .

-d or -e require one or both of -m and -w .

-i or -p require -m .

-a requires -w .

-x requires -w and -d for store.

-x requires -w for proxy.

The following are the defaults for -a , -i , -p , and -x if they are not supplied as options.

Use zmsyncreverseproxy to reverse proxy mobile sync HTTP traffic between the source and forwarding server and port. Decodes the sync requests/responses and logs them when verbose mode is turned on.

Appendix B: Configuring SPNEGO Single Sign-On

The SPNEGO protocol mechanism can be configured on Zimbra for single sign-on authentication to the Zimbra Classic Web App, Modern Web App, and to the Zimbra Connector for Outlook (ZCO). For ZCO configuration see Setting Up Single Sign-On Options for ZCO .

When users have authenticated to their Intranet through Active Directory, they can enter their Zimbra mailbox using Classic Web App or Modern Web App without having to re-authenticate.

SPNEGO Architecture

The Zimbra server configuration will redirect users attempting to log on to the Classic Web App or Modern Web App to a URL under SPNEGO protection. The server asks for authentication with Kerberos through SPNEGO, and redirects users to their Zimbra mailbox. When users log out, they get redirected to a logout URL that displays a Launch button. When users click it, they get directed to the Zimbra login page.

Create the Kerberos keytab file.

Create an Active Directory service account. You use this account to generate the Kerberos keytab file.

Add the service Principal Names (SPN) directory property for an Active Directory service account.

Create the keytab file.

Enable and configure the SPNEGO protocol on the Zimbra server.

Configure browsers

Create an Active Directory service Domain account for each mailstore server.

Create an Active Directory service account. You use this account to generate the Kerberos keytab file to add to the Zimbra server.

Go to the Active Directory Start → Programs → Administrative Tools → Active Directory Users and Computers console.

To create the service account, click the AD Domain name and from the expanded content right-click Users and select New → User . Complete the New Object – User dialog.

AD New User

Full name : Enter the user display name for the AD service account. We recommend using the Zimbra mailbox server name as the full name.

Example: Zimbra SPNEGO .

User Logon Name : This name is the value set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down.

Example: zimbraspnego/zimbralab.local .

User Logon Name (pre-Windows2000): This name is used for the –mapUser parameter in the setspn and ktpass commands.

Example: ZIMBRALAB\zimbraspnego .

New AD User Dialog

Enter and confirm the password for the –pass {AD-user-password} parameter in the ktpass command, configured below.

Check Password never expires and User cannot change password , and click Next .

Click Finish to create the user. The service account name displays in the Users directory.

Use the setspn command to map the mailbox server name to the user account as the Service Principal Name (SPN). The SPN features in the process of mutual authentication between the client and the server hosting a particular service.

From the command prompt, type setspn –a {userlogonname} {serviceaccountname}

To verify that the SPN is registered, type C:\>setspn –l {accountname} A list of registered SPNs is displayed.

Create the keytab file used when signing into the Kerberos domain. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab.

The command to type follows:

Using ktpass to create a jetty.keytab file

The command confirmation comes with something similar to the example below.

`spnegofile.keytab`

Transfer the keytab file (jetty.keytab) to the Zimbra server. Copy the file created in step 3 to the following Zimbra server location: /opt/zimbra/data/mailboxd/spnego/jetty.keytab .

Repeat steps 1 to 4 to create an create the keytab file ( jetty.keytab ) for each Zimbra mailstore server.

SPNEGO attributes get configured in Global Config and on each Zimbra server, and domain pre-authentication gets configured for the domain. Use the zmprov command to modify the Zimbra server.

Modify the following global config attributes, with the zmprov mcf command.

To modify the global config attributes, type:

zmprov mcf zimbraSpnegoAuthEnabled TRUE

zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1'

zmprov mcf zimbraSpnegoAuthRealm <MY_COMPANY.COM>

On each Zimbra server, modify the following global config attributes with the zmprov ms command.

To modify the server global config attributes, type:

zmprov ms mail1.example.com zimbraSpnegoAuthTargetName HTTP/mail1.example.com

zmprov ms mail1.example.com zimbraSpnegoAuthPrincipal HTTP/mail1.example.com@MY_COMPANY.COM

Set up the following for the domain.

Kerberos Realm

Virtual host

Web client login URL and UAs

Web client logout URL and UAs

Set up the Kerberos Realm for the domain as the same realm set in the global config attribute zimbraSpnegoAuthRealm . Type zmprov md {domain} zimbraAuthKerberos5Realm {kerberosrealm} .

Set up the virtual hosts for the domain. Virtual-hostname-* are the hostnames you can browse to for the Zimbra Classic Web App UI. Type:

Setup the web client login URL, and UAs allowed for the login URL on the domain.

Set the login URL. The login URL is the URL to redirect users to when the Zimbra auth token is expired. zmprov md {domain} zimbraWebClientLoginURL '../service/spnego' .

Honor only supported platforms and browsers.

zimbraWebClientLoginURLAllowedUA is a multi-valued attribute,values are regex. If this is not set, all UAs are allowed. If multiple values are set, an UA is allowed as long as it matches any one of the values.

For example, to honor zimbraWebClientLoginURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.

Setup the web client logout URL and UAs allowed for the logout URL on the domain.

Set the logout URL. The logout URL is the URL to redirect users to when users click Logout .

Honor only supported platforms and browsers. zimbraWebClientLogoutURLAllowedUA is a multi-valued attribute, where the accepted values are regex. If this attribute has no set value, all UAs are allowed. When it has multiple values, a UA is allowed as long as it matches any one of the values.

For example, to honor zimbraWebClientLogoutURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.

With the SPNEGO SSO feature enabled on your domain, you must configure users' browsers to use its Authentication mechanism. Improperly configured browsers exhibit different behaviors depending on the browser.

The following browsers are supported:

For computers running Windows: Edge, Firefox 52 or later, Chrome, Safari

Apple Mac computer: Safari

Configuration steps:

Firefox browser for computers running Windows

In the Firefox browser address field, type about:config . The warning —  This might void your warranty , is now displayed.

Click I’ll be careful, I promise!

Search in Filters, type network.n . Enter a comma-delimited list of trusted domains or URLs.

Double-click network.negotiate-auth.delegation-uris . Enter http://,https:// .

Double-click network.negotiate-auth.trusted-uris . Enter http://,https:// .

Or, to set specific URLs,

Double-click network.negotiate-auth.delegation-uris . Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com .

Double-click network.negotiate-auth.trusted-uris . Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com .

Internet Explorer, Chrome, and Safari for computers running Windows

In these browsers, go to Tools → Internet Options → Security → Local Intranet >Sites . In the "Sites" dialog, check all items.

Select Advanced . Add the domain server (hostname) URL, both http:// and https:// .

Click OK to close the file.

Go to Tools → Options → Advanced → Security . Locate and check Enable Integrated Windows Authentication .

Click OK and close the browser.

Safari for Apple Mac computers. No configuration is necessary.

On a Windows computer or an Apple Mac computer, log in to the computer as a domain user.

Your domain user token gets saved on the computer. The token gets picked up by the SPNEGO-aware browser and sent to the Zimbra server in the Authorization header.

Browse to the Zimbra Classic Web App login page. You should get redirected to your inbox without being prompted for your user name and password.

If SPNEGO auth fails, the user gets redirected to an error URL.

Make sure the following are true.

The browser is in the Intranet zone.

The user is accessing the server using a Hostname rather than an IP address.

Integrated Windows Authentication has been enabled in Internet Explorer, and the host has been "trusted" in Firefox.

The server is not local to the browser.

The client’s Kerberos system is authenticated to a domain controller.

If the browser displays "401 Unauthorized", it’s most likely that the browser either did not send another request with Authorization in response to the 401 or had sent an Authorization without using the GSS-API/SPNEGO scheme.

Check your browser settings and make sure it is one of the supported browsers/platforms.

If you get redirected to the error URL specified in zimbraSpnegoAuthErrorURL , it means that the SPNEGO authentication sequence does not work.

Take a network trace, make sure the browser sends Authorization header in response to the 401 . Make sure the Negotiate is using GSS-API/ SPNEGO, not NTLM (use a network packet decoder like Wireshark ).

After verifying that the browser is sending the correct Negotiate, if it still does not work, turn on the following debug and check Zimbra logs:

Add (do not replace) -DDEBUG=true -Dsun.security.spnego.debug=all to local config key spnego_java_options .

Add log4j.logger.org.mortbay.log=DEBUG in log4j .

Then restart the mailbox server.

Browse to the debug snoop page ( http://{server}:{port}/spnego/snoop.jsp ). See if you can access snoop.jsp .

Check zmmailboxd.out and mailox.log for debugging output.

One of the errors at this stage could be because of clock skew on the jetty server. If this is the case, it should get shown in zmmailboxd.out . Fix the clock skew and try again.

Kerberos auth and SPNEGO can co-exist on a domain. In this use case, you are using Kerberos as the mechanism for verifying a user’s principal/password against a KDC, instead of the native Zimbra LDAP, when the user cannot get in by SPNEGO.

In a properly configured browser, users are redirected to the Zimbra sign-in page when SPNEGO auth fails. Users can enter their Zimbra username and password on the sign-in page to sign in manually. The Domain attribute zimbraAuthMech controls the mechanism for verifying passwords. If zimbraAuthMech is "kerberos5", the entered user name is used first to identify a valid Zimbra user (users must appear in the Zimbra LDAP). The Zimbra user gets mapped to a Kerberos principal, and then the Kerberos principal + password is validated against a KDC. This KDC could be different from, or the same as, the KDC used by the Active Directory domain controller (for SPNEGO auth).

For Kerberos auth ( zimbraAuthMech*="kerberos5" ), the mailbox server needs to contact KDC to validate principal+password. For the java Kerberos client (i.e., Zimbra mailbox server), the default realm and KDC for the realm get specified in a Kerberos config file. Specify the location of this config file in the optional JVM argument as java.security.krb5.conf . If it is not specified, the default is /etc/krb5.conf . When SPNEGO gets enabled in Zimbra, java.security.krb5.conf for the mailbox server is set to /opt/zimbra/jetty/etc/krb5.ini . Therefore, that is the active file for configuring Kerberos auth.

Note that /opt/zimbra/jetty/etc/krb5.ini gets rewritten from /opt/zimbra/jetty/etc/krb5.ini.in each time the mailbox server restarts. For persistent configuration then, you need to modify the /opt/zimbra/jetty/etc/krb5.ini.in file, not /opt/zimbra/jetty/etc/krb5.ini .

Under the [realms] section, KDC and admin_server get left unset for SPNEGO auth, but Kerberos auth requires them.

To configure:

Edit /opt/zimbra/jetty/etc/krb5.ini.in .

Replace YOUR-KDC and YOUR-ADMIN-SERVER to the hostname on which the kdc/admin_server for Kerberos auth is running.

Save the file and restart the mailbox server.

An important restriction is that the realm for SPNEGO and Kerberos auth must be the same. For SPNEGO auth, the Kerberos principal in the Authorization header gets mapped to a unique Zimbra account. For Kerberos auth, the Zimbra account gets mapped to a unique Kerberos principal. The mapping (by domain attribute zimbraAuthKerberos5Realm ) is the same for both.

The single sign-on option works with a specific server. The server name used in the ZCO profile must match that in the SPNEGO configuration. Make sure that the server name gets incorporated into the .msi file before installation.

To set up the single sign-on option in the .msi customization script:

Set the server name to be the server name configured for SPNEGO, enter -sn <spnegoserver.example.com> .

Set the password rule, enter -pw 0 .

Appendix C: Zimbra Crontab Jobs

The crontab is used to schedule commands to be executed periodically on the Zimbra servers.

Each entry in a crontab file consists of six fields, specified in the following order: minute, hour, day, month, weekday, command

The fields are separated by blank spaces or tabs.

When an asterisk (*) is displayed, it means all possible values for the field. For example, an asterisk in the hour time field would be equivalent to "every hour".

Zimbra Cron Jobs

You can view the Zimbra crontab by logging on as zimbra and typing crontab -l .

The following cron jobs are scheduled to run for Zimbra:

Log pruning

The log pruning deletes logs from /opt/zimbra/log that are over eight days old. The job runs at 2:30 a.m.

Status logging

zmstatuslog calls zmcontrol status and outputs it data into syslog.

This is primarily so that logger can read the data and keep the administration console status up-to-date.

Status logging job runs every 2 minutes.

Full and increment backups are scheduled to run according to the schedule defined by zmschedulebackup command. By default the full backup is scheduled for 1:00 a.m., every Saturday. The incremental backups are scheduled for 1:00 a.m., Sunday through Friday.

By default, backups older then a month are deleted on the first of each month at 12 a.m.

The log pruning deletes logs from /opt/zimbra/mailboxd/logs that are over eight days old. The job runs at 2:30 a.m.

Clean up the quarantine dir

Mail identified with a virus or spam are not dropped immediately, but are put in quarantine. Messages older than seven days are deleted at 1:00 a.m daily.

Table maintenance

The ANALYZE TABLE statement is run on all tables in the database to update the statistics for all indexes. This is done to make sure that the SQL query optimizer picks the correct indexes when executing SQL statements. This script is run 1:30 a.m. on Sunday.

Report on any database inconsistencies

zmdbintegrityreport is run weekly to check the SQL database for corruption and will notify the administrator if any corruption is found. When this is run, it may consume a significant amount of I/O. If you find that it is an issue, you may want to change the frequency with which zmdbintegrityreport is run by editing the Zimbra crontab entry. This report runs at 11:00 p.m. Sundays.

Large sites may opt to disable this by setting:

If you choose to disable this, it is recommended that the integrity report be run by hand during the normal maintenance windows and prior to running any Zimbra upgrades.

Monitor for multiple mysqld to prevent corruption

A script is executed to see if mysqld process is running to detect cases where corruption is likely to be caused. An email is generated if it finds more than 1 mysqld process running. The script runs every 5 minutes.

process logs

zmlogprocess runs every 10 minutes to parse logs and produce MTA metrics (as/av, volume, count, etc).

Daily reports

When the logger package is installed, a daily mail report is automatically scheduled in the crontab. The report runs every morning at 11:30 and is sent to the administrator’s email address.

Queue logging

The zmqueue report status via the syslog is reviewed. This is logger data. The status is updated every 10 minutes.

Spam training

The zmtrainsa script is enabled to feed mail that has been classified as spam or a non-spam to the SpamAssassin application. SpamAssassin learns what signs are likely to mean spam or ham. This job should run only on one Zimbra MTA. The job runs at 11:00 p.m.

Spam training cleanup

zmtrainsa empties the spam and ham mailboxes each day. The job runs at 11:45 p.m.

Spam Bayes auto-expiry

Spam bayes auto-expiry maintains the SpamAssassin Bayes database. This keeps the database to manageable size ensuring spam processing remains as quick as possible. This runs every day at 11:20 p.m.

Clean up amavisd/tmp

This job is used to clean up the amavisd temp files. It runs at 5:15 a.m. and at 8:15 p.m.

Zimbra Single Sign-On using SAML with SimpleSAMLphp

Did you know that Zimbra supports SAML single sign-on? SAML is an open standard that allows you to have a single login page for all applications in your organization. SAML is a Zimbra Network Edition feature. Once you have set-up your SAML portal you can easily add [Multi Factor Authentication](multi-factor authentication).

In SAML terms applications are called Service Providers or SP’s. The service that provides your user database and takes care of your authentication is in SAML terms called Identity Provider or IDP. Usually, you only have one IDP and as many SP’s as you have applications. In this example, we will set-up Zimbra as a SAML SP and use SimpleSAMLphp as IDP. This is the configuration needed on SimpleSAMLphp (in /etc/simplesamlphp/metadata/saml20-sp-remote.php ):

You will also need to get the X.509 public certificate that is used for signing the SAML request from the IDP to Zimbra. You will need to download it and save it on your Zimbra server. This guide will assume you store your cert in /tmp/idpcert.pem , don’t forget to chown zimbra:zimbra /tmp/idpcert.pem . If you followed the SimpleSAMLphp setup guide you can find the certificate at /etc/simplesamlphp/cert/server.crt .

Add the file /opt/zimbra/conf/saml/saml-config.properties to configure SAML in Zimbra add the contents:

From command line as user root , copy the samlextn.jar and set up the IDP certificate:

Your user accounts must be manually created in Zimbra and be available in your IDP user database. It is important that the E-mail attribute in your IDP is set exactly the same as the Zimbra account name. Or the user will not be able to log-in. If it does not work run a tail -f /opt/zimbra/log/* while doing the authentication request and dig through to log to find out what the issue may be. Keywords to grep for: SAML, Audience and assertion.

The samlextn.jar uses a property file located at: ${zimbra_home}/conf/saml/saml-config.properties .

The following properties are supported:

In case you need to support SLO initiated from the IDP you need the SLO URL: https://zimbraserver.example.com/service/extension/samlslo

Also if you want to trigger the IDP to log-out when the user clicks logout in Zimbra you have to configure Zimbra to use this log-out URL: https://zimbraserver.example.com/service/extension/samllogout .

On Zimbra 9 in most cases, you will need to disable CsrfRefererCheck for the SAML and restart Mailbox service to work.

The Glossary lists terms and acronyms used in this document, and includes both industry terms and application-specific terms. If a general industry concept or practice has been implemented in a specific way within the product, that is noted as well.

A (for "Address") records map the hostname to the numeric IP address. For Zimbra, the A record is the IP address for the Zimbra server.

The Allow/Block/Quarantine function gives system administrators control over which devices are allowed to sync via ActiveSync.

Class of Service as exposed in Zimbra administration console.

Microsoft Active Directory Server. Used in Zimbra Collaboration as an optional choice for authentication and GAL, along with OpenLDAP for all other Zimbra Collaboration functions.

An “also known as” email address, which should be routed to a user at a different email address.

Contains object-related data for directory server entries. Attributes store information such as a server host name or email forwarding address.

Process by which user-supplied login information is used to validate that user’s authority to enter a system.

Anti-spam term, indicates a known bad IP address. This could be one that has been hijacked by spammers, or also one from a poorly maintained but legitimate site that allows mail relaying from unauthorized parties.

Binary Large Object.

Describes an object in the Zimbra Collaboration LDAP data schema, which contains settings for things like user mail quotas. Each Zimbra Collaboration account includes a COS, and the account inherits all the settings from the selected COS.

Command-Line Interface. Used to refer to the collective set of Zimbra Collaboration command-line tools, such as zmprov .

A type of network configuration for high availability, using clusters of servers (nodes). If one server fails or drops off the network, a spare takes over.

Within Zimbra Collaboration, Contacts are a user-interface feature listing that user’s personal collection of address and contact information.

Within Zimbra Collaboration, Conversations are a user-interface feature that presents email threads (emails sharing the same subject line) as a single Conversation listing. Users can expand the Conversation to view all emails within it.

Dynamic HTML. A technology employed in the Zimbra Classic Web App.

Domain Name System is an Internet directory service. DNS is how domain names are translated into IP addresses and DNS also controls email delivery. Correctly configured DNS is required for Postfix to route messages to remote destinations

Generic term used to refer to any mail transfer agent that is the first line of defense in handling incoming email traffic. Functions that may occur on the Edge MTA include spam filtering.

An item in the directory server, such as an account or mail host.

Data which is short lived or fast changing in nature. Login timestamps, authentication tokens, etc.

Takeover process where a spare server machine detects that a main server is unavailable, and the spare takes over processing for that server.

Fully qualified domain name. The hostname and the path to the host. For example, www.zimbra.com is a fully qualified domain name where www is the host, zimbra is the second-level domain, and .com is the top level domain.

Global Address List, the Outlook version of a company directory. Lists contact information, including email addresses, for all employees within an organization.

A Zimbra Collaboration object containing default settings for servers and Class of Service.

Abbreviated as HA, high availability refers to the availability of resources in a computer system in the wake of component failures in the system.

HyperText Transfer Protocol, used along with SOAP for UI integration.

Internet Message Access Protocol is a method of accessing mail from a remote message store as if the users were local.

Within Zimbra Collaboration, a directory area that stores all the indexing information for mail messages on a particular mailbox server.

The process of parsing incoming email messages for search words.

Java is an industry standard object-oriented programming language. Used for the core Zimbra Collaboration application server.

Scripting largely developed by Netscape that can interact with HTML source code. Technology used in the Zimbra Classic Web App.

Lightweight Directory Access Protocol, an industry standard protocol used for authentication.

Local Mail Transfer Protocol, used for transferring messages from Postfix MTA to the Zimbra Collaboration server for final delivery.

Alternative term for Zimbra Collaboration server.

Messaging Application Programming Interface. A system built into Microsoft Windows to enable different email applications to work together.

Within Zimbra Collaboration, a directory area that stores the mail messages on a particular mailbox server.

Mail Delivery Agent, sometimes known as a mail host. The Zimbra Collaboration server functions as an MDA.

Data that describes other data, rather than actual content. Within Zimbra Collaboration, metadata consists of user folders, threads, message titles and tags, and pointers.

Multipurpose Internet Mail Extensions, a specification for formatting non-ASCII Internet message content such as image files. Format used to store messages in Message Store.

Message Transfer Agent. MTA is a program that delivers mail and transports it between machines. A Zimbra Collaboration deployment assumes both the Postfix MTA and an edge MTA.

Mail eXchange. An MX record is an entry in a domain name database that identifies the mail server that is responsible for handling emails for that domain name. The email system relies on DNS MX records to transmit emails between domains. When mail is processed, the MX record is checked before the A record for the destination address.

Common shorthand for “out of the office”, used when sending vacation messages.

Refers to software created by groups of users for non-commercial distribution, where source code is published rather than proprietary.

Operating system, such as Linux, UNIX, or Microsoft Windows.

Post Office Protocol is used to retrieve email from a remote server over TCP/IP and save it to the local computer.

The process of creating accounts or other data, usually in batch or automated fashion.

Real-time black hole. Usually refers to web sites that, as a public service, provide lists of known bad IP addresses from which mail should be blocked, because the servers are either known to be spammers, or are unsecured and exploited by spammers.

This approach to design ensures that the application displays and functions well on a variety of devices and window or screen sizes. The Modern Web App is a Responsive Web App, facilitating a consistent user experience on any screen.

Detailed transaction log for the Zimbra Collaboration server, used for replay and replication.

Storage Array Network. A high-availability data storage area.

Describes the data structures in use for by directory services at a particular organizational site.

Simple Mail Transfer Protocol. Used in Zimbra Collaboration deployments between the Edge MTA and the Postfix MTA.

Simple Network Monitoring Protocol. Used by monitoring software to pick up critical errors from system logs.

Simple Object Access Protocol, an XML-based messaging protocol used for sending requests for Web services. The Zimbra Collaboration servers use SOAP for receiving and processing requests, which can come from Zimbra Collaboration command-line tools or Zimbra Collaboration user interfaces.

Unsolicited commercial email. Spammers refer to their output as “bulk business email”.

Structured Query Language, used to look up messages in the Message Store.

Secure Sockets Layer.

A Zimbra Classic Web App feature. Users can define tags and apply them to mail messages for searching.

Total Cost of Ownership. Zimbra Collaboration reduces total cost of ownership (TCO) by reducing requirements for server hardware, OS licensing fees, supporting application license fees, disk storage requirements, and personnel (IT, help desk, consulting).

Transport Layer Security.

Unsolicited commercial email, also known as spam.

A type of mail alias recognized in the Postfix MTA.

Anti-spam term for a known good mail or IP address. Mail coming from such an address may be “automatically trusted”.

eXtended Markup Language.

The Zimbra Collaboration administrator interface.

Refers to any of the end-user interfaces provided over the Web as part of a Zimbra server.

Zimbra : Blog

  • Open Source

Setting up DNS before installing Zimbra

DNS is an important aspect of any Zimbra installation. This article will help those that are new on installing Zimbra to get an idea what needs to be configured to get started. There will also be some tips and best practices that will improve security and email deliverability that may be lesser know even to experienced administrators. Having a good DNS configuration will improve:

  • Reliability
  • Performance

DNS and reliability

The first things to consider is rolling out Zimbra using a so called Split DNS .

Example: Your Zimbra server has the domain name mail.example.com. When on the server itself you query the DNS A record for mail.example.com, the answer from DNS is an internal network address such as 10.0.0.1. However when someone from the Internet queries the A record for example.com the answer is a public IP address such as 54.172.92.245.

One of the benefits of a split DNS is that you can make sure network traffic does not needlessly have to pass though your router/firewall and or NAT. On top of that when set-up correctly the internal DNS should be 100% under your control. This makes the Zimbra system more reliable. Because even when external DNS would fail, internally Zimbra would run as normally.

Setting up Split DNS

The following steps will show you how to set-up a basic split DNS using the /etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First find the local IP address of your server by running the ip a command from the server.

You will have to use the address that is listed after inet under the device called ensX, ethX or enpX. In most cases it will start with 192.168. or 10.0. If you directly get a public IP for example 54.84.210.249 from your hosting provider on your Zimbra machine, you can use this IP.

Next you have to set this IP and the hostname in the /etc/hosts file. The following line must be present or added as follows:

You have to set-up the /etc/hostname file as follows:

Next install DNSMASQ as follows:

Next disable systemd-resolved:

Next set this server to resolve DNS using the locally installed DNSMASQ:

You can optionally prevent changes from upstream package updates to resolv.conf by making this file immutable:

If you are installing Zimbra or installing Zimbra/OS updates make sure to reset the resolv.conf file to the regular setting, meaning chattr -i because otherwise packages fail to install.

Finally configure DNSMASQ by editing /etc/dnsmasq.conf , in this example we will be using Quad9, Cloudflare and Google for upstream resolving of DNS. Set listen-address to 127.0.0.1 so only queries from the local Zimbra machine are accepted.

You can now restart your server and proceed with the installation of Zimbra. Please note that when running the Zimbra installer choose N when asked to install zimbra-dnscache.

At the very minimum you will also have to set an MX record, you can use the command dig to verify it is set correctly:

To find the actual IP of mail.example.com you use dig again as follows:

Internally you should get the internal IP such as 10.0.0.229 in this example. Externally you would get 54.84.210.249 again this is just an example.

DNS and Performance

When using DNSMASQ you can control the cache of DNS, and since DNSMASQ runs locally it answer very quickly. This makes it that your email gets delivered faster.

Setting zimbraMtaLmtpHostLookup

After installation you can set the zimbraMtaLmtpHostLookup directive. This tells Zimbra NOT to use DNS when delivering internal email. This increases performance.

DNS and Security

With the installation of DNSMASQ and the configuration as above you enforce DNSSEC this increases security. You should also implement SPF, DKIM, DMARC etc. Take a look at our email security webinars for in depth information on these topics.

Testing DNSSEC

You can use the following service via the command line: https://dnssec.vs.uni-due.de/ or http://conn.internet.nl/connection/ from a browser (in most cases you will not have a browser on your Zimbra server).

To test from the command line using dig :

Zimbra Server , administrators

2 Responses to Setting up DNS before installing Zimbra

' src=

This guide IMHO has two mistakes: the first one is that it sets resolv.conf nameserver 127.0.0.1 but then dnsmasq is bind to another ip (in this case 10.0.0.229) and of course if you bind dnsmasq MUST point to the same IPs or they won’t work. The second mistake is that if you make immutable resolv.conf with chattr +i /etc/resolv.conf , then the installation of – at least zimbra10 – returns “installed resolvconf package post-installation script subprocess returned error exit status 1” even if you doesn’t install zimbra-dnscache. So can’t be set.

Avatar photo

Thanks for the comment, you are right about the first issue. The second issue was already mentioned in the blog post, but I reworded it to make it more clear.post

  • Zimbra Network Edition
  • Zimbra Open Source Edition
  • Zimbra Connector
  • Support Offerings
  • Professional Services
  • Security Center
  • Support Portal

VARs or BSPs

  • Value Added Resellers
  • Business Service Providers
  • Become a Partner
  • Partner Login

Quick Links

  • Documentation
  • Tech Center
  • Mon. Feb 19th, 2024

Vavai's Personal Notes

Life is our precious gift

Change IP Address of Zimbra Mail Server : How to Resolve the Problem

By muhammad rivai.

By default, Zimbra will not get the problem if we try to change the IP Address. The problem will only occured if the replace IP have a different netmask with the previous one. If we tried to change Zimbra mail server IP Address from a set of IP, eg : 192.168.0.1 into 192.168.0.101 and both of them are within same net mask, it will not get any problem. Zimbra mail server version 5.x.x will automatically change LDAP setting to proper configuration. As described above, the problem will only occurred if current IP Address have different net mask, eg : change IP from 192.168.0.1 into 192.168.5.1 or into 10.0.0.101. Below is an example of the error message :

and then another message :

The problem occurred because Zimbra have different TrustedNetwork Setting in Postfix configuration within Zimbra configuration. Zimbra used Postfix as MTA engine and while it’s first initial install, trustednetwork setting will be filled out with existing IP Address format. To ensure if this is the main problem, checked current configuration at terminal / konsole and type in :

And another check : Zimbra LDAP configuration :

If the setting display different IP set compared to current configuration, change the setting with zmprov modifyserver as noticed below :

After change the proper setting, reload and restart your Zimbra server :

Another resource : ZimbraMTAMyNetworks

Related Post

Livebook, deep learning with python, second edition, php imagemagick extension (imagick) with php 7.4, virtualbox error kernel driver not installed (rc=-1908) on zorin os 15.2, 6 thoughts on “change ip address of zimbra mail server : how to resolve the problem”.

This was a bit complex for me. But i do understand it is important to change IP for a variety of reasons. One of the most important one is to be able to be secure and enjoy some privacy on the internet or at least try. There have become available some cool software such as Private Proxy software to rapidly change IP and route the connection through multiple servers. Thus effectively hiding your IP address and allowing one to surf the net anonymously. In order to combat security and privacy challenges on the internet Changing the IP has become an effective weapon against hackers and identity thieves.

Thank you so much for this as I just changed the sub-net for my lan and couldn’t send mail. This was exactly what I needed.

hey, thank you for provided information. I have moved one of my Zimbra’s (5.X) to another host and took the steps you described. I had to edit main.cf in /opt/zimbra/postfix/conf/ There was still mentioned line (mynetworks) with old values however I set it previously by zmprov and restarted it afterwards maybe that helps 😉

Thanks for the tip buddy! Just what I needed.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Chasing Health Targets with Noom’s Help

أين الحمام : where is the toilet, learning arabic (and thai, spanish, chinese) through mondly, achieving personal project success: why setting targets too low holds you back.

Change IP

IP Management & Technical Internet Services

Solopreneurs. Small Businesses. DIY Network Admins.

ESTABLISH A RELIABLE ONLINE PRESENCE AND ENSURE YOUR AUDIENCE CAN ALWAYS FIND YOU.

When running a business online, you can’t afford for customers to get lost trying to find your website.

Without a static IP address , you could be faced with major technical and operational problems.

Getting lost in the void and potential visitors being unable to reach your site

Zero functionality passing through your server

Work coming to a halt because your customers can’t find you

You deserve an easy, economical, reliable solution to reinforce your business. And you don’t have to do it alone.

Forget trying to diy your web hosting..

Efficiently establish your online presence, secure your business, and shore up your domain with services from ChangeiP.

Dynamic DNS

Daily IP maintenance? No, thanks. Stop the headaches and leave the DNS admin to us.

Keep all your systems connected without having to manually make one-off IP changes.

We offer a variety of options to fit your needs and budget, even if that budget is $0 . Utilize our Free DDNS service to automatically update records, or upgrade to Paid DDNS services and build out your existing operations.

Virtual Private Hosting

Get ready to scale with the hosting capabilities your business needs to grow.

Level up your business and migrate to cost-effective, easy-to-use shared hosting . When it’s time for big growth, upgrade to a virtual private server that will scale with you.

Let hosting problems become a thing of the past. No matter the size or location of your business, ChangeiP has your back.

No fluff. no unnecessary bells and whistles..

JUST STRAIGHTFORWARD HOSTING SUPPORT TO KEEP YOUR BUSINESS RUNNING.

You can get what you need on any budget

Uptime that sets the industry standard

Human-led services and support to foster trust and peace of mind

We’re here to get you up and running with hyper-specific tools built to help you establish your online presence.

We know that hosting, dns, and constantly changing ip addresses are the last things you want to deal with..

THAT’S WHY WE’VE DEDICATED 20 YEARS TO DELIVERING SERVICES THAT TAKE THE HEAVY LIFTING OFF YOUR PLATE SO YOU CAN FOCUS ON EXACTLY WHAT YOU NEED TO RUN YOUR BUSINESS .

Finding ChangeiP meant that I could have the reliability, speed, and privacy needed to run a learning management system and e-commerce platform on my website. I may not have a huge team yet, but I am proud to have ChangeiP as one of my secret weapons! I am happy to have more time to focus on the front side of my business knowing that ChangeiP has my backside.

Join More than 1M Satisfied Clients

Additional goodies.

Easily connect other ChangeIP products or 3rd party services, social media within minutes.

Domain lock prevents unauthorized transfer of your domain.

Have questions regarding any of our products or services? We’re here for you, just login to open a ticket.

Add subdomains to your domain. Have a store? Not a problem. Easily direct traffic to store.yourawesomedomain.com.

Ever wonder what that little lock icon is next to a URL? That tells visitors that you have an SSL certificate in place. Google loves this and helps your rankings. Don’t have one and Google banishes you into the Netherealm.

IMAGES

  1. Zimbra Change IP Address 1

    change ip zimbra

  2. DevOps & SysAdmins: How to change ip address used by Zimbra zcs 8.6? (2

    change ip zimbra

  3. Life with IP Network: Zimbra Distribution-list Restriciton

    change ip zimbra

  4. Did You Know? Change Your Zimbra General Preferences

    change ip zimbra

  5. How to install and configure zimbra multi server

    change ip zimbra

  6. Power Tip Tuesday

    change ip zimbra

VIDEO

  1. P1 / Change 3 Mobilelegens Badgirl 14.match #mobilelegends #badgirl #change

  2. les tutoriels informaticsclubs : Insérer une pièce jointe dans la messagerie Zimbra

  3. Heritage Zimbra Change Password

  4. Automatically change IP address in every 10 second

  5. How to convert/change hostname to IP address

  6. Zimbra em manaus 2023

COMMENTS

  1. How To Change IP Address of Zimbra Server

    We often need to change the IP address of the Zimbra server. In this guide, we will show you the precise way to change the IP address of your Zimbra server. Let's imagine, in your Multiverse Of Madness you are dealing with multiple issues as mentioned below: In Earth-616, you are going to change your existing service provider.

  2. [SOLVED] Change IP address

    For changing the IP correct (DNS, /etc/hosts, & other network config locations like /etc/sysconfig/network). Changing the hostname however requires ZmSetServerName - Zimbra :: Wiki - which I generally say shy away from right now, but we are working to take the uncertainty out of it.

  3. How to change ip address used by Zimbra zcs 8.6

    Adding the last action is to change your old IP address from all relevant DNS records and relay hosts or else you may face a mail send/receive problem in spite of a fully functional Zimbra server. If you have upgraded to the latest version of Zimbra and still facing the issue with Changing IP addresses, here is the link you should follow for ...

  4. How To Change IP Address on a Zimbra Server · NetShop ISP

    Assuming you have already changed the IP address on your server via NetworkManager or the configuration file directly, let's take a look at the next steps to change your Zimbra server's IP address. 1. Change the Hosts File. Using your favorite editor, edit the file /etc/hosts and replace your old IP with the new one as follows:

  5. Setting up Zimbra using a dynamic IP

    This article discusses a procedure for preparing a Zimbra environment with a dynamic IP address. It is assumed that the basic hardware and operating system requirements to run Zimbra have been met. ... Since dynamic IP addresses are unreliable and change throughout the day, a dynamic DNS name will be required to make sure that the server can be ...

  6. Administration Console

    The Zimbra administration console is the browser-based user interface used to centrally manage all Zimbra servers and mailbox accounts. ... Where server.domain.com is the current running Zimbra server name or IP address and default HTTP listen port is 7071. ... Select the administrator account and click Change Password.

  7. Split DNS

    Change /etc/resolv.conf to use the Zimbra server as the primary DNS address. Also remember to change the search path to be the name of the Zimbra server. ... You need a line to resolve the IP of mail.yourdomain.com to the private IP of the zimbra server, so make sure you have: 192.168.1.30 mail.yourdomain.com mail

  8. Change IP address

    Change IP address. Discuss your pilot or production implementation with other Zimbra admins or our engineers. 4 ... Change IP address. Post by AndrewBirch » Mon Jul 19, 2010 2:01 am. Hi Guys, I'm changing ISPs, and hence changing my Zimbra server's IP address and I'm wondering has anyone done this and if so, whether they have any tips. My plan ...

  9. Zimbra Collaboration Administrator Guide

    When you purchase, renew, or change the Zimbra license, you must update the Zimbra server with the new license information. ... The X-Forwarded-For header is automatically added to the localconfig zimbra_http_originating_ip header attribute. When a user logs in, this IP address and the user's address are verified in the Zimbra mailbox log. ...

  10. Change IP Address Of Zimbra Mail Server

    How to Change IP Address Of Zimbra Mail Server: Check current IP address configuration in postconf[root@mail /]# su zimbra[zimbra@mail /]$ postconf mynetworksmynetworks = 127.0.0.0/8 192.168.1./24…

  11. Setting up DNS before installing Zimbra

    The following steps will show you how to set-up a basic split DNS using the /etc/hosts file on your Zimbra machines combined with DNSMASQ. These steps assume you have not yet installed Zimbra. First find the local IP address of your server by running the ip a command from the server. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state ...

  12. Configuring-Proxy-Server+Change-Zimbra-Hostname

    Steps to change zmhostname: 1. Stop the flow of mail/Zimbra and take backup. 2. The new hostname must exist in the DNS before zmsetservername is run. If it does not already exist in the DNS, we need to add the new hostname to the DNS now. Note: If the box is duplicate of production server, prevent this server from affecting the production ...

  13. DevOps & SysAdmins: How to change ip address used by Zimbra ...

    DevOps & SysAdmins: How to change ip address used by Zimbra zcs 8.6?Helpful? Please support me on Patreon: https://www.patreon.com/roelvandepaarWith thanks ...

  14. How to rename a domain

    Make sure the DNS records (MX records too) are changed beforehand to reflect the new domain, and to match the IP of the server. 2. Check the hosts file of the server, and in any other servers, where this server exists. 3. Take a backup. Whether full backup, snapshot of VM, or rsync the /opt/zimbra directory, its strongly recommended to have a ...

  15. Bind Zimbra On Specific IP Address

    Here's how to configure Zimbra services to bind to a specific IP address. These instructions apply to ZCS 5.x only. Assume that the IP address is [IP].

  16. Change IP Address of Zimbra Mail Server

    Zimbra used Postfix as MTA engine and while it's first initial install, trustednetwork setting will be filled out with existing IP Address format. To ensure if this is the main problem, checked current configuration at terminal / konsole and type in : su - zimbra $ postconf mynetworks mynetworks = 127.0.0.0/8 192.168../24.

  17. Changing primary DNS server

    I'm changing to a new internal primary DNS server, and I'm not sure where to go in Zimbra to point it to the new server. When I do an nslookup on my Zimbra server it gives me: Server: 127.0.0.1. Address: 127.0.0.1#53. .53 is the address of my current primary DNS so I'm assuming that's what the #53 means.

  18. External auth IP address change

    Any changes to the external LDAP IP address should be done from the Admin console. Go to the respective domain for which the external auth has been enabled and for whom the IP address is changed > right click and select > Configure Authentication and change to the new IP address. This should reflect the change. Try Zimbra Collaboration with a ...

  19. IP Management & Technical Internet Services

    Keep all your systems connected without having to manually make one-off IP changes. We offer a variety of options to fit your needs and budget, even if that budget is $0. Utilize our Free DDNS service to automatically update records, or upgrade to Paid DDNS services and build out your existing operations.