If you are upgrading/migrating from a previous version of Zimbra and plan to enable the new mobile sync module for Zimbra, please read "Things to Know Before Upgrading" and the install guide for critical information.

License

CC BY-SA Synacor, Inc., 2020-2022

© 2020-2022 by Synacor, Inc. Zimbra Collaboration Administrator Guide

This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License unless another license agreement between you and Synacor, Inc. provides otherwise. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0 or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

Synacor, Inc., 2020-2022
40 La Riviere Drive, Suite 300
Buffalo, New York 14202

Introduction

Zimbra Collaboration is a full-featured messaging and collaboration solution that includes email, address book, calendaring, tasks, and Web document authoring.

Audience

This guide is for system administrators responsible for installing, maintaining, and supporting the server deployment of Zimbra Collaboration.

Readers of this guide should have the following recommended knowledge and skill sets:

  • Familiarity with the associated technologies and standards

  • Linux operating system and open source concepts

  • Industry practices for mail system management

Third-Party Components

Where possible, Zimbra Collaboration adheres to existing industry standards and open source implementations for backup management, user authentication, operating platform, and database management. However, it only supports the specific implementations described in the Zimbra Collaboration architecture overview in the Product Overview chapter as officially tested and certified. This document might occasionally note when other tools are available in the marketplace, but such mention does not constitute an endorsement or certification.

Support and Contact Information

  • Contact Zimbra Sales to purchase Zimbra Collaboration 9.0.0.

  • Zimbra Collaboration customers can contact support at support@zimbra.com.

  • Explore the Zimbra Forums for answers to installation or configuration problems.

  • Join the Zimbra Community Forum, to participate and learn more about Zimbra Collaboration.

  • Send an email to feedback@zimbra.com to let us know what you like about the product and what you would like to see in the product. If you prefer, post your ideas to the Zimbra Forum.

For additional product information, the following resources are available:

Product Life Cycle

This chapter provides information about the Product Life Cycle stages of Zimbra components.

Component Deprecation Statements

Component Deprecation Statement

IMAPD

Removed

Zimbra Collaboration Migration Wizard for Exchange

Removed We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

Zimbra Collaboration Migration Wizard for Domino

Removed

Zimbra Collaboration Account Migration

Removed

Enterprise modules

Zimbra Classic HSM, Classic Backup, and Classic Mobile have been removed.

Zimbra Desktop

Removed

Zimbra Touch Client

Removed

Zimbra Mobile Client

Removed

HTML Client

Removed

Product Overview

This chapter provides a system overview of Zimbra components.

Architectural Overview

The Zimbra Collaboration architecture is built with well-known open source technologies and standards-based protocols. The architecture consists of client interfaces and server components that can run as a single node configuration or be deployed across multiple servers for high availability and increased scalability.

Architectural Overview

The architecture includes the following core advantages:

Core Advantage Components/Description

Open source integrations

Linux®, Jetty, Postfix, MariaDB, OpenLDAP®

Industry-standard open protocols

SMTP, LMTP, SOAP, XML, IMAP, POP

Modern technology Design

HTML5, Javascript, XML, and Java

Scalability

Each Zimbra mailbox server includes its own mailbox accounts and associated message store and indexes. The Zimbra platform scales vertically (by adding more system resources) and horizontally (by adding more servers)

Browser-based client interface

Easy, intuitive access to Zimbra Collaboration features, using a standard web platform.

Browser-based Administration Console

Core Email, Calendar and Collaboration Functionality

Zimbra Collaboration is an innovative messaging and collaboration application that offers the following state-of-the-art solutions that are accessed through the browser based web client.

  • Intuitive message management, search, tagging, and sharing.

  • Personal, external, and shared calendar.

  • Personal and shared Address Books and Distribution Lists.

  • Personal and Shared Task lists.

Zimbra Components

Zimbra architecture includes open-source integrations using industry standard protocols. The third-party software listed in Third-Party Software is bundled with Zimbra software and installed as part of the installation process. These components have been tested and configured to work with the software.

Table 1. Third-Party Software
3rd-Party Component Description

Jetty

Web application server that runs Zimbra software.

Postfix

Open source mail transfer agent (MTA) that routes mail messages to the appropriate Zimbra server

Open LDAP software

Open source implementation of the Lightweight Directory Access Protocol (LDAP) that stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication. Zimbra can also work with GAL and authentication services provided by external LDAP directories such as Active Directory

MariaDB

Database software

Lucene

Open source full-featured text and search engine

Third-party source that converts certain attachment file types to HTML

Anti-virus/anti-spam

Open source components that include:

  • ClamAV, an anti-virus scanner that protects against malicious files

  • SpamAssassin, a mail filter that attempts to identify spam

  • Amavisd-new interfaces between the MTA and one or more content checkers

Apache JSieve

Manages filters for email

LibreOffice

High fidelity document preview

Zimbra Application Packages

Zimbra Collaboration provides the application packages listed in Application Packages.

Table 2. Application Packages
Package Description

Zimbra Core

The libraries, utilities, monitoring tools, and basic configuration files. zmconfigd is contained in the zimbra-core and is automatically enabled to run on all systems.

Zimbra Modern Web Client

The assets required for Zimbra Modern Web App. This package is automatically installed on each server.

Zimbra Store

The components for the mailbox server (including Jetty). The Zimbra mailbox server includes the following components:

  • Data store — A MariaDB database.

  • Message store — Location of all email messages and file attachments.

  • Index store — Index and search technology is provided through Lucene. Index files are maintained for each mailbox.

  • Web application services — The Jetty web application server runs web applications (webapps) on any store server. It provides one or more web application services.

Zimbra LDAP

Zimbra Collaboration uses the OpenLDAP® software, which is an open source LDAP directory server. User authentication, the Zimbra Global Address List, and configuration attributes are services provided through OpenLDAP. Note that the Zimbra GAL and authentication services can be provided by an external LDAP Directory such as Active Directory.

Zimbra MTA

Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra MTA also includes the anti-virus and anti-spam components.

Zimbra Proxy

Zimbra Proxy is a high-performance reverse proxy service for passing IMAP[S]/POP[S]/HTTP[S] client requests to other internal Zimbra services.This package is normally installed on the MTA server(s) or on its own independent server(s). When the zimbra-proxy package is installed, the proxy feature is enabled by default. Installing the Zimbra Proxy is highly recommended, and required if using a separate web application server.

Zimbra Memcached

Memcached is automatically selected when the zimbra-proxy is installed. At least one server must run zimbra-memcached when the proxy is in use. You can use a single memcached server with one or more Zimbra proxies. zimbra-memcached is required if using a separate web application server.

Zimbra SNMP (Optional)

If you choose to install zimbra-SNMP for monitoring, this package should be installed on every Zimbra server.

Zimbra Logger (Optional)

If used, this is installed on one mailbox server, and must be installed at the same time as the mailbox server.The Zimbra Logger installs tools for syslog aggregation and reporting. If you do not install Logger, the server statistics section of the Administration Console will not display.

Zimbra Spell (Optional)

Aspell is the open source spell checker used on the Zimbra Classic Web App. When Zimbra-Spell is installed, the Zimbra-Apache package is also installed.

Zimbra Apache

This package is installed automatically when Zimbra Spell or Zimbra Convertd is installed.

Zimbra Convertd

This package is installed on the zimbra-store server. Only one Zimbra-convertd package needs to be present in the Zimbra Collaboration environment. The default is to install one zimbra-convertd on each zimbra-store server. When Zimbra-Convertd is installed, the Zimbra-Apache package is also installed.

Zimbra Archiving (Optional)

Archiving and Discovery offers the ability to store and search all messages delivered to, or sent by the Zimbra Collaboration Server. This package includes the cross mailbox search function which can be used for both live and archive mailbox searches. Note: Using Archiving and Discovery can trigger additional mailbox license usage. To find out more about Zimbra Archiving and Discovery, contact Zimbra sales.

Mail Flow — Multi-Server Configuration

The configuration for each deployment is dependent on numerous variables such as the number of mailboxes, mailbox quotas, performance requirements, existing network infrastructure, IT policies, security methodologies, spam filtering requirements, and more. In general, deployments share common characteristics for incoming traffic and user connectivity, as depicted in the following diagram. Alternate methods for configuring numerous points within the network are also possible.

Mail Flow - Multi-Server Configuration

The numbered sequences are described below:

  1. Inbound Internet mail goes through a firewall and load balancing to the edge MTA for spam filtering.

  2. The filtered mail then goes through a second load balancer.

  3. An external user connecting to the messaging server also goes through a firewall to the second load balancer.

  4. The inbound Internet mail goes to any of the Zimbra Collaboration MTA servers and goes through spam and virus filtering.

  5. The designated Zimbra Collaboration MTA server looks up the addressee’s directory information from the Zimbra Collaboration LDAP replica server.

  6. After obtaining the user’s information from the Zimbra Collaboration LDPA server, the MTA server sends the mail to the appropriate Zimbra Collaboration server.

  7. Internal end-user connections are made directly to any Zimbra Collaboration server that then obtains the user’s directory information from Zimbra Collaboration LDAP and redirects the user, as needed.

  8. The backups from the Zimbra Collaboration servers can be processed to a mounted disk.

Zimbra System Directory Tree

The following table lists the main directories created by the Zimbra installation packages. The directory organization is identical for any server in the Zimbra Collaboration, when installing under (parent) /opt/zimbra.

The directories not listed in the following table are libraries used for building the core Zimbra software or miscellaneous third-party tools.
Table 3. System Directory Tree under /opt/zimbra
File Description

backup/

Backup target contains full and incremental backup data

bin/

Zimbra Collaboration application files, including the utilities described in Command-Line Utilities

cdpolicyd

Policy functions, throttling

clamav/

Clam AV application files for virus and spam controls

conf/

Configuration information

contrib/

Third-party scripts for conveyance

convertd/

Convert service

cyrus-sasl/

SASL AUTH daemon

data/

Includes data directories for LDAP, mailboxd, postfix, amavisd, clamav

db/

Data Store

docs/

SOAP txt files and technical txt files

extensions-extra/

Server extensions for different authentication types

extensions-network-extra/

Server extensions for different network version authentication types

httpd/

Contains the Apache Web server. Used for both aspell and convertd as separate processes

index/

Index store

java/

Contains Java application files

jetty/

mailboxd application server instance. In this directory, the webapps/zimbra/skins folder includes the Zimbra UI theme files

lib/

Libraries

libexec/

Internally used executables

log/

Local logs for Zimbra Collaboration server application

logger/

RRD and SQLite data files for logger services

mariadb/

MariaDB database files

net-snmp/

Used for collecting statistics

openldap/

OpenLDAP server installation, pre-configured to work

postfix/

Postfix server installation, pre-configured to work with Zimbra Collaboration

redolog/

Contains current transaction logs for the Zimbra Collaboration server

snmp/

SNMP monitoring files

ssl/

Certificates

store/

Message store

zimbramon/

Contains control scripts and Perl modules

zimlets/

Contains Zimlet zip files that are installed with Zimbra

zimlets-deployed/

Contains Zimlets that are available with the Zimbra Classic Web App

zimlets-network/

Contains Zimlet zip files for features that are installed with the network edition

zmstat/

mailboxd statistics, saved as .csv files

Zimbra Web Apps

Zimbra offers multiple Web App types for the use of Zimbra features. The Web Apps provide mail, calendar, address book, and task functions.

Table 4. Zimbra Web Apps
Client Type Description

Modern Web App

Uses modern technologies, UI design, and offers same user experience across devices like Desktop, Mobile and Tablet.

Classic Web App

Includes Ajax capability and offers a full set of web collaboration features. Supports desktop web browsers only; does not provide a user experience adapted to smaller screens, touch capabilities, or gestures.

Users may select the Web App before they sign in, from the 'Version' drop-down on the login page. The admin can set the Default Web App to either Classic Web App or the Modern Web App, for a COS. Users can override this Default:

  • In the Modern Web App, users can go to Settings→General to change the value of default Web App they login to

  • In the Classic Web App, users can go to Preferences→General→Sign in to change the value of default Web App they login to

It is recommended that admins set the Default to the Modern Web App.

Web Services and Desktop Clients

In addition to using a web browser or mobile device to connect to Zimbra Collaboration, connection is available using a web service, such as Exchange Web Services (EWS), or a desktop client such as Zimbra Connector to Microsoft Outlook. The following are supported:

  • Exchange Web Services (EWS) provides client access to enable Zimbra Collaboration to communicate with the Exchange Server when using Microsoft Outlook on a Mac device. To enable EWS client access, see the Class of Service section. EWS is a separately licensed add-on feature.

  • Messaging Application Programming Interface (MAPI) synchronizes to supported versions of Microsoft Outlook with full delegate, offline access and support for S/MIME. Use the Zimbra Connector for Outlook to connect to Zimbra Collaboration when using Microsoft Outlook on a Windows device. To enable MAPI (Microsoft Outlook) Connector, see the Class of Service section.

  • Support for all POP3, IMAP4, Calendaring Extensions to Web Distributed Authoring and Versioning (CalDAV), and vCard Extensions to Web Distributed Authoring and Versioning (CardDAV) clients.

Offline Mode

For Classic Web App, Offline mode is no more supported for Chrome versions 85 and above (affects Kepler9-Patch9 onwards). Users can still continue to use Offline mode in previous browser versions.

Zimbra Offline Mode allows access to data — without network connectivity — when using the Zimbra Modern Web App.

For example, if there is no server connectivity or if server connectivity is lost, the Web App automatically transitions to “offline mode”. When server connectivity is restored, the Web App automatically reverts to “online mode”.

This offline mode uses the caching capability provided by HTML5 in modern browsers.

Security Measures

The coordinated use of multiple security measures, targeted to increase the security of the whole system, is one of the best approaches to securing your information infrastructure. These measures are implemented in the Zimbra Collaboration platform as a result of defense mechanisms summarized in the following topics:

To view current and detailed security news and alerts, please refer to Security Center on the Zimbra Wiki.

Identity and Access Management

Key functions built into the system for user identity management are summarized in the following table:

Table 5. Identity and Access Management Functions
Function Description

Identity Lifecycle Management

The leveraging of LDAP directory for all Create, Read, Update, and Delete (CRUD) functions associated to user administration with Zimbra Collaboration. LDAP usage is optional but all attributes specific to Zimbra Collaboration are stored and managed through the native LDAP directory.

First Factor Authentication

The combined user name and password primarily employed by authorized users when attempting to access the system. These credentials are retained in the user store: the passwords are stored as salted hash that is compared against that of the entered password, for rejection (no match) or acceptance (matched). If external directory (LDAP or Active Directory) is preferred, the appropriate login credentials can be stored in this external LDAP directory. See also Zimbra LDAP Service for more details.

Two Factor Authentication

A second layer of identity security that is configured at the Admin Console to enable or disable passcode generation to mobile devices associated with Zimbra Collaboration. When enabled, user or COS accounts must use the generated passcode to gain access to their client services. See also About 2 Factor Authentication and Two Factor Authentication.

Authorized Access

User accounts are defined by various attributes, permission levels, and policies to allow or disallow what data can be viewed and which functions can be performed. Admin Console administrators can create groups and assign access permissions to support targeted business objectives.

Information Security and Privacy

Functions built into the system to secure data are summarized in the following table:

Table 6. Information Security and Privacy Functions
Key Concept Description

Management of security, integrity, and privacy

Zimbra Collaboration supports the use of S/MIME certificates (provided by publicly trusted Certification Authority (CA), as well as internal PKI; DomainKeys Identified Mail (DKIM); Domain-based Message Authentication, Reporting and Conformance (DMARC); Amavisd-new, which is housed in the Mail Transfer Agent (MTA) to manage incoming and out going DMARC policies.

Encryption methods:

In-transit

Secure connections between endpoints and services use TLS in addition to various other protocols: SMTP, LMTP+STARTTLS, HTTPS, IMAPS/IMAP+STARTTLS, POP3S/POP3+STARTTLS.

At-rest

With S/MIME for end-to-end encryption, data stored in a Zimbra Collaboration message store is encrypted until decryption occurs with the appropriate private key.

Anti-virus and Anti-spam

Both malware and spam are challenged by the Zimbra Collaboration native functionality and third-party plugins: Amavisd-new, ClamAV, and Spam Assassin.

This feature is supported only in the Classic Web App.

System Logs

The Zimbra Collaboration system logs — generated by SNMP triggers — can be used to record data such as user and administrator activity, login failures, slow queries, mailbox activity, mobile synchronization activity, and data based errors. Events, alerts and traps can be forwarded to log management and event correlation system to create centralized polices and notifications based on your security and compliance requirements.

Table 7. Security Data
Function Description

Incident response

Administrators can use remote device wiping and/or account lockout in the event of a malicious or accidental activities (such as stolen user account credential, or lost smart phone).

Archiving and discovery

This optional feature allows administrators to select specific user email messages for archival and application of retention policies, which can be used for both archived and live mailboxes.

Licensing

A Zimbra Collaboration license is required in order to create accounts. When you purchase, renew, or change the Zimbra Collaboration license, you update the Zimbra server with the new license information.

License Types

Zimbra Collaboration licensing gives administrators visibility and control of the licensed features they plan to deploy. You can monitor usages and manage the following license types.

License limitations To set maximum number of…​

Accounts limit

Accounts you can create.

MAPI accounts limit

Accounts that can use Zimbra Connector for Microsoft Outlook (ZCO).

Exchange web services (EWS) accounts limit

Accounts that can use EWS for connecting to an Exchange server. EWS is a separately licensed add-on feature.

High-fidelity document preview

Accounts that can use the High-Fidelity document preview facility. LibreOffice installation is required.

Archiving accounts limit

Allowed archive accounts. The archive feature installation is required.

Zimbra License Requirements

A Zimbra license is required to create accounts in Zimbra Collaboration 9.0.0.

A Zimbra license is required to use the Modern Web App in Zimbra Collaboration 9.0.0.

To try out Zimbra Collaboration, you can obtain trial versions free of charge. Once you are ready to install a production environment, you need to purchase a subscription or a perpetual license.

License Types Description

Trial

You can obtain a free Trial license from the Zimbra website, at https://www.zimbra.com. The trial license allows you to create up to 50 users. It expires in 60 days.

Trial extended

You can obtain a Trial Extended license from Zimbra Sales by contacting sales@zimbra.com or calling 1-972-407-0688. This license allows you to create up to 50 users and is valid for an extended period.

Subscription

A Zimbra Subscription license can only be obtained through purchase. This license is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and the expiration date of the subscription license.

Perpetual

A Zimbra Perpetual license can only be obtained through purchase. This license is similar to a subscription license. It is valid for a specific Zimbra Collaboration system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and an expiration date of 2099-12-31. When you renew your support agreement, you receive no new perpetual license, but your Account record in the system gets updated with your new support end date.

License Usage by Account Type

An account assigned to a person, including an account created for archiving, requires a mailbox license. Distribution lists, aliases, locations, and resources do not count against the license.

Below is a description of types of Zimbra Collaboration accounts and if they impact your license limit.

License Account Type Description

System account

System accounts are specific accounts used by Zimbra Collaboration. They include the spam filter accounts for junk mail (spam and ham), the virus quarantine account for email messages with viruses, and the GALsync account if you configure GAL for your domain.

Do not delete these accounts! These accounts do not count against your license.

Administrator account

Administrator and delegated administrator accounts count against your license.

User account

User accounts count against your license account limit.

When you delete an account, the license account limit reflects the change.

Alias account

These types do not count against your license.

Distribution list

Resource account

License Activation

All Zimbra Collaboration 9.0.0 installations require license activation. New installations have a 10 day grace period from the license issue date before requiring activation. You can activate your license in the Administration Console.

Admin Console:

Home → Configure → Global Settings → License, from the Gear icon select Activate License

You can also activate your license from the command line interface.

Upgraded Zimbra Collaboration versions require an immediate activation to maintain network feature functionality.

Automatic License Activation

Licenses are automatically activated if the Zimbra Collaboration server has a connection to the Internet and can communicate with the Zimbra License server. If you are unable to activate your license this way, see the next section on Manual License Activation.

Manual License Activation

For systems that do not have external access to the Zimbra License server, you can use the Zimbra Support Portal to activate your license manually.

Go to the Zimbra website at https://www.zimbra.com and click on Support to display the Zimbra Technical Support page. Click on the Support Portal Login button to display the Zimbra Support Portal page. Enter your email and password to log in.

If you have problems accessing the Support Portal, contact Zimbra Sales at sales@zimbra.com or by calling 1-972-407-0688.688.

When Licenses are not Installed or Activated

If you fail to install or activate your Zimbra Collaboration server license, the following scenarios describe the impact on your Zimbra Collaboration server.

License Condition Description/Impact

Not installed

With no installed license, the Zimbra Collaboration server defaults to single user mode where all license-limited features are limited to one user.

Not valid

If the license file appears forged or fails validation for other reasons, the Zimbra Collaboration server defaults to single-user mode.

Not activated

A license activation grace period is 10 days. If this period passes without activation, the Zimbra Collaboration server defaults to single-user mode.

For future date

If the license starting date is in the future, the Zimbra Collaboration server defaults to single-user mode.

In grace period

If the license ending date has passed and is within the 30 day grace period, all license-limited features are still enabled, but administrators may see license renewal prompts.

Expired

Zimbra does not include a FOSS binary release; therefore, there is no mechanism to fallback to FOSS. If the license ending date has passed, the 30 day grace period has expired, and users decide not to obtain a new license, they can resolve these issues by building the Zimbra binaries and installing them on top of their existing Zimbra system.

Obtain a License

Go to the Zimbra Website https://www.zimbra.com to obtain a trial license from the Network Downloads area. Contact Zimbra sales regarding a trial extended license, or to purchase a subscription license or perpetual license, by emailing sales@zimbra.com or calling 1-972-407-0688.

A subscription or perpetual license can only install on the Zimbra Collaboration system identified during purchase. Only one Zimbra license is required for your Zimbra Collaboration environment. This license sets the maximum number of accounts on the system.

View current license information, including the number of purchased accounts, the number of accounts used, and the expiration date, in the Admin Console.

Admin Console:

Home → Configure → Global Settings → License.

Managing Licenses

Use the Update License wizard on the Administration Console’s Global Settings page to upload and install a new license. The Activate License link on the toolbar activates the license.

View current license information, including the number of purchased accounts, the number of accounts used, and the expiration date, in the Admin Console.

Admin Console:

Home → Configure → Global Settings → License.

License Information

You must have a Zimbra Collaboration license to create accounts. When you purchase, renew, or change the Zimbra license, you must update the Zimbra server with the new license information. The Update License Wizard from the Administration Console’s Global Settings is used to upload and install a new license. The Activate License link on the toolbar activates the license.

View current license information, including the number of purchased accounts, the number of accounts used, and the expiration date, in the Admin Console.

Admin Console:

Home → Configure → Global Settings → License.

License Expiration

When your Zimbra Collaboration 9.0.0 License expires, a license expiration warning appears in the administrative console and web interface for all users. From the date of the license expiration, there is a 30-day grace period during which the administrator sees the warning message, but no features are disabled.

Zimbra does not include a FOSS binary release; therefore, there is no mechanism to fallback to FOSS. If the license ending date has passed, the 30 day grace period has expired, and users decide not to obtain a new license, they can resolve these issues by building the Zimbra binaries and installing them on top of their existing Zimbra system.

Renewal

If you exhaust your licensed user limit, you are no longer able to create accounts. You can buy additional user licenses, or you can delete existing accounts. Contact Zimbra sales to purchase additional licenses.

You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the Administration Console, a reminder notice is displayed.

Updating Your License

When you renew or change the Zimbra license, you update Zimbra Collaboration mailbox servers with the new license information. Perform this operation from either the CLI or the Administration Console.

zmlicense
Admin Console:

Home → Configure → Global Settings → License

Updating a license:

  1. Save the license on the computer you use to access the Administration Console.

  2. Log on to the Administration Console, go to Home → Configure → Global Settings → License, from the Gear icon select Update License. The License Installation Wizard opens.

  3. Browse to select the license file and click Next. The license file is now uploaded.

  4. Click Install to install the license file.

  5. Click Activate License. Upgraded Zimbra Collaboration versions require an immediate activation to maintain network feature functionality.

Your license information is updated automatically, and the cached account license count refreshes on each mailbox server.

License Reconciliation and Data Collection Notice

By consenting to the End-User License Agreement, you grant Synacor Inc. and certain of its licensees permission to collect licensing and non-personally-identifiable usage data from your Zimbra Collaboration 9.0.0 server.

During installation, upgrades, and periodically while in use, the Zimbra Collaboration server transmits information for reconciliation of billing and license data.

Permission for this data collection is granted under sections 11.4 and 11.6 of the End User License Agreement for Zimbra Collaboration 9.0.0. Copies of the license can be found at https://www.zimbra.com/legal/licensing/.

The data that is being collected consists of elements of the current license information and is governed by Synacor’s Privacy Policy, which can be found at https://www.synacor.com/privacy-policy/.

This data is being furnished to Synacor’s licensor, ZeXtras, for the purposes of license reconciliation and is therefore also governed by the ZeXtras Privacy Policy, which can be found at https://www.zextras.com/privacy-legal/.

Zimbra Mailbox Server

The Zimbra mailbox server is a dedicated server that manages all the mailbox content, including messages, contacts, calendar, and attachments.

The Zimbra mailbox server has dedicated volumes for backup and log files. Each Zimbra mailbox server can see only its own storage volumes. Zimbra mailbox servers cannot see, read, or write to another server.

Mailbox Server

Each account is configured on one mailbox server, and this account is associated with a mailbox that contains email messages, attachments, calendar, contacts and collaboration files for that account.

Each mailbox server has its own standalone message store, data store, and index store for the mailboxes on that server. The following is an overview of each store and their directory location.

Message Store

All email messages are stored in MIME format in the Message Store, including the message body and file attachments.

By default, the message store is located on each mailbox server under /opt/zimbra/store. Each mailbox has its own directory named after its internal mailbox ID. Mailbox IDs are unique per server, not system-wide.

Messages with multiple recipients are stored as a single -copy on the message store. On UNIX systems, the mailbox directory for each user contains a hard link to the actual file.

When Zimbra Collaboration is installed, one index volume and one message volume are configured on each mailbox server. Each mailbox is assigned to a permanent directory on the current index volume. When a new message is delivered or created, the message is saved in the current message volume.

To manage your email storage resources, you can configure storage volumes for older messages by implementing a Hierarchical Storage Management (HSM) policy. See Managing Configuration.

Data Store

The Data Store is a SQL database where internal mailbox IDs are linked with user accounts. All the message metadata including tags, conversations, and pointers indicate where the messages are stored in the file system. The SQL database files are located in /opt/zimbra/db.

Each account (mailbox) resides only on one server. Each server has its own standalone data store containing data for the mailboxes on that server.

  • The data store maps the mailbox IDs to the users' LDAP accounts. The primary identifier within the Zimbra Collaboration database is the mailbox ID, rather than a user name or account name. The mailbox ID is only unique within a single mailbox server.

  • Metadata including user’s set of tag definitions, folders, contacts, calendar appointments, tasks, Briefcase folders, and filter rules are in the data store database.

  • Information about each mail message, including whether it is read or unread, and which tags are associated is stored in the data store database.

Index Store

The index and search technology is provided through Apache Lucene. Each email message and attachment is automatically indexed when the message arrives. An index file is associated with each account. Index files are located in /opt/zimbra/index.

The tokenizing and indexing process is not configurable by administrators or users.

Index Store

The process is as follows:

  1. The Zimbra MTA routes the incoming email to the mailbox server that contains the account’s mailbox.

  2. The mailbox server parses the message, including the header, the body, and all readable file attachments such as PDF files or Microsoft Word documents, in order to tokenize the words.

  3. The mailbox server passes the tokenized information to Lucene to create the index files.

Tokenization is the method for indexing by each word. Certain common patterns, such as phone numbers, email addresses, and domain names are tokenized as shown in the Message Tokenization illustration.

Web Application Server

The Jetty web application server runs web applications (webapps) on any store server. It provides one or more web application services.

Mailstore Services

Mailstore services provides the back-end access to mailbox/account data. Webapps for the mailstore include:

  • Mailstore (mail server) = /opt/zimbra/jetty/webapps/service

  • Zimlets = /opt/zimbra/jetty/webapps/zimlet

User Interface Services

User Interface services provide front-end user interface access to the mailbox account data and Administration Console, including:

  • Web Apps = /opt/zimbra/jetty/webapps/zimbra

  • Zimbra administrator console = /opt/zimbra/jetty/webapps/zimbraAdmin

  • Zimlets = /opt/zimbra/jetty/webapps/zimlet

Web Application Server Split

The Web Application Server Split functionality provides an option to separate the mailstore services (mail server) and the user interface services (web client server).

For example, a web client server running 'zimbra,zimbraAdmin' webapps serving the static UI content like html/css pages, and mail server running 'service' webapp serving all the SOAP requests. These servers are running in split mode.

The Modern Web App does not currently support Zimbra Web Application Server Split configuration.

The Web Application Server Split benefits include:

  • Splitting the web client server from the mail server makes the customization process more agile, allowing the roll out of new or updated web UI customization without having to restart the mail servers. This means zero down time.

  • If you want to customize the Zimbra Classic Web App or Zimbra Administration Console, you can take the web client server offline and run customization or maintenance, while not having to take down the mail server.

  • The web client server is completely decoupled from mailbox accounts. This means any web client server can service any account request.

Installation and Configuration of the Web Application Server Split

For installation and configuration of the Web Application Server Split, see the Zimbra Collaboration Multi-Server Installation Guide.

Backing Up the Mailbox Server

Zimbra Collaboration includes a configurable backup manager that resides on every Zimbra Collaboration server and performs both backup and restore functions. You do not have to stop the Zimbra Collaboration server in order to run the backup process. The backup manager can be used to restore a single user, rather than having to restore the entire system in the event that one user’s mailbox becomes corrupted. Full and incremental backups are in /opt/zimbra/backup. See Backup and Restore.

Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup. When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.

Mailbox Server Logs

A Zimbra Collaboration deployment consists of various third-party components with one or more mailbox servers. Each of the components may generate its own logging output. Local logs are in /opt/zimbra/log.

Selected Zimbra Collaboration log messages generate SNMP traps, which you can capture using any SNMP monitoring software. See Monitoring Zimbra Servers.

System logs, redo logs, and backup sessions should be on separate disks to minimize the possibility of unrecoverable data loss in the event that one of those disks fails.

IMAP

Zimbra Collaboration has a built-in IMAP server which is installed by default and is part of zimbra-mailboxd process (Zimbra Mailbox Server).

Common IMAP Configuration settings

The following global and server level configuration attributes are available to control and tune the IMAP service.

  • zimbraImapServerEnabled. When set to TRUE, in-process IMAP server is enabled. When set to FALSE, in-process IMAP server is disabled. Default value is TRUE.

  • zimbraImapSSLServerEnabled. When set to TRUE, in-process IMAP SSL server is enabled. When set to FALSE, in-process IMAP SSL server is disabled. Default value is TRUE

  • zimbraImapBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP server should listen; if empty, binds to all interfaces.

  • zimbraImapBindPort. Specifies port number on which in-process IMAP server should listen. Default value is 7143.

  • zimbraImapSSLBindAddress (can be set only on server level). Specifies interface address on which in-process IMAP SSL server should listen; if empty, binds to all interfaces.

  • zimbraImapSSLBindPort. Specifies port number on which in-process IMAP SSL server should listen on. Default value is 7993.

  • zimbraImapNumThreads. Specifies number of threads in IMAP handler’s thread pool. Zimbra Collaboration uses IMAP NIO by default, which allows each IMAP handler thread to handle multiple connections. The default value of 200 is sufficient to handle up to 10,000 active IMAP clients.

  • zimbraImapCleartextLoginEnabled. Specifies whether or not to allow cleartext logins over a non SSL/TLS connection. Default value is FALSE.

  • zimbraImapProxyBindPort. Specifies port number on which IMAP proxy server should listen. Default value is 143. See Zimbra Proxy Components for more information.

  • zimbraImapSSLProxyBindPort. Specifies port number on which IMAP SSL proxy server should listen. Default value is 993. See Zimbra Proxy Components for more information.

  • zimbraImapMaxRequestSize. Specifies maximum size of IMAP request in bytes excluding literal data. Note: this setting does not apply to IMAP LOGIN requests. IMAP LOGIN requests are handled by IMAP Proxy (Zimbra Proxy Components) and are limited to 256 characters.

  • zimbraImapInactiveSessionCacheMaxDiskSize. Specifies the maximum disk size of inactive IMAP cache in Bytes before eviction. By default this value is 10GB. This is a rough limit, because due to internals of Ehcache actual size on disk will often exceed this limit by a modest margin.

  • zimbraImapInactiveSessionEhcacheSize. Specifies the maximum heap size of the inactive session cache in Bytes before eviction. By default this value is 1 megabyte. This is a rough limit, because due to internals of Ehcache actual size in memory will often exceed this limit by a modest margin.

  • zimbraImapActiveSessionEhcacheMaxDiskSize. Specifies the maximum amount of disk space the imap active session cache will consume in Bytes before eviction. By default this value is 100 gigabytes. This is a rough limit, because due to internals of ehcache actual size in memory will often exceed this limit by a modest margin.

Zimbra LDAP Service

LDAP directory services provide a centralized repository for information about users and devices that are authorized to use your Zimbra service. The central repository used for Zimbra’s LDAP data is the OpenLDAP directory server.

Zimbra Collaboration supports integration with Microsoft’s Active Directory Server. Contact support for information on specific directory implementation scenarios.

The LDAP server is installed when Zimbra is installed. Each server has its own LDAP entry that includes attributes specifying operating parameters. In addition, a global configuration object sets defaults for any server whose entry does not specify every attribute.

A subset of these attributes can be modified through the Zimbra administration console and others through the zmprov commands.

LDAP Traffic Flow

The LDAP Directory Traffic figure shows traffic between the Zimbra-LDAP directory server and the other servers in the Zimbra Collaboration system. The Zimbra MTA and the Zimbra Collaboration mailbox server read from, or write to, the LDAP database on the directory server.

The Zimbra clients connect through the Zimbra server, which connects to LDAP.

LDAP Traffic Flow

LDAP Directory Hierarchy

LDAP directories are arranged in an hierarchal tree-like structure with two types of branches, the mail branches and the config branch. Mail branches are organized by domain. Entries belong to a domain, such as accounts, groups, aliases, are provisioned under the domain DN in the directory. The config branch contains admin system entries that are not part of a domain. Config branch entries include system admin accounts, global config, global grants, COS, servers, mime types, and Zimlets.

The Zimbra LDAP Hierarchy figure shows the Zimbra LDAP hierarchy. Each type of entry (object) has certain associated object classes.

LDAP Directory Hierarchy

An LDAP directory entry consists of a collection of attributes and has a globally unique distinguished name (dn). The attributes allowed for an entry are determined by the object classes associated with that entry. The values of the object class attributes determine the schema rules the entry must follow.

An entry’s object class that determines what kind of entry it is, is called a structural object class and cannot be changed. Other object classes are called auxiliary and may be added to or deleted from the entry.

Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson, and auxiliary object class zimbraAccount, would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.

Zimbra Collaboration LDAP Schema

At the core of every LDAP implementation is a database organized using a schema.

The Zimbra LDAP schema extends the generic schema included with OpenLDAP software. It is designed to coexist with existing directory installations.

All attributes and object classes specifically created for Zimbra Collaboration are prefaced by “zimbra”, such as zimbraAccount object class or zimbraAttachmentsBlocked attribute.

The following schema files are included in the OpenLDAP implementation:

  • core.schema

  • cosine.schema

  • inetorgperson.schema

  • zimbra.schema

  • amavisd.schema

  • dyngroup.schema

  • nis.schema

You cannot modify the Zimbra schema.

Zimbra Collaboration Objects

Object Description Object class

Accounts

Represents an account on the Zimbra mailbox server that can be logged into. Account entries are either administrators or user accounts. The object class name is zimbraAccount. This object class extends the zimbraMailRecipient object class.
All accounts have the following properties:

  • A name in the format of user@example.domain A unique ID that never changes and is never reused.

  • A set of attributes, some of which are user-modifiable (preferences) and others that are only configurable by administrators.

  • All user accounts are associated with a domain, so a domain must be created before creating any accounts.

zimbraAccount

Class of Service (COS)

Defines the default attributes an account has and what features are allowed or denied. The COS controls features, default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts.

zimbraCOS

Domains

Represents an email domain such as example.com or example.org. A domain must exist before email addressed to users in that domain can be delivered.

zimbraDomain

Distribution Lists

Also known as mailing lists, are used to send mail to all members of a list by sending a single email to the list address.

zimbraDistributionList

Dynamic Groups

Are like distribution lists. The difference is members of a dynamic group are dynamically computed by a LDAP search. The LDAP search filter is defined in an attribute on the dynamic group entry.

Both distribution lists and dynamic groups can be used as grantee or target in the delegated administrator framework.

zimbraGroup

Servers

Represents a particular server in the Zimbra system that has one or more of the Zimbra software packages installed. Attributes describe server configuration information, such as which services are running on the server.

zimbraServer

Global Configuration

Specifies default values for the following objects: server and domain. If the attributes are not set for other objects, the values are inherited from the global settings. Global configuration values are required and are set during installation as part of the Zimbra core package. These become the default values for the system.

zimbraGlobalConfig

Alias

Represents an alias of an account, distribution list or a dynamic group. The zimbraAliasTarget attribute points to target entry of this alias entry.

zimbraAlias

Zimlet

Defines Zimlets that are installed and configured in Zimbra.

zimbraZimletEntry

Calendar Resource

Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class.

zimbraCalendarResource

Identity

Represents a persona of a user. A persona contains the user’s identity such as display name and a link to the signature entry used for outgoing emails. A user can create multiple personas. Identity entries are created under the user’s LDAP entry in the DIT.

zimbraIdentity

Data Source

Represents an external mail source of a user. Two examples of data source are POP3 and IMAP. A data source contains the POP3/IMAP server name, port, and password for the user’s external email account. The data source also contains persona information, including the display name and a link to the signature entry for outgoing email messages sent on behalf of the external account. Data Source entries are created under the user’s LDAP entry in the DIT.

zimbraDataSource

Signature

Represents a user’s signature. A user can create multiple signatures. Signature entries are created under the user’s LDAP entry in the DIT.

zimbraSignature

Account Authentication

Supported authentication mechanisms are Internal, External LDAP, and External Active Directory. The authentication method type is set on a per-domain basis. If zimbraAuthMech attribute is not set, the default is to use internal authentication.

The internal authentication method uses the Zimbra schema running on the OpenLDAP server.

The zimbraAuthFallbackToLocal attribute can be enabled so that the system falls back to the local authentication if external authentication fails. The default is FALSE.

Internal Authentication Mechanism

The internal authentication method uses the Zimbra schema running on the OpenLDAP directory server. For accounts stored in the OpenLDAP server, the userPassword attribute stores a salted-SHA512 (SSHA512) digest of the user’s password. The user’s provided password is computed into the SSHA digest and then compared to the stored value.

External LDAP and External AD Authentication Mechanism

External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra LDAP for all other Zimbra Collaboration related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.

The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.

The zimbraAuthLdapURL and zimbraAuthLdapBindDn attributes are required for external authentication.

  • zimbraAuthLdapURL attribute ldap://ldapserver:port/ identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.

    For example:

    ldap://server1:3268
    ldap://exch1.acme.com

    If it is an SSL connection, use ldaps: instead of ldap:. The SSL certificate used by the server must be configured as a trusted certificate.

  • zimbraAuthLdapBindDn attribute is a format string used to determine which DN to use when binding to the external directory server.

    During the authentication process, the user name starts out in the format: user@example.com

    The user name might need to be transformed into a valid LDAP bind DN (distinguished name) in the external directory. In the case of Active Directory, that bind dn might be in a different domain.

Custom Authentication

You can implement a custom authentication to integrate external authentication to your proprietary identity database. When an authentication request comes in, Zimbra checks the designated auth mechanism for the domain. If the auth mechanism is set to custom authentication, Zimbra invokes the registered custom auth handler to authenticate the user.

To set up custom authentication, prepare the domain for the custom auth and register the custom authentication handler.

Preparing a domain for custom auth

To enable a domain for custom auth, set the domain attribute, zimbraAuthMech to custom:{registered-custom-auth-handler-name}.

In the following example, "sample" is the name under which custom authentication is registered.

Example 1. Enable a domain for custom authentication
zmprov modifydomain {domain|id} zimbraAuthMech custom:sample
Register a custom authentication handler

To register a custom authentication handler, invoke:

ZimbraCustomAuth.register( handlerName, handler )

in the init method of the extension.

  • Class: com.zimbra.cs.account.ldap.ZimbraCustomAuth

  • Method: public synchronized static void register (String handlerName, ZimbraCustomAuth handler)

    Definitions:

    • handlerName is the name under which this custom auth handler isregistered to Zimbra’s authentication infrastructure. This name is set in the domain’s zimbraAuthMech attribute of the domain.

    • handler is the object on which the authenticate method is invoked forthis custom auth handler. The object has to be an instance of ZimbraCustomAuth (or subclasses of it).

Example 2. Registering a custom authentication handler
public class SampleExtensionCustomAuth implements ZimbraExtension {

  public void init() throws ServiceException {
  /*
   * Register to Zimbra's authentication infrastructure
   * custom:sample should be set for domain attribute zimbraAuthMech
   */
   ZimbraCustomAuth.register("sample", new SampleCustomAuth());
  }
...
}
How Custom Authentication Works

When an authentication request comes in and the domain is specified to use custom authentication, the authenticating framework invokes the authenticate method on the ZimbraCustomAuth instance passed as the handler parameter to ZimbraCustomAuth.register().

The account object for the principal to be authenticated and the clear-text password entered by the user are passed to ZimbraCustomAuth.authenticate().

All attributes of the account can be retrieved from the account object.

Kerberos5 Authentication Mechanism

Kerberos5 Authentication Mechanism authenticates users against an external Kerberos server.

  1. Set the domain attribute zimbraAuthMech to kerberos5.

  2. Set the domain attribute zimbraAuthKerberos5Realm to the Kerberos5 realm in which users in this domain are created in the Kerberos database. When users log in with an email password and the domain, zimbraAuthMech is set to kerberos5, the server constructs the Kerberos5 principal by {localpart-of-the-email}@{value-of-zimbraAuthKerberos5Realm} and uses that to authenticate to the kerberos5 server.

To specify Kerberos5 for an individual account set the account’s zimbraForeignPrincipal as kerberos5:{kerberos5-principal}. For example: kerberos5:user1@MYREALM.COM.

Global Address List

The Global Address List (GAL) is a company directory of users, usually within the organization itself, that is available to all users of the email system. Zimbra Collaboration uses the company directory to look up user addresses from within the company.

For each Zimbra Collaboration domain you can configure GAL to use:

  • External LDAP server

  • Zimbra Collaboration internal LDAP server

  • Both external LDAP server and Zimbra Collaboration LDAP in GAL searches

The Zimbra Collaboration Web Client can search the GAL. When the user searches for a name, that name is turned into an LDAP search filter similar to the following example, where the string %s is the name the user is searching for.

Example 3. Searching the GAL
(|(cn = %s*)(sn=%s*)(gn=%s*)(mail=%s*))
  (zimbraMailDeliveryAddress = %s*)
  (zimbraMailAlias=%s*)
  (zimbraMailAddress = %s*)

GAL Attributes in Zimbra Collaboration

The Attributes Mapped to Zimbra Collaboration Contact table maps generic GAL search attributes to their Zimbra Collaboration contact fields.

LDAP attributes are mapped to GAL entry fields. For example, the LDAP attribute displayName and cn can be mapped to GAL entry field fullName. The mapping is configured in the zimbraGalLdapAttrMap attribute.

Table 8. Attributes Mapped to Zimbra Collaboration Contact
Standard LDAP Attribute Zimbra Collaboration Contact Field

co

workCountry

company

Company

givenName/gn

firstName

sn

lastName

cn

fullName

initials

initials

l

workCity

street, streetaddress

workStreet

postalCode

workPostalCode

telephoneNumber

workPhone

mobile

mobile

pager

pager

facisimileTelephoneNumber

faxNumber

st

workState

title

jobTitle

mail

email

thumbnailPhoto

thumbnailPhoto

objectClass

Not currently mapped

Zimbra Collaboration GAL Search Parameters

GAL is configured on a per-domain basis. To configure the attributes, you can run the GAL Configuration Wizard from the Administration Console.

Modifying Attributes

Additions, changes and deletions to the GAL attributes are made through the Zimbra Administration Console or from the zmprov commands.

Users can modify attributes for their account in the directory. When users change their options from the Zimbra Classic Web App, they also modify the attributes when they change their preferences.

Flushing LDAP Cache

When you modify the following type of entries in the Zimbra LDAP server, you might need to flush the LDAP cache to make the change available on the server.

  • Themes

  • Locales

  • Account

  • Groups

  • COS

  • Domains

  • Global configuration

  • Server

  • Zimlet configuration

Flush the Cache for Themes and Locales

When you add or change theme (skin) property files and locale resource files for Zimbra on a server, you must flush the cache to make the new content available.

To flush skins:
zmprov flushCache skin
To flush locales
zmprov flushCache locale

Flush Accounts, Groups, COS, Domains, and Servers

When you modify the account, COS, groups, domain, and server attributes, the change is effective immediately on the server to which the modification is done. On the other servers, the LDAP entries are automatically updated after a period of time if the attributes are cached.

The default Zimbra setting to update the server is 15 minutes. The caching period is configured on local config key.

To change the setting:
zmlocalconfig ldap_cache_<object>_maxage
To enable changes immediately:
zmprov flushCache {account|cos|domain|group|server|...} [name|id]...

If you do not specify a name or ID along with the type, all entries in cache for that type are flushed and the cache is reloaded.

Some server attributes require a server restart even after the cache is flushed. For example, settings like bind port or number of processing threads.

Flush Global Attributes

When you modify global config attributes, the changes are effective immediately on the server to which the modification is done. On other mailbox servers, you must flush the cache to make the changes available or restart the server. LDAP entries for global config attributes do not expire.

Some global config attributes are computed into internal representations only once per server restart. For efficiency reasons, changes to those attributes are not effective until after a server restart, even after the cache is flushed. Also, some global configuration settings and server settings that are inherited from global config are only read once at server startup, for example port or number of processing threads. Modifying these types of attributes requires a server restart.

To flush the cache for global config changes on all servers:

  1. Modify the setting on the local server

    zmprov mcf zimbraImapClearTextLoginEnabled TRUE

    The change is performed via the server identified by the localconfig keys zimbra_zmprov_default_soap_server and zimbra_admin_service_port.

  2. To flush the global config cache on all other servers, zmprov flushCache must be issued on all servers, one at a time (or use zmprov flushCache -a).

    For example:

    zmprov –s server2 flushCache config
    zmprov –s server3 flushCache config
  3. To determine if the action requires a restart

    zmprov desc -a <attributename>

    The requiresRestart value is added to the output if a restart is required.

Zimbra Mail Transfer Agent

The Zimbra MTA (Mail Transfer Agent) receives mail via SMTP and routes each message using Local Mail Transfer Protocol (LMTP) to the appropriate Zimbra mailbox server.

You can set MTA parameters with the Admin Console and the CLI. However, it is highly recommended that you use the CLI for MTA configuration to ensure the best results.

The Zimbra MTA server includes the following programs:

MTA Server Programs Purpose/Description

Postfix MTA

Mail routing, mail relay, and attachment blocking

Clam Anti-Virus

Scanning email messages and attachments in email messages for viruses

Spam Assassin

Identify unsolicited commercial email (spam)

Amavisd-New

Interface between Postfix and ClamAV / SpamAssassin

Zimbra Milter Server

Enforce restrictions on which addresses can send to distribution lists and adds Reply-To and X-Zimbra-DL headers to messages sent from distribution lists

Zimbra policy server

Aid in protecting Alias Domains from Backscatter Spam

Cluebringer

Policy daemon/cbpolicyd used to enforce actions, such as rate limiting. For more information, see https://wiki.zimbra.com/wiki/Postfix_Policyd

Opendkim

Sign outgoing email if it has been configured to do so. For more information, see https://wiki.zimbra.com/wiki/Configuring_for_DKIM_Signing

In the Zimbra Collaboration configuration, mail transfer and delivery are distinct functions: Postfix acts as a MTA, and the Zimbra mail server acts as a Mail Delivery Agent (MDA).

The MTA configuration is stored in LDAP. The zmconfigd process polls the LDAP directory every two minutes for modifications and updates the Postfix configuration files with the changes.

Incoming Mail Routing Overview

The Zimbra mailbox server receives the messages from the Zimbra MTA server and passes them through any filters that have been created.

The MTA server receives mail via SMTP and routes each mail message to the appropriate mailbox server using LMTP. As each mail message arrives, its contents are indexed so that all elements can be searched.

Zimbra MTA Deployment

Zimbra includes a precompiled version of Postfix to route and relay mail and manage attachments. Postfix receives inbound messages via SMTP, performs anti-virus and anti-spam filtering and hands off the mail messages to the Zimbra Collaboration server via LMTP.

Postfix also plays a role in transferring outbound messages. Messages composed from the Zimbra Classic Web App are sent by the Zimbra server through Postfix, including messages sent to other users on the same server.

Zimbra MTA Deployment
The Edge MTA can be any edge security solution for mail. You might already deploy such solutions for functions such as filtering. Some filtering might be duplicated between an edge MTA and the Zimbra MTA.

Postfix Configuration Files

Zimbra modified Postfix files — main.cf and master.cf — specifically to work with Zimbra:

  • main.cf — Modified to include the LDAP tables. The zmconfigd in the Zimbra MTA pulls data from the Zimbra LDAP and modifies the Postfix configuration files.

  • master.cf — Modified to use Amavisd-New.

Changes made to postfix configuration files will be overwritten with every upgrade and should be well documented. If possible, try to implement any necessary configuration changes using Zimbra defined parameters.

SMTP Authentication

SMTP authentication allows authorized mail clients from external networks to relay messages through the Zimbra MTA. The user ID and password is sent to the MTA when the SMTP client sends mail so that the MTA can verify if the user is allowed to relay mail.

The user ID and password is sent to the MTA when the SMTP client sends mail. This ensures that the MTA can verify if the user is allowed to relay mail, by checking the associated credentials with the LDAP account.

User authentication is provided through the Zimbra LDAP directory server, or if implemented, through the Microsoft Active Directory Sever.

SMTP Restrictions

You can enable restrictions so that messages are not accepted by Postfix when non-standard or other disapproved behavior is exhibited by an incoming SMTP client. These restrictions provide some protection against spam senders. By default, clients that do not greet with a fully qualified domain name are restricted. DNS based restrictions are also available.

Understand the implications of these restrictions before you implement them. You might have to compromise on these checks to accommodate people outside of your system who have poorly implemented mail systems.

Sending Non Local Mail to a Different Server

You can configure Postfix to send nonlocal mail to a different SMTP server, commonly referred to as a relay or smart host.

A common use case for a relay host is when an ISP requires that all your email be relayed through a designated host, or if you have filtering SMTP proxy servers.

The relay host setting must not be confused with Web mail MTA setting. Relay host is the MTA to which Postfix relays non-local email. Webmail MTA is used by the Zimbra server for composed messages and must be the location of the Postfix server in the Zimbra MTA package.

To use the Administration Console to configure Relay MTA for external delivery:

Admin Console:

Home → Configure → Global Settings → MTA → Network

To prevent mail loops, use caution when setting the relay host.
MTA Settings

Anti-Virus and Anti-Spam Protection

The Amavisd-New utility is the interface between the Zimbra MTA and Clam Anti-Virus (ClamAV) and SpamAssassin scanners.

Anti-Virus Protection

ClamAV software is the virus protection engine enabled for each Zimbra server.

The anti-virus software is configured to put messages that have been identified as having a virus to the virus quarantine mailbox. By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV.

You can change anti-virus settings at the Administration Console.

Admin Console:

Home → Configure → Global Settings → AS/AV → Anti-virus Settings

Anti-Virus Protection
Updates are obtained via HTTP from the ClamAV website.
Scanning Attachments in Outgoing Mail

You can enable real-time scanning of attachments in outgoing emails sent using the Zimbra Classic Web App. If enabled, when an attachment is added to an email, it is scanned using ClamAV prior to sending the message. If ClamAV detects a virus, it will block attaching the file to the message. By default, scanning is configured for a single node installation.

To enable scanning, using a single node:

zmprov mcf zimbraAttachmentsScanURL clam://localhost:3310/
zmprov ms `zmhostname` zimbraAttachmentsScanEnabled TRUE

To enable scanning in a multi-node environment:

  1. Designate the MTA nodes to handle ClamAV scanning.

  2. Enable, as follows:

    zmprov ms <mta_server> zimbraClamAVBindAddress <mta_server>
    zmprov mcf zimbraAttachmentsScanURL clam://<mta_server>:3310/
    zmprov ms <mailbox_server> zimbraAttachmentsScanEnabled TRUE

Anti-Spam Protection

Zimbra uses SpamAssassin to identify unsolicited commercial email (spam) with learned data stored in either the Berkeley DB database or a MariaDB database. You can also use the Postscreen function to provide additional protection against mail server overload. Both strategies are described in the following topics:

Spam Assassin Methods for Avoiding Spam

Usage guidelines are provided in the following topics:

For information about how to customize SpamAssassin, see https:// wiki.zimbra.com/wiki/Anti-spam_strategies.

Managing the Spam Assassin Score: SpamAssassin uses predefined rules as well as a Bayes database to score messages with a numerical range. Zimbra uses a percentage value to determine “spaminess” based on a SpamAssassin score of 20 as 100%. Any message tagged between 33%-75% is considered spam and delivered to the user’s junk folder. Messages tagged above 75% are always considered spam and discarded.

You can change the spam percentage settings, and the subject prefix at the Administration Console.

Admin Console:

Home → Configure → Global Settings → AS/AV → Spam checking Settings

Spam Assassin Settings

By default, Zimbra uses the Berkeley DB database for spam training. You can also use a MariaDB database.

To use the MariaDB method on the MTA servers:

zmlocalconfig -e antispam_mariadb_enabled=TRUE

When this is enabled, Berkeley DB database is not enabled.

Training the Spam Filter — The effectiveness of the anti-spam filter is dependent on user input to differentiate spam or ham. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.

At installation, a spam/ham cleanup filter is configured on only the first MTA. The Zimbra spam training tool, zmtrainsa, is configured to automatically retrieve these messages and train the spam filter. The zmtrainsa script empties these mailboxes each day.

New installations of Zimbra limit spam/ham training to the first MTA installed. If you uninstall or move this MTA, you will need to enable spam/ham training on another MTA, as one host should have this enabled to run zmtrainsa --cleanup.

To set this on a new MTA server:

zmlocalconfig -e zmtrainsa_cleanup_host=TRUE

Initially, you might want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes. When zmtrainsa runs, these messages are used to teach the spam filter. Make sure you add a large enough sampling of messages to get accurate scores. To determine whether to mark messages as spam at least 200 known spams and 200 known hams must be identified.

SpamAssassin’s sa-update tool is included with SpamAssassin. This tool updates SpamAssassin rules from the SA organization. The tool is installed into /opt/zimbra/common/bin.

Configuring Final Destination for Spam — You can configure Amavis behavior to handle a spam item’s final destination by using the following attribute:

zimbraAmavisFinalSpamDestiny

The default is D_DISCARD (which will not deliver the email to the addressee).

Setting final spam destiny attributes:

zmprov mcf "zimbraAmavisFinalSpamDestiny" D_PASS
zmprov ms serverhostname.com D_PASS
Table 9. Configurable attribute values
Value Description

D_PASS

Deliver the email to the recipient. The email is likely to be placed in the recipient’s junk folder (although some sites disable junk).

D_BOUNCE

The email is bounced back to the sender. Because this setting can create backscatter — as the "sender" is not the person who actually sent the email — it is not advised.

D_REJECT

Reject the email. This setting reduces the chance of backscatter:

  • If the sender is valid, the MTA will notify this person about the rejection.

  • If the sender is not valid, the associated MTA will discard the email (i.e. email that was sent by a spammer spoofing someone else).

D_DISCARD

The email is silently discarded (not delivered).

Setting Up Trusted Networks: The Zimbra configuration allows relaying only for the local network, but you can configure trusted networks that are allowed to relay mail. You set the MTA trusted networks as a global setting, but you can configure trusted networks as a server setting. The server setting overrides the global setting.

To use the Administration Console to set up MTA trusted networks as a global setting:

Admin Console:

Home → Configure → Global Settings → MTA → Network

MTA Trusted Networks

When using the Administration Console to set up MTA trusted networks on a per server basis, first ensure that MTA trusted networks have been set up as global settings.

Admin Console:

Home → Configure → Servers → server → MTA → Network

MTA Trusted Networks

Enter the network addresses separated by commas and/or a space. Continue long lines by starting the next line with space, similar to the following examples:

127.0.0.0/8, 168.100.189.0/24
127.0.0.0/8 168.100.189.0/24 10.0.0.0/8 [::1]/128 [fe80::%eth0]/64

Enabling a Milter Server: Milter server can be enabled to enforce restrictions on which addresses can send to distribution lists and add Reply-To and X-Zimbra-DL headers to messages sent from distribution lists. This can be enabled globally or for specific servers from the Administration Console.

Only enable a Milter Server on a server where an MTA is running.

For global configuration, enable the milter server from the Administration Console:

Admin Console:

Home → Configure → Global Settings → MTA → Milter Server

MTA Milter Server

Use the Administration Console to enable a specific milter server, and to set bind addressing for individual servers.

Admin Console:

Home → Configure → Servers → server → MTA → Milter Server

MTA Milter Server
Postscreen Methods for Avoiding Spam

Zimbra Postscreen is the 8.7 enhancement to the Zimbra Collaboration anti-spam strategy, to provide additional protection against mail server overload. By design, Postscreen is not an SMTP proxy. Its purpose is to keep spambots away from Postfix SMTP server processes, while minimizing overhead for legitimate traffic. A single Postscreen process handles multiple inbound SMTP connections and decides which clients may communicate to a Post-fix SMTP server process. By keeping spambots away, Postscreen frees up SMTP server processes for legitimate clients, and delays the onset of server overload conditions.

In a typical deployment, Postscreen handles the MX service on TCP port 25, while MUA clients submit mail via the submission service on TCP port 587, which requires client authentication. Alternatively, a site could set up a dedicated, non-Postscreen, “port 25” server that provides submission service and client authentication without MX service.

Postscreen should not be used on SMTP ports that receive mail from end-user clients (MUAs).

Zimbra Collaboration Postscreen maintains a temporary white-list for clients that have passed a number of tests. When an SMTP client IP address is whitelisted, Postscreen immediately passes the connection to a Postfix SMTP server process. This minimizes the overhead for legitimate mail.

In a typical scenario that uses Postscreen service, it is reasonable to expect potentially malicious email entities — such as bots and zombies — to be mixed in with friendly candidates in email loads. This concept is illustrated in the following diagram, in which undesirable entities are depicted in red; good email candidates are green.

Postscreen

Postscreen performs basic checks and denies connection(s) that are clearly from a bot or zombie. If the connection is not in the temporary whitelist, Postscreen passes the email to the local Anti-SPAM and Anti-Virus engines, which can either accept it or deny it. Good connections are accepted via Postscreen security, then allowed to talk directly with the SMTP daemon, which scans the Email (as usual) with the AS/AV. By default, all bots or zombies are rejected.

Use Zimbra CLI attributes to set parameters for Postscreen operations. For any Postscreen Attributes that provide the ignore, enforce, or drop instruction, use guidelines as follows:

  • ignore — Ignore this result. Allow other tests to complete. Repeat this test with subsequent client connections. This is the default setting, which is useful for testing and collecting statistics without blocking mail.

  • enforce — Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the hello/sender/recipient information. Repeat this test with subsequent client connections.

  • drop — Drop the connection immediately with a 521 SMTP reply. Repeat this test with subsequent client connections.

Postscreen Attributes:

Go to the zmprov mcf prompt (release 8.7+) to use Postscreen commands. You can see example usages of these attributes in Enabling Postscreen.

  • zimbraMtaPostscreenAccessList — Default = permit_mynetworks

    Postconf postscreen_access_list setting, which is the permanent white/ blacklist for remote SMTP client IP addresses. Postscreen(8) searches this list immediately after a remote SMTP client connects. Specify a comma- or whitespace -separated list of commands (in upper or lower case) or lookup tables. The search stops upon the first command that fires for the client IP address.

  • zimbraMtaPostscreenBareNewlineAction — Default = ignore

    The action that postscreen(8) is to take when a remote SMTP client sends a bare newline character, that is, a newline not preceded by carriage return — as either ignore, enforce, or drop.

  • zimbraMtaPostscreenBareNewlineEnable — Default = no

    Enable (yes) or disable (no) “bare newline” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

  • zimbraMtaPostscreenBareNewlineTTL — Default = 30d

    The amount of time allowable for postscreen(8) to use the result of a successful “bare newline” SMTP protocol test. During this time, the client IP address is excluded from this test. The default setting is lengthy because a remote SMTP client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenBlacklistAction — Default = ignore

    The action that postscreen(8) is to take when a remote SMTP client is permanently blacklisted with the postscreen_access_list parameter, as either ignore, enforce, or drop.

  • zimbraMtaPostscreenCacheCleanupInterval — Default = 12h

    The amount of time allowable between postscreen(8) cache cleanup runs. Cache cleanup increases the load on the cache database and should therefore not be run frequently. This feature requires that the cache database supports the “delete” and “sequence” operators. Specify a zero interval to disable cache cleanup.

    After each cache cleanup run, the postscreen(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as “partial” when the daemon terminates early after postfix reload, postfix stop, or no requests for $max_idle seconds.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenCacheRetentionTime — Default = 7d

    The amount of time that postscreen(8) is allowed to cache an expired temporary whitelist entry before it is removed. This prevents clients from being logged as “NEW” just because their cache entry expired an hour ago. It also prevents the cache from filling up with clients that passed some deep protocol test once and never came back.

    Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenCommandCountLimit — Default = 20

    Value to set the limit on the total number of commands per SMTP session for postscreen(8)'s built-in SMTP protocol engine. This SMTP engine defers or rejects all attempts to deliver mail, therefore there is no need to enforce separate limits on the number of junk commands and error commands.

  • zimbraMtaPostscreenDnsblAction — Default = ignore

    The action that postscreen(8) is to take when a remote SMTP client’s combined DNSBL score is equal to or greater than a threshold (as defined with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters), as either ignore, enforce, or drop.

  • zimbraMtaPostscreenDnsblSites

    Optional list of DNS white/blacklist domains, filters and weight factors. When the list is non-empty, the dnsblog(8) daemon will query these domains with the IP addresses of remote SMTP clients, and postscreen(8) will update an SMTP client’s DNSBL score with each non-error reply.

    When postscreen rejects mail, it replies with the DNSBL domain name. Use the postscreen_dnsbl_reply_map feature to hide “password” information in DNSBL domain names.

    When a client’s score is equal to or greater than the threshold specified with postscreen_dnsbl_threshold, postscreen(8) can drop the connection with the remote SMTP client.

    Specify a list of domain=filter*weight entries, separated by comma or whitespace.

    • When no =filter is specified, postscreen(8) will use any non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL replies that match the filter. The filter has the form d.d.d.d, where each d is a number, or a pattern inside [] that contains one or more “;”-separated numbers or number..number ranges.

    • When no *weight is specified, postscreen(8) increments the remote SMTP client’s DNSBL score by 1. Otherwise, the weight must be an integral number, and postscreen(8) adds the specified weight to the remote SMTP client’s DNSBL score. Specify a negative number for whitelisting.

    • When one postscreen_dnsbl_sites entry produces multiple DNSBL responses, postscreen(8) applies the weight at most once.

    Examples:

    To use example.com as a high-confidence blocklist, and to block mail with example.net and example.org only when both agree:

    postscreen_dnsbl_threshold = 2
    postscreen_dnsbl_sites = example.com*2, example.net, example.org

    To filter only DNSBL replies containing 127.0.0.4:

    postscreen_dnsbl_sites = example.com=127.0.0.4
  • zimbraMtaPostscreenDnsblThreshold — Default = 1

    Value to define the inclusive lower bound for blocking a remote SMTP client, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

  • zimbraMtaPostscreenDnsblTTL — Default = 1h

    The amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenDnsblWhitelistThreshold — Default = 0

    Allow a remote SMTP client to skip “before” and “after 220 greeting” protocol tests, based on its combined DNSBL score as defined with the postscreen_dnsbl_sites parameter.

    Specify a negative value to enable this feature. When a client passes the postscreen_dnsbl_whitelist_threshold without having failed other tests, all pending or disabled tests are flagged as completed with a time-to-live value equal to postscreen_dnsbl_ttl. When a test was already completed, its time-to-live value is updated if it was less than postscreen_dnsbl_ttl.

  • zimbraMtaPostscreenGreetAction — Default = ignore

    The action that postscreen(8) is to take when a remote SMTP client speaks before its turn within the time specified with the postscreen_greet_wait parameter, as either ignore, enforce, or drop.

  • zimbraMtaPostscreenGreetTTL — Default = 1d

    The amount of time allowed for postscreen(8) to use the result from a successful PREGREET test. During this time, the client IP address is excluded from this test. The default is relatively short, because a good client can immediately talk to a real Postfix SMTP server.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenNonSmtpCommandAction — Default = drop

    The action that postscreen(8) takes when a remote SMTP client sends non-SMTP commands as specified with the postscreen_forbidden_ commands parameter, as either ignore, enforce, or drop.

  • zimbraMtaPostscreenNonSmtpCommandEnable — Default = no

    Enable (yes) or disable (no) "non- SMTP command" tests in the postscreen(8) server. These tests are expensive: a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

  • zimbraMtaPostscreenNonSmtpCommandTTL — Default = 30d

    The amount of time allowable for postscreen(8) to use the result from a successful “non_smtp_command” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is long because a client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenPipeliningAction — Default = enforce

    The action that postscreen(8) is to take when a remote SMTP client sends multiple commands instead of sending one command and waiting for the server to respond, as either ignore, enforce, or drop.

  • zimbraMtaPostscreenPipeliningEnable — Default = no

    Enable (yes) or disable (no) “pipelining” SMTP protocol tests in the postscreen(8) server. These tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

  • zimbraMtaPostscreenPipeliningTTL — Default = 30d

    Time allowable for postscreen(8) to use the result from a successful “pipelining” SMTP protocol test. During this time, the client IP address is excluded from this test. The default is lengthy because a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenWatchdogTimeout — Default = 10s

    Time allowable for a postscreen(8) process to respond to a remote SMTP client command, or to perform a cache operation, before it is terminated by a built-in watchdog timer. This is a safety mechanism that prevents postscreen(8) from becoming non-responsive due to a bug in Postfix itself or in system software. To avoid false alarms and unnecessary cache corruption this limit cannot be set under 10s.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenWhitelistInterfaces

    A list of local postscreen(8) server IP addresses where a non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary whitelist status. This status is required before the client can talk to a Postfix SMTP server process. By default, a client can obtain postscreen(8)'s whitelist status on any local postscreen(8) server IP address.

    When postscreen(8) listens on both primary and backup MX addresses, the postscreen_whitelist_interfaces parameter can be configured to give the temporary whitelist status only when a client connects to a primary MX address. Once a client is whitelisted it can talk to a Postfix SMTP server on any address. Thus, clients that connect only to backup MX addresses will never become whitelisted, and will never be allowed to talk to a Postfix SMTP server process.

    Specify a list of network addresses or network/netmask patterns, separated by commas and/or whitespace. The netmask specifies the number of bits in the network part of a host address. Continue long lines by starting the next line with whitespace.

    You can also specify /file/name or type:table patterns. A /file/name pattern is replaced by its contents; a type:table lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).

    The list is matched left to right, and the search stops on the first match. Specify !pattern to exclude an address or network block from the list.

    IPv6 address information must be specified inside [] in the postscreen_whitelist_interfaces value, and in files specified with /file/name. IP version 6 addresses contain the “:” character, and would otherwise be confused with a type:table pattern.

    Example:

    /etc/postfix/main.cf:
    
    # Don't whitelist connections to the backup IP address.
    postscreen_whitelist_interfaces = !168.100.189.8, static:all
  • zimbraMtaPostscreenDnsblMinTTL — Default = 60s

    The minimum amount of time that postscreen(8) is allowed — resulting from a successful DNS -based reputation test — before a client IP address is required to pass that test again. If the DNS reply specifies a larger TTL value, that value will be used unless it would be larger than postscreen_dnsbl_max_ttl.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

  • zimbraMtaPostscreenDnsblMaxTTL — Default = postscreen dnsbl ttl

    The maximum amount of time allowable for postscreen(8) to use the result from a successful DNS-based reputation test before a client IP address is required to pass that test again. If the DNS reply specifies a shorter TTL value, that value will be used unless it would be smaller than postscreen_dnsbl_min_ttl.

    Specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit). Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

    Note that the default setting is backwards-compatible with Postscreen versions earlier than 3.1.

Enabling Postscreen:

The example in this section demonstrates settings appropriate for a global configuration with medium-to-high level Postscreen protection.

Example 4. Global Configuration for Postscreen
zmprov mcf zimbraMtaPostscreenAccessList permit_mynetworks
zmprov mcf zimbraMtaPostscreenBareNewlineAction ignore
zmprov mcf zimbraMtaPostscreenBareNewlineEnable no
zmprov mcf zimbraMtaPostscreenBareNewlineTTL 30d
zmprov mcf zimbraMtaPostscreenBlacklistAction ignore
zmprov mcf zimbraMtaPostscreenCacheCleanupInterval 12h
zmprov mcf zimbraMtaPostscreenCacheRetentionTime 7d
zmprov mcf zimbraMtaPostscreenCommandCountLimit 20
zmprov mcf zimbraMtaPostscreenDnsblAction enforce
zmprov mcf \
  zimbraMtaPostscreenDnsblSites 'b.barracudacentral.org=127.0.0.2_7' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.inps.de=127.0.0.2*7' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[10;11]*8' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.[4..7]*6' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.3*4' \
  zimbraMtaPostscreenDnsblSites 'zen.spamhaus.org=127.0.0.2*3' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].0*-2' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].1*-3' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].2*-4' \
  zimbraMtaPostscreenDnsblSites 'list.dnswl.org=127.0.[0..255].3*-5' \
  zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.2*5' \
  zimbraMtaPostscreenDnsblSites 'bl.mailspike.net=127.0.0.[10;11;12]*4' \
  zimbraMtaPostscreenDnsblSites 'wl.mailspike.net=127.0.0.[18;19;20]*-2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.10*8' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.5*6' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.7*3' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.8*2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.6*2' \
  zimbraMtaPostscreenDnsblSites 'dnsbl.sorbs.net=127.0.0.9*2'
zmprov mcf zimbraMtaPostscreenDnsblTTL 5m
zmprov mcf zimbraMtaPostscreenDnsblThreshold 8
zmprov mcf zimbraMtaPostscreenDnsblTimeout 10s
zmprov mcf zimbraMtaPostscreenDnsblWhitelistThreshold 0
zmprov mcf zimbraMtaPostscreenGreetAction enforce
zmprov mcf zimbraMtaPostscreenGreetTTL 1d
zmprov mcf zimbraMtaPostscreenNonSmtpCommandAction drop
zmprov mcf zimbraMtaPostscreenNonSmtpCommandEnable no
zmprov mcf zimbraMtaPostscreenNonSmtpCommandTTL 30d
zmprov mcf zimbraMtaPostscreenPipeliningAction enforce
zmprov mcf zimbraMtaPostscreenPipeliningEnable no
zmprov mcf zimbraMtaPostscreenPipeliningTTL 30d
zmprov mcf zimbraMtaPostscreenWatchdogTimeout 10s
zmprov mcf zimbraMtaPostscreenWhitelistInterfaces static:all

Testing Postscreen:

Testing uses Postscreen to view results without taking any action. In a testing scenario, you instruct Postscreen to log email connections without taking action on them. Once you are satisfied with the results, you can set Postscreen values to enforce or drop emails, as required.

  1. Set up the DNS-based Blackhole List (DNSBL).

  2. Set Postscreen to ignore.

The following real-world example demonstrates return of a 550 error from Postscreen during a test session:

Mar 1 02:03:26 edge01 postfix/postscreen[23154]: DNSBL rank 28 for [112.90.37.251]:20438

Mar 1 02:03:26 edge01 postfix/postscreen[23154]: CONNECT from [10.210.0.161]:58010 to [10.210.0.174]:25

Mar 1 02:03:26 edge01 postfix/postscreen[23154]: WHITELISTED [10.210.0.161]:58010

Mar 1 02:03:27 edge01 postfix/postscreen[23154]: NOQUEUE: reject: RCPT from [112.90.37.251]:20438: 550 5.7.1 Service unavailable; client [112.90.37.251] blocked using zen.spamhaus.org; from=<hfxdgdsggfvfg@gmail.com>, to=<support@zimbra.com>, proto=ESMTP, helo=<gmail.com>

Mar 1 02:03:27 edge01 postfix/postscreen[23154]: DISCONNECT [112.90.37.251]:20438

Receiving and Sending Mail

The Zimbra MTA delivers the incoming and the outgoing mail messages. For outgoing mail, the Zimbra MTA determines the destination of the recipient address. If the destination host is local, the message is passed to the Zimbra server for delivery. If the destination host is a remote mail server, the Zimbra MTA must establish a communication method to transfer the message to the remote host. For incoming messages, the MTA must be able to accept connection requests from remote mail servers and receive messages for the local users.

To send and receive email, the MTA must be configured in DNS with both an A record and an MX Record. For sending mail, the MTA uses DNS to resolve hostnames and email-routing information. To receive mail, the MX record must be configured correctly to route messages to the mail server.

You must configure a relay host if you do not enable DNS.

Message Queues

When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, hold, and corrupt.

Message Queues

The incoming message queue holds the new mail that has been received. Each message is identified with a unique file name. Messages are moved to the active queue when there is room. If there are no problems, message move through this queue very quickly.

The active message queue holds messages that are ready to be sent. The MTA sets a limit to the number of messages that can be in the active queue at any one time. From here, messages are moved to and from the anti-virus and anti-spam filters before being delivered to another queue.

Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails and is bounced back to the original sender. You can choose to send a notification to the sender that the message has been deferred.

The hold message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the hold queue.

The corrupt queue stores damaged unreadable messages.

You can monitor the mail queues for delivery problems from the Administration Console. See Monitoring Zimbra Servers.

Message banner for mails from external domains

Kepler-Patch-25, a message banner in the mails can be added for the mails coming from external domains. This will help users to identify the mails originating outside their organization. The feature is controlled by a localconfig attribute and by default it is disabled.

Following are the details of the attributes:

  • zimbra_external_email_warning_enabled - Attribute to enable/disable the feature.

  • zimbra_external_email_warning_message - Attribute to customize the message to be displayed in the mails.

Following are the instructions to be executed as zimbra user:

  1. Enabling the feature:

    su - zimbra
    zmlocalconfig -e zimbra_external_email_warning_enabled=true
  2. Restart mailbox service:

    zmmailboxdctl restart

When a user receives mail from an external domain, the message banner will get displayed at the top of the message body.

Modifying the message

The message for external domains can also be modified.

Following are the instructions:

  1. Edit the localconfig attribute zimbra_external_email_warning_message with the new message:

    zmlocalconfig -e zimbra_external_email_warning_message="The external domain warning has been edited"
  2. Restart mailbox service:

    zmmailboxdctl restart

When a user receives mail from an external domain, the edited message banner will get displayed at the top of the message body.

Zimbra Proxy Server

Zimbra Proxy is a high-performance proxy server that can be configured as a POP3/IMAP/HTTP proxy used to reverse proxy IMAP/POP3 and HTTP client requests to a set of backend servers.

The Zimbra Proxy package is installed and configured during the Zimbra Collaboration installation. You can install this package on a mailbox server, MTA server, or on its own independent server. When the Zimbra Proxy package is installed, the proxy feature is enabled. In most cases, no modification is necessary.

Benefits of Using Zimbra Proxy

Benefits for using Zimbra Proxy include:

  • Zimbra proxy centralizes access to Mailbox servers

  • Load Balancing

  • Security

  • Authentication

  • SSL Termination

  • Caching

  • Centralized Logging and Auditing

  • URL Rewriting

  • Strict Server Name Enforcement (optional)

For more information, see the wiki page Zimbra_Proxy_Guide.

Zimbra Proxy Components

Zimbra Proxy is designed to provide a HTTP/POP/IMAP proxy that is quick, reliable, and scalable. Zimbra Proxy includes the following:

Component Description

Nginx

High performance HTTP/IMAP/POP3 proxy server that handles all incoming HTTP/POP/IMAP requests.

Memcached

High performance distributed memory object caching system in which routing information is cached to enable increased performance.

Zimbra Proxy Route Lookup Handler

Servelet—located on the Zimbra mailbox server—that handles queries for the user account route information. This routing information consists of the server and port number where the user account resides.

Proxy Architecture and Flow

This section describes the architecture and flow sequence of Zimbra proxy.

  1. End clients connect to Zimbra Proxy using HTTP/HTTPS/POP/IMAP ports.

  2. When Zimbra Collaboration Proxy receives an incoming connection, the Nginx component sends an HTTP request to Zimbra Collaboration Proxy Route Lookup Handler component.

    Proxy Architecture

  3. Zimbra Collaboration Proxy Route Lookup Handler locates the route information for the account being accessed and returns this to Nginx.

  4. The Memcached component stores the route information for the configured period of time (the default is one hour). Nginx uses this route information instead of querying the Zimbra Collaboration Proxy Route Lookup Handler until the default period of time has expired.

  5. Nginx uses the route information to connect to Zimbra Collaboration Mailbox.

  6. Zimbra Collaboration Proxy connects to Zimbra Collaboration Mailbox and initiates the web/mail proxy session. The end client behaves as if it is connecting directly to Zimbra Collaboration Mailbox.

Changing the Zimbra Proxy Configuration

When Zimbra proxy is configured, the Zimbra proxy config performs keyword substitution as necessary with values from the LDAP configuration and localconfig.

If changes are required after the Zimbra Proxy is set up, modify the Zimbra LDAP attributes or localconfig values and run zmconfigd to generate the updated Zimbra Proxy configuration. The Zimbra proxy configuration file is in /opt/zimbra/conf/nginx.conf. The nginx.conf includes the main config, memcache config, mail config, and web config files.

Common changes to Zimbra Proxy configuration are IMAP/POP configuration changes from the original default setup

  • HTTP reverse proxy configuration changes from the original default setup

  • GSSAPI authentication for Kerberos. In this case you manually identify the location of the Kerberos Keytab file, including Zimbra Proxy password

Zimbra Proxy

Zimbra Proxy allows end users to access their Zimbra Collaboration account using clients such as Microsoft Outlook, Mozilla Thunderbird, or other POP/IMAP end-client software. End users can connect using POP3, IMAP, POP3S (Secure POP3), or IMAPS (Secure IMAP).

For example, proxying allows users to enter imap.example.com as their IMAP server. The proxy running on imap.example.com inspects their IMAP traffic, does a lookup to determine which backend mailbox server a user’s mailbox lives on and transparently proxies the connection from user’s IMAP client to the correct mailbox server.

Zimbra Proxy Ports

The following ports are used either by Zimbra Proxy or by Zimbra Mailbox (if Proxy is not configured). If you have any other services running on these ports, turn them off.

End clients connect directly to Zimbra Proxy, using the Zimbra Proxy Ports. Zimbra Proxy connects to the Route Lookup Handler or Zimbra Mailbox using the Zimbra Mailbox Ports.

Table 10. Proxy Ports
Zimbra Proxy Ports (External to Zimbra) Port

HTTP

80

HTTPS

443

POP3

110

POP3S (Secure POP3)

995

IMAP

143

IMAPS (Secure IMAP)

993

Zimbra Mailbox Ports (Internal to Zimbra)

Port

Route Lookup Handler

7072

HTTP Backend (if Proxy configured)

8080

HTTPS Backend (if Proxy configured)

8443

POP3 Backend (if Proxy configured)

7110

POP3S Backend (if Proxy configured)

7995

IMAP Backend (if Proxy configured)

7143

IMAPS Backend (if Proxy configured)

7993

Strict Server Name Enforcement

Zimbra Proxy has the ability to strictly enforce which values are allowed in the Host header passed in by the client.

This is enabled by default on new installations but left disabled for upgrades from previous versions unless toggled during the installation.

The functionality may be altered by setting the zimbraReverseProxyStrictServerNameEnabled boolean configuration option followed by restarting the proxy server.

  • TRUE - strict server name enforcement enabled

  • FALSE - strict server name enforcement disabled

zmprov mcf zimbraReverseProxyStrictServerNameEnabled TRUE

When the strict server name functionality is enabled, additional valid server names may be specified using the zimbraVirtualHostName and zimbraVirtualIPAddress configuration items at the domain level.

zmprov md example.com zimbraVirtualHostName mail.example.com zimbraVirtualIPAddress 1.2.3.4
Only one virtual ip address is needed per domain although more than one is acceptable.

Setting Up IMAP and POP Proxy After HTTP Proxy Installation

IMAP proxy is installed with Zimbra Collaboration and set up during installation from the configuration menus. To set up the HTTP proxy, the proxy must be installed on the identified proxy nodes in order to set up HTTP proxy. No other configuration is usually required.

If you need to, set up IMAP/POP proxy after you have already installed HTTP proxy, and set up the mailbox server and the proxy node.

You can run the command as zmproxyconfig -r, to run against a remote host. This requires the server to be properly configured in the LDAP master.
Set Up IMAP/POP Proxy with Separate Proxy Node

Use steps in this section if your configuration includes a separate proxy server.

  1. On each Zimbra mailbox server that you want to proxy with, enable the proxy for IMAP/POP proxy.

    /opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname

    This configures the following:

    Port Attributes Setting

    zimbraImapBindPort

    7143

    zimbraImapProxyBindPort

    143

    zimbraImapSSLBindPort

    7993

    zimbraImapSSLProxyBindPort

    993

    zimbraPop3BindPort

    7110

    zimbraPop3ProxyBindPort

    110

    zimbraPop3SSLBindPort

    7995

    zimbraPop3SSLProxyBindPort

    995

    zimbralmapCleartextLoginEnabled

    TRUE

    zimbraReverseProxyLookupTarget

    TRUE

    zimbraPop3CleartextLoginEnabled

    TRUE

  2. Restart services on the proxy and mailbox servers.

    zmcontrol restart

Set Up the Proxy Node

On each proxy node that has the proxy service installed, enable the proxy for the web.

/opt/zimbra/libexec/zmproxyconfig -e -m -H proxy.node.service.hostname

This configures the following:

Port Attribute Setting

zimbraImapBindPort

7143

zimbraImapProxyBindPort

143

zimbraImapSSLBindPort

7993

zimbraImapSSLProxyBindPort

993

zimbraPop3BindPort

7110

zimbraPop3ProxyBindPort

110

zimbraPop3SSLBindPort

7995

zimbraPop3SSLProxyBindPort

995

zimbraReverseProxyMailEnabled

TRUE

Set Up a Single Node

Use steps in this section if Zimbra proxy is installed with Zimbra Collaboration on the same server.

  1. Enable the proxy for the web.

    /opt/zimbra/libexec/zmproxyconfig -e -m -H mailbox.node.service.hostname

    This configures the following:

    Port Attribute Setting

    zimbraImapBindPort

    7143

    zimbraImapProxyBindPort

    143

    zimbraImapSSLBindPort

    7993

    zimbraImapSSLProxyBindPort

    993

    zimbraPop3BindPort

    7110

    zimbraPop3ProxyBindPort

    110

    zimbraPop3SSLBindPort

    7995

    zimbraPop3SSLProxyBindPort

    995

    zimbraImapCleartextLoginEnabled

    TRUE

    zimbraReverseProxyLookupTarget

    TRUE

    zimbraPop3CleartextLoginEnabled

    TRUE

    zimbraReverseProxyMailEnabled

    TRUE

  2. Restart services on the proxy and mailbox servers.

    zmcontrol restart

Configuring Zimbra HTTP Proxy

Zimbra Proxy can also reverse proxy HTTP requests to the right back-end server.

For example, users can use a web browser to connect to the proxy server at https://mail.example.com. The connection from users whose mailboxes live on mbs1.example.com is proxied to mbs1.example.com by the proxy running on the mail.example.com server. The proxy also supports REST and CalDAV clients, Zimbra Connector for Outlook, and Zimbra Mobile Sync NG devices.

HTTP reverse proxy routes requests as follows:

  • If the requesting URL can be examined to determine the user name, then the request is routed to the backend mailbox server of the user in the URL. REST, CalDAV, and Zimbra Mobile Sync are supported through this mechanism.

  • If the request has an auth token cookie (ZM_AUTH_TOKEN), the request is routed to the backend mailbox server of the authenticated user.

  • If the above methods do not work, the IP hash method is used to load balance the requests across the backend mailbox servers which are able to handle the request or do any necessary internal proxying.

Setting Up HTTP Proxy

To set up HTTP proxy, Zimbra Proxy must be installed on the identified nodes.

You can run the command as /opt/zimbra/libexec/zmproxyconfig -r, to run against a remote host. Note that this requires the server to be properly configured in the LDAP master.
Setting Up HTTP Proxy as a Separate Proxy Node

Use steps in this section if your configuration includes a separate proxy server.

  1. On each Zimbra mailbox server that you want to proxy with, enable the proxy for the web.

    /opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname

    This configures the following:

    Attribute Setting

    zimbraMailReferMode

    reverse-proxied.

    zimbraMailPort

    8080 (to avoid port conflicts)

    zimbraMailSSLPort

    8443 (to avoid port conflicts)

    zimbraReverseProxyLookupTarget

    TRUE

    zimbraMailMode

    HTTP

  2. Restart services on the proxy and mailbox servers.

    zmcontrol restart
  3. Configure each domain with the public service host name to be used for REST URLs, email, and Briefcase folders.

    zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>

Setting Up Proxy Node

On each proxy node that has the proxy service installed, enable the proxy for the web.

/opt/zimbra/libexec/zmproxyconfig -e -w -H proxy.node.service.hostname

This configures the following:

Attribute Setting

zimbraMailReferMode

reverse-proxied. To set the proxy server mail mode, add the -x option to the command, with the specific mode as either http, https, both, redirect, or mixed.

zimbraMailProxyPort

80 (to avoid port conflicts).

zimbraMailSSLProxyPort

443 (to avoid port conflicts).

zimbraReverseProxyHttpEnabled

TRUE (to indicate that Web proxy is enabled).

zimbraReverseProxyMailMode

HTTP (default)

To set the proxy server mail mode, add the -x option to the command with the specific mode: http, https, both, redirect, mixed.

Setting Up a Single Node for HTTP Proxy

Use steps in this section if Zimbra proxy is installed along with Zimbra on the same server.

  1. On each zimbra mailbox server that you want to proxy with, enable the proxy for the web.

    /opt/zimbra/libexec/zmproxyconfig -e -w -H mailbox.node.service.hostname

    This configures the following:

    Attribute Setting

    zimbraMailReferMode

    reverse-proxied.

    zimbraMailPort

    8080 (to avoid port conflicts)

    zimbraMailSSLPort

    8443 (to avoid port conflicts)

    zimbraReverseProxyLookupTarget

    TRUE

    zimbraMailMode

    HTTP (the only supported mode)

    zimbraMailProxyPort

    80 (to avoid port conflicts)

    zimbraMailSSLProxyPort

    443 (to avoid port conflicts)

    zimbraReverseProxyHttpEnabled

    TRUE (to indicate that Web proxy is enabled)

    zimbraReverseProxyMailMode

    HTTP (default)

    To set the proxy server mail mode, add the -x option to the command with the specific mode: http, https, both, redirect, mixed.

  2. Restart services on the proxy and mailbox servers.

    zmcontrol restart

    Configure each domain with the public service host name to be used for REST URLs, email and Briefcase folders.

    zmprov modifyDomain <domain.com> zimbraPublicServiceHostname <hostname.domain.com>

Set Up Proxy to use Clear Text for Upstream Connections

When setting up the proxy to use clear text for upstream connections, set zimbraReverseProxySSLToUpstreamEnabled to FALSE.

This attribute defaults to TRUE. In an "out of the box" proxy set up, the upstream communication defaults to SSL.

REST URL Generation

For REST URL, you set the host name, service protocol, and services port globally or for a specific domain from the following attributes.

  • zimbraPublicServiceHostname

  • zimbraPublicServiceProtocol

  • zimbraPublicServicePort

When generating REST URL’s:

  • If domain.zimbraPublicServiceHostname is set, use zimbraPublicServiceProtocol + zimbraPublicServiceHostname + zimbraPublicServicePort

  • Otherwise it falls back to the server (account’s home server) attributes:

    • protocol is computed from server.zimbraMailMode

    • hostname is server.zimbraServiceHostname

  • port is computed from the protocol.

About using zimbraMailReferMode - In earlier versions, a local config variable — zimbra_auth_always_send_refer — determined which action the back-end server took when a user’s mailbox did not reside on the server that the user logged in to. The default value of FALSE redirected the user if the user was logging in on the incorrect backend host.

On a multiserver Zimbra, if a load balanced name was needed to create a friendly landing page, a user would always have to be redirected. In that case, zimbra_auth_always_send_refer was set to TRUE.

Now with a full-fledged reverse proxy, users do not need to be redirected. The localconfig variable zimbraMailReferMode is used with nginx reverse proxy.

Setting Proxy Trusted IP Addresses

When a proxy is configured with Zimbra, each proxy server’s IP address must be configured in LDAP attribute zimbraMailTrustedIP to identify the proxy addresses as trusted when users log in through the proxy. The proxy IP address is added to the X-Forwarded-For header information. The X-Forwarded-For header is automatically added to the localconfig zimbra_http_originating_ip header attribute. When a user logs in, this IP address and the user’s address are verified in the Zimbra mailbox log.

Set each proxy IP address in the attribute. For example, if you have two proxy servers:

zmprov mcf +zimbraMailTrustedIP {IP of nginx-1} +zimbraMailTrustedIP {IP of nginx-2}

To verify that X-Forwarded-For was correctly added to the localconfig, type

zmlocalconfig | grep -i http

You should see

zimbra_http originating_ip_header = X-Forwarded-For

Configuring Zimbra Proxy for Kerberos Authentication

Use steps in this section if you use the Kerberos5 authenticating mechanism, and want to configure it for the IMAP and POP proxy.

Make sure that your Kerberos5 authentication mechanism is correctly configured. See Zimbra LDAP Service
  1. On each proxy node, set the zimbraReverseProxyDefaultRealm server attribute to the realm name corresponding to the proxy server. For example:

    zmprov ms [DNS name.isp.net] zimbraReverseProxyDefaultRealm [ISP.NET]
  2. Each proxy IP address where email clients connect must be configured for GSSAPI authentication by the mail server. On each proxy node for each of the proxy IP addresses:

    zmprov mcf +zimbraReverseProxyAdminIPAddress [IP address]
  3. On each proxy server:

    zmprov ms [proxyexample.net] zimbraReverseProxyImapSaslGssapiEnabled TRUE
    
    zmprov ms proxyl.isp.net zimbraReverseProxyPop3SaslGssapiEnabled TRUE
  4. Restart the proxy server

    zmproxyctl restart

Zimbra Administration Console

The Zimbra Administration Console is a browser-based user interface for the central management of Zimbra servers and user accounts.

Administrator Accounts

When you log in to the Administration Console, the tasks you are authorized to perform show up on the Navigation pane. These tasks depend on the rights assigned to your administrator role.

You can create two types of administrator accounts to manage Zimbra Collaboration:

  • Global Administrators have full privileges to manage servers, global settings, domains, and accounts as well as create other administrators. One global administrator account gets created automatically during software installation. Create additional global administrator accounts anytime later. You can perform administration tasks from the Administration Console or the command line.

  • Delegated Administrators are granted customized administrator roles by the global administrator to manage different tasks from the Administration Console. See Delegated Administration for more details.

Logging into the Administration Console

  1. To launch the Administration Console in a typical installation, use the following URL pattern.

    https://server.domain.com:7071/

    Parameter Description

    server.domain.com

    The Zimbra server name or IP address.

    7071

    The default HTTP listen port.

  2. At the login screen, enter the complete administrator address - e.g., admin@domain.com - and the password configured for it during server installation of Zimbra Collaboration.

    Administration Console

Modifying Administrator Passwords

You can change the password - from either the Administration Console or the CLI - at any time.

From the Administration Console, use the Change Password screen to set the new password string, and to define the policy for user password modifications.

Admin Console:

Home → Manage → Accounts

Double click select user account or from the Gear icon, select Change Password from the popup menu.

Change Password
zmprov sp adminname@domain.com password

Customizing the Login and Logout Pages

A different login and logout page can be configured either as a global setting or as a domain setting.

To specify a URL to redirect administrators to if their login fails authentication, or if their authentication has expired:

Global:

zmprov mcf zimbraAdminConsoleLoginURL <https://example.com>

Domain:

zmprov md <domain> zimbraAdminConsoleLoginURL <https://example.com>

To specify a URL to redirect administrators to, for logging out:

Global:

zmprov mcf zimbraAdminConsoleLogoutURL <https://example.com>

Domain:

zmprov md <domain> zimbraAdminConsoleLogoutURL <https://example.com>

Managing Tasks

Most Zimbra tasks - such as creating accounts and Classes of Service, Server Status Monitoring, Domain management, Backup Scheduling, and Session management - can be managed from the Administration Console.

Other configuration and maintenance tasks require the use of the Zimbra CLI because you cannot perform them in the Administration Console. For example: starting and stopping services and managing the local server configuration.

At the Administration Console, if you need to view the attribute associated with a particular function, you can click on the text labels of the currently visible configuration page to open the information in a popup. Guide text is also provided from these popups, as demonstrated in the following illustration.

Viewing Attributes at the Administration Console

Click the field label to view the Attribute popup.

Viewing Attributes

With the attribute popup in view, click More to view guidetext about the field.

Viewing Attributes

Navigating the User Interface

The organization of the Zimbra Collaboration Administration Console provides quick navigation to the configuration and monitoring tools and views associated with your login privileges. It also provides easy access to various types of Help and the on-screen guide text.

After logging in to the Administration Console, the Home page provides status information and options you can select to navigate to the configuration and viewing options described in this user guide.

Administration Console
<1> Go to Previous or Next page
<2> Current Location/Path
<3> Search
<4> Screen Refresh
<5> Current User and Logout Option
<6> Help
<7> Gear Icon
<8> Status Pane
<9> Viewing Pane
<10> Navigation Pane

The displays and options in the navigation pane and viewing pane change according to your selections. Other portions of the UI — arrow buttons, search field, screen refresh, current location/path, current login, and Help — always remain in view.

The Gear Icon Gear Icon is displayed with some screens, to enable quick access to functions associated with the functions provided in the screens. For more information about the Gear icon, see Using the Gear icon

Home Navigation Pane

The options provided in the Home navigation pane get categorized under the Home directory. Some of the options lead to configuration pages; others lead to pages containing reports, as associated with your selections.

The illustration at right is an expanded view of the options currently supported in the Navigation Pane.

The upper bar of the in-view page always displays your current position in the hierarchy, and you can use multiple options for dismissing the current view:

  • To return to a previous page or go to the next page, click the left or right arrows.

  • To return to a specific portion of the UI, select an option from the Home dropdown.

  • To go directly to a specific option, click through the hierarchy in the Navigation Pane.

The Navigation pane options are described in the following topics:

Home UI

The Home screen is the default, login view, which provides the Home navigation pane and the Home page. This page provides a snapshot view of system status and a series of quick-access links for essential tasks.

Home UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Current User and Logout Option
<5> Help
<6> System Status
<7> Status Pane
<8> Quick Start
<9> Navigation Pane
Table 11. Home UI
Topic Description

Summary

Displays the version of Zimbra Collaboration currently running and in view, and the detected number of servers, account, domains, and classes of service associated with this session.

Maintenance

Displays the most recent software backup performed.

Runtime

Displays the runtime statistics for Service, Active Session, and Queue Length.

1 Get Started

Displays the steps essential to getting started with your Zimbra Collaboration operations, and provides quick links to the functions in this UI:

  1. Install Licenses

  2. Configure Back-ups

  3. Install Certificates

  4. Configure Default COS

2 Set up Domain

Displays the steps you use to establish the domain(s) to be managed by the Collaborator. Each step is a link to the function in this UI:

  1. Create a Domain

  2. Configure GAL…​

  3. Configure Authentication

3 Add Accounts

Displays the steps for adding accounts for management by the Collaborator. Each step is a link to the function in this UI:

  1. Add Account

  2. Manage Accounts

  3. Migration and Co-existence

Monitor UI

The Monitor screen provides the Monitor navigation pane and the Monitor pages, which display various itemizations about servers monitored by the Collaborator.

Monitor UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Current User and Logout Option
<5> Help
<6> Status Pane
<7> Navigation Pane
Monitor Navigation Pane and Pages

The options provided in the Monitor pages provide various methods- dynamic charts, or tables-for viewing the individual or system-wide monitored servers and services listed in the following table.

Adobe Flash Player must be activated to enable views of the dynamic charts.
Table 12. Monitor UI
Option Description

Server Status

Server, Service, and Time details for each server monitored by the Collaborator.

Advanced Statistics

System-wide Information page for Advanced Statistics, which allows you to set up a new monitoring chart using parameters from the selection fields available from this page: Server, Group, Start, end, and Counters.

From this Advanced Statistics page, you can also elect to perform the following operations:

  • Hide Chart Settings

  • Update Chart

  • Remove Chart

Message Count

System-wide Information page, for Message Counts, to examine charts depicting counts over the last 48, 30, 60, and 365 days. The information summarizes the number of recipients of messages using either SMTP or LMTP. The polling intervals for the counts are posted directly beneath each chart.

Message Volume

System-wide Information page, for Message Volume, to view charts depicting the number of recipients of messages using either SMTP or LMTP, and associated message sizes. These counts get summarized in periods over the last 48, 30, 60, and 365 days. The polling intervals for the counts are posted directly beneath each chart.

Anti-Spam/Anti-Virus

System-wide Information page, for Anti-Spam/Anti-Virus

Activity

Activity, depicting the number of unique messages processed by the AS/AC system over the last 48, 30, 60, and 365 days. The polling intervals for the counts are posted directly beneath each chart.

Server Statistics

Access to statistics for a selected Service Host. You can view information for a selected host, as follows:

  • Place and hold the cursor on the Service Hostname to view popup license information.

    License

  • Right-click on the Service Hostname and select View from the popup to go to the statistics page for it. You can also double-click on the Service Hostname to access the statistics page.

    View

For the selected Server, the Server Statistics navigation pane provides options to view Disk, Session, Mailbox Quota, Message Count, Message Volume, and Anti- Spam/Anti-Virus Activity.

Mail Queues

Tab pages from which to view counts of Deferred, Incoming, Active, Held, and Corrupt statistics for detected mail queues. Each tab page provides summary filtering information and Message details.

Manage UI

The Manage screen provides the Manage navigation pane, and the Manage pages, which display the tables categorically provided as Accounts, Aliases, Distribution Lists, and Resources that are currently managed by Collaborator.

Manage UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Current User and Logout Option
<5> Help
<6> Gear Icon
<7> Status Pane
<8> Navigation Pane
Table 13. Manage UI
Option Description

Accounts (count)

Table of accounts managed by the Collaborator. Actions you can perform:

  • View ID information from a popup display: Hold the cursor over an Accounts row.

  • Right-click on a table row, or use the Gear icon to access the following functions: Delete, Edit, Change Password, New Administrator, View Mail, New, Invalidate Session, View Rights, Configure Grants, Move Mailbox, Search Mail.

Aliases (count)

Table of Aliases managed by the Collaborator. Each alias is an email address that forwards all email to a specified account.

Actions you can perform:

  • View ID information in a popup display: Hold the cursor over an Alias row.

  • Right-click on a table row, or use the Gear icon to access the following functions: Delete, Edit, New Administrator, View Mail, Move Alias, New, Invalidate Session, View Rights, Configure Grants, Move Mailbox, Search Mail.

Distribution Lists (count)

Table of Distribution Lists managed by the Collaborator. A Distribution List is a group of mail addresses contained in a list, with a mail address for the list. When you send a message to a distribution list, you are sending it implicitly to everyone whose address appears in the list. The To: address line displays the distribution list address.

Actions you can perform:

  • View ID information: Hold the cursor over a Distribution List row.

  • Right-click on a table row, or use the Gear icon to access the following functions: Delete, Edit, New Administrator, View Mail, New, View Rights, Configure Grants, Search Mail.

Resources (count)

Table of Resources managed by the Collaborator. A Resource is a location or a piece of equipment that supports scheduling for meetings.

Actions you can perform:

  • View ID information: Hold the cursor over a Resources row.

  • Right-click on a table row, or use the Gear icon to access the following functions: Delete, Edit, New Administrator, View Mail, New, View Rights, Configure Grants, Search Mail.

Configure UI

The Configure screen provides the Configure navigation pane, and the Configure pages, which enable configurations for individual or global components.

Configure UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Help
<5> Gear Icon
<6> Status Pane
<7> Configure Navigation Pane
Table 14. Configure UI
Option Description

Class of Service

Displays the COSs managed from this AdministrationConsole.

  • Double-click on a table row to access the configuration screens for the selected COS,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: New, Delete, Edit, Duplicate

Domains

Displays the domains managed from this Administration Console.

  • Double-click on a table row to access the configuration screens for the selected domain,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: New, Delete, Edit, Configure GAL, Configure Authentication, View Accounts, Add a Domain Alias, Configure Grants

Servers

Displays the servers managed from this Administration Console.

  • Double-click on a table row to access the configuration screens for the selected server,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: Edit, Flush Cache, Enable Proxy, Disable Proxy

Global Settings

Provides access to tools you use to set various global parameters for your Zimbra Collaboration.

Gear Icon: Save, Download, Update License, Activate License, Manually Activate License

Zimlets

Displays the Zimlets managed from this Administration Console.

  • Double-click on a table row to access the configuration screens for the selected Zimlet,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: Deploy, Undeploy, Toggle Status

Admin Extensions

Displays the Admin Extensions managed from this Administration Console.

  • Double-click on a table row to access the configuration screens for the selected Admin Extension,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: Deploy, Undeploy

Certificates

Displays the Certificates managed from this Administration Console.

  • Double-click on a table row to access the General Information screen for the selected certificate,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: Install Certificate, View Certificate

Rights

Displays the various Rights applicable to this Administration Console.

  • Double-click on a table row to access the General Information screen for the selected Right,

    or

  • Right-click on a table row, or use the Gear icon to access the following function: View

Global ACL

Displays the Global Access Control Lists managed from this Administration Console.

  • Double-click on a table row to access the Edit ACE screen for the selected Global ACL,

    or

  • Right-click on a table row, or use the Gear icon to access the following functions: Add, Delete, Edit

Global Settings UI

Global Settings define the default global values for servers, accounts, COS, and domains. These default values and parameters apply when no specific values and parameters for particular items are in their settings.

You configure the defaults for Global Settings during installation. You can change the settings at any time from Global Settings at the Administration Console.

Table 15. Global Settings UI
Option Description

General Information

  • Set global ceiling for the number of results from a GAL search.

  • Define default domain.

  • Configure the number of threads that can be used to get the content from the remote data sources.

For more information, see General Information Configuration

Attachments

  • Enable rules to reject messages that include attachments of a specific extension.

  • Disable attachments from being read.

  • Convert attachments to HTML for viewing.

For more information, see Attachments Configuration.

MTA

  • Enable authentication.

  • Set maximum message size.

  • Enable or disable protocol and DNS check.

  • Add X-Originating-IP message headers.

For more information, see MTA Configuration.

IMAP

Enable IMAP service. Changes to these settings do not take effect until the server restarts.

POP

Enable POPS3 Service. Changes to these settings do not take effect until the server restarts.

AS/AV

Set anti-spam and anti-virus rules. Changes to the Spam-check settings do not take effect until the server restarts.

Themes

  • Customize the color scheme of existing themes

  • Add logo to a theme.

Changes to the theme settings require flushing of the server theme cache by using Flush Cache on the toolbar in Server settings.

For more information, see Color and Logo Management.

Advanced

  • Configure the company name to be displayed in the prompt on the Authentication Required dialog used to log in to Briefcase folders shared with external guests

  • Add regular expression rules for Account Email Validation.

Retention Policy

Set up a retention and deletion time threshold for items in user folders. You can configure retention and deletion policies as a global setting, or configure COS-level policies instead of inheriting from the global settings.

Proxy

Set parameters for Web Proxy and Mail Proxy. There are also tools provided for setting Advanced Proxy parameters.

S/MIME

(Secure Multipurpose Internet Mail Extensions): Configure the LDAP settings on the S/MIME tab (if S/MIME feature is enabled). Users retrieve private keys from LDAP servers.

ACL

(Access Control List): Go to ACE (Access Control Entry) configuration for delegated administration rights granted on selected target(s), to add, edit, or delete an ACE.

Backup/Restore

Set parameters for backup-for standard or auto- grouped mode. For more information see Backup and Restore.

HSM

(hierarchical storage management): Configure the aging of messages before they move to the secondary volume.

License

  • Update and install your Zimbra license.

  • View current license information.

Tools and Migration UI

The Tools and Migration screen provides the Tools and Migration navigation pane, for access to system software management and system backup/restore. Administrators can access and download specific wizards and tools from this page.

Tools and Migration UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Current User and Logout Option
<5> Help
<6> Status Pane
<7> _Tools and Migration_ Navigation Pane
Table 16. Tools and Migration
Option Description

Downloads

Access Zimbra utilities, which provides downloadable zip packages - for general administration use, and to synchronize an individual end-user - containing migration wizards for various platforms, and Outlook connectors. Additional information is provided in Downloadable Wizards and Connectors.

Software Updates

Find out if your system needs a Zimbra Server update or not, and use this page to view polling and email contact information pertinent to software updates for your system.

See also Checking for Zimbra Collaboration Software Updates.

Account Migration

View tabular details about account migrations, as detected by your system. This page lists total imports and the status of each. This page also provides the name(s) of the owners for each account migration listed. See also Migrating Accounts from a Zimbra Server.

Client Upload

Use this page to browse for the latest version of software to be uploaded to your system. After selecting the image, you can use Upload on this page to complete the software upload.

Backups

Access a summary view of current free and total space (MB) based on the most recent system backup. You can also choose an administrator from this navigation pane to view their backup history. The history lists labels, start and end times, and success or failure for each backup occurrence. Each of these listings is associated with an identical displayed directory path to the backup target. The section Backup and Restore provides additional information.

Downloadable Wizards and Connectors

Use the Tools and Migration screen Downloads option to get the tools described in this section. Check Zimbra PST Migration to migrate Outlook PSTs to Zimbra Collaboration.

Table 17. Administrator Tools and Migration Options

Zimbra Collaboration Migration Wizard for Exchange/PST (32 bit)
Zimbra Collaboration Migration Wizard for Exchange/PST (64 bit)

Get zip files to perform a server-to-server migration of mail, calendar, and contacts from Microsoft Exchange or PST file to the Zimbra Collaboration Server.

This package is supported only for PST file import, with End of Technical Guidance set for 31 December 2020. We recommend audriga's self-service migration solution as a preferred alternative for all account migrations.

Zimbra Collaboration Migration Wizard for Domino

This package is deprecated! We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

Legacy Zimbra Collaboration Migration Wizard for Exchange

This package is deprecated! We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

Zimbra Connector for Outlook MSI Customizer

Present text file containing functions you can use to customize the standard ZCO MSI. The server name, port, and other variables particular to an organization can be customized.

Zimbra Connector for Outlook Branding MSI

Get the Windows Visual Basic Script Edition (VBScript Script File) to customize the standard ZCO MSI. Customization replaces all instances of the Zimbra product name and logo.

Table 18. End User Desktop Applications and Utilities / Migration and Import Tools

Zimbra Connector for Outlook (32 bits)
Zimbra Connector for Outlook (64 bit) (User Instructions)

This application enables Outlook to synchronize calendar, contacts, and mail with the Zimbra server and access Zimbra Collaboration’s business features. Address books, Contacts, Calendars, Tasks, and mail are synced directly with the Zimbra Collaboration server.

(Legacy) Microsoft Outlook PST Import Tool

This package is deprecated! Users should use the General Migration Wizard for PST import.

(Legacy) Migration Wizard for Microsoft Exchange

This package is deprecated! We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

General Migration Wizard

This tool imports data within Microsoft Exchange servers and Outlook PST files to the Zimbra Server.

This package is supported only for PST file import. We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

Search UI

The Search screen displays the Search results from queries made in the Search field in the Administration Console header.

  • When you open this page without entering a search query, All Results is the default search, which displays accounts, domains, and distribution lists in the Content pane.

  • The auto-completion function allows you to enter a partial name, then select a searchable name from the displayed list of matched strings.

  • You can also use the Zimbra mailbox ID number to search for an account. However, to return a search from a mailbox ID, the complete ID string must be entered in the search.

Search UI
<1> Go to Previous or Next page
<2> Search Options
<3> Search
<4> Screen Refresh
<5> Current User and Logout Option
<6> Help
<7> Gear Icon
<8> Status Pane
<9> Search Navigation Pane
Table 19. Search UI
Option Description

All Result

View the count and table of all search results.

Accounts

View the count and table resulting from a query for Accounts.

Domains

View the count and table resulting from a query for Domains.

Distribution Lists

View the count and table resulting from a query for Distribution Lists.

Basic Attributes

Search for a user by first name, last name, display name, or account ID number. You can search for administrators or delegated administrators only.

Status

Search for an account by status: Active, Closed, Locked, Logout, Pending, or Maintenance.

Last Login Time

Search for accounts by the last login time. You can specify a date range to search.

External Email Address

Search for an account with an external email address.

COS

Search for objects by COS or for objects that are not assigned a COS.

Server

Search for accounts on selected servers.

Domains

Search for accounts on selected domains.

Saved Searches

By default, this section includes predefined common search queries. You can also create and save your queries. After you enter the query syntax, click Save Search and provide a name for the search. The search is then added to this Saved Searches section.

  1. At the Search field, use search options from the drop-down selector to define the type of search, as either accounts, distribution lists, aliases, resources, domains, class of service, or all objects.

    For accounts, you can search by display name, first/last name, the first part of an email address, alias, delivery address, or mailbox ID.

  2. Type the search string into the Search field.

    Partial entries are allowed as search criteria, but a search based on mailbox ID must include the complete ID string.

  3. Click Search.

    The Search page appears, containing results of the search based on your criteria.

  4. View the total number of results at the Navigation pane, in Search> All Results.

Help Center UI

The Help Center is a reference of resources available from the online help and documentation, which you can access with the links provided in the Help Center screen. Use this page, also, to access community forums and to view expert responses to the top migration questions.

Help Center UI
<1> Go to Previous or Next page
<2> Search
<3> Screen Refresh
<4> Current User and Logout Option
<5> Help
<6> Status Pane
<7> Help Center Navigation Pane

Tools in Collaborator Tables

The selection of a category from the Navigation pane typically results in a tabular display of all managed objects for the selected category. All tables display labeled columns in which to view information such as email addresses, display names, status, last logins, and descriptions (if configured).

Each row in a table enables actions you can perform if you require additional information or access to the configuration for the selected table entry.

Action at Table Row Result

Hold cursor

Display ID details for the selection, similar to the example at right (invoked from an Accounts row).

Tools

Right-click

Access the popup menu for a selected table row. The popup menus from a typical table may differ from row to row, as demonstrated in the following examples.

Accounts and Aliases: Dist Lists and Resources:

Tools

Message of the Day

Global administrators can create the message- or messages-of-the-day (MOTD) that administrators view when logging into the Administration Console.

The MOTD displays during administrative login at the top-left of the Administration Console, similar to the example below.

Message of the Day

The message can be closed, replaced, or removed.

Closing a Message of the Day

To remove a message from view, click Close located alongside the message content.

Creating Message(s) of the Day

Use the zimbraAdminConsoleLoginMessage attribute, with guidelines in this section, to create a single message of the day, or to create multiple messages to be displayed.

When creating a message with your command entry, always place double-quote marks at the beginning and end of the message to be displayed.

Creating a global message or domain-specific message.

zmprov md <domain> zimbraAdminConsoleLoginMessage "message to display"

Creating a multiple-message display:

zmprov md <domain> +zimbraAdminConsoleLoginMessage "second message to display"

Removing Message(s) of the Day

Use the zimbraAdminConsoleLoginMessage attribute, with guidelines in this section, to delete a single message of the day, or to delete multiple messages.

When removing a message with your command entry, use the following guidelines for individual and multiple deletions:
  • Place a minus sign (-) before the attribute, and double quote marks at the beginning and end of an individual message-id for deletion.

  • Use single quote marks with the attribute to remove all messages.

Removing a specific message:

zmprov md <domain> -zimbraAdminConsoleLoginMessage "message to display"

Removing all messages:

zmprov md <domain> zimbraAdminConsoleLoginMessage ''

Functional Reference

This section provides birds-eye views of the functions you can use when navigating the Administration Console, in the following topics:

GUI Roadmap

The following illustration provides a high-level view of the Administration Console UI.

High-level View of Administration Console UI
High-level View of Administration Console UI

You can select options to perform on a selected entity from the navigation pane from the Gear icon or a topical popup menu.

Using the Gear icon

The Gear icon is always located at the upper-right edge of the page view if pertinent to selectable items in the displayed page.

The Gear Icon

To view the available options, highlight a topic at the navigation pane or in the page view: In the popup, the options that do not apply to your selection are disabled — the remaining enabled options are valid with your selection. The following example demonstrates Gear options based on the selection of a navigation bar topic, versus a table row entry from within the same page view.

The Gear Icon

The following table provides a high-level view of the operations derived from the Gear icon, which varies for particular functions.

Table 20. Gear Icon Operations
Navigation Pane Topic Selections Options Gear Icon

Home Monitor

Server Statistics

View

Mail Queues

Flush

Manage

Accounts

New, New Administrator, Edit, Delete, Change Password, Invalidate Sessions, View Mail, Move Mailbox, View Rights, Configure Grants

Aliases

New, New Administrator, Edit, Delete, Move Alias, Invalidate Sessions, View Mail, Move Mailbox, View Rights, Configure Grants

Distribution Lists

New, New Administrator, Edit, Delete, View Mail, View Rights, Configure Grants

Resources

New, New Administrator, Edit, Delete, View Mail, View Rights, Configure Rights

Configure

Class of Service

New, Delete, Edit, Duplicate

Domains

New, Delete, Edit, Configure GAL, Configure Authentication, View Accounts, Add a Domain Alias, Configure Grants

Servers

Edit, Flush Cache, Enable Proxy, Disable Proxy

Global Settings

Save, Download, Update License, Activate License, Manually Activate License

Zimlets

Deploy, Undeploy, Toggle Status

Admin Extensions

Deploy, Undeploy

Certificates

Install Certificate, View Certificate

Voice/Chat Service

New, Delete, Edit, Generate Session ID

Rights

View

Global ACL

Add, Delete, Edit

Tools and Migration

Account Migration

Delete Task, Refresh, Migration Wizard

Software Updates

Save, Check Now

Backups

View, Backup, Restore, Configure, Refresh

Search

All Result

Delete, Edit, Change Password, View Mail, Move Alias, Invalidate Sessions, Move Mailbox, Download

Accounts

Aliases

Domains

Distribution Lists

Using the Topical Popup Menus

You can elect to access options to perform on a selection by using popup menus:

There are no popup menus in the Navigation Pane.

The following example demonstrates the popup options provided by a specific selection in the page view.

Example 5. Popup Options
Popup Options

Containers

The Administration Console logically groups a wide range of Configuration options into containers. Applicable configuration options inside these containers are listed in the High-level View of Administration Console UI

By default, all containers on a page are opened (expanded). You can opt to close (collapse) containers - which can free up additional space in a page view - by clicking on collapse/expand located at the upper-left edge of the container.

Containers

Managing Configuration

The Zimbra components are configured during the initial installation of the software. After the installation, you can manage the following components from either the Administration Console or using the CLI utility.

Help is available from the Administration Console about how to perform tasks from the Administration Console. If the task is only available from the CLI, see Zimbra CLI Commands for a description of how to use the CLI utility.

Global Configuration

Global Settings apply to all accounts in the Zimbra servers. They are initially set during installation. You can modify the settings from the Administration Console.

Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the server, the server settings override the global settings.

Admin Console:

To configure global settings, navigate to:
Home → Configure → Global Settings

Configured global settings are:

  • Default domain

  • Maximum number of results returned for GAL searches. Default = 100.

  • User views of email attachments and attachment types not permitted.

  • Configuration for authentication process, Relay MTA for external delivery, DNS lookup, and protocol checks.

  • Spam check controls and anti-virus options to check messages received.

  • Free/busy scheduling across a mix of Zimbra Collaboration servers and third party email servers.

  • Customization of themes: modify colors and add your logo.

  • Configuration of company name display for external guest log on, when viewing a shared Briefcase folder.

  • Backup default directory and backup notification information.

  • Global HSM schedule that defines when messages should be moved to a secondary storage space.

  • View of current Zimbra license information, license updating, and view the number of accounts created.

General Information Configuration

Admin Console:

Home → Configure → Global Settings

Use the General Information screen to view and set global parameters for servers that have been installed and enabled.

Settings defined at the server(s) override those configured in the General Information screen.

General Information

  1. Modify parameters, as appropriate for your requirements.

  2. From the Gear icon, select Save to use your settings.

Table 21. General Information Parameters
Option Description

Most results returned by GAL search

The maximum number of GAL results returned from a user search. This value can be set by domain: the domain setting overrides the global setting.
Default = 100.

Default domain

Domain that users' logins are authenticated against.

Number of scheduled tasks that can run simultaneously

Number of threads used to fetch content from remote data sources. * If set too low, users do not get their mail from external sources pulled down often enough. * If set too high, the server may be consumed with downloading this mail and not servicing "main" user requests.
Default = 20

Sleep time between subsequent mailbox purges

The duration of time that the server should "rest" between purging mailboxes. If the message purge schedule is set to 0, messages are not purged, even if the mail, trash and spam message life time is set.
Default = message purge is scheduled to run every 1 minute.

Maximum size of an uploaded file for Briefcase files (KB)

The maximum size of a file that can be uploaded into Briefcase.

The maximum message size for an email message and attachments that can be sent is configured in the Home → Configure → Global Settings → MTA page, Messages section.

Admin Help URL
Delegated Admin Help URL

To use the Zimbra Collaboration Help, you can designate the URL that is linked from the Administration Console Help

Attachments Configuration

Setting Up Email Attachment Rules

Global email attachment settings allow you to specify global rules for handling attachments to an email message. You can also set rules by COS and for individual accounts. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.

Admin Console:

Home → Configure → Global Settings → Attachments

Attachment Rules
See Blocking Email Attachments by File type for information about this section of the screen.

Table 22. Global Settings Advanced
Option Description

Attachments cannot be viewed regardless of COS

Users cannot view any attachments. This global setting can be set to prevent a virus outbreak from attachments, as no mail attachments can be opened.

Attachments are viewed in HTML regardless of COS

Email attachments can only be viewed in HTML. The COS may have another setting but this global setting overrides the COS setting.

Attachments are viewed according to COS

This global setting states the COS sets the rules for how email attachments are viewed

Send blocked extension notification to recipient

Blocking Email Attachments by File Type

You can also reject messages with certain types of files attached. You select which file types are unauthorized from the Common extensions list. You can also add other extension types to the list. Messages with those type of files attached are rejected. By default the recipient and the sender are notified that the message was blocked.

If you do not want to send a notification to the recipient when messages are blocked, you can disable this option.

Admin Console:

Home → Configure → Global Settings → Attachments

MTA Configuration

Use options from the MTA page to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks.

Admin Console:

Home → Configure → Global Settings → MTA

MTA Configuration

Table 23. MTA Page Options
Option Description

Authentication

  • Authentication should be enabled, to support mobile SMTP authentication users so that their email client can talk to the Zimbra MTA.

  • TLS authentication only forces all SMTP auth to use Transaction Level Security to avoid passing passwords in the clear.

Network

  • Web mail MTA Host name and Web mail MTA Port. The MTA that the web server connects to for sending mail. The default port number is 25.

  • The Relay MTA for external delivery is the relay host name. This is the Zimbra MTA to which Postfix relays non- local email.

  • If your MX records point to a spam-relay or any other external non-Zimbra server, enter the name of that server in the Inbound SMTP host name field. This check compares the domain MX setting against the zimbraInboundSmtpHostname setting, if set. If this attribute is not set, the domain MX setting is checked against zimbraSmtpHostname.

  • MTA Trusted Networks. Configure trusted networks that are allowed to relay mail. Specify a list of network addresses, separated by commas and/or a space.

  • If Enable DNS lookups is checked, the Zimbra MTA makes an explicit DNS query for the MX record of the recipient domain. If this option is disabled, set a relay host in the Relay MTA for external delivery.

  • If Allow domain administrators to check MX records from Administration Console is checked, domain administrators can check the MX records for their domain.

Milter Server

  • If Enable Milter Server is checked, the milter enforces the rules that are set up for who can send email to a distribution list.

Archiving

  • If you installed the Archiving feature, you can configure it here.

Messages

  • Set the Maximum messages size for a message and its attachments that can be sent.

    To set the maximum size of an uploaded file to Briefcase, go to the General Information page.
  • You can enable the X-Originating-IP header to messages checkbox. The X-Originating-IP header information specifies the original sending IP of the email message the server is forwarding.

Policy Service

  • Customize zimbraMtaRestriction (restrictions to reject Checks some suspect SMTP clients).

Protocol checks

  • To reject unsolicited commercial email (UCE), for spam control.

DNS checks

  • To reject mail if the client’s IP address is unknown, the hostname in the greeting is unknown, or if the sender’s domain is unknown.

  • Add other email recipient restrictions to the List of RBLs field.

RBL (Real time black-hole lists) can be turned on or off from the Zimbra CLI.

Global IMAP and POP Configuration

Use the IMAP and POP pages to enable global access.

Admin Console:

Home → Configure → Global Settings → IMAP
Home → Configure → Global Settings → POP

When you make changes to the IMAP or POP settings, you must restart Zimbra Collaboration before the changes take effect.

IMAP and POP3 polling intervals can be set from the Administration Console COS Advanced page.
Default = No polling interval.

If IMAP/POP proxy is set up, ensure that the port numbers are configured correctly.

With POP3, users can retrieve their mail stored on the Zimbra server and download new mail to their computer. The user’s POP configuration in their Preference → Mail page determines how their messages are downloaded and saved.

Working With Domains

One domain is identified during the installation process. You can add domains after installation. From the Administration Console you can manage the following domain features.

  • Global Address List

  • Authentication

  • Virtual hosts for the domain to establish a default domain for a user login

  • Public service host name that is used for REST URLs, commonly used in sharing.

  • Maximum number of accounts that can be created on the domain

  • Free/Busy Interop settings for use with Microsoft Exchange.

  • Domain SSL certificates

A domain can be renamed and all account, distribution list, alias and resource addresses are changed to the new domain name. The CLI utility is used to changing the domain name. See Renaming a Domain.

Domain settings override global settings.

Domain General Information Configuration

Use the New Domain Wizard to set options described in this section.

Admin Console:

Home → 2 Set up Domain → 1. Create Domain…​

Create Domain

Table 24. New Domain — General Information
Option Description

Domain name *
Public service host name

Enter the host name of the REST URL. This is commonly used for sharing. See Setting up a Public Service Host

Public service protocol

Select HTTP or HTTPS from the drop-down field.

Public service port

Inbound SMTP host name

If your MX records point to a spam-relay or any other external non-Zimbra server, enter the name of the server here.

Description

Default Class of Service

This COS (for the domain) is automatically assigned to accounts created on the domain if another COS is not set.

Status

The domain status is active in the normal state. Users can log in and mail is delivered. Changing the status can affect the status for accounts on the domain also. The domain status is displayed on the Domain → General page. Domain status can be set as follows:

Active

Active is the normal status for domains. Accounts can be created and mail can be delivered.

If an account has a different status setting than the domain setting, the account status overrides the domain status.
Closed

When a domain status is marked as Closed, login for accounts on the domain is disabled and messages are bounced. The closed status overrides an individual account’s status setting.

Locked

When a domain status is marked as Locked, users cannot log in to check their email, but email is still delivered to the accounts. If an account’s status setting is marked as maintenance or closed, the account’s status overrides the domain status setting.

Maintenance

When the domain status is marked for maintenance, users cannot log in and their email is queued at the MTA. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.

Suspended

When the domain status is marked as Suspended, users cannot log in, their email is queued at the MTA, and accounts and distribution lists cannot be created, deleted, or modified. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.

Setting up a Public Service Host Name

You can configure each domain with the public service host name to be used for REST URLs. This is the URL that is used when sharing email folders and Briefcase folders, as well as sharing task lists, address books, and calendars.

When users share a Zimbra Collaboration folder, the default is to create the URL with the Zimbra server hostname and the Zimbra service host name. This is displayed as https://server.domain.com/service/home/username/sharedfolder. The attributes are generated as follows:

  • Hostname is server.zimbraServiceHostname

  • Protocol is determined from server.zimbraMailMode

  • Port is computed from the protocol

When you configure a public service host name, this name is used instead of the server/service name, as https://publicservicename.domain.com/home/username/sharedfolder. The attributes to be used are:

  • zimbraPublicServiceHostname

  • zimbraPublicServiceProtocol

  • zimbraPublicServicePort

You can use another FQDN as long as the name has a proper DNS entry to point at 'server' both internally and externally.

Global Address List (GAL) Mode Configuration

The Global Address List (GAL) is your company-wide listing of users that is available to all users of the email system. GAL is a commonly used feature in mail systems that enables users to look up another user’s information by first or last name, without having to know the complete email address.

GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed.

Use the GAL Mode Settings tool with your domain configuration to define the Global Address List.

Admin Console:

Home → 2 Set up Domain → 1 Create Domain…​ → GAL Mode Settings

GAL Mode Settings

Table 25. New Domain — GAL Mode Settings
Option Description

GAL Mode

  • Internal. The Zimbra LDAP server is used for directory lookups.

  • External. External directory servers are used for GAL lookups. You can configure multiple external LDAP hosts for GAL. All other directory services use the Zimbra LDAP service (configuration, mail routing, etc.). When you configure an external GAL, you can configure different search settings and sync settings. You might want to configure different search settings if your LDAP environment is set up to optimize LDAP searching by setting up an LDAP cache server, but users also will need to be able to sync to the GAL.

  • Both. Internal and external directory servers are used for GAL lookups.

Most results returned by GAL search

Maximum number of search results that can be returned in one GAL search. If this value is undefined here, the system will use the value defined in Global Settings.
Default = 100 results.

GAL sync account name*

Read-only field that displays the galsync name and associated domain.

Datasource name for internal GAL

Read-only field that displays the name of the internal GAL.

Internal GAL polling interval

Define how often — as days, hours, minutes, or seconds — the GAL sync account is to sync with the LDAP server. With the first sync to the LDAP server, all GAL contacts from the LDAP are added to the galsync account’s address book. On subsequent syncs, the account is updated with information about new contacts, modified contacts, and deleted contacts.

Using GAL sync accounts for faster access to GAL

A GAL sync account is created for the domain when an internal or external GAL is created, and if you have more than one mailbox server, you can create a GAL sync account for each mailbox server in the domain. Using the GAL sync account gives users faster access to auto complete names from the GAL.

When a GAL sync account is created on a server, GAL requests are directed to the server’s GAL sync account instead of the domain’s GAL sync account. The GalSyncResponse includes a token which encodes the GAL sync account ID and current change number. The client stores this and then uses it in the next GalSyncRequest. Users perform GAL sync with the GAL sync account they initially sync with. If a GALsync account is not available for some reason, the traditional LDAP-based search is run.

The GAL sync accounts are system accounts and do not use a Zimbra license.

When you configure the GAL sync account, you define the GAL datasource and the contact data is synced from the datasource to the GAL sync accounts' address books. If the mode Both is selected, an address book is created in the account for each LDAP data source.

The GAL polling interval for the GAL sync determines how often the GALsync account syncs with the LDAP server. The sync intervals can be in x days, hours, minutes, or seconds. The polling interval is set for each data source.

When the GAL sync account syncs to the LDAP directory, all GAL contacts from the LDAP are added to the address book for that GAL. During the sync, the address book is updated with new contact, modified contact and deleted contact information. You should not modify the address book directly. When the LDAP syncs the GAL to the address book, changes you made directly to the address book are deleted.

You create GALsync accounts from the Administration Console. The CLI associated with this feature is zmgsautil.

Creating Additional GALsync Accounts

When Zimbra is configured with more than one server, you can add an additional GAL sync account for each server.

Admin Console:

Home → Configure → Domains

  1. Select the domain to add another GAL sync account.

  2. In the Gear icon, select Configure GAL.

  3. Click Add a GAL account.

  4. In the GAL sync account name field, enter the name for this account. Do not use the default name.

  5. Select the mailbox server that this account will apply to.

  6. Enter the GAL datasource name. If the GAL mode is BOTH, enter the data source name for both the internal GAL and the external GAL.

  7. Set the GAL polling interval to how often the GAL sync account should sync with the LDAP server to update.

  8. Click Finish.

Changing GAL sync account name

The default name for the GAL sync account is galsync. When you configure the GAL mode, you can specify another name. After the GAL sync account is created, you cannot rename the account because syncing the data fails.

To change the account name, delete the existing GAL sync account and configure a new GAL for the domain.

Admin Console:

Home → Configure → Domains

  1. Select the domain where you want to change the GAL sync account name.

  2. In the Gear icon, select Configure GAL to open the configuration wizard and change the GAL mode to internal. Do not configure any other fields. Click Finish.

  3. In the domain’s account Content pane, delete the domain’s galsync account.

  4. Select the domain again and select Configure GAL to reconfigure the GAL. In the GAL sync account name field, enter the name for the account. Complete the GAL configuration and click Finish. The new account is displayed in the Accounts Content pane.

Authentication Modes

Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in.

Set the authentication method on a per-domain basis.

Admin Console:

Home → 2 Set up Domain → 1 Create Domain…​ → Authentication Mode

Table 26. New Domain — Authentication Mode
Option Description

Authentication mechanism

  • Internal. The Internal authentication uses the Zimbra directory server for authentication on the domain. When you select Internal, no other configuration is required.

  • External LDAP. The user name and password is the authentication information supplied in the bind operation to the directory server. You must configure the LDAP URL, LDAP filter, and to use DN password to bind to the external server.

  • External Active Directory. The user name and password is the authentication information supplied to the Active Directory server. You identify the Active Directory domain name and URL.

Virtual Hosts

Virtual hosting allows you to host more than one domain name on a server. The general domain configuration does not change.

When you create a virtual host, this becomes the default domain for user login; users can log in without having to specify the domain name as part of their user name.

Admin Console:

Home → 2 Set up Domain → 1 Create Domain…​ → Virtual Hosts

Table 27. New Domain — Virtual Hosts
Option Description

Add virtual host

Alphanumeric string to identify the virtual host(s) for this domain. The virtual host requires a valid DNS configuration with an A record. To delete a virtual host from the domain, click Remove alongside the host name displayed in this wizard screen.

To open the Zimbra Classic Web App log in page, users enter the virtual host name as the URL address. For example, https://mail.company.com.

When the Zimbra login screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.

Setting Account Limits

You can limit the number of accounts that can be provisioned on a domain. The maximum number of accounts that can be provisioned for the domain can be set when the domain is created. You can also edit the domain configuration to add or change the number.

In the Administration Console this is set for a domain in the Account Limits page. If this page is not configured, no limits on the domain are set.

Resources, spam, and ham accounts are not counted against this limit.

You cannot exceed the account limit set by the Zimbra Collaboration license.

When multiple Classes of Service (COS) are available, you can select which classes of service can be configured and how many accounts on the domain can be assigned to the COS. This is configured in the domain’s Account Limits page. The number of COS account types used is tracked. The limits for all COSs cannot exceed the number set for the maximum accounts for the domain.

The number of COS assigned to accounts is tracked. You can see the number assigned/number remaining from any account’s General Information page.

Renaming a Domain

When you rename a domain you are actually creating a new domain, moving all accounts to the new domain and deleting the old domain. All account, alias, distribution list, and resource addresses are changed to the new domain name. The LDAP is updated to reflect the changes.

Before you rename a domain

  • Make sure MX records in DNS are created for the new domain name

  • Make sure you have a functioning and current full backup of the domain

After the domain has been renamed

  • Update external references that you have set up for the old domain name to the new domain name. This may include automatically generated emails that were sent to the administrator’s mailbox such as backup session notifications. Immediately run a full backup of the new domain:

zmprov -l rd [olddomain.com] [newdomain.com]
Domain Rename Process

When you run this zmprov command, the domain renaming process goes through the following steps:

  1. The status of the old domain is changed to an internal status of shutdown, and mail status of the domain is changed to suspended. Users cannot login, their email is bounced by the MTA, and accounts, calendar resources and distribution lists cannot be created, deleted or modified.

  2. The new domain is created with the status of shutdown and the mail status suspended.

  3. Accounts, calendar resources, distribution lists, aliases, and resources are all copied to the new domain.

  4. The LDAP is updated to reflect the new domain address.

  5. The old domain is deleted.

  6. The status for the new domain is changed to active. The new domain can start accepting email messages.

Adding a Domain Alias

A domain alias allows different domain names to direct to a single domain address. For example, your domain is domain.com, but you want users to have an address of example.com, you can create example.com as the alias for the domain.com address. Sending mail to user@example.com is the same as sending mail to user@domain.com.

A domain alias is a domain name just like your primary domain name. You must own the domain name and verify your ownership before you can add it as an alias.
Admin Console:

Home → Configure → Domains, from the Gear icon select, Add a Domain Alias.

Enabling Support for Domain Disclaimers

Disclaimers are set per-domain. When upgrading, an existing global disclaimer is converted to domain specific disclaimers on every domain to preserve behavior with previous releases.

Per domain disclaimer support can be enabled using the following steps:

  1. Create a new domain (e.g. example.com) and account (e.g. user2@example.com).

    $ zmprov cd example.com cb9a4846-6df1-4c18-8044-4c1d4c21ccc5
    $ zmprov ca user2@example.com test123 95d4caf4-c474-4397-83da-aa21de792b6a
    $ zmprov -l gaa user1@example.com user2@example.com
  2. Enable the use of disclaimers

    $ zmprov mcf zimbraDomainMandatoryMailSignatureEnabled TRUE
    $ zmprov gcf zimbraDomainMandatoryMailSignatureEnabled
    zimbraDomainMandatoryMailSignatureEnabled: TRUE
  3. Add disclaimers to the new domain

    $ zmprov md example.com
    zimbraAmavisDomainDisclaimerText "text disclamer"
    zimbraAmavisDomainDisclaimerHTML "HTML disclaimer"
    
    $ zmprov gd example.com zimbraAmavisDomainDisclaimerText zimbraAmavisDomainDisclaimerHTML
    # name example.com
    zimbraAmavisDomainDisclaimerHTML: HTML disclaimer
    zimbraAmavisDomainDisclaimerText: text disclamer
    
    $ zmprov gd eng.example.com
    # name eng.example.com
    zimbraAmavisDomainDisclaimerText
    zimbraAmavisDomainDisclaimerHTML
    1. On the first MTA:

      /opt/zimbra/libexec/zmaltermimeconfig -e example.com
      
      Enabled disclaimers for domain: example.comm
      Generating disclaimers for domain example.com.
    2. On all additional MTAs:

      /opt/zimbra/libexec/zmaltermimeconfig
      • To test, send an email from the account (e.g. user2@example.com) in html and plain text format

      • To verify, check emails received with correct HTML disclaimer and plain text disclaimer.

      • To disable for the domain example.com

        1. On the first MTA, as the Zimbra user:

          /opt/zimbra/libexec/zmaltermimeconfig -d example.com
        2. On all additional MTAs:

          /opt/zimbra/libexec/zmaltermimeconfig

Disabling Disclaimers for Intra-domain Emails

You can enable the option for emails between individuals in the same domain to not have a disclaimer attached.

Set the attribute attachedzimbraAmavisOutboundDisclaimersOnly to TRUE.

To preserve backward-compatibility, this attribute defaults to FALSE.

Disabling the Disclaimer Feature

It is possible to completely remove support for disclaimers by setting the related attribute to FALSE.

zmprov mcf zimbraDomainMandatoryMailSignatureEnabled FALSE

Zimlets on the Domain

All Zimlets that are deployed are displayed in the domain’s Zimlets page. If you do not want all the deployed Zimlets made available for users on the domain, select from the list the Zimlets that are available for the domain. This overrides the Zimlet settings in the COS or for an account.

Managing Server Settings

A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.

In the Administration Console, you can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The Zimbra Collaboration installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.

The server settings that can be viewed from the Administration Console, Configure Servers link for a specific server include:

  • General information about the service host name, and LMTP advertised name and bind address, and the number of threads that can simultaneously process data source imports.

  • A list of enabled services. You can disable and enable the services.

  • Authentication types enabled for the server, setting a Web mail MTA host-name different from global. Setting relay MTA for external delivery, and enabling DNS lookup if required. Enable the Milter Server and set the bind address.

  • Enabling POP and IMAP and setting the port numbers for a server. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.

  • Index and message volumes configuration. Setting HSM policies.

  • IP Address Bindings. If the server has multiple IP addresses, IP Address binding allows you to specify which interface to bind to.

  • Proxy settings if proxy is configured.

  • Backup and Restore configuration for the server. When backup and restore is configured for the server, this overrides the global backup and restore setting.

Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.

General Server Settings

The General Information page includes the following configuration information:

  • Server display name and a description field

  • Server hostname

  • LMTP information including advertised name, bind address, and number of threads that can simultaneously process data source imports.
    Default = 20 threads.

  • Purge setting: The server manages the message purge schedule. You configure the duration of time that the server should "rest" between purg-ing mailboxes from the Administration Console, Global settings or Server settings, or General Information page.
    Default = message purge is scheduled to run each minute.

When installing a reverse proxy the communication between the proxy server and the backend mailbox server must be in plain text. Checking This server is a reverse proxy lookup target automatically sets the following parameters:

zimbraImapCleartextLoginEnabled TRUE
zimbraReverseProxyLookupTarget TRUE
zimbraPop3CleartextLoginEnabled TRUE

The Notes text box can be used to record details you want to save.

Change MTA Server Settings

Admin Console:

Home → Configure → Servers → server → MTA

The MTA page show the following settings:

  • Authentication enabled.

    Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail. TLS authentication when enabled, forces all SMTP auth to use Transport Layer Security (successor to SSL) to avoid passing passwords in the clear.

  • Network settings, including Web mail MTA hostname, Web mail MTA time-out, the relay MTA for external delivery, MTA trusted networks ID, and the ability to enable DNS lookup for the server.

  • Milter Server.

    If Enable Milter Server is checked, the milter enforces the rules that are set up for who can send email to a distribution list on the server.

Setting Up IP Address Binding

If the server has multiple IP addresses, you can use IP address binding to specify which specific IP addresses you want a particular server to bind to.

Admin Console:

Home → Configure → Servers → server → IP Address Bindings

Table 28. IP Address Bindings
Option Description

Web Client Server IP Address

Interface address on which the HTTP server listens

Web Client Server SSL IP Address

Interface address on which the HTTPS server listens

Web Client Server SSL Client Cert IP Address

Interface address on which HTTPS server accepting the client certificates listen

Administration Console Server IP Address

Administrator console Interface address on which HTTPS server listens

Managing SSL Certificates for Zimbra

A certificate is the digital identity used for secure communication between different hosts or clients and servers. Certificates are used to certify that a site is owned by you.

Two types of certificates can be used - self-signed and commercial certificates.

  • A self-signed certificate is an identity certificate that is signed by its own creator.

    You can use the Certificate Installation Wizard to generate a new self-signed certificate. This is useful when you use a self-signed certificate and want to change the expiration date. Self-signed certificates are normally used for testing.
    Default = 1825 days (5 years)

  • A commercial certificate is issued by a certificate authority (CA) that attests that the public key contained in the certificate belongs to the organization (servers) noted in the certificate.

When Zimbra Collaboration is installed, the self-signed certificate is automatically installed and can be used for testing Zimbra Collaboration. You should install the commercial certificate when Zimbra Collaboration is used in your production environment.

ZCO users in a self-signed environment will encounter warnings about connection security unless the root CA certificate is added to the client’s Window Certificate Store. See the Zimbra Wiki article ZCO Connection Security for more information.

Installing Certificates

To generate the Certificate Signing Request (CSR) you complete a form with details about the domain, company, and country, and then generate a CSR with the RSA private key. You save this file to your computer and submit it to your commercial certificate authorizer.

To obtain a commercially signed certificate, use the Zimbra Certificates Wizard in the Administration Console to generate the RSA Private Key and CSR.

Admin Console:

Home → 1 Get Started → 2. Install Certificates

Use guidelines from the Install Certificates table to set parameters for your certificates.

Table 29. Install Certificates
Option Description

Common Name (CN)

Exact domain name that should be used to access your Web site securely. Are you going to use a wildcard common name? If you want to manage multiple sub domains on a single domain on the server with a single certificate, check this box. An asterisk (*) is added to the Common Name field.

Country Name (C)

Country name you want the certificate to display as our company location

State/Province (ST)

State/province you want the certificate to display as your company location.

City (L)

City you want the certificate to display as your company location.

Organization Name (O)

Your company name

Organization Unit (OU)

Unit name (if applicable)

Subject Alternative Name (SAN)

If you are going to use a SAN, the input must be a valid domain name. When SAN is used, the domain name is compared with the common name and then to the SAN to find a match. You can create multiple SANs. When the alternate name is entered here, the client ignores the common name and tries to match the server name to one of the SAN names.

Download the CSR from the Zimbra server and submit it to a Certificate Authority, such as VeriSign or GoDaddy. They issue a digitally signed certificate.

When you receive the certificate, use the Certificates Wizard a second time to install the certificate on Zimbra Collaboration. When the certificate is installed, you must restart the server to apply the certificate.

Viewing Installed Certificates

You can view the details of certificates currently deployed. Details include the certificate subject, issuer, validation days and subject alternative name.

Admin Console:

Home → Configure → Certificates → zmhostname

Certificates display for different Zimbra services such as LDAP, mailboxd, MTA and proxy.

Maintaining Valid Certificates

It is important to keep your SSL certificates valid to ensure clients and environments work properly, as the Zimbra system can become non-functional if certificates are allowed to expire. You can view deployed SSL certificates from the Zimbra administrator console, including their validation days. It is suggested that certificates are checked periodically, so you know when they expire and to maintain their validity.

Install a SSL Certificate for a Domain

You can install an SSL certificate for each domain on a Zimbra Collaboration server. Zimbra Proxy must be installed on Zimbra Collaboration and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.

Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.

Configure the Zimbra Proxy Virtual Host Name and IP Address.

zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}
The virtual domain name requires a valid DNS configuration with an A record.

Edit the certificate for the domain:

Admin Console:

Home → 1 Get Started → 2. Install Certificates

Copy the domain’s issued signed commercial certificates and private key files to the Domain Certificate section for the selected domain.

Certificate Domain Load

  1. Copy the root certificate and the intermediate certificates in descending order, starting with your domain certificate. This allows the full certificate chain to be validated.

  2. Remove any password (passphrase) from the private key before the certificate is saved.

    See your commercial certificate provider for details about how to remove the password.

  3. Click Upload.

    The domain certificate is deployed to /opt/zimbra/conf/domaincerts

Using DKIM to Authenticate Email Message

Domain Keys Identified Mail (DKIM) defines a domain-level authentication mechanism that lets your organization take responsibility for transmitting an email message in a way that can be verified by a recipient. Your organization can be the originating sending site or an intermediary. Your organization’s reputation is the basis for evaluating whether to trust the message delivery.

You can add a DKIM digital signature to outgoing email messages, associating the message with a domain name of your organization. You can enable DKIM signing for any number of domains that are being hosted by Zimbra. It is not required for all domains to have DKIM signing enabled for the feature to work.

DKIM defines an authentication mechanism for email using

  • A domain name identifier

  • Public-key cryptography

  • DNS-based public key publishing service.

The DKIM signature is added to the email message header field. The header information is similar to the following example.

DKIM-Signature a=rsa-sha1; q=dns;
     d=example.com;
     i=user@eng.example.com;
     s=jun2021.eng; c=relaxed/simple;
     t=1117574938; x=1118006938;
     h=from:to:subject:date;
     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZVoG4ZHRNiYzR

Receivers who successfully validate a DKIM signature can use information about the signer as part of a program to limit spam, spoofing, phishing, or other undesirable behavior.

Configure Zimbra Collaboration for DKIM Signing

DKIM signing to outgoing mail is done at the domain level.

To set up DKIM you must run the CLI zmdkimkeyutil to generate the DKIM keys and selector. You then update the DNS server with the selector which is the public key.

  1. Log in to the Zimbra server and as zimbra:

    /opt/zimbra/libexec/zmdkimkeyutil -a -d <example.com>

    The public DNS record data that must be added for the domain to your DNS server is displayed. The public key DNS record appears as a DNS TXT-record that must be added for the domain to your DNS server.

    Optional. To specify the number of bits for the new key, include -b in the command line, -b <####>. If you do not add the -b, the default setting is 2048 bits.

    DKIM Data added to LDAP for domain example.com with selector B534F5FC-EAF5-11E1-A25D-54A9B1B23156
    
    Public signature to enter into DNS:
    B534F5FC-EAF5-11E1-A25D-54A9B1B23156._domainkey IN TXT
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+ycHjGL/mJXEVlRZnxZL/VqaN/Jk9VllvIOTkKgwLSFtVsKC69kVaUDDjb3zkpJ6qpswjjOCO+0eGJZFA4aB4BQjFBHbl97vgNnpJq1sV3QzRfHrN8X/gdhvfKSIwSDFFl3DHewKDWNcCzBkNf5wHt5ujeavz2XogL8HfeL0bTwIDAQA B" ; ----- DKIM B534F5FC-EAF5-11E1-A25D-54A9B1B23156 for example.com

    The generated DKIM data is stored in the LDAP server as part of the domain LDAP entry.

  2. Work with your service provider to update your DNS for the domain with the DKIM DNS text record.

  3. Reload the DNS and verify that the DNS server is returning the DNS record.

  4. Verify that the public key matches the private key. See the Identifiers table for -d, -s, and -x descriptions.

    /opt/zimbra/common/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf
    Table 30. Identifiers
    Parameter Description

    -d

    Domain name

    -s

    Selector name

    -x

    Configuration file name.

Update DKIM Data for a Domain

When the DKIM keys are updated, the DNS server must be reloaded with the new TXT record.

Good practice is to leave the previous TXT record in DNS for a period of time so that email messages that were signed with the previous key can still be verified.

Log in to the Zimbra server and as zimbra:

/opt/zimbra/libexec/zmdkimkeyutil -u -d <example.com>

Optional. To specify the number of bits for the new key, include -b in the command line, -b <####>. If you do not add the -b, the default setting is 2048 bits.

  1. Work with your service provider to update your DNS for the domain with the DKIM DNS text record.

  2. Reload the DNS and verify that the DNS server is returning the DNS record.

  3. Verify that the public key matches the private key: See the Identifiers table for -d, -s, and -x descriptions.

    /opt/zimbra/common/sbin/opendkim-testkey -d <example.com> -s <0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB> -x /opt/zimbra/conf/opendkim.conf

Remove DKIM Signing from Zimbra

Removing DKIM signing deletes the DKIM data from LDAP, and new email messages are no longer signed for the domain. When you remove DKIM from the domain, it is a good practice to leave the previous TXT record in DNS for some time so that email messages that were signed with the previous key can still be verified.

Use the following command syntax to remove the file:

/opt/zimbra/libexec/zmdkimkeyutil -r -d example.com

Retrieve DKIM Data for a Domain

Use the following command syntax to view the stored DKIM information for the domain, selector, private key, public signature and identity:

/opt/zimbra/libexec/zmdkimkeyutil -q -d example.com

Anti-spam Settings

Zimbra uses SpamAssassin to control spam. SpamAssassin uses predefined rules as well as a Bayes database to score messages. Zimbra evaluates spam as a percentage value. Messages tagged between 33%-75% spam are delivered to the user’s junk folder. Messages tagged above 75% are not sent to the user and are discarded.

You can change the anti-spam settings.

Admin Console

Home → Configure → Global Settings → AS/AV

Anti-Spam Settings

  1. At the Anti-Spam fields, enter parameters, as appropriate for your requirements.

  2. From the Gear icon, select Save to use your settings.

    Table 31. Anti-Spam
    Option Description

    Kill percent

    Percent that scored mail to be considered as spam, and therefore not to be delivered.
    Default = 75%

    Tag percent

    Percent that scores mail to be considered as spam, which should be delivered to the Junk folder.
    Default = 33%

    Subject prefix

    Text string to be added to the subject line for messages tagged as spam.

When a message is tagged as spam, the message is delivered to the recipient’s junk folder. Users can view the number of unread messages that are in their junk folder and can open the junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when users add or remove messages in the junk folder, their action helps train the spam filter.

RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI.

Anti-Spam Training Filters

The automated spam training filter is enabled by default and two feedback system mailboxes are created to receive mail notification.

  • Spam Training User for mail that was not marked as spam but should be.

  • Non-spam (referred to as ham) training user for mail that was marked as spam but should not have been.

The mailbox quota and attachment indexing is disabled for these training accounts. Disabling quotas prevents bouncing messages when the mailbox is full.

How well the anti-spam filter works depends on recognizing what is considered spam. The SpamAssassin filter learns from messages that users specifically mark as spam by sending them to their junk folder or not spam by removing them from their junk folder. A copy of these marked messages is sent to the appropriate spam training mailbox.

When Zimbra is installed, the spam/ham cleanup filter is configured on only the first MTA. The Zimbra spam training tool, zmtrainsa, is configured to automatically retrieve these messages and train the spam filter. The zmtrainsa script is enabled through a crontab job to feed mail to the SpamAssassin application, allowing SpamAssassin to 'learn' what signs are likely to mean spam or ham. The zmtrainsa script empties these mailboxes each day.

New installs of Zimbra limit spam/ham training to the first MTA installed. If you uninstall or move this MTA, you will need to enable spam/ham training on another MTA, as one host should have this enabled to run zmtrainsa --cleanup.

To set this on a new MTA server

zmlocalconfig -e zmtrainsa_cleanup_host=TRUE

Disabling the Spam Training Mailboxes

The Zimbra default is that all users can give feedback when they add or remove items from their junk folder.

If you do not want users to train the spam filter you can disable this function.

  1. Modify the global configuration attributes, ZimbraSpamIsSpamAccount and ZimbraSpamIsNotSpamAccount

  2. Remove the account addresses from the attributes.

    zmprov mcf ZimbraSpamIsSpamAccount ''
    zmprov mcf ZimbraSpamIsNotSpamAccount ''

When these attributes are modified, messages marked as spam or not spam are not copied to the spam training mailboxes.

Manually Training Spam Filters

Initially, you might want to train the spam filter manually to quickly build a database of spam and non-spam tokens, words, or short character sequences that are commonly found in spam or ham. To do this, you can manually forward messages as message/rfc822 attachments to the spam and non-spam mailboxes.

When zmtrainsa runs, these messages are used to teach the spam filter. Make sure you add a large enough sampling of messages to get accurate scores. To determine whether to mark messages as spam at least 200 known spams and 200 known hams must be identified.

Protect Alias Domains from Backscatter Spam

To reduce the risk of backscatter spam, you can run a service that runs a Zimbra Access Policy Daemon that validates RCPT To: content specifically for alias domains.

For information about creating domain aliases, see the Zimbra wiki article Managing Domains.
  1. Set the Postfix LC key.

    zmlocalconfig -e postfix_enable_smtpd_policyd=yes
  2. Define the MTA restriction.

    zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"

The postfix_policy_time_limit key is set because by default the Postfix spawn(8) daemon kills its child process after 1000 seconds. This is too short for a policy daemon that might run as long as an SMTP client is connected to an SMTP process.

Disabling Postfix Policy Daemon

Disable the SMTPD policy.

zmlocalconfig -e postfix_enable_smtpd_policyd=no
Admin Console:

Home → Configure → Global Settings → MTA

Define the policy restriction.Setting Email Recipient RestrictionsRealtimeBlackhole Lists and Realtime Right-Hand Side Blocking/Black Lists can be turned on or off in the MTA.

For protocol checks, the following three RBLs can be enabled:

  • tname

  • Client must greet with a fully qualified hostname - reject_non_fqdn_hostname

  • Sender address must be fully qualified - reject_non_fqdn_sender

Hostname in greeting violates RFC - reject_invalid_host

zmprov mcf -zimbraMtaRestriction "check_policy_service unix:private/policy"

The following RBLs can also be set.

  • reject_rbl_client cbl.abuseat.org

  • reject_rbl_client bl.spamcop.net

  • reject_rbl_client dnsbl.sorbs.net

  • reject_rbl_client sbl.spamhaus.org

As part of recipient restrictions, you can also use the reject_rbl_client <rbl hostname> option.

Admin Console:

Home → Configure → Global Settings → MTA → DNS Checks

Use the DNS tools in MTA configuration to define the restriction lists.

DNS Checks

For a list of current RBL’s, see the Comparison of DNS blacklists article.

Adding RBLs with the CLI

  1. View the current RBLs.

    zmprov gacf zimbraMtaRestriction
  2. Add new RBLs: list the existing RBLs and the new Add, in the same command entry. For 2-word RBL names, surround the name with quotes in your entry.

    zmprov mcf zimbraMtaRestriction [RBL type]
Example 6. adding all possible restrictions
zmprov mcf \
 zimbraMtaRestriction reject_invalid_hostname \
 zimbraMtaRestriction reject_non-fqdn_hostname \
 zimbraMtaRestriction reject_non_fqdn_sender \
 zimbraMtaRestriction "reject_rbl_client cbl.abuseat.org" \
 zimbraMtaRestriction "reject_rbl_client bl.spamcop.net" \
 zimbraMtaRestriction "reject_rbl_client dnsbl.sorbs.net" \
 zimbraMtaRestriction "reject_rbl_client sbl.spamhaus.org"

Setting Global Rule for Messages Marked as Both Spam and Whitelist

When you use a third-party application to filter messages for spam before messages are received by Zimbra, the Zimbra global rule is to send all messages that are marked by the third-party as spam to the junk folder. This includes messages that are identified as spam and also identified as whitelisted.

If you do not want messages that are identified as whitelisted to be sent to the junk folder, you can configure zimbraSpamWhitelistHeader and zimbraSpamWhitelistHeaderValue to pass these messages to the user’s mailbox. This global rule is not related to the Zimbra MTA spam filtering rules. Messages are still passed through a user’s filter rules.

To search the message for a whitelist header:

zmprov mcf zimbraSpamWhitelistHeader <X-Whitelist-Flag>

To set the value:

zmprov mcf zimbraSpamWhitelistHeaderValue <value_of_third-party_white-lists_messages>

Anti-virus Settings

Anti-virus protection is enabled for each server when the Zimbra software is installed. The anti-virus software is configured to send messages that have been identified as having a virus to the virus quarantine mailbox. An email notification is sent to recipients letting them know that a message has been quarantined. The quarantine mailbox message lifetime is set to 7 days.

From the Admin Console, you can specify ho aggressively spam is to be filtered in your Zimbra Collaboration.

Admin Console:

Home → Configure → Global Settings → AS/AV

AS/AV

  1. At the Anti-Virus fields, enter parameters, as appropriate for your requirements.

  2. From the Gear icon, select Save to use your settings.

Table 32. Anti Virus
Option Description

Definition update frequency

By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV. The frequency can be set between 1 and 24 hours.

Block encrypted archives

Restrict encrypted files, such as password protected zipped files.

Send notification to recipient

To alert that a mail message had a virus and was not delivered.

During Zimbra Collaboration installation, the administrator notification address for anti- virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.

Updates are obtained via HTTP from the ClamAV website.

Zimbra Free/Busy Calendar Scheduling

The Free/Busy feature allows users to view each other’s calendars for efficiently scheduling meetings. You can set up free/busy scheduling across Zimbra and Microsoft Exchange servers.

Zimbra can query the free/busy schedules of users on supported Microsoft Exchange servers and also can propagate the free/busy schedules of Zimbra users to the Exchange servers.

To set free/busy interoperability, the Exchange systems must be set up as described in the Exchange Setup Requirements section, and the Zimbra Collaboration Global Config, Domain, COS and Account settings must be configured. The easiest way to configure Zimbra Collaboration is from the Administration Console.

Exchange Setup Requirements

The following is required to set up the free/busy feature:

  • Either a single Active Directory (AD) must be in the system or the global catalog must be available.

  • The Zimbra Collaboration server must be able to access the HTTP(S) port of IIS on at least one of the Exchange servers.

  • Web interface to Exchange public folders needs to be available via IIS. (http://server/public/)

  • Zimbra Collaboration users must be provisioned as a contact on the AD using the same administrative group for each mail domain. This is required only for Zimbra to Exchange free/busy replication.

  • For Zimbra Collaboration to Exchange free/busy replication, the Exchange user email address must be provisioned in the account attribute zimbra-ForeignPrincipal for all Zimbra Collaboration users.

Configuring Free/Busy on Zimbra Collaboration

To set Free/Busy Interoperability up from the Administration Console, the global config, Domain, COS and Account settings must be configured as described here.

  • Configure the Exchange server settings, either globally or per-domain.

    • Microsoft Exchange Server URL. This is the Web interface to the Exchange.

    • Microsoft Exchange Authentication Scheme, either Basic or Form.

      • Basic is authentication to Exchange via HTTP basic authentication.

      • Form is authentication to Exchange as HTML form based authentication.

    • Microsoft Exchange Server Type, either WebDav or ews

      • Select WebDAV to support free/busy with Exchange 2003 or Exchange 2007.

        This is for information only, as these versions of Exchange are no longer supported.
      • Select ews (Exchange Web Service) to support free/busy with Exchange 2010 SP1 and newer.

  • Include the Microsoft Exchange user name and password. This is the name of the account in Active Directory and password that has access to the public folders. These are used to authenticate against the Exchange server on REST and WebDAV interfaces.

  • Add the o and ou values that are configured in the legacyExchangeDN attribute for Exchange on the Global Config Free/Busy Interop page, the Domain Free/Busy Interop page or on the Class of Service (COS) Advanced page. Set at the global level this applies to all accounts talking to Exchange.

  • In the Account’s Free/Busy Interop page, configure the foreign principal email address for the account. This sets up a mapping from the Zimbra Collaboration account to the corresponding object in the AD.

To find these settings on the Exchange server, you can run the Exchange ADSI Edit tool and search the legacyExchangeDN attribute for the o= , ou= , and cn= settings.

Zimbra Collaboration to Zimbra Collaboration Free/Busy Interoperability

You can set up free/busy interoperability between Zimbra servers. Free/Busy interoperability is configured on each server.

Each server must be running Zimbra Collaboration 8.0.x or later.
  1. Enter the server host names and ports.

    zmprov mcf zimbraFreebusyExternalZimbraURL http[s]://[user:pass@]host:port

    If the user:pass is not included, the server runs an anonymous free/busy lookup.

  2. Restart the server.

    zmcontrol restart
  3. Repeat these steps at all other servers.

Setting Up S/MIME

S/MIME is a standard to send secure email messages. S/MIME messages use digital signature to authenticate and encrypt messages.

Currently, there are two different methods for providing the S/MIME feature

  1. The old client based solution which requires Java 1.6 SE deployed on the client machine

  2. The new server based solution which does not require Java on the client machine. The server performs all the cryptographic operations. (Recommended)

This feature is supported only in the Classic Web App.

Setting up for using the S/MIME feature using the client based solution

Prerequisites
  • To use S/MIME, users must have a PKI certificate and a private key. The private key must be installed in the user’s local certificate store on Windows and Apple Mac and in the browser certificate store if they use the Firefox browser. See the appropriate computer or browser documentation for how to install certificates.

  • Users can use any of the following browsers:

    • Mozilla Firefox 4 or later

    • Internet Explorer 8, 9

    • Chrome 12 or later

  • Users computers must have Java 1.6 SE deployed to use S/MIME. If they do not, they see an error asking them to install it.

S/MIME License

You must have a Zimbra license that is enabled for S/MIME.

Enable S/MIME Feature
Admin Console:

Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features

The S/MIME feature can be enabled from either the COS or Account FeaturesTab.

  1. Select the COS or account to edit.

  2. In the Features tab S/MIME features section, check Enable S/MIME.

  3. Click Save.

Importing S/MIME Certificates

Users can send encrypted messages to recipients if they have the recipients' public-key certificate stored in one of the following:

  • Recipient’s contact page in their Address Book.

  • Local OS or browser keystore.

  • External LDAP directory.

The certificates should be published into the LDAP directory so that they can be retrieved from the GAL. The format of the S/MIME certificates must be X.509 Base64 encoded DER.

Configure External LDAP Lookup for Certificates

If you use an external LDAP to store certificates, you can configure the Zimbra server to lookup and retrieve certificates from the external LDAP, on behalf of the client.

Admin Console:

Home → Configure → Global Settings → S/MIME
Home → Configure → Domains → domain → S/MIME

You can configure the external LDAP server settings from either the Global Settings → S/MIME tab or the Domains → S/MIME tab.

Global Settings override Domain settings
  1. Edit the global settings page or select a domain to edit. Open the S/MIME tab.

  2. In the Configuration Name field, enter a name to identify the external LDAP server. Example, companyLDAP_1

  3. In the LDAP URL field, enter the LDAP server’s URL. Example, ldap://host.domain:3268

  4. To use DN to bind to the external server, in the S/MIME LDAP Bind DN field, enter the bind DN. Example, administrator@domain

    If you want to use anonymous bind, leave the Bind ND and Bind password fields empty.

  5. In the S/MIME Ldap Search Base field, enter the specific branch of the LDAP server that should be searched to find the certificates.

    Example, ou=Common Users, DC=host, DC=domain

    Or, check Automatically discover search base to automatically discover the search base DNs. For this to work, the S/MIME Search Base field must be empty.

  6. In the S/MIME Ldap filter field, enter the filter template for the search. The filter template can contain the following conversion variables for expansion:

    • %n - search key with @ (or without, if no @ was specified)

    • %u - with @ removed (For example, mail=%n)

  7. In the S/MIME Ldap Attribute field, enter attributes in the external LDAP server that contain users' S/MIME certificates. Multiple attributes can be separated by a comma (,).

    Example, "userSMIMECertificate, UserCertificate"

  8. Click Save.

To set up another external LDAP server, click Add Configuration.

Setting up for using the S/MIME feature using the server based solution

Prerequisites

Same as for the client based S/MIME solution except that Java is not required on the client machine. The private key is also not required to be on the client machine’s local/browser certificate store.

S/MIME License

Same as for the client based S/MIME solution

Enable S/MIME Feature

Same as for the client based S/MIME solution

Importing S/MIME Certificates

Same as for the client based S/MIME solution except that the recipients' public-key certificate no longer needs to be stored in the Local OS or browser keystore. The certificate can be published to all other places mentioned in previous S/MIME version.

List of LDAP attributes introduced to support the server based S/MIME solution
  1. zimbraSmimeOCSPEnabled

    • Used by server at the time of validating the user as well as public certificates

    • If TRUE, the revocation check will be performed during certificate validation

    • If FALSE, the revocation check will not be performed during certificate validation

  2. zimbraSmimePublicCertificateExtensions

    • The supported public certificate file extensions separated by commas

    • Contains the list of supported formats for the userCertificate LDAP attribute

    • Default values: cer, crt, der, spc, p7b, p7r, sst, sto, pem

    • Zimbra Classic Web App retrieves the supported file formats or extensions for uploading public certificate from the server

  3. zimbraSmimeUserCertificateExtensions

    • The supported public certificate file extensions separated by commas

    • Contains the list of supported formats for the userSmimeCertificate LDAP attribute

    • Default values: p12, pfx

    • Zimbra Classic Web App retrieves the supported file formats or extensions for uploading public certificate from the server

Process for Adding the CA certificate to the mailbox truststore for S/MIME

S/MIME uses the mailbox trust store path and its password which are defined in localconfig.xml

The key names are:

  • mailboxd_truststore

  • mailboxd_truststore_password

If the mailboxd_truststore key is not defined in localconfig.xml, by default the value of mailboxd_truststore is:

  • <zimbra_java_home>/jre/lib/security/cacerts

A CA certificate can be imported to the mailbox trust store by executing the following command:

keytool -import -alias -keystore <mailboxd_truststore path> -trustcacerts -file <CA_Cert>

Storage Management

Managing Storage Volumes

In the Volume page you manage storage volumes on the Zimbra Mailbox server. When Zimbra Collaboration is installed, one index volume and one message volume are configured on each mailbox server. You can add new volumes, set the volume type, and set the compression threshold.

If Compress Blobs is enabled (YES), the disk space used is decreased, but memory requirements for the server increases.
Index Volumes

Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent directory on the current index volume. You cannot change the volume to which an account is assigned.

As volumes become full, you can create a new current index volume for new accounts. You can add new volumes, set the volume type, and set the compression threshold.

Index volumes not marked current are still actively in use for the accounts assigned to them. Any index volume that is referenced by a mailbox as its index volume cannot be deleted.

Message Volumes

When a new message is delivered or created, the message is saved in the current message volume. Message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.

A current volume cannot be deleted, and message volumes that have messages referencing the volume cannot be deleted.

Email Retention Management

You can configure retention policies for user account’s email, trash, and junk folders. The basic email retention policy is to set the email, trash and spam message lifetime in the COS or for individual accounts.

You can set up specific retention policies that users can enable for the Inbox and other email folders in their account. Users can also create their own retention policies.

You can enable the dumpster feature to save messages that are deleted from Trash. When a message reaches the end of its retention lifetime, based on email lifetime rules or deletion policies, the message is moved to the dumpster if enabled. Users can recover deleted items from the dumpster until the threshold set in the Visibility lifetime in dumpster for end user setting.

If dumpster is not enabled, messages are purged from the server when the email retention lifetime is reached.

You can also set up a legal hold on an account to prevent messages from being deleted.

Configuring Email Lifetime Rules

You can configure when email messages should be deleted from an accounts folders, and the trash and junk folders by COS or for individual accounts.

Table 33. Email Lifetime Options
Email Lifetime Option Description

Email message lifetime

Number of days a message can remain in a folder before it is purged. This includes data in RSS folders.
Default = 0
Minimum = 30 days

Trashed message lifetime

Number of days a message remains in the Trash folder before it is purged.
Default = 30 days.

Spam message lifetime

Number of days a message can remain in the Junk folder before it is purged.
Default = 30 days.

Purging Email Messages

By default, the server purges email messages that have exceeded their lifetime every minute. You can change the duration of time that the server should "rest" between purging mailboxes.

Use the global Sleep Time setting to define duration, in minutes, between mailbox purges.

Admin Console:

Home → Configure → Global Settings → General Information

Purge Interval

For example, if the purge interval is set to 1 minute, the server purges mailbox1, waits for 1 minute, and then begins to purge mailbox2.

If the message purge schedule is set to 0, messages are not purged even if the mail, trash and spam message lifetime is set.

Because users cannot view message lifetime settings, you will need to apprise them of your purge policies.

Configuring Message Retention and Deletion Policies

Retention and deletion policies can be configured as a global setting or as a COS setting. Users can select these policies to apply to their message folders in their account. They can also set up their own retention and deletion policies. Users enable a policy you set up or create their own policies from their folders' Edit Properties dialog box.

Global Retention Policy

System wide retention and deletion policies can be managed from the Administration Console.

Use the global Retention Policy page to set global retention or deletion policies.

Admin Console:

Home → Configure → Global Settings → Retention Policy

Global Retention Policy

COS Retention Policy

Use the COS Retention Policy page to set retention or deletion for the selected COS.

Admin Console:

Home → Configure → Class of Service → COS → Retention Policy

COS Retention Policy

Ensure that the Enable COS-level policies instead of inheriting from the policy defined in Global Settings is enabled.

The retention policy is not automatically enforced on a folder. If users option an item in a folder that has not met the threshold of the retention policy, the following message is displayed, You are deleting a message that is within its folder’s retention period. Do you wish to delete the message?

When the threshold for the deletion policy is reached, items are deleted from the account. They are not sent to the Trash folder. If the dumpster feature is enabled, they are sent to the dumpster, if it is not enabled, they are purged from the server.

How Lifetime and Retention/Deletion Policies Work Together

If the Email Message Lifetime is set to a value other than zero (0), this setting applies in addition to the disposal or retention policy values applied to a folder. For example:

Email Message Lifetime is set to 120 days

  • Folder A has a policy with a disposal threshold of 360 days. Messages in Folder a are disposed of in 120 days.

  • Folder B has a policy with disposal threshold of 90 days. Messages in Folder B are disposed of in 90 days.

  • Folder C has a policy with retention range of 150 days. Messages in Folder C are disposed of in 120 days.

Managing the Dumpster

When a message, trash or spam lifetime has been reached, the message is moved to the dumpster if the feature is enabled. When users right-click on Trash, they can click Recover deleted items to retrieve items from their trash that have been deleted in the last x days. This threshold is based on the Visibility lifetime in dumpster for end user setting.

The Retention lifetime in dumpster before purging setting sets retention lifetime for items in dumpster. Items in dumpster older than the threshold are purged and cannot be retrieved.

Administrators can access the individual dumpster’s content, including spam, and they can delete data at any time before the message lifetime is reached.

Searching for an item in the dumpster folder
zmmailbox -z -m <user@example.com> search --dumpster -l <#> --types <message,contact,document> <search-field>

The search field can be a date range: 'before:mm/dd/yyyy and after:mm/dd/yyyy' or emails from or to a particular person: 'from:Joe', etc.

Deleting items in the dumpster folder

Items in the dumpster folder can be deleted with the CLI or from the Administration Console:

zmmailbox -z -m <user@example.com> -A dumpsterDeleteItem <item-ids>
Admin Console:

Home → Configure → Class of Service → COS → Features → General Features

  1. Enable (check) the Dumpster folder checkbox.

  2. To set Visibility lifetime in dumpster for end user, go to the Timeout Policy section on COS' Advanced page

  3. To set Retention lifetime in dumpster before purging, go to the COS’s Advanced page, Email Retention Policy section.

If the dumpster folder feature is enabled, you can set up a legal hold to preserve all items in user accounts.

When dumpster is enabled, Can purge dumpster folder is also enabled. Disabling this feature turns off purging of items in the user’s dumpster. This can be set on a COS or for individual accounts. When Can purge dumpster folder is enabled, any deletion policies set up on the accounts' folders are ignored.

Configure legal hold:

Admin Console:

Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features

Deselect Can purge dumpster folder on the Features page.

Customized Admin Extensions

Developers can create and add custom modules to the Zimbra Administration Console user interface, to provide new views, manage new data objects, extend existing objects with new properties, and customize existing views.

For the most up-to-date and comprehensive information about how to create an extended Administration Console UI module, go to the Zimbra wiki Extending Admin UI article located at Extending_Admin_UI.

All Zimbra extensions currently incorporated at the Administration Console UI are listed in the content pane as view only.

Only those created by you can be removed (see also Removing Admin Extension Modules).

Deploying New Administration Console UI Modules

Admin Console:

Home → Configure → Admin Extensions

Save the module zip file to the computer you use to access the Administration Console.

  1. From the Gear icon, select Deploy to present the Deploying a Zimlet or an extension dialog.

  2. Browse to the custom module zip file you need to upload.

  3. Click Deploy.

    The file is uploaded and the extension is immediately deployed on the server.

Removing An Admin Extension Module

Deleting an Admin Extension results in removal of the selected extension and all associated files. This action does not delete the originating zip file.

Admin Console:

Home → Configure → Admin Extensions

Use steps in this section to remove custom Admin Extensions.

  1. Select the module to remove, and select Undeploy from the Gear icon. A confirmation query is presented.

  2. At the confirmation query, click Yes to proceed.

Ephemeral Data

There are 3 main types of ephemeral data stored in LDAP during normal operation of Zimbra Collaboration.

  • Last Logon Time Stamps (zimbraLastLogonTimestamp)

  • Auth Tokens (zimbraAuthTokens)

  • CSRF Tokens (zimbraCsrfTokenData)

On small systems, storage of these types of ephemeral data may be done in the LDAP Server. However, mail systems with large numbers of active users have been found to overload LDAP for short-lived data storage. Therefore, the preferred option is to store this ephemeral data using an external server.

This document does not cover how to install and maintain the ephemeral storage server.

Configuring the storage location of ephemeral data is done through the following LDAP attribute:

Attribute

Format

Description

zimbraEphemeralBackendURL

[backend name]:[params]

Ephemeral Backend URL Configuration

The two currently supported Ephemeral Data backends are:

Backend

Format

Description

LDAP

ldap://default

Default configuration

SSDB

ssdb:127.0.0.1:8888

SSDB server and port

Frequent authentication requests place a high load on Ephemeral Data storage backend. See the following Zimbra wiki pages for results of authentication-based load tests:

Configuring a Running Zimbra Collaboration to Use SSDB

Configuring an already running Zimbra Collaboration installation to utilize SSDB instead of LDAP for short-lived data storage is done through the following process:

  1. Install SSDB and note the IP address and port configured since you will need this data for the next steps. Refer to Overview of Configuration Options for more information.

  2. Migrate any existing short-lived data to SSDB using the /opt/zimbra/bin/zmmigrateattrs command.

  3. Configure Zimbra Collaboration to utilize SSDB.

Migration Procedure

  1. Access the command prompt on one of the machines in the installation.

  1. Migrate existing ephemeral data to the SSDB backend using the zmmigrateattrs utility

sudo su - zimbra
/opt/zimbra/bin/zmmigrateattrs ssdb:<ip address|hostname>:port # substituting your server values

You may use either an IP address or a hostname for the host portion of the destination URL. Either way, you will need to ensure it resolves to the proper IP address on all machines in the cluster. If the provided SSDB address does not resolve to a functioning backend, the migration process will terminate.

  1. Configure Zimbra Collaboration to use SSDB:

sudo su - zimbra
zmprov mcf zimbraEphemeralBackendURL ssdb:<ip address|hostname>:port # substituting your server values

As with migration, the host and port must resolve to a functioning SSDB backend. Otherwise, the value of zimbraEphemeralBackendURL will not be changed.

Migration Details

Migration Info

Information about the latest migration process can be viewed by running the command zmmigrateattrs --status. If the migration is currently in progress, this command may have to be run from a new terminal window. This command will output three pieces of information:

  1. The status of the migration: one of IN_PROGRESS, COMPLETED or FAILED

  2. The URL of the SSDB backend acting as the destination

  3. A timestamp of when the migration process was initiated

The migration info can be reset with the command zmmigrateattrs --clear. This should only be done if the status does not reflect the true state of the system.

Changing the Ephemeral Backend URL

When the value of zimbraEphemeralBackendURL is modified, Zimbra Collaboration checks the status of the last known migration. This can result in one of several scenarios:

  1. If the migration is completed and the URL of this migration matches the newly provided value, zimbraEphemeralBackendURL is changed to the new value and the migration info is reset. This is the expected use case.

  2. If a migration is currently in progress, zimbraEphemeralBackendURL will not be changed.

  3. If no migration info is available, the migration has failed, or the new URL does not match the migration URL, zimbraEphemeralBackendURL will be changed; however, a warning will be logged stating that data is not guaranteed to have been migrated.

Forwarding Ephemeral Data

During the migration process, and until the backend URL is changed, Zimbra Collaboration will store new ephemeral data both in LDAP and SSDB; this keeps the two backends from getting out of sync. If the new value of zimbraEphemeralBackendURL is changed to match the migration URL, migration info is reset and the forwarding mechanism is turned off. If the values do not match, migration info is not reset, and forwarding remains in place. Note that this means that migration only needs to be run once, even if there is a gap between the initial migration and URL change. As long as the target backend is never taken offline, it will stay up-to-date. However, if SSDB is taken offline between the end of the migration and the backend URL change, migration will need to be re-run.

These scenarios are demonstrated below:

ephemeral data migration

Advanced Migration Options

The zmmigrateattrs tool provides several migration options, to be used with careful consideration:

  • The -r or --dry-run option outputs the changes to be made for each account to the console, without actually performing the migration.

  • The -n or --num-threads option specifies how many threads will be used for migration. Omitting this will result in migration happening synchronously.

  • The -a or --account option allows for migration of a comma-separated list of specific accounts. This should be used only for testing or debugging.

  • The -d or --debug option enables debug logging.

If no attribute names are explicitly passed in as arguments, migration will occur for all known ephemeral attributes, as in the example above.

Migration Limitations

Ephemeral data migration is a one-way process. The zmmigrateattrs script does not support migrating data from SSDB back into LDAP, nor does it support migrating data between different instances of SSDB. This means that if the value of zimbraEphemeralBackendURL is reverted back to LDAP after migration, prior authentication data will become inaccessible, and all user sessions will be invalidated. If migration to a new SSDB backend becomes necessary, the data should be replicated to the new location prior to changing the value of zimbraEphemeralBackendURL.

There is one exception to this is: the backend can be safely reverted back to LDAP immediately after the switch to SSDB with minimal loss of data. This is because the original values are retained in LDAP during migration; switching the backend to SSDB leaves a "snapshot" of ephemeral data in LDAP at the time of the switch. The migration utility does not currently provide a way to delete this data to free up space; however, it allows for the backend to be reverted. The more time passes between the initial change and the reversion, the less the LDAP snapshot will reflect the true state of ephemeral data.

Changes to zmprov

Due to changes in the way multi-valued ephemeral data is stored, the attributes zimbraAuthTokens and zimbraCsrfTokenData are no longer returned as part of the zmprov ga <account> response. The value of zimbraLastLogonTimestamp is returned as before, although only if the -l flag is not used, as adding the -l flag will restrict the server to accessing attributes in LDAP only. It is still possible to modify these attributes using the zmprov ma <account> command, regardless of the ephemeral backend. In order to do this, the provided attribute value must match its LDAP format: tokenId|expiration|serverVersion for auth tokens; data:crumb:expiration for CSRF tokens.

Migration CSV Output

Each run of zmmigrateattrs generates a CSV file in the /opt/zimbra/data/tmp/ folder. The file contains migration info for every migrated account, such as the number of attributes migrated. Note that it is possible for this to be zero, which can happen if all ephemeral data for an account is already present in the destination store.

If any migrations fail, a cutdown CSV file report detailing only the errors is also created in the same directory. The name(s) of the file(s) are logged at the end of the run.

Account Deletion Behavior

Ephemeral data deletion behavior differs slightly between SSDB and LDAP backends. With SSDB as the backend, account deletion results in the zimbraLastLogonTimestamp attribute being explicitly deleted from SSDB. zimbraAuthTokens and zimbraCsrfTokenData, however, are left to be expired by SSDB when the token lifetimes are reached (default of 2 days). Conversely, ephemeral data in LDAP is wiped immediately as part of the account deletion process.

SSDB Installation and Configuration

Installation

Zimbra Collaboration packages do not include SSDB server and Zimbra Collaboration installation and configuration utilities do not alter SSDB configuration. To install the latest version of SSDB, follow instructions provided by SSDB developer community in SSDB Installation Documentation. Please note, that Zimbra Collaboration has been tested with SSDB version 1.9.5. In order to install SSDB 1.9.5, download stable-1.9.5.zip instead of master.zip when following SSDB installation instructions.

SSDB does not have encryption or authentication support, this means you have to protect access to it at the network level.

Overview of Configuration Options

The purpose of this guide is to discuss some of the options available with SSDB, specifically with regards to:

  • High-availability via master-slave replication

  • High-availability via master-master replication

  • Horizontal scaling, with high-availability, via multi-master configuration.

This guide is not meant to be an exhaustive treatment of the subject. Also, as of the time of this writing, SSDB and any related packages must be installed and configured by the system administrator prior to updating zimbraEphemeralBackendURL and migrating attributes.

SSDB is compatible with Redis clients and Zimbra Collaboration currently uses a Redis-compatible client for communication with SSDB, so many of the concepts described herein are applicable with a Redis backend.

High-availability with Master-Slave replication

Normal Operation

The method described in this document to implement master-slave replication makes use of Keepalived to maintain a configured virtual IP address that is bound to the master SSDB instance under normal conditions.

ssdb master slave normal

Fail-over

If Keepalived detects a failure of the master instance, then the backup instance is promoted to master by re-binding the virtual IP address to the backup.

ssdb master slave failover

High-availability with Master-Master replication

This differs from master-slave replication in that both SSDB instances are online and accessible. Each replicates changes from the other. In the example set-up described later, we use HAProxy as a front-end. Keep in mind that, for production, you must use a proxy service that is, itself, highly-available.

ssdb master master

Horizontal Scaling via Multi-Master Configuration

Normally, both SSDB and Redis contain the entire key-space in a single instance. It is possible to front-end multiple instances using a service such as twemproxy. It supports various hashing modes such that the data associated with a particular key is always stored on the same server. This allows for horizontal scaling with very large installations.

By configuring each SSDB instance in master-slave configuration, you get both horizontal scaling and high-availability.

ssdb multi master

Master-Slave Replication

One way to ensure that SSDB remains highly-available is to set-up master-slave replication and configure a system that will allow the backup SSDB instance to automatically take-over in the event that the primary instance goes down. This document will describe one technique for accomplishing that goal.

Overview

SSDB will be installed on two servers. It will be configured such that one server is the designated master and the other server is the designated slave, or backup, that will constantly replicate changes from the master server.

Keepalived will also be installed on these two servers. Each Keepalived instance will monitor the other. In the event that the master server goes down, Keepalived will detect that failure and promote the slave, or backup, server to master. Keepalived will maintain a Virtual IP address bound to whichever server is the current master.

Zimbra Collaboration will be configured such that the zimbraEphemeralBackendURL will bind to the Virtual IP address that is being maintained by Keepalived.

Once the installation and configuration of both the SSDB master-slave setup and Zimbra Collaboration have been completed, follow the instructions in Ephemeral Data to update the zimbraEphemeralBackendURL accordingly.

The example documented here was done on servers running Ubuntu 16.04.

Required Packages

Prerequisites

Install SSDB and Keepalived on two servers in accordance with the procedure that is applicable to the Linux distribution that you are using.

Configuration

The following configuration steps assume that you have installed SSDB to /var/lib/ssdb and that all SSDB configuration files are located in that same directory. It further assumes that the internal host addresses are on the 192.168.56/24 network.

  • 192.168.56.111 - This is IP address of the initial master SSDB server

  • 192.168.56.112 - This is the IP address of the initial slave SSDB server

  • 192.168.56.120 - This is the virtual IP address that will be maintained by Keepalived.

SSDB Configuration, Designated (Initial) Master

The IP address of this machine is 192.168.56.111.

/var/lib/ssdb/ssdb_master.conf

The key configuration items in the following block are:

  • server/ip - Binding to all available IP addresses

  • server/port - Binding to standard SSDB port

  • server/deny, server/allow - Restrict SSDB access to localhost and the internal (host) addresses.`

Only the configuration items related to master-slave replication are shown here.

# ssdb-server config
# MUST indent by TAB!

# relative to path of this file, directory must exists
work_dir = ./var
pidfile = ./var/ssdb.pid

server:
        ip: 0.0.0.0
        port: 8888
        deny: all
        allow: 127.0.0.1
        allow: 192.168.56

replication:
        binlog: yes
        # Limit sync speed to *MB/s, -1: no limit
        sync_speed: -1
        slaveof:
                # sync|mirror, default is sync
                #type: sync

/var/lib/ssdb/ssdb_slave.conf

The key configuration items in the following block are:

  • server/ip - Binding to localhost

  • server/port - Binding to standard SSDB port

  • slaveof/type - sync

  • slaveof/host - 192.168.56.112 is the other SSDB server

  • slaveof/port - 8888 - The standard SSDB port

Again, only the configuration items related to master-slave replication are show.

# ssdb-server config

# relative to path of this file, must exist
work_dir = ./var_slave
pidfile = ./var_slave/ssdb.pid

server:
        ip: 127.0.0.1
        port: 8888

replication:
        binlog: yes
        # Limit sync speed to *MB/s, -1: no limit
        sync_speed: -1
        slaveof:
                # sync|mirror, default is sync
                type: sync
                # Can use host: <hostname> with SSDB 1.9.2 or newer
                ip: 192.168.56.112
                port: 8888
SSDB Configuration, Designated (Initial) Slave

The IP address of this machine is 192.168.56.112.

The ssdb_master.conf file is identical to that of the designated master server.

The ssdb_slave.conf file is almost identical to that of the designated master server. Only the following items differ;

  • slaveof/ip (or host) - 192.168.56.111 is the other SSDB server

Keepalived configuration, Designated (Initial) Master

/etc/keepalived/keepalived.conf

The key configuration items to note are:

  • state - State is set to BACKUP for both the designated (initial) master and backup servers. In this scenario, the priority is used to negotiate which server will assume MASTER status initially.

  • nopreempt - In the event that the master server fails and the backup server is promoted to master, this configuration directive will keep the original master from reclaiming that role should it come back online automatically. This is required because it will likely be stale. In this case, when it comes back up, it will remain in backup mode and will begin replicating information from the new master. Note: Human intervention may be required to bring a failed master back into service.

  • interface - In this example, enp0s8 is the interface identifier for which the virtual_ipaddress will be defined. You will choose a value that is appropriate to your installation.

  • priority - The designated initial master must have a higher priority than the designated initial backup.

  • advert_int - For the purposes of this documentation, the default value of 1 second was use. If you install Keepalived 1.2.21 or newer, you can specify a floating-point value here; e.g., 0.1 (seconds). This will allow Keepalived to detect a master failure more rapidly.

  • notify - This is the path to a script that will be called for state transitions. The full contents of the script is shown below

  • virtual_ipaddress - This is the virtual IP address that is maintained by Keepalived.

vrrp_instance VRRP1 {
        state BACKUP
        nopreempt
        interface enp0s8
        virtual_router_id 41
        priority 200
		advert_int 1
        notify /var/lib/ssdb/notify.sh

        authentication {
                auth_type PASS
                auth_pass 1234
        }
        virtual_ipaddress {
                192.168.56.120 dev enp0s8 label enp0s8:vip
        }
}

/var/lib/ssdb/notify.sh

This is the script that is called by Keepalived during state transitions. Note that the value assigned to USER should be the username that owns the SSDB process.

#!/bin/bash
# This must be run as root.

ENDSTATE=$3
NAME=$2
TYPE=$1

LOG=/var/log/keepalived-state-transition.log
LOG_ERROR=0
LOG_WARNING=1
LOG_INFO=2
LOG_DEBUG=3
LOG_LEVEL=$LOG_INFO

KPCFG=/etc/keepalived/keepalived.conf
USER=<SSDB-user-name>
PREFIX=/var/lib/ssdb


function log {
    lvl=$1
    msg="$2"
    if [ $lvl -le $LOG_LEVEL ]
    then
        now=$(date)
        echo "$now [$lvl] $msg" >> $LOG
    fi
}

function log_error {
    log $LOG_ERROR "$1"
}
function log_warning {
    log $LOG_WARNING "$1"
}
function log_info {
    log $LOG_INFO "$1"
}
function log_debug {
    log $LOG_DEBUG "$1"
}

function backup {
    log_info "Transitioning to BACKUP state"
    runuser -l $USER -c "${PREFIX}/ssdb-server ${PREFIX}/ssdb.conf -s stop"
    runuser -l $USER -c "cp ${PREFIX}/ssdb_slave.conf ${PREFIX}/ssdb.conf"
    runuser -l $USER -c "${PREFIX}/ssdb-server -d ${PREFIX}/ssdb.conf"

}

function fault {
    log_error "keepalived is in FAULT state"
}

function master {
    log_info "Transitioning to MASTER state"
    runuser -l $USER -c "${PREFIX}/ssdb-server ${PREFIX}/ssdb.conf -s stop"
    runuser -l $USER -c "cp ${PREFIX}/ssdb_master.conf ${PREFIX}/ssdb.conf"
    runuser -l $USER -c "${PREFIX}/ssdb-server -d ${PREFIX}/ssdb.conf"
}


case $ENDSTATE in
    "BACKUP") # Perform action for transition to BACKUP state
        backup
        exit 0
        ;;
    "FAULT")  # Perform action for transition to FAULT state
        fault
        exit 0
        ;;
    "MASTER") # Perform action for transition to MASTER state
        master
        exit 0
        ;;
    *)    echo "Unknown state ${ENDSTATE} for VRRP ${TYPE} ${NAME}"
        exit 1
        ;;
esac
Keepalived configuration, Designated (Initial) Backup

/etc/keepalived/keepalived.conf

This file is almost identical to the same file on the master node. Exceptions:

  • priority - It is given a lower initial priority.

  • It does not contain the nopreempt option. Once the backup server has become master due to a failure of the original master, the system should allow for some human intervention before restoring the original server to master status.

vrrp_instance VRRP1 {
        state BACKUP
        interface enp0s8
        virtual_router_id 41
        priority 100
        advert_int 1
        notify /var/lib/ssdb/notify.sh

        authentication {
                auth_type PASS
                auth_pass 1234
        }
        virtual_ipaddress {
                192.168.56.120 dev enp0s8 label enp0s8:vip
        }
}

The /var/lib/ssdb/notify.sh for the backup server is identical to the master.

Master-Master Replication

Overview

Another way to ensure that SSDB remains highly-available is to set-up master-master replication and configure a proxy that understands Redis protocol in front of the two SSDB servers. The proxy is responsible for monitoring the health of the two servers and removing a failed server from the poop.

The following simplified example uses a single HAProxy instance in front of two SSDB servers.

Required Packages

  • SSDB. In the examples shown below it is assumed that version 1.9.2 or newer is installed.

  • HAProxy

Prerequisites

Install SSDB on two servers in accordance with the procedure that is applicable to the Linux distribution that you are using. Install HAProxy on an additional server. Note that Keepalived can be used to configure a highly-available pool of HAProxy servers.

Configuration

SSDB Configuration, First Master

Notes:

  • Only the configuration related to master-master replication is shown.

# ssdb-server config
## ssdb-server config MUST indent by TAB!

# relative to path of this file, directory must exists
work_dir = ./var
pidfile = ./var/ssdb.pid

server:
        ip: 0.0.0.0
        port: 8888
        deny: all
        allow: 127.0.0.1
        # e.g., 192.168.56
        allow: <ip-address-prefix>


replication:
        binlog: yes
        # Limit sync speed to *MB/s, -1: no limit
        sync_speed: -1
        slaveof:
                id: svc_2
                type: mirror
                host: <hostname-of-other-master>
                port: 8888
SSDB Configuration, Second Master

Notes:

  • Only the configuration related to master-master replication is shown.

# ssdb-server config
# MUST indent by TAB!

# relative to path of this file, directory must exists
work_dir = ./var
pidfile = ./var/ssdb.pid

server:
        ip: 0.0.0.0
        port: 8888
        deny: all
        allow: 127.0.0.1
        # e.g., 192.168.56
        allow: <ip-address-prefix>


replication:
        binlog: yes
        # Limit sync speed to *MB/s, -1: no limit
        sync_speed: -1
        slaveof:
                id: svc_1
                type: mirror
                host: <hostname-of-other-master>
                port: 8888
HAProxy Configuration

Notes:

  • Only the configuration related to SSDB is shown.

  • SSDB supports Redis network protocol. You can use Redis clients to connect to an SSDB server and operate on it. This is what Zimbra Collaboration does.

defaults REDIS
        mode tcp
        timeout connect  4s
        timeout server  30s
        timeout client  30s

frontend ft_redis
        bind <published-ip-address>:8888 name redis
        default_backend bk_redis

backend bk_redis
        option tcp-check
        server R1 <first-master-ip-address>:8888 check inter 1s
        server R2 <second-master-ip-address>:8888 check inter 1s

Multi-Master Scaling / Replication

Overview

The details of multi-master configuration will not be covered in this document. In essence, you will install and configure multiple independent SSDB master-slave pairs using the instructions included above. Each pair will be responsible for storing a subset of the total key-space.

As in the master-master configuration, all of the pairs in the pool of SSDB servers will be front-ended by a proxy service that understands Redis protocol. It must also be capable of consistently hashing the data keys that are presented such that all requests relating to a particular key always get routed to the same master-slave pair.

One such product is twemproxy from Twitter.

Invalidate all user sessions

Depending on your environment running this command will take some time, there will not be a progress indication. Use the cd command to change into the SSDB installation directory:

./ssdb-cli -h 127.0.0.1 -p 8888
flushdb

SSDB replication may be affected, so it is best to first break replication and run this command on a single master of SSDB and then resume SSDB replication.

LDAP Attributes

The the SSDB backend makes use of a resource pool to manage access to the SSDB server; threads attempting ephemeral data operations must first acquire a resource from this pool. To that end, two LDAP attributes have been introduced to control the pool configuration.

zimbraSSDBResourcePoolSize controls the size of the pool. This determines how many client threads can simultaneously perform ephemeral API operations. By default this is set to 0, which results an unlimited pool size.

zimbraSSDBResourcePoolTimeout controls the amount of time a thread will wait for a resource before throwing an exception. The default is 0, which results in no timeout. This attribute has no effect when the pool size is 0, as threads will never have to wait for resources to be freed in order to perform ephemeral data operations.

A non-zero timeout value is recommended when the pool size is finite. Otherwise, a lost SSDB connection may cause mailboxd threads to remain blocked indefinitely, even after the connection is re-established. In general, the resource pool should be sized such that the mailbox server is not starved for resources.

Scaling SSDB for Production Load with Zimbra Collaboration

The main characteristics of Zimbra Collaboration production load that affects load on SSDB server are the frequency of authentication requests and frequency of SOAP requests sent by Zimbra Collaboration Web Client and 3rd party SOAP clients. Each authentication request results in a 2 or 3 write operations for SSDB. The write operations update zimbraLastLogonTimestamp, zimbraAuthTokens and zimbraCsrfTokenData values. Note, that zimbraCsrfTokenData is updated only when using a CSRF-enabled SOAP client such as Zimbra Collaboration Web Client. Each authenticated SOAP request results in 2 read operations for SSDB.

We recommend that your SSDB server has at least 2GB RAM and 1 CPU. If you plan on running additional tools, such as monitoring and configuration management on your SSDB server, consider increasing memory and adding one more CPU core to accommodate additional software. Check out Zimbra and SSDB Authentication Load Tests for more information.

Conclusion

For installations whose ephemeral data storage requirements will fit in a single instance, simple master-slave replication is the easiest to implement and requires the fewest resources. Master-master replication does allow requests to be load-balanced across both masters; however, each master is also constantly replicating from the other, so SSDB must do additional work to maintain consistency.

Class of Service and Accounts

The Class of Service (COS) assigned to an account determines the default attributes for user accounts, and the features to be enabled or denied. Each account is assigned a COS. The COS controls mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pool usage.

A COS is a global object and is not restricted to a particular domain or set of domains.

You can create and edit the classes of services from the Administration Console:

Admin Console:

Home → Configure → Class of Service → COS

Managing Features and Settings with a COS

A default COS is created when Zimbra Collaboration is installed. You can modify the default COS and create new ones.

From a COS, you can manage the following functions:

  • Features and preferences that users can access.

  • Themes and Zimlets that users can access.

  • Advanced settings including attachment settings, quotas, and password login policies.

  • Web App Versions (Modern Web App and Classic Web App).

  • Web Services and Desktop Clients (EWS, MAPI and more).

  • Offline Mode.

  • Retention policies.

As an example, you could create an Executive COS that is configured to enable all features, provide unlimited mailbox quotas, and never purges messages. Another General-Employee COS may also be created, which enables only the mail feature, sets the mailbox quota, and purges messages every 60 days. Grouping accounts to a specific COS allows you update or change account features in bulk. As such, when the COS is changed, all accounts assigned to the COS are changed.

If a COS is not explicitly set for a new account, or if the COS assigned to a user no longer exists, the default COS is automatically assigned.

You can create a COS and assign that as a default COS for all accounts that are created on that domain. You can create different COSs and specify which ones are available for the domain. If a domain does not have a COS defined, and you do not specify a COS, the original default COS is automatically assigned when an account is created.

Some COS settings can be overridden either by global settings or by user settings. For example:

  • Whether outgoing messages are saved to Sent can be changed from the Zimbra Classic Web App in the user’s preferences.

  • Attachment blocking set as a global setting can override the COS setting.

Some COS settings assigned to an account are not enforced for IMAP clients.

Selecting Features and Preferences

All the features available for a COS are displayed in its Features page. From there, you can select or deselect the features you do not want included in the COS.

Changes made at the account level override the rules in the COS assigned to the account.

You can define the initial preferences for saving and viewing messages, in the Preferences page. You can also select a specific locale for the Classic Web App and Modern Web App. If a locale is not specified, the browser locale is the default.

For a description of the features and preferences, see Customizing Accounts.

Disabling Preferences

By default, Preferences are enabled, and your users can modify the default preferences that are configured for their accounts.

As the Administrator, you can disable Preferences. As a result, the Preferences page will not display in users mailboxes: they therefore cannot modify the default configuration for features that are set up for their accounts.

A user can change their Preferences in the Modern Web App under Settings. Disabling Preferences does not have any impact on the Modern Web App.

Setting Default Time Zone

When using the Classic Web App or the Modern Web App, the time zone setting on the computer is used as the time stamp for displaying received messages and for calendar activities.

The Time Zone value in Calendar settings is used only to identify where the Working Hours start and end times are anchored, and how they appear in Free / Busy information.

Using Server Pools

In an environment with multiple mailbox servers, the COS is used to assign a new account to a mailbox server. When you configure the COS, you select which servers to add to the server pool. Within each pool of servers, a random algorithm assigns new mailboxes to any available server.

You can assign an account to a particular mailbox server when you create an account in the New Account Wizard, Server field. Uncheck auto and enter the mailbox server in the Server field.

Setting Account Quota

An account quota is the storage limit allowed for an account. Email messages, address books, calendars, tasks, and Briefcase files contribute to the volume of the quota. Account quotas can be set for a COS or for individual accounts from the Administration Console.

If you set the quota to 0, accounts do not have a quota.

Viewing Account Quotas

To view account quotas for all accounts on a domain:

Admin Console:

Home → Configure → Domains → domain → Mailbox Quota

Notifying Users When Maximum Quota is Near

Users can be notified that their mailboxes are nearing their quota. The quota percentage can be set and the warning message text can be modified: Go to the Quotas container for a specified Class of Service:

Admin Console:

Home → Configure → Class of Service → COS → Advanced → Quotas

When the displayed/configured threshold is reached, a quota warning message is sent to the user.

Setting Quotas in Domains

You can set a maximum mailbox quota for a domain. The default for the domain mailbox quota is unlimited. The domain quota is the maximum amount of storage that can be used by all mailboxes within the domain.

You can set an aggregate quota as well. The sum of the quotas for all accounts in the domain can exceed the size of the aggregate.

An aggregate quota policy for how to handle messages that are sent or received once the aggregate quota has been reached can be set up. The policy options include:

  • Continue to allow messages to be sent and received as usual.

  • Do not allow messages to be sent.

  • Do not allow messages to be sent or received.

Notifications can be automatically sent when the quota is within a configured percentage of the aggregate quota. A cron tab job runs daily to check the aggregate quota percentage and if the percentage has been reached, the quota warning email is sent.

When a domain quota is set, the effective quota for an account is the minimum quota setting of either the domain or account.

To configure domain quotas, go to the Domain Quota Setting container for a specified domain:

Admin Console:

Home → Configure → Domains → domain → Advanced → Domain Quota Setting

Managing Excess Quota

You can set how message delivery is handled when a user’s mailbox exceeds the configured quota. The default behavior is for the MTA to temporarily send the message to the deferred queue. When the mailbox has sufficient space, the message is delivered. You can change this behavior to either have messages bounce back to the sender instead of being sent to the deferred queue first or you can configure to send the message to the mailbox even if the quota has been exceeded.

To bounce messages instead of sending them to the deferred queue:

zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE

To send the message to the mailbox even if the quota has been exceeded:

zmprov mc {cos-name} zimbraMailAllowReceiveButNotSendWhenOverQuota TRUE

When this attribute is set to TRUE, a mailbox that exceeds its quota is still allowed to receive new mail and calendar invites. This quote bypass is only implemented for messages. All other mail items are still affected by the quota.

Managing Passwords

If you use internal authentication, you can quickly change an account’s password from the Account’s toolbar. The user must be told the new password to log on.

If Microsoft Active Directory (AD) is used for user authentication, you must disable the Change Password feature in the COS. The AD password policy is not managed by Zimbra.

If you want to make sure users change a password that you create, you can enable Must Change Password for the account. The user must change the password the next time he logs on.

Password restrictions can be set either at the COS level or at the account level. You can configure settings to require users to create strong passwords and change their passwords regularly, and you can set the parameters to lock out accounts when incorrect passwords are entered.

Directing Users to Your Change Password Page

If authentication is configured as external auth, you can configure Zimbra Collaboration to direct users to your password change page when users change their passwords. You can either set this URL as a global setting or a per domain setting.

Set the zimbraChangePasswordURL attribute to the URL of your password change page.

Change Password in the Classic Web App under Preferences → General links to this URL, and when passwords expire, users are sent to this page. In the Modern Web App, Change Password appears under the account avatar menu, and it will also link to the provided URL.

Modifying the password for the domain:

zmprov md example.com zimbraChangePasswordURL https://auth.example.com

Configuring a Password Policy

If internal authentication is configured for the domain, you can require users to create strong passwords to guard against simple password harvest attacks. Users can be locked out of their accounts if they fail to sign in after the maximum number of attempts configured.

To set password policy, use the Password container for a specified Class of Service:

Admin Console:

Home → Configure → Class of Service → COS → Advanced → Password

The password settings that can be configured are listed below.

Table 34. Password Options
Password Options Description

Minimum/Maximum password length

Specifies the required length of a password. The default minimum and maximum are 6 and 64 characters, respectively.

Minimum/Maximum password age

Configures the password expiration date. Users can change their passwords at any time between the minimum and maximum. They must change it when the maximum password age is reached.

The following settings require users to add complexity to their passwords.

Minimum upper case characters

Uppercase A - Z

Minimum lower case characters

Lowercase a - z

Minimum punctuation symbols

Non-alphanumeric, for example !, $, #, &, %

Minimum numeric characters

Base 10 digits 0 - 9

Minimum numeric characters or punctuation

Combined Non-alphanumeric and digits

Minimum number of unique passwords history

Number of unique new passwords that a user must create before an old password can be reused.

Minimum password age (Days)

Minimum days between password changes

Maximum password age (Days)

Maximum days between password changes

Password locked

Users cannot change their passwords. This should be set if authentication is external.

Must change password

User is required to change password at first sign in.

Change password

When enabled, users can change their password at any time within the password age settings from their account Preferences tab.

Block Common Passwords

Block Common Passwords feature enables an organization to restrict the use of the commonly used passwords when creating users. The list of the common passwords is maintained on the server which is referred to when an administrator tries to create a user with a commonly used password.

The feature is controlled by a local config attribute zimbra_block_common_passwords_enabled and the default value is set to FALSE.

When this feature is enabled, it will also prevent end users from setting their password to a commonly used password via these options:

  • Profile → Change Password in Modern Web App at the top right corner.

  • Forgot Password option on the Login page. (If the Forgot Password feature is enabled for the user).

Enabling Block Common Passwords feature
  1. Login as zimbra user:

su - zimbra
  1. Set the localconfig zimbra_block_common_passwords_enabled value to TRUE:

zmlocalconfig -e zimbra_block_common_passwords_enabled=TRUE
  1. Restart mailbox service:

zmmailboxdctl restart

After enabling this feature, if you try to create a user, Password is invalid error is displayed and the user is not created.

Managing Login Policies

You can set the maximum number of failed login attempts before the account is locked out for the specified lockout time. This type of policy is used to prevent password attacks.

To set user login policy, use the Filed Login Policy container for a specified Class of Service:

Admin Console:

Home → Configure → Class of Service → COS → Advanced → Failed Login Policy

Table 35. Login Policy Options
Login Policy Options Description

Enable failed login lockout

This enables "failed login lockout" feature. You can configure the following settings.

Number of consecutive failed logins allowed

Number of failed login attempts before the account is locked out. The default is 10. If set to 0, the account is never locked out.

Time to lockout the account

Amount of time the account is locked out. If this is set to 0, the account is locked out until the correct password is entered, or the administrator manually changes the account status and creates a new password. The default is 1 hour.

Time window in which the failed logins must occur to lock the account

Duration of time after which the number of consecutive failed login attempts is cleared from the log. If this is set to 0, the user can continue attempts to authenticate, no matter how many consecutive failed login attempts have occurred. The default is 1 hour.

About 2 Factor Authentication

With the 2 Factor Authentication (FA) feature you can apply additional security policies to COS and/or user accounts to provide another layer of authentication during attempts to access the system. This feature must be enabled or disabled in the Admin Console, to manage 2FA functions applicable to user mailboxes.

2 Factor Authentication

For more information, see 2 Factor Authentication.

Managing Session Timeout Policies

You can set the period of time to allot for user sessions based on various conditions.

To set the session timeout policy use the Timeout Policy container for a specified Class of Service:

Admin Console:

Home → Configure → Class of Service → COS → Advanced → Timeout Policy

Table 36. Session Timeout Policy Options
Session Timeout Policy Options Description

Admin console auth token lifetime

Sets a browser cookie that contains the admin auth token. Administrators can open the Administration Console without having to log on again until the auth token expires. The default is 12 hours.

Auth token lifetime

Sets a browser cookie that contains the Web App auth token. User can open the Classic Web App or Modern Web App without having to log on again until the auth token expires. The default is 2 days. When it expires, the login page is displayed and the user must log on to continue.

Session idle lifetime

How long a user session remains active, if no activity occurs. Activity includes any clickable mouse action, such as viewing folder contents or clicking a button. The default is unlimited.

You can manually expire a user’s web client session from the Administration Console Expire Sessions link. This forces the current session of the account to expire immediately.

Managing Default External COS

The defaultExternal COS is assigned to external virtual accounts that are created when external users accepts a Zimbra provisioned users' invitation to share their calendar or briefcase items.

This account is not provisioned on the server, but the external user can sign in to the Classic Web App, create a display name and set a password to view the shared items. The only folders available are for the content they have access to.

The defaultExternal COS is configured with the following general features: Change password, Change UI themes, HTML compose, Export and Search. None of the major features are configured.

The Modern Web App does not currently support login by external users.

Customizing Accounts

This chapter describes the features and user preferences that can be configured for an account, either from the assigned COS or in an individual account.

Mailbox features are enabled for Zimbra Classic Web App users. When IMAP or POP clients are used, users might not have these features available.
Some features mentioned in the following sections may not be currently available for the Modern Web App.
For Classic Web App, Offline mode is no more supported for Chrome versions 85 and above (affects Kepler9-Patch9 onwards). Users can still continue to use Offline mode in previous browser versions.

Messaging and Collaboration Applications

Your COS configuration and assignment of a COS to accounts determines the default settings for account features and the restrictions to be applied to groups of accounts. Individual accounts can be configured differently, and any changes you make override the COS setting. When you update the COS, the changes are not reflected in accounts that have COS overrides.

Email Messaging Features

You configure which email messaging features are enabled. Users can then manage many of the enabled features as preferences.

By default, users manage their own preferences, but you can administratively elect not to allow user modifications to their account preferences. Currently supported Web App Email Messaging Features are listed and described in Email Features.

Table 37. Email Features
Email Messaging Feature Description

Mail

Enables the email application. Enabled by default.

See COS → Features → Major Features container in the Admin Console.

Conversations

Messages can be grouped into conversations by a common thread. The default is to thread messages in a conversation by the References header. If there is no References header, the Subject is used to determine the conversation thread.

To change the default, update attribute zimbraMailThreadingAlgorithm from the COS or for individual accounts. See changing conversations thread default.

If this feature is enabled, conversation view is the default. You can change the default on the COS Preferences page. Users can also change the default.

See COS → Features → Mail Features container in the Admin Console.

HTML compose

Users can compose email messages with an HTML editor. They can specify default font settings as a preference.

See COS → Preferences → Composing Mail container in the Admin Console.

Draft auto save interval

Frequency of saving draft messages. The default is every 30 seconds. Users cannot change the frequency, but they can turn off the save draft feature.

See COS → Preferences → Composing Mail container in the Admin Console.

Mail send later

When enabled, users can choose Send Later to send a message at a later time. The user configures the data and time for sending. Messages are saved in the Draft folder.

See COS → Features → Mail Features container in the Admin Console.

Message priority

When enabled, users can set the priority of the message. The recipient viewing from the Web App sees the priority flag if it is high or low.

See COS → Features → Mail Features container in the Admin Console.

Enable Attachment indexing

Attachments are indexed. Indexed attachments can be searched.

See COS → Advanced → Attachment Settings container in the Admin Console.

Allow the user to specify a forwarding address

You can specify a default forwarding address that the user can use. Users can change the forwarding address from their account Preferences tab.

You can also specify forwarding addresses that are hidden from the user. A copy of a message sent to the account is immediately forwarded to the designated forwarding address.

See COS → Features → Mail Features container in the Admin Console.

Out of office reply

Users can create an email message that automatically replies to incoming messages. By default a message is sent to each recipient only once every seven days, regardless of how many messages that person sends to the address. This setting can be changed in the COS Preferences page, Out of office cache lifetime field.

See COS → Features → Mail Features container in the Admin Console.

New mail notification

Allows users the option to specify an address to be notified of new mail. They can turn this feature on or off and designate an address from their account Preferences tab.

See Customize the notification email for an example of changing the email template.

See COS → Features → Mail Features container in the Admin Console.

Persona

When enabled, users can create additional account names to manage different roles. Account aliases can be selected for the From name of messages sent from that persona account and a specific signature can be set for the persona account. The number of personas that can be created is configurable depending on your requirements. The minimum is 0, and the default is 20 (zimbraIdentityMaxNumEntries).

This feature is supported only in the Classic Web App.

See COS → Features → Mail Features container in the Admin Console.

Maximum length of mail signature

The maximum number of characters that can be in a signature. The default is 1024 characters.

The number of signatures users can create is configured in zimbraSignatureMaxNumEntries.

See COS → Preferences → Composing Mail container in the Admin Console.

Advanced search

Allows users to build a complex search by date, domain, status, tags, size, attachment, Zimlets, and folders.

See COS → Features → Search Features container in the Admin Console.

Saved searches

Users can save a search that they have previously executed or built.

See COS → Features → Search Features container in the Admin Console.

Initial search preference

When enabled, the default search mailbox can be changed.

See COS → Features → General Options container in the Admin Console.

External POP access

When enabled, users can retrieve their POP accounts' email messages directly from their Zimbra account. They add the external account address to their account settings.

See COS → Features → Mail Features container in the Admin Console.

External IMAP Access

When enabled, users can retrieve their IMAP accounts' email messages directly from their Zimbra account. They can add the external account address to their account settings.

See COS → Features → Mail Features container in the Admin Console.

Aliases for this account

You can create aliases for the account. Users cannot change this.

Mail filters

Users can define a set of rules and corresponding actions to apply to incoming and outgoing mail and calendar appointments. When an incoming email message matches the conditions of a filter rule, the corresponding actions associated with that rule are applied.

Spam check on a received message is completed before users' mail filters are run. Message identified as spam are moved to the junk folder. To avoid having mail incorrectly marked as spam, users can create a spam whitelist from the Preferences Mail folder to identify email addresses that should not be marked as spam.

See COS → Features → Mail Features container in the Admin Console.

Flagging

Users can create flags and assign them to messages, contacts, and files in Briefcase folders. (This feature is supported only in the Classic Web App.)

See COS → Features → Mail Features container in the Admin Console.

Enable keyboard shortcuts

Users can use keyboard shortcuts within their mailbox. The shortcut list can be viewed in the Classic Web App from the Username drop-down menu.

Keyboard shortcuts are always available in the Modern Web App. The shortcut list can be viewed by typing Ctrl-Q.

See COS → Preferences → General Options container in the Admin Console.

Global Address List (GAL) access

Users can access the company directory to find names for their email messages.

See COS → Features → General Features container in the Admin Console.

Autocomplete from GAL

When enabled, users enter a few letters in their compose header and names listed in the GAL are displayed ranked by usage. See also Autocomplete Ranks Names.

See COS → Features → General Features container in the Admin Console.

Offline support for Web App

When enabled, users can use the offline mode to access their data without network connectivity when using the Zimbra Modern Web App. See also Offline Mode.

See COS → Features → General Features container in the Admin Console.

IMAP access

Users can use third party mail applications to access their mailbox using the IMAP protocol.

You can set the polling interval from the COS or Account Advanced page, Data Source → IMAP polling interval section. The polling interval is not set by default.

See COS → Features → Mail Features container in the Admin Console.

POP3 access

Users can use third party mail applications to access their mailbox using the POP protocol. When they retrieve their POP email messages, the messages and attachments are saved on the Zimbra server.

Users can configure from their Preferences → Mail page

  • How messages are downloaded.

  • Whether to include their junk messages. Junk messages are downloaded to their Inbox.

  • How to delete messages from their POP account.

You can set the polling interval from the COS or Account Advanced page, Data Source → POP3 polling interval section. The polling interval is not set by default.

See COS → Features → Mail Features container in the Admin Console.

Autocomplete Ranks Names

The autocomplete feature displays names ranked with the most frequently recalled contact listed at the top. If the contact name that appears first should not be listed at the top, the user can click Forget and the contact names are re-ranked. (Classic Web App only.)

Email Preferences that Users Manage

The default behavior for many of the preferences listed in this section can be set from either the COS or the Accounts Preferences page. Users can modify the following mail preferences from their account Preferences or Settings in the Classic Web App or Modern Web App.

  • How often, in minutes, that the Web Client checks for new messages:

    Check for new mail every…​

  • Set or change email message alerts. Alerts can be set up to play a sound, highlight the Mail tab when a message arrives, and flash the browser, depending on which Web App they use.

  • Set the display language for the Classic Web App and Modern Web App. If more than one language locale is installed on Zimbra Collaboration, users can select a locale that is different from the browser language settings.

The Modern Web App currently supports a subset of the languages available in the Classic Web App, and will fallback to US English if the user’s language locale is not yet supported.
  • Whether to save copies of outbound messages to the Sent folder.

  • Whether to save a local copy of a message that is forwarded or to have it deleted from their mailbox. (Only the Classic Web App can manage this setting currently.)

  • Whether to compose messages in a separate window. (This feature is supported only in the Classic Web App.)

  • Whether to view mail as HTML for messages that include HTML or to view messages as plain text. (This feature is supported only in the Classic Web App.)

  • Whether to send a read receipt when it is requested.

  • Adjust the default font size for printed messages. The default is 12 points. (This feature is supported only in the Classic Web App.)

  • Users can set up their own Spam mail options of whitelist and blacklist email addresses that are used to filter incoming message from their Preferences Mail folder. The default maximum number of whitelist and blacklist addresses is 100 on each list. This value can be changed using CLI zmprov for accounts and COS. The attributes are zimbraMailWhitelistMaxNumEntries and zimbraMailBlacklistMaxNumEntries.

  • Users can modify the following mail preferences under Signatures:

    • Whether to automatically append a signature to outgoing messages.

    • Preferences for how signatures are applied to messages that are replied to or forwarded.

Using Import and Export to Save User’s Data

From the Preferences Import/Export page in the Classic Web App or under Accounts → Primary account in the Modern Web App users may export all of their account data, including mail, contacts, calendar, and tasks. By selecting export options, they can export specific items in their account and save the data to their computer.

The account data is saved as a tar-gzipped (.tgz) archive file so that it can be imported to restore their account. Individual contacts are saved as .csv files, and individual calendar files are saved as .ics files. The data are copied, not removed from the user’s account.

The exported account data file can be viewed with an archive program such as WinZip. Any of these files can be imported into their account from the same page.

You can turn the Import/Export feature off from the COS or Account Features page, General Features section.

Setting Up RSS Polling Intervals

Users can subscribe to Websites that provide RSS and podcast feeds and receive updated information directly to their mailboxes. The maximum number of feeds that can be returned is 50. RSS feeds count against users' account quota.

The default is to update the RSS data every 12 hours. Users can right-click on an RSS feed folder to manually load new feed.

You can change the polling interval from the Administration Console the COS or Account Advanced page, Data Source → RSS polling interval section.

Contacts Features

Zimbra Contacts allows users to create multiple contact lists and add contact names automatically when mail is received or sent. Users can import contacts into their Address Book.

To allow users to share their mail folders, address books, and calendars, enable Sharing on the General Features container:

Home → Configure → Class of Service → COS → Features → General Features

Table 38. Address Book Features
Feature Description COS/Account Tabs

Address Book

Users can create personal contacts lists. By default, a "Contacts" list and "Emailed Contacts" list are created.

Features

Address book size limit

Maximum number of contacts a user can have in all address books. 0 means unlimited.

Advanced

Users can modify the following Address Book preferences from their account Preferences Address Book page.

To set default behavior:

Admin Console:

Home → Configure → Class of Service → COS → Preferences
Home → Manage → Accounts → account → Preferences

  • Enable auto adding of contacts to automatically add contacts to their Emailed Contact list when they send an email to a new address.

  • Enable the ability to use the Global Access List when using the contact picker to look up names.

  • Enable the options to include the GAL addresses and names in shared address books when using autocomplete to address a message.

Calendar Features

Zimbra Calendar lets users schedule appointments and meetings, establish recurring activities, create multiple calendars, share calendars with others, and delegate manager access to their calendars. They can subscribe to external calendars and view their calendar information from the Zimbra Classic Web App or Modern Web App. They can also use search for appointments in their calendars.

To allow users to share their calendars, address books, and Briefcase files, enable Sharing in the General Features container.

Admin Console:

Home → Configure → Class of Service → COS → Features → General Features

Table 39. Calendar Features
Calendar Feature Description COS/Account Tabs

Calendar

Lets users maintain their calendar, schedule meetings, delegate access to their calendar, create multiple personal calendars, and more.

Features

Group Calendar

When Group Calendar is not checked, users can create personal appointments and accept invitations to meetings only. The Find Attendees, Schedule and Find Resources tabs are not displayed.

Group Calendar features are always available in the Modern Web App.

Features

Nested Calendars

Calendars can be nested within Zimbra folders like Mail, Contact, and Calendar folders. The administrator creates a nested list of calendars using CLI. A nested calendar grouping can be imported through migration as well. See example below.

This feature is supported only in the Classic Web App.

Time zone

Sets the time zone to use for Calendar scheduling. Domain admins set this in the Accounts, General Information page.

Preferences

Forward calendar invitation to specific addresses

You can specify email addresses to forward a user’s calendar invitations. Users can also specify forwarding address from the Preferences Calendar folder.

This feature is supported only in the Classic Web App.

The account the invitation is forwarded to must have admin privileges on the shared calendar to reply to the invitation.

Accounts Forwarding

Create a calendar nested under the "Calendar Name" folder:

zmmailbox -z -m user1 cf -V appointment "/Calendar Name/Sub Calendar"

Troubleshooting Calendar Appointment Problems

Use the zmcalchk command to check for discrepancy between different users' calendars for the same meeting, and send an email notification regarding the discrepancies.

You can also use this command to notify the organizer and/or all attendees when an appointment is out of sync.

Changing Remote Calendar Update Interval

Remote calendars are updated every 12 hours, by default. The frequency can be modified at the Admin Console.

To modify the frequency of calendar updates in the Admin Console go to the desired COS or Account Advanced page, Data Source → Calendar polling interval field.

Disabling Attendee Edits to Appointments

Attendees can edit appointments in their calendars, but their changes do not affect anyone else. If the appointment organizer makes changes, these changes overwrite the attendees edits. You can modify the COS attribute zimbraPrefCalendarApptAllowAtendeeEdit to prevent attendees from editing appointments in their calendar.

zmprov mc <cosname> zimbraPrefCalendarApptAllowAtendeeEdit FALSE
This feature is supported only in the Classic Web App.

Setting Other User Calendar Preferences

Users can modify the Calendar preferences listed in the Calendar Preference table. You can set the default behavior in the COS or Accounts Preferences page.

Calendar Preference Description

Time zone

Time zone displayed in the user’s Preferences. See Setting Default Time Zone. If the time zone is configured in the COS, the time zone configured in the domain is ignored.

Number of minutes before an appointment to show reminder

Sets the minutes before the meeting to send a reminder notice.

Initial calendar view

Sets the default view. Options are Day, Work Week, 7-Day Week, Month, List, or Schedule.

First day of the week

Sets the default first day of a user’s work week.

Default appointment visibility

Options are Public or Private. Sets the default visibility options on the new appointment page.

The default is Public, appointments details can be viewed by others.

When the default is Private, all incoming calendar invites are marked as private on the user’s calendar and details are hidden when the calendar is shared.

Use iCal delegation model for shared calendars for CalDAV

Apple iCal can be configured to access users' calendars using the CalDAV protocol. When enabled, shared calendars are displayed in users' iCal account’s Delegation tab and they can delegate access to their calendars.

For automatic polling, the polling interval can be set up in the COS or Account Advanced page, Data Source → CalDAV polling interval field.

Enable past due reminders

Users log into the Classic Web App or Modern Web App, the reminder notifications for the last two weeks pop up for meeting reminders that were not dismissed. When this is disabled, Zimbra Collaboration silently dismisses the old reminders.

Enable toaster notification for new calendar events

A popup displays in the Classic Web App when new calendar events are received.

This feature is supported only in the Classic Web App.

Allow sending cancellation email to organizer

When users receive an invitation they cannot attend at the scheduled time, they have the option to click Propose New Time and select another time. The meeting organizer receives an email with the proposed time.

This feature is supported only in the Classic Web App.

Automatically add invites with PUBLISH method

A calendar invitation email should have method=REQUEST in the calendar object but some third-party email clients incorrectly set method=PUBLISH. These emails are not processed as invitations by default. You can relax the rules by enabling this option.

Automatically add forwarded invites to calendar

Invites that have been forwarded to users are automatically added to the forwarded recipient’s calendar.

Flash browser title on appointment reminder

When appointment reminders pop up, the browser flashes until the user closes the pop-up.

This feature is supported only in the Classic Web App.

Enable audible appointment notification

When an appointment reminder pops up, users can be notified by a beep on their computer. Users must have either QuickTime or Windows Media installed.

This feature is supported only in the Classic Web App.

Auto-decline invites from users who are denied from inviting this user

Users can configure who can send them calendar invites. When enabled, an auto-reply message is sent to those users to let them know they do not have permission to invite the user.

This feature is supported only in the Classic Web App.

Automatically add appointments when invited

When enabled, appointments are automatically added to user’s Primary calendar.

This setting is not provided in the Modern Web App.

Show declined meetings

When enabled, declined appointments display on the Classic Web App calendar in a faded view.

This setting affects the Zimbra Classic Web App only. Users viewing appointments in the Modern Web App, third-party calendar apps, and mobile devices might not see the declined events.

Notify of changes made via delegated access

Users that delegated their calendar are notified of changes made to an appointment by a delegated access grantee.

This setting is not provided in the Modern Web App.

Always show the mini-calendar

The mini-calendar automatically displays in the Calendar view.

This setting is not provided in the Modern Web App.

Use the QuickAdd dialog when creating new appointments

When is enabled, the QuickAdd dialog displays when users double-click or drag on the calendar in the Zimbra Classic Web App.

QuickAdd is always available in the Modern Web App.

Show time zone list in appointment view

When enabled, a time zones list displays in the event editor along with event time, giving them the opportunity to change time zones while making appointments.

Setting Up Zimbra Tasks

Zimbra Tasks lets users create to-do lists and manage tasks through to completion.

To allow users to share their Task lists, enable Sharing in the Features page. Task lists can be shared with individuals, groups, and the public.
This feature is supported only in the Classic Web App.

To enable or disable the Tasks feature:

Admin Console:

Home → Configure → Class of Service → COS → Features
Home → Manage → Accounts → account → Features

Zimbra Classic Web App User Interface Themes

The appearance of the Zimbra Classic Web App user interface can be changed. A number of Zimbra themes are included with Zimbra, and you can create others. You can select a theme to be the default and the themes that users can select to customize their user experience. To develop themes, see Color and Logo Management.

This feature is supported only in the Classic Web App.

The following theme usage options can be configured either from COS or by individual accounts.

  • Limit users to one theme

    On the Features page, remove the check mark from Change UI Themes. The Classic Web App theme is the theme listed in Current UI theme field on the Themes page.

  • Let users access any of the installed Zimbra themes

    If the Change UI Themes is checked, users can access any of the themes that are listed in the Available UI themes list.

Two Factor Authentication

The Two Factor Authentication (2FA) function allows you to configure a secondary set of security requirements that may be applicable to any or all critical mailboxes or users in the environment. You can set 2FA for user accounts and/or class of service.

2FA for New User Account

In the Wizard setup for a new user account, you will find settings for 2FA with other Advanced options.

Admin Console:

Home → 3 Add Accounts → 1. Add Account
 — Next until Advanced, scroll down to Two Factor Authentication

New Account Two Factor Authentication

See Two Factor Authentication Parameters for parameter descriptions.

2FA for Existing User Account

For an existing user account, you can apply 2FA settings from the Advanced options.

Admin Console:

Home → Manage → Accounts

Locate the Two Factor Authentication container within the editable configurations for an account:

  1. Select an account from the list of accounts.

  2. Select Edit from the Gear icon.

     —  The General Information for the account is now displayed.

  3. Select Advanced from the left panel.

  4. Scroll down to the Two Factor Authentication container in the main panel.

Edit Account Two Factor Authentication

See Two Factor Authentication Parameters for parameter descriptions.

2FA for Class of Service

Parameters you can use to set up 2FA for a Class of Service are included with other Advanced features.

To apply 2FA to a class of service, use the Two Factor Authentication container to set parameters.

Admin Console:

Home → Configure → Class of Service → COS → Advanced → Two Factor Authentication

Class of Service Two Factor Authentication

See Two Factor Authentication Parameters for parameter descriptions.

Table 40. Two Factor Authentication Parameters
Parameters Description

Enable two factor authentication

Enable (check) or disable (un-check) this function for the selected COS account.

Require two-step authentication

Enable (check) or disable (un-check) mandatory use of this function for the selected COS account.

Number of one-time codes to generate

Value to assign maximum number of 6-digit passcodes that may be viewed/used by the account when attempting to access the system. The passcode is presented to the account once the initial login credentials are accepted.

Each passcode has a 15-second life cycle.

Enable application passcodes

Users can generate exception codes for legacy applications that do not support two-factor authentication.

Other Configuration Settings for Accounts

Enable Sharing

When the Sharing feature is enabled, users can share any of their folders, including their mail folders, calendars, address books, task lists, and Briefcase folders.

A users specifies the type of access permissions to give the grantee. They can share with internal users who can be given complete manager access, external guests who must use a password to view the folder content, as well as public access so that anyone who has the URL can view the folder’s content.

When internal users share a mail folder, a copy of the shared folder is put in the grantee’s folder list on the Overview pane. Users can manage their shared folders from their Classic Web App Preferences Sharing page.

At this time, the Modern Web App supports share management from folder and calendar context menus only.

Configure SMS Notification

The Classic Web App Preferences → Notification page lets users configure an email address or SMS alert to their mobile device to receive a reminder message for a task or a meeting on their calendar. Notification by SMS is disabled by default.

SMS notification can be configured by domain, COS or for individual accounts. SMS notification set in a COS overrides SMS notifications set on a domain. In the Administration Console, this is set on the domain, COS or account’s Feature page.

Users select a region and a carrier when setting up their SMS alert. The list of SMS/email gateways is in ZmSMS.properties. You can customize this list to add SMS/email gateways that are not listed.

This feature is supported only in the Classic Web App.

Configure Attachment Viewing

You can set attachment viewing rules as a global setting, by COS, or for a specific account. The global setting takes precedence over COS and account Settings. You can select from four options.

The Modern Web App always provides Hi-Def Attachment Previews, with no user settings required.
Table 41. Attachment Viewing Features
Feature Name Description COS/Account Tabs

Disable attachment viewing from web mail UI

Attachments cannot be viewed. This can also be set as a global setting.

Advanced

Attachments can be viewed in HTML only

Attachments received in another format are opened in HTML view.

Advanced

Attachments can be viewed in their original format only

Users might not be able to open attachments that require a specific application that is not on their computer.

Advanced

Attachments can be viewed in HTML and their original format

Users can select to open either in the original format or as HTML.

Advanced

Display a Warning When Users Try to Navigate Away

Users can click the Back and Forward arrows in the browser, or close their browser without logging out of their account.

  • If this preference is checked, users are asked to confirm that they want to navigate away from their account.

  • If this preference is not checked, the question is not asked.

This setting is not provided in the Modern Web App.

Enabling the Check Box for the Web Client

If Show selection checkbox for selecting email, contact, voicemail items in a list view for batch operations is enabled, when users view email messages,contacts, and tasks lists in the Content pane, a check box displays for each item. Users can select items and then perform an action such as mark as read/unread, move to a specific folder, drag and drop to a folder, delete, and tag for all those selected items.

Checkboxes are enabled by default on the Modern Web App.

Preferences Import/Export

From the Preferences Import/Export page in the Classic Web App or under Accounts → Primary account in the Modern Web App users may export all of their account data, including mail, contacts, calendar, and tasks. By selecting export options, they can export specific items in their account and save the data to their computer.

The account data is saved as a tar-gzipped (.tgz) archive file so that it can be imported to restore their account. Individual contacts are saved as .csv files, and individual calendar files are saved as .ics files. The data are copied, not removed from the user’s account.

The exported account data file can be viewed with an archive program such as WinZip. Any of these files can be imported into their account from the same page.

You can turn the Import/Export feature off from the COS or Account Features page, General Features section.

Adding Words to Spell Dictionary

If Classic Web App users frequently use words, abbreviations or acronyms that are marked as spelling errors during a Classic Web App spell check, you can update the COS or domain attribute zimbraPrefSpellIgnoreWord with the words that should be ignored when spell check is run.

To configure words to ignore for a domain:

zmprov md example.com +zimbraPrefSpellIgnoreWord <word> +zimbraPrefSpellIgnoreWord <word2>
This feature is supported only in the Classic Web App.

Hierarchical Address Book (HAB) in Zimbra

What is a HAB?

The hierarchical address book (HAB) allows users to look for recipients in their address book using organizational hierarchy. Typically, users only see the default global address list (GAL) whose structure doesn’t help understand who reports to whom or to identify one John Doe from another. Being able to customize a HAB, which maps to your organization’s unique business structure, provides your users with an efficient method for locating internal recipients.

Using Hierarchical Address Book

In a Hierarchical Address Book (HAB), your root organization (e.g., Zimbra) is the top-level tier. Under this top-level tier, you can add several child tiers to create a customized HAB that is segmented by division, department, or any other organizational level you want to specify. The following figure illustrates a HAB for Zimbra with the following structure:

  • The top-level tier represents the root organization — Zimbra.

  • The second-level child tiers represent the business divisions within Zimbra — Corporate Office, Engineering, Product Support, and Sales & Marketing.

  • The third-level child tiers represent departments within the Corporate Office division — Human Resources, Accounts, and Administration.

HABHierarchy
Figure 1. Example Hierarchy

Seniority Index

Seniority Index provides an additional level in the hierarchy. When creating a HAB, use this parameter to rank individuals or organizational groups by seniority within these organizational tiers. This ranking specifies the order in which HAB displays recipients or groups. A higher seniority index ensures that a user or group appears above another with a lower seniority index.

  • 100 for Vice President

  • 50 for Administration Operations Manager

  • 25 for Business Administrator

If the Seniority Index parameter isn’t set or is equal for two or more users, the HAB sorting order lists the users and groups in ascending alphabetical order.

Configuring hierarchical address books

Create an organizational unit (OU)

Format
zmprov createHABOrgUnit <domain name of OU> <OU Name>
Example
zmprov createHABOrgUnit example.com ZimbraOU
Explanation

ZimbraOU as an organizational unit created.

Create groups within this OU

You have to create a group and assign an email address for each department.

Format
zmprov createHABGroup <name of the group> <name of OU> <group email address>
Example

In this series of commands, we create 8 HAB groups — as per the Example Hierarchy.

zmprov createHABGroup Zimbra ZimbraOU zimbra@example.com
zmprov createHABGroup CorporateOffice ZimbraOU CorpOffice@example.com
zmprov createHABGroup Engineering ZimbraOU eng@example.com
zmprov createHABGroup ProdSupport ZimbraOU prodsupport@example.com
zmprov createHABGroup SalesAndMarketing ZimbraOU sales-mark@example.com
zmprov createHABGroup HumanResources ZimbraOU hr@example.com
zmprov createHABGroup Accounts ZimbraOU accounts@example.com
zmprov createHABGroup Administration ZimbraOU administration@example.com

Create Hierarchy

Each of these groups (except Zimbra) needs to be assigned a parent group to create a hierarchy.

Format
zmprov addHABGroupMember ParentGroupEmailAddress ChildGroupEmailAddress

In this series of commands, we designate 7 HAB groups — except Zimbra because it is root — as per the hierarchy in the figure Example Hierarchy.

For this, we add Human Resources, Accounts, and Administration to Corporate Office; and add Corporate Office, Engineering, Product Support, and Sales & Marketing to Zimbra.

zmprov addHABGroupMember CorpOffice@example.com hr@example.com
zmprov addHABGroupMember CorpOffice@example.com accounts@example.com
zmprov addHABGroupMember CorpOffice@example.com administration@example.com
zmprov addHABGroupMember zimbra@example.com CorpOffice@example.com
zmprov addHABGroupMember zimbra@example.com eng@example.com
zmprov addHABGroupMember zimbra@example.com prodsupport@example.com
zmprov addHABGroupMember zimbra@example.com sales-mark@example.com

Get Zimbra ID

zimbraId is a unique identifier associated with an email address. It is used to assign users to groups and to specify a group as root.

For this example, and everywhere else we have used a placeholder (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) for zimbraId.
Format
zmprov gdl <group email address> zimbraId
Example
zmprov gdl zimbra@example.com zimbraId
Example Output
# distributionList zimbra@example.com memberCount=4
zimbraId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Explanation

zimbra@example.com is the email address of the group which is to become root.

Add users to Groups

This example adds the users Jane Doe and John Smith to the group named CorporateOffice without affecting other existing members.

Format
zmprov addHABGroupMember <group email address> <user's email address>
Example
zmprov addHABGroupMember hr@example.com jane.doe@example.com
zmprov addHABGroupMember accounts@example.com john.smith@example.com

Set Sort Order

Configure the sort order for groups in the HAB. Groups with higher seniority index appear above groups with lower seniority index.

Format
zmprov modifyHABGroupSeniority <zimbra ID> <seniority index>
Example

To have Engineering appear above CorporateOffice — irrespective of their names and alphabetical order, get Zimbra ID, decide on a number in place of SeniorityIndexNumber, and run the below command.

Assign CorporateOffice a seniority index of 90

zmprov modifyHABGroupSeniority xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 90

Assign Engineering a seniority index of 100

zmprov modifyHABGroupSeniority xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 100
Commands used to set seniority index for groups also set Seniority Index for users.

Specify the root organization for the HAB

A group needs to be specified as root so that other groups can be added as child groups to comply with the organizational hierarchy. Run below command to make zimbra@example.com as root.

Format
zmprov md <domain name> zimbraHierarchicalAddressBookRoot <ZimbraID of the group to be made root>
Example
zmprov md 'example.com' zimbraHierarchicalAddressBookRoot xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Example Output
# distributionList zimbra@example.com memberCount=4
zimbraId: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Did it work?

  1. Log in to Zimbra client.

  2. Click New Message.

  3. In the Compose window, click the To field.

  4. On Select Addresses window, locate the Show Names from: drop-down on the top right corner.

  5. Choose Organizational Address Book.

  6. The address book in a hierarchical format appears in the left pane.

    HABStructure zimbra
  7. Click any group to view and select users of that group.

Manage Organisational Units (OUs)

List Organisational Units (OUs)

There can be multiple organizational units in a domain. This command lists all the OUs in a specified domain.

Format
zmprov listHABOrgUnit <domain name of OU>
Example
zmprov listHABOrgUnit example.com ZimbraOU
Explanation

All OUs in example.com listed.

Rename Organisational Units (OUs)

This command renames the specified OU in a domain.

Format
zmprov renameHABOrgUnit <domain name of OU> <OU Name> <New name for OU>
Example
zmprov renameHABOrgUnit example.com ZimbraOU ZMXOU
Explanation

ZimbraOU renamed to ZMXOU.

Rename Organisational Units (OUs)

This command deletes the specified OU in a domain.

Format
zmprov renameHABOrgUnit <domain name of OU> <OU Name>
Example
zmprov renameHABOrgUnit example.com ZimbraOU
Explanation

ZimbraOU deleted.

Provisioning User Accounts

When an account is provisioned, you create the mailbox, assign the primary account email address, and assign a class of service (COS) to enable Zimbra Collaboration applications and features.

You can configure one account at a time or migrate multiple existing accounts from a server.

Creating a Single User Accounts

Before adding a user account, determine which features and access privileges should be assigned. You can either assign a class of service (COS) with the features enabled when you create the account or you can configure the features for the individual accounts. For a description of the features, see Class of Service and Accounts.

If the COS you assign has the correct functionality for the account, you do not need to perform any additional configuration.

Creating an account sets up the appropriate entries on the Zimbra LDAP directory server. When the user logs in for the first time or when an email is delivered to the user’s account, the mailbox is created on the mailbox server.

Basic user account setup:

Admin Console:

Home → 3 Add Accounts → 1. Add Account

  1. In the Account Name section, enter the account name and the last name as a minimum to configure the account.

    The default COS is assigned to the account.

  2. Click Finish to create the account.

You can continue to configure features and functionality for the individual account. Changes you make to the account override the COS that is assigned to the account.

Migrating Accounts and Importing Account Email

Zimbra Collaboration Account Migration within the Zimbra Admin UI is no longer supported, with End of Technical Guidance set for 17 December 2019. We recommend Audriga’s self-service migration solution as a preferred alternative for all account migrations.

You can provision multiple accounts at one time using the Account Migration Wizard from the Administration Console. You can import accounts from either a generic IMAP server or from another Zimbra server.

Only accounts on Zimbra Collaboration 7.2 or later can be migrated to Zimbra Collaboration 8.

You can also import account names to provision from an XML file that you create.

You can run the migration wizard one time to provision accounts and import data or you can run the migration wizard the first time to provision the accounts and then run the wizard again to import the provisioned accounts' data.

Whether you get the account records from an LDAP directory or use an XML file, you need to set the password requirements for the newly provisioned accounts. The options are to have Zimbra randomly create passwords for each account or to set the same password on each account. You have the option to force users to change the password when they sign in the first time.

When the provisioning is complete, the wizard generates a .csv file with a list of new accounts. This includes the passwords that are generated. You should download this file for future reference. Choose a secure location to store the file as it can contain password information for the user accounts you provisioned.

If you’re running a split-domain configuration, you can set the SMTP host and port in the wizard. For more information about split domains, see the wiki article about split domains at https://wiki.zimbra.com/wiki/Split_Domain.

Migrating Accounts from a Zimbra Server

To migrate accounts from a server running Zimbra Collaboration 7.2 or later to Zimbra Collaboration 8.

Admin Console:

Home → 3 Add Accounts → 3. Migration and Co-existence

  1. In the Type of mail server field, select Zimbra Collaboration.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.

  3. Click Next.

  4. On the Overview dialog, Import from another Zimbra LDAP directory is selected. Click Next.

  5. On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.

    Table 42. Bulk Provisioning Features
    Bulk Provisioning Feature Description

    Generate random password

    If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.

    Default = 8 characters

    If you select to generate a random password, you must download the .csv file that is created so that you can give the password information to each user.

    Use same password

    If you select Use same password for all new accounts, enter the password to use.

    Require users to change password after first login

    It is recommended that this is checked to force users to change their passwords when they log on the first time.

    SMTP Host / SMTP Port

    For split domain configurations, set the SMTP Host name and port.

  6. Click Next.

  7. On the Directory connection dialog enter the information to connect to the server.

    Table 43. Directory Connection Options
    Directory Connection Options Description

    Automatically create missing domains

    Enable this option to create a domain when an account is imported and the domain they were on is not created.

    If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.

    Maximum records to fetch

    Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.

    Server name, LDAP URL, Port, and Use of SSL

    • The LDAP URL is entered as: ldap://<ldapdirectory.example.com>

    • The default port is 389, but you can change this.

    • Check SSL if this is used.

    Bind DN

    The Zimbra setting is in the field by default as uid=zimbra,cn=admins,cn=zimbra

    Bind password

    Enter the password for the server.

    LDAP filter

    In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.

    LDAP search base

    Configure the subsections of the LDAP forest to search.

  8. Click Next.

    The Account Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.

  9. Review the report generated and then click Next. The accounts are provisioned on the Zimbra Collaboration server.

  10. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Migrating Accounts from Generic IMAP Servers

Use steps in this section to provision accounts on the Zimbra server.

Admin Console:

Home → 3 Add Accounts → 3. Migration and Co-existence

  1. In the Type of mail server field, select Generic IMAP Server.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.

  3. Click Next.

  4. On the Overview dialog, Import from another LDAP directory is selected. Click Next.

  5. On the Bulk provisioning options page, select whether to generate random passwords or to assign the same password for each account.

    Table 44. Bulk Provisioning Features
    Bulk Provisioning Feature Description

    Generate random password

    If you select Generate a random password for each account, set the length for the password. The password can be from 6 to 64 characters.

    Default = 8 characters

    If you select to generate a random password, you must download the .csv file that is created so that you can give the password information to each user.

    Use same password

    If you select Use same password for all new accounts, enter the password to use.

    Require users to change password after first login

    It is recommended that this is checked to force users to change their passwords when they log on the first time.

    SMTP Host / SMTP Port

    For split domain configurations, set the SMTPHost name and port.

  6. Click Next.

  7. On the Directory connection dialog enter the information to connect to the server.

    Table 45. Directory Connection Options
    Directory Connection Options Description

    Automatically create missing domains

    Enable this option to create a domain when an account is imported and the domain they were on is not created.

    If you do not enable this, accounts from domains that do not exist on the server are not created. Disabling this option makes it easy to import accounts from specific domains that have been pre-created.

    Maximum records to fetch

    Enter the maximum number of accounts to import at one time. The default is 0, which means that no limits are set.

    Server name, LDAP URL, Port, and Use of SSL

    • The LDAP URL is entered as: ldap://<ldapdirectory.example.com>

    • The default port is 389, but you can change this.

    • Check SSL if this is used.

    Bind DN

    The Zimbra setting is in the field by default as uid=zimbra,cn=admins,cn=zimbra

    Bind password

    Enter the password for the server.

    LDAP filter

    In this field enter the LDAP search filter to run. Here you can define search criteria to collect the type of account information you want to import. The default filter in the field is (objectclass=zimbraAccount). This filter includes the email address, the account ID, and attributes for the account.

    LDAP search base

    Configure the subsections of the LDAP forest to search.

  8. Click Next.

    The Migration Wizard connects to the directory server and generates a report showing the number of domains found; number of accounts found on the server and how many of those accounts are already created on Zimbra. This dialog also shows the password options you configured.

  9. Review the report generated and then click Next. The accounts are provisioned on the Zimbra Collaboration server.

  10. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Migrating Accounts using an XML File

Use steps in this section to create an XML file with the account information and save it to a computer you can access.

Admin Console:

Home → 3 Add Accounts → 3. Migration and Co-existence

  1. In the Type of mail server field, select the type of server your are migrating from.

  2. If you are provisioning accounts, select Yes to import the account’s records. If you are not going to import the data at this time, in the Would you like to import mail, select No.

  3. Click Next.

  4. On the Overview dialog, select Import from an XML file.

  5. Click Next.

  6. The Review options dialog displays the number of domains; number of accounts and the password options configured in the XML file.

  7. If this information is correct, click Next. If this information is not correct, fix your XML file before proceeding.

    If you clicked Next, the accounts are provisioned on the Zimbra Collaboration server.

  8. Download the .csv file that lists the provisioned accounts and their passwords. The .csv file is deleted when you close the wizard. If you do not download the file, you cannot access the report later.

Importing Email for Selected Accounts

Use steps in this section to specify the list of accounts whose mail you want to import by either selecting the accounts to import data or by using an XML file to select the accounts.

Ensure that accounts are provisioned on the Zimbra server before attempting this procedure.
Admin Console:

Home → 3 Add Accounts → 3. Migration and Co-existence

  1. In the Type of mail server field, select the type of server your are importing the data from.

  2. In the Would you like to import account records menu, select No.

  3. In the Would you like to import mail menu, select Yes.

  4. Click Next.

  5. On the Import options dialog box, select which way you are going to specify the accounts whose mail is being imported.

  6. Click Next.

    If you are selecting accounts, go to step 7. If you are using an XML file go to step 9.

  7. If you are selecting the accounts to import, on the Selected Accounts dialog box, search for the accounts to add. You can search by domain or user name. If you click Search without entering text, all accounts are returned.

    Add the accounts to the Accounts for data import column.

  8. Click Next.

  9. If you are using an XML file with the accounts listed, browse to the XML file to use.

  10. Click Next.

  11. In the IMAP Connection details dialog box, enter the information necessary to connect to the exporting server’s IMAP, this includes the IMAP host name, port and administrator login information.

  12. Click Next.

  13. Review the data import options. If the information is correct, click Next.

XML File Examples

This section contains three examples of the XML file structure to provision accounts and import data.

Example 7. Using an XML file to provision accounts

The following example shows an XML file that is used to provision multiple email accounts without importing mail:

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>ssample@example.com</RemoteEmailAddress>
<password>test123</password>
<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
</User>
<User>
<sn>Zackry</sn>
<givenName>Zak</givenName>
<displayName>Zak Zackry</displayName>
<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress>
<password>test123</password>
<zimbraPasswordMustChange>TRUE</zimbraPasswordMustChange>
</User>
</ImportUsers>
</ZCSImport>
Example 8. Using an XML file to provision accounts from externally hosted domains

The following example shows an XML file that is used to provision multiple email accounts for externally hosted domain without importing mail.

In this example, the zimbraMailTransport attribute of newly provisioned accounts will be set to point to external SMTP server instead of the Zimbra server.

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<SMTPHost>smtp.example.com</SMTPHost>
<SMTPPort>25</SMTPPort>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>sam@example.com</RemoteEmailAddress>
</User>
<User>
<sn>Zackry</sn>
<givenName>Zak</givenName>
<displayName>Zak Zackry</displayName>
<RemoteEmailAddress>zzackry@example.com</RemoteEmailAddress>
</User>
</ImportUsers>
</ZCSImport>
Example 9. Using an XML file to import email

The following example shows an XML file that is used to import email for one account via IMAP from a gmail account without provisioning the email account in Zimbra. The account must be provisioned on Zimbra before running this type of XML file.

<?xml version="1.0" encoding="UTF-8"?>
<ZCSImport>
<IMAPHost>imap.gmail.com</IMAPHost>
<IMAPPort>993</IMAPPort>
<ConnectionType>ssl</ConnectionType>
<UseAdminLogin>0</UseAdminLogin>
<ImportUsers>
<User>
<sn>Sample</sn>
<givenName>Sam</givenName>
<displayName>Sam Sample</displayName>
<RemoteEmailAddress>sam@example.com</RemoteEmailAddress>
<RemoteIMAPLogin>sam@example.com</RemoteIMAPLogin>
<remoteIMAPPassword>test123</remoteIMAPPassword>
</User>
</ImportUsers>
</ZCSImport>

Auto Provisioning New Accounts from External LDAP

Auto provisioning of new accounts from external LDAP is supported via the CLI. This section describes the supported CLI attributes and auto provisioning methods.

Overview

When an external LDAP authentication mechanism - such as external LDAP authentication, preauth, or SPNEGO - is configured for a Zimbra domain, you can set up Zimbra to automatically create user accounts on Zimbra. Primary email address and account attributes are mapped from an external directory. You can configure how and when new accounts should be created from the external directory data.

Three modes are supported for auto-provisioning configuration.

Mode Description

Eager

Zimbra polls the external directory for accounts to auto provision. For this mode, you configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and which domains are scheduled for account auto provision on specified servers.

Guidelines are provided in Eager Mode Configuration.

Lazy

If a user logs into the Classic Web App the first time through one of the authentication mechanisms supported for auto provisioning, and if the user does not exist in the Zimbra directory, a new account is automatically created in Zimbra for this user.

Guidelines are provided in Lazy Mode Configuration.

Manual

Auto provisioning does not occurs: instead, the administrator manually searches from the configured external auto-provisioning LDAP source and selects an entry from the search result to create the corresponding Zimbra account for the external entry.

Guidelines are provided in Manual Mode Configuration.

When an account is created, the account name (consisting of the characters alongside the @ symbol) is mapped from a user attribute on the external directory that you define in zimbraAutoProvAccountNameMap. Other account information, such as first and last name, phone numbers, and address, is populated from the attributes mapped from the external directory based on zimbraAutoProvAttrMap. You can review the external directory’s attributes to determine those that should be mapped to a Zimbra attribute.

The COS assignment for auto-provisioned accounts is identical to the way that COS is determined for manually provisioned accounts:

  • If a COS is defined for the domain, this COS is assigned to the accounts that are created.

  • If a domain COS is not defined, the Zimbra default COS is assigned.

You can configure a Welcome email message to be sent to newly created accounts. The subject and body of this email can be configured with AutoProvNotification attributes on the domain.

Auto-Provisioning Attributes

The attributes listed in this section can be used with the zmprov command to configure auto provisioning of new accounts with an external LDAP directory.

zimbraAutoProvMode

Set auto provision mode as either EAGER, LAZY, and/or MANUAL. Multiple auto-provisioning modes can be enabled on a domain.

zimbraAutoProvAuthMech

Set type of authentication mechanism - as either LDAP, PREAUTH, KRB5, or SPNEGO - to enable for LAZY mode. Once a user authenticates via the specified authentication mechanism, and if the user account does not yet exist in the Zimbra directory, an account will be automatically created in the Zimbra directory.

zimbraAutoProvLdapURL

Set the LDAP URL of the external LDAP source for auto provisioning

zimbraAutoProvLdapStartTlsEnabled

Enable (TRUE) or disable (FALSE) the StartTLS protocol when accessing the external LDAP server for auto provisioning.
Default = FALSE.

zimbraAutoProvLdapAdminBindDn

Defines the LDAP search bind DN for auto provisioning.

zimbraAutoProvLdapAdminBindPassword

Set the LDAP search admin bind password for auto provisioning.

zimbraAutoProvLdapSearchBase

Set the LDAP search base for auto provisioning, used in conjunction with zimbra zimbraAutoProvLdapSearchFilter.
If not set, LDAP root DSE will be used.

zimbraAutoProvLdapSearchFilter

Defines the LDAP search filter template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

If both are set, zimbraAutoProvLdapSearchFilter will take precedence. See Placeholders for supported placeholders.

zimbraAutoProvLdapBindDn

Defines the LDAP external DN template for account auto provisioning. For LAZY mode, either zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn must be set.

If both are set, zimbraAutoProvLdapSearchFilter will take precedence. See Placeholders for supported placeholders.

zimbraAutoProvAccountNameMap

Defines the attribute name in the external directory that contains local part of the account name. This is the name used to create the Zimbra account. If this is not specified, the local part of the account name is the principal user used to authenticated to Zimbra.

zimbraAutoProvAttrMap

Defines the attribute map for mapping attribute values from the external entry to Zimbra account attributes. Values are in the format of {external attribute}={zimbra attribute}. If this is not set, no attributes from the external directory are populated in Zimbra account.

Invalid mapping configuration will cause the account creation to fail. Bad mapping may be due to conditions such as:

  • Invalid external attribute name.

  • Invalid Zimbra attribute name.

  • External attribute contains multiple values; the Zimbra attribute contains only a single value.

  • Syntax violation (such as external attribute=string, but Zimbra attribute=integer).

zimbraAutoProvNotificationFromAddress

Defines the email address to put in the From header for the Welcome email sent to the newly created account. If not set, no notification email is sent to the newly created account.

zimbraAutoProvNotificationSubject

Template used to construct the subject of the notification message sent to the user when the user’s account is auto provisioned.

Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}

zimbraAutoProvNotificationBody

Template used to construct the body of the notification message sent to the user when the user’s account is auto provisioned.

Supported variables: ${ACCOUNT_ADDRESS}, ${ACCOUNT_DISPLAY_NAME}

zimbraAutoProvListenerClass

Domain setting to define the class name of auto provision listener. The class must implement the com.zimbra.cs.account.Account.AutoProvisionListener interface. The singleton listener instance is invoked after each account is auto created in Zimbra. Listener can be plugged in as a server extension to handle tasks like updating the account auto provision status in the external LDAP directory.

At each eager provision interval, Zimbra does an LDAP search based on the value configured in zimbraAutoProvLdapSearchFilter. Returned entries from this search are candidates to be auto provisioned in this batch. The zimbraAutoProvLdapSearchFilter should include an assertion that will only hit entries in the external directory that have not yet been provisioned in Zimbra, otherwise it’s likely the same entries will be repeated pulled in to Zimbra. After an account is auto provisioned in Zimbra, com.zimbra.cs.account.Account.AutoProvisionListener.postCreate (Domain domain, Account acct, String external DN) will be called by the auto provisioning framework. Customer can implement the AutoProvisionListener interface in a Zimbra server extension and get their AutoProvisionListener.postCreate() get called. The implementation of customer’s post Create method can be, for example, setting an attribute in the external directory on the account just provisioned in Zimbra. The attribute can be included as a condition in the zimbraAutoProvLdapSearchFilter, so the entry won’t be returned again by the LDAP search in the next interval.

zimbraAutoProvBatchSize

Domain | Global setting to define the maximum number of accounts to process in each interval for EAGER auto provision.

zimbraAutoProvScheduledDomains

Server attribute that lists the domains scheduled for EAGER auto provision on this server. Scheduled domains must have EAGER mode enabled in zimbraAutoProvMode. Multiple domains can be scheduled on a server for EAGER auto provision. Also, a domain can be scheduled on multiple servers for EAGER auto provision.

zimbraAutoProvPollingInterval

Domain | Global setting to define the interval between successive polling and provisioning accounts in EAGER mode. The actual interval might take longer since it can be affected by two other factors: zimbraAutoProvBatchSize and number of domains configured in zimbraAutoProvScheduledDomains.

At each interval, the auto provision thread iterates through all domains in zimbraAutoProvScheduledDomains and auto creates accounts up to domain.zimbraAutoProvBatchSize. If that process takes longer than zimbraAutoProvPollingInterval than the next iteration starts immediately instead of waiting for zimbraAutoProvPollingInterval amount of time.

  • If set to 0 when server starts up, the auto provision thread will not start.

  • If changed from a non-0 value to 0 while server is running, the auto provision thread will be shutdown.

  • If changed from 0 to a non-0 value while server is running, the auto provision thread will be started.

Placeholders

Table 46. Placeholders for use with auto provisioning attributes
Tag Description Result

%/n

User name and the @ symbol

This returns user1@example.com

%u

User name without the @ symbol

This returns user1.

%d

Domain

This returns example.com

%D

Domain as dc

This returns example,dc=com

Eager Mode Configuration

With Eager mode, Zimbra polls the external directory for accounts to auto provision. You configure how often the external directory is polled for new users, the maximum number of users to process at each interval, and the domains to be scheduled for account auto-provisioning on specified servers.

  1. Log in to the Zimbra server as zimbra and type zmprov at the command prompt.

    zmprov
  2. Enable EAGER mode on the domain.

    md <example.com> zimbraAutoProvMode EAGER
  3. Set the maximum number of accounts to process in each interval

    md <example.com> zimbraAutoProvBatchSize <#>
  4. Configure the interval (in minutes) between polling and provisioning of accounts. This must be set to a non-0 value for the auto provisioning thread to start. Default = 15 minutes.

    ms <server.com> zimbraAutoProvPollingInterval <x minutes>
  5. Select the domains to be scheduled for auto provisioning. Multiple domains can be scheduled on the server.

    A domain can be scheduled on multiple servers.

    ms <server.com> +zimbraAutoProvScheduledDomains <domain1.com> \
      +zimbraAutoProvScheduledDomains <domain2.com>
  6. Configure the external LDAP settings:

    1. LDAP URL

      md <example.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"

      The LDAP port is typically 389.

    2. (Optional) Enable StartTls.

      md <example.com> zimbraAutoProvLdapStartTlsEnabled TRUE
    3. LDAP admin bind DN for auto provision:

      md <example.com> zimbraAutoProvLdapAdminBindDn "cn=admin, dc=autoprov, dc=company, dc=com"
    4. Administrator’s LDAP search bind password for auto provision.

      md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
    5. Search template to use when searching for users to auto provision.

      Example using the LDAP search filter:

      md <example.com> zimbraAutoProvLdapSearchFilter "(uid=<%placeholder>)"

      Refer to Placeholders for supported placeholders.

    6. LDAP search base for auto provisioning

      This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point.

      md <example.com> zimbraAutoProvLdapSearchBase "dc=autoprov,dc=company,dc=com"
      md <example.com> zimbraAutoProvLdapBindDn <"placeholder1">

      Refer to Placeholders for supported placeholders.

  7. (Optional) Define the attribute name that is mapped to the local part of the account name on the external directory. This is used to define the account name on Zimbra. If this is not specified, the local part of the account name is the principal user name used to authenticate to Zimbra.

    md <example.com> zimbraAutoProvAccountNameMap <value>
  8. (Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. The value is mapped in the form of {external attribute}={zimbra attribute}.

    Invalid mapping configuration will cause the account creating to fail.

    To map the "sn" value on the external entry to "displayName" on the Zimbra account and map description value on the external entry to description on the Zimbra account, type

    md <example.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
  9. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.

    md <example.com> zimbraAutoProvNotificationFromAddress <name@example.com>
  10. To exit zmprov, type

    exit

Lazy Mode Configuration

Lazy mode auto provisioning automatically creates a new account after a user authenticates from an external authentication mechanisms (LDAP, preauth, Kerberos 5, and/or SPNEGO).

  1. Log in to the Zimbra server as zimbra and type zmprov at the command prompt.

  2. Enable LAZY mode,

    md <example.com> zimbraAutoProvMode LAZY
  3. Select the external authentication mechanism for the LAZY mode: LDAP, PREAUTH, KRB5, SPNEGO. You can specify multiple authentication mechanisms.

    md <example.com> zimbraAutoProvAuthMech <type> +zimbraAutoProvAuthMech <type2>
  4. Configure the external LDAP settings

    1. LDAP URL:

      md <example.com> zimbraAutoProvLdapURL "ldap://xxx.xxx.xxx.xxx:<port>"

      The LDAP port is usually 389.

    2. (Optional) Enable StartTls

      md <example.com> zimbraAutoProvLdapStartTlsEnabled TRUE
    3. LDAP Admin bind DN for auto provision in the format cn=<LDAPadmin_name>, dc=autoprov, dc=<company_name>, dc=<com>

      md <example.com> zimbraAutoProvLdapAdminBindDn <"bindDN">

      For example, "cn=admin, dc=autoprov, dc=company, dc=com"

    4. Administrator’s LDAP search bind password for auto provision.

      md <example.com> zimbraAutoProvLdapAdminBindPassword <password>
    5. (Optional) Search template to use when searching for users to auto provision.

      Example: using LDAP search filter:

      md <example.com> zimbraAutoProvLdapSearchFilter <"placeholder">

      Refer to Placeholders for supported placeholders.

      zimbraAutoProvLdapSearchFilter or zimbraAutoProvLdapBindDn MUST be configured for LAZY mode.
    6. LDAP search base for auto provision. This is the location in the directory from which the LDAP search begins. This is used with zimbraAutoProvLdapSearchFilter. If this is not set, the LDAP directory root, rootDSE, is the starting point.

      md <example.com> zimbraAutoProvLdapSearchBase <"location">

      For example, "dc=autoprov,dc=company,dc-com"

    7. (Optional) Define the LDAP external DN template for account provisioning.

      md <example.com> zimbraAutoProvLdapBindDn "uid=%<placeholder1>, %<placeholder2>"

      Refer to Placeholders for supported placeholders.

  5. (Optional) Identify the attribute name on the external entry that contains the local part of the account name to be provisioned in Zimbra. If this is not specified, the local part of the account name is the principal user used to authenticate to Zimbra.

    md <example.com> zimbraAutoProvAccountNameMap <value>
  6. (Optional) Map the attribute values from the external entry to the Zimbra account attributes. If this is not set up, no attributes from the external directory are populated in the Zimbra directory. Value is in the form of {external attribute}={zimbra attribute}.

    To map the sn value on the external entry to displayName on the Zimbra account and map description value on the external entry to description on the Zimbra account, type as

    md <example.com> +zimbraAutoProvAttrMap sn=displayName +zimbraAutoProvAttrMap description=description
  7. (Optional) If you want to send a Welcome email to new accounts, enter the from address of the originator.

    md <example.com> zimbraAutoProvNotificationFromAddress <name@example.com>
  8. Exit zmprov, type exit.

Manual Mode Configuration

Use the Manual Mode setting to disable auto provisioning with an external LDAP server.

  1. Log in to the Zimbra server as zimbra and type zmprov at the command prompt.

  2. Enable MANUAL mode:

    md <example.com> zimbraAutoProvMode MANUAL

Managing Resources

A resource is a location or equipment that can be scheduled for a meeting. Each meeting room location and other non-location specific resources such as AV equipment is set up as a resource account. The Manage → Resources section in the Administration Console shows all resources that are configured for Zimbra Collaboration.

User accounts with the Calendar feature can select these resources for their meetings. The resource accounts automatically accept or reject invitations based on availability.

Administrators do not need to monitor these mailboxes on a regular basis. The contents of the resource mailboxes are purged according to the mail purge policies.

A Resource Wizard guides you through the resource configuration. You can configure the account with the following details about the resource:

  • Type of resource, either location or equipment

  • Scheduling policy

  • Forwarding address to receive a copy of the invite

  • Description of the resource

  • Contact information, which can be a person to contact if there are issues

  • Location information, including room name, specific building location including building and address, and room capacity

  • Customize auto response message and signatures to be used in the reply email messages

When you create a resource account, a directory account is created in the LDAP server.

To schedule a resource, users invite the equipment resource and/or location to a meeting. When they select the resource, they can view the description of the resource, contact information and free/busy status for the resource, if these are set up.

When the meeting invite is sent, an email is sent to the resource account, and, based on the scheduling policy, if the resource is free the meeting is automatically entered in the resource’s calendar and the resource is shown as Busy.

Set Up the Scheduling Policy

The scheduling policy establishes how the resource’s calendar is maintained. The following resource scheduling values can be set up:

  • Auto decline all recurring appointments — This value is enabled when the resource can be scheduled for only one meeting at a time. No recurring appointments can be scheduled for this resource.

  • Auto accept if available, auto-decline on conflict — When this option is selected, the resource account automatically accepts appointments unless the resource is already scheduled. The free/busy times can be viewed. You can modify the auto-decline rule to accept some meetings that conflict.

  • Manual accept, auto decline on conflict — When this option is selected, the resource account automatically declines all appointments that conflict. Appointment requests that do not conflict are marked as tentative in the resource calendar and must be manually accepted. If you set this up, configure the forwarding address so a copy of the invite is sent to the account that can manually accept the invitation. You can modify the auto-decline rule to accept some meetings that conflict.

  • Auto accept always — The resource account automatically accepts all appointments that are scheduled. In this case, free/busy information is not maintained, thus more than one meeting could schedule the resource at the same time. Because the resource always accepts the invitation, the suggested use for this policy would be for a frequently used location off premises that you want the location address to be included in the invite to attendees.

  • No auto accept or decline — The resource account is manually managed. A delegated user must log into the resource account and accept or decline all requests.

Conflict Rules — For accounts that include the auto decline on conflict value, you can set up a threshold, either as a number of conflicts or as a percentage of all the recurring appointments to partially accept recurring appointments.

Maximum allowed number of conflicts and/or Maximum allowed percent of conflicts are configured to allow a recurring resource to be scheduled even if it is not available for all the requested recurring appointment dates.

The resource accepts appointments even if there are conflicts until either the number of conflicts reaches the maximum allowed or the maximum percentage of conflicts allowed. In order for partial acceptance of a series to work, both fields must be set to nonzero values.

Manage Resource Accounts

You can log on to the resource account and set preferences for the resource. The Resource Accounts Preference → Calendar can be configured to let users manage the Resource’s Calendar. You can configure the following options to manage the resource.

  • An address to forward invites. If the forwarding address was set up when the account was provisioned, you can change the address

  • Who can use this resource. In the Permissions section, Invites, select Allow only the following internal users to invite me to meetings and add the appropriate users' email addresses to the list.

You can share the resource calendar with a user and give the user Manager rights. Users delegated as Manager have full administrative rights for that calendar. They can view, edit, add, remove, accept or decline the invites.

Managing User Accounts

Status of User Accounts

Admin Console:

Home → Manage → Accounts

The status of an account determines whether a user can log in and receive mail. The account status is displayed on the Accounts pane of the Administration Console.

Table 47. Status - User Accounts
Status Description

Active

The normal state for a mailbox account. Mail is delivered and users can log in to the client interface.

Maintenance

Logging is disabled and any mail addressed to this account is queued at the MTA.

Note that this state is automatically set for the account during a backup or when importing/exporting/ restoring the account.

Pending

Assignment for an account when it is created but not yet ready to become active. While pending, the login is disabled and messages are bounced.

Locked

The user cannot log in but mail continues to be delivered to the account. The locked state can be set if you suspect that a mail account has been compromised (used in an unauthorized manner).

Closed

Login is disabled and messaged are bounced. This status is used to soft-delete the account before deleting it from the server. A closed account does not change the account license.

LockOut

The automatic state that occurs if the user attempts to log in with an incorrect password. A LockOut cannot be administratively assigned but will occur after the number of user attempts exceeds the configured number of attempts allowed. The duration of the lockout is also configurable.

The administrator can remove the locked out status at any time.

Deleting an Account

Admin Console:

Home → Manage → Accounts

You can delete accounts from the Administration Console. This removes the account from the server, deletes the messages in the message store, and changes the number of accounts used against your license.

Before you delete an account, run a full backup of that account to save the account information. See also Backup and Restore.

Viewing an Accounts Mailbox

You can view a selected account’s mailbox content, including all folders, calendar entries, and tags from the Administration Console.

Admin Console:

Home → Manage → Accounts → account

Select an account, from the Gear icon select View Mail. The user’s Zimbra account opens in a new browser window.

This feature can be used to assist users who are having trouble with their mail account as you and the account user can be logged on to the account at the same time.

Any View Mail action to access an account is logged to the audit.log file.

Using an Email Alias

An email alias is an email address that redirects all mail to a specified mail account. An alias is not an email account. Each account can have unlimited numbers of aliases.

When you select Aliases from the Manage Aliases navigation pane, all aliases that are configured are displayed in the content pane. You can create an alias, view the account information for a specific alias, move the alias from one account to another, and delete the alias.

Working with Distribution Lists

A distribution list is a group of email addresses contained in a list with a common email address. When users send to a distribution list, they are sending the message to everyone whose address is included in the list. The address line displays the distribution list address; the individual recipient addresses cannot be viewed.

You can create distribution lists that require an administrator to manage the member list and you can create dynamic distribution lists that automatically manages adding and deleting members in the list. For more information about dynamic distribution lists, see Using Dynamic Distribution Lists.

You can see which distribution lists a user is a member of from the user’s account "Member of" page. When a Zimbra user’s email address is added to a distribution list, the user’s account Member Of page is updated with the distribution list name. When a distribution list is deleted, the distribution list name is automatically removed from the account’s "Member Of" page.

Setting Subscription Policies for Distribution Lists

Subscription policies can be set up to manage a distribution list’s membership. Owners of the list manage the subscription policy from the Properties page of a distribution list.

Distribution Option Description

New Subscription Requests

  • Automatically accept — Membership is open to anyone who subscribes.

  • Require list owner approval —  To subscribe, users send an email to the owner of the distribution list and the owner replies to this email request.

  • Automatically reject — No one can be added to this distribution list.

Unsubscription Requests

  • Automatically accept —  Anyone can remove their name from the list.

  • Require list owner approval — To be removed from the distribution list, users send an email to the owner. The owner must accept the email request to remove the name.

  • Automatically reject — Users cannot remove themselves from the list.

Management Options for Owners of Distribution Lists

You can add owners to distribution lists and they manage the list from their Zimbra account’s Address Book, Distribution List folder. Owners of a list can right-click a distribution list and click the Edit Group link to edit a list.

Besides adding and deleting members, distribution list properties that owners can configure include:

  • Marking the list as private so it is hidden in the Global Address List

  • Managing who can send messages to the list

  • Setting a member subscription policy

  • Adding additional owners

Creating a Distribution List

Use steps in this section to create a distribution list:

Admin Console:

Home → Manage → Distribution Lists

  1. From the Gear icon, click New.

  2. On the Members page, add the distribution list name. Do not use spaces. The other fields are optional.

  3. Find members to add to the distribution list in the right column. Select the members to add and click Add Selected. If you want to add all addresses on the page, click Add This Page. If you want to add members that are not in the company list, in the Or enter addresses below section, type a complete mail address.

  4. Click Next to configure the Properties page.

    Table 48. Distribution Properties Options
    Distribution Properties Options Description

    Can receive mail

    Enabled by default. If this distribution list should not receive mail select this box.

    Hide in GAL

    Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.

    Mail Server

    This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.

    Dynamic Group

    If you check this box, the Member URL field displays and you create a dynamic distribution list.

    New Subscription Requests

    Select from:

    • Automatically accept

    • Require list owner approval

    • Automatically reject

    Unsubscription Requests

    Select from:

    • Automatically accept

    • Require list owner approval

    • Automatically reject

  5. In the Members Of page, select distribution lists that should be direct or indirect members of the list.

  6. If the distribution list should have an alias, create it.

  7. If this distribution list can be managed by other users, enter these email addresses in the Owners page.

  8. Set how messages received to the distribution list should be replied to.

  9. Click Finish. The distribution list is enabled and the URL is created.

Managing Access to Distribution Lists

After a distribution list is created, you can manage who can view members of a distribution list and who can send messages to a distribution list. The default is all users have access to all distribution lists. This section describes how to use the CLI to manage access.

To limit who can access distribution lists, grant rights to individual users on a domain or if you want only members of a domain to access distribution lists, you can grant rights on the domain. When you grant the right on the domain, all distribution lists on the domain inherit the grant.

You can grant the right on individual distribution lists and configure specific users that are allowed to access the distribution list.

You can restrict access to a distribution list from the CLI zmprov grantRight (grr) command.

For more information about how granting rights works, see Delegated Administration.
Who Can View Members of a Distribution List

The default is that all users can view members addresses in a distribution list. A distribution list address displays a + in the address bubble. Users can click on this to expand the distribution list. A list of the addresses in the distribution list is displayed. Users can select individual addresses from the expanded list.

Restricting who can view addresses in a distribution list to individuals or to a domain:

  • For individual users:

    zmprov grr domain <domain_name> usr <user1@example.com> viewDistList
  • For all users in a domain:

    zmprov grr domain <domain_name> dom <example.com> viewDistList
  • To grant rights on a distribution list and let specific users view the list:

    zmprov grr dl <dll_name@example.com> usr <user1@example.com>
Who Can Send to a Distribution List

The default is that all users can send messages to all distribution lists. You can grant rights to a distribution list or to a domain that defines who can send messages to a distribution list. When users attempt to send to a distribution list that they are not authorized to use, a message is sent stating that they are not authorized to send messages to the recipient distribution list.

The Milter Server must be enabled from Home → Configure → Global Settings → MTA.

Restricting who can send messages to a distribution list to individuals or to a domain:

  • Granting rights to an individual user in a domain to send messages to all distribution lists.

    zmprov grr domain <domain_name> usr <user1@example.com> sendToDistList
  • Granting rights to all users in a domain to send messages to all distribution lists.

    zmprov grr domain <domain_name> dom <example.com> sendToDistList

Restricting access and to remove the restriction to individual distribution lists for different user types.

  • Access to specific internal users:

    zmprov grr dl <dlname@example.com> usr <username@example.com> sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> usr <username@example.com> sendToDistList
  • Access only to members of the distribution list:

    zmprov grr dl <dlname@example.com> grp <dlname2@example.com> sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> grp <dlname2@example.com> sendToDistList
  • Access only to all users in a domain:

    zmprov grr dl <dlname@example.com> dom <example.com> sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> dom <example.com> sendToDistList
  • Access only to all users in an external domain:

    zmprov grr dl <dlname@example.com> edom <example.com> sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> edom <example.com> sendToDistList
  • Access only to internal users:

    zmprov grr dl <dlname@example.com> all sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> all sendToDistList
  • Access only to all public email addresses:

    zmprov grr dl <dlname@example.com> pub sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> pub sendToDistList
  • Access only to specific external email address:

    zmprov grr dl <dlname@example.com> gst <someone@foo.com> "" sendToDistList

    Revoke access

    zmprov rvr dl <dlname@example.com> gst <someone@foo.com> "" sendToDistList
Enabling View of Distribution List Members for AD Accounts

To view Active Directory distribution list members in messages or in the address book, the GAL group handler for Active Directory must be configured in the Zimbra GALsync account for each Active Directory.

Use steps in this section to update the GALsync account for each Active Directory. This configuration requires that you know the GALsync account name and all data sources on that GALsync account.

  1. Display the Zimbra ID of the GAL sync account:

    zmprov gd {domain} zimbraGalAccountId

    To find the name:

    zmprov ga {zimbraId-of-the-GAL-sync-account} name
  2. Display data sources for the GALsync account:

    zmprov gds {gal-sync-account-name-for-the-domain}
  3. Enable the group handler for the Active Directory:

    zmprov mds {gal-sync-account-name-for-the-domain} {AD-data-source-name} \
     zimbraGalLdapGroupHandlerClass com.zimbra.cs.gal.ADGalGroupHandler

Using Dynamic Distribution Lists

Dynamic distribution lists automatically manage their membership. Users are added and removed from the distribution list automatically. When you create a dynamic distribution list, a member URL is specified. This member URL is used to identify who should be members of the list. You can view this URL from the Administration Console distribution list’s Properties page.

You can create dynamic distribution lists from the Administration Console or from the CLI. In the URL, you specify specific object classes that identify the type of users to be added to the dynamic distribution list. For example, you can configure a dynamic distribution list with the object class= zimbraAccount. In this case, when accounts are provisioned or accounts are deleted, the dynamic distribution list is updated.

You can create dynamic distribution lists for all mobile users or POP/IMAP users.

You can modify a distribution list to change the filter rules. When you modify a distribution list, the members in the list are changed to reflect the new rule.

Create Dynamic Distribution Lists

You can create a dynamic distribution list with the admin console or with the CLI, as described in this section.

Admin Console:

Home → Manage → Distribution Lists.

  1. From the Gear icon, click New.

  2. On the Members page, add the dynamic distribution list name. Do not use spaces. Do not add members to the list.

  3. Click Next to configure the Properties page.

    Table 49. Dynamic Distribution Lists Options
    Option Description

    Can receive mail

    Enabled by default. If this distribution list should not receive mail select this box.

    Hide in GAL

    Enable to create distribution lists that do not display in the Global Address List (GAL). You can use this feature to limit the exposure of the distribution list to only those that know the address.

    Mail Server

    This is set to auto by default. To select a specific mail server, uncheck auto and select a specific server from the list.

    Dynamic Group

    Check this box.

    Can be used in right management

    Uncheck this box.

    Member URL

    The Member URL is an LDAP-type URL defining a filter that determines which users are added to and removed from the list.

    Type the URL for this list. In the command, ldap://??sub? is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.

    Example 10. All users, GAL account names, and spam/ham account list
    ldap:///??sub?(objectClass=zimbraAccount)
    Example 11. Delegated administrators list
    ldap:///??sub?(&(objectClass=zimbraAccount)(zimbraIsDelegatedAdminAccount=TRUE))
    Example 12. All active accounts
    ldap:///??sub?(&(objectClass=zimbraAccount)(ZimbraAccountStatus=active))
    Example 13. All users with the title manager

    The title is taken from the account’s Contact Information Job Title field. In this example, this field would be set to "Manager".

    ldap:///??sub?(&(objectClass=zimbraAccount)(title=Manager))

    New Subscription Requests

    Select Automatically reject.

    Unsubscription Requests

    Select Automatically reject.

  4. If the dynamic distribution list should have an alias, create it.

  5. If this dynamic distribution list can be managed by other users, enter these email addresses in the Owners page.

  6. If you want to set up a reply to address, enter it here. Any replies to this distribution list are sent to this address.

  7. Click Finish. The dynamic distribution list is created.

Users are added automatically to the list based on the filter you specified. If you add or delete users, the list is updated.

If you use the CLI to modify a dynamic distribution list originally created on the Administration Console, you must set zimbraIsACLGroup FALSE for that dynamic distribution list.

Use the CLI zmprov command to manage dynamic distribution lists. In the command, ldap:///??sub? is the URL. You can add any combination of filters to this to create different types of dynamic distribution lists.

  1. Creating a dynamic distribution list of all new and existing accounts

    All users, GAL account names, and spam/ham account names are included. When user accounts are deleted, they are removed from the list.

    zmprov cddl <all@domain.com> zimbraIsACLGroup FALSE \
      memberURL 'ldap:///??sub?(objectClass=zimbraAccount)'
  2. Creating a COS and Assign Users

    If you create COSs and assign users to the COS based on specific criteria, such as all managers, you can quickly modify a dynamic distribution list to be used for a specific COS.

    Example 14. A dynamic distribution list that includes all users that have active accounts in a specific COS
    zmprov cddl <allusers@domain.com>  zimbraIsACLGroup FALSE \
      memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraAccountStatus=active))'
    Example 15. A dynamic distribution list that includes all users based on job titles

    To use this, the account’s Contact Information Job Title field must include the title. In this example it would be set to "Manager".

    zmprov cddl <allmanagers@domain.com> zimbraIsACLGroup FALSE' \
      memberURL ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (title=Manager))'
    Example 16. A dynamic distribution list for all delegated administrators
    zmprov cddl <alldelegatedadmins@domain.com> zimbraIsACLGroup FALSE \
      memberURL 'ldap:///??sub?(&(objectClass-zimbraAccount) (zimbraCOSId=513e02e-9abc-4acf-863a-6dccf38252e3) (zimbraIsDelegatedADminAccount=TRUE))'

Moving a Mailbox

Mailboxes can be moved between Zimbra servers that share the same LDAP server.

You can move a mailbox from either the Administration Console or use the CLI command zmmboxmove to reposition a mailbox from one server to another, without taking down the servers.

The destination server manages the mailbox move process. The move runs in the background and the account remains in active mode until most of the data has been moved. The account is locked briefly to move the last data and then returned to active mode.

The mailbox move process goes through the following steps:

  • Mailbox blobs are moved to the new server

  • When most of the content has been moved, the account is put into maintenance mode

  • Database tables, index directories, and any changed blobs are moved

  • The account is put back into active mode

After the mailbox is moved to a new server, a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. Check to see that all the mailbox content was moved successfully before purging the old mailbox.

  • Moving a mailbox to a new server

    zmmboxmove -a <email@address> --from <servername> --to <servername>
  • Purging the mailbox from the old server

    zmpurgeoldmbox -a <email@address> -s <servernamee>

Global Configuration Options for Moving Mailboxes

Global configuration options for moving a mailbox can be set to exclude search indexes, blobs, and HSM blobs when mailboxes are moved. The following configuration options can be set on either the exporting server or the destination server:

  • zimbraMailboxMoveSkipSearchIndex — If you do not include the search index data, the mailbox will have to be reindexed after the move.

  • zimbraMailboxMoveSkipBlobs — Blobs associated with the mailbox, including primary and secondary volumes (HSM) are excluded.

  • zimbraMailboxMoveSkipHsmBlobs — This is useful when HSM blobs already exist for the mailbox being moved. Set this if zimbraMailboxMoveSkipBlobs is not configured, but you want to skip blobs on HSM volumes.

Delegated Administration (*)

Starting with Zimbra 8.8, there are two versions of this feature, Standard and New Generation (NG) versions. Zimbra 8.7 and earlier included only the Standard version, which is explained below. To use and enable the NG version of this feature with Zimbra 8.8 and later, refer to the specific NG chapter later in this Guide.

The global administrator can create different delegated administrator roles.

Delegated administrator roles can be as simple as having the rights to manage one or more distribution lists or reset forgotten passwords for one or more users, to having domain administration rights on one or more domains.

Two frequently used delegated administrator roles, domain administrator and distribution list administrator, are already defined. You can add administrators to these predefined roles with no other configuration necessary.

Target Types for Granting Administrative Rights

Delegated administration provides a way to define access control limits on targets and grant rights to administrators to perform tasks on the target.

A target is a Zimbra Collaboration object on which rights can be granted. Each target is associated with a target type that identifies the type of access control entries you can grant on the target.

When selecting a target type for a target consider the following:

  • Target. Which specific target are you granting rights? For example, if the target type you select is "domain", which domain do you mean? You specify a specific domain’s name (Target Name = example.com). Access Control Entries (ACE) are granted on that target. An ACE is stored in an LDAP attribute on the target entry.

  • Is the right you want to grant applicable to the selected target type? A right can only be applied on the relevant target type. For example, creating an account can only apply to a domain target type, and the setting passwords can only apply to accounts and calendar resources target types. If a right is granted on a target that is not applicable to the target, the grant is ignored.

  • When defining rights, you need to consider the scope of targets in which granted rights are effective. For example, the right to set the password is applicable only to accounts and calendar resources, but if this right is included in the domain targets list of rights, it is effective for all accounts or calendar resource in the domain.

Table 50. Targets for rights
Target Type Description of Target Scope

Account

An account entry (a specific user)

Calendar Resource

A calendar resource entry

COS

COS entry

Distribution List

Includes the distribution list and all distribution lists under this distribution list.

If the right is applicable to accounts and calendar resources, all accounts and calendar resources that are direct or indirect members of this distribution list.

Domain

Applicable to a specific domain, not to any sub-domains.

Sub-domains must be explicitly marked as targets.

When domain is the target, the rights are granted for all accounts, calendar resources and distribution lists in the domain.

Config

Grants specific to global config

Global ACL

Administrator rights for all entries in a target type. For example, you could add an ACE to the Global Access Control List (ACL) that grants the right to create accounts on domains.

Delegated administrator accounts that are granted this right can create accounts in all domains in the system.

Server

Server entry

Zimlet

Zimlet entry

Rights

Rights are the functions that a delegated administrator can or cannot perform on a named target. A right is either system-defined or granted at the attribute level.

System-defined rights

Types of system defined rights include:

  • Preset rights (preset). For example, createAccount creates an account; renameDomain, renames the domain.

    Preset rights are associated with a fixed target type. For example, createAccount is a right only on a domain; renameAccount is a right on an account; getServer is a right on a server

    No other rights are required to administer that action on the target.

    Preset rights could involve accessing multiple targets. The grantee needs to have adequate rights on all pertinent targets. For example, to create an alias for an account, the grantee must have rights to add an alias to an account and to create an alias on a domain.

Attribute Right

Granting rights at the attribute level allow a delegated administrator/ administrator group to modify or view (or not modify or view) a specific attribute on a target.

Types of attributes rights include:

  • Attribute (setAttrs) rights allow the domain administrator to modify and view an attribute value. For example, the modifyAccount right allows the domain administrator to modify all attributes of the account.

  • Get attribute rights (getAttrs) let the domain administrator view an attribute value. For example, the getAccount right shows all the attributes for a user’s account.

The specific attribute being granted is configured on the target and the type of permission, read (get) or write (set), is specified.

Attribute rights can be granted in any combination of attributes to grant positive or negative rights. This lets you negate some attributes from a grant.

Combo Rights

Combo rights can be assigned to any target type and can include preset rights and attribute rights. You can use combo right to grant multiple attribute rights quickly on targets.

Negative Rights

Rights can be either positive or negative. Negative rights are rights specifically denied to a grantee.

  • When a negative right is granted to an admin group, all administrators in the group are denied that right for the target and sub-targets on which the right is granted.

  • When a negative right is granted to an administrator who may or may not be in an admin group, the specific administrator is denied that right for the target and sub-targets on which the right is granted.

An admin group is granted domain administrator rights, including the right to create accounts on Domain1. AdminA is in this admin group, but you want AdminA to have all domain administrator rights, except the right to create accounts. You would grant a negative createAccount right to AdminA on the target Domain1.

For grants on the same level, negative rights always take precedence. For example, AdminGroup1 is granted a positive right to view accounts in a domain; AdminGroup2 is granted a negative right to view accounts in the same domain. AdminA is a member in both admin groups. AdminA cannot view any account in this domain because the negative right takes precedence.

For grants on different levels, the most specific grant takes precedence. For example, AdminA is granted the negative right to view accounts in GroupDistributionList1, which User1 is a member. AdminA is also granted the positive right to view account directly on User1’s account. In this case, AdminA can view User1’s account as the grant on the account target is more specific than the grant on the distribution list.

Using the Rights List

System rights are listed and described in the Rights folder in the Administration Console Overview pane. You can use the Rights folder to help you define which system-defined rights to grant to delegated administrators. This folder displays the name of the right, the target types associated with that right, the right type and a brief description.

When you select a right on the page and click on it, another page displays more information:

  • For combo rights, a list of the rights associated with the combo right are listed.

  • For the other system rights, a list of attributes associated with the right are listed

You can use zmprov commands to view combo rights.

  • Direct sub-rights of a combo right

    zmprov gr adminConsoleDLRights
  • Second level sub-rights of the combo

    zmprov gr adminConsoleDLRights -e

Viewing System Defined Rights Lists

You can use zmprov commands to view system defined rights for a specific topic:

Table 51. Viewing Combo Rights with zmprov
To View This Use This zmprov Command

Account

zmprov gar -t account

Calendar Resources

zmprov gar -t calresource

COS

zmprov gar -t cos

Distribution List [1]


1. All rights for account and calendar resources can also be granted on distribution list targets. When these rights are granted on a distribution list, the ACEs apply the right to all direct or indirect account or calendar resource members of the distribution list.
zmprov gar -t dl

Domain

zmprov gar -t domain

Global Config [2]


2. All rights for accounts and calendar resources can also be granted on domain targets. All rights for distribution list can also be granted on domain targets. When rights are granted on a domain, the ACEs apply the right to all direct or indirect account calendar resources, and members of the distribution list in the domain.
zmprov gar -t config

Global Grant [3]


3. All rights for all other targets can also be granted on the global targets. When any rights are granted on a global grant entry, the ACEs apply the right to all entries on the system. For example, if you grant a createAccount (which is a domain right) to AdminA on the global grant entry, AdminA can create accounts in all domains on the system.
zmprov gar -t global

Server

zmprov gar -t server

Zimlets

zmprov gar -t zimlet

Implementing Delegated Administration

Before you create delegated administrators and grant rights, define the role and which rights to assign to the targets the administrator will manage.

For more efficient management of delegated administrators, create administrator groups and add individual administrator accounts to the group. An administrator group allows you to create role-based access control. Administrators with the same or almost the same responsibilities can be grouped into an admin group.

Delegated administration rights can be set up in one of the following methods:

  • Create an administrator or an administrator group and grant rights to the account using the Administrator Wizard.

  • Configure grants on existing administrator accounts. Add new rights or modify rights to an existing delegated administrator or administrator group account.

  • Add, modify and delete rights directly in a target’s Access Control List page.

Administrator Groups and Administrators

Administrator and group administrator accounts are created in the Administration Console.

Use the administration wizard to

  1. Create the create either an Admin Group or an Admin Account.

    1. Admin Groups are distribution lists (DL) that have Admin Group enabled, which flags it as a delegated administrator DL. After the admin group administrator is created and configured with rights and admin views, you add administrator user accounts to the admin group.

    2. Admin Account is a user account that has Administrator enabled on the account.

  2. Configure the admin views for the account. You select the views from the Directly Assigned Admin views list. An admin view represent the items the delegated administrator sees when logged on to the Administration Console.

    A directly assigned admin view is the view set on the admin account. An inherited admin view is the view set on the admin group the account belongs to.

  3. Configure the Grants. The Grants dialog displays a list the grants requiredto display the items you selected in the Directly Assigned Views column. You can accept these rights and add additional rights, skip this page to not configure these rights, or click Finish to accept these rights and quit the wizard.

Configure Grants on Administrator Accounts or Admin Groups

You can manage the rights granted to an administrator or an administrator group through the Configure Grants link on the accounts toolbar. When you click Configure Grant on the Manage Accounts Addresses toolbar, the Content pane shows a list of direct and inherited grants. You can grant rights, modify rights or delete rights on existing administrator accounts.

Grant ACLs to a Target

When you want to add a specific grantee or specific rights on a target you can edit the target directly. Each target has an ACL page which lists the granted ACLs. You can add, edit or delete the target’s grants. The administration account (grantee) is updated to reflect the change.

Revoking Rights

Global administrators can revoke any rights granted to an administrator.

Admin Console:

Home → Manage → Accounts

Open the desired administrator account and click Configure Grants.

  1. Select the right to revoke and click Delete.

  2. When the dialog asks if are sure, click Yes.

Delegated administrators can revoke rights if the right was created with the Can Grant the right to other admins enabled.

Temporarily Revoke Delegated Admin Rights

To temporarily revoke rights to a delegated administrator account, you can edit the administrator account and remove the check next to the Administrator field. The ACLs are not removed from the account.

View Rights Granted to Administrators

The View Rights link from an admin account or admin group account toolbar displays the granted rights, readable attributes and modifiable attributes associated with a specific target. Click on the tabs to view rights for different targets.

Predefined Delegated Administrator Role

The following pre-configured administrator groups are created automatically. You can assign administrator accounts to these groups.

Domain Administration Group

The zimbradomainadmins delegated admin group grants all the rights necessary to support Zimbra Collaboration domain administration for accounts, aliases, distribution lists and resources.

Administrators who are part of the zimbradomainadmins group can create and manage accounts including setting the account quota, aliases, distribution lists, and resources accounts in their domain.

When domain administrators log onto the Administration Console, only the functions they are authorized to manage are displayed on the console’s Navigation pane.

For domain administrators, all tasks are performed from the Administration Console. To facilitate easy log in, when a delegated administrator account is created, their Classic Web App account can have a link to the Administration Console.

The link is created from the zmprov CLI

zmprov md {server.example.com} zimbraWebClientAdminReference {https://server.example.com:7071/}
This feature is supported only in the Classic Web App.

Distribution List Administration Group

The zimbradladmin delegated admin group grants all the rights necessary to log on to the Administration Console and manage distribution lists.

Administrators who are part of this group can

  • View the account list

  • Create new distribution lists and delete distribution lists

  • Add, edit and remove members in a distribution list

Creating Delegated Administrator Roles

Manage multiple domains

To have one domain administrator manage more than one domain, you assign the rights to manage individual domains to the administrator account or administrator group.

For example, to set up domanadministrator1@example.com to manage domainexample1.com and domainexample2.com. Create a new administrator account on one of the domains to be managed.

  1. Create the administrator account on one of the domains to be managed (domainexample1.com)

  2. Select the views that domain administrators need to manage a domain. When the views are selected, the rights associated with these views automatically display on the Configure the Grants dialog.

  3. Configure the grants for this domain if they are different from the grants associated with the views you select.

  4. To add another domain to be managed (domainexample2.com).

    • On the Configure Grants page, click Add

    • Select the target type as domain

    • Enter the target’s domain name (domainexample2.com)

    • For Right Type, select System Defined Right

    • For Right Name type, adminConsoleAccountRights. Is Positive Right should be selected.

    • Click Add and More

    • The Add ACE page displays again and the Right Name field is empty. Type, adminConsoleDLRights and click Add and More.

    • Continue to add the following right names:

      • adminConsoleAliasRights

      • adminConsoleResourceRights

      • adminConsoleSavedSearchRights

      • adminConsoleDomainRights

    • After the last right, click Add and Finish. The Configure the Grants dialog displays these rights associated with the target domain. If you are adding another domain to manage, click Add and More. Repeat Step 4. If not, click Finish.

Manage Distribution Lists

To assign a user to manage a distribution list, you create a distribution list and enable Admin Group, select the view, grant the distribution list rights, add the user to the list and make that user an administrator.

  1. Create a new distribution list:

    • Check Admin Group

    • Add the user who will be the administrator as a member of the DL.

    • Go to the Admin Views page and check Distribution List View so the admin can view the distribution list.

    • Click Save.

  2. In the Configure Grants page, add the following rights.

    Table 52. Rights
    Right Name Target Type Target Right Type

    The following right let the administrator manage distribution lists.

    listDistributionList

    dl

    DL email address

    SD Right

    addDistributionListAlias

    dl

    DL email address

    SD Right

    addDistributionListMember

    dl

    DL email address

    SD Right

    modifyDistributionList

    dl

    DL email address

    SD Right

    getDistributionListMembership

    dl

    DL email address

    SD Right

    removeDistributionListMember

    dl

    DL email address

    SD Right

    This domain right displays user account list that the administrator can select from to add to a distribution list.

    listAccount

    domain

    DL email address

    SD Right

Change Passwords

To create delegated administrators who only change passwords, you create the admin or admin group, select the views and grant the set Account Password combo right.

  1. Select the following views

    • Account List view to be able to select accounts to change passwords

    • Alias List view to be able to find users who use an alias instead of account name.

  2. The Configure the Grants page displays recommended grants for the views you have chosen. For Change Password rights, do not configure these grants. Select Skip. Click Add to add the following right:

    Right Name Target Type Target Right Type

    setAccountPassword

    domain

    domain name

    SD Right

View Mail Access Right

View Mail access right can be granted on accounts, domains, and distribution lists.

Right Name Target Type Target Right Type

adminLoginAs

account, domain, dl

account, domain, or distribution list address

SD Right [4]


4. To deny the View Mail right on the target, check the box for Is Negative Right (Deny)

To prevent administrators from viewing an account with a domain or distribution list, assign the Is Negative Right to the account.

Manage Class of Service Assigned to Users

You can expand the domain administrator role to be able to view and change the class of service (COS) assigned to a user. To add the rights to manage the COS for a domain, add the following rights to the domain administrator account or domain administrator admin group.

Add the System Defined Rights to each COS in the domain.

Table 53. System Defined Rights for COS
Right Name Target Type Target Right Type

listCos

cos

COS name

SD Right

getCos

cos

COS name

SD Right

assignCos

cos

COS name

SD Right

This domain right displays the COS information in the user account’s General Information page.

zimbraCOSId

domain

domain name

Attribute Right
Verb: Write
AR Target: account

This role creates a delegated administrator role that can run the Search Mail tool to search mail archives or live mail for accounts. This also allows the administrator to create, abort, delete, purge or get status of a cross mailbox search request.

The Archiving and Discovery feature must be installed for this feature to work.
Right Name Target Type Target Right Type

adminConsoleCrossMailboxSearchRights

(combo)

server name where cross mailbox searches can be run

SD Right

For full functionality, this role includes the ability to create new accounts so that the admin can create the target mailbox to receive the search results. If you do not want this role to have the ability to create accounts, grant the following negative right as well.

Right Name Target Type Target Right Type

CreateAccount

domain

domain name

SD Right [5]


5. To deny the Create Account right on the target, check the box for Is Negative Right (Deny)

If you want this admin to also view the target mailbox with the results of the cross mailbox search, grant the right to view that mailbox only.

Right Name Target Type Target Right Type

adminLoginAs

account

cross mailbox search target account name

SD Right [6]


6. To deny the View Mail right on the target, check the box for Is Negative Right (Deny)

Manage Zimlets

This role creates a delegated administrator role that can create, deploy and view Zimlets.

Right Name Target Type Target Right Type

adminConsoleZimletRights

server, domain

server name or domain name

SD Right

adminConsoleAccountsZimletsTabRights

server, domain

server name or domain name

SD Right

Manage Resources

This role creates a delegated administrator that can create and manage resources.

Right Name Target Type Target Right Type

adminConsoleResourceRights

combo

server name or domain name

SD Right

Access to the Saved Searches

This role creates a delegated administrator that can access all the searches saved in the Administration Console Navigation pane, Search section.

Right Name Target Type Target Right Type

adminConsoleSavedSearchRights

combo

server name or domain name

SD Right

Access to the Server Status Pages

This role creates a delegated administrator that can access the Server Status page. In addition to granting this right, you must also select the Admin View, Global Server Status View.

Right Name Target Type Target Right Type

adminConsoleServerStatusRights

global

SD Right

Accounts that are configured as global administrator accounts cannot be granted ACLs. Global administrator accounts automatically have full rights on Zimbra Collaboration. If an ACL is added to a global administrator account, it is ignored. If a delegated administrator account is changed to a global administrator account, any ACLs associated with the account are ignored.

Monitoring Zimbra Servers

The Zimbra Collaboration (Zimbra) includes the following to help you monitor the Zimbra servers, usage, and mail flow:

  • Zimbra Logger package to capture and display server statistics and server status, and to create nightly reports

  • Mailbox quota monitoring

  • MTA mail queue monitoring

  • Log files

Also, selected error messages generate SNMP traps, which can be monitored using an SNMP tool.

Checking the overall health of the system as a whole is beyond the scope of this document.

Zimbra Logger

The Logger includes tools for syslog aggregation and reporting. Installing the Logger is optional, but if you do not install it, server statistics and server status information are not captured.

In environments with more than one Zimbra Collaboration server, Logger is enabled on one mailbox server only. This server is designated as the monitor host. The Zimbra Collaboration monitor host is responsible for checking the status of all the other Zimbra Collaboration servers and presenting this information on the Zimbra administration console. Real-time service status, MTA, spam, virus traffic and performance statistics can be displayed. The Logger creates a daily report about mail activity, such as the number of messages, average delivery delay, and errors generated.

In a multi-server installation, you must set up the syslog configuration files on each server to enable Logger to display the server statistics on the Administration Console, and you must enable the Logger host. If you did not configure this when you installed Zimbra Collaboration, do so now.

Enabling Server Statistics

Enable server statistics to show both system- wide and server specific data about the inbound message volume, inbound message count, anti-spam/anti-virus activity and disk usage for messages processed in the last 48 hours, 30 days, 60 days, and the last year.

  1. On each server, as root, type /opt/zimbra/libexec/zmsyslogsetup. This updates the syslog configuration to enable gathering server statistics.

  2. On the logger monitor host, you must configure syslog to accept syslog messages from remote machines. See https://wiki.zimbra.com/wiki/Configuring-Logger-Host for details.

These steps are not necessary for a single-node installation.

Reviewing Server Status

Admin Console:

Home → Monitor

The Server Status page lists all servers and services, their status, and when the server status was last checked. The servers include the MTA, LDAP, and mailbox server. The services include MTA, LDAP, Mailbox, SNMP, Anti-Spam, Anti-Virus, Spell checker, and Logger.

To start a server if it is not running, use the zmcontrol CLI command. You can stop and start services from the Administration Console.

Enabling or Disabling Server Services

Admin Console:

Home → Configure → Servers → server

Server services are enabled or disabled from the Servers → server page. Select Services in the Navigation pane and select to enable or disable services.

Viewing Server Performance Statistics

If the Logger package is installed on a Zimbra mailbox server, Server Statistics shows bar graphs of the message count, message volume, anti-spam, and anti-virus activity. The information is displayed for the last 48 hours, and 30 days, 60 days, and 365 days.

When Server Statistics is selected in the Navigation pane, consolidated statistics for all mailbox servers is displayed. Selecting a specific server in the expanded view shows statistics for that server only. Server specific information also includes disk usage, session information, and mailbox quota details.

The following display system-wide information:

  • Message Count — counts message transactions. A transaction is defined as either the SMTP receipt of a message per person (by Postfix) or a LMTP delivery of it (by mailboxd) per person. For example, if a message is sent to three people, six transactions are displayed. Three for SMTP to Postfix and three for LMTP to mailboxd. The message count is increased by six.

  • Message Volume — displays the aggregate size in bytes of transactions sentand received per hour and per day. Graphs show the total inbound data by volume in bytes.

  • Anti-Spam/Anti-Virus Activity — displays the number of messages that werechecked for spam or viruses and the number of messages that were tagged as spam or deemed to contain a virus. The AS/AV count is increased by one per message scanned. One message sent to three people counts as only one message processed by AS/AV.

    The Message Count and the Anti-spam/Anti-virus Activity graphs display a different message count because:

    • Outbound messages may not go through the Amavisd filter, as the system architecture might not require outbound messages to be checked.

    • Messages are received and checked by Amavisd for spam and viruses before being delivered to all recipients in the message. The message count shows the number of recipients who received messages.

Server-specific statistics also include the following details:

  • Disk — for a selected server displays the disk used and the disk space available. The information is displayed for the last hour, day, month, and year.

  • Session — displays information about the active Web client, administrator and IMAP sessions. You can see how many active sessions are opened, who is logged on, when the session was created and the last time the session was accessed.

  • Mailbox Quota — displays information about each account sorted by mailbox size in descending order. See Monitoring Mailbox Quotas.

Configuring Logger Mail Reports

The Logger generates a report about mail activity daily at 11:30 p.m. and sends it to the administrator’s email address.

You can configure the number of accounts to include in the report. The default is 25 sender and 25 recipient accounts.

  • Changing the number of recipients to add to the report:

    zmlocalconfig -e zimbra_mtareport_max_recipients=<number>
  • Changing the number of senders to add to the report:

    zmlocalconfig -e zimbra_mtareport_max_senders=<number>

Configuring Disk Space Notifications

You should regularly review your disk capacity and when disks are getting full, take preventative measures to maintain service. A warning alert email notification is sent to the administrator account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%.

You can change these values. Use zmlocalconfig to configure the disk warning thresholds.

  • Warning alerts

    zmdisklog_warn_threshold
  • Critical alert:

    zmdisklog_critical_threshold

When starting services with zmcontrol, if the threshold is exceeded a warning is displayed before the services are started. You should clean up your disk to free up space.

Monitoring Servers

The Zimbra Collaboration server collects many performance related statistics that can help you diagnose problems and load issues.

Admin Console:

Home → Monitor → Advanced Statistics

The Advanced Statistics page includes advanced graphing options that lets you generate various charts based on statistical information for the CPU, IO, mailboxd, MTA queue, MariaDB and other components.

To chart the graphics in Advanced Statistics, select one of these groups and then select from the list of specific counters for the type of information to display.

The information covers a wide array of data:

  • cpu.csv — CPU utilization. This group contains counters to keep track ofCPU usage (iowait, idle, system, user, time etc.). CPU information can be tracked both at the server level and the process level.

  • df.csv — Captures disk usage. Disk utilization is tracked for each diskpartition.

  • fd.csv — file descriptor count. Keeps track of system file descriptor usageover time. This is primarily used to track down "out-of-file descriptor" errors.

  • mailboxd.csv — Zimbra Collaboration server and JVM statistics. Mailboxdstores almost all of its statistics here. Interesting numbers to keep track of are heap_used, heap_free, imap_conn, soap_sessions, pop_conn, db_conn_count.

  • mtaqueue.csv — Postfix queue. This measures the mail queue size innumber of messages and the size in bytes.

  • proc.csv — Process statistics for Zimbra processes. For example mailboxd/java, MariaDB, OpenLDAP, etc.)

  • soap.csv — SOAP request processing time.

  • threads.csv — JVM thread counts. Counts the number of threads with acommon name prefix.

  • vm.csv — Linux VM statistics (from the vmstat command).

  • io-x.csv and io.csv — store data from the iostat(1) command (io-x.csv with iostat -x).

Configuring Denial of Service Filter Parameters

The denial-of-service filter (DoSFilter) limits exposure to requests flooding over HTTP/HTTPS. The DoSFilter throttles clients sending a large number of requests over a short period of time.

DosFilter is only applied to HTTP and HTTPS requests, in other words, it does not affect requests for any other protocols like POP3, IMAP or SMTP. You can modify the configuration to accommodate your specific environmental needs. DoSFilter is enabled by default on Zimbra. Disabling the DoSFilter is not recommended. For information on preventing multiple failed login attempts see Password Policy

Identifying False Positives

Sometimes Zimbra Connector for Outlook (ZCO), mobile ActiveSync clients, or running some zmprov commands trigger the DoSFilter. When this happens, the Zimbra mailbox service is unavailable. You can review the following logs to see if the DoSFilter was applied.

  • /opt/zimbra/log/sync.log.

Example 17. sync.log entry showing the DoSFilter
2021-01-15 15:52:20,426 WARN [qtp1635701107-91:https://x.x.x.x/
Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5ddddd3NR&DeviceType=iPhone&Cmd=FolderSync][name=zsupport2@domain.com;mid=64;ip=10.1.2.3;Cmd=FolderSync;DeviceID=Appl5K0113UN3NR;Version=12.1;] sync - Service exception com.zimbra.common.service.ServiceException: error while proxying request to target server: HTTP/1.1 503 Service Unavailable
ExceptionId:qtp1635701107-91:https://10.10.0.54:443/Microsoft-Server-ActiveSync?User=zsupport2&DeviceId=Appl5K0113UN3NR&DeviceType=iPhone&Cmd=FolderSync:1358286740426:c5ca7f36bb0a038f Code:service.PROXY_ERROR Arg:(url, STR,"http://mail.domain.com:80/service/soap/SyncRequest"
  • /opt/zimbra/log/zmmailboxd.out

Example 18. zmmailboxd.out entry showing the DoSFilter
2021-01-15 15:57:32.537:WARN:oejs.DoSFilter:DOS ALERT:ip=127.0.1.1,session=null,user=null

Customizing DoSFilter Configuration

The following attributes are used with zmprov to configure the DoSFilter. These attributes can be configured as global settings and as server settings. If these attributes are set in the server, the server settings override the global settings.

You can modify these settings, but the default configuration is recommended.

Attribute Description

DoSFilter Delay
zimbraHttpDosFilterDelay-Millis

The delay given to all requests over the rate limit before they are considered. The default is -1.

  • -1 = Reject request

  • 0 = No delay

  • Any other value = Delay is in ms

zmprov mcf zimbraHttpDosFilterDelayMillis {x}

DoSFilter Maximum Requests Per Second
zimbraHttpDosFilterMaxRequestsPerSec

The maximum number of requests from a connection per second. Requests in excess of this are throttled. The default is 30 and the minimum is 1.

zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec {x}

DoSFilter IP Addresses Whitelist
zmprov mcf zimbraHttpThrottleSafeIPs {x.x.x.x,192.168.x.x}

IP addresses to ignore when applying the DosFilter. This attribute does not have a default value, however the following loopback IPs are whitelisted by default.

  • 127.0.0.1

  • ::1

The IP addresses should be comma separated.

zmprov mcf zimbraHttpThrottleSafeIPs {addresses}

A mailbox server restart is required after modifying these attributes. Type:

zmmailboxdctl restart

Tuning Considerations for Zimbra Collaboration 8.0.3 and later

  • Zimbra Member Servers — Zimbra servers under the control of a single masterLDAP server are automatically whitelisted by IP address. These hosts are discovered using a GetAllServersRequest. Type as zmprov gas.

  • External Provisioning Hosts/SOAP API — External provisioning hosts can be added to the IP whitelist to ensure that the DoSFilter does not block some requests. For example, a mailbox reindex might make several calls per second that can trigger the DoSFilter.

Working with Mail Queues

When the Zimbra MTA receives mail, it routes the mail through a series of queues to manage delivery; incoming, active, deferred, held, and corrupt.

The incoming message queue holds the new mail that has been received. Each message is identified with a unique file name. Messages are moved to the active queue when there is room. If there are no problems, message move through this queue very quickly.

The active message queue holds messages that are ready to be sent. The MTA sets a limit to the number of messages that can be in the active queue at any one time. From here, messages are moved to and from the anti-virus and anti-spam filters before being delivered to another queue.

Messages that cannot be delivered are placed in the deferred queue. The reasons for the delivery failures are documented in a file in the deferred queue. This queue is scanned frequently to resend the message. If the message cannot be sent after the set number of delivery attempts, the message fails. The message is bounced back to the original sender. The default for the bounce queue lifetime is five days.

The held message queue keeps mail that could not be processed. Messages stay in this queue until the administrator moves them. No periodic delivery attempts are made for messages in the held queue.

The corrupt queue stores damaged unreadable messages.

Change the Bounce Queue Lifetime

  • The MTA server’s bounce queue lifetime is set for five days. To change the default queue lifetime setting

    zmlocalconfig -e bounce_queue_lifetime={#}
  • To permanently have messages bounced back to the sender, instead of being sent to the deferred queue first

    zmlocalconfig -e zimbraLmtpPermanentFailureWhenOverQuota=TRUE

Notifying Senders of Bounced Messages

Before the bounce queue lifetime sends the message back to the sender, senders can be notified that the message they sent is in the deferred queue and has not been delivered.

Configure the following attributes to send a warning message to the sender.

  • Configure the time after which the sender receives the message headers of email that is still queued.

    zmlocalconfig -c postfix_delay_warning_time=0h
  • Configure the recipient of postmaster notifications with the message headers of mail that the MTA did not deliver.

    zmlocalconfig -c postfix_bounce_notice_recipient=postmaster
  • Configure the list of error classes that are reported to the postmaster.

    zmlocalconfig -c postfix_notify_classes=resource,software
See Postfix documentation for details on the impact of changes to these Postfix attributes.

You can monitor the mail queues for delivery problems from the Administration Console.

Viewing Mail Queues

Admin Console:

Home → Monitor → Mail Queues

If you are having problems with mail delivery, you can view the mail queues from the Mail Queues page in the Administration Console to see if you can fix the mail delivery problem. When you open mail queues, the content of the deferred, incoming, active, hold, and corrupt queues at that point in time can be viewed. You can view the number of messages and where they are coming from and going to.

For each queue, the Summary pane shows a summary of messages by receiver domain, origin IP, sender domain, receiver address, sender address, and for the deferred queue, by error type. You can select any of the summaries to see detailed envelope information by message in the Messages pane.

The Messages pane displays individual message envelope information for search filters selected from the Summary pane.

The following mailbox queue functions can be performed for all the messages in a queue:

  • Hold to select a set of messages that you want to hold. Incoming, active,deferred, and corrupt messages can be moved to the Held queue. Messages stay in this queue until the administrator moves them.

  • Release to remove all message from the Held queue. Messages are moved to the Deferred queue.

  • Requeue all messages in the queue being viewed. Requeuing messages can be used to send messages that were deferred because of a configuration problem that has been fixed. Messages are re-evaluated and earlier penalties are forgotten.

  • Delete all messages in the queue being viewed.

The Zimbra MTA, Postfix queue file IDs are reused. If you requeue or delete a message, note the message envelope information, not the queue ID. It is possible that when you refresh the mail queues, the queue ID could be used on a different message.

Flushing Message Queues

You can flush the server of all messages. When you click Flush on the Mail Queue toolbar, delivery is immediately attempted for all messages in the Deferred, Incoming and Active queues.

Monitoring Mailbox Quotas

Mailbox quotas apply to email messages, attachments, calendar appointments, and tasks in a user’s account. When an account quota is reached, all mail messages are rejected. Users must delete mail from their account to get below their quota limit - this includes emptying their Trash, or you can increase their quota.

Viewing Quota

You can check mailbox quotas for individual accounts from Server Statistics on the Administration Console. Mailbox Quota gives you an instant view of the Mailbox Size and Quota Used information for each account.

Admin Console:

Home → Monitor → Server Statistics

  1. Select the server for which you want to view statistics.

  2. In the Navigation pane, select Mailbox Quota. The Mailbox Quota page displays with the following information:

    • Quota column shows the mailbox quota allocated to the account. Quotas are configured either in the COS or by account.

    • Mailbox Size column shows the disk space used.

    • Quota Used column shows what percentage of quota is used.

Increase or Decrease Quota

From a COS or Account, you can configure a quota threshold that, when reached, sends a message alerting users that they are about to reach their mailbox quota.

Admin Console:

Home → Configure → Class of Service → COS → Advanced
Home → Manage → Accounts → account → Advanced

  1. Scroll down to the Quota section.

  2. Modify the quota settings.

  3. Click Save.

Viewing MobileSync Statistics

The MobileSync Statistics page in the Monitor section in the admin console displays the number of currently connected ActiveSync devices that are on the Zimbra Collaboration system.

Monitoring Authentication Failures

To protect against dictionary-based and distributed attacks, you can configure the zmauditwatch. The script attempts to detect more advanced attacks by looking at where the authentication failures are coming from and how frequently they are happening for all accounts on a Zimbra mailbox server and sends an email alert to the administrator’s mailbox.

The types of authentication failures checked include:

  • IP/Account hash check — The default is to send an email alert if 10authenticating failures from an IP/account combination occur within a 60 second window.

  • Account check — The default is to send an email alert if 15 authentication failures from any IP address occur within a 60 second window. This check attempts to detect a distributed hijack based attack on a single account.

  • IP check — The default is to send an email alert if 20 authentication failures to any account occur within a 60 second window. This check attempts to detect a single host based attack across multiple accounts.

  • Total authentication failure check — The default is to send an email alert if1000 auth failures from any IP address to any account occurs within 60 seconds. The default should be modified to be 1% of the active accounts on the mailbox server.

The default values that trigger an email alert are changed in the following zmlocalconfig parameters:

  • IP/Account value, change zimbra_swatch_ipacct_threshold

  • Account check, change zimbra_swatch_acct_threshold

  • IP check, change zimbra_swatch_ip_threshold

  • Total authentication failure check, change zimbra_swatch_total_threshold

Configure zimbra_swatch_notice_user with the email address that should receive the alerts.

Viewing Log Files

Zimbra Collaboration logs its activities and errors to a combination of system logs through the syslog daemon as well as Zimbra specific logs on the local file system. The logs described below are the primary logs that are used for analysis and troubleshooting.

Local logs containing Zimbra Collaboration activity are in the /opt/zimbra/log directory.

  • audit.log — This log contains authentication activity of users and administrators and login failures. In addition, it logs admin activity to be able to track configuration changes.

  • clamd.log — This log contains activity from the anti-virus application clamd.

  • freshclam.log — This log contains log information related to the updating of the clamd virus definitions.

  • mailbox.log — This log is a mailboxd log4j server log containing the logs from the mailbox server. This includes the mailbox store, LMTP server, IMAP and POP servers, and Index server.

  • myslow.log — This slow query log consists of all SQL statements from the mailbox server that took more then long_query_time seconds to execute.

    long_query_time is defined in /opt/zimbra/conf/my.cnf.
  • spamtrain.log — This log contains output from zmtrainsa during regularly scheduled executions from the cron.

  • sync.log — This log contains information about Zimbra Collaboration mobilesync operations.

Other logs include:

  • /opt/zimbra/jetty/logs/ — This is where Jetty-specific activity is logged.

  • /opt/zimbra/db/data/<hostname>.err — This is the message store database error log.

  • /opt/zimbra/logger/db/data/<hostname>.err — This is the Logger database error log.

Zimbra Collaboration activity logged to System syslog

  • /var/log/zimbra.log — The Zimbra syslog details the activities of the ZimbraMTA (Postfix, amavisd, anti-spam, anti-virus), Logger, Authentication (cyrus-sasl), and Directory (OpenLDAP). By default LDAP activity is logged to zimbra.log.

Syslog

Zimbra Collaboration modifies the systems syslog daemon to capture data from the mail and local syslog facility to /var/log/zimbra.log. This allows syslogd to capture data from several Zimbra Collaboration components including Postfix, Amavis, ClamAV, mailboxd, zmconfigd, and logger. The SNMP module uses the data from the log file to generate traps for critical errors. The zmlogger daemon also collects a subset of the data in this file to provide statistics on the utilization of Zimbra Collaboration via the Administration Console.

By default, mailboxd is configured to log its output to /opt/zimbra/log/mailbox.log. You can enable mailboxd to take advantage of a centralized syslogd infrastructure by enabling the following either globally or by server:

zmprov mcf zimbraLogToSysLog TRUE

Using log4j to Configure Logging

The Zimbra Collaboration server uses log4j, a Java logging package as the log manager. By default, the Zimbra Collaboration server has log4j configured to log to the local file system. You can configure log4j to direct output to another location. Go to the Log4j website for information about using log4j.

Zimbra does not check the log4j changes. To remove all account loggers and reloads in /opt/zimbra/conf/log4j.properties, use the zmprov resetAllLoggers command.

Logging Levels

The default logging level is set to include logs that are generated for INFO, WARNING, ERROR and FATAL. When problems start to occur, you can turn on the DEBUG or TRACE log levels.

To change the logging levels, edit the log4j properties, log4j.properties, log4j.logger.zimbra.

When enabling DEBUG, you can specify a specific category to debug. For example, to see debug details for POP activity, you would type logger.zimbra.pop=DEBUG.

The following categories are predefined in log4j:

zimbra.account

Account operations

zimbra.acl

ACL operations

zimbra.backup

Backup and restore

zimbra.cache

Inmemory cache operations

zimbra.calendar

Calendar operations

zimbra.dav

DAV operations

zimbra.dbconn

Database connection tracing

zimbra.extensions

Server extension loading

zimbra.filter

Mail filtering

zimbra.gal

GAL operations

zimbra.imap

IMAP protocol operations

zimbra.index

Index operations

zimbra.io

Filesystem operations

zimbra.ldap

LDAP operations

zimbra.lmtp

LMTP operations (incoming mail)

zimbra.mailbox

General mailbox operations

zimbra.misc

Miscellaneous

zimbra.op

Changes to mailbox state

zimbra.pop

POP protocol operations

zimbra.redolog

Redo log operations

zimbra.security

Security events

zimbra.session

User session tracking

zimbra.smtp

SMTP operations (outgoing mail)

zimbra.soap

SOAP protocol

zimbra.sqltrace

SQL tracing

zimbra.store

Mail store disk operations

zimbra.sync

Sync client operations

zimbra.system

Startup/shutdown and other system messages

zimbra.wiki

Wiki operations

zimbra.zimlet

Zimlet operations

Changes to the log level take affect immediately.
Table 54. Logging Events
Level Local? Syslog SNMP Trap When Used

FATAL

Y

Y

Y

Designates very severe error events that the application to abort or impact a large number of users. For example, being unable to contact the MariaDB database.

ERROR

Y

Y

N

Designates error events that might still allow the application to continue running or impact a single user. For example, a single mailbox having a corrupt index or being unable to delete a message from a mailbox.

WARN

Y

N

N

Designates potentially harmful situations but are usually recoverable or can be ignored. For example, user log in failed.

INFO

Y

N

N

Designates information messages that highlight the progress of the application, basic transaction-level logging. For example, server start-ups, mailbox creation/deletion, account creation.

DEBUG

Y

N

N

Events that would generally be useful to help a customer debug problems.

(*) A few non-critical messages such, as service startup messages, will generate traps.

Protocol Trace

Protocol trace is available in the following logging categories:

zimbra.smtp
zimbra.lmtp
zimbra.soap
zimbra.imap
zimbra.imap-client
zimbra.pop
zimbra.pop-client

Reviewing mailbox.log Records

The mailbox.log file contains every action taken on the mailbox server, including authentication sessions, LMTP, POP3, and IMAP servers, and Index server. Review the mailbox.log to find information about the health of your server and to help identify problems.

mailbox.log records valid and invalid login attempts, account activity such as opening email, deleting items, creating items, indexing of new mail, server activities including start and stop. The progress of an activity on the mail server is logged as INFO. If the expected results of the activity fails and errors occurs, an exception is written to the log.

You can set up logging options for a single account in order to trace account activity for one user without filling up mailbox.log with log messages for unrelated accounts. See Command-Line Utilities, the zmprov miscellaneous section.

Log pattern

by default log entries in mailbox.log have the following Log4j pattern:

%d %-5p [%t] [%z] %c{1} - %m%n

This pattern consists of 6 blocks of data:

  • Date and time (e.g.: 2021-01-22 19:23:07,100)

  • Log level (e.g. INFO)

  • Thread name (e.g. [qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest], [Index-9], etc.)

  • Zimbra Collaboration context

  • Component name (e.g. soap, mailbox, mbxmgr, etc.)

  • Log message. Note: the log message section may span multiple lines. When a log message contains an exception, the stack trace will always start on a new line below the error message.

You can read more about Log4j patterns in Log4j PatternLayout documentation.

Thread name in mailbox.log

Thread names in mailbox.log are prefixed to identify internal components. Most threads have one of the following naming convention: "{thread prefix}-{thread number}" or "{thread prefix}-{thread number}:{url}".

The following {thread prefix} values are currently used for thread names in Zimbra Collaboration: btpool, pool, LmtpServer, ImapServer,ImapSSLServer, Pop3Server, Pop3SSLServer, ScheduledTask, Timer, AnonymousIoService, CloudRoutingReaderThread, GC, SocketAcceptor, Thread, qtp.

Threads with prefix qtp are created by Jetty QueuedThreadPool and have the following naming convention: "qtp{hash code}-{thread number}:{url}" where {hash code}` is the hash code value of the instance of QueuedThreadPool that owns the thread (see Object::hashCode in Java platform documentation).

{thread number} in thread names is an integer that monotonically increases within each thread factory. Thread numbers are reset when mailboxd process is stopped or restarted.

Log records reported by threads that serve SOAP requests will usually contain URL of the request being served in {url} part of thread name, as in the following example:

Mailbox Log Entry for SOAP

Due to a known bug in Zimbra Collaboration {url} part of the thread name may contain duplicate protocol identifier, as in the following example:

[qtp1043351526-547:https:https://localhost:7071/service/admin/soap/DeleteAccountRequest]

Zimbra Collaboration Context in mailbox.log

[%z] section in the log pattern describes Zimbra Collaboration context and consists of key-value pairs in the format key=value, separated by semi-colons (;). In cases where a value contains a semi-colon, the semi-colon is replaced with a double semi-colon (;;). E.g., browser UserAgent strings often include semi-colons, such as this one "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36". In mailbox.log, this UserAgent string will appear as following:

ua value with double semi-colon

The following key value pairs are currently supported and may be recorded in log entries in any order and any combination:

  • ip — IP of the TCP/IP client making a request

  • oip — originating IP address. When a request is made through NGINX proxy, this value will contain the IP address of the client application, while ip value will contain the IP address of the proxy server

  • cid — connection id of a server that is monotonically increasing - useful for tracking individual connections

  • id — ID of the target account

  • name — name of the target account (email address)

  • aid — ID of the authenticated account. Only present if target account is different then authenticated account

  • aname — name of the authenticated account. Only present if target account is different then authenticated account

  • mid — ID of requested mailbox. Only present if request is dealing with a mailbox

  • ua  — name of the client application (i.e. User Agent)

  • via — list of IP addresses and user-agents of the request’s proxy chain

  • soapId — ID assigned to a SOAP request to track proxied hops for a particular request

  • msgid — value of Message-ID header of the message being operated on

  • ds — name of the Data Source being operated on

  • port — server port to which the client connected

  • oport — originating port number of request

  • oproto — originating protocol of request. This can be passed by internal components that make SOAP requests on behalf of a user (e.g. MTA)

The example below is a record showing that on October 25, 2021, 28 minutes after midnight, a POP3 client with IP address 222.173.186.17 has contacted the Zimbra Collaboration server and that the request was proxied through a local proxy server with IP 10.1.1.136.

Mailbox Log Entry for POP

The following example shows a record of a failed IMAP STATUS request sent by user1@mydomain.com using AquaMail mobile app. The user’s device has IP address 72.83.144.255 (as reported in oip field). The request came to IMAP server via Zimbra Collaboration nginx proxy, which has IP address 10.4.4.138 (as reported in ip and via fields).

Mailbox Log Entry for IMAP

The following example shows a record of LMTP server delivering a message. The IP address in this log message most likely belongs to Zimbra Collaboration MTA running on local network.

Mailbox Log Entry for LMTP

The next example shows a record of MailboxPurge thread purging message with ID 462 from the mailbox of test@mydomain.net. This log message does not have ip, oip, port or via fields, because it originates from an internal process rather than from an external request.

Mailbox Log Entry for Purge

Handler Exceptions and Stack Traces

If an error occurs during the progress of an activity, a handler exception is added to the end of the log record to notify you that an event occurred during the execution of the process that disrupted the normal flow. This signals that some type of error was detected.

Example 19. Handler Exception
007-06-25 00:00:10,379 INFO [btpool0-1064] [name=nriers@example.com;mid=228;ip=10.2.3.4;ua=zimbra Desktop/0.38;] SoapEngine - handler exception

Sometimes a stack trace is displayed after the exceptions notification. A stack trace reports the threads and monitors in Zimbra’s mailboxd service. This information aids in debugging, because the trace shows where the error occurred. The last few entries in the stack often indicate the origin of the problem. When the caused by descriptor is included in the log line, this is the root of the error. In the example below, the error was caused by 501, bad address syntax.

Example 20. Stack Trace
com.example.cs.mailbox.MailServiceException: Invalid address: Jon R
at com.example.cs.mailbox.MailServiceException.internal_SEND_FAILURE (MailServiceException.java:412)
at com.example.cs.mailbox.MailServiceException.SEND_ABORTED_ADDRESS_FAILURE MailServiceException.java:416)
...
at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)

Caused by: com.example.cs.mailbox.MailSender$SafeSendFailedException: 501 Bad address syntax; chained exception is: com.sun.mail.smtp.SMTPAddressFailedException: 501 Bad address syntax
at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1196)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:584)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:98)
at com.example.cs.mailbox.MailSender.sendMessage(MailSender.java:409)
at com.example.cs.mailbox.MailSender.sendMimeMessage(MailSender.java:262)
... 30 more
Mailbox log files

The mailbox.log files rotate daily. The mailbox log files are saved in /opt/zimbra/log. Previous mailbox.log file names include the date the file was made. The log without a date is the current log file. You can back up and remove these files.

Troubleshooting Mail Problems

To review the mailbox.log for errors, search for the email address or the service that is experiencing the problem. Also, search for WARN or ERROR log levels, read the text of the message. When you find the error, review the records, tracing the events that happened before the problem was recorded.

System Crashing

When your system crashes, locate the startup message and then look for errors before the startup message date. This example shows an out-of-memory error on June 17, 2021.

Example 21. Startup message
2021-06-25 01:56:18,725 INFO [main] [] soap - Servlet SoapServlet starting up

Look for errors before the startup message.

Example 22. Error message
2021-06-17 20:11:34,194 FATAL [btpool0-3335] [name=samd@example.com;aname=abcadmin@example.com;mid=142;ip=10.3.4.5;ua=zimbraConnectorForBES/5.0.207;] system - handler exception java.lang.OutOfMemoryError: PermGen space
Mail Delivery Problem

Locate the "LmtpServer" service. This example includes a stack trace report with a caused by explanation that the recipient address was rejected as the address must be a fully-qualified address.

Example 23. Mail delivery problem
2021-06-25 10:47:43,008 INFO [LmtpServer-250]
[name=bigen@example.com;mid=30;msgid=<1291804360.35481182793659172.JavaMail.root@example.com>;] lmtp - rejecting message bigen@example.com: exception occurred
com.zimbra.cs.mailbox.MailServiceException: redirect to too failed
at com.zimbra.cs.mailbox.MailServiceException.internal_SEND_FAILURE (MailServiceException.java:412)
at com.zimbra.cs.mailbox.MailServiceException.SEND_FAILURE(MailServiceException.java:424)
at com.zimbra.cs.filter.zimbraMailAdapter.executeActions(zimbraMailAdapter.java:286)
at org.apache.jsieve.SieveFactory.evaluate(SieveFactory.java:151)
at com.zimbra.cs.filter.RuleManager.applyRules(RuleManager.java:177)
at com.zimbra.cs.lmtpserver.zimbraLmtpBackend.deliverMessageToLocalMailboxes(zimbraLmtpBackend.java:325)
at com.zimbra.cs.lmtpserver.zimbraLmtpBackend.deliver(zimbraLmtpBackend.java:140)
at com.zimbra.cs.lmtpserver.LmtpHandler.doDATA(LmtpHandler.java:441)
at com.zimbra.cs.lmtpserver.LmtpHandler.processCommand(LmtpHandler.java:205)
at com.zimbra.cs.tcpserver.ProtocolHandler.processConnection(ProtocolHandler.java:231)
at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:198)
at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:619)

Caused by:
com.zimbra.cs.mailbox.MailSender$SafeSendFailedException: 504 <too>: Recipient address rejected: need fully-qualified address ;
chained exception is: com.sun.mail.smtp.SMTPAddressFailedException: 504 <too>: Recipient address rejected: need fully-qualified address
at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1196)
at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:584)
at javax.mail.Transport.send0(Transport.java:169)
at javax.mail.Transport.send(Transport.java:120)
at com.zimbra.cs.filter.zimbraMailAdapter.executeActions(zimbraMailAdapter.java:281)
... 10 more
Account Error - Login error

mailbox.log logs any successful or unsuccessful login attempts from IMAP, POP3 or ZWC. When you are looking for a login error, start by looking for "Auth." This example shows that someone from IP address 10.4.5.6 was trying to log in as admin on the Zimbra Classic Web App, using Firefox in a Windows OS. Permission was denied because it was not an admin account.

Example 24. Account Error - Login error
2021-06-25 09:16:11,483 INFO [btpool0-251] [ip=10.4.5.6;ua=zimbraWebClient - FFX.X (Win);] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: permission denied: not an admin account
at com.zimbra.common.service.ServiceException.PERM_DENIED(ServiceException.java:205)
at com.zimbra.cs.service.admin.Auth.handle(Auth.java:103)

When you are looking for a log because of an IMAP or POP issue, look for "ImapServer/Pop3Server." This example shows a fatal IMAP server error occurred while trying to connect siress@example.com.

Example 25. Account Error - IMAP error
mailbox.log.2021-06-19:2021-06-19 15:33:56,832 FATAL [ImapServer-2444] [name=sires@example.com;ip=127.0.0.1;] system - Fatal error occurred while handling connection

Reading a Message Header

Each email message includes a header that shows the path of an email from its origin to destination. This information is used to trace a message’s route when there is a problem with the message. The Zimbra email message header can be viewed from the Zimbra Classic Web App Message view. Right-click on a message and select Show Original.

The following lines are in the message header:

  • Date — The date and time the message was sent. When you specify time, you can specify range by adding start and stop time to search for messages.

  • From — The name of the sender and the email address

  • To — The name of the recipient and the email address. Indicates primary recipients.

  • Message-ID — Unique number used for tracing mail routing

  • In-Reply-To — Message ID of the message that is a reply to. Used to link related messages together.

  • Received: from — The name and IP address the message was sent from. The header displays Received: from information from the MTA to the LMTP and from the local host.

Fixing Corrupted Mailbox Index

Mail messages and attachments are automatically indexed before messages are deposited in a mailbox. Each mailbox has an index file associated with it. This index file is required to retrieve search results from the mailbox.

If a mailbox’s index file becomes corrupt or is accidentally deleted, you can re-index the messages in the mailbox from the Administration Console.

Text searches on an account might or might not fail with errors when the index is corrupt. You cannot count on a user reporting a failed text search to identify that the index is corrupt. You must monitor the index log for messages about corrupt indexes. If the server detects a corrupt index, a message is logged to the Zimbra mailbox.log at the WARN logging level. The message starts with Possibly corrupt index. When this message is displayed, the administrator must correct the problem. In many cases correcting the problem might mean reindexing the mailbox.

Reindexing a mailbox’s content can take some time, depending on the number of messages in the mailbox. Users can still access their mailbox while reindexing is running, but because searches cannot return results for messages that are not indexed, searches may not find all results.

Checking for Index Corruption

Run a sanity check on a specific mailbox index using the zmprov verifyIndex command.

zmprov verifyIndex <user@example.com>

If problems are detected, a failure status is returned and a repair can be performed on the index.

Repairing and Reindexing a Corrupt Index

Use the reIndexMailbox command to repair and reindex a corrupt index.

zmprov reIndexMailbox <user@example.com> start

This returns a status of started.

SNMP Monitoring and Configuration

SNMP Monitoring Tools

You will probably want to implement server monitoring software in order to monitor system logs, CPU and disk usage, and other runtime information.

Zimbra Collaboration uses swatch to watch the syslog output to generate SNMP traps.

SNMP Configuration

Zimbra Collaboration includes an installer package with SNMP monitoring. This package should be run on every server (Zimbra Collaboration, OpenLDAP, and Postfix) that is part of the Zimbra Collaboration configuration.

The only SNMP configuration is the destination host to which traps should be sent.

Errors Generating SNMP Traps

The Zimbra Collaboration error message generates SNMP traps when a service is stopped or is started. You can capture these messages using third-party SNMP monitoring software and direct selected messages to a pager or other alert system.

Checking MariaDB

The MariaDB database is automatically checked weekly to verify the health of the database. This check takes about an hour. If any errors are found, a report is sent to the administrator’s account. The report name that runs the MariaDB check is zmbintegrityreport, and the crontab is automatically configured to run this report once a week.

When the MariaDB database is checked, running this report can consume a significant amount of I/O. This should not present a problem, but if you find that running this report does affect your operation, you can change the frequency with which zmbintegrityreport is run. See Zimbra Crontab Jobs.

Checking for Zimbra Collaboration Software Updates

When Zimbra Collaboration is installed, the Zimbra Collaboration software update utility is automatically configured to check for the latest Zimbra Collaboration version once a day and if there is an update, to send notification to the address that is configured in the Administration Console’s Server Updates.

The dates and times Zimbra Collaboration checked for updates is saved to the Updates tab and an email notification is sent out until you update the Zimbra version. If you do not want to receive an email notification of updates, disable Send notification email when updates are available.

You can configure the following:

  • Server that checks for updates — Available servers are listed and only one server is configured. The selected server checks for updates and the result of the update response from www.zimbra.com is stored in LDAP.

  • Check for updates every x — The default is to check once a day. You can change the frequency interval to check every x hours, minutes, or seconds. A cron job is configured to check for new updates. If the frequency interval is less than 2 hours, the crontab file must be modified.

  • Updates URL — This address is the URL that the server connects to when checking for updates. When a Zimbra Collaboration server checks for updates, it transmits its version, platform, and build number to Zimbra. Normally, this URL is not changed.

  • To be notified of updates, check the Send notification email when updates are available and enter the send to and send from addresses. The default address is the administrator’s address.

  • A generic email is created. The subject and content of the email can be changed.

  • When a server polls the URL specified, the response is displayed.

Updating Zimbra Connector for Microsoft Outlook

The Zimbra Connector for Microsoft Outlook (ZCO) msi file is available from the Zimbra Utilities Downloads page on the Administration Console. When a newer version of ZCO is released before a new version of Zimbra, you can upload the newer ZCO msi file to the Zimbra server from the Administration Console. The file is uploaded to the /opt/zimbra/jetty/webapps/zimbra/downloads folder.

Admin Console:

Home → Tools and Migration → Client Upload

  1. Download the new ZCO file to a computer that you can access from Client Upload in the Administration Console

  2. Click Browse to locate the ZCO file to upload.

  3. Restart Zimbra:

    zmcontrol restart

    or run

    /opt/zimbra/libexec/zmupdatedownload

The downloads/index.html file is updated with the latest ZCO client version. This new file can be downloaded from the ZCO link on the Administration Console Home → Tools and Migration → Download page.

If you do not restart the server, the ZCO download link on the Zimbra Utilities Download page does not select the newer version to download.

Notifications and Alerts Sent by Zimbra Collaboration

Service status change notification

This notification is sent when service are stopped or restarted.

Server Start Notification Message
Subject: Service <service_name> started on <zimbra_host>

Service status change: <zimbra_host> <service> changed from stopped to running
Server Stop Notification Message
Subject: Service <service_name> stopped on <zimbra_host>

Service status change: <zimbra_host> <service> changed from running to stopped
Disk usage notification

A warning alert email notification is sent to the admin account when disk space is low. The default is to send a warning alert when the threshold reaches 85% and a critical alert when the threshold reaches 95%

Subject: Disk <volume> at ##% on <zimbra_host>

Disk warning: <zimbra_host> <volume> on device <device_name> at ##%

Duplicate mysqld processes running notification

A script is executed to see if mysqld process is running to detect cases where corruption is likely to be caused. An email is generated if it finds more than 1 mysqld process running.

Subject: ZCS: Duplicate mysqld processes detected!

PID:$pid PPID:$ppid PGRP:$pgrp

CMD: $cmdline

More then $maxcnt mysqld processes are running Parent processes
include: $procs This should be investigated immediately as it may lead to
database corruption

SSL certificates expiration notification

A report runs on the first of each month and warns of certificates expiring with the next 30 days.

Subject: ZCS: SSL Certificates approaching expiration!

The Administration Console and CLI Certificate Tools guide provides
instructions on how to replace you self-signed or commercial certificate.

https://wiki.zimbra.com/index.php?title=Administration_Console_and_CLI_Certificate_Tools SSL Certificate expiration checked with $0 on <zimbra_host>.

Daily report notification

When the logger package is installed, a daily mail report is automatically scheduled in the crontab. The report is sent daily to the administrator’s mailbox.

Subject: Daily mail report for <day>

<daily report data>

Database integrity check notification

The MariaDB database can be checked by running the zmdbintegrityreport automatically scheduled in the crontab to run on a weekly basis. A report is sent to the administrator’s mailbox.

Subject: Database Integrity check report for <zimbra_host>

Generating report can't run $cmd: $!

Database errors found.

$cmd --password=XXXXXXXX

<cmd output>

No errors found

command failed $!

Backup completion notification

When configuring the type of backups that should be run, you can set up to receive notification about the results of a backup session.

Subject: ZCS BackupReport:SUCCESS

Server: <server>

Type: incremental

Status: completed

Started: Fri, 2021/07/13 01:00:05.488 PDT

Ended: Fri, 2021/07/13 01:10:09.842 PDT

Redo log sequence range: 2 ..  2

Number of accounts: 500

Archiving and Discovery

Zimbra Archiving and Discovery is an optional feature that enables archiving of messages that were delivered to or sent by Zimbra Collaboration and to search across mailboxes.

The installation of the archiving feature provides the Zimbra Collaboration discovery tool (also known as cross mailbox search) and sets the attributes that allow archiving to be enabled on the Zimbra MTAs.

Archiving is configured on a per account basis. Each account enabled for archiving requires a Zimbra archive license. When archiving is enabled for an account, a copy of all email from or to that account is forked at the MTA and a copy of the message is delivered to a predefined archive mailbox. The archiving process is transparent to account users.

Discovery allows you to conduct a search for email messages across live and archived mailboxes and copy the results to a specified mailbox.

How Archiving Works

When a message is sent or received by a user, the message is always routed through the Postfix MTA. The Postfix MTA allows integrating software that can perform actions on messages that are in flight. When archiving is enabled for the sender or the recipient of messages, Zimbra Archiving integrates with an MTA hook and the Amavisd-New utility to fork a copy of the message.

The “does recipient or sender have archiving enabled” check is performed on the SMTP standard envelope and not on the From or To/Cc headers. Since checks are performed on the envelope, Bcc copies and messages sent to distribution lists are captured.

Example 26. Sending messages with archiving enabled

For example, if User A sends a message to User B, and if User B has archiving enabled, the MTA delivers two messages — one to User B’s mailbox and one to User B’s archive mailbox. The message received in User B’s mailbox looks normal, as shown in the following example:

Received: from localhost (localhost.localdomain [127.0.0.1])…
From: userA@example.com
To:userB@example.com
Subject: New License Key
Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom>
Date: Mon, 04 Nov 2021 23:48:18 -0000

Hi B,

Can you send me the license key for the software again?

Thanks, A

The message received in User B’s archive mailbox contains additional X-Envelope-From and X-Envelope-To headers. These headers show the real email address the message was sent from and each of the email addresses that the message was sent to.

Received: from localhost (localhost.localdomain [127.0.0.1])…
From: userA@example.com
To:userB@example.com
Subject: New License Key
Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom>
X-Envelope-From: userA@example.com
X-Envelope-To: userB@example.com
Date: Mon, 04 Nov 2021 23:48:18 -0000

Hi B,

Can you send me the license key for the software again?

Thanks, A

Zimbra archiving can be set up to create archiving accounts that are maintained within Zimbra Collaboration or to work with third-party archiving systems using SMTP forwarding to send messages to a third-party archive server. For third-party archiving, Zimbra Collaboration is configured to act as the forwarding agent.

How Discovery Works

The discovery feature of Archiving and Discovery is used to search across live* and archive mailboxes for email messages and attachments. The discovery tool can be run from the Administration Console and the results are copied to a target mailbox that you specify.

* A live mailbox is an account on the system other than archive accounts and system accounts.

You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. You can also create queries to search by name, dates and time ranges, distribution list, aliases.

Search results are placed in a target mailbox. You can organize your search results by creating different target mailboxes or by creating individual folders within a target mailbox for each search you run. X-zimbra-Source header information is added to each message header that is copied to the targeted mailbox. This header label includes the account ID, the account name, and the server that the account resides on.

You can see the results of the search by logging on to the target mailbox address.

Installing the Archiving Package

You can install the archiving package on an existing single-server deployment or on a multi-server deployment.

If the mailbox server and the MTA server reside on the same node, you configure and enable archiving as a single process. If your mailbox and MTA servers are on separate nodes, the zimbra-archive package is installed first on at least one mailbox server and then the archiving component is enabled on each MTA in the deployment.

Installing zimbra-archiving in a Single-Server Environment

The following scenario assumes that the LDAP, MTA, mailstore and archiving servers are on the same node.

  1. Refer to the Zimbra Collaboration Single Server Installation Guide to open an SSH connection to the Zimbra Collaboration server. Log on to the server as root and run the ./install.sh command to begin the upgrade process.

  2. Accept the license agreement and type Yes to run the upgrade.

  3. Type Yes for zimbra-archiving when presented with the packages to be installed.

The upgrade process begins and the archiving package is installed. At this point, the Discovery feature is installed and can be used.

To enable archiving, switch to the zimbra user and enable archiving on the MTA server.

zmprov ms <zmhostname> +zimbraServiceEnabled archiving

Restart the server.

zmcontrol restart

Installing zimbra-archiving in a Multi-Server Environment

The following upgrade scenario is adding a new server that is dedicated as an archiving server to your Zimbra Collaboration environment.

Before beginning the install process, record the following information. You need this information when you install the archiving server. Run the zmlocalconfig -s command to find the information.

LDAP Admin Password _____________________
LDAP Hostname       _____________________
LDAP Port           _____________________

Refer to the Multiple-Server Installation chapter in the Zimbra Collaboration Multi-Server Installation guide for detailed steps on installing the packages.

  1. Open an SSH connection to the mailbox server that is being configured for archiving. Log on to the server as root and unpack the Zimbra software. Run the ./install.sh command to begin the install process.

  2. Type y and press Enter to install the following packages:

    • zimbra-store

    • zimbra-archiving

      The zimbra-core package is installed by default.

  3. Type y and press Enter to modify the system.

  4. The Main menu displays the default entries for the Zimbra component you are installing. To expand the menu, type x and press Enter.

  5. Select the Common Configuration menu and configure the LDAP Hostname, LDAP password, and LDAP port.

  6. Select the zimbra-store menu and configure the Admin password and the License file location.

Complete the installation process following the steps in the Multi-server Installation guide, under Installing Zimbra Mailbox Server.

At this point, the Discovery feature is installed and can be used.

Manage Archiving From the Administration Console

After Archiving is installed, you can set up archiving and manage it from the Administration Console.

Enable Archiving

Admin Console:

Home → Configure → Global Settings → MTA, from Archiving Configuration check Enable archiving

Restart Zimbra from the command line

zmcontrol restart

Creating a Dedicated Archive COS

You can configure attributes in the COS to set mailbox features, quotas, and passwords, turn off spam and virus checks, and hide the archive accounts from GAL.

Admin Console:

Home → Configure → Class of Service, from the Gear icon select New

  1. Change Features and Preferences as required for an Archiving COS.

  2. If you have a dedicated archive server, in the Server Pool page, deselect the archiver server from the list. In a multi-server deployment with a dedicated archive server, the server should be removed from the COS server pool so that the archive server is not randomly assigned to new accounts.

    These steps to remove the server from the server pool are not done in a single-server deployment. Creating a dedicated archiving COS is a good idea as this makes it easy to create archive mailboxes that are configured the same.
  3. Modify the options on the Advanced page if required.

  4. In the Archiving page, check the Enable archiving box to make this COS an archiving cos.

  5. If you want to change the format for the naming scheme for archive accounts, modify the two template fields. See the Setting Up an Archive Account Name section for more information.

  6. Click Finish.

Setting Up an Archive Account Name

You use attributes to create and manage the naming scheme for archive accounts. You can set up these attributes either by COS or by account. For COS, these attributes can be changed from the Administration Console, COS or individual account’s Archiving page.

  • Account date template. Sets the date format used in the name template. The default is yyyyMMdd. Adding the date to the account name makes it easier to roll off older data from the system to backups.

  • Account name template. Sets up how the archive mailbox name is created. The default value is ${USER} ${DATE}@${DOMAIN}.archive.

The archive account address would be similar to the following example:

user-20210510@example.com.archive

If you change the default value, you must use syntax that creates a valid email address. We recommend that you add .archive to all archive accounts to create archive mailboxes in a non-routable domain to prevent spoofing of the archives.

When the template based on the zimbraArchiveAccountDateTemplate attribute is set up, amavisArchiveQuarantineAccount is updated to the new template name when zmconfigarchive is run.

Administering the archive server

The amavisd-new server process controls account archiving as well as antivirus and anti-spam processes. The zmarchivectl command can be used to start, stop, restart or obtain the status of the amavisd-new server process that controls account archiving. Caution should be taken when starting or stopping the archiving process as it is a shared server process between archiving, antivirus, and anti-spam processes. Performing actions on any of them affect any of the other services that may be enabled in your deployment.

If you want to disable archiving but not antivirus or anti-spam services, disable the respective service either through the CLI or through the Administration Console.

Set Up Archiving for a Users Mailbox

Four attributes are related to the archive feature for accounts. Two that configure a mailbox and two template attributes to construct the archive account names.

To set up archiving for a mailbox two attributes are configured on the primary user’s mailbox. One attributed enables archiving and the second shows where messages are being archived.

  • Currently archived to — The current archive address. Archiving is to a single account. If this is unset, archiving is not enabled.

  • Archived accounts — Any previous and current archive addresses that this mailbox was archived to. containing all the accounts that have been archived for the given account.

Archive Mailboxes

You can create an archive mailbox with or without an assigned COS. You can also forward archive email to a third-party.

Accounts with archiving enabled are counted against the number of Zimbra licenses purchased for archiving. Archive mailboxes are listed in the Administration Console along with the live accounts. To see current license information, go to the Administration Console:
Home → Configure → Global Settings → License.

Creating an archive mailbox and assigning a COS

Archive accounts are created based on the Zimbra Archive name templates.

  • The attribute — zimbraIsSystemResource — is added to the archive account and set to TRUE.

  • The archive account is displayed in the Administration Console.

  • When a message is received in a mailbox with archiving enabled, a copy of the message is sent to the archive mailbox.

Log on as zimbra, and use the zmarchiveconfig command:

zmarchiveconfig enable <account@example.com> archive-cos <archive>

Creating an Archive Mailbox with No COS or Password

If the archive account is not assigned a COS, the following settings are set by default.

  • Mailbox quota is set to 0, unlimited quota.

  • Spam and virus checks are disabled.

  • Hide in GAL is enabled, so the archive account does not display in the GAL

Log on as zimbra, and use the zmarchiveconfig command:

zmarchiveconfig enable <user@example.com>

Enabling Archive Forwarding to a Third-party Archiving Server

If the archive account is not maintained within Zimbra Collaboration, you do not need to set a password, COS, or other attributes.

Log on as zimbra, and use the zmarchiveconfig command:

zmarchiveconfig enable <account@example.com> \
 archive-address account-archive@offsite.com \
 archive-create false

Searching Across Mailboxes

When the archiving and discovery feature is installed, you can search across mailboxes either from the Administration Console or through the command line interface.

You do not need to have any archive mailboxes configured to search across mailboxes, but the Archive package must be installed.

You can assign a user to run the mailbox searches from the Administration Console by creating a delegated administrator with rights to access the mailbox search tool.

Cross Mailbox Search from the Administration Console

The discovery tool, Search Mail, is added to Tools and Migration on the Navigation pane when the archiving package is added. To set up a cross-mailbox search you configure the following information.

Admin Console:

Home → Tools and Migration → Search Mail, from the Gear icon select New

  • Server name. The server name to be searched.

  • Target mailbox and folders. One target mailbox and folder are created automatically. You can use this mailbox for all your search results and create new folders for each search, or you can create a new target mailbox for each separate search.

    A target mailbox is like any other mailbox and can have any features or preferences that are defined by the COS or by account. Target mailboxes are listed in the Administration Console Accounts list. You might want to give the target mailboxes account names that identify them as target mailboxes for cross-mailbox searches and configure a COS specific for target mailboxes to be able to manage access.

  • Limit the number of messages returned by the search. The default is 500 results.

  • You can select to send an email notification when the search is completed. The email notification includes the search task ID and status on the subject line and you can specify the type of information to include in the message, such as the number of messages found, the list of addresses resulting from the search and the search query used.

  • Select which mailboxes to search. When you check Select accounts to search, you select which account addresses to search.

  • Create the search query. You can search outgoing and incoming email by date, from, to, cc, subject, keywords, and attachments. Advanced can be used to quickly create a query to search by name, dates and time ranges, distribution list, aliases.

    When searching archive messages, you can search by the envelope address using the envfrom and envto query language extensions.

As the search runs, the Search Mailbox Content pane lists the search and the status. Click Refresh to update this page.

Delete the search task when it is completed because it occupies server memory. When the server is restarted, past searches are deleted.

When you use the discovery feature in the Administration Console, the tool makes copies of messages in the target mailbox you create. The messages occupy server space, increasing the size of your server. You might want to delete these messages from the target mailbox when they are no longer needed.

The Legal Intercept feature makes copies of email messages sent, received, or saved as drafts from targeted accounts and sends these messages to a designated “shadow” email address.

Legal Intercept can be configured to send the complete content of the message or to send only the header information. When a targeted account sends, receives, or saves a draft message, an intercept message is automatically created to forward copies of the messages as attachments to the specified email address.

The Legal Intercept feature can be configured either for a Class of Service or an individual account. The feature is configured from the CLI, using zmprov.

The only required configuration to set up Legal Intercept is to enable the feature — zimbraInterceptAddress — on target accounts or COS.

You can enable the attribute zimbraInterceptSendHeadersOnly to send only the header information of the email message instead of sending the complete message.

Specify the intercept address to receive intercepted messages.

  • If enabling intercept by COS:

    zmprov mc <cosname> zimbraInterceptAddress <account@intercept.example.com>
  • If enabling Intercept for an account:

    zmprov ma <accountname@example.com> zimbraInterceptAddress <account@intercept.example.com>

If you are going to use the default intercept message template and From address (postmaster@<yourdomain.com>`), a Legal Intercept is set up.

To forward the header information, instead of the complete message for an account:

zmprov ma <accountname@example.com> zimbraInterceptSendHeadersOnly TRUE

Modifying the Intercept Cover Email Message

An email message is automatically created to forward copies of the intercepted messages as attachments. The default message includes:

  • From address is “postmaster@<yourdomain.com>”

  • Subject line “Intercept message for <account@yourdomain.com> <interceptedmessage subject>”

  • Message “Intercept message for <account@yourdomain.com>.
    Operation=<type of message>, folder=<foldername>, folder ID=<#>”.

The cover email message can be modified. Use the following parameters to modify the email message.

ACCOUNT_DOMAIN

Domain of the account being intercepted.

ACCOUNT_ADDRESS

Address being intercepted

MESSAGE_SUBJECT

Subject of the message being intercepted.

OPERATION

Operation that the user is performing, “add message”, “send message”, or “save draft”.

FOLDER_NAME

Name of the folder to which the message was saved.

FOLDER_ID

ID of the folder to which the message was saved.

NEWLINE

Used for formatting multi-line message bodies.

Use steps in this section to change the from-name, the subject line, or text in the message body:

  • To change the From name:

    zmprov ma <accountname@example.com> zimbraInterceptFrom '<newname@example.com>'
  • To change the text of the Subject line:

    zmprov ma <accountname@example.com> zimbraInterceptSubject \
     '<Intercepted message subject text> parameter <text> parameter'
  • To change the text in the message body:

    zmprov ma <accountname@example.com> zimbraInterceptBody \
     '<Intercepted message text> parameter <text> parameter'
To modify by COS, type zmprov mc {cosname} …​.

You can create a query for the user’s mailbox using the REST URL format to search for specific types of email messages and attachments and have these messages zipped and saved to your computer. This zip file can be forwarded to a requesting law enforcement agency.

The email message appears as an .eml file name after the subject line. The attachments get saved in the format that they were delivered.

Creating a Mailbox Snapshot zip File

You must be logged into the Zimbra Administration Console to create the zip file. You create a query for one account at a time.

  1. In the Administration Console address field of the browser, after the port number 7071/, type:

    home/<username>?fmt=zip&query=<searchquerystring>

    For example:

    Address Bar

    In the above example, the search query is requesting a zip file of all accounts called user1.

    You can use any search operators supported for searching in Zimbra. For example, you can search by folder (in:folder_name), by sender’s name (from:<someone>), and you can use multiple search terms. See the Search Tips wiki page for keyword examples, https://wiki.zimbra.com/wiki/Search_Tips.

  2. Press Enter or the arrow to create the zip. A Confirm box displays, asking if you want to navigate away from this page.

  3. Click OK.

  4. Choose where you want to save the zip file. This zip file is ready to be delivered.

Color and Logo Management

You can change the logo and base colors of the Zimbra Classic Web App themes without having to customize individual Zimbra Collaboration themes. This can be done from the administration console or the CLI.

Changing Theme Color and Logos on the Zimbra Classic Web App

This sections deals with customizations related to Classic Web App. For customizations related to the Modern Web App, refer to Customizing Modern Web App

Base colors for themes, and custom logos can be configured as a global setting or as a domain setting.

  • When the global settings are changed, the changes apply to themes on all servers.

  • When the domain settings are changed, the base color and logos for themes on the domain are changed.

If global settings and domain-level settings for theme base colors or logos are not identical, the domain values are displayed for the domain.

If the logo and base colors are customized in multi-domain Zimbra Collaboration environments, you must set a virtual host as the base color: logo attributes are displayed based on the Host header sent by the browser.
Various themes are included with Zimbra Collaboration. Some of these themes - such as lemongrass, Hot Rod, and Waves - have been designed with graphics or color codes that do not change when you modify the base color. You might want to disable those themes from user’s Theme preferences selection.

Customizing Base Theme Colors

The following base colors in Zimbra Classic Web App themes can be changed:

  • The primary background color displayed in the client. This color is the background of the page. Variants of the color are used for buttons, background color of the Content and panes, tabs, and selection highlight. In the following image, the background color displays with the logo, the variant of the background color displays in the login area.

  • The secondary color is the color used for the toolbar.

  • The selection color is the color displayed for a selected item such as a message or an item in the Overview pane.

  • The foreground color is the text color displayed. The default text color is black. The text color usually does not need to be changed.

You can replace the logo with your company’s logo globally or per domain.

Graphics to Replace

The following logo files can be changed. Your logos must be the same size as specified here or the image might not display correctly. These graphic files can be saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.

  • Company logo that displays on the login and splash screens for Zimbra Classic Web App and the Zimbra Collaboration administration console. The dimension of the graphic must be exactly 300 x 30.

  • Small company logo in the upper-left of the Zimbra Classic Web App application and the administration console. The dimension of the graphic must be exactly 170 x 35.

  • Company Web address that links from the company logos.

Graphics not replaced

The icon that displays in the Advanced search toolbar and the favicon.ico that displays in the URL browser address field cannot be changed at this time.

On the administration console, the Global Settings and the Domains settings include a Themes page that can be configured to customize the color scheme and to add a company logo and logo URL. You upload your company logo to be used on the Zimbra Classic Web App and administration console pages.

Changing Base Theme Colors

You can either select colors from popup view of predefined colors, or enter the six-digit hexadecimal color value for an exact color match to set theme colors for the following categories:

  • Foreground, which is the text color.

  • Background, which is the primary background color displayed in the client.

  • Secondary, which is the color used for the toolbar and selection headers in the pane.

  • Selection, which is the color displayed for a selected item such as a message, right-click, or drop down menu selection.

Changes to theme settings require the server theme cache to be flushed. To flush a server, go to Home → Configure → Servers to get the list of servers. Right-click on a server and select Flush Cache from the popup menu.

Use the Customize the theme colors container to set colors for your theme categories:

Admin Console:

Home → Configure → Global Settings → Themes or
Home → Configure → Domains → domain → Themes

  1. Click on the field alongside the theme category to be modified, then use the popup color selector to define the color for your selection.

    You can either click directly on a color, or use the entry field to write the hexadecimal value of the color. In either case, your selection will be displayed in the field. If you opt out of your color selections, click reset all theme colors to discard your settings.

  2. Navigating away from this page results in query for save of the settings.

    Click Yes (to save) or No (to discard your settings).

You can replace the Zimbra Collaboration logo with your company’s logo globally or per domain from the appropriate Themes page. Your logos must be the same size as specified in the Graphics to Replace section or the images might not display correctly. The graphic files are saved on another server or in a directory that is not overwritten when Zimbra Collaboration is upgraded.

When you configure the Customize the logo of the themes section in the Global Settings → Theme page, all fields in this section must be completed to display the graphics correctly.

The Zimlet icon that displays in the Advanced search toolbar and the favicon.ico that displays in the URL browser address field are not changed.

Use the Customize the logo of the themes container to a logo to accompany the theme:

Admin Console:

Home → Configure → Global Settings → Themes or
Home → Configure → Domains → domain → Themes

Table 55. Logo Settings
Option Description

Logo URL of the themes

The company web address to be linked from the logo.

Application logo banner URL of the themes

The company logo that displays on the login and splash screens for the Zimbra Classic Web App and admin console. the dimension of the graphic must be exactly 450x100.

Application logo banner preview (200x35)

The company logo in the upper-left of the Zimbra Classic Web App application and the administration console. the dimension of the graphics must be exactly 120x35.

Login logo banner URL of the themes

Login logo banner preview (440x60)

To change the Zimbra Classic Web App theme base colors and logos, use the zmprov command. The following attributes are configured either as a global config setting or as a domain settings. Color values are entered as a six-digit hexadecimal codes.

Table 56. Color Attributes
Attribute Description

zimbraSkinBackgroundColor

The hex color value for the primary background color displayed in the client.

zimbraSkinSecondaryColor

The hex color value for the toolbar and selected tabs.

zimbraSkinSelectionColor

The hex color value for the color of the selected item.

zimbraSkinForegroundColor

The hex color value for the text. This usually does not need to be changed as the default is black.

Changing base colors for themes

Before you begin, identify the six-digit hexadecimal base color values for the various elements you are changing. You will be using these in your command entries.

Global Settings
zmprov modifyConfig <attribute-name> [“#HEX_6digit_colorcode”]
Domain Settings
zmprov modifyDomain <domain> <attribute-name> [“#HEX_6digit_colorcode”]

Modifying a domain

The example in this section demonstrates how to change to the following base colors:

  • Background color = Coral, #FF7F50

  • Secondary color = turquoise, #ADEAEA

  • Selection color = yellow, #FFFF00

    1. Specify the skin colors: Log in as the zimbra user and use zmprov to modify the domain:

      zmprov modifyDomain example.com \
       zimbraSkinBackgroundColor "#FF7F50" \
       zimbraSkinSecondaryColor "#ADEAEA" \
       zimbraSkinSelectionColor "#FFFF00"

      The quote marks, "", are required so the use of the # sign does not comment out the text that follows.

    2. Use the zmmailboxdctl command to apply the changes by restarting the mailbox server process:

      zmmailboxdctl restart

      Reload the Classic Web App, and Zimbra Collaboration themes for that domain should now display these colors.

Adding Your Logos

You add the company logo information and URL by modifying these the following attributes for logos:

Table 57. Logo Settings
Attribute Description

zimbraSkinLogoURL

The company Web address that you want linked from the logo.

zimbraSkinLogoLoginBanner

The company logo file name that is displayed on the login and splash screens for the Classic Web App and the Zimbra Collaboration administration console.

zimbraSkinLogoAppBanner

The logo graphic file name for the graphic in the upper-left of the Classic Web App application and the administration console.

To add logos for a domain

If logo files are saved in the Zimbra Collaboration server, they must be in a subdirectory of /opt/zimbra/jetty/webapps/zimbra.

If the logos are hosted on another machine, enter the full URL when identifying the logo.

Use steps in this section to update the logo(s) displayed over a domain:

  1. Change the URL link:

    zmprov modifyDomain zimbraSkinLogoURL https://url.example.com/
  2. Modify the logo display:

    To change the logo displayed in the login and splash screens:

    zmprov modifyDomain zimbraSkinLogoLoginBanner /zimbra/loginlogo.png

    To change the logo displayed on the Zimbra Classic Web App main page:

    zmprov modifyDomain zimbraSkinLogoAppBanner /zimbra/applogo.png
  3. Stop/start the server:

    zmcontrol restart
Not currently supported: Logo modification for the Zimbra Classic Web App.

Customizing Modern Web App

This section is applicable only for Modern Web App.

In this section, we guide you through customizing Modern Web App and deploying your customization. We’re going to address customization by overriding dynamic layouts.

Review your organization’s branding guidelines for icons and colors to use in the Zimbra’s Modern Web App.

What can be customized

As a general rule, you can customize the following within the branding framework:

  • Logos

  • Color and border of various widgets such as Buttons, links, and Tabs

  • Text fonts, colors, and sizes

  • The basic appearance of the Modern Web App

What cannot be customized

There are several sections of the Modern Web App user interface that require a significant amount of Javascript coding to change. Customizing these segments is beyond the scope of this document:

  • Changing the behavior of something (e.g., a button)

  • Order of application tabs

  • Order of toolbar buttons

  • Adding new toolbar buttons

  • Adding search locations to the Search toolbar

Setup

Before we start customizing the Modern Web App, we need to create an empty Modern Web App bundle.

You should also have the following knowledge and skillsets:

  • Familiarity with usage of linux terminal and commands

  • Familiarity with basic HTML and CSS concepts and associated terminologies

  • Familiarity with terms like font, font size, and line-height

  • Familiarity with logos, images, color codes, and other styling elements

  • Familiarity with your organization’s branding guidelines

Creating an Empty Bundle

We first create an empty folder and its contents locally. Once done, we copy the folder to the Zimbra server.

Folder Name

Naming the folder is a crucial first step.

  • Keeping the folder name same as the hostname, the customizations reflect on all domains and, by extension, all the accounts on those domains.

  • If the folder name is the same as the domain name, the customizations appear on all accounts on that domain.

  • In case there is a virtual host setup, the folder name must be the domain name on which you have configured the virtual host.

    For Example, consider a domain named example.com that has a virtual host mail.example.com; in such a case, you must create a folder mail.example.com.

    Finding hostname
    1. Log in using ssh to your Zimbra server.

    2. Switch to user zimbra.

      su - zimbra
    3. Run this command to get the hostname.

      zmhostname
    Finding Domain Name
    1. Log in using ssh to your Zimbra server.

    2. Switch to user zimbra.

      su - zimbra
    3. Run this command to get the domain name(s).

      zmprov gad

For this document, we consider mail.example.com as the folder name.

Folder contents

The folder (mail.example.com in our case) must have the following hierarchy and contents.

Use mkdir to create new directories and touch to create new files.
Files and Folder Hierarchy
mail.example.com
   ├── config.json
   ├── index.css
   ├── palette.css
   ├── assets
   │   ├── favicon.ico
   │   ├── icon.png
   │   ├── icon.svg
   │   ├── login-page-background.png
   │   └── logo.svg
   └── pwa
        ├── manifest.json
        └── icons
              ├── icon_300x300.svg
              ├── ios
              │    ├── icon_16x16.png
              │    ├── icon_32x32.png
              │    ├── icon_57x57.png
              │    ├── icon_72x72.png
              │    ├── icon_114x114.png
              │    └── icon_180x180.png
              └── non-ios
                     ├── icon_16x16.png
                     ├── icon_32x32.png
                     ├── icon_36x36.png
                     ├── icon_48x48.png
                     ├── icon_72x72.png
                     ├── icon_96x96.png
                     ├── icon_144x144.png
                     ├── icon_150x150.png
                     ├── icon_192x192.png
                     ├── icon_256x256.png
                     └── icon_512x512.png

Customize Logos

The Zimbra’s Modern Web App uses the primary logo of your organization unless you specify a secondary logo.

  1. Save the primary logo as logo.svg.

  2. Save the secondary logo as secondarylogo.svg.

Along with the logo, you also need your organization’s emblem to use it as an icon.

Create multiple icons — of different sizes — using this emblem. Refer to the below table for the file name, size, and destination of each icon.

Icon File name Icon Size (in px) Destination Folder

favicon.ico

48x48

/mail.example.com/assets

icon.png

512x512

/mail.example.com/assets

icon.svg

NA

/mail.example.com/assets

logo.svg

NA

/mail.example.com/assets

secondarylogo.svg

NA

/mail.example.com/assets

icon_16x16.png

16x16x

/mail.example.com/pwa/icons/ios

icon_32x32.png

32x32x

/mail.example.com/pwa/icons/ios

icon_57x57.png

57x57

/mail.example.com/pwa/icons/ios

icon_72x72.png

72x72

/mail.example.com/pwa/icons/ios

icon_114x114.png

114x114

/mail.example.com/pwa/icons/ios

icon_180x180.png

180x180

/mail.example.com/pwa/icons/ios

icon_16x16.png

16x16x

/mail.example.com/pwa/icons/non-ios

icon_32x32.png

32x32x

/mail.example.com/pwa/icons/non-ios

icon_36x36.png

36x36

/mail.example.com/pwa/icons/non-ios

icon_48x48.png

48x48

/mail.example.com/pwa/icons/non-ios

icon_72x72.png

72x72

/mail.example.com/pwa/icons/non-ios

icon_96x96.png

96x96

/mail.example.com/pwa/icons/non-ios

icon_144x144.png

144x144

/mail.example.com/pwa/icons/non-ios

icon_150x150.png

150x150

/mail.example.com/pwa/icons/non-ios

icon_192x192.png

192x192

/mail.example.com/pwa/icons/non-ios

icon_256x256.png

256x256

/mail.example.com/pwa/icons/non-ios

icon_512x512.png

512x512

/mail.example.com/pwa/icons/non-ios

Customizable Segments

Consider the below Zimbra’s Modern Web App screenshot.

labeled ss
Figure 2. Customizable components

This labeled screenshot shows the customizable segments of Modern Web App.

  1. Title

  2. Navigation bar containing the links

  3. Left-side links on the navigation bar

  4. Right-side links on the navigation bar

  5. Left Sidebar

  6. Right Sidebar

  7. Header

The items marked 1, 2, 3, and 4 are text and links. Instructions to change them are in the section Customize Text & Links.

The colors for items marked 5, 6, and 7 are customizable. Instructions to change these, and other colors, are in Customize Colors & Sizes.

  1. Copy and paste Sample config.json in mail.example.com/config.json

  2. To change the title text ( marked 1 in Customizable components) edit the value against "title" in Sample config.json.

  3. To replace the text Zimbra with your organization’s name ("Example" in this case) throughout the application, change the value against`"clientName"` in Sample config.json.

  4. To hide and remove the Forgot Password link, set "disableForgotPassword" as "true" in Sample config.json.

  5. To insert links and hypertext in the navigation bar (2) edit "left"(3) and "right"(4) under "nav" in Sample config.json.

    • To remove the navigation bar altogether remove the below snippet:

"nav":
  {
    .
    .
    .
  }
Sample config.json
{
    "title": "Example Mail",
    "version": "1",
    "clientName": "Example",
    "userHelpPath": "https://www.example.com/userguide/",
    "nav": {
        "left": [
            {
                "name": "Example Link 1",
                "href": "https://www.example.com/1"
            },
            {
                "name": "Example Link 2",
                "href": "https://www.example.com/2"
            }
        ],
        "right": [
            {
                "name": "Example Link 1",
                "href": "https://www.example.com/1"
            },
            {
                "name": "Example Link 2",
                "href": "https://www.example.com/2"
            }
        ]
    }
}

Customize Colors & Sizes

This section handles colors and sizes of fonts, logos, and sidebars — among other things.

Palette.css

This file helps you to create a palette of colors to use throughout the application.

  1. Navigate to palette generator and enter the hex code for Primary, Secondary and Tertiary colors.

  2. Specify hex code for colors associated with Success, Informative, Warning, and Danger messages.

  3. Click Generate.

  4. A ready styling template with color codes appears.

  5. Click Copy.

  6. Paste the contents generated in mail.example.com/palette.css.

Index.css

Copy the below segment and paste as is in the mail.example.com/index.css file. Change the values to change various aspects of the Modern Web App as it appears to the user.

:root {
     --sidebar-bg-color: var(--gray-lightest);
     --rightbar-bg-color: var(--gray-lightest);
     --line-height-base: 1.42857143;
     --link-color: var(--brand-primary-500);
     --link-hover-color: var(--brand-primary-800);
     --link-hover-decoration: underline;
     --logo-height: 32px;
     --logo-max-width: 200px;
     --header-bg: var(--gray-lightest);
     --header-fg: var(--gray-darker);
     --external-header-bg: var(--brand-tertiary-700);
     --external-header-fg: #FFFFFF;
}

The various variable names used are self-explanatory. However, the below table offers a brief description. The number against some of the variables refer to the figure Customizable components.

Table 58. index.css options
Parameters Description

--sidebar-bg-color (5)

Changes the background color of the pane that lists email and contact folders.

--rightbar-bg-color (6)

Change the background color of the right sidebar.

--line-height-base

Change the base line-height that changes the line-height everywhere in the application.

--link-color

Change the link color.

--link-hover-color

Change the link color on mouse hover.

--link-hover-decoration

Change the way link behaves (underline, overline, or strikethrough) when mouse hovers.

--logo-height

Change the logo height. This value cannot be more than 72px.

--logo-max-width

Change the maximum width of the logo.

--header-bg (7)

Change the header background color.

--header-fg

Change header’s text color.

--external-header-bg

Change the navigation bar’s background color.

--external-header-fg

Change the navigation bar’s text color.

Make all color customizations (overrides) in index.css and not in palette.css to avoid palette overwrites.

Customizing the PWA

This section helps customize certain aspects of Progressive Web App (PWA). For more information on PWAs, refer What is a Progressive Web App.

Sample manifest.json
{
    "icons": [
        {
            "src": "/pwa/icons/icon_300x300.svg",
            "sizes": "300x300",
            "type": "image/svg+xml"
        },
        {
            "src": "/pwa/icons/non-ios/icon_512x512.png",
            "sizes": "512x512",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_256x256.png",
            "sizes": "256x256",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_192x192.png",
            "sizes": "192x192",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_150x150.png",
            "sizes": "150x150",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_144x144.png",
            "sizes": "144x144",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_96x96.png",
            "sizes": "96x96",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_72x72.png",
            "sizes": "72x72",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_48x48.png",
            "sizes": "48x48",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_36x36.png",
            "sizes": "36x36",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_32x32.png",
            "sizes": "32x32",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/non-ios/icon_16x16.png",
            "sizes": "16x16",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_180x180.png",
            "sizes": "180x180",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_114x114.png",
            "sizes": "114x114",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_72x72.png",
            "sizes": "72x72",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_57x57.png",
            "sizes": "57x57",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_32x32.png",
            "sizes": "32x32",
            "type": "image/png"
        },
        {
            "src": "/pwa/icons/ios/icon_16x16.png",
            "sizes": "16x16",
            "type": "image/png"
        }
    ],
    "name": "Example Mail",
    "short_name": "Example Mail",
    "orientation": "portrait",
    "display": "standalone",
    "start_url": "/",
    "background_color": "#ffffff",
    "theme_color": "#e92d28"
}
  1. Copy and paste Sample manifest.json in mail.example.com/pwa/manifest.json.

  2. Edit all instances of mail.example.com to the folder name as decided in the section Folder Name.

  3. Edit "name" and "short_name" to have the same value as "title" from Sample config.json.

    • "name" represents the name of the web application as it appears to users in list of mobile applications.

    • "short_name" represents the name of the web application as it appears to users if there is not enough space to display "name".

  4. Set the "background_color" to background-color in Palette.css.

  5. Set the "theme_color" to the same value as primary color in Palette.css.

Do not change the values of "orientation", "display" and "start_url".

Customizing the Login Page

This section helps you change the way Zimbra Modern Web App login page appears to users.

Before you begin login (or ssh) on the Zimbra server.

Changing the Background Image
  1. Copy a background image to

    /opt/zimbra/jetty_base/webapps/zimbra/img/
  2. Open and edit

    /opt/zimbra/jetty_base/webapps/zimbra/skins/_base/base3/skin.properties
  3. Locate the entry LoginScreen.

  4. Replace new-back-ground-image.png with the file name of the image you just copied.

The Modern Web App references the logo it uses from :

/opt/zimbra/jetty_base/webapps/zimbra/img/new-logo.png

You have to overwrite this file with the logo you prefer to use.

To keep provisions for reverting to the default logo, rename the above file (add .old to the filename).
  1. Rename your organization’s logo that you have as new-logo.png.

  2. Copy this file to :

    /opt/zimbra/jetty_base/webapps/zimbra/img/

Deployment Instructions

  1. Navigate to and open the mail.example.com folder.

  2. Edit config.json to change the version. Do not use a previously used value.

    • Enter a unique positive number.

    • Use a new value every time for your customizations to reflect on users' Modern Web App.

    • Enclose the text in quotes.

  3. Save the file.

    All instances of mail.example.com should be replaced with the folder name as decided in the section Folder Name.
  4. Copy mail.example.com to /opt/zimbra/jetty/webapps/zimbra/modern/clients/ on Zimbra server.

Restart Zimbra mailbox server

To apply the changes you have made, restart Zimbra’s mailbox server.

  1. Login to your Zimbra installation as root.

  2. Switch to user zimbra.

    su - zimbra
  3. Restart Zimbra’s mailbox server.

    zmmailboxdctl restart
  4. Refresh Zimbra’s Modern Web App login page to see the changes

You might need to clear the cache if the changes do not appear.

Zimlets

Zimlets are a mechanism to integrate Zimbra with different third-party applications to enhance the user experience from the Zimbra Classic Web App. With Zimlets, users can look at information and interact with the third-party application from within their email messages. Zimlets can be made available from the Zimbra Classic Web App Overview Pane to users by modifying the Class of Service (COS).

Classic Web App lists only the classic zimlets.

Zimbra includes several predefined Zimlets. You can also create Zimlets or download them from the Zimlet Gallery located on the Zimbra Web site.

In Admin ConsoleHomeConfigureZimlets, zimlets developed for Modern Web App have (Modern) in Description.

Default zimlets in Classic Web App

Classic Web App lists only th

Predefined Zimlets, when enabled, let users preview the following in Classic Web App:

  • Mouse over a date or time and see what is in calendar.

  • Mouse over a name or email address and see details from the address book for this name.

  • Right-click on a phone number to make a call with your soft-phone.

  • Right-click on a date to schedule a meeting.

  • Right-click on a name, address, or phone number to update address book information.

Managing Zimlets from the Administration Console

The following Zimlet management tasks are available from the Zimbra Administration Console.

  • Deploy a Zimlet, which creates the Zimlet entry in the LDAP server, installs the Zimlet files on the server, enables the Zimlet and makes it available to the members of the default COS.

  • Make a Zimlet available or not available per COS or account.

  • Make a Zimlet mandatory.

  • Disable a Zimlet, which leaves it on the server, but the Zimlet is not used.

  • Undeploy a Zimlet, which removes it from the COS listings and the Zimlets list but does not uninstall the Zimlet from the server.

You cannot uninstall a Zimlet from the Administration Console.

Deploying Custom Zimlets

You can download and deploy custom Zimlets from the Zimlet Gallery located on the Zimbra Web site. When a Zimlet is deployed, it is available immediately to everyone in the default COS. If a Zimlet is not deployed to another COS directly, the COS displays the Zimlets but they are not enabled.

Admin Console:

Home → Configure → Zimlets, from the Gear icon select Deploy

  1. Browse to the Zimlet you want to deploy, then click Deploy.

    The Zimlet deploys to the server. A dialog displays indicating the server name where the Zimlet is deployed and the status of the deployment.

  2. Click Finish.

    Verify the Zimlet is enabled by viewing the Zimlets page.

Enable, Disable, or Make Zimlets Mandatory

You can enable, disable, or make Zimlets mandatory. You can also use the toggle feature to choose if an installed Zimlet will be made available for users to choose from.

Admin Console:

Home → Configure → Class of Service → COS → Zimlets

Table 59. Zimlet Operational Status Settings.
Setting Description

Mandatory

Zimlet will always be enabled in user accounts. Users do not see these Zimlets on their Zimlet page.

Disabled

Zimlet will not be immediately available to users in the associated COS.

Enabled

All deployed Zimlets will be enabled.

Users can enable or disable optional Zimlets from their account’s Preferences → Zimlets page. If you select a Zimlet as mandatory, it cannot be disabled by the user.

Undeploying a Zimlet

When a Zimlet is undeployed, it is removed from all COSs and then removed from the LDAP.

Admin Console:

Home → Configure → Zimlets

  1. Select a Zimlet to undeploy.

  2. From the Gear icon menu select Undeploy.

  3. Click Yes to confirm.

Adding Proxy-Allowed Domains to a Zimlet

Proxy Allowed Domains lets you configure which external domains can be accessed through a Zimlet. For the Zimlets that are included in Zimbra, proxy allowed domains are already configured. If you download and deploy other Zimlets, you can add additional proxy domain names.

Admin Console:

Home → Configure → Class of Service

  1. Select the COS to edit.

  2. In the Advanced page, scroll down to the Proxy Allowed Domains section.

  3. Click Add Domain to add domains.

  4. Click Save.

Upgrading a Zimlet

Use the same steps as deploying a new Zimlet to upgrade a customized Zimlet. The new Zimlet zip file should have the same name as the existing Zimlet zip file.

Admin Console:

Home → Configure → Zimlets, from the Gear icon select Deploy

  1. Check Flush Zimlet cache, so that the upgraded zimlet will be used.

  2. Browse to the Zimlet you want to upgrade, then click Deploy.

  3. Click Finish.

Managing Zimlets from the Command Line Interface

The following Zimlet management tasks are available from the command line interface.

Deploying Zimlets

When a Zimlet is deployed, it is available immediately to everyone in the default COS. If a Zimlet is not deployed to another COS directly, the COS displays the Zimlets but they are not enabled.

Deploy a Zimlet using the CLI, including modifying the COS before deploying.

  1. Select a Zimlet and copy the Zimlet zip file to /tmp folder on your Zimbra server.

  2. Login as the zimbra user su - zimbra

  3. Deploy the Zimlet

    zmzimletctl deploy /tmp/<zimlet>.zip

Adding Proxy Allowed Domains to a Zimlet

When deploying a Zimlet, the COS attributes, zimbraProxyAllowedDomains, must be set for the domain address that the Zimlet might call to get information.

To set the zimbraProxyAllowedDomains attribute, type:

zmprov mc <COSname> +zimbraProxyAllowedDomains '*.example.com'

The * must be added before the example.com.

This must be applied to all COSs that have your Zimlet enabled.

Deploying a Zimlet and Granting Access to a COS

Use steps in this section to deploy a Zimlet to one or more COSs other than the default:

  1. Login as zimbra user: su – zimbra

  2. Copy the Zimlet file from Gallery to /tmp folder.

  3. Install the Zimlet to the default COS:

    zmzimletctl deploy /tmp/<zimlet>.zip
  4. To deploy the zimlet to additional COSs, run:

    zmzimletctl acl <zimletname> <cosname1> grant

    This will grant permission to cosname1. You can also grant access to more than one COS on the same command line:

    zmzimletctl acl <zimletname> <cosname1> grant <cosname2> grant
  5. To allow this zimlet to use the allowed proxy domains, run the following on each COS and add the allowed domains.

    zmprov mc <COSname1> +zimbraProxyAllowedDomains '*.example.com'
    zmprov mc <COSname2> +zimbraProxyAllowedDomains '*.example.com'

Viewing Installed Zimlets

Use the zmzimletctl command to view currently installed Zimlets:

zmzimletctl listZimlets all

The output from this command displays the Zimlets installed on the server, installed in LDAP, and those available by COS.

Changing Zimlet Configurations

Some Zimlets may require additional configuration after they are deployed.

The Zimlet configuration template allows you to make changes on the configuration template and then install the new configuration file on the Zimbra server.

Use steps in this section to change a Zimlet configuration:

  1. Extract the configuration template:

    zmzimletctl getConfigTemplate <zimlet.zip>
  2. Make the required changes in the template, taking care to change only the required areas, then save the file.

    If you have more than one custom Zimlet, rename the config template.xml file before updating the configuration in LDAP so that files are not overwritten.
  3. Use the zmzimletctl command to update the configuration in the LDAP. If you changed the name of the configuration template, replace config_template.xml with the new name.

    zmzimletctl configure config_template.xml

Upgrading a Zimlet

Upgrading a customized Zimlet is performed by using the same steps as those used to deploy a new Zimlet.

The new Zimlet zip file should be named identically to the existing Zimlet zip file.

Use steps in this section upgrade a Zimlet:

  1. Copy the Zimlet zip file to the /opt/zimbra/zimlets-extra folder, replacing the older version.

  2. Deploy the Zimlet

    zmzimletctl deploy <zimlet.zip file name>

    The Zimlet is copied to the /opt/zimbra/zimlets-deployed folder. If your Zimlet includes a .jsp file, the .jsp file is also copied to the /opt/zimbra/jetty/webapps/zimlet/<zimletnamefolder>.

  3. To ensure availability of the newer version, flush the cache:

    zmprov flushCache zimlet

You can download and deploy Zimlets from the Zimlet Gallery located on the Zimbra web site. Go to https://www.zimbra.org/extend/ and scroll through the Extensions from the Zimbra Gallery section.

Developing Customized Zimlets

To develop your own custom Zimlets, see the Zimlet Developers Guide on the Zimbra Wiki at https://wiki.zimbra.com.

Configuring Zimlets for Modern Web App

Zimlets are plugins which enhance the Modern Web App’s functionalities. The zimlets need to be configured and authorized before you can use them with the Modern Web App.

Modern Web App lists only the modern zimlets.

Default zimlets in Modern Web App

Default Zimlets, for Modern Web App, let users perform the following tasks:

  • Restore contacts from previous backups

  • Add additional signatures for replies, forwards, or new emails

  • Detect dates from given content and provide event list of that day on mouse hover

  • Use Zimbra as a progressive web app

  • Subscribe to external calendar feeds

  • Add an option in settings to change default client in Zimbra

Zimlets developed for Modern Web App have (Modern) in description.

Configuring LDAP

This section is a basic guide to configuring the necessary LDAP properties for zm-oauth-social. Assumes basic Zimbra Collaboration CLI knowledge.

The following examples may be used as a starting point for configuring the required LDAP properties to enable use of the zm-oauth services.

As the Zimbra Collaboration user, these properties can be applied globally as in the following examples, or applied to specific domains.

Basic Info

Basic Template For User OAuth Token Configuration

zimbraOAuthConsumerRedirectUri is the app’s relay during the oauth flow (i.e. where the social media site will send the user with a one-time use code to continue the oauth flow). The left part of the LDAP value must match the app’s whitelist.

zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://<zimbra-hostname>:<port>/service/extension/oauth2/authenticate/<client>:<client>'

zimbraOAuthConsumerCredentials is the app’s credentials — provided by the social media app setup. verification_token may be left out for all clients except Zoom. These credentials tie the oauth flow to a specific app. The clientId is used by an end-user to request an oauth code, then the clientId + clientSecret are both used by the Zimbra Collaboration server to exchange that code for an access_token.

zmprov mcf +zimbraOAuthConsumerCredentials '<clientId>:<clientSecret>[:<verification_token>]:<client>'

zimbraOAuthConsumerAPIScope is the app’s required scopes for the specified auth type (caldav,contact,noop). These scopes determine what permissions are requested from an authorizing user during the social media site leg of the oauth flow.

zmprov mcf +zimbraOAuthConsumerAPIScope '<scope><delimiter><scope><delimiter>. . .:<client>_<type>'

Client Examples

Dropbox Example
The following is required configuration for dropbox.
zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/dropbox:dropbox'
zmprov mcf +zimbraOAuthConsumerCredentials 'yourDropboxClientIdHere:yourDropboxClientSecretHere:dropbox'

See Setting Up Dropbox for instructions on obtaining a Client Id, and Client Secret.

Google Example
The following is required basic google configuration.
zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/google:google'
zmprov mcf +zimbraOAuthConsumerCredentials 'yourGoogleClientIdHere:yourGoogleClientSecretHere:google'
zmprov mcf +zimbraOAuthConsumerAPIScope 'https://www.googleapis.com/auth/drive:google_noop'

See Setting Up Google Drive for instructions on obtaining a Client Id and Client Secret.

Microsoft Example
The following is required basic microsoft configuration.
zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/outlook:outlook'
zmprov mcf +zimbraOAuthConsumerCredentials 'yourMSClientIdHere:yourMSClientSecretHere:outlook'
zmprov mcf +zimbraOAuthConsumerAPIScope 'profile+User.Read+Files.ReadWrite.All:outlook_noop'

See Setting Up OneDrive for instructions on obtaining a Client Id, and Client Secret.

Slack Example
The following is required configuration for slack. The scopes are only applied when authorization is performed for the noop scope.
zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/slack:slack'
zmprov mcf +zimbraOAuthConsumerCredentials 'yourSlackClientIdHere:yourSlackClientSecretHere:slack'
zmprov mcf +zimbraOAuthConsumerAPIScope 'groups:write,team:read,users:read,users:read.email,chat:write,mpim:write:slack_noop'

See Setting Up Slack for instructions on obtaining a Client Id and Client Secret.

Zoom Example
The following is required configuration for zoom. The scopes are only applied when authorization is performed for the noop scope.
zmprov mcf +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/zoom:zoom'
zmprov mcf +zimbraOAuthConsumerCredentials 'yourZoomClientIdHere:yourZoomClientSecretHere:yourZoomVerificationTokenHere:zoom'
zmprov mcf +zimbraOAuthConsumerAPIScope 'meeting:write:zoom_noop'
zmprov mc default +zimbraProxyAllowedDomains 'api.zoom.us'

The last line of the above code block allows Zimbra Collaboration to perform proxy requests for the Zoom zimlet to the Zoom API on behalf of default class of service Zimbra Collaboration accounts. This is necessary for the Zoom Zimlet’s basic operations. If users on other class of services should have access, this may be applied on those as well.

See Setting Up Zoom for instructions on obtaining a Client Id, Client Secret, and Verification Token.

Domain Configuration
Details

Configuring the credentials of a single domain will override the credentials inherited from global configuration for that domain. Because of this, it is possible to configure just the credentials, and allow the domain to inherit the redirect uri and scopes if neither of these configurations should differ between the global and domain app.

Dropbox Example
The following is an example for applying dropbox app credentials, which has no additional scope requirements, on the Zimbra Collaboration domain example.zimbra.com:
zmprov md example.zimbra.com +zimbraOAuthConsumerRedirectUri 'https://your.mail.server.host.here/service/extension/oauth2/authenticate/dropbox:dropbox'
zmprov md example.zimbra.com +zimbraOAuthConsumerCredentials 'yourDropboxClientIdHere:yourDropboxClientSecretHere:dropbox'

Setting Up Dropbox

Create a Dropbox Application
  1. Visit Dropbox App Console

  2. Choose Create app.

  3. Choose Dropbox API with Full Dropbox access, name your app, then click create app.

  4. Adjust and configure the following Redirect URLs in the OAuth 2 section:

    1. https://<hostname>/service/extension/oauth2/authenticate/dropbox

    2. https://<hostname>/@zimbra/service/extension/oauth2/authenticate/dropbox

  5. Adjust and configure the relevant hostnames in the Chooser/saver domains section.

  6. Fill out the application Branding information and descriptions.

  7. Click Enable additional users so that others may authorize with the app.

Configure the new Application Credentials in Zimbra Collaboration
  1. Acquire the App key and App Secret from the Settings tab.

  2. See Configuring LDAP.

Setting Up Google Drive

Create a Google APIs Application
  1. Visit Google API Console.

  2. Select Select a project from the project dropdown menu in the top navigation bar.

  3. Select New Project.

  4. Configure the project name (and optionally organization location).

  5. Select + Enable APIs and Services

  6. Search for Google Drive then select Google Drive API.

  7. Select Enable.

  8. Select Google APIs to return to the APIs & Services menu.

  9. Navigate to the APIs & Services section: OAuth consent screen via the left navigation menu.

  10. Choose either internal or external application type, then configure the basic application information.

  11. Select Add scope then enable all of the scopes related to Google Drive.

  12. Add your mail server’s host as an authorized domain.

  13. Select Save.

  14. Navigate to the APIs & Services section: Credentials via the left navigation menu.

  15. Select + Create Credentials, then select OAuth client ID.

  16. Choose Web application as the Application type.

  17. Configure the application name.

  18. Under Authorized JavaScript origins select + Add URI then adjust and add your mail server’s hostname (Replace "hostname" with the public hostname of your Zimbra Collaboration server):

    1. https://hostname

  19. Under Authorized redirect URIs select + Add URI then adjust and add the following redirect URIs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/authenticate/google

    2. https://<hostname>/@zimbra/service/extension/oauth2/authenticate/google

  20. Select Create, then copy the Client ID and Client Secret.

Configure the new Application Credentials in Zimbra Collaboration
  1. Acquire the App key and App Secret from the Settings tab.

  2. See Configuring LDAP.

Setting Up OneDrive

Create a Microsoft Azure Application
  1. Visit Azure Portal.

  2. Search for and select App Registrations.

  3. Select New registration.

  4. Configure the application name.

  5. Under Supported account types, select Accounts in any organizational directory and personal Microsoft account.

  6. Adjust and add the following Redirect URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/authenticate/outlook

  7. Select Register.

  8. Navigate to the Manage section: Authentication via the left navigation menu.

  9. Select Add URI then adjust and add the following Redirect URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server), then click Save:

    1. https://<hostname>/%40zimbra/service/extension/oauth2/authenticate/outlook

  10. Navigate to the Manage section: API Permissions via the left navigation menu.

  11. Add the required Microsoft Graph Delegated Permissions, then click Save:

    1. email

    2. offline_access

    3. openid

    4. profile

    5. Files.ReadWrite.All

    6. User.Read

  12. Navigate to the Manage section: Certificates & secrets via the left navigation menu.

  13. Select New client secret, add a description, and no expiration.

  14. Repeat this task, removing previously created entries, until a Value without a : is created (secret must not contain colons for compatibility reasons), then click Save.

    Configure the new Application Credentials in Zimbra

  15. Acquire the Application (client) ID from the Overview via the left navigation menu, and Client Secret from the Manage section: Certificates & secrets via the left navigation menu.

Configure the new Application Credentials in Zimbra Collaboration
  1. Acquire the App key and App Secret from the Settings tab.

  2. See Configuring LDAP.

Setting Up Slack

Create a Slack Application
  1. Visit Slack App Management

  2. Configure the Basic Information section after creating the Application.

  3. Navigate to the Features section: OAuth & Permissions via the left navigation menu.

  4. Add the required Bot Token Scopes:

    1. chat:write

  5. Add the required User Token Scopes:

    1. chat:write

    2. groups:write

    3. mpim:write

    4. team:read

    5. users:read

    6. users:read.email

  6. Adjust and add the following Redirect URLs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/authenticate/slack

    2. https://<hostname>/@zimbra/service/extension/oauth2/authenticate/slack

  7. Configure the Bot Name in Features section: App Home.

Configure the new Application Credentials in Zimbra Collaboration
  1. Acquire the App key and App Secret from the Settings tab.

  2. See Configuring LDAP.

Setting Up Zoom

For Zoom to work with Zimbra Collaboration, the server must have ephemeral storage configured.
Create a Zoom Application
  1. Sign-in to Zoom as your organization‘s owner or an organization account with the developer role.

  2. Visit Zoom App Management

  3. Choose Develop → Build App → OAuth → Create

  4. Configure the App name, turn on User-managed app, leave on the intent to publish, then click Create.

  5. Navigate to the App Credentials section via the left navigation menu.

  6. Add the following Redirect URL to the Production section (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/authenticate/zoom

  7. Add the following Whitelist URLs (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/authenticate/zoom

    2. https://<hostname>/@zimbra/service/extension/oauth2/authenticate/zoom

  8. Navigate to the Information section via the left navigation menu.

  9. Configure the Deauthorization Notification Endpoint URL (Replace "<hostname>" with the public hostname of your Zimbra Collaboration server):

    1. https://<hostname>/service/extension/oauth2/deauthorization/zoom

  10. Navigate to the Scopes section via the left navigation menu.

  11. Add the required Scopes:

    1. meeting:write

    2. user:read

  12. Navigate to the Submit section via the left navigation menu.

  13. Generate a Publishable URL then leave the Submit page (do not submit the app if using for a single Zoom Organization account).

Configure the new Application Credentials in Zimbra Collaboration
  1. Acquire the App key and App Secret from the Settings tab.

  2. See Configuring LDAP.

Setting up NextCloud

For easy understanding of the steps, we will refer to following examples throughout the section:

NextCloud Server - nextcloud.server.com

Zimbra Server - myzimbra.server.com

Domain - example.com

You can skip step #1 if you already have NextCloud server setup available.
  1. Setup a NextCloud server by following this video - https://www.youtube.com/watch?v=QXfsi0pwgYw

  2. Install NextCloud zimlet and its dependencies on Zimbra Server:

    1. To install on Red Hat and CentOS, run:

      yum install zimbra-zimlet-nextcloud
    2. To install on Ubuntu, run:

      apt-get install zimbra-zimlet-nextcloud
    3. Restart zmmailbox server:

      su - zimbra
      zmmailboxdctl restart
  3. On NextCloud server, update the below configuration in /etc/httpd/conf.d/nextcloud-ssl.conf

    RewriteEngine On
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
  4. Login to NextCloud server URL https://nextcloud.server.com and navigate to Settings → Administration → Security.

    1. In Brute-force IP whitelist section, specify the Zimbra server’s IP Range.

    2. In OAuth 2.0 clients section, specify the Name and Redirection URL of the Zimbra server. For e.g.:

      Specify Name - My Zimbra Server

    3. Copy the Client Identifier and Client Secret fields for the above entered Client. This will be used to update LDAP related configuration in the next step.

  5. To enable NextCloud for domain example.com, add LDAP entries for it by executing the following commands:

    zmprov md example.com zimbraOAuthConsumerCredentials <Client Identifier>:<Client Secret>:nextcloud
    zmprov md example.com zimbraOAuthConsumerRedirectUri https://myzimbra.server.com/service/extension/oauth2/authenticate/nextcloud:nextcloud
    zmprov md example.com zimbraOAuthConsumerAPIScope  'https://nextcloud.server.com/nextcloud/index.php:nextcloud_noop'
zimbraOAuthConsumerAPIScope holds the URL to your Nextcloud instance, in our example we have set-up Nextcloud in a folder /nextcloud on nextcloud.server.com. If your Nextcloud is installed directly in the root / of your domain, make sure to use https://nextcloud.server.com/index.php:nextcloud_noop as zimbraOAuthConsumerAPIScope.

Setting up Jitsi Videoconferencing Solution

Jitsi is a fully encrypted, 100% open-source, video conferencing solution. Jitsi integration is available in the Modern Web App allowing end-users to set up video conferencing directly in their calendar; i.e. just click a button to add a Jitsi link to a meeting invite and then launch into that video meeting.

Administrators must install/enable the zimlet and define what video server instance they plan to use. Administrators can deploy their own Jitsi video server instance. Even if administrators have not set up a Jitsi server instance, the Jitsi integration zimlet can use Jitsi’s publicly available free video conferencing solution to schedule meetings for the end users.

No configuration changes are required if Jitsi’s publicly available free video conferencing solution is used for setting up events.
  1. Install Jitsi zimlet and its dependencies on Zimbra Server:

    1. To install on Red Hat or CentOS, run:

      yum install zimbra-zimlet-jitsi
    2. To install on Ubuntu, run:

      apt-get install zimbra-zimlet-jitsi
    3. Restart zmmailbox server:

      su - zimbra
      zmmailboxdctl restart

Setting up separate Jitsi server for the organization

If an organization do not intend to use Jitsi’s publicly available free video conferencing solution and wants to set up their own Jitsi server, they can refer to this setup guide

Once the Jitsi server is set up, configuration changes would be required on the Zimbra server to update the organization’s Jitsi server URL.

In this example, we will assume your organization’s Jitsi server URL as https://my-org-jitsi-server.com.

  1. The following CLI commands need to be run as zimbra user.

    su - zimbra
  2. Go to /opt/zimbra/zimlets-deployed/zimbra-zimlet-jitsi.

  3. Edit config_template.xml and change the value of jitUrl parameter to https://my-org-jitsi-server.com.

  4. Example of the global block in the file after the update.

    <zimletConfig name="zimbra-zimlet-jitsi" version="0.0.1">
       <global>
           <property name="jitsiUrl"> https://my-org-jitsi-server.com</property>
       </global>
    </zimletConfig>
  5. Execute these commands to apply the changes:

    zmzimletctl configure config_template.xml
    zmprov fc all
For already logged in users, they will have to reload the Modern UI to apply configuration changes.

Setting up Signature Template

The Signature Template Zimlet offers a globally configured email signature template that users can use to configure their email signature. This way all users in an organization can have a uniform signature.

The Administrator must install the zimlet and enable it for the users.

In case of images in HTML, those should be on a public URL that does not change, as that will be fetched by the recipients.
  1. The following CLI commands need to be run as zimbra user.

    su - zimbra
  2. Copy and paste the below config file in /tmp/zimbra-zimlet-signature-template.xml:

    <zimletConfig name="zimbra-zimlet-signature-template" version="0.0.1">
        <global>
            <property name="htmlTemplate">PGRpdj48c3BhbiBzdHlsZT0iY29sb3I6ICNlMDNlMmQ7Ij48c3Ryb25nPk5BTUU8L3N0cm9uZz48L3NwYW4+PC9kaXY+PGRpdj48ZW0+PHNwYW4gc3R5bGU9ImNvbG9yOiAjN2U4YzhkOyI+RlVOQ1RJT048L3NwYW4+PC9lbT48YnIvPjxici8+PGltZyBzcmM9Imh0dHBzOi8vczIyLnE0Y2RuLmNvbS80NzYzMjUxMzcvZmlsZXMvZGVzaWduL3N5bmFjb3ItbG9nby0yMDE2LXJnYi5wbmciPjwvaW1nPjwvZGl2Pgo=</property>
        </global>
    </zimletConfig>
  3. Use base64 decoder to decode the htmlTemplate value.

  4. Make the required changes in htmlTemplate block. Re-encode it and paste it in /tmp/zimbra-zimlet-signature-template.xml

  5. Deploy the changes:

    zmzimletctl configure  /tmp/zimbra-zimlet-signature-template.xml

Using the Voice Service

Unified Communications (UC) is the integration of multiple modes of communication services, allowing users to receive communication from one service, such as voice mail, and respond using another service, such as Click-to-Call.

This feature is supported only in the Classic Web App.

Zimbra uses real-time communications services such as voice, telephony and presence to inter-operate with non-real-time services such as email and voice mail. The Zimbra Collaboration Voice Service feature includes Visual Voice Mail, Click-to-Call, and Presence (Cisco only). Zimbra Collaboration uses Cisco or Mitel servers, as a third-party voice server, or UC server, to bridge calls between Zimbra Collaboration and the Zimbra Classic Web App.

Note: UC system administrators are responsible for configuring the UC server based on that UC server’s documentation.

You enable the voice service from the administration console. Users use the voice service feature from the Voice tab in the Classic Web App.

When users sign into the voice service from their Zimbra account, they are actually logging into a UC server. After the initial user set-up, the voice service is seamless and requires no additional account configuration.

Voice service features include:

  • Visual Voice Mail: From the Voice tab, users can easily view and listen to voice mails and view details such as caller name, time details, and length of message. Users can call back the person that left the message, forward or reply to the message by email, save or delete the message, and select how to be notified of a new voice message. Supported audio formats include WAV and MP3.

  • Click-to-Call: The ability to make a phone call from a the Zimbra account. Users can highlight and click phone number in their email to dial, or select a contact’s phone number from their contact lists. The call is bridged from the registered physical or soft phone the user selects to use to call the recipient. Click-to-Call eliminates the use for a dial pad on a phone.

  • Click-to-Chat: (Cisco clients only) The ability to chat with a contact using the Cisco Jabber client and Zimbra. Users must have the recipient’s IM address stored in their contact information. They can then access the recipient’s contact card and click the IM link to initiate a chat session.

  • Presence: (Cisco clients only) The ability to display in real time the availability information about users or contacts. When using Cisco Jabber, users can manually set their presence status or it is automatically set for them. For example, when users are on a phone call their presence status is automatically set to “on a call”. Presence status is displayed as available, away, on a call, or do not disturb.

Order of Configuration

To create voice service, follow the order of configuration as follows:

  1. Access URLs, as described in Using a Third-Party Unified Communications Server.

  2. Create the voice service, as described in Creating the Voice/Chat Service.

  3. Enable the voice service and the voice feature, as described in Enabling the Voice/Chat Service. Enabling the voice feature allows the Voice tab to display in the Classic Web App.

  4. Enable the appropriate Zimlets for the vendor server you are using, as described in Enabling the Voice/Chat Zimlets.

Voice Service Requirements

The following are required for Zimbra Collaboration voice service:

  • Voice Service license: A Zimbra Collaboration license with the voice service feature is required. To obtain this license, see the Zimbra Collaboration Server License section for more information.

  • Unified Communications Server: Third-Party Unified Communications server requirements for either Cisco or Mitel are listed below. URLs from the UC server are used in the configuration of the Zimbra Collaboration voice service, as described in Using a Third-Party Unified Communications Server.

    • For Cisco:

      • Cisco Unity Connection (UC) 8.5 and above. Cisco UC generates the Voice URL used in the voice service configuration.

      • Cisco Unified Communications Manager (CUCM) 7.1(3): Enable Web Dialer service for Click-to-Call functionality. Cisco CUCM generates the Call URL used in the voice service configuration.

      • Cisco Unified Presence Server (CUPS) 8.0: Cisco CUPS requires Presence Web Service to be enabled, and an application user must be created for viewing the presence. This is done in Cisco Communications Manager (CUCM) → User Management. Cisco CUPS generates the Presence URL used in the voice service configuration.

      • Cisco Jabber client provided to users for UC collaboration.

    • For Mitel:

      • Mitel Unified Communicator Advanced (Mitel UCA) 5.0.23.0 release and above. Mitel UCA generates the URLs used in the voice service configuration.

  • Zimbra Collaboration Zimlets: Voice Preferences Zimlet, Cisco Click2Call Zimlet or Mitel Click2Call Zimlet

Using a Third-Party Unified Communications Server

The Zimbra Collaboration Voice Service uses a third-party Unified Communications (UC) server to bridge calls between Zimbra Collaboration and the UC server. UC server domain information is added to the Zimbra Collaboration administrator console as a Proxy Allowed Domain. This allows Zimlets that are used in the configuration of the voice service to send requests to the UC servers, such as for the Click-To-Call and/or Presence feature. The following URLs from the UC server are used to configure the voice service.

Cisco URLs

  • Voice URL: The Voice URL is the URL of the Cisco UC server. For example, https://xx.xx.xxx.xx. This URL is used by the Zimbra Collaboration server to fetch user’s voice mails from the Cisco UC server on behalf of users.

  • Call URL: The Call URL is the URL of the Cisco CUCM server. For example, https://xx.xx.xxx.xx/webdialer/services/WebdialerSoapService70. This URL is used by the Zimbra Collaboration Cisco Click2Call Zimlet to send requests to the Cisco CUCM server to bridge calls.

  • Presence URL: The Presence URL is the URL of the Cisco CUPS server and used to generate a session ID. For example, http://xx.xx.xxx.xx:8082/presence-service/users. This URL is used by the Zimbra Collaboration Email Zimlet to send fetch requests to the contact’s presence from the Cisco CUPS server.

Note: Provision an application user name and password using the Cisco Unified Presence Server (CUPS).

Mitel URLs

  • Voice URL: The Voice URL is the URL of the Mitel server. For example https://xx.xx.xxx.xx. This URL is used by the Zimbra Collaboration server to fetch user’s voice mails from the Mitel Voice server on behalf of users.

  • Call URL: The Call URL is the URL of the Mitel server. For example, https://xx.xx.xxx.xx/webdialer/services/WebdialerSoapService70. This URL is used by the Zimbra Collaboration Mitel Click2Call Zimlet to send requests to the Mitel server to bridge calls.

  • User URL: The User URL is the URL of the Mitel server. This URL is used by Zimbra Collaboration for user identification/authentication.

Creating the Voice/Chat Service

When creating the voice/chat service in Zimbra, you are enabling the bridge between Zimbra Collaboration and a third-party UC server. You create a service for a domain, Class of Service (COS), or user.

  1. In the Zimbra Collaboration administrator console, go to the Home>Configure>Voice/Chat Service page.

  2. From the gear icon menu, select New.

  3. On the Choose Voice/Chat Vendor, select your vendor from the drop-down menu.

  4. Click OK.

  5. Add a Display name for the domain, COS, or user you are creating.

  6. Add the URLs for the voice services you want to enable.

  7. Click OK.

Configure Presence (Cisco only)

If configuring Presence, you must generate a Presence Session ID.

  1. Go to Configure>Voice/Chat Service page.

  2. Select the voice service for which you want to generate a Presence Session ID.

  3. Click the gear icon drop down menu and select Generate Session ID from the menu.

  4. Enter the Presence User Name and Presence Password, which are the credentials for the presence server to authenticate the voice connection between Zimbra Collaboration and the UC server. This allows Zimbra to retrieve presence information for users.

  5. Click OK. A presence session ID is generated and displays as the Presence Session ID.

Enabling the Voice/Chat Service

After you create the voice/chat service for a domain, COS, or user, you must enable the voice/chat service. For COS and User accounts, you also enable the voice feature which displays the Voice tab in the Classic Web App.

Enable Voice/Chat Service on a Domain

For Voice/Chat service on a domain, enable the service on the Domains>General Information page.

  1. Go to the Configure>Domains page.

  2. Select the domain for which you want to enable voice service.

  3. Click the gear icon menu and select Edit.

  4. Scroll down to Voice and Chat section and from the Voice/Chat Service drop-down menu select the voice service to enable.

  5. Click Save.

Enable Voice/Chat Service on a COS

For Voice/Chat service on a COS, you must first enable the voice/chat service and then enable the voice feature.

  1. Go to the Configure>Class of Service page.

  2. Select the COS for which you want to enable the voice service.

  3. Click the gear icon drop and select Edit.

  4. On the General Information page, scroll down to Voice and Chat section and from the Voice/Chat Service drop-down menu select the voice service to enable.

  5. In the Navigation pane, click Features.

  6. On the Features page, scroll down to Voice and Chat Features section and click Enable Voice Feature. This displays the Voice tab in the Classic Web App.

  7. Click Save.

Enable Voice/Chat Service on a User Account

For Voice/Chat service on a User Account, you must first enable the voice/chat service and then enable the voice feature.

  1. Go to the Home>Manage>Accounts page.

  2. Select the account for which you want to enable voice service.

  3. Click the gear icon drop and select Edit.

  4. On the General Information page, scroll down to Voice and Chat section.

  5. From the Voice/Chat Service menu select the voice service to enable.

  6. Enter a Chat/Voice Username for the user. This is the user account name in the third-party UC server. If you do not provide a name, the default name is used. For example for email account user1@domain.com, the default voice username is “user1”.

  7. From the Voice/Chat Service menu select the voice service to enable.

  8. In the Navigation pane, click Features.

  9. On the Features page, scroll down to Voice and Chat Features section and click Enable Voice Feature. This displays the Voice tab in the Classic Web App.

  10. Click Save.

Enabling the Voice/Chat Zimlets

Zimlets are used in the configuration of the voice service to enable the service and send requests to the UC servers. The Voice Preferences Zimlet adds a voice page to the user interface, and the vendor specific Click2Call Zimlets provide the click to call capability.

  1. Go to the Home>Configure>Zimlets page.

  2. Enable the Voice Preferences Zimlet.

    • Select the Voice Preferences Zimlet in the Content pane.

    • Go to the gear icon menu and select Deploy.

  3. Enable the vendor Zimlet for Click2Call.

    • Select the Zimlet appropriate to the vender server you are using:

  4. If you are using Cisco, select the Cisco Click2Call Zimlet.

  5. If you are using Mitel, select the Mitel Click2Call Zimlet.

    • Go to the gear icon menu and select Deploy.

If you want to undeploy a Zimlet, select the Zimlet and go to the gear icon drop down menu and select Undeploy, or you can toggle the Zimlet.

Backup NG

Real-Time Scan

What is the Real-Time Scanner?

The Real-Time Scanner is the most significant innovation in Backup NG. Each event on the system is recorded live to Zimbra’s RedoLog and saved by Backup NG, which means that it is always possible to rollback an account to a previous state. Thanks to the Real-Time Scanner, all the restore modes work with split-second precision.

How Does it Work?

The Real-Time Scanner reads all the events of the mail server almost real-time by following the flow of information provided by the RedoLog. Then it 'replicates' the same operations on its data structure, creating items or updating their metadata. No information in the backup gets overwritten, so every item has its complete history.

Managing the Real-Time Scanner

Enabling the Real-Time Scanner
Via the Administration Zimlet
  • Select the Backup NG Tab.

  • Under Real-Time Scanner, press the Enable button.

When the Real-Time Scanner is enabled for the first time or re-enabled after a stop, a SmartScan is required. A warning gets displayed after enabling the Real-Time Scanner, prompting you to start the SmartScan either via the CLI or the Admin Console.
Via the CLI

The ZxBackup_RealTimeScanner property of the Backup NG module must be set to true to enable the Real-Time Scanner via the CLI:

zxsuite backup setProperty ZxBackup_RealTimeScanner TRUE
Disabling the Real-Time Scanner
Via the Administration Zimlet
  • Select the Backup NG Tab.

  • Under Real-Time Scanner, press the Disable button.

Via the CLI

The ZxBackup_RealTimeScanner property of the Backup NG module must be set to false to disable the Real-Time Scanner via the CLI:

zxsuite backup setProperty ZxBackup_RealTimeScanner FALSE
Why Should I Disable the Real-Time Scanner?

The only time you should disable the Real-Time Scanner is while performing an External Restore of multiple domains, as a safety measure to avoid high load on your server. After the import, re-enable the Real-Time Scanner and perform a SmartScan when prompted.

Limitations and Safety Scan

The main limitation when restoring data acquired via the Real-Time Scanner is:

  • Emptied Folder - when a user uses the Empty Folder button in the right-click context menu

In this case, and any time Backup NG cannot determine the status of an item by reading the metadata saved by the Real-Time Scan, an Account Scan on the given account is triggered BEFORE the restore.

Doing so fixes any misaligned data and sanitizes the backed up metadata for the mailbox.

Blobless Backup Mode

Blobless Backup Mode is a new feature that avoids backing up item blobs while still safeguarding all other item-related information.

This mode takes advantage of advanced storage capabilities of the storage solution, such as built-in backup or data replication, optimizing both the backup module’s disk space usage and restore speed.

Blobless Backup Requirements

These are the requirements to enable Blobless Backup Mode:

  • The server is running Zimbra 8.8.15 or higher.

  • No "independent" third-party volumes must exist: Blobless Backup Mode is only compatible with local volumes and centralized third-party volumes.

Blobless Backup Mode is storage-agnostic and can be enabled on any server or infrastructure that meets the requirements above regardless of the specific storage vendor.

How Blobless Backup Mode works

Blobless Backup Mode works exactly as its default counterpart: the RealTime Scanner takes care of backing up item changes while the SmartScan manages domain/cos/account consistency. The only difference between the two is that in Blobless Backup Mode, the backup contains no items of kind blob while still saving all metadata and transaction history.

It’s essential to consider that once enabled, Blobless Backup Mode affects the entire server, and no blobs get backed up regardless of the target volume and HSM policies.

Restoring Data from a Blobless Backup dataset

To date, Blobless Backup Mode is only compatible with the "Raw Restore" operation. In the future, additional restore operations will become compatible with blobless datasets.

Enabling Blobless Backup Mode

Blobless Backup Mode can be enabled or disabled through the backupBloblessMode NG attribute at global and server level:

zxsuite config global set attribute backupBloblessMode value true
zxsuite config server set mail.example.com attribute backupBloblessMode value true

SmartScan

What is the SmartScan?

The SmartScan is the primary coherency check for the health of your backup system. It’s Smart because it operates only on accounts modified since the last SmartScan, hence improving system performance and decreasing scan time exponentially.

The default SmartScan schedule executes each night (if Scan Operation Scheduling is enabled in the Backup NG section of the Administration Zimlet). Once a week, on a day set by the user, a Purge executes together with the SmartScan to clear Backup NG’s datastore from any deleted item that exceeded the retention period.

How Does it Work?

The Backup NG engine scans all the items on the Zimbra Datastore, looking for items modified after the last SmartScan. It updates any outdated entry and creates any item not yet present in the backup while flagging as deleted any item found in the backup and not in the Zimbra datastore.

Finally, it updates all configuration metadata in the backup to store domains, accounts, COSs, and server configurations along with a dump of all LDAP data and config.

When is a SmartScan Executed?

  • When the Backup NG module starts.

  • Daily, if the Scan Operation Scheduling is enabled in the Administration Zimlet.

  • When re-enabling the Real-Time Scanner via the Administration Zimlet after being previously disabled.

Running a SmartScan

Starting the Scan via the Administration Zimlet

To start a SmartScan via the Administration Zimlet,

  • Open the Administration Zimlet.

  • Click the Backup NG tab (be sure to have a valid license).

  • Click Run Smartscan.

Starting the Scan via the CLI

To start a FullScan via the CLI, use the doSmartScan command:

Syntax:
   zxsuite backup doSmartScan [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                TYPE
notifications(O)    Email Address[,..]

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup dosmartscan notifications user1@example.com,user2@example.com
Performs a smart scan and sends notifications to user1@example.com and user2@example.com
Checking the Status of a Running Scan

To check the status of a running scan via the CLI, use the monitor command:

Syntax:
   zxsuite backup monitor {operation_uuid} [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                 TYPE
operation_uuid(M)    Uiid
operation_host(O)    String

(M) == mandatory parameter, (O) == optional parameter

Purge

What is the Backup Purge?

The Backup Purge is a cleanup operation that removes from the Backup Path any deleted item that exceeded the retention time defined by the Data Retention Policy.

How Does it Work?

The Purge engine scans the metadata of all deleted items, and it removes any item whose last update (deletion) timestamp is higher than the retention time.

Any item BLOB still referenced by one or more valid metadata files is not deleted, thanks to Backup NG’s built-in deduplication.

SPostfix customizations backed up by Backup NG also follow the backup path’s purge policies. Change policies in the Backup NG section of the Administration Zimlet by unchecking the Purge old customizations checkbox.

When is a Backup Purge Executed?

  • Weekly, if the Scan Operation Scheduling is enabled in the Administration Zimlet.

  • When manually started either via the Administration Console or the CLI.

Infinite Retention

When the Data Retention Policy is set to 0, meaning infinite retention, the Backup Purge immediately exits since no deleted item can exceed an infinite retention time.

Running a Backup Purge

Starting the Backup Purge via the Administration Zimlet

To start a BackupPurge via the Administration Zimlet:

  • Click the Backup NG tab (be sure to have a valid license).

  • Click the Run Purge button in the top-right part of the UI.

Starting the Backup Purge via the CLI

To start a BackupPurge via the CLI, use the doPurge command:

Syntax:
   zxsuite backup doPurge [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME              TYPE
purgeDays(O)      String
backup_path(O)    Path

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup dopurge purgeDays 30 backup_path /opt/zimbra/backup/backup_name
Checking the Status of a Running Backup Purge

To check the status of a running Purge via the CLI, use the monitor command:

Syntax:
   zxsuite backup monitor {operation_uuid} [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                 TYPE
operation_uuid(M)    Uiid
operation_host(O)    String

(M) == mandatory parameter, (O) == optional parameter

External Backup

What is the External Backup?

The External Backup is one of the Backup Methods of Backup NG. It creates a snapshot of the mail system, which is ready for migration or Disaster Recovery. Exported data is deduplicated and compressed to optimize disk utilization, transfer times, and I/O rates.

How Does it Work?

The Backup NG engine scans all the data in the Zimbra datastore, saving all the items (deduplicated and compressed) into a folder of your choice.

Folder Permissions

The destination folder must be readable and writable by the zimbra user.

To create a valid export directory, run the following commands:

mkdir /opt/zimbra/backup/yourdestfolder

chown -R zimbra:zimbra /opt/zimbra/backup/yourdestfolder

Preparing the Migration

To minimize the risk of errors, please perform the following maintenance procedures before migrating:

  • Double check Zimbra permissions with the following command (must run as root): /opt/zimbra/libexec/zmfixperms --verbose --extended

  • Reindex all mailboxes.

  • Check the BLOB consistency with the zxsuite hsm doCheckBlobs utility.

Running an External Backup

Via the Administration Zimlet

To start an External Backup via the Administration Zimlet:

  • Click the Backup NG tab.

  • Click the Export Backup button under Import/Export to open the Export Backup wizard.

  • Enter the Destination Path in the textbox, and press Next. The software checks if the destination folder is empty and whether the 'zimbra' user has R/W permissions.

  • Select the domains you want to export, and press Next.

  • Verify all your choices in the Operation Summary window. You can also add additional email addresses for notification when the restore operation finishes. Please note that the system sends notifications by default to the Admin account and the user who started the restore procedure.

Via the CLI

To start an External Backup via the CLI, use doExport command:

Syntax:
   zxsuite backup doExport {destination_path} [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                   TYPE                  DEFAULT
destination_path(M)    Path
domains(O)             Domain Name[,..]      all
notifications(O)       Email Address[,..]

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doexport /opt/zimbra/backup/ domains example.com notifications john@example.com
Exports a backup of example.com to /opt/zimbra/backup/ and notifies john@example.com

Scheduling Script

You can use the NG CLI to schedule External Backup operations. Scheduling is handy; for example, when you need to keep a daily/weekly/monthly backup for corporate or legal reasons.

Restore on New Account

What is the Restore on New Account?

The Restore on New Account procedure allows you to restore the contents and preferences of a mailbox as it was in a moment in time, into a completely new account. The source account is unchanged in any way, so it is possible to recover one or more deleted items in a user’s account without actually rolling back the whole mailbox. When you run this kind of restore, you can choose to hide the newly created account from the GAL as a security measure.

How Does it Work?

When a Restore on New Account starts, a new account gets created (the Destination Account), with all the items existing in the source account at the moment selected, including the folder structure and all the user’s data. All restored items are created in the current primary store unless you check the Obey HSM Policy box.

When restoring data on a new account, shared items consistency is lost, as the original share rules refer to the source account’s ID, not to the new (restored) account.

Running a Restore on New Account via the Administration Zimlet

A Restore on New Account can run in two ways.

From the Account List

Running Restore from the Accounts tab in the Zimbra Administration Console allows you to operate on users currently existing on the server.
If you need to restore a deleted user, please proceed to Restore via the Administration Zimlet.

  • Select Accounts in the left pane of the Administration Console to show the Accounts List.

  • Browse the list and click the account to restore (Source).

  • On the top bar, press the wheel and then the `Restore ` button.

  • Select Restore on New Account as the Restore Mode and enter the name of the new account (Destination) into the text box. You can then choose whether to Hide in GAL the new account or not, then press Next.

  • Choose the restore date. Day/Month/Year can be selected via a minical, the hour via a drop-down menu and minute and second via two text boxes. Click Next.

  • Verify all your choice in the Operation Summary window. You can also add additional email addresses for notification when the restore operation finishes. Please note that the system sends notifications by default to the Admin account and the user who started the restore procedure.

Click Finish to start the restore.

Running a Restore on New Account via the CLI

To start a Restore on New Account via the CLI, use the doRestoreOnNewAccount command:

Syntax:
   zxsuite backup doRestoreOnNewAccount {source_account} {destination_account} {"dd/MM/yyyy HH:mm:ss"|last} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                       TYPE                  EXPECTED VALUES
source_account(M)          Account Name
destination_account(M)     Account Name/ID
date(M)                    Date                  `dd/MM/yyyy HH:mm:ss`|last
restore_chat_buddies(O)    Boolean               true|false
notifications(O)           Email Address[,..]

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup dorestoreonnewaccount John NewJohn `28/09/2021 10:15:10`
Restores John's account in a new account named NewJohn

Undelete Restore

What is Undelete Restore?

Undelete Restore is one of the Restore Modes available in Backup NG. It allows an administrator to restore all items deleted from a mailbox during a given period and put them into a dedicated Zimbra folder inside the mailbox itself.

How Does it Work?

During an Undelete Restore, the Backup NG engine searches the backup datastore for items flagged as DELETED and restores them in a dedicated folder in the selected mailbox.

The IMAP deleted flag is stripped from restored items so that they are visible for the user in the Zimbra Classic Web App.

Running an Undelete Restore

Via the Administration Console
  • Select Accounts in the left pane of the Administration Console to show the Accounts List.

  • Browse the list and click the account to restore (Source).

  • On the top bar, press the wheel and then the `Restore ` button".

  • Select Undelete as the Restore Mode and press Next.

  • Choose the restore date-time slot. Day/Month/Year can be selected via a minical, the hour via a drop-down menu and the minute and second via two text boxes. Click Next.

  • Verify your choices in the Operation Summary window. You can also add additional email addresses for notification when the restore operation finishes. Please note that the system sends notifications by default to the Admin account and the user who started the restore procedure.

  • Click Finish to start the Restore.

Via the CLI

To start an Undelete Restore operation, use the doUndelete command:

Syntax:
   zxsuite backup doUndelete {account} {"dd/MM/yyyy HH:mm:ss"|first} {"dd/MM/yyyy HH:mm:ss"|last} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                TYPE                  EXPECTED VALUES
account(M)          Account Name
start_date(M)       Date                  `dd/MM/yyyy HH:mm:ss`|first
end_date(M)         Date                  `dd/MM/yyyy HH:mm:ss`|last
notifications(O)    Email Address[,..]

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doundelete John `08/10/2021 10:15:00` last
Performs an undelete on John's account of all items created between 08/10/2021 10:15:00 and the latest data available

External Restore

What is the External Restore?

The External Restore is one of the Restore Modes of Backup NG.

How Does it Work?

The External Restore adds to the current Zimbra server all the data, metadata, and configuration data stored on an external backup.

The workflow of the import procedure is as follows:

PHASE1

  • ''Operation Started'' notification

  • Read Server Backup Data

  • Create empty Domains

  • Create needed COS (only those effectively used by the imported accounts)

  • Create empty DLs

  • Create empty Accounts

  • Restore all Accounts' attributes

  • Restore all Domains' attributes

  • Restore all DLs' attributes and share information

  • ''PHASE1 Feedback'' Notification

PHASE2

  • Restore all Items

PHASE3

  • Restore all Mountpoints and Datasources

  • ''Operation Ended'' notification with complete feedback

Before You Start

If Backup NG previously initialized on the destination server, disable the RealTime Scanner to improve both memory usage and I/O performance.

To reduce the I/O overhead and the amount of disk space used for the migration, advanced users may tweak or disable Zimbra’s RedoLog for the duration of the import.

To further reduce the amount of disk space used, it’s possible to enable compression on your current primary volume before starting the import. If you do not wish to use a compressed primary volume after migration, it’s possible to create a new and uncompressed primary volume. Set the new volume to Current and the old one to Secondary. All of this is supported using the HSM NG module.

Running an External Restore

Via the Administration Zimlet
  • Click the Backup NG tab.

  • Click the Import Backup button under Import/Export to open the Import Backup wizard.

  • Enter the Destination Path into the text box and press Forward. The software checks if the destination folder contains a valid backup and whether the 'zimbra' user has Read permissions.

  • Select the domains you want to import and press Forward.

  • Select the accounts you want to import and press Forward.

  • Verify all your choices in the Operation Summary window. You can also add additional email addresses for notification when the restore operation finishes. Please note that the system sends notifications by default to the Admin account and the user who started the restore procedure.

Via the CLI

To start an External Restore operation, use the doExternalRestore command:

Syntax:
   zxsuite backup doExternalRestore {source_path} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                          TYPE                 EXPECTED VALUES    DEFAULT
source_path(M)                Path
accounts(O)                   Account Name[,..]                       all
domains(O)                    Domain Name[,..]                        all
filter_deleted(O)             Boolean              true|false         true
skip_system_accounts(O)       Boolean              true|false         true
skip_aliases(O)               Boolean              true|false         false
skip_distribution_lists(O)    Boolean              true|false         false
provisioning_only(O)          Boolean              true|false         false
skip_coses(O)                 Boolean              true|false         false
notifications(O)              Email Address

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doexternalrestore /opt/zimbra/backup/restorePath/ accounts john@example.com,jack@example.com domains example.com filter_deleted false skip_system_accounts false
Restores the example.com domain, including all system accounts, and the john@example.com and jack@example.com accounts from a backup located in /opt/zimbra/backup/restorePath/

Speeding up the Restore through Multithreading

The concurrent_accounts parameter allows you to restore multiple accounts at the same time, thus greatly speeding up the restore process. This feature is not available via the Administration Console.

Although resource consumption does not grow linearly with the number of accounts restored at once, it can easily become taxing. Start from a low number of concurrent accounts and raise it according to your server’s performance.
Usage example:

zxsuite backup doExternalRestore /tmp/external1 domains example0.com,example1.com concurrent_accounts 5

Restores the example0.com and example1.com domain, excluding system accounts, restoring 5 accounts at the same time from a backup located in /tmp/external1

After the Restore: Message Deduplication

We strongly recommend running volume-wide deduplication with the HSM NG module after an External Restore. The native deduplication system can be ineffective when sequentially importing accounts.

Restore Deleted Account

What is the Restore Deleted Account?

The Restore Deleted Account procedure allows you to restore the contents and preferences of a mailbox into a completely new account, as it was when deleting the said mailbox.

How Does it Work?

When a Restore Deleted Account starts, a new account gets created (the Destination Account), with all the items existing in the source account at the moment of the deletion, including the folder structure and all the user’s data. All restored items are created in the current primary store unless you’ve checked the Obey HSM Policy box.

When restoring data on a new account, shared items consistency is lost, as the original share rules refer to the source account’s ID, not to the new (restored) account.
From the Backup NG tab
  • Select Backup NG in the left pane of the Administration Console to show the Backup NG tab.

  • On the top bar, push the Restore Deleted Account button.

  • Choose the restore date. Day/Month/Year can be selected via a minical, the hour via a drop-down menu and the minute and second via two text boxes. Click Next.

  • Browse the list and click the account to restore (Source).

  • Enter the name of the new account (Destination) in the text box. You can then choose whether to Hide in GAL the new account or not then press Next.

  • Verify all your choices in the Operation Summary window. You can also add additional email addresses for notification when the restore operation finishes. Please note that the system sends notifications by default to the Admin account and the user who started the restore procedure.

  • Click Finish to start the Restore.

Item Restore

What is the Item Restore?

The Item Restore is one of the Restore Modes of Backup NG.

How Does it Work?

A single item restores from the backup to the owner’s account. You may restore any type of item this way.

Running an Item Restore

Via the Administration Zimlet

Item Restore is only available through the CLI.

Via the CLI

To start an Item Restore operation, use the doItemRestore command:

Syntax:
   zxsuite backup doItemRestore {account_name} {item_id} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                 TYPE
account_name(M)      Account Name
item_id(M)           Integer
restore_folder(O)    String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doitemrestore john@example.com 4784
Restores item 4784 in the `john@example.com` mailbox
How to Obtain the itemID

The itemID is part of the metadata of an item, consisting of a unique code that identifies an item in a mailbox.

It resides along with all other metadata in a file inside the items directory of the proper account in

[backup path]/accounts/[accountID]/items/[last 2 digits of itemID]/[itemID]

e.g.:

Item 2057 of account 4a217bb3-6861-4c9f-80f8-f345ae2897b5, default backup path
/opt/zimbra/backup/ng/accounts/4a217bb3-6861-4c9f-80f8-f345ae2897b5/items/57/2057

Metadata storage uses a plain text file, so tools like grep and find are effective for searching contents. To see the metadata contained in a file in a more readable format, you can use the zxsuite backup getItem command:

Syntax:
   zxsuite backup getItem {account} {item} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES            DEFAULT
account(M)        Account Name/ID
item(M)           Integer
backup_path(O)    Path                                          /opt/zimbra/backup/ng/
dump_blob(O)      Boolean            true|false                 false
date(O)           Date               dd/mm/yyyy hh:mm:ss|all    last

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup getitem a7300a00-56ec-46c3-9773-c6ef7c4f3636 1
Shows item with id = 1 belonging to account a7300a00-56ec-46c3-9773-c6ef7c4f3636
zimbra@simone:~$ zxsuite backup getitem

command getItem requires more parameters

Syntax:
   zxsuite backup getItem {account} {item} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES            DEFAULT
account(M)        Account Name/ID
item(M)           Integer
backup_path(O)    Path                                          /opt/zimbra/backup/ng/
dump_blob(O)      Boolean            true|false                 false
date(O)           Date               dd/mm/yyyy hh:mm:ss|all    last

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup getitem a7300a00-56ec-46c3-9773-c6ef7c4f3636 1
Shows item with id = 1 belonging to account a7300a00-56ec-46c3-9773-c6ef7c4f3636

''Real Life'' Example

Let’s say a user moves one item to the trash:

2021-07-18 15:22:01,495 INFO  [btpool0-4361://localhost/service/soap/MsgActionRequest [name=user@domain.com;mid=2538;oip=258.236.789.647;ua=zclient/7.2.4_GA_2900;] mailop - moving Message (id=339) to Folder Trash (id=3)

and then empties the trash.

2021-07-18 15:25:08,962 INFO  [btpool0-4364://localhost/service/soap/FolderActionRequest] [name=user@domain.com;mid=2538;oip=258.236.789.647;ua=zclient/7.2.4_GA_2900;] mailbox - Emptying 9 items from /Trash, removeSubfolders=true.

She then calls the Administrator to restore the deleted item. Knowing the itemID and the email address, the Administrator runs the following as the zimbra user to restore the missing item:

zxsuite backup doItemRestore user@domain.com 339

Raw Restore

The "Raw Restore" operation is a DR-type restore operation compatible with both standard and blobless backup. In contrast to similar restore modes such as the External Restore, Raw Restore operates at a lower level to restore all item metadata, thus maintaining the original IDs for all objects restored.

The Raw Restore restores the source server’s Centralized Storage configuration. This step ensures that any data stored inside of a Centralized Storage is immediately available. If you are using local or independent third-party volumes, it is easy to move the item BLOBs from the primary storage or to restore those from a backup using the Blob Restore operation.

Differences between External Restore and Raw Restore

External Restore Raw Restore

Useable on any Zimbra version regardless of the source

Must match the very same Zimbra version and patch level as those on the source server

Does not restore any setting

Restores Centralized Storage settings

Does not support blobless Backup Paths

Is designed for blobless Backup Paths and compatible with standard Backup Paths

Does restore item BLOBs

Does not restore item BLOBs

Restored objects get created anew

Restored objects maintain their original ID

What will be restored
  • Centralized Storage configuration and settings

  • Domains

  • Classes of Service

  • Distribution lists

  • Mailboxes

  • Mailbox preferences

  • Item metadata

What will not be restored
  • Item Blobs

Running a Raw Restore

The Raw Restore is only available through the zxsuite CLI tool:

[zimbra@mail ~]$ zxsuite backup doRawRestore
Perform a disaster recovery

Syntax:
   zxsuite backup doRawRestore {source_path} [attr1 value1 [attr2 value2...]]


PARAMETER LIST

NAME                     TYPE                  EXPECTED VALUES    DEFAULT
source_path(M)           String
notifications(O)         Email Address[,..]
skipProvisioning(O)      Boolean               true|false         false
deleteWhenConflict(O)    Boolean               true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doRawRestore /my/backup/path notifications user1@example.com,user2@example.com skipProvisioning false deleteWhenConflict false
Performs a Raw Restore without restoring provisioning or deleting a mailbox when ids are conflicting, and sends notifications to user1@example.com and user2@example.com
The disaster recovery operation does not perform blob restore, use doRestoreBlobs when needed.

Usage scenarios

Restore of a single-server infrastructure

  1. Set up a new server (install Zimbra, configure Global and Server settings).

  2. Manually create any local or independent 3rd-party volume as it was on the original server.

  3. Start a Raw Restore using to restore domains, CoS mailboxes, and item metadata (mailboxes won’t be accessible until this step completes).

  4. If the source backup was not running in Blobless Mode, run zxsuite backup doRestoreBlobs for all volumes to restore item BLOBS.

Loss of a single mailbox node in a multiserver infrastructure

  1. Add a new mailbox node to the infrastructure.

  2. Manually create any local or independent 3rd-party volume as it was on the original server.

  3. Start a Raw Restore using the skipProvisioning true parameter to restore item metadata (mailboxes won’t be accessible until this step completes).

  4. If the source backup was not running in Blobless Mode, run zxsuite backup doRestoreBlobs for all volumes to restore item BLOBS.

Loss of multiple mailbox servers in an infrastructure

  1. Setup a new empty infrastructure (all servers and roles, setting up Global and Server configuration).

  2. Delete default admin, gal, ham, and spam accounts.

  3. On all mailbox servers, manually create any local or independent 3rd-party volume as it was on the original server.

  4. On the first mailbox server, start a Raw Restore using to restore domains, CoS mailboxes, and item metadata (mailboxes won’t be accessible until this step completes).

  5. On all other mailbox servers, start a Raw Restore using the skipProvisioning true parameter to restore item metadata.

  6. Once steps 3 and 4 complete, If the source backup was not running in Blobless Mode, run zxsuite backup doRestoreBlobs for all volumes on all mailbox servers to restore item BLOBS.

Disaster Recovery

The Disaster

What Can go Wrong

Any of these occurrences serve to classify a problem as a Disaster:

  • Hardware failure of one or more vital filesystems (such as / or /opt/zimbra/)

  • Contents of a vital filesystem made unusable by internal or external factors (like a careless rm * or an external intrusion)

  • Hardware failure of the physical machine hosting the Zimbra service or of the related virtualization infrastructure

  • A critical failure on a software or OS update/upgrade

Minimizing the Chances

Some suggestions to minimize the chances of a disaster:

  • Always keep vital filesystems on different drives (namely /, /opt/zimbra/ and your Backup NG path)

  • Use a monitoring/alerting tool for your server to become aware of problems as soon as they appear

  • Carefully plan your updates and migrations

The Recovery

How to Recover Your System

Consider the recovery of a system divided into 2 steps:

  • Base system recovery (OS installation and configuration, Zimbra installation and base configuration)

  • Data recovery (reimporting the last available data to the Zimbra server, including domain and user configurations, COS data and mailbox contents)

How can Backup NG Help with Recovery?

The Import Backup feature of Backup NG provides an easy and safe way to perform step 2 of recovery.

Using the old server’s backup path as the import path allows you to restore a basic installation of Zimbra to the last valid moment of your old server.

Here we’ve seen just one possible Disaster Recovery scenario: more advanced scenarios and techniques appear in the Zimbra Wiki.

The Recovery Process
  • Install Zimbra on a new server and configure the Server and Global settings.

  • Install Network NG modules on the new server.

  • Mount the backup folder of the old server onto the new one. If this is not available, use the last external backup available or the latest copy of either.

  • Begin an External Restore on the new server using the following CLI command:

zxsuite backup doExternalRestore /path/to/the/old/store

  • The External Restore operation creates the domains, accounts and distribution lists, so as soon as the first part of the Restore completes (check your Network NG Modules Notifications), the system is ready for your users. Emails and other mailbox items restore afterward.

Settings and Configs

Server and Global settings are backed up but not restored automatically. Backup NG’s high-level integration with Zimbra allows you to restore your data to a server with a different OS/Zimbra Release/Networking/Storage setup without any constraints other than the minimum Zimbra version required to run Network NG Modules.

Whether you wish to create a perfect copy of the old server or just take a cue from the old server’s settings to adapt those to a new environment, Backup NG comes with a very handy CLI command: getServerConfig.

zimbra@test:~$ zxsuite backup getServerConfig
command getServerConfig requires more parameters


Syntax:
   zxsuite backup getServerConfig {standard|customizations} [attr1 value1 [attr2 value2...


PARAMETER LIST


NAME              TYPE               EXPECTED VALUES                       DEFAULT
type(M)           Multiple choice    standard|customizations
date(O)           String             `dd/MM/yyyy HH:mm:ss`|"last"|"all"
backup_path(O)    Path                                                     /opt/zimbra/backup/ng/
file(O)           String             Path to backup file
query(O)          String             section/id/key
verbose(O)        String                                                   false
colors(O)         String                                                   false


(M) == mandatory parameter, (O) == optional parameter


Usage example:


zxsuite backup getserverconfig standard date last
 Display the latest backup data for Server and Global configuration.
zxsuite backup getserverconfig standard file /path/to/backup/file
 Display the contents of a backup file instead of the current server backup.
zxsuite backup getserverconfig standard date last query zimlets/com_zimbra_ymemoticons colors true verbose true
 Displays all settings for the com_zimbra_ymemoticons zimlet, using colored output and high verbosity.

Specifically, this will display the latest backed up configurations:

zxsuite backup getServerConfig standard backup_path /your/backup/path/ date last query / | less

You can change the query argument to display specific settings, e.g.

zimbra@test:~$ zxsuite backup getServerConfig standard date last backup_path /opt/zimbra/backup/ng/ query serverConfig/zimbraMailMode/test.domain.com


config date_______________________________________________________________________________________________28/02/2021 04:01:14 CET
test.domain.com____________________________________________________________________________________________________________both

The {zimbrahome}/conf/ and {zimbrahome}/postfix/conf/ directories are backed up as well:

zimbra@test:~$ zxsuite backup getServerConfig customizations date last verbose true
ATTENTION: These files contain the directories {zimbraHome}/conf/ and {zimbraHome}/postfix/conf/ compressed into a single archive.
           Restore can only be performed manually. Do it only if you know what you're doing.




        archives


                filename                                                    customizations_28_02_14#04_01_14.tar.gz
                path                                                        /opt/zimbra/backup/ng/server/
                modify date                                                 28/02/2021 04:01:14 CET

VMs and Snapshots

Thanks to the advent of highly evolved virtualization solutions in the past years, virtual machines are now the most common way to deploy server solutions such as Zimbra Collaboration Suite.

Most hypervisors feature customizable snapshot capabilities and snapshot-based VM backup systems. In case of a disaster, it’s always possible to roll back to the latest snapshot and import the missing data using the External Restore feature of Backup NG - using the server’s backup path as the import path.

Disaster Recovery from a Previous VM State

Snapshot-based backup systems allow you to keep a frozen copy of a VM in a valid state and rollback to it at will. To 100% ensure data consistency, it’s better to take snapshot copies of switched off VMs, but this is not mandatory.

When using these kinds of systems, it’s vital to make sure that the Backup Path isn’t either part of the snapshot (e.g., by setting the vdisk to `Independent Persistent in VMWare ESX/i) or altered in any way when rolling back, so the missing data is available for import.

To perform a disaster recovery from a previous machine state with Backup NG, you need to:

  • Restore the last valid backup into a separate (clone) VM in an isolated network, making sure that users can’t access it and that both incoming and outgoing emails are not delivered.

  • Switch on the clone and wait for Zimbra to start.

  • Disable Backup NG’s RealTime Scanner.

  • Connect the Virtual Disk containing the untampered Backup Path to the clone and mount it (on a different path).

  • Start an External Restore using the Backup Path as the Import Path.

Doing so parses all items in the Backup Path, and import the missing ones, speeding up the disaster recovery. These steps can be repeated as many times as needed as long as you suppress user access and mail traffic.

After the restore completes, make sure that everything is functional and restore user access and mail traffic.

The Aftermath

What Now?

Should you need to restore any content from before the disaster, just initialize a new Backup Path and store the old one.

Unrestorable Items

How can I check if all of my items have been restored?

It’s very easy. Check the appropriate Operation Completed notification you received as soon as the restore operation finished. The notification is shown in the Notifications section of the Administration Zimlet and emailed to the Notification E-Mail recipient address you specified in the Core section of the Administration Zimlet.

The skipped items section contains a per-account list of unrestored items:

  [...]
  - stats -
  Restored Items: 15233
  Skipped Items:  125
  Unrestored Items: 10

  - unrestored items -
  account: account1@domain.com
  unrestored items: 1255,1369

  account: account2@domain.com
  unrestored items: 49965

  account: account14@domain.com
  unrestored items: 856,13339,45200, 45655
  [...]
Skipped Items vs. Unrestored Items
  • Skipped item: An item previously restored, either during the current restore or in a previous one.

  • Unrestored item: An item not restored due to an issue in the restore process.

Why have some of my items not been restored?

There are different possible causes, the most common of which are:

  • Read Error: Either the raw item or the metadata file is not readable due to an I/O exception or a permission issue.

  • Broken item: Both the raw item and the metadata file are readable by Backup NG, but their content is broken/corrupted.

  • Invalid item: Both the raw item and the metadata file are readable, and the content is correct, but Zimbra refuses to inject the item.

How Can I Identify Unrestored Items?

There are two ways to do so: via the CLI to search for the item within the backup/import path or via the Zimbra Classic Web App to view the items in the source server.

Identifying Unrestorable Items through the CLI

The getItem CLI command can display an item and the related metadata, extracting all information from a backup path/external backup.

The syntax of the command is:

   zxsuite backup getItem {account} {item} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES            DEFAULT
account(M)        Account Name/ID
item(M)           Integer
backup_path(O)    Path                                          /opt/zimbra/backup/ng/
dump_blob(O)      Boolean            true|false                 false
date(O)           Date               dd/mm/yyyy hh:mm:ss|all    last

(M) == mandatory parameter, (O) == optional parameter

To extract the raw data and metadata information of the item whose itemID is 49965 belonging to account2@domain.com, also including the full dump of the item’s BLOB, the command would be:

zxsuite backup getItem account2@domain.com 49965 dump_blob true

Identifying Unrestorable Items through the Zimbra WebClient

The comma-separated list of unrestored items displayed in the Operation Complete notification can serve as a search argument in the Zimbra Classic Web App to perform an item search.

To do so:

  • Log into the Zimbra Administration Console in the source server.

  • Use the View Mail feature to access the account containing the unrestored items.

  • In the search box, enter item: followed by the comma-separated list of itemIDs.

e.g.
item: 856,13339,45200,45655

Remember that any search executes only within its tab, so if you are running the search from the Email tab and get no results try to run the same search in the Address Book, Calendar, Tasks and Briefcase tabs.

How Can I Restore Unrestored Items?

An item not being restored is a clear sign of an issue, either with the item itself or with your current Zimbra setup. In some cases, there are good chances of being able to restore an item through subsequent attempts.

The following paragraphs contain a collection of tips and tricks that can be helpful when dealing with different kinds of unrestorable items.

Items Not Restored because of a Read Error

Carefully distinguish the read errors that can cause items not to restore:

  • hard errors: Hardware failures and all other destructive errors that cause an unrecoverable data loss.

  • soft errors: non-destructive errors such as wrong permissions, filesystem errors, RAID issues (e.g., broken RAID1 mirroring).

While there is nothing much to do about hard errors, you can prevent or mitigate soft errors by following these guidelines:

  • Run a filesystem check.

  • If using a RAID disk setup, check the array for possible issues (depending on RAID level).

  • Make sure that the 'zimbra' user has r/w access to the backup/import path, all its subfolders, and all thereby contained files.

  • Carefully check the link quality of network-shared filesystems. If link quality is poor, consider transferring the data with rsync.

  • If using SSHfs to remotely mount the backup/import path, make sure to run the mount command as root using the -o allow_other option.

Items Not Restored because Identified as Broken Items

Unfortunately, this is the worst category of unrestored items in terms of salvageability.

Based on the degree of corruption of the item, it might be possible to recover either a previous state or the raw object (this is only valid for emails). To identify the degree of corruption, use the getItem CLI command:

   zxsuite backup getItem {account} {item} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES            DEFAULT
account(M)        Account Name/ID
item(M)           Integer
backup_path(O)    Path                                          /opt/zimbra/backup/ng/
dump_blob(O)      Boolean            true|false                 false
date(O)           Date               dd/mm/yyyy hh:mm:ss|all    last

(M) == mandatory parameter, (O) == optional parameter

Searching for the broken item, setting the backup_path parameter to the import path, and the date parameter to all, displays all valid states for the item.

zimbra@test:~$ zxsuite backup getItem admin@example.com 24700 backup_path /mnt/import/ date all
       itemStates                              
               start_date                                                  12/07/2021 16:35:44
               type                                                        message
               deleted                                                     true
               blob path /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=
               start_date                                                  12/07/2021 17:04:33
               type                                                        message
               deleted                                                     true
               blob path /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=
               start_date                                                  15/07/2021 10:03:26
               type                                                        message
               deleted                                                     true
               blob path /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=

If the item is an email, you are able to recover a standard .eml file through the following steps:

  • Identify the latest valid state

/mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=
              start_date                                                  15/07/2021 10:03:26
              type                                                        message
              deleted                                                     true
              blob path /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=
  • Identify the blob path

blob path /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ=

  • Use gzip to uncompress the BLOB file into an .eml file

zimbra@test:~$ gunzip -c /mnt/import/items/c0/c0,gUlvzQfE21z6YRXJnNkKL85PrRHw0KMQUqo,pMmQ= > /tmp/restored.eml

zimbra@test:~$ cat /tmp/restored.eml

Return-Path: zimbra@test.example.com

Received: from test.example.com (LHLO test.example.com) (192.168.1.123)
by test.example.com with LMTP; Fri, 12 Jul 2021 16:35:43 +0200 (CEST)

Received: by test.example.com (Postfix, from userid 1001) id 4F34A120CC4; 
Fri, 12 Jul 2021 16:35:43 +0200 (CEST)
To: admin@example.com
From: admin@example.com
Subject: Service mailboxd started on test.example.com
Message-Id: <20210712143543.4F34A120CC4@test.example.com>
Date: Fri, 12 Jul 2021 16:35:43 +0200 (CEST)

Jul 12 16:35:42 test zmconfigd[14198]: Service status change: test.example.com mailboxd changed from stopped to running
  • Done! You can now import the .eml file into the appropriate mailbox using your favorite client.

Items Not Restored because Identified as Invalid Items

An item is identified as Invalid when, albeit being formally correct, it is discarded by Zimbra’s LMTP Validator upon injection. This behavior is common when importing items created on an older version of Zimbra to a newer one; Validation rules update very often, so some messages considered valid by a certain Zimbra version may not be considered valid by a newer version.

If you experience a lot of unrestored items during an import, momentarily disable the LMTP validator and repeat the import:

  • To disable Zimbra’s LMTP Validator, run the following command as the Zimbra user:

zmlocalconfig -e zimbra_lmtp_validate_messages=false

  • Once the import completes, you can enable the LMTP validator running

zmlocalconfig -e zimbra_lmtp_validate_messages=true

This is a dirty workaround, as items deemed invalid by the LMTP validator might cause display or mobile synchronization errors. Use it at your own risk.

doCoherencyCheck

What is the Coherency Check?

The Coherency Check performs a deeper check of a Backup Path than the one done by the SmartScan.

While the SmartScan works incrementally by only checking items that changed since the last SmartScan, the Coherency Check performs a thorough check of all metadata and BLOBs in the backup path.

The objective is to detect corrupted metadata and BLOBs.

How Does it Work?

The Coherency Check verifies the integrity of all metadata in the backup path and the related BLOBs. Should any errors be found, try running the check with the fixBackup option to move any orphaned or corrupted metadata/BLOB to a dedicated directory within the backup path.

When Should a Coherency Check be Executed?

  • At interval periods to make sure that everything is ok (e.g. every 3 or 6 months).

  • After a system crash.

  • After the filesystem or storage device containing the backup path experiences any issue.

Should the SmartScan detect a possible item corruption, a Coherency Check starts automatically.

The Coherency Check is highly I/O consuming, so make sure to run it only during off-peak periods

Running a Coherency Check

Starting the Check via the Administration Zimlet

The Coherency Check is not available via the Administration Zimlet.

Starting the Check via the CLI

To start a Coherency Check via the CLI, use the doCoherencyCheck command:

Syntax:
   zxsuite backup doCoherencyCheck {backup_path} [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                TYPE                    EXPECTED VALUES    DEFAULT
backup_path(M)      Path
accounts(O)         Account Name/ID[,..]                       all
checkZimbra(O)      Boolean                 true|false         false
fixBackup(O)        Boolean                 true|false         false
notifications(O)    Email Address[,..]

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup docoherencycheck /opt/zimbra/backup/ng/ accounts jack@exmaple.com,john@exmaple.com
Performs a coherency check on /opt/zimbra/backup/ng/ for Jack's and John's accounts
zxsuite backup docoherencycheck /opt/zimbra/backup/ng/ fixBackup true
Performs a coherency check on /opt/zimbra/backup/ng/ and moves corrupted backup files and blob files not referenced by any metadata out of backup
Checking the Status of a Running Check

To check the status of a running scan via the CLI, use the monitor command:

Syntax:
   zxsuite backup monitor {operation_uuid} [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME                 TYPE
operation_uuid(M)    Uiid
operation_host(O)    String

(M) == mandatory parameter, (O) == optional parameter

Taking Additional and Offsite Backups of Backup NG’s Datastore

Who Watches the Watchmen?

Having backup systems is a great safety measure against data loss. Still, each backup system must be part of a broader backup strategy to ensure the highest possible level of reliability. The lack of a proper backup strategy gives a false sense of security while turning even the best backup systems in the world into yet another breaking point.

Devising a backup strategy is no easy matter, and at some point, you will most likely face the following question: What if I lose the data I backed up?. The chances of this happening ultimately only depend on how you make and manage your backups. You are more likely lose all of your backed up data if you store both your data and your backups in a single SATAII disk than if you store your backed up data on a dedicated SAN using a RAID 1+0 setup.

Here are some suggestions and best practices to improve your backup strategy by making a backup of the Backup NG’s datastore and storing it offsite.

Making an Additional Backup of Backup NG’s Datastore

  • Atomicity: Any transaction is committed and written to the disk only when completed.

  • Consistency: Any committed transaction is valid, and no invalid transaction is committed and written to the disk.

  • Isolation: All transactions execute sequentially so that no more than 1 transaction can affect the same item at once.

  • Durability: A committed transaction remains so even in case of a crash (e.g., power loss or hardware failure).

Due to this, it’s very easy to make a backup. The best (and easiest) way to do so is by using rsync. Specific options and parameters depend on many factors, such as the amount of data to sync and the storage in use, while connecting to an rsync daemon instead of using a remote shell as a mode of transport is usually much faster in transferring the data.

You can leave both Zimbra and the Real-Time Scanner running, yet make an additional backup of Backup NG’s datastore using rsync, and you are always able to stop the sync at any time and reprise it afterward if needed.

Storing Your Backup NG’s Datastore Backup Offsite

As seen in the previous section, making a backup of Backup NG’s Datastore is very easy, and the use of rsync makes it just as easy to store your backup in a remote location.

We recommend the following best practices to optimize your backup strategy when dealing with this kind of setup:

  • If you schedule your rsync backups, make sure that you leave enough time between an rsync instance and the next one for the transfer to complete.

  • Use the --delete options, so that deleted files in the source server are deleted in the destination server to avoid inconsistencies.

    • If you notice that using the --delete option takes too much time, schedule two different rsync instances: one with --delete to run after the weekly purge and one without this option.

  • Make sure you transfer the whole folder tree recursively starting from Backup NG’s Backup Path, and include server config backups and mapfiles.

  • Make sure the destination filesystem is case sensitive (just as Backup NG’s Backup Path must be).

  • If you plan to restore directly from the remote location, make sure that the zimbra user on your server has read and write permissions on the transferred data.

  • Expect to experience slowness if your transfer speed is much higher than your storage throughput (or vice versa).

Additional/Offsite Backup F.A.Q.

Q: Why shouldn’t I use the Export Backup feature of Backup NG instead of rsync?

For many reasons:

  • The Export Backup feature is designed to perform migrations. It exports a snapshot that is an end in itself with no capacity for incremental management. Each Export Backup run time remains more-or-less constant while using rsync is much more time-efficient.

  • Being a Backup NG operation, any other operation started while the Export Backup is running is queued until the Export Backup completes.

  • An Export Backup operation has a higher impact on system resources than an rsync.

  • Should you need to stop an Export Backup operation, you won’t be able to reprise it, and you’ll need to start from scratch.

Q: Can I use this for Disaster Recovery?

Yes. If your Backup Path is still available, it’s better to use that, as it restores all items and settings to the last valid state. However, should your Backup Path be lost, you’ll be able to use your additional/offsite backup.

Q: Can I use this to restore data back to the server that produced the backup copy?

Yes, but not through the External Restore operation, since item and folder IDs are the same.

The most appropriate steps to restore data from a copy of the backup path to the very same server are as follows:

  • Stop the RealTime Scanner.

  • Change the Backup Path to the copy you wish to restore your data from.

  • Run either Restore on New Account or a Restore Deleted Account.

  • Once the restore is over, change the backup path to the original one.

  • Start the RealTime Scanner. A SmartScan triggers to update the backup data.

Q: Can I use this to create an Active/Standby infrastructure?

No, because the External Restore operation does not perform any deletions. By running several External Restores, you’ll end up filling up your mailboxes with unwanted content, since items deleted from the original mailbox persist on the standby server.

The External Restore operation’s design ensures that accounts are available for use as soon as the operation starts, so your users are able to send and receive emails even if the restore is running.

Q: Are there any other ways to do an Additional/Offsite backup of my system?

There are for sure, and some of them might even be better than the one described here. These are just guidelines that apply to the majority of cases.

Multistore Information

Backup NG in a Multistore Environment

Command Execution in a Multistore Environment

The new Network Administration Zimlet makes the management of multiple servers very easy. You can select a server from the Backup NG tab and perform all backup operations on that server, even when logged into the Zimbra Administration Console of another server.

Specific differences between SingleStore and MultiStore environments are:

  • In a Multistore environment, Restore on New Account operations ALWAYS create the new account in the Source account’s mailbox server.

  • All operations are logged on the target server, not in the server that launched the operation.

  • If a target server for an operation is inappropriate, Zimbra automatically proxies the operation request to the correct server.

Backup and Restore

Backup and Restore in a Multistore environment works exactly like in a SingleStore environment.

The different servers are configured and managed separately via the Administration Zimlet, but certain operations like Live Full Scan and Stop All Operations can be 'broadcast' to all the mailstores via the zxsuite_ CLI using the --hostname all_servers option. Backup NG settings support this, too. (See the CLI wiki page for more details.)

Backup and Restore operations behave as follows:

  • Smartscans can be executed on single servers via the Administration Zimlet or on multiple servers via the CLI.

  • Restores can start from the Accounts tab in the Zimbra Admin Console, from each server tab in the Backup NG menu of the Administration Zimlet and via the CLI. The differences between these methods are:

Operation started from: Options

Accounts tab

The selected account’s restore is automatically started in the proper server.

Server tab

Any accounts eligible for a restore on the selected server can serve as the restore 'source'.

CLI

Any account on any server can restored, but there is no automatic server selection.

Export and Import

Export and Import functions are those that differ the most when performed on a Multistore environment.

Here are the basic scenarios.

Export from a Singlestore and Import to a Multistore

Importing multiple accounts of a single domain to a different store breaks the consistency of ALL items shared from/to a mailbox on a different server.

A command in the CLI is available to fix the shares for accounts imported on different servers.

Export from a Multistore and Import to a Single or Multistore

Two different scenarios apply here:

  • Mirror import: Same number of source and destination mailstores. Each source mailstore import occurs on a different server. This import breaks the consistency of ALL items shared from/to a mailbox on a different server. The doCheckShares and doFixShares CLI commands are available to check and fix share consistency (see below).

  • Composite import: Same or different number of source and destination servers. Domains or accounts get manually imported into different servers. This import breaks the consistency of ALL items shared from/to a mailbox on a different server. The doCheckShares and doFixShares CLI commands are available to check and fix share consistency (see below)

The doCheckShares and doFixShares Commands

The doCheckShares command parses all share information in local accounts and report any error:

zimbra@test:~$ zxsuite help backup doCheckShares

Syntax:
   zxsuite backup doCheckShares


Usage example:

zxsuite backup doCheckShares
Check all shares on local accounts

The doFixShares fixes all share inconsistencies using a migration.

zimbra@test:~$ zxsuite help backup doFixShares

Syntax:
   zxsuite backup doFixShares {import_idmap_file}


PARAMETER LIST

NAME                    TYPE
import_idmap_file(M)    String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doFixShares idmap_file
Fixes the shares' consistency after an import according to the
mapping contained in the /opt/zimbra/backup/ng/idmap_file

Operation Queue and Queue Management

Backup NG’s Operation Queue

Every time a Backup NG operation starts, either manually or through scheduling, it queues in a dedicated, unprioritized FIFO queue. Each operation executes as soon as any preceding operation is dequeued (either because it completes or terminates).

The queue system affects the following operations:

  • External backup

  • All restore operations

  • Smartscan

Changes to Backup NG’s configuration are not enqueued and are applied immediately.

Operation Queue Management

Through the Administration Console
Viewing the Queue

To view the operation queue, access the Notifications tab in the Administration Zimlet and click the Operation Queue button.

The Administration Zimlet displays operations queued both by Backup NG and HSM NG in a single view. No dependency should be inferred by that view, as the two queues are completely separate, in that one Backup NG operation and one HSM NG operation can run at the same time.
Emptying the Queue

To stop the current operation and empty Backup NG’s operation queue, enter the Backup NG tab in the Administration Zimlet and click the Stop all Operations button.

Through the CLI
Viewing the Queue

To view Backup NG’s operation queue, use the getAllOperations command:

zimbra@server:~$ zxsuite help backup getAllOperations

Syntax:
   zxsuite backup getAllOperations [attr1 value1 [attr2 value2...


PARAMETER LIST

NAME          TYPE       EXPECTED VALUES    DEFAULT
verbose(O)    Boolean    true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup getAllOperations
Shows all running and queued operations
Emptying the Queue

To stop the current operation and empty Backup NG’s operation queue, use the doStopAllOperations command:

zimbra@mail:~$ zxsuite help backup doStopAllOperations

Syntax:
   zxsuite backup doStopAllOperations


Usage example:

zxsuite backup doStopAllOperations
Stops all running operations
Removing a Single Operation from the Queue

To stop the current operation or to remove a specific operation from the queue, use the doStopOperation command:

zimbra@mail:~$ zxsuite help backup doStopOperation

Syntax:
   zxsuite backup doStopOperation {operation_uuid}


PARAMETER LIST

NAME                 TYPE
operation_uuid(M)    Uiid

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite backup doStopOperation 30ed9eb9-eb28-4ca6-b65e-9940654b8601
Stops operation with id = 30ed9eb9-eb28-4ca6-b65e-9940654b8601

COS-level Backup Management

What is COS-level Backup Management?

COS-level Backup Management allows the administrator to disable ALL Backup NG functions for a whole Class of Service to lower storage usage.

How Does COS-level Backup Management Work?

What happens if I disable the Backup NG Module for a Class of Service?
  • The Real-Time Scanner ignores all accounts in the COS.

  • The Export Backup function DOES NOT EXPORT accounts in the COS.

  • The backup system treats accounts in the COS as Deleted. After the data retention period expires, all data for such accounts gets purged from the backup store. Re-enabling the backup for a Class of Service resets this.

How is the backup enabled/backup disabled information saved?

Disabling the backup for a Class of Service adds the following marker to the Class of Service’s Notes field: ${ZxBackup_Disabled}

While the Notes field remains fully editable and usable, changing or deleting this marker re-enables the backup for the COS.

Incremental Migration with Backup NG

Description

  • This guide describes how to perform an Incremental Migration using Backup NG.

  • Incremental Migration is specifically designed for the migration of a production environment, minimizing the downtime and aiming to be transparent for the users.

  • If correctly planned and executed, your mail system won’t suffer any downtime, and the impact on the users is close to zero.

All the CLI commands in this guide must be executed as the zimbra user unless otherwise specified.

What Gets Migrated?

  • Emails and email folders

  • Contacts and address books

  • Appointments and calendars

  • Tasks and task lists

  • Files and briefcases

  • Share information

  • User preferences

  • User settings

  • Class of Service settings

  • Domain settings

What Will NOT be Migrated?

  • Server settings (migrated for reference but not restored)

  • Global settings (migrated for reference but not restored)

  • Customizations (e.g., Postfix, Jetty.)

  • Items moved or deleted during the process are not moved or deleted on the destination server.

  • Preferences (e.g., passwords) changed during the process are reset upon each import

Avoid using incremental migration to set up a server-to-server mirroring. Using multiple imports to create a mirrored copy of the source server won’t create a mirrored copy at all, since the import process performs no deletions.

Pre-Migration Checks

Servers
  • Source Server: Any Zimbra server can be the source of your migration, provided that it’s running Backup NG or Zimbra Suite Plus.

  • Destination Server: Any Zimbra server can be the destination of your migration, provided that it’s running Backup NG.

Storage
  • On the Source server: Before enabling Backup NG on the source server, make sure you have an amount of free disk space comparable to the size of the /opt/zimbra/store/ folder. Compressing the exported data using the gzip algorithm and deduplicating all Zimbra items typically reduces the exported size to 70% of the original size.

  • On the Destination server: Make sure you free space greater than the size of the /opt/zimbra/store/ and of the export folders on the source server combined.

Data Transfer

While you can choose to transfer the data in any other way, rsync is our method of choice because it’s a good compromise between speed and convenience.

The main data transfer executes, while the source server is still active and functional. Since the transfer is via the network, carefully plan your transfer so that you’ll transfer all of your data before migrating.

Alternative Ways to Transfer Your Data

Anything from a remote mount to a physical drive move is ok as long as it suits your needs.

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.

— Andrew S. Tanenbaum(1996)
Computer Networks. New Jersey: Prentice-Hall. p. 83. ISBN 0-13-349945-6

DNS

Set the TTL value of your MX record to 300 on your real DNS to allow a fast switch between source and destination servers.

The Setup

Step 1: Coherency Checks

To avoid any possible data-related issues, run the following checks on the source server:

Repair any error found.

Running a reindex of all mailboxes is also suggested.

Step 2: Network NG Modules Setup

Disable the Real-Time Scanner on both servers:

zxsuite backup setProperty ZxBackup_RealTimeScanner false
We strongly recommend a dedicated device for data export for the best performance and least impact on the running system.

Mount any such device on the /opt/zimbra/backup/ path, and the ensure the zimbra user has r/w permissions for it.

Step 3: Data Export (SmartScan)

Run a SmartScan on the source server:

zxsuite backup doSmartScan

All your data is exported to the default backup path (/opt/zimbra/backup/ng/).

Pro-Tip: Single Domains Export

You can also choose to only migrate one or more domains instead of all of them. To do so, run the following command instead of the SmartScan:

zxsuite backup doExport /path/to/export/folder/ domains yourdomain.com,yourdomain2.com[..]

Mind that if you start with the SmartScan method, you’ll have to carry on the migration with this method. If you start with the Single Domains method, you’ll have to carry on the migration with this method. Do not mix the two methods.

Data Export (SmartScan) via the Administration Zimlet

You can also choose to export your data using the Administration Zimlet.

Step 4: Data Synchronization

If Backup NG is used or planned for use on the destination server, ensure the destination folder is not in Backup NG’s backup path there, to avoid unnecessary backup activity.

(You can skip this step if you choose to transfer your data by other means than rsync.)

Using rsync, copy the data contained in the /opt/zimbra/backup/ng/ onto a directory in the destination server (make sure the Zimbra user has r/w permissions on the folder). Use a terminal multiplexer like screen or tmux. This process might need considerable time depending on network speed and amount of data involved.

[run this command as Root]
rsync -avH /opt/zimbra/backup/ng/ root@desinationserver:/path/for/the/data/
Alternate Synchronization Method

While the suggested method is great for high-bandwidth situations, the first synchronization can involve large amounts of data. If the rsync method is too slow, you might consider a physical move of the device (or the proper disk file if running on a virtual environment).

After moving the disk, you can remotely mount it back to the source server (e.g., via SSHFS), as the additional synchronizations needed for the migration involves substantially less data. In this case, be sure to remount the device on the source server as /opt/zimbra/backup/ng/ with all due permissions.

Step 5: First Import

Import all previously exported data to the destination server.

zxsuite backup doExternalRestore /path/for/the/data/

Network NG imports your data onto the destination server.

Do not edit or delete the backup path after this step.
First Import via the Administration Zimlet

You can also choose to import your data using the Administration Zimlet. While importing via the Administration Zimlet, be sure to remove all system accounts (like GalSync, Ham, Spam, and Quarantine.) from the imported account list.

Step 5 (alternate): First Import for Large Migrations [ADVANCED Users Only]

If you are planning to migrate a very large infrastructure where an export/import lasts for hours or even days, there is an alternative way to handle the migration from this point forward.

Instead of importing all of your data to the destination server, you can run a Provisioning Only import that only creates Domains, classes of service, and accounts on the destination server, skipping all mailbox contents.

zxsuite backup doExternalRestore /path/for/the/data/ provisioning_only TRUE

After doing this, switch the mail flow to the new server. When the switch completes, start the real import.

zxsuite backup doExternalRestore /path/for/the/data/

Your users may now connect to the new server where new emails are delivered while restoring old emails.

This approach has pros and cons.

Pros

  • Since items are only imported once and never modified or deleted afterward, using this method results in fewer discrepancies than the standard incremental migration.

  • This is the option that has less impact on the source server (e.g. good if you are in a hurry to decommission it).

Cons

  • Items are restored to users' mailboxes while they work on it. Depending on the scheduling of the operation, this method has a higher impact on your users.

  • Since the import uses compute resources on a running system, you might notice some slowdowns.

The Situation so Far

Now the vast majority of the data has already been imported to the destination server. The source server is still active and functional, and you are ready to perform the actual migration.

The Migration

Step 6: Pre-Migration Checks

Before switching the mail flow, ALWAYS make sure that the new server is ready to become active (check things like your firewall, your DNS settings, and your security systems.)

Step 7: The Switch

At the end of this step, the destination server is active and functional.

  • Repeat step 3, step 4, and step 5 (only new data is exported and synchronized).

  • Switch the mail flow to the new server.

  • Once NO MORE EMAILS arrive at the source server, repeat step 3, step 4 and step 5.

The Destination server is now active and functional.

Step 8: Post-Migration Checks

Run the following command to check for inconsistencies with shares:

zxsuite backup doCheckShares

Should this command report any inconsistency, this command parses the import mapfile used as the first argument and fix any broken share:

zxsuite backup doFixShares

Mapfiles reside in the Backup Path of the destination server as map_[source_serverID].

Step 9: Galsync

Delete any imported GalSync accounts from the Zimbra Administration Console. Then, if needed, create new GalSync accounts on all the imported domains and resync all the GalSync accounts with the following command:

zmgsautil forceSync -a galsync.randomstring@domain.com -n [resourcename]

Step 10: Message Deduplication

Running a Volume Deduplication using the HSM NG module is highly suggested after a migration.

What Now?

  • Initialize Backup NG on the new server to make sure all of your data is safe.

Incremental Migration FAQ

Q: Do I need a valid license to perform an incremental migration?

Yes. It can be either a trial license or a purchased one.

Q: What gets migrated?

Everything except the server configuration is migrated, including:

  • User data

  • User preferences

  • Classes of Service configurations

  • Domain configurations

Q: Will I lose my shares? Will I need to re-configure all my shares?

Not at all!

Q: How should I transfer the exported data between my servers?

Again, anything that suits your needs is ok. You just need to be very sure about what your needs are.

Do you need to move the data very fast? Physically moving a USB disk between your servers might not be a good idea.

Do you need to move the data in a very reliable way? Mounting the export folder via SSHFS to the destination server might not be a good idea if your internet connection is sloppy.

Mobile NG

Enable Mobile NG Synchronization for a COS

By enabling Mobile NG for a all users in a Class of Service, you authorize all users in that COS to use all the mobile functions of Mobile NG.

How to Enable Mobile NG for all Users in a Class Of Service

From the Administration Console

To enable Mobile NG for all users in a COS from the Administration Console:

  • Open the Zimbra Administration Console.

  • Double-click the Class Of Service you want to edit (on the left, under Configuration → Class of Service).

  • Click the Mobile tab.

  • Check the Enable mobile synchronization button.

From the Zimbra CLI

To enable Mobile NG for all users in a COS from the CLI:

  • As the 'zimbra' user run: zmprov mc COSName zimbraFeatureMobileSyncEnabled TRUE

How to Disable Mobile NG for all Users in a Class Of Service

From the Administration Console

To disable Mobile NG for all users in a COS from the Administration Console:

  • Open the Zimbra Administration Console.

  • Double-click the Class Of Service you want to edit (on the left, under Configuration → Class of Service).

  • Click the Mobile tab and uncheck the Enable mobile synchronization button.

From the Zimbra CLI

To disable Mobile NG for all users in a COS from the CLI:

  • As the 'zimbra' user run: zmprov mc COSName zimbraFeatureMobileSyncEnabled FALSE

Note about Settings Hierarchy

COS-level settings are overridden by user-level settings.

Enable Mobile NG for a Single User

By enabling the Mobile NG Module for a single user you authorize a single user to use all the mobile functions of the Mobile NG Module.

How to Enable Mobile NG for a Single User

From the Zimbra Administration Console

To enable Mobile NG for a single user from the Administration Console:

  • Open the Zimbra Administration Console.

  • Double-click the user you want to edit (on the left, under Manage → Accounts).

  • Click the Mobile tab.

  • Check Enable mobile synchronization.

From the Zimbra CLI

To enable Mobile NG for a single user from the CLI:

  • As the 'zimbra' user run: zmprov ma user@domain.tld zimbraFeatureMobileSyncEnabled TRUE

How to Disable Mobile NG for a Single User

From the Zimbra Administration Console

To disable Mobile NG for a single user from the CLI:

  • Open the Zimbra Administration Console.

  • Double-click the user you want to edit (on the left, under Manage → Accounts).

  • Click the Mobile NG tab and uncheck Enable mobile synchronization.

From the Zimbra CLI

To disable Mobile NG for a single user from the CLI:

  • As the 'zimbra' user run: zmprov ma user@domain.tld zimbraFeatureMobileSyncEnabled FALSE

Note about Settings Hierarchy

User-level settings override COS-level settings.

The Mobile Password Feature

Mobile Passwords and You

The Mobile Password feature allows to set an additional password for an account to be used for Exchange ActiveSync authentications only.

The main benefits of using this feature are:

  • Enforce set-and-forget safe passwords, regardless of any other password policy, so that you won’t need to change the password saved on all mobile devices synchronized with an account should this account’s Zimbra password change.

  • Avoid the real password to be disclosed in case of unauthorized access to the device/client.

A Mobile Password will not be valid for Webmail/POP3/IMAP/SMTP logins, and the account password will not be valid for mobile logins.

Data Storage

Both Mobile Passwords and QR Code data is saved in a local HSQL database.

All passwords, tokens and sensitive information are stored in hashed form using the SHA256 algorithm using auto-generated keys and no credential or sensitive information is ever stored cleartext.

How to Set a Mobile Password for a Mailbox

versions up to 9.0.0 patch8

  • Open the Zimbra Administration Console.

  • Right-click the user for which you want to set a Mobile Password and select Edit.

  • In the Mobile tab within the user’s settings, check the Enable mobile password checkbox.

  • Enter the desired password in the Mobile password field and enter it again in the Confirm mobile password field. You can also choose to generate a random mobile password by clicking Generate random password.

  • Save.

Zimbra 9.0.0 patch9+ (Classic UI) Starting from Zimbra 9.0.0-P9, Mobile Passwords are now managed by the user via the new Auth Zimlet, which can be installed by running zxsuite auth doDeployAuthZimlet.

This new Mobile Password management system allows the user to set multiple independent Mobile Passwords for an account, to be used with different devices.

Once the Zimlet is deployed and enabled, the user can create a new Mobile Password following this steps:

  • Open the Zextras Auth Zimlet and click on "New Password";

  • Enter an easy to remember identifier for the password in the "Password Label" field and select "Text code" as the Password Type;

  • Click "Next";

  • The new Mobile Password will be displayed;

Mobile Passwords are randomly generated and cannot be displayed again after the creation is complete.
  • Click on "Done" to close the Zextras Auth window. An entry for the new Mobile Password is now visible in the "Active Passwords" list of the Zextras Auth Zimlet.

Admins can also create a Mobile Password from the CLI, use the zxsuite auth credential command with the following attributes:

  • password: enter the password you wish to set as the Mobile Password

  • label: enter the label for the Mobile Password

  • service: use eas to set a Mobile Password

E.g. To add the gn89hg95hvmn59..] Mobile Password to the john.doe@domain.com account, labeled as "Personal Phone", run:

zxsuite auth credential add john.doe@domain.com password "gn89hg95hvmn59..]" label "Personal Phone" service eas

The system will confirm the success of the operation and display all the password’s information:

Credential correctly added

        values
            generated                                               0
            created                                                 1603120995372
            label                                                   Personal Phone
            id                                                      Fr2jM
            services

                    service                                                         EAS
            hash                                                    +Crk6YcPL7IapCg6xfT6oXWP977uTeZdJTVQDQZd+Io=
            enabled                                                 true
            algorithm                                               SHA256
        text_data
            auth_method                                             password
            password                                                gn89hg95hvmn59..]
            user                                                    john.doe@domain.com

List existing Mobile Passwords

Any user can see the list of active Mobile Passwords in the Zextras Auth Zimlet. Each entry of the list displays the label of the password, its status, the service it is valid for and its creation date.

Specifically, all passwords valid for the "EAS" service are Mobile Passwords.

System Administrators, on the other hand, can view an extended list of all credentials, including Mobile Passwords,

Editing a Mobile Password

While a Mobile Password itself cannot be edited, the System Administrator can edit its label and properties using the zxsuite auth credential update command

Application Password (QR Code)

The Auth Zimlet can speed up and manage Application logins, such as those for the Drive and Team/Connect apps made by Zextras.

This is achieved through the creation of a QR Code in the Zimbra WebClient, which the user can then scan from the App’s login page to log in.

QR Codes are a one-time credential only, meaning that once generated it will grant access to the app until the relevant credential itself is deleted from the account. Once generated, the QR Code can only be viewed once.

QR Code Requirements

The QR Code Application Password feature requires the following properties to be set at domain level in order to be functional:

  • zimbraPublicServiceHostname

  • zimbraPublicServicePort

  • zimbraPublicServiceProtocol

Should one or more of the properties be unset, a notification will be delivered to the Admin reporting the affected domains and their missing properties.

Creating a new QR Code Credential

While, as all credentials, QR Codes can be created from both the Zextras Auth Zimlet and Zextras CLI, only the former allows the user to use the QR code itself so the latter will not be taken into consideration in this guide.

Creating a QR Code Credential from the Zextras Auth Zimlet

To create a new QR Code, open the Auth Zimlet and click on "New Password";:

  • Enter an easy to remember identifier for the password in the "Password Label" field and select "QR code" as the Password Type;

  • Click "Next";

  • The new QR Code will be displayed;

QR Codes are randomly generated and cannot be displayed again after the creation is complete.
  • Click on "Done" to close the Auth Zimlet. An entry for the new QR Code is now visible in the "Active Passwords" list of the Auth Zimlet.

Mobile Device Management a.k.a. Mobile Provisioning

What is Mobile Device Management?

Mobile Device Management (MDM - also known as provisioning) allows an administrator to define a set of rules and security settings that are applied Over The Air to one or more mobile devices, ranging from PIN policies to Allowed/Blocked app lists and including one time commands, such as the remote wipe of the entire device.

MDM effectively allows administrators to limit and restrict the use of corporate mobile devices to avoid risky or improper behaviors.

MDM is also a priceless aid for Bring Your Own Device corporate policies, allowing users to connect their personal mobile devices to the corporate servers, while minimizing the risk of security breaches.

Provisioning Features Available on Your Client

Not all provisioning features are available on all clients.

Network NG and MDM

Network NG features advanced MDM features through the Exchange ActiveSync protocol version 14+.

Mobile policies can be enabled at COS and mailbox levels, allowing both a quick 'one-for-many' setup and user-based customized management. In both cases, Mobile Management Options are available in the Mobile tab.

Provisioning Options

The following provisioning options are available:

  • Enable Mobile Device Management: Enable or disable the use of mobile policies for the current user/COS.

  • Allow non-provisionable devices: Allow the user to synchronize any device that does not support provisioning.

  • Allow partial policy enforcement on device: Allow the user to synchronize any device that does not support one or more applicable policies.

By default, MDM is disabled in NG MobileSync. To enable navigate to Network Modules NG → Mobile → Advanced Settings and check the “Enable Mobile Device Management” option
Enforceable Policies

Enforceable Policies are available right below the Mobile Devices list, grouped in the following categories:

  • Sync Settings: Set synchronization spans and limits.

  • Device Settings: Enable or disable device features such as camera, WiFi, removable storage or Bluetooth.

  • Device Security Settings: Force an unlock code and define the minimum requirements for the code itself.

  • Device Applications: Enable or disable standard device applications such as the Browser and POP/IMAP client or unsigned apps.

Two lists are also available for application whitelist/blacklist management:

  • Approved Applications: A customizable list of approved applications.

  • Blocked Applications: A customizable list of blocked applications that won’t be usable on the device.

Mobile Password

While conceptually similar, the mobile password feature is not part of Mobile Device Management and can be used with any version of the EAS protocol.

SyncStates

Mobile NG and the SyncState

The SyncState (short for Synchronization Status) is a set of information kept on the server about the synchronization with a mobile device. Each time a device establishes a connection with Mobile NG, the following steps take place:

  • 1. The device requests a folderSync operation to synchronize the local Folders with the ones on the server.

    One SyncKey per local folder is sent (or a single SyncKey set to '0' if this is the first connection between the device and the server)   

  • 2. The server replies with a list of available folders.

    One SyncKey per folder is sent by the server.

  • 3. Then, the device requests an itemSync operation to synchronize all due items.

    The server stores the items synchronized in the SyncState.

  • 4. After completing the itemSync operation, the device sends a 'ping' command to keep the connection alive.

    Step 4 is repeated as long as no changes happen to the synchronized account.

Every time a new item is stored on the mailbox or an old item is modified, the server notifies the availability to the device, which closes the active connection (the one kept alive by the ping command) and repeats steps 3 and 4.

The SyncState is the combination of the SyncKeys saved on step 2 and the itemIds saved on step 3. It’s saved by the server per the userId/deviceId unique pair.

Sync Request

The Sync Request is the actual synchronization process, started by either Mobile NG or by the client. During a sync request, any change in the mailbox that happened since the last request is synchronized to the device and vice versa.

A sync request is issued when:

  • The SyncState changes.

  • A sync is forced client-side.

  • The current ping expires and a new one is sent by the device (the keepalive duration is defined by the client).

Managing the SyncStates

Via the Administration Zimlet

Mobile NG provides two options in the Administration Zimlet to manage the SyncStates of synchronized mobile devices:

  • Reset Device: Resets the device’s SyncState for a single account, forcing a full re-synchronization the next time the device connects to the server.

  • Wipe Device: Removes all the device’s SyncState and history from the server. Useful when a mobile device is not used anymore or is assigned to a different employee in the same company.

Via the CLI

To manage the SyncStates of synchronized mobile devices via the CLI, use one of the following commands:

The doRemoveDevice command
Syntax:
   zxsuite mobile doRemoveDevice {account} {device_id}

PARAMETER LIST

NAME            TYPE
account(M)      Account Name
device_id(M)    String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doRemoveDevice john@example.com Appl79032X2WA4S
Removes John's Appl79032X2WA4S device SyncState
The doResetAccount command
Syntax:
   zxsuite mobile doResetAccount {account}

PARAMETER LIST

NAME          TYPE
account(M)    Account Name

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doResetAccount john@example.com
Resets all the device states for John's account
The doResetDevice command
Syntax:
   zxsuite mobile doResetDevice {account} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME            TYPE            DEFAULT
account(M)      Account Name
device_id(O)    String          all

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doResetDevice john@example.com Appl79032X2WA4S
Resets John's Appl79032X2WA4S device SyncState

Advanced Settings

Mobile NG Performance Tuning

Mobile NG provides three useful options to fine-tune Mobile NG according to system performance.

Performance Tuning Settings

Available Settings
  • Notifications Latency (ZxMobile_NotificationsLatency): The seconds of delay between an event on the server and its notification to the mobile device.

  • Use Instant Notifications (ZxMobile_UseInstantNotficiations): Enable/Disable instant notifications. Overrides Notifications Latency if true.

  • Max Ping Heartbeat (ZxMobile_MaxPingHeartbeat): Maximum interval between 'ping' commands.

All settings can be edited in the Administration Zimlet or via CLI using the setProperty command.

When to Edit the Performance Tuning Settings

Default settings should be optimal for most situations. If you experience one or more of the problems below, please apply the proper solution.

Problem Solution

High system load

Disable instant notifications

High system load after disabling instant notifications

Raise notification latency

Mobile users experience high network usage

Disable instant notifications and tweak notifications latency

Devices can connect but sessions are interrupted frequently

Adjust Max Ping Heartbeat according to your network configuration

Items are synchronized from server-to-device with an excessive delay

Lower notification latency or enable instant notifications

Shared Folders

Shared Folders and You (and Your Mobile)

With Network NG, it’s possible to synchronize folders that are not owned by the user itself to mobile devices. This applies to all item types available through the Exchange ActiveSync protocol, so you’ll be able to sync any shared email folder, address book, calendar or task list to mobile devices.

Specific features available on mobile devices might differ, based on the client in use.

Not all clients support the synchronization of multiple address books, calendars or task lists via Exchange ActiveSync.

How to Sync a Shared Folder to Your Mobile Devices

To allow a higher level of control over synchronization, users are allowed to choose which shared folders are to be synchronized with their mobile devices.

Enable Mobile Synchronization for a Folder

To enable mobile synchronization for a shared folder:

  • Log in to the Zimbra Classic Web App. You cannot view or change synchronization settings using the Modern Web App.

  • Right-click the shared folder you want to sync.

  • Select Folder Sync Settings in the drop-down menu.

  • Check the Enable synchronization for this folder checkbox.

  • Press OK.

The new folder will be synchronized to any mobile device connected to the account.

Restrictions

The following restrictions apply to shared folder synchronization:

  • It’s not possible to sync a mountpoint referring to a full account share.

  • It’s not possible to sync a subfolder of a shared folder, as doing so would return an incomplete folder tree.

  • It’s not possible to sync a read-only share, as the Exchange ActiveSync protocol does not envision the concept of a read-only resource. Synchronizing a read-only folder will cause severe inconsistencies between the client and the server, along with many errors.

EAS Filters

In the EAS protocol, the protocol version used for the synchronization is defined during the initial handshake and never changed. The server presents a list of all available protocol versions and the client chooses one among that list.

EAS filters are a way to limit the EAS version available to a subset of users or clients to ensure that the proper version is used.

Multiple EAS filters can be set up and will be evaluated in sequential order (see the getAllEASFilters and doMoveEASFilter commands below).

Anatomy of an EAS Filter

An EAS filter is composed of 5 parts:

  • Type: Defines the type of filter rule.

  • Parameter: The filtering identifier (e.g. device brand or email address).

  • Mode: Defines whether the software will limit the available versions or provide a fixed list.

  • easversions field: Contains the protocol versions enforced by the filter.

  • Blocking boolean value: Defines whether other filters are executed once the current one is successfully matched.

Managing EAS Filters

EAS filters are managed through the CLI using the following four dedicated commands.

zxsuite mobile getAllEASFilters

This command lists all existing filters.

Sample Output:

        filters

                ID                                                          0
                mode                                                        fixed
                rule                                                        [type = or; rules = [[type = contains; rule = outlook/] OR [type = contains; rule = microsoft.outlook]]
                easversions                                                 14.0
                blocking                                                    true

                ID                                                          1
                mode                                                        limit
                rule                                                        [type = contains; rule = samsung]
                easversions                                                 2.5
                blocking                                                    false

                ID                                                          2
                mode                                                        limit
                rule                                                        [type = always]
                easversions                                                 14.1
                blocking                                                    false
zxsuite mobile doAddEASFilter

This command adds a new EAS filter.

zxsuite mobile doAddEASFilter

Syntax:
   zxsuite mobile doAddEASFilter {and|or|regex|contains|account} {text|people@example.com|account=example@ff.com,contains=android} {add|subtract|fixed|limit} {easversions} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES
type(M)           Multiple choice    and|or|regex|contains|account
parameter(M)      String             text|people@example.com|account=example@ff.com,contains=android
mode(M)           Multiple choice    add|subtract|fixed|limit
easversions(M)    String[,..]
blocking(O)       Boolean            true|false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doAddEASFilter contains android fixed 2.5,12.0,14.1
Adds a protocol filter that will restrict the pool of available EAS versions to 2.5, 12.0 and 14.1 if the user agent name
contains the string 'android'.

zxsuite mobile doAddEASFilter and account=user@example.com,contains=android fixed 14.1 blocking true
Adds a protocol filter that will restrict the pool of available EAS versions to 14.1 if the user agent name
contains the string 'android' only for user@example.com. No more EAS filters will be evaluated after this one due to the 'blocking' directive.
zxsuite mobile doDeleteEASFilter

This command deletes an existing EAS Filter.

zxsuite mobile doDeleteEASFilter
command doDeleteEASFilter requires more parameters

Syntax:
   zxsuite mobile doDeleteEASFilter {id}

PARAMETER LIST

NAME     TYPE
id(M)    Integer

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doDeleteEASFilter 2
Removes the filter with id = 2.
To show a list of the filters, use the
	zxsuite mobile getAllEASFilters
command.
zxsuite mobile doMoveEASFilter

This command is used to move EAS filters to a different position in the filter queue.

zxsuite mobile doMoveEASFilter
command doMoveEASFilter requires more parameters

Syntax:
   zxsuite mobile doMoveEASFilter {from} {to}

PARAMETER LIST

NAME       TYPE
from(M)    Integer
to(M)      Integer

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doMoveEASFilter 0 5
Moves the filter with id = 0 to the position 5.
To show a list of the filters, use the
	zxsuite mobile getAllEASFilters
command.

Mobile Account Loggers

Mobile account loggers are dedicated loggers that can output the entirety of a user’s EAS logs into a dedicated logfile, with a different verbosity than the one of the sync.log. This allows for quicker troubleshooting.

When creating an account logger, the following parameters must be specified:

  • The target account.

  • The log_level (verbosity) of the log.

  • The dedicated log_file.

  • The window_size to enforce on all devices synchronizing with the account while the logger is running.

Account loggers are removed automatically when the mailboxd is stopped or restarted and do not usually survive a mailboxd crash. Log files won’t be affected.

Account Logger Management

Account loggers can only be managed via the CLI through the following commands:

zxsuite mobile doAddAccountLogger
zxsuite mobile doAddAccountLogger
command doAddAccountLogger requires more parameters

Syntax:
   zxsuite mobile doAddAccountLogger {account} {debug|info|warn|err|crit} {log_file} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME              TYPE               EXPECTED VALUES
account(M)        Account Name
log_level(M)      Multiple choice    debug|info|warn|err|crit
log_file(M)       Path
window_size(O)    Integer            a value > 0

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doaddaccountlogger john@example.com info /tmp/john_logger
Creates an info account logger for john's account to file /tmp/john_logger

zxsuite mobile doaddaccountlogger john@example.com info /tmp/john_logger window_size 1
Creates an info account logger for john's account to file /tmp/john_logger with window size set to 1.
zxsuite mobile doRemoveLogger
zxsuite mobile doRemoveLogger
command doRemoveLogger requires more parameters

Syntax:
   zxsuite mobile doRemoveLogger {logger_id|"all_loggers"}

PARAMETER LIST

NAME            TYPE               EXPECTED VALUES
logger_id(M)    Multiple choice    logger_id|"all_loggers"

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile doremovelogger 5
Removes the account logger with ID = 5
zxsuite mobile getAccountLoggers

Sample output:

zxsuite mobile getAccountLoggers

        loggers

                id                                                          7
                level                                                       DEBUG
                name                                                        AccountLogger
                description                                                 Logging account user@domain.com using level debug, log file /tmp/user.log
                remove command                                              zxsuite mobile doRemoveLogger 7

HSM NG

Hierarchical Storage Management

The Hierarchical Storage Management Technique

HSM is a data storage technique that moves data between different stores according to a defined policy.

The most common use of the HSM technique is the move of older data from a faster-but-expensive storage device to a slower-but-cheaper one based on the following premises:

  • Fast storage costs more.

  • Slow storage costs less.

  • Old data will be accessed much less frequently than new data.

The advantages of the HSM technique are clear: Lowering the overall storage cost since only a small part of your data needs to be on costly storage, and improving the overall user experience.

Stores, Volumes and Policies

Using HSM requires a clear understanding of some related terms:

  • Primary Store: The fast-but-expensive store where all your data is initially placed.

  • Secondary Store: The slow-but-cheap store where older data will be moved to.

Zimbra Stores

The Basics: Types of Stores and Their Uses

Zimbra allows for two different types of stores:

  • Index Store: A store that contains information about your data that is used by Apache Lucene to provide indexing and search functions.

  • Data Store: A store that contains all your Zimbra data organized in a MySql database.

You can have multiple stores of each type, but only one Index Store, one Primary Data Store and one Secondary Data Store can be set as Current (meaning that is currently used by Zimbra).

Primary and Secondary Data Stores

A data store in Zimbra can be either a Primary Data Store or a Secondary Data Store.

Data is moved between the current Primary Data Store and the current Secondary Data Store according to a defined policy.

HSM NG: Moving Items between Stores

The main feature of the HSM NG module is the ability to apply defined HSM policies.

The move can be triggered in three ways:

  • Click the Apply Policy button in the Administration Zimlet.

  • Start the doMoveBlobs operation through the CLI.

  • Enable Policy Application Scheduling in the Administration Zimlet and wait for it to start automatically.

Once the move is started, the following operations are performed:

  • HSM NG scans through the Primary Store to see which items comply with the defined policy.

  • All the Blobs of the items found in the first step are copied to the Secondary Store.

  • The database entries related to the copied items are updated to reflect the move.

  • If the second and the third steps are completed successfully (and only in this case), the old Blobs are deleted from the Primary Store.

The Move operation is stateful - each step is executed only if the previous step has been completed successfully - so the risk of data loss during a Move operation is nonexistent.

doMoveBlobs

The doMoveBlobs Operation of HSM NG

The doMoveBlobs is the heart of HSM NG.

It moves items between the Current Primary Store and the Current Secondary Store according to the proper HSM policy.

The move is performed by a transactional algorithm. Should an error occur during one of the steps of the operation, a rollback takes place and no change will be made to the data.

Once HSM NG identifies the items to be moved, the following steps are performed:

  • A copy of the Blob to the Current Secondary Store is created.

  • The Zimbra Database is updated to notify Zimbra of the item’s new position.

  • The original Blob is deleted from the Current Primary Store.

What is Moved?

Every item that complies with the specified HSM policy is moved.

Example:

The following policy

message,document:before:-20day
message:before:-10day has:attachment

will move all emails and documents older than 20 days along with all emails older than 10 days that contain an attachment.

Policy Order

All conditions for a policy are executed in the exact order they are specified. HSM NG will loop on all items in the Current Primary Store and apply each separate condition before starting the next one.

This means that the following policies

message,document:before:-20day
message:before:-10day has:attachment
message:before:-10day has:attachment
message,document:before:-20day

applied daily on a sample server that sends/receives a total of 1000 emails per day, 100 of which contain one or more attachments, will have the same final result. However, the execution time of the second policy will probably be slightly higher (or much higher, depending on the number and size of the emails on the server).

This is because in the first policy, the first condition (message,document:before:-20day) will loop on all items and move many of them to the Current Secondary Store, leaving fewer items for the second condition to loop on.

Likewise, having the message:before:-10day has:attachment as the first condition will leave more items for the second condition to loop on.

This is just an example and does not apply to all cases, but gives an idea of the need to carefully plan your HSM policy.

Executing the doMoveBlobs Operation (a.k.a. Applying the HSM Policy)

Applying a policy means running the doMoveBlobs operation in order to move items between the Primary and Secondary store according to the defined policy.

HSM NG gives you three different options:

  • Via the Administration Zimlet

  • Via the CLI

  • Through Scheduling

Apply the HSM Policy via the Administration Zimlet

To apply the HSM Policy via the Administration Zimlet:

  • Log into the Zimbra Administration Console.

  • Click the HSM NG entry in the Administration Zimlet.

  • Click the Apply Policy button.

Apply the HSM Policy via the CLI

To apply the HSM Policy via the CLI, run the following command as the zimbra user:

` zxsuite hsm doMoveBlobs`

Apply the HSM Policy through Scheduling

To schedule a daily execution of the doMoveBlobs operation:

  • Log into the Zimbra Administration Console.

  • Click the HSM NG entry in the Administration Zimlet.

  • Enable scheduling by selecting the Enable HSM Session scheduling: button.

  • Select the hour to run the operation under HSM Session scheduled for:.

doMoveBlobs Stats and Info

Information about disk space savings, operation performances and more are available by clicking the Stats button under the Secondary Volumes list in the HSM NG tab of the Administration Zimlet.

Volume Management

Both primary and secondary volumes can be created on either local storage or on supported third-party storage solutions.

Zimbra Volumes

A volume is a distinct entity (path) on a filesystem with all the associated properties that contain Zimbra Blobs.

Volume Properties

All Zimbra volumes are defined by the following properties:

  • Name: A unique identifier for the volume.

  • Path: The path where the data is going to be saved.

    The zimbra user must have r/w permissions on this path.
  • Compression: Enable or Disable the file compression for the volume.

  • Compression Threshold: The minimum file size that will trigger the compression. 'Files under this size will never be compressed even if the compression is enabled.'

  • Current: A Current volume is a volume where data will be written upon arrival (Primary Current) or HSM policy application (Secondary Current).

Volume Management with HSM NG - Administration Zimlet
Creating a New Volume with the Administration Zimlet

To create a new volume from the HSM NG tab of the Administration Zimlet:

  • Click the appropriate Add option in the Volumes Management section according to the type of volume you want to create.

  • Select the store type, choosing between local mount point or S3 Bucket.

  • Enter the new volume’s name.

  • Enter a path for the new volume.

  • Check the Enable Compression button if you wish to activate data compression on the new volume.

  • Select the Compression Threshold.

  • If you are using an S3 Bucket, it’s possible to store information for multiple buckets.

  • Press OK to create the new volume. Should the operation fail, a notification containing any related errors will be generated.

Editing a Volume with the Administration Zimlet

To edit a volume from the Administration Zimlet, simply select an existing volume and press the appropriate Edit button.

Deleting a Volume with the Administration Zimlet

To delete a volume from the Administration Zimlet, select an existing volume and press the appropriate Delete button. Remember that only empty volumes can be deleted.

Volume Management with HSM NG - From the CLI
Beginning with release 8.8.9, all volume creation and update commands have been updated, as the storeType argument is now required.

The storeType argument is mandatory, it is always the on the first position and accepts any one value corresponding to the S3-Compatible Services listed previously. The arguments that follow in the command now depend on the selected storeType.

FileBlob (Local)

Updated zxsuite syntax to create new FileBlob zimbra volume:

# Add volume, run as zimbra user
zxsuite hsm doCreateVolume FileBlob name secondary /path/to/store
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume FileBlob name current_volume true

zxsuite hsm doCreateVolume FileBlob

Syntax:
    zxsuite hsm doCreateVolume FileBlob {volume_name} {primary|secondary|index} {volume_path} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
volume_name(M)                  String
volume_type(M)                  Multiple choice     primary|secondary|index
volume_path(M)                  Path
volume_compressed(O)            Boolean             true|false                  false
compression_threshold_bytes(O)  Long                                            4096

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume FileBlob volumeName secondary /path/to/store volume_compressed true compression_threshold_bytes 4096

zxsuite hsm doUpdateVolume FileBlob

Syntax:
    zxsuite hsm doUpdateVolume FileBlob {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_type(O)                  String              primary|secondary|index
volume_name(O)                  String
volume_path(O)                  Path
current_volume(O)               Boolean             true|false                  false
volume_compressed(O)            String
compression_threshold(O)        String

(M) == mandatory parameter, (O) == optional parameter
S3 (Amazon and any S3-compatible solution not explicitly supported)
# Add volume, run as zimbra user
zxsuite hsm doCreateVolume S3 name secondary bucket_name bucket access_key accessKey secret secretString region EU_WEST_1
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume S3 name current_volume true

zxsuite hsm doCreateVolume S3

Syntax:
    zxsuite hsm doCreateVolume S3 {Name of the zimbra store} {primary|secondary} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES
volume_name(M)                  String              Name of the zimbra store
volume_type(M)                  Multiple choice     primary|secondary
bucket_name(O)                  String              Amazon AWS bucket
access_key(O)                   String              Service username
secret(O)                       String              Service password
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing S3 service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
region(O)                       String              Amazon AWS Region
url(O)                          String              S3 API compatible service url (ex: s3api.service.com)
prefix(O)                       String              Prefix added to blobs keys
use_infrequent_access(O)        Boolean             true|false
infrequent_access_threshold(O)  String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

S3 AWS Bucket:
    zxsuite hsm doCreateVolume S3 volumeName primary bucket_name bucket access_key accessKey secret secretKey prefix objectKeysPrefix region EU_WEST_1 user_infrequent_access TRUE infrequent_access_threshold 4096

S3 compatible object storage:
    zxsuite hsm doCreateVolume S3 volumeName primary bucket_name bucket access_key accessKey secret secretKey url http://host/service

Using existing bucket configuration:
    zxsuite hsm doCreateVolume S3 volumeName primary bucket_configuration_id 316813fb-d3ef-4775-b5c8-f7d236fc629c

zxsuite hsm doUpdateVolume S3

Syntax:
    zxsuite hsm doUpdateVolume S3 {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_name(O)                  String
volume_type(O)                  String              primary|secondary
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
use_infrequent_access(O)        Boolean             true|false
infrequent_access_threshold(O)  String
current_volume(O)               Boolean             true|false                  false

(M) == mandatory parameter, (O) == optional parameter
Scality (S3 compatible object storage)
# Add volume, run as zimbra user
zxsuite hsm doCreateVolume ScalityS3 name secondary bucket_name mybucket access_key accessKey1 secret verySecretKey1 url http://{IP_ADDRESS}:{PORT}
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume ScalityS3 name current_volume true

zxsuite hsm doCreateVolume ScalityS3

Syntax:
    zxsuite hsm doCreateVolume ScalityS3 {volume_name} {primary|secondary} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES
volume_name(M)                  String
volume_type(M)                  Multiple choice     primary|secondary
bucket_name(O)                  String              Bucket name
url(O)                          String              S3 API compatible service url (ex: s3api.service.com)
access_key(O)                   String              Service username
secret(O)                       String              Service password
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
prefix(O)                       String              Prefix added to blobs keys

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume ScalityS3 volumeName primary bucket_name bucket url http://host/service access_key accessKey secret secretKet
zxsuite hsm doCreateVolume ScalityS3 volumeName primary bucket_configuration_id uuid

zxsuite hsm doUpdateVolume ScalityS3

Syntax:
    zxsuite hsm doUpdateVolume ScalityS3 {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_name(O)                  String
volume_type(O)                  String              primary|secondary
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing S3 service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
current_volume(O)               Boolean             true|false                  false

(M) == mandatory parameter, (O) == optional parameter
EMC (S3 compatible object storage)
# Add volume, run as zimbra user
zxsuite hsm docreatevolume EMC name secondary bucket_name bucket access_key ACCESSKEY secret SECRET url https://url.of.storage
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume EMC name current_volume true

zxsuite hsm doCreateVolume EMC

Syntax:
    zxsuite hsm doCreateVolume EMC {volume_name} {primary|secondary} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES
volume_name(M)                  String
volume_type(M)                  Multiple choice     primary|secondary
bucket_name(O)                  String              Bucket name
url(O)                          String              S3 API compatible service url (ex: s3api.service.com)
access_key(O)                   String              Service username
secret(O)                       String              Service password
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
prefix(O)                       String              Prefix added to blobs keys

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume EMC volumeName primary bucket_name bucket url http://host/service access_key accessKey secret secretKet
zxsuite hsm doCreateVolume EMC volumeName primary bucket_configuration_id uuid

zxsuite hsm doUpdateVolume EMC

Syntax:
    zxsuite hsm doUpdateVolume EMC {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_name(O)                  String
volume_type(O)                  String              primary|secondary
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
current_volume(O)               Boolean             true|false                  false

(M) == mandatory parameter, (O) == optional parameter
OpenIO
# add volume, run as zimbra user
zxsuite hsm doCreateVolume OpenIO name secondary http://{IP_ADDRESS} ZeXtras OPENIO
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume OpenIO name current_volume true

zxsuite hsm doCreateVolume OpenIO

Syntax:
    zxsuite hsm doCreateVolume OpenIO {volume_name} {primary|secondary} {url} {account} {namespace} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES
volume_name(M)                  String
volume_type(M)                  Multiple choice     primary|secondary
url(M)                          String
account(M)                      String
namespace(M)                    String
proxy_port(O)                   Integer
account_port(O)                 Integer

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume OpenIO volumeName primary http://host/service

accountName namespaceString proxy_port 6006 account_port 6009

Syntax:
zxsuite hsm doUpdateVolume OpenIO {current_volume_name} [attr1 value1
[attr2 value2...]]
PARAMETER LIST
NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_name(O)                  String
volume_type(O)                  String              primary|secondary
url(O)                          String
account(O)                      String
namespace(O)                    String
proxy_port(O)                   Integer
account_port(O)                 Integer
current_volume(O)               Boolean             true|false                  false

(M) == mandatory parameter, (O) == optional parameter
Swift
# add volume, run as zimbra user
zxsuite hsm doCreateVolume Swift name secondary http://{IP_ADDRESS}:8080/auth/v1.0/ user:username password maxDeleteObjectsCount 100
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume Swift name current_volume true

zxsuite hsm doCreateVolume Swift

Syntax:
    zxsuite hsm doCreateVolume Swift {volume_name} {primary|secondary} {url} {username} {password} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                        TYPE        EXPECTED VALUES             DEFAULT
volume_name(O)              String
volume_type(O)              String      primary|secondary
url(O)                      String
username(O)                 String
password(O)                 String
maxDeleteObjectsCount(O)    Integer     Number of object in a single bulk delete request
                                                                    500

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume Swift volumeName primary http://host/service accountName password max_delete_objects_count 100

zxsuite hsm doUpdateVolume Swift

Syntax:
    zxsuite hsm doUpdateVolume Swift {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                        TYPE        EXPECTED VALUES             DEFAULT
current_volume_name(M)      String
volume_name(O)              String
volume_type(O)              String      primary|secondary
url(O)                      String
username(O)                 String
password(O)                 String
maxDeleteObjectsCount(O)    Integer     Number of object in a single bulk delete request
                                                                    500
current_volume(O)           Boolean     true|false                  false

(M) == mandatory parameter, (O) == optional parameter
Cloudian (S3 compatible object storage)
# add volume, run as zimbra user
zxsuite hsm doCreateVolume Cloudian name secondary bucket_name bucket access_key ACCESSKEY secret SECRET url https://url.of.storage
# Delete volume
zxsuite hsm doDeleteVolume name
# set current
zxsuite hsm doUpdateVolume Cloudian name current_volume true

zxsuite hsm doCreateVolume Cloudian

Syntax:
    zxsuite hsm doCreateVolume Cloudian {volume_name} {primary|secondary} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES
volume_name(M)                  String
volume_type(M)                  Multiple choice     primary|secondary
bucket_name(O)                  String              Bucket name
url(O)                          String              S3 API compatible service url (ex: s3api.service.com)
access_key(O)                   String              Service username
secret(O)                       String              Service password
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
prefix(O)                       String              Prefix added to blobs keys

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doCreateVolume Cloudian volumeName primary bucket_name bucket url http://host/service access_key accessKey secret secretKet
zxsuite hsm doCreateVolume Cloudian volumeName primary bucket_configuration_id uuid

zxsuite hsm doUpdateVolume Cloudian

Syntax:
    zxsuite hsm doUpdateVolume Cloudian {current_volume_name} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                            TYPE                EXPECTED VALUES             DEFAULT
current_volume_name(M)          String
volume_name(O)                  String
volume_type(O)                  String              primary|secondary
server_prefix(O)                String              Prefix to the server id used in all objects keys
bucket_configuration_id(O)      String              UUID for already existing service credentials
                                                    (zxsuite config global get attribute s3BucketConfigurations)
current_volume(O)               Boolean             true|false                  false

(M) == mandatory parameter, (O) == optional parameter
Volume Deletion

zxsuite hsm doDeleteVolume

Syntax:
    zxsuite hsm doDeleteVolume {volume_name}

PARAMETER LIST

NAME                            TYPE
volume_name(M)                  String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm dodeletevolume hsm
Deletes volume with name hsm
Move all data from a volume to another
Syntax:
    zxsuite hsm doVolumeToVolumeMove {source_volume_name} {destination_volume_name}

PARAMETER LIST

NAME                            TYPE
source_volume_name(M)           String
destination_volume_name(M)      String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doVolumeToVolumeMove sourceVolume destVolume
Moves the whole contents of sourceVolume to destVolume

Centralized Storage

The Centralized Storage feature allows to use an S3 bucket to host data coming from multiple servers at the same time sharing the same directory structure, as opposed to "independent" volumes which are self-contained and whose directory structure is strictly related to the server and volume itself.

This allows for better data management in large multistore environments and greatly improves mailbox move speed.

Enabling Centralized Storage

  1. Create the centralized volume on any one of your servers using the zxsuite hsm doCreateVolume command.

    1. All volume types except for FileBlob are compatible;

    2. Make sure to add the centralized TRUE flag to set the volume as a Centralized Storage;

    3. The full syntax for the command depends on the storage type;

  2. Once the Centralized Volume has been created, use the zxsuite doCreateVolume Centralized command on all other mailbox servers to copy the Centralized Volume’s configuration from the first server and add it to the volume list.

    1. The full syntax for the command is zxsuite hsm doCreateVolume Centralized {server_name} {volume_name}

Centralized Storage Structure

Storage Structure Data is stored in a Centralized Volume plainly, as the main directory of the volume contains a single empty directory for each server connected to the volume and a directory for each mailbox stored in it at the very same level.

In the following example, servers 3aa2d376-1c59-4b5a-94f6-101602fa69c6 and 595a4409-6aa1-413f-9f45-3ef0f1e560f5 are both connected to the same Centralized volume, where 3 mailboxes are stored. As you can see, the effective server where the mailboxes are hosted is irrelevant to the storage.

_
|- 3aa2d376-1c59-4b5a-94f6-101602fa69c6/
|- 595a4409-6aa1-413f-9f45-3ef0f1e560f5/
|- ff46e039-28e3-4343-9d66-92adc60e60c9/
\
 |-- 357-104.msg
 |-- 368-115.msg
 |-- 369-116.msg
 |-- 373-120.msg
 |-- 374-121.msg
 |-- 375-122.msg
 |-- 376-123.msg
 |-- 383-130.msg
|- 4c022592-f67d-439c-9ff9-e3d48a8c801b/
\
 |-- 315-63.msg
 |-- 339-87.msg
 |-- 857-607.msg
 |-- 858-608.msg
 |-- 859-609.msg
 |-- 861-611.msg
 |-- 862-612.msg
 |-- 863-613.msg
 |-- 864-614.msg
 |-- 865-615.msg
 |-- 866-616.msg
 |-- 867-617.msg
 |-- 868-618.msg
|- dafd5569-4114-4268-9201-14f4a895a3d5/
\
 |-- 357-104.msg
 |-- 368-115.msg
 |-- 369-116.msg
 |-- 373-120.msg
 |-- 374-121.msg
 |-- 375-122.msg
 |-- 376-123.msg
 |-- 383-130.msg
 |-- 384-131.msg

Policy Management

What is a Policy?

An HSM policy is a set of rules that define what items will be moved from the Primary Store to the Secondary Store when the doMoveBlobs operation of HSM NG is triggered, either manually or by scheduling.

A policy can consist of a single rule that is valid for all item types (Simple policy) or multiple rules valid for one or more item types (Composite policy). Also, an additional sub-rule can be defined using Zimbra’s search syntax.

Policy Examples

Here are some policy examples. To see how to create the policies in the HSM NG module, see below.

  • Move all items older than 30 days

  • Move emails older than 15 days and items of all other kinds older than 30 days

  • Move calendar items older than 15 days, briefcase items older than 20 days and all emails in the "Archive" folder

Defining a Policy

Policies can be defined both from the HSM NG tab of the Administration Zimlet and from the CLI. You can specify a Zimbra Search in both cases.

From the Administration Zimlet

To define a policy from the Administration Zimlet:

  • Log into the Zimbra Administration Console.

  • Click HSM NG on the Administration Zimlet.

  • Click the Add button in the Storage Management Policy section.

  • Select the Item Types from the Items to Move: list.

  • Enter the Item Age from the Move Items older than: box.

  • OPTIONAL: Add a Zimbra Search in the Additional Options box.

  • You can add multiple lines to narrow down your policy. Every line will be evaluated and executed after the line before has been applied.

From the CLI

Two policy management commands are available in the CLI:

  • setHsmPolicy

  • +setHsmPolicy

zxsuite hsm setHsmPolicy {policy}

This command resets the current policy and creates a new one as specified by the policy parameter.

The policy parameter must be specified in the following syntax

itemType1[,itemType2,itemtype3,etc]:query

zxsuite hsm +setHsmPolicy {policy}

This command adds the query specified by the policy parameter to the current HSM Policy.

The policy parameter must be specified in the following syntax

itemType1[,itemType2,itemtype3,etc]:query

Volumes on Amazon S3 Compatible Services

HSM NG and S3 buckets

Primary and Secondary volumes created with HSM NG can be hosted on S3 buckets, effectively moving the largest part of your data to secure and durable cloud storage.

S3-compatible Services

While any storage service compatible with the Amazon S3 API should work out of the box with HSM NG, listed here are the only officially supported platforms:

  • FileBlob (standard local volume)

  • Amazon S3

  • EMC

  • OpenIO

  • Swift

  • Scality S3

  • Cloudian

  • Custom S3 (any unsupported S3-compliant solution)

Primary Volumes and the "Incoming" directory

In order to create a remote Primary Store on a mailbox server a local "Incoming" directory must exist on that server. The default directory is /opt/zimbra/incoming, but you can check or modify the current value using these commands:

zxsuite config server get $(zmhostname) attribute incomingPath
zxsuite config server set $(zmhostname) attribute incomingPath value /path/to/dir
Local Cache

Storing a volume on third-party remote storage solutions requires a local directory to be used for item caching, which must be readable and writable by the zimbra user.

The local directory must be created manually and its path must be entered in the HSM NG section of the Administration Zimlet in the Zimbra Administration Console.

If the Local Cache directory is not set, you won’t be able to create any secondary volume on an S3-compatible device or service.

Failing to correctly configure the cache directory will cause items to be unretrievable, meaning that users will get a No such BLOB error when trying to access any item stored on an S3 volume.

Local Volumes

Local Volumes (i.e. FileBlob type) can be hosted on any mountpoint on the system regardless of the mountpoint’s destination and are defined by the following properties:

  • Name: A unique identifier for the volume.

  • Path: The path where the data is going to be saved. The zimbra user must have r/w permissions on this path.

  • Compression: Enable or Disable file compression for the volume.

  • Compression Threshold: the minimum file size that will trigger the compression.

    Files under this size will never be compressed even if compression is enabled.

Current Volumes

A Current Volume is a volume where data will be written upon arrival (Primary Current) or HSM Policy Application (Secondary Current). Volumes not set as Current won’t be written upon except by specific manual operations such as the Volume-to-Volume move.

Bucket Setup

HSM NG doesn’t need any dedicated setting or configuration on the S3 side, so setting up a bucket for your volumes is easy. Although creating a dedicated user bucket and access policy are not required, they are strongly suggested because they make it much easier to manage.

All you need to start storing your secondary volumes on S3 is:

  • An S3 bucket. You need to know the bucket’s name and region in order to use it.

  • A user’s Access Key and Secret.

  • A policy that grants the user full rights on your bucket.

Bucket Management

A centralized Bucket Management UI is available in the Zimbra Administration Console. This facilitates saving bucket information to be reused when creating a new volume on an S3-compatible storage instead of entering the information each time.

To access the Bucket Management UI:

  • Access the Zimbra Administration Console

  • Select the "Configure" entry on the left menu

  • Select the "Global Settings" entry

  • Select the S3 Buckets entry

Any bucket added to the system will be available when creating a new volume of the following type: Amazon S3, Cloudian, EMC, Scality S3, Custom S3.

Bucket paths and naming

Files are stored in a bucket according to a well-defined path, which can be customized at will in order to make your bucket’s contents easier to understand even on multi-server environments with multiple secondary volumes:

/Bucket Name/Destination Path/[Volume Prefix-]serverID/

  • The Bucket Name and Destination Path are not tied to the volume itself, and there can be as many volumes under the same destination path as you wish.

  • The Volume Prefix, on the other hand, is specific to each volume and it’s a quick way to differentiate and recognize different volumes within the bucket.

Creating Volumes with HSM NG

To create a new volume with HSM NG from the Zimbra Administration Console:

  • Enter the HSM Section of the NG Administration Zimlet in the Zimbra Administration Console

  • Click on Add under either the Primary Volumes or Secondary Volumes list

  • Select the Volume Type among the available storage choices

  • Enter the required volume information

    Each volume type will require different information to be set up, please refer to your storage provider’s online resources to obtain those details.

Editing Volumes with HSM NG

To edit a volume with HSM NG from the Zimbra Administration Console:

  • Enter the HSM Section of the NG Administration Zimlet in the Zimbra Administration Console

  • Select a volume

  • Click on Edit

  • When done, click Save

Deleting Volumes with HSM NG

To delete a volume with HSM NG from the Zimbra Administration Console:

  • Enter the HSM Section of the NG Administration Zimlet in the Zimbra Administration Console

  • Select a volume

  • Click on Delete

Only empty volumes can be deleted.

Amazon S3 Tips

Bucket

Storing your secondary Zimbra volumes on Amazon S3 doesn’t have any specific bucket requirements, but we suggest that you create a dedicated bucket and disable Static Website Hosting for easier management.

User

To obtain an Access Key and the related Secret, a Programmatic Access user is needed. We suggest that you create a dedicated user in Amazon’s IAM Service for easier management.

Rights Management

In Amazon’s IAM, you can set access policies for your users. It’s mandatory that the user of your Access Key and Secret has a set of appropriate rights both on the bucket itself and on its contents. For easier management, we recommend granting full rights as shown in the following example:

{
    `Version`: `[LATEST API VERSION]`,
    `Statement`: [
        {
            `Sid`: `[AUTOMATICALLY GENERATED]`,
            `Effect`: `Allow`,
            `Action`: [
                `s3:*`
            ],
            `Resource`: [
                `[BUCKET ARN]/*`,
                `[BUCKET ARN]`
            ]
        }
    ]
}
This is not a valid configuration policy. Don’t copy and paste it into your user’s settings as it won’t be validated.

If you only wish to grant minimal permissions, change the Action section to:

"Action": [
                `s3:PutObject`,
                `s3:GetObject`,
                `s3:DeleteObject`,
                `s3:AbortMultipartUpload`
              ],

The bucket’s ARN is expressed according to Amazon’s standard naming format: arn:partition:service:region:account-id:resource. For more information about this topic, please see Amazon’s documentation.

Bucket Paths and Naming

Files are stored in a bucket according to a well-defined path, which can be customized at will to make your bucket’s contents easier to understand (even on multi-server environments with multiple secondary volumes):

/Bucket Name/Destination Path/serverID/

The Bucket Name and Destination Path are not tied to the volume itself, and there can be as many volumes under the same destination path as you wish.

The Volume Prefix, on the other hand, is specific to each volume and it’s a quick way to differentiate and recognize different volumes within the bucket.

Infrequent Access Storage Class

HSM NG is compatible with the Amazon S3 Standard - Infrequent access storage class and will set any file larger than the Infrequent Access Threshold value to this storage class as long as the option has been enabled on the volume.

For more information about Infrequent Access, please refer to the official Amazon S3 Documentation.

Intelligent Tiering Storage Class

HSM NG is compatible with the Amazon S3 - Intelligent Tiering storage class and will set the appropriate Intelligent Tiering flag on all files, as long as the option has been enabled on the volume.

For more information about Intelligent Tiering, please refer to the official Amazon S3 Documentation.

Item Deduplication

What is Item Deduplication

Item deduplication is a technique that allows you to save disk space by storing a single copy of an item and referencing it multiple times instead of storing multiple copies of the same item and referencing each copy only once.

This might seem like a minor improvement. However, in practical use, it makes a significant difference.

Item Deduplication in Zimbra

Item deduplication is performed by Zimbra at the moment of storing a new item in the Current Primary Volume.

When a new item is being created, its message ID is compared to a list of cached items. If there is a match, a hard link to the cached message’s BLOB is created instead of a whole new BLOB for the message.

The dedupe cache is managed in Zimbra through the following config attributes:

zimbraPrefDedupeMessagesSentToSelf

Used to set the deduplication behavior for sent-to-self messages.

<attr id="144" name="zimbraPrefDedupeMessagesSentToSelf" type="enum" value="dedupeNone,secondCopyifOnToOrCC,dedupeAll" cardinality="single"
optionalIn="account,cos" flags="accountInherited,domainAdminModifiable">
  <defaultCOSValue>dedupeNone</defaultCOSValue>
  <desc>dedupeNone|secondCopyIfOnToOrCC|moveSentMessageToInbox|dedupeAll</desc>
</attr>

zimbraMessageIdDedupeCacheSize

Number of cached Message IDs.

<attr id="334" name="zimbraMessageIdDedupeCacheSize" type="integer" cardinality="single" optionalIn="globalConfig" min="0">
  <globalConfigValue>3000</globalConfigValue>
  <desc>
    Number of Message-Id header values to keep in the LMTP dedupe cache.
    Subsequent attempts to deliver a message with a matching Message-Id
    to the same mailbox will be ignored.  A value of 0 disables deduping.
  </desc>
</attr>

zimbraPrefMessageIdDedupingEnabled

Manage deduplication at account or COS-level.

<attr id="1198" name="zimbraPrefMessageIdDedupingEnabled" type="boolean" cardinality="single" optionalIn="account,cos" flags="accountInherited"
 since="8.0.0">
  <defaultCOSValue>TRUE</defaultCOSValue>
  <desc>
    Account-level switch that enables message deduping.  See zimbraMessageIdDedupeCacheSize for more details.
  </desc>
</attr>

zimbraMessageIdDedupeCacheTimeout

Timeout for each entry in the dedupe cache.

<attr id="1340" name="zimbraMessageIdDedupeCacheTimeout" type="duration" cardinality="single" optionalIn="globalConfig" since="7.1.4">
  <globalConfigValue>0</globalConfigValue>
  <desc>
    Timeout for a Message-Id entry in the LMTP dedupe cache. A value of 0 indicates no timeout.
    zimbraMessageIdDedupeCacheSize limit is ignored when this is set to a non-zero value.
  </desc>
</attr>

(older Zimbra versions might use different attributes or lack some of them)

Item Deduplication and HSM NG

The HSM NG features a doDeduplicate operation that parses a target volume to find and deduplicate any duplicated item.

Doing so you will save even more disk space, as while Zimbra’s automatic deduplication is bound to a limited cache, HSM NG’s deduplication will also find and take care of multiple copies of the same email regardless of any cache or timing.

Running the doDeduplicate operation is also highly suggested after a migration or a large data import in order to optimize your storage usage.

Running a Volume Deduplication
Via the Administration Zimlet

To run a volume deduplication via the Administration Zimlet, simply click on the HSM NG tab, select the volume you wish to deduplicate and press the Deduplicate button.

Via the CLI

To run a volume deduplication through the CLI, use the doDeduplicate command:

zimbra@mailserver:~$ zxsuite hsm doDeduplicate

command doDeduplicate requires more parameters

Syntax:
   zxsuite hsm doDeduplicate {volume_name} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE           EXPECTED VALUES    DEFAULT
volume_name(M)    String[,..]
dry_run(O)        Boolean        true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm dodeduplicate secondvolume
Starts a deduplication on volume secondvolume

To list all available volumes, you can use the `zxsuite hsm getAllVolumes` command.

doDeduplicate Stats

The doDeduplicate operation is a valid target for the monitor command, meaning that you can watch the command’s statistics while it’s running through the zxsuite hsm monitor [operationID] command.

Sample Output

Current Pass (Digest Prefix):  63/64
 Checked Mailboxes:             148/148
 Deduplicated/duplicated Blobs: 64868/137089
 Already Deduplicated Blobs:    71178
 Skipped Blobs:                 0
 Invalid Digests:               0
 Total Space Saved:             21.88 GB
  • Current Pass (Digest Prefix): The doDeduplicate command will analyze the BLOBS in groups based on the first character of their digest (name).

  • Checked Mailboxes: The number of mailboxes analyzed for the current pass.

  • Deduplicated/duplicated Blobs: Number of BLOBS deduplicated by the current operation / Number of total duplicated items on the volume.

  • Already Deduplicated Blobs: Number of deduplicated blobs on the volume (duplicated blobs that have been deduplicated by a previous run).

  • Skipped Blobs: BLOBs that have not been analyzed, usually because of a read error or missing file.

  • Invalid Digests: BLOBs with a bad digest (name different from the actual digest of the file).

  • Total Space Saved: Amount of disk space freed by the doDeduplicate operation.

Looking at the sample output above we can see that:

  • The operation is running the second to last pass on the last mailbox.

  • 137089 duplicated BLOBs have been found, 71178 of which have already been deduplicated previously.

  • The current operation deduplicated 64868 BLOBs, for a total disk space saving of 21.88GB.

Advanced Volume Operations

HSM NG: More than Meets the Eye

At first sight, HSM NG seems to be strictly dedicated to HSM. However, it also features some highly useful volume-related tools that are not directly related to HSM.

Due to the implicit risks in volume management, these tools are only available through the CLI.

Volume Operations at a Glance

The following volume operations are available:

doCheckBlobs: Perform BLOB coherency checks on one or more volumes.

doDeduplicate: Start Item Deduplication on a volume.

doVolumeToVolumeMove: Move all items from one volume to another.

getVolumeStats: Display information about a volume’s size and number of thereby contained items/blobs.

Volume Operation Analysis

doCheckBlobs

Usage

zimbra@mail:~$ zxsuite hsm doCheckBlobs

command doCheckBlobs requires more parameters

Syntax:
   zxsuite hsm doCheckBlobs {start} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                           TYPE            EXPECTED VALUES    DEFAULT
action(M)                      String          start
volume_ids(O)                  Integer[,..]    1,3
mailbox_ids(O)                 Integer[,..]    2,9,27
missing_blobs_crosscheck(O)    Boolean         true|false         true
traced(O)                      Boolean         true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

Usage examples:
zxsuite hsm doCheckBlobs start: Perform a BLOB coherency check on all message volumes.

zxsuite hsm doCheckBlobs start volume_ids 1,3: Perform a BLOB coherency check on volumes 1 and 3.

zxsuite hsm doCheckBlobs start mailbox_ids 2,9,27: Perform a BLOB coherency check on mailboxes 2,9 and 27.

zxsuite hsm doCheckBlobs start missing_blobs_crosscheck false: Perform a BLOB coherency check without checking on other volumes.

zxsuite hsm doCheckBlobs start traced true: Perform a BLOB coherency check, logging even the correct checked items.

Description and Tips

The doCheckBlobs operation can be used to run BLOB coherency checks on volumes and mailboxes. This can be useful when experiencing issues related to broken or unviewable items, which are often caused because either Zimbra cannot find or access the BLOB file related to an item or there is an issue with the BLOB content itself.

Specifically, the following checks are made:

  • DB-to-BLOB coherency: For every Item entry in Zimbra’s DB, check whether the appropriate BLOB file exists.

  • BLOB-to-DB coherency: For every BLOB file in a volume/mailbox, check whether the appropriate DB data exists.

  • Filename coherency: Checks the coherency of each BLOB’s filename with its content (as BLOBs are named after their file’s SHA hash).

  • Size coherency: For every BLOB file in a volume/mailbox, checks whether the BLOB file’s size is coherent with the expected size (stored in the DB).

The old zmblobchk command is deprecated and replaced by zxsuite hsm doCheckBlobs on all infrastructures using HSM NG module.
doDeduplicate

Usage

zimbra@mail:~$ zxsuite hsm doDeduplicate

command doDeduplicate requires more parameters

Syntax:
   zxsuite hsm doDeduplicate {volume_name} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME              TYPE           EXPECTED VALUES    DEFAULT
volume_name(M)    String[,..]
dry_run(O)        Boolean        true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm dodeduplicate secondvolume
Starts a deduplication on volume secondvolume
doVolumeToVolumeMove

Usage

zimbra@mail:~$ zxsuite hsm doVolumeToVolumeMove

command doVolumeToVolumeMove requires more parameters

Syntax:
   zxsuite hsm doVolumeToVolumeMove {source_volume_name} {destination_volume_name}

PARAMETER LIST

NAME                          TYPE
source_volume_name(M)         String
destination_volume_name(M)    String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doVolumeToVolumeMove sourceVolume destVolume
Moves the whole sourceVolume to destVolume

Description and Tips

This command can prove highly useful in all situations where you need to stop using a volume, such as:

  • Decommissioning old hardware: If you want to get rid of an old disk in a physical server, create new volumes on other/newer disks and move your data there.

  • Fixing little mistakes: If you accidentally create a new volume in the wrong place, move the data to another volume.

  • Centralize volumes: Centralize and move volumes as you please, for example, if you redesigned your storage infrastructure or you are tidying up your Zimbra volumes.

getVolumeStats

Usage

zimbra@mail:~$ zxsuite hsm getVolumeStats

command getVolumeStats requires more parameters

Syntax:
   zxsuite hsm getVolumeStats {volume_id} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                   TYPE       EXPECTED VALUES    DEFAULT
volume_id(M)           Integer
show_volume_size(O)    Boolean    true|false         false
show_blob_num(O)       Boolean    true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

**BE CAREFUL** show_volume_size and show_blob_num options are IO intensive and thus disabled by default

zxsuite hsm getVolumeStats 2
Shows stats for the volume with ID equal to 2

Description and Tips

This command provides the following information about a volume:

name description

id

The ID of the volume

name

The Name of the volume

path

The Path of the volume

compressed

Compression enabled/disabled

threshold

Compression threshold (in bytes)

lastMoveOutcome

Exit status of the latest doMoveBlobs operation

lastMoveTimestamp

End timestamp of the latest doMoveBlobs operation

lastMoveDuration

Duration of the last doMoveBlobs operation

lastItemMovedCount

Number of items moved to the current secondary volume during the latest doMoveBlobs operation

bytesSaved

Total amount of disk space freed up thanks to deduplication and compression

bytesSavedLast

Amount of disk space freed up thanks to deduplication and compression during the latest doMoveBlobs operation

The show_volume_size and show_blob_num options will add the following data to the output:

option name description

show_volume_size

totSize

Total disk space used up by the volume

show_blob_num

blobNumber

Number of BLOB files in the volume

Moving Mailboxes Between Mailstores

The doMailboxMove command allows you to move a single mailbox or all accounts from a given domain, from one mailbox server to another within the same Zimbra infrastructure.

If the HSM NG module is installed and enabled, this command replaces the old zmmboxmove and zmmailboxmove commands. Using any of the legacy commands will return an error and won’t move any data.

Syntax

Syntax:
   zxsuite hsm doMailboxMove {destinationHost} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME                           TYPE             EXPECTED VALUES                                      DEFAULT
destinationHost(M)             String
accounts(O)                    String[,..]      john@example.com,smith@example.com[,...]
domains(O)                     String[,..]      example.com,test.com[,...]
input_file(O)                  String
stages(O)                      String[,..]      blobs|backup|data|account data=blobs+backup[,...]    blobs,backup,account
compress(O)                    Boolean          true|false                                           true
checkDigest(O)                 Boolean          if false skip digest calculation and check           false
overwrite(O)                   Boolean          true|false                                           true
threads(O)                     Integer                                                               1
hsm(O)                         Boolean          true|false                                           false
notifications(O)               Email Address
ignore_partial(O)              Boolean          true|false                                           false
drop_network_backup(O)         Boolean          true|false                                           false
read_error_threshold(O)        Integer
blob_destination_volume(O)     String           current_primary|current_secondary|6                  current_primary
drive_destination_volume(O)    String           drive_primary|drive_secondary|same_as_blob|7         same_as_blob

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite hsm doMailboxMove mail2.example.com accounts john@example.com stages data,account
Move mailbox for account john@example.com to mail2.example.com host
Table 60. Parameter List

destinationHost(M)

The host where the mailbox must be moved to.

accounts(O)

Comma separated list of mailbox(es) to move. Can be combined with the "domains" option.

domains(O)

Comma separated list of domain(s) to move. Can be combined with the "accounts" option.

input_file(O)

File containing the list of mailboxes to move, one per line.

stages(O)

The stages of the move to perform among blobs, backup, data, account. The "Data" stage will move both blobs and backup, while the "account" stage will effectively move the mailbox information.

compress(O)

Whether to compress the moved blobs on the destination host or not.

checkDigest(O)

Whether to check item digests during the move or not. Safer but slower.

overwrite(O)

Whether to overwrite previously moved items for the same mailbox.

threads(O)

Number of threads to use for the move. Higher threads mean faster moves but with more impact on the system’s performances.

hsm(O)

Whether to apply the HSM policies on the destination host when moving the blobs.

notifications(O)

Comma separated list of email addresses to notify about the outcome of the operation.

ignore_partial(O)

Ignore previous move attempts.

drop_network_backup(O)

Delete Legacy Backup data during the move

read_error_threshold(O)

Maximum amount of read I/O errors to allow before stopping the operation.

doMailboxMove Details

  • When moving a domain, each account from the current server is enumerated and moved sequentially.

  • The mailbox is set to maintenance mode only during the 'account' stage.

  • The move will be stopped if 5% or more write errors are encountered on items being moved.

    • When multiple mailboxes are moved within the same operation, the error count is global and not per-mailbox.

  • Moves will not start if the destination server does not have enough space available to host the mailbox.

    • When a single operation is used to move multiple mailboxes, the space check will be performed before moving each mailbox.

  • All data is moved at a low-level and will not be changed except for the mailbox id.

  • The operation is made up of 3 stages: blobs|backup|account. For each mailbox:

    • blobs: All blobs are copied from the source server to the destination server.

    • backup: All backup entries are copied from the source server to the destination server.

    • account: All database entries are moved as-is and LDAP entries are updated, effectively moving the mailbox.

  • All of the stages are executed sequentially.

  • On the reindex stage’s completion, a new HSM operation is submitted to the destination server, if not specified otherwise.

  • All volumes' compression options are taken.

  • The MailboxMove operation can be executed if and only if no others operations are running on the source server.

  • A move will not start if the destination server does not have enough space available or the user just belongs to the destination host.

  • By default, items are placed in the Current Primary volume of the destination server.

    • The hsm true option can be used to apply the HSM policies of the destination server after a mailbox is successfully moved.

  • If, for any reason, the move stops before it is completed the original account will still be active and the appropriate notificaton will be issued.

  • Should the mailboxd crash during move, the "Operation Interrupted" notification is issued as for all operations, warning the users about the interrupted operation.

  • Index information are moved during the 'account' stage, so no manual reindexing is needed nor one will be triggered automatically.

HSM NG Attachment Indexing

How Indexing Works

A new indexing engine has been added to HSM NG to index attachment contents.

The indexing engine works together with Zimbra’s default engine. The main Zimbra indexing process analyzes the contents of an item, splitting it into several parts based on the MIME parts of the object. Next, Zimbra handles the indexing of known contents - plaintext - and passes the datastream on to the HSM NG handlers for all other content.

The indexing engine includes an indexing cache that speeds up the indexing process of any content that has already been analyzed. Datastreams over 10Kb are cached by default, and the cache hold 10000 entries, while smaller datastreams are not cached as the cache benefits only apply to large datastreams.

Indexed Formats

Web
Extension Parser Content-type

asp

HtmlParser

application/x-asp

htm

HtmlParser

application/xhtml+xml

html

HtmlParser

application/xhtml+xml, text/html

shtml

HtmlParser

application/xhtml+xml

xhtml

HtmlParser

application/xhtml+xml

Documents
Extension Parser Content-type

rtf

RTFParser

application/rtf

pdf

PDFParser

application/pdf

pub

OfficeParser

application/x-mspublisher

xls

OfficeParser

application/vnd.ms-excel

xlt

OfficeParser

application/vnd.ms-excel

xlw

OfficeParser

application/vnd.ms-excel

ppt

OfficeParser

application/vnd.ms-powerpoint

pps

OfficeParser

application/vnd.ms-powerpoint

mpp

OfficeParser

application/vnd.ms-project

doc

OfficeParser

application/msword

dot

OfficeParser

application/msword

msg

OfficeParser

application/vnd.ms-outlook

vsd

OfficeParser

application/vnd.visio

vst

OfficeParser

application/vnd.visio

vss

OfficeParser

application/vnd.visio

vsw

OfficeParser

application/vnd.visio

xlsm

OOXMLParser

application/vnd.ms-excel.sheet.macroenabled.12

pptm

OOXMLParser

application/vnd.ms-powerpoint.presentation.macroenabled.12

xltx

OOXMLParser

application/vnd.openxmlformats-officedocument.spreadsheetml.template

docx

OOXMLParser

application/vnd.openxmlformats-officedocument.wordprocessingml.document

potx

OOXMLParser

application/vnd.openxmlformats-officedocument.presentationml.template

xlsx

OOXMLParser

application/vnd.openxmlformats-officedocument.spreadsheetml.sheet

pptx

OOXMLParser

application/vnd.openxmlformats-officedocument.presentationml.presentation

xlam

OOXMLParser

application/vnd.ms-excel.addin.macroenabled.12

docm

OOXMLParser

application/vnd.ms-word.document.macroenabled.12

xltm

OOXMLParser

application/vnd.ms-excel.template.macroenabled.12

dotx

OOXMLParser

application/vnd.openxmlformats-officedocument.wordprocessingml.template

ppsm

OOXMLParser

application/vnd.ms-powerpoint.slideshow.macroenabled.12

ppam

OOXMLParser

application/vnd.ms-powerpoint.addin.macroenabled.12

dotm

OOXMLParser

application/vnd.ms-word.template.macroenabled.12

ppsx

OOXMLParser

application/vnd.openxmlformats-officedocument.presentationml.slideshow

odt

OpenDocumentParser

application/vnd.oasis.opendocument.text

ods

OpenDocumentParser

application/vnd.oasis.opendocument.spreadsheet

odp

OpenDocumentParser

application/vnd.oasis.opendocument.presentation

odg

OpenDocumentParser

application/vnd.oasis.opendocument.graphics

odc

OpenDocumentParser

application/vnd.oasis.opendocument.chart

odf

OpenDocumentParser

application/vnd.oasis.opendocument.formula

odi

OpenDocumentParser

application/vnd.oasis.opendocument.image

odm

OpenDocumentParser

application/vnd.oasis.opendocument.text-master

ott

OpenDocumentParser

application/vnd.oasis.opendocument.text-template

ots

OpenDocumentParser

application/vnd.oasis.opendocument.spreadsheet-template

otp

OpenDocumentParser

application/vnd.oasis.opendocument.presentation-template

otg

OpenDocumentParser

application/vnd.oasis.opendocument.graphics-template

otc

OpenDocumentParser

application/vnd.oasis.opendocument.chart-template

otf

OpenDocumentParser

application/vnd.oasis.opendocument.formula-template

oti

OpenDocumentParser

application/vnd.oasis.opendocument.image-template

oth

OpenDocumentParser

application/vnd.oasis.opendocument.text-web

sxw

OpenDocumentParser

application/vnd.sun.xml.writer

Packages and Archives
Extension Parser Content-Type

z

CompressorParser

application/x-compress

bz

CompressorParser

application/x-bzip

boz

CompressorParser

application/x-bzip2

bz2

CompressorParser

application/x-bzip2

gz

CompressorParser

application/gzip

gz

CompressorParser

application/x-gzip

gzip

CompressorParser

application/x-gzip

xz

CompressorParser

application/x-xz

tar

PackageParser

application/x-tar

jar

PackageParser

application/java-archive

7z

PackageParser

application/x-7z-compressed

cpio

PackageParser

application/x-cpio

zip

PackageParser

application/zip

rar

RarParser

application/x-rar-compressed

txt

TXTParser

text/plain

Parser Controls

Parsers can be turned on or off by changing the related value to true or false via the zxsuite config CLI command.

Attribute Parsers

pdfParsingEnabled

PDFParser

odfParsingEnabled

OpenDocumentParser

archivesParsingEnabled

CompressorParser, PackageParser, RarParser

microsoftParsingEnabled

OfficeParser, OOXMLParser, OldExcelParser

rtfParsingEnabled

RTFParser

e.g. to disable PDF parsing run:

zxsuite config server set server.domain.com attribute pdfParsingEnabled value false

By default, all parsers are active.

ABQ Service

The "Allow/Block/Quarantine" feature allows for granular access control of mobile devices connecting to the server. It’s a "pre-emptive" type of security feature, meaning that it acts upon the first connection to the server and it’s made to ensure that only authorized devices can finalize synchronization with server. This allows a full administrator to keep track of all mobile device used in their network. Presently only CLI tools are provided; a web GUI will be released in the future.

Components

The ABQ feature is composed of three main logical components:

  • a Device Control List

  • an Authorization Engine

  • a set of CLI tools

Device Control List

The Device Control List, also known as the "ABQ List", holds the information about allowed devices within the NG config engine. Devices can be added to the Device Control List via CLI based on their “Device ID” which can be obtained via CLI.

It is also possible to further limit access by limiting the accounts that can synchronise with the server on a specific device.

On module startup, if the Device Control List is empty all mobile devices previously recognized by the Zimbra server will be imported as Allowed.

Authorization Engine

The Authorization Engine takes care of checking devices against the Device Control List and setting their ABQ status to the appropriate value.

Each rule is applied to all accounts connecting using a device it is a device id. It applies to a specific account connecting using that device if it has the format device_id/account_id or device_id/accountName

CLI Toolset.

The CLI Toolset allows administrators to interact with the device control list and with the synchronization status of a device, specifically to:

  • Display the Device Control List

  • Display all Quarantined and Blocked Devices

  • Add one or more devices to the Device Control List

  • Move a device from “Quarantine” to “Allowed” or “Blocked”

  • Change the synchronization status of a device

Every time the administrator changes a device’s status in an ABQ-enabled environment, depending on the issued state the device will be forced to re-sync folders with the server resulting in an immediate re-route to either a dummy virtual mailbox that will explain to the user what’s happened, or to the real mailbox to perform the re-sync.

ABQ Modes

The ABQ feature is triggered for every mobile device that tries to synchronize with server, and can be set to one of four possible modes: "Permissive", "Interactive", "Strict” and "Disabled". This attribute is Global for all the cluster.

"Permissive" mode:

The Authorization Engine is not active, so after authenticating the user and checking their account status for safety reasons, the synchronization will continue. It is still possible to block specific devices but non-blocked devices will always be allowed to sync.

"Interactive" mode:

After authenticating the user and checking their account status for safety reasons, the Device Control system will check the "Device ID" sent by the device against the list of allowed devices:

  • if the device/user couple is in the "allowed" list the synchronization will continue.

  • if the device/user couple is not in the device list but device is in the "allowed" list the synchronization will continue.

  • if the device is not in the “allowed” list the synchronization will be paused, a dummy email notifying the user of its "Quarantine" status will be sent and the connection will be set to "Quarantine" status.

Administrators can be notified at regular intervals, and every notification email will only include new Quarantined devices. They will then be able to allow or deny the synchronization for each device using the appropriate CLI tools.

"Strict" mode:

After authenticating the user and checking their account status for safety reasons, the Device Control system will check the "Device ID" sent by the device against the list of allowed devices:

  • if the device/user couple or the device by itself is in the "allowed" list the synchronization will continue.

  • if the device is not in the “allowed” list the synchronization will be put in "Blocked" state, no data will be synchronized and a dummy email notifying the user of the device’s "Blocked" status will be sent.

"Disabled" mode:

ABQ is disabled, no checks are triggered and no policies are enforced.

ABQ Mode Control

The current mode can be checked by running the following command:

zxsuite config global get attribute abqMode

The ABQ mode can be changed running the following command:

zxsuite config global set attribute abqMode value [Permissive|Interactive|Strict|Disabled]

Dummy data

The feature makes use of “Dummy emails” and a “Dummy mailbox” to put devices on hold while waiting for authorization (Interactive Mode) or to notify their “Blocked” status (Permissive Mode, Interactive Mode and Strict Mode).

The Dummy Mailbox is a virtual mailbox consisting of only an “Inbox” folder that will be synchronized to the device while this is in either Quarantine or Block status. Dummy Emails are predefined email messages that are synchronized to a device in Quarantine or Block status to alert the user. For now these messages aren’t customizable, and will be localized in the future. Whenever the ABQ status of a device is changed, the device’s sync state will be reset.

This was designed to make sure the user knows what’s happening, the alternative being forcing the synchronization to fail with no descriptive response for the user itself – which would likely cause a significant overhead on support calls.

Custom ABQ emails

Quarantine and block dummy emails can be customized by using the zxsuite mobile setABQMessage message command.

Messages can be customized globally or by domain, and multiple languages can be set.

The zxsuite mobile setABQMessage command accepts the following parameters:

Parameter Type Value Default

configLevel

string

global,domain

global

domain

string

only if config != global

messageClass

enum

blocked,quarantined

language

enum

locale (e.g. "en-us")

system default

from

string

Admin Address

reply_to

string

N/A

subject

string

Built-in default

body_plain

string

Built-in default

body_plain_file

path

Path to the file to use as plain text body

N/A

body_html

string

Built-in default

body_html_file

path

Path to the file to use as html body

N/A

Setup Example

Given two files, /tmp/quarantine_body.txt and /tmp/quarantine_body.html containing the French language plaintext and html message bodies and the support@domain.com support email address, the following command will set the quarantine message for the domain.com domain without affecting other domains or users:

zxsuite mobile setABQMessage domain domain.com quarantined fr from support@domain.com body_plain_file /tmp/quarantine_body.txt body_html_file /tmp/quarantine_body.html

Before being able to customize the ABQ messages, a default must be set using default as the language in the command, e.g.

zxsuite mobile setABQMessage global quarantined default […​]

Notifications

Administrators can be notified via email of quarantined devices at a specific interval defined by the abqNotificationsInterval NG configuration attribute, expressed in milliseconds:

The interval can be checked by running the following command:

zxsuite config global get attribute abqNotificationsInterval

The interval can be changed running the following command:

zxsuite config global set attribute abqNotificationsInterval value [delay in milliseconds]

By default, the abqNotificationsInterval is set to 0 - meaning that no notifications will be delivered.

ABQ Service Status

The ABQ service status can be checked running the following command:

zxsuite mobile getServices

The service can be stopped or started using the default service control of the Mobile NG module:

zxsuite mobile doStartService abq
zxsuite mobile doStopService abq

When mode is Disabled ABQ service won’t automatically start and devices are always allowed to sync.

ABQ CLI

A list of all ABQ CLI commands can be displayed running:

$ zxsuite mobile abq

Allow/Block/Quarantine mobile devices management

    list                    - List devices.
                              zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]

    add                     - add/import devices
                              zxsuite mobile ABQ add [attr1 value1 [attr2 value2...] ]

    allow                   - Allow synchronization for a quarantined device
                              zxsuite mobile ABQ allow {device_id}

    block                   - Deny synchronization for a quarantined device
                              zxsuite mobile ABQ block {device_id}

    set                     - Set synchronization status for a device
                              zxsuite mobile ABQ set {device_id} {Allowed|Blocked|Quarantined}

    delete                  - Delete device from ABQ
                              zxsuite mobile ABQ delete {device_id}

    setNotificationInterval - Set the notification interval for new quarantined devices
                              zxsuite mobile ABQ setNotificationInterval {45m|6h|1d|0}

ABQ "list" Command

List all devices ABQ status. The "status" argument will filter the list in order to only show devices in that specific status.

$ zxsuite mobile abq list
List devices.

Syntax:
   zxsuite mobile ABQ list [attr1 value1 [attr2 value2...] ]


PARAMETER LIST

NAME        TYPE    EXPECTED VALUES
status(O)   String  Allowed|Blocked|Quarantined

(M) == mandatory parameter, (O) == optional parameter

Example:

[zimbra@mail ~]$ zxsuite mobile abq list

        devices

                device_id   androidc133785981
                status      Quarantined

                device_id   androidc1024711770
                status      Blocked

                device_id   SAMSUNG1239862958
                status      Allowed

ABQ "import" Command

This command imports a list of device ids from a file, and always requires two parameters: an Input File with a list of Device IDs separated by a newline and the "status" the imported device(s) will be set to.

[zimbra@mail ~]$ zxsuite mobile abq import
command import requires more parameters

Syntax:
    zxsuite mobile ABQ import {Path to file} {Allowed|Blocked|Quarantined}

PARAMETER LIST

NAME            TYPE        EXPECTED VALUES
input_file(M)   String      Path to file
status(M)       String      Allowed|Blocked|Quarantined

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite mobile ABQ import /path/to/file Allowed

Example:

[zimbra@mail ~]$ zxsuite mobile abq import /tmp/list Allowed
3 devices added

[zimbra@mail ~]$ cat /tmp/list
androidc133785981
androidc1024711770
SAMSUNG1239862958/user@domain.com

In the example above, devices androidc133785981 and androidc1024711770 are allowed to sync entirely regardless of the account, while device SAMSUNG1239862958 can only synchronize the user@domain.com account

ABQ "allow" Command

This is a specific command for quarantined device, and sets device status to Allowed.

$ zxsuite mobile abq allow
Allow synchronization for a quarantined device

Syntax:
   zxsuite mobile ABQ allow {device_id} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME            TYPE      EXPECTED VALUES
device_id(M)    String
account(O)      String    27ee8dd9-d813-4ca7-a988-580df0027a58|user1@example.com


(M) == mandatory parameter, (O) == optional parameter

ABQ "block" Command

This is a specific command for quarantined device, and sets device status to Blocked.

$ zxsuite mobile abq block
Deny synchronization for a quarantined device

Syntax:
   zxsuite mobile ABQ block {device_id} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME            TYPE      EXPECTED VALUES
device_id(M)    String
account(O)      String    27ee8dd9-d813-4ca7-a988-580df0027a58|user1@example.com

(M) == mandatory parameter, (O) == optional parameter

ABQ "set" Command

Set any status for any single device (either known or unknown).

$ zxsuite mobile abq set
Set synchronization status for a device

Syntax:
   zxsuite mobile ABQ set {device_id} {Allowed|Blocked|Quarantined} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME            TYPE      EXPECTED VALUES
device_id(M)    String
status(M)       String    Allowed|Blocked|Quarantined
account(O)      String    27ee8dd9-d813-4ca7-a988-580df0027a58|user1@example.com

(M) == mandatory parameter, (O) == optional parameter

ABQ "delete" Command

Delete a device from all lists.

$ zxsuite help mobile abq delete
Delete device from ABQ

Syntax:
   zxsuite mobile ABQ delete {device_id} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME            TYPE      EXPECTED VALUES
device_id(M)    String
account(O)      String    27ee8dd9-d813-4ca7-a988-580df0027a58|user1@example.com

(M) == mandatory parameter, (O) == optional parameter

ABQ "setNotificationInterval" Command

Set notification interval for new quarantined devices.

$ zxsuite mobile abq setNotificationInterval
command setNotificationInterval requires more parameters

Syntax:
    zxsuite mobile ABQ setNotificationInterval {45m|6h|1d}

PARAMETER LIST

NAME            TYPE        EXPECTED VALUES
interval(M)     String      45m|6h|1d

(M) == mandatory parameter, (O) == optional parameter

Usage example:

Set notification of new quarantined devices every 45 minutes
    zxsuite mobile abq setNotificationInterval 45m
Set notification of new quarantined devices every 6 hours
    zxsuite mobile abq setNotificationInterval 6h
Set notification of new quarantined devices once every day
    zxsuite mobile abq setNotificationInterval 1d
Disable notifications of new quarantined devices
    zxsuite mobile abq setNotificationInterval 0

Admin NG

Delegated Admin Provisioning

What is Delegated Admin Provisioning?

Delegated Admin Provisioning is the set of operations that allow you to grant, edit and revoke Domain Admin rights to a user.

All Delegated Admin Provisioning operations can be performed:

  • From the Admin NG tab of the Administration Zimlet

  • From the CLI, running the appropriate zxsuite command as the zimbra user

Granting Delegated Admin Rights to a User

From the Administration Zimlet

In the Delegated Admins section of the Admin NG tab in the Administration Zimlet, click the Add button.

You will be prompted for the following information:

  • Account: The email address to which you want to grant Delegated Admin rights.

  • Domain: The domain on which the Delegated Admin will have control.

  • Delegated Auth: Check this box to allow the Delegated Admin to use the View Mail features on any mailbox in the selected domain.

  • Grant Limit: The maximum mailbox quota this Delegated Admin can assign to a user.

  • Edit Features: Defines whether the Delegated Admin is able to edit the contents of the Features tab for its assigned users.

If the Domain Quota is lower than the Grant Limit, the Grant Limit value will be ignored.
Disk space and Quota limits can be entered in Gigabytes (gb), Megabytes (mb) or Kilobytes (kb).
From the CLI

To grant Delegated Admin rights to a user, use the doAddDelegationSettings command:

Syntax:
   zxsuite admin doAddDelegationSettings {account} {domain} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME               TYPE       EXPECTED VALUES    DEFAULT
account(M)         String
domain(M)          String
viewMail(O)        Boolean    true|false         false
editFeatures(O)    Boolean    true|false         false
adminQuota(O)      String                        -1

(M) == mandatory parameter, (O) == optional parameter

Usage example:


zxsuite admin doAddDelegationSettings john@example.com example.com viewMail true adminQuota -1
Adds John as delegated administrator of domain example.com, with the right to view user mail on such domain and
no right to grant quotas to users.

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 0
Adds John as delegated administrator of domain example.com, with the right to assign unlimited quotas to users.

zxsuite admin doAddDelegationSettings john@example.com example.com adminQuota 10gb
Adds John as delegated administrator of domain example.com, with the right to assign quotas up to 10gb to each user.

Editing the Rights of an Existing Delegated Admin

From the Administration Zimlet

In the Delegated Admins section of the Admin NG tab in the Administration Zimlet, select an entry in the list and click the Edit button.

You can also double click an entry on the list to edit it.

From the CLI

To edit the rights of an existing Delegated Admin, use the doEditDelegationSettings command:

Syntax:
   zxsuite admin doEditDelegationSettings {account} {domain} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME               TYPE       EXPECTED VALUES
account(M)         String
domain(M)          String
viewMail(O)        Boolean    true|false
editFeatures(O)    Boolean    true|false
adminQuota(O)      String

(M) == mandatory parameter, (O) == optional parameter

Usage example:


zxsuite admin doEditDelegationSettings john@example.com example.com viewMail true adminQuota -1
Edits John's delegation rights for domain example.com, with the right to view user mail on such domain and
no right to grand quotas to users.

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 0
Edits John's delegation rights for domain example.com, with the right to assign unlimited quotas to users.

zxsuite admin doEditDelegationSettings john@example.com example.com adminQuota 10gb
Edits John's delegation rights for domain example.com, with the right to assign quotas up to 10gb to each user.

Revoke Delegated Admin Rights from a User

From the Administration Zimlet

In the Delegated Admins section of the Admin NG Tab in the Administration Zimlet, select an entry in the list and click the Delete button.

From the CLI

To revoke Delegated Admin rights from a user, use the doRemoveDelegationSettings command:

zxsuite admin doRemoveDelegationSettings {account} {domain}

PARAMETER LIST

NAME          TYPE
account(M)    String
domain(M)     String

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite admin doRemoveDelegationSettings john@example.com example.com
John no longer administers domain example.com

Quota Management

What is Quota Management?

Admin NG allows the Global Administrator to set two different types of quota limits: the Grant Limit and the Domain Quota.

Neither the Domain Quota nor the Grant Limit are mandatory, meaning that a Delegated Admin can be allowed to grant any quota to a user and that a domain can lack a maximum quota limit.

The Grant Limit

The Grant Limit is one of the properties of a Delegated Admin.

It specifies the maximum mailbox quota that the Delegated Admin can grant to a mailbox and can be set and changed in the Delegated Admin’s settings.

Three options are available:

  • None: The Delegated Admin cannot edit the Quota attribute of a mailbox.

  • Custom: The Delegated Admin can grant up to the specified value. This overrides any domain/COS quota setting.

  • Unlimited: The Delegated Admin can grant any quota to the mailbox. This overrides any domain/COS quota setting.

The Domain Quota

The Domain Quota is a property that specifies the maximum mailbox quota that any Administrator can grant to a mailbox in the domain.

Assigning an unlimited quota to a mailbox will override the Domain Quota setting.

Grant Limit vs Domain Quota

The Grant Limit and Domain Quota properties are mutually exclusive on a restrictive basis.

This means that the following scenarios may occur:

  • A Global Admin grants a user a higher quota than the allowed Domain Quota

  • A Delegated Admin grants a user a higher quota than the allowed Domain Quota

  • A Delegated Admin’s Grant Limit is lower than the Domain Quota

Let’s examine these scenario one by one.

A Global Admin grants a user a higher quota than the allowed Domain Quota

Since the Domain Quota applies to a given domain, not to a given Admin, the effective quota for the user will be the maximum quota allowed by the Domain Quota setting.

A Delegated Admin grants a user a higher quota than the allowed Domain Quota

In this case, the effective quota for the user will be the maximum quota allowed by the Domain Quota setting, even if the Delegated Admin’s Grant Limit is higher than the Domain Quota.

A Delegated Admin’s Grant Limit is lower than the Domain Quota

In this case, the maximum quota that the Delegated Admin can grant to a user will be the one defined by the Grant Limit, even if the Domain Quota is higher. A Global Admin, which is not bound to any Grant Limit restriction, will be allowed to assign any mailbox quota to the user up to the limit allowed by the Domain Quota.

Domain Limits

What is Domain Limit Management (a.k.a. Domain Settings)?

Domain Limit Management is a feature of the Admin NG module. It allows a Global Administrator to set domain level limits that cannot be exceeded by any Administrator.

The only way to exceed a Domain Limit is to change the Domain Limit itself.

Domain Limits
  • Global Account Limit: The maximum number of accounts that can be created on this domain.

  • Domain Quota: The maximum mailbox quota that any Administrator can grant to a mailbox in the domain.

  • COS Limits: Define which Classes of Service can be used for users in the domain and the maximum number of users per Class of Service.

Edit the Limits of a Domain

From the Administration Zimlet

All the domains in the Zimbra infrastructure are listed in the Domain Settings list in the Admin NG tab of the Administration Zimlet.

To edit the limits of a domain, select the domain from the Domain Settings list and press the Edit button.

From the CLI

To edit the limits of a domain through the CLI, use the setDomainSettings command:

Syntax:
   zxsuite admin setDomainSettings {domain} [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME                       TYPE       EXPECTED VALUES                   DEFAULT
domain(M)                  String
account_limit(O)           Integer                                       don't change setting
domain_account_quota(O)    String                                        don't change setting
cos_limits(O)              String     cosname1:limit1,cosname2:limit2    don't change setting

(M) == mandatory parameter, (O) == optional parameter

Usage example:


zxsuite admin setDomainSettings example.com account_limit 100 domain_account_quota 100mb cos_limits cos1:30,cos2:80

Sets a global account limit on the domain example.com of 100 accounts,
with a domain account quota of 100 megabytes
and with cos account limits of 30 for cos1 and 80 for cos2.

Note: A cos limit of -1 removes the limit for the cos.

Reset the Limits of a Domain

From the Administration Zimlet

All the domains in the Zimbra infrastructure are listed in the Domain Settings list in the Admin NG tab of the Administration Zimlet.

To reset the limits of a domain, select the domain from the Domain Settings list and press the Reset button, then click Ok in the confirmation pop-up.

From the CLI

To reset the limits of a Domain through the CLI, use the resetDomainSettings command:

Syntax:
   zxsuite admin resetDomainSettings {domain}

PARAMETER LIST

NAME         TYPE
domain(M)    String

(M) == mandatory parameter, (O) == optional parameter

Zimbra Administration as a Delegated Admin

Accessing the Zimbra Administration Console as a Delegated Admin

To access the Zimbra Administration Console, connect to port 7071 of your mailserver with a web browser and login with your Zimbra credentials.

Delegated Admin CAN and CAN’T Table

Here is a quick reference of what a Delegated Admin CAN and CAN’T do through the Admin NG module.

CAN CAN’T

View the account list of any domain for which they are granted Delegate Admin rights

View the account list belonging to any other domain

Edit any user account in any domain for which they are granted Delegate Admin rights

Edit any user account belonging to any other domain

Edit any alias, distribution list or resource in any domain for which they are granted Delegate Admin rights

Edit any alias, distribution list or resource belonging to any other domain

Edit any Global Admin account

Grant Global Admin or Delegated Admin rights to any user

Create an account on a domain for which they are granted Delegated Admin rights

Create an account on any other domain

Select the Class Of Service of an account between those available for that account’s domain

Arbitrarily set the Class of Service of an account between those available on the server

Edit COS settings

Edit Domain Settings that may interfere with the proper functioning of the server

See or edit any server setting

See or edit any global setting

Overview of the Zimbra Administration Console for Delegated Admins

  • Manage:

    • Accounts: Manage the Accounts belonging to any domain for which delegated admin rights have been granted.

    • Aliases: Manage Aliases of accounts belonging to any domain for which delegated admin rights have been granted.

    • Distribution Lists: Manage the Distribution Lists belonging to any domain for which delegated admin rights have been granted.

    • Resources: Manage the Resources belonging to any domain for which delegated admin rights have been granted.

  • Configure: View the configuration of any domain for which delegated admin rights have been granted.

  • Search: Perform advanced Searches.

  • Network NG

    • Mobile NG: Manage the synchronization of mobile devices and clients belonging to any domain for which delegated admin rights have been granted.

    • "Admin NG: View the list of Delegated Admins belonging to any domain for which delegated admin rights have been granted as well as quota usage informations.

  • Search Bar: Perform quick searches.

  • [username]: Log Out from the Zimbra Administration Console.

Delegated Admin Log Browsing

What is Delegated Admin Log Browsing?

The Admin NG allows a Global Admin to easily keep track of all Admins' activity through a search-based graphical log browser.

The Admin NG Log Browser

The Admin NG Log Browser can be accessed by clicking Browse Logs in the Admin NG tab of the Administration Zimlet. The Filter Log pop-up dialog will open, allowing you to apply some filters to the logs you want to browse.

The available filters are:

  • Basic filters

    • Admin: Filter the logs to only view operations performed by a single Domain Admin.

    • Action: Filter the logs to only view one particular action. See below for the available actions.

  • Advanced filters

    • Client IP: Filters the logs to only show operations performed from a determined IP address.

    • Show Logins: Select this checkbox to also show when the Domain Admins log into the Zimbra Classic Web App.

    • Outcome: Filters the logs to either show all operations, successful operations or failed operations.

    • Start and End: Limits the logs shown to a specific timespan (default: the current day).

Clicking the Details button will apply the selected filters and show the log browser.

The Action filter

Any operation an Administrator can perform is available in the drop-down menu of the Action filter.

All of these operations are important to keep track of your admin’s actions and to troubleshoot issues.

  • Auth: All authentications.

  • DelegateAuth: All Delegated Authentications, either through the View Mail button or through the -z option of the zmmailbox command.

  • CreateAccount: All account creations.

  • DeleteAccount: All account deletions.

  • Set Password: All mailbox password changes.

  • RemoveAccountAlias: All alias deletions.

  • DeleteDistributionList: All distribution lists deletions.

Reports and Information

Admin NG Monthly Reports

The Admin NG module includes a very useful Monthly Reports feature that allows Global Administrators to keep track of both Delegated Admin operations and domain status for a given month.

How does the Monthly Report system work?

On the first day of each month, the Admin NG module automatically creates a report based on the data gathered in the Admin NG Log.

This monthly report includes:

GLOBAL REPORT

First logged action

Timestamp of the first action performed by an Admin this month

Last logged action

Timestamp of the last action performed by an Admin this month

Last admin login by

Latest administrative login timestamp

Most active admin

Name of the Admin with the highest number of actions logged

Most used address

Most common IP Address for admin logins

Total accounts

Total number of mailboxes

Total created accounts

Number of mailboxes created during the month

Total deleted accounts

Number of mailboxes deleted during the month

Total created domains

Number of domains created during the month

Total created distribution lists

Number of distribution lists created during the month

Total deleted distribution lists

Number of distribution lists deleted during the month

DOMAIN REPORT

Domain

The name of the domain this data refers to

Last admin login

Latest administrative login timestamp

Account/max accounts

Current and maximum number of accounts

Current Domain Size

Sum of the quotas used by all mailboxes in the domain

Maximum Domain Size

Sum of the maximum quota of all mailboxes (excluding Unlimited mailboxes)

Accounts with no quota limit

Number of mailboxes that don’t have a quota limit

Total size of accounts with no quota limit

Sum of the quotas used by all mailboxes with no quota limit

System Resources in the domain

Number of system resource accounts in the domain

Calendar Resources in the domain

Number of calendar resource accounts in the domain

Successful domain actions

Number of successful actions done by admins on this domain

Unsuccessful domain actions

Number of unsuccessful actions done by admins on this domain

ADMIN REPORT

Admin

The name of the admin this data refers to

Successful logins

Number of successful logins into the Admin Console

Unsuccessful logins

Number of unsuccessful logins into the Admin Console

View mails

Number of times this admin used the View Mail feature during the month

Last login

Timestamp of the last login of this admin into the Administration Console

Most used address

The email address most used by this admin to login

Total actions

The number of actions performed by this admin during the month

Accounts created

Number of accounts created by this admin during the month

Accounts deleted

Number of accounts deleted by this admin during the month

How to Access the Monthly Reports

From the Administration Zimlet

To access the Monthly Reports:

  • Log into the Zimbra Administration Console as a Global Admin.

  • On the Admin NG tab of the Administration Zimlet, click the Monthly Reports button on the top-right of the page.

  • Select the month you wish to view and click Show Report.

From the CLI

To view the Monthly Reports from the CLI, use the getMonthlyReport command:

zxsuite admin getMonthlyReport [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME        TYPE       EXPECTED VALUES    DEFAULT
month(O)    String     mm/yyyy            12/2021
local(O)    Boolean    true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite admin getMonthlyReport
Shows the monthly report for the previous month

zxsuite admin getMonthlyReport month 11/2021
Shows the monthly report for the month '11/2021'

Partial Reports

To create a partial report for the current month, use the doMonthlyReport command:

zxsuite admin doMonthlyReport [attr1 value1 [attr2 value2...

PARAMETER LIST

NAME        TYPE       EXPECTED VALUES    DEFAULT
month(O)    String     mm/yyyy            12/2021
force(O)    Boolean    true|false         false

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite admin doMonthlyReport
Generates the monthly report for the previous month and saves it in the current Admin NG log path

zxsuite admin doMonthlyReport month 01/2021
Generates a PARTIAL monthly report for the current month, without saving it to disk

** NOTE**

This command is automatically executed once a month to generate a file containing
the report for the
previous month. To overwrite an existing report file, set the 'force' parameter to true.

The Admin NG Log Path

The Admin NG Module stores all monthly reports, together with the logs used to generate the Monthly reports and to provide information via the Admin Log Browser feature, in a path inside the /opt/zimbra/conf/ folder (default /opt/zimbra/conf/zextras/zxadmin/). This particular default path has been chosen because it is the only directory that CANNOT be deleted during a Zimbra update.

The Admin NG Log Path Structure and Contents

The Admin NG log path is a flat directory containing the following files:

  • One or more YYYY_MM files containing the logs for the file’s namesake month.

  • Zero or more YYYY_MM.report files containing the monthly report for the file’s namesake month.

  • Zero or more YYYY_MM.X files containing partial logs for the file’s namesake month. These files are created when changing the Admin NG Log Path.

Changing the Admin NG Log Path
Carefully read this paragraph before changing the Admin NG Log Path. Any error on the procedure will cause a potential log loss that will render the Monthly Report and Show Admin Logs features highly unreliable.

To safely change the Admin NG Log Path, follow these steps:

  • Create the folder that will contain the logs:

    • The folder’s ownership must be zimbra:zimbra.

    • The 'zimbra' user must have read and write permissions to the folder.

    • The folder must be empty.

  • Log into the Zimbra Administration Console as a Global Admin.

  • Open the Admin NG tab in the Administration Zimlet.

  • In the Basic Module Configuration section, click the Change button near the Admin Log Path line.

  • Enter the new path and click Change Path.

  • If no errors are shown, move all the contents of the old log path.

    • It’s perfectly normal to only see .report and .X files in the old log path, as the current log file will be given the .1 extension to mark it as a partial. Any previous .X files will have their extension number increased by 1.

Configuration Reset

What is the Admin NG Configuration Reset?

The Admin NG Configuration Reset is a free feature of the Admin NG module that allows a Global Administrator to completely wipe all delegation rights from the server.

This is not a rollback feature that cleans the Admin NG module’s configuration. Resetting the Admin Configuration will affect both Admin NG and Zimbra delegation rights.

Using the Admin Configuration Reset feature will completely wipe all delegation configuration from the server, bringing it back to the state of a fresh installation. Only Admin Delegation settings will be wiped, no other kind of data will be affected.
What does the Admin Configuration Reset clear?

The Admin Configuration Reset clears the following configurations:

  • The isDelegatedAdmin account property for all accounts on the server

  • All Access Control Entries and all Access Control Lists for

    • Users

    • Domains

    • Classes of service

    • Local configuration

    • Server configuration

    • Zimlets

When should I use the Admin Config Reset?

The Admin Config Reset should only be used in the following cases:

  • To completely reset a compromised situation

    • If one or more wrong ACL or ACE settings cause your Zimbra Administration Console to be unstable or not to properly show (e.g. displaying a blank page or missing one or more UI elements), use the Admin Configuration Reset as a final resolution.

  • If you plan to stop using the Admin NG module

    • The reset option is available even if no valid Network NG license is active. Remember that this will also wipe any manually set Delegation settings.

How do I use the Admin Configuration Reset?

If you really want to reset the Admin Delegation configuration, simply run this CLI command:

zxsuite core doDeleteAllDelegatedRights

You will be asked to enter a confirmation string to avoid any accidental use of the command.

NG Modules CLI

Network NG Modules CLI

zxsuite - Network NG Modules Command-Line Interface

Basic Usage

Every module of Network NG, including the core, has its own set of zxsuite commands. All zxsuite commands are invoked with the following syntax:

:: zxsuite [--host|--offline] [--json] [--progress] [--sync] {module} {action} [options]

Available switches:

  • --host [hostname|ip] - Specify a target host for the command. Leave blank for localhost. Use all_servers to broadcast the command to all servers.

  • --offline - Use if Zimbra is not started. Some commands will not work

  • --json - The output of the command will be presented in JSON format. Good for scripting.

  • --progress - Prints the operation’s feedback directly to STDOUT. Press Ctrl+C to interrupt the output. The operation itself won’t be interrupted.

  • --sync - Runs the command in synchronous mode, waiting for the operation’s execution to end and returning an exit code relevant with the operation’s result among the following:

    • 0 - Successful

    • 1 - Failed

    • 2 - Stopped

    • 3 - Removed

    • 4 - Interrupted

Online Help: An Online Help for every command is available through zxsuite help {module} [command]. Omitting the command will display the full list of available commands.

Core CLI

Basic Usage:

zxsuite core {action} [options]

Core Commands

:: getVersion - Display Network NG Modules version

zxsuite core getVersion

:: getProperty - Get configuration properties

zxsuite core getProperty [attr1 value1 [attr2 value2…​

:: setProperty - Set configuration property

zxsuite core setProperty {property_name} {property_value}

:: getLicenseInfo - Display Network NG Modules license informations

zxsuite core getLicenseInfo core getLicenseInfo

:: doUploadLicense - Upload a Network NG license

zxsuite core doUploadLicense {license_path}

:: doLicenseChecks - Force Network NG license checks

zxsuite core doLicenseChecks

:: getAccountStats - Show statistic informations about provided account name or ID

zxsuite core getAccountStats {account}

:: getNotification - Shows Network NG notifications

zxsuite core getNotification [attr1 value1 [attr2 value2…​

:: doDeleteAllDelegatedRights - This command deletes both Admin NG and Zimbra’s own Admin Delegation settings

zxsuite core doDeleteAllDelegatedRights {confirmation string}

Update CLI

Basic Usage:

zxsuite update {action} [options]

Update Commands

:: doCheckUpdate - Fetch update information

zxsuite update doCheckUpdate

:: doStartService - start a given service

zxsuite update doStartService {service_name}

:: doStopService - stop a given service

zxsuite update doStopService {service_name}

:: download - [BETA] Update Network NG with the latest update available, the version will be loaded on the next mailboxd restart

zxsuite update download

:: enable - [BETA] Enable Network NG automatic update capabilities

zxsuite update enable

:: getServices - show current status of all services for this module

zxsuite update getServices

:: info - Info on Network NG updates

zxsuite update info

:: start - [BETA] Load a new Network NG version

zxsuite update start [attr1 value1 [attr2 value2…​

Backup NG CLI

Basic Usage:

zxsuite backup {action} [options]

Backup NG Commands

:: getProperty - Get configuration properties

zxsuite backup getProperty [attr1 value1 [attr2 value2…​

:: setProperty - Set configuration property

zxsuite backup setProperty {property_name} {property_value}

:: doSmartScan - Perform a Smart Scan

zxsuite backup doSmartScan [attr1 value1 [attr2 value2…​

:: doAccountScan - Perform a Full Scan on a single account

zxsuite backup doAccountScan {account} [attr1 value1 [attr2 value2…​

:: doExport - Perform an Export limited by domains

zxsuite backup doExport {destination_path} [attr1 value1 [attr2 value2…​

:: doRestoreOnNewAccount - Perform a Restore on New Account

zxsuite backup doRestoreOnNewAccount {source_account} {destination_account} {dd/MM/yyyy HH:mm:ss|last} [attr1 value1 [attr2 value2…​

:: doEnableDisableCOS - Enable or disable the backup for a specific COS

zxsuite backup doEnableDisableCOS {cos_name} {enable|disable}

:: doUndelete - Perform an Undelete Restore

zxsuite backup doUndelete {account} dd/MM/yyyy HH:mm:ss|first} dd/MM/yyyy HH:mm:ss|last} [attr1 value1 [attr2 value2…​

:: doItemSearch - Search for an item

zxsuite backup doItemSearch {account} [attr1 value1 [attr2 value2…​

:: doItemRestore - Restores a single item

zxsuite backup doItemRestore {account_name} {item_id}

:: doExternalRestore - Perform an External Restore

zxsuite backup doExternalRestore {source_path} [attr1 value1 [attr2 value2…​

:: doStopOperation - Stop a single running operation

zxsuite backup doStopOperation {operation_uuid}

:: doStopAllOperations - Stops all running operations and empties the operations queue

zxsuite backup doStopAllOperations

:: doCheckShares - Check all shares on local accounts

zxsuite backup doCheckShares

:: doFixShares - Try to fix all shares on local accounts

zxsuite backup doFixShares {import_idmap_file}

:: doFixOrphans - Delete orphan digest files

zxsuite backup doFixOrphans [attr1 value1 [attr2 value2…​

:: doCoherencyCheck - Check backup coherency

zxsuite backup doCoherencyCheck {backup_path} [attr1 value1 [attr2 value2…​

:: getAccountInfo - Shows an account’s information

zxsuite backup getAccountInfo {account} [attr1 value1 [attr2 value2…​

:: getBackupInfo - Displays informations about the backup system

zxsuite backup getBackupInfo [attr1 value1 [attr2 value2…​

:: getMap - Show binary Map object as human readable table

zxsuite backup getMap {file_path}

:: getItem - Display an item in a human-readable format.

zxsuite backup getItem {account} {item} [attr1 value1 [attr2 value2…​

:: getAvailableAccounts - Displays all accounts available for restore

zxsuite backup getAvailableAccounts [attr1 value1 [attr2 value2…​

:: getAvailableDomains - Displays all domains available for restore

zxsuite backup getAvailableDomains {dd/MM/yyyy HH:mm:ss|last} {backup_path}

:: getServerConfig - Provides a list of stored server configs

zxsuite backup getServerConfig dd/MM/yyyy HH:mm:ss|last|all} {standard|customizations} [attr1 value1 [attr2 value2…​

:: getCOSBackupStatus - Displays the backup status of all COS

zxsuite backup getCOSBackupStatus [attr1 value1 [attr2 value2…​

:: getAllOperations - Displays all running and queued operations

zxsuite backup getAllOperations

:: monitor - Monitor a running operation

zxsuite backup monitor {operation_uuid} [attr1 value1 [attr2 value2…​

:: getServices - Show the current status of all the module’s services

zxsuite backup getServices

:: doBackupLDAP - Backup LDAP

zxsuite backup doBackupLDAP

:: doRestartService - Restart one given service

zxsuite backup doRestartService {service_name}

:: doRestoreBlobs - Start a "restore blobs" operation which tries to restore broken zimbra blobs.

zxsuite backup doRestoreBlobs {volume_id} [attr1 value1 [attr2 value2…​]]

Mobile NG CLI

Basic Usage:

zxsuite mobile {action} [options]

Mobile NG Commands

:: getProperty - Get configuration properties

zxsuite mobile getProperty [attr1 value1 [attr2 value2…​

:: setProperty - Set configuration property

zxsuite mobile setProperty {property_name} {property_value}

:: getDeviceList - Display all devices for the provided account

zxsuite mobile getDeviceList {account}

:: getDeviceInfo - Display information about the provided device

zxsuite mobile getDeviceInfo {account} {device_id}

:: doResetAccount - Reset ALL device states for the provided account

zxsuite mobile doResetAccount {account}

:: doResetDevice - Resets the device’s SyncState for a single account

zxsuite mobile doResetDevice {account} [attr1 value1 [attr2 value2…​

:: getAllSessions - Returns informations about all stored mobile sessions

zxsuite mobile getAllSessions

:: getActiveSessions - Returns all active mobile sessions

zxsuite mobile getActiveSessions

:: doRemoveDevice - Removes all the device’s SyncState and history from the server

zxsuite mobile doRemoveDevice {account} {device_id}

:: getAccountLoggers - Returns informations about all account loggers

zxsuite mobile getAccountLoggers

:: doRemoveLogger - Removes an account logger

zxsuite mobile doRemoveLogger {logger_id|all_loggers}

:: doAddAccountLogger - Add an account logger

zxsuite mobile doAddAccountLogger {account} {debug|info|warn|err|crit} {log_file}

HSM NG CLI

Basic Usage:

zxsuite hsm {action} [options]

HSM NG Commands

:: +setHsmPolicy - Add an additional policy to HSM.

zxsuite hsm +setHsmPolicy {hsm_policy}

:: addS3Store - Add an S3 compatible store

zxsuite hsm addS3Store {Name of the zimbra store} [attr1 value1 [attr2 value2…​

:: doCheckBlobs - Start the doCheckBlobs operation.

zxsuite hsm doCheckBlobs {start} [attr1 value1 [attr2 value2…​

:: doCreateVolume - Create a volume on the server

zxsuite hsm doCreateVolume {primary|secondary|index} {volume_name} {volume_path} {true|false} {compression_threshold_bytes}

:: doDeduplicate - Start a deduplication operation.

zxsuite hsm doDeduplicate {volume_name} [attr1 value1 [attr2 value2…​

:: doDeleteVolume - Delete a specific volume on the server

zxsuite hsm doDeleteVolume {volume_id}

:: doMoveBlobs - Start the doMoveBlob operation.

zxsuite hsm doMoveBlobs [attr1 value1 [attr2 value2…​

:: doRemoveHsmPolicy - Remove a policy from HSM.

zxsuite hsm doRemoveHsmPolicy {hsm_policy}

:: doRestartService - restart a given service

zxsuite hsm doRestartService {service_name}

:: doStartService - start a given service

zxsuite hsm doStartService {service_name}

:: doStopAllOperations - Stops all running operations and empties the operations queue

zxsuite hsm doStopAllOperations

:: doStopOperation - Stop a single running operation

zxsuite hsm doStopOperation {operation_uuid}

:: doStopService - stop a given service

zxsuite hsm doStopService {service_name}

:: doUpdateVolume - Update a specific volume on the server

zxsuite hsm doUpdateVolume {volume_id} [attr1 value1 [attr2 value2…​

:: doVolumeToVolumeMove - Start the doMoveVolumeBlobs operation.

zxsuite hsm doVolumeToVolumeMove {source_volume_name} {destination_volume_name}

:: getAllOperations - Displays all running and queued operations

zxsuite hsm getAllOperations [attr1 value1 [attr2 value2…​

:: getAllVolumes - Prints all the volumes present in the server

zxsuite hsm getAllVolumes

:: getHsmPolicy - Prints all the policies

zxsuite hsm getHsmPolicy

:: getProperty - Get configuration properties

zxsuite hsm getProperty [attr1 value1 [attr2 value2…​

:: getServices - show current status of all services for this module

zxsuite hsm getServices

:: getVolumeStats - Show space occupation, number of items and blobs contained in a volume

zxsuite hsm getVolumeStats {volume_id} [attr1 value1 [attr2 value2…​

:: monitor - Monitor a running operation

zxsuite hsm monitor {operation_uuid} [attr1 value1 [attr2 value2…​

:: setHSMPolicy - Set the default HSM policy

zxsuite hsm setHSMPolicy {hsm_policy}

:: setProperty - Set configuration property

zxsuite hsm setProperty {property_name} {property_value}

:: testS3Connection - Test the connection to an S3 bucket.

zxsuite hsm testS3Connection {s3BucketConfigurationUuid}

Admin NG CLI

Basic Usage:

zxsuite admin {action} [options]

Admin NG Commands

:: getDelegationSettings - Shows delegated admins with their domains of competency, the viewMail attribute and the admin-assignable quota

zxsuite admin getDelegationSettings [attr1 value1 [attr2 value2…​

:: doEditDelegationSettings

zxsuite admin doEditDelegationSettings {account} {domain} [attr1 value1 [attr2 value2…​

:: doAddDelegationSettings

zxsuite admin doAddDelegationSettings {account} {domain} [attr1 value1 [attr2 value2…​

:: *doRemoveDelegationSettings

zxsuite admin doRemoveDelegationSettings {account} {domain}

:: getDomainSettings - Shows all domains' name, account number limit, and max account quota

zxsuite admin getDomainSettings

:: setDomainSettings - Sets domain max account quota and account limit

zxsuite admin setDomainSettings {domain} [attr1 value1 [attr2 value2…​

:: resetDomainSettings - Resets global account limit, account limit per cos, and domain account quota for the selected domain

zxsuite admin resetDomainSettings {domain}

:: doShowAdminActivity - Shows all recorded admin activity

zxsuite admin doShowAdminActivity [attr1 value1 [attr2 value2…​

:: doEnableDisableAdminLogging - Enables or disables the logging of admin activities

zxsuite admin doEnableDisableAdminLogging {enable|disable}

:: setProperty - Set configuration property

zxsuite admin setProperty {property_name} {property_value}

:: getProperty - Get configuration properties

zxsuite admin getProperty [attr1 value1 [attr2 value2…​

:: doMonthlyReport - Generate a report of admin activity in the specified month

zxsuite admin doMonthlyReport [attr1 value1 [attr2 value2…​

:: getMonthlyReport - Shows a report of admin activity in the specified *month

zxsuite admin getMonthlyReport [attr1 value1 [attr2 value2…​

:: doSetZimletRights - Fixes the Administration Zimlet rights for all delegated admins.

zxsuite admin doSetZimletRights

:: getAllOperations - Displays all running and queued operations

zxsuite admin getAllOperations

:: doStopAllOperations - Stops all running operations and empties the operations queue

zxsuite admin doStopAllOperations

:: doStopOperation - Stop a single running operation

zxsuite admin doStopOperation {operation_uuid}

:: monitor - Monitor a running operation

zxsuite admin monitor {operation_uuid} [attr1 value1 [attr2 value2…​

Incremental Migration to Zimbra 8.8.0 with Backup NG

Description

  • This guide describes how to perform an Incremental Migration using Backup NG.

  • It’s specifically designed for the migration of a production environment, minimizing the downtime and aiming to be transparent for the users.

    • If correctly planned and executed, your mail system won’t suffer any downtime, and the impact on the users will be close to zero.

  • The source server of the migration requires either the Zextras Suite or Zimbra Suite Plus.

    • This guide applies for migrations from any Zimbra version supported by either of those to Zimbra 8.8.

  • All the CLI commands in this Guide must be executed as the Zimbra user unless otherwise specified.

What Will be Migrated?

  • Email and email folders

  • Contacts and address books

  • Appointments and calendars

  • Tasks and task lists

  • Files and briefcases

  • Share informations

  • User preferences

  • User settings

  • Class of Service settings

  • Domain settings

What Will NOT be Migrated?

  • Server settings (migrated for reference but not restored)

  • Global settings (migrated for reference but not restored)

  • Customizations (Postfix, Jetty, etc…​).

  • Items moved or deleted during the process will not be moved or deleted on the destination server.

  • Preferences (e.g. passwords) changed during the process will be reset upon each import.

The incremental migration is not designed to set up a server-to-server mirroring. Using multiple imports to create a mirrored copy of the source server won’t create a mirrored copy at all, since no deletions are performed by the import process.

Source Data

Data from the source server is obtained through either Zextras Suite or Zimbra Suite Plus.

Software Installation

Once you obtain either Zextras Suite or Zimbra Suite Plus, follow this installation process:

  • Copy the package to your server, in a directory owned by the root user.

  • Unpack the package using tar zxf.

  • Enter the newly created directory called either zextras_suite-[version] or zimbra_suite_plus-[version].

  • As root, run the installation script ./install.sh all.

  • Follow the installation wizard, accepting the software EULA and installing both the Core and the Zimlet component.

  • Once the installation is complete, proceed with the Guide.

Installing Zimbra Suite Plus or Zextras Suite requires a mailboxd service restart, which will be performed during the installation.

Pre-migration Checks

Servers

  • Source server: Any Zimbra server can be the source of your migration, provided that it’s running Backup NG or Zimbra Suite Plus.

  • Destination server: Any Zimbra server can be the destination of your migration, provided that it’s running Backup NG.

Storage

  • Source server: If Backup NG is not currently enabled on the source server, make sure you have an amount of free disk space comparable to the size of the /opt/zimbra/store/ folder (the exported data is compressed through the gzip algorithm, and all zimbra items are deduplicated, usually reducing the size of exported to the 70% of the original size).

  • Destination server: Make sure you have an amount of free space greater than the size of the /opt/zimbra/store/ and of the export folders on the source server combined.

Data Transfer

While you can choose to transfer the data in any way, rsync is our method of choice as it’s a good compromise between speed and convenience.

The main data transfer is executed while the source server is still active and functional. However, since the transfer is performed via the network, carefully plan your transfer in advance so that you’ll have transferred all of your data before migrating.

Alternative Ways to Transfer Your Data

Anything spanning from remote mount to physical move of the drive is ok, as long as it suits your needs.

Never underestimate the bandwidth of a station wagon full of tapes hurtling 
down the highway.
--Tanenbaum, Andrew S. (1996). Computer Networks. New Jersey: Prentice-Hall. 
p. 83. ISBN 0-13-349945-6.

DNS

Set the TTL value of your MX record to 300 on your real DNS. This will allow a fast switch between source and destination servers.

Setting up the Migration

Step 1: Coherency Checks

To avoid any possible data-related issues, run the following checks on the source server:

  • zmblobchk: Checks the consistency between Zimbra’s metadata and BLOBs.

  • zmdbintegrityreport: Checks the integrity of the Zimbra’s database.

Repair any error found as described in Zimbra’s official documentation.

Running a reindex of all mailboxes is also suggested.

Step 2: Network NG Setup

Disable the Real Time Scanner on both servers:

zxsuite backup setProperty ZxBackup_RealTimeScanner false
A dedicated device for the data export is strongly recommended to improve the export performance and to lower the impact on the performance of the running system.

Any device must be mounted on the /opt/zimbra/backup/ path, and the Zimbra user must have r/w permissions on it.

Step 3: Data Export (SmartScan)

Run a SmartScan on the source server:

zxsuite backup doSmartScan

All of your data will be exported to the default backup path (/opt/zimbra/backup/ng/).

Pro-Tip: Single Domains Export

You can also choose to only migrate one or more domains instead of all of them. To do so, run the following command instead of the SmartScan:

zxsuite backup doExport /path/to/export/folder/ domains yourdomain.com,yourdomain2.com[..]

Mind that if you start with the SmartScan method, you’ll have to carry on the migration with such method. If you start with the Single Domains method ,you’ll have to carry on the migration with this one. The two methods cannot be mixed.

Data Export (SmartScan) via the Administration Zimlet

You can also choose to export your data using the Administration Zimlet as follows:

Step 4: Data Synchronization

When you move the exported data to the destination server, make sure that the destination folder is not Backup NG’s backup path on the destination server, to avoid any issues if you already use Backup NG or plan to do so on the destination server.

(You can skip this step if you choose to transfer your data by other means than rsync.)

Using rsync, copy the data contained in /opt/zimbra/backup/ng/ to a directory in the destination server (make sure the Zimbra user has r/w permissions on the folder). Use a terminal multiplexer like screen or tmux. This process command might need A LOT of time depending on network speed and amount of data involved.

[run this command as Root]
rsync -avH /opt/zimbra/backup/ng/ root@desinationserver:/path/for/the/data/
Alternate Synchronization Method

While the suggested method is great for high-bandwidth situations, the first synchronization can involve a lot of data. If you feel that the rsync method is too slow, you might consider a physical move of the device (or the proper disk file if running on a virtual environment).

After moving the disk, you can remotely mount it back to the source server (e.g. via SSHFS), as the additional synchronizations needed for the migration will involve much less data. In this case, be sure to remount the device on the source server as /opt/zimbra/backup/ng/ with all due permissions.

Step 5: First Import

Import all exported data to the destination server:

zxsuite backup doExternalRestore /path/for/the/data/

Now sit back and relax while Network NG imports your data on the destination server.

''Warning: Do not edit or delete the backup path after this step.''

First Import via the Administration Zimlet

You can also choose to import your data using the Administration Zimlet. While importing via the Administration Zimlet, be sure to remove all system accounts (like GalSync, Ham, Spam, Quarantine etc.) from the imported account list.

Step 5 (alternate): First Import for Large Migrations

If you are to migrate a very large infrastructure where an export/import lasts for hours or even days, there is an alternative way to handle the migration from this point forward.

Instead of importing all of your data to the destination server, you can run a Provisioning Only import that will only create domains, Classes of Service and accounts on the destination server, skipping all mailbox contents.

zxsuite backup doExternalRestore /path/for/the/data/ provisioning_only TRUE

After doing this, switch the mailflow to the new server and, when the switch is completed, start the real import.

zxsuite backup doExternalRestore /path/for/the/data/

This way, your users will now connect to the new server where new emails will be delivered while old emails are being restored.

This approach has it’s pros and cons, namely:

Pros

  • Since items are only imported once and never modified or deleted afterwards, using this method will result in less discrepancies than the standard incremental migration.

  • This is the option that has less impact on the source server (e.g. good if you are in a hurry to decommission it).

Cons

  • Depending on the timing of the operation, this method has a higher impact on your users due to the fact that items are restored WHILE they work on their mailbox.

  • Since the import is done on a running system, you might notice some slowdowns.

The Situation so Far

Right now, the vast majority of the data has already been imported to the destination server. The source server is still active and functional, and you are ready to perform the actual migration.

The Migration

Step 6: Pre-migration Checks

Before switching the mail flow, ALWAYS make sure that the new server is ready to become active (check your firewall, your DNS settings, your security systems etc.).

Step 7: The Switch

This is it, the migration moment has come! At the end of this step the destination server will be active and functional.

  • Repeat step 3, step 4 and step 5 (only new data will be exported and synchronized).

  • Switch the mail flow to the new server.

  • Once NO MORE EMAILS arrive to the source server, repeat step 3, step 4 and step 5.

The Destination server is now active and functional.

Step 8: Post-migration Checks

Run the following command to check for shares inconsistencies:

zxsuite backup doCheckShares

Should this command report any inconsistency, use the following command to parse the import mapfile used as the first argument and fix any broken shares.

zxsuite backup doFixShares

Mapfiles can be found in the backup path of the destination server as map_[source_serverID].

Step 9: Galsync

Delete any imported GalSync accounts from the Zimbra Administration Console, then if needed, create new GalSync accounts on all the imported domains and re-sync all the GalSync accounts with the following command:

zmgsautil forceSync -a galsync.randomstring@domain.com -n [resourcename]

Step 10: Message Deduplication

Running a Volume Deduplication using HSM NG is highly suggested after a migration.

What Now?

  • Initialize Backup NG on the new server to make sure all of your data is safe.

Incremental Migration FAQ

Q: Do I need a valid license to perform an incremental migration?

Yes. It can be either a trial License or a purchased one.

Q: What will be migrated?

Everything except for the server configuration. This includes:

  • User data

  • User preferences

  • Classes of Service configuration

  • Domain configurations

Q: Will I lose my shares? Will I need to re-configure all my shares?

Absolutely not!

Q: How should I transfer the exported data between my servers?

Again, anything that suits your needs is ok. You just need to be very sure about what your needs are.

Do you need to move the data very fast? Physically moving an USB disk between your servers might not be a good idea.

Do you need to move the data in a very reliable way? Mounting the export folder via SSHFS to the destination server might not be a good idea if your internet connection is sloppy.

Tools

Google Chrome Developer Tools

If the user is experiencing unexpected Zimlet behavior in the Zimbra Classic Web App, use Google Chrome Developer Tools to figure out the source of the issue.

To open the Google Chrome Developer Tools: * Open the main menu. * Find the Other tools menu option. * Select Developer Tools.

A new panel with many tabs should appear. These tabs are:

  • Console:: Like the server console, this tab will display some log information and allow you to interact with the JS Runtime.

  • Network:: This tab will show any network activity, and it can be used to identify the requests to the mailbox and the responses from it.

Firefox Developer Tools

To open the Firefox Developer Tools, open the main menu and click the Developer Tools button.

A new panel with many tabs should appear. These tabs are:

  • Console:: Like the server console, this tab will display some log information and you allow to interact with the JS Runtime.

  • Network:: This tab will show any network activity, and it can be used to identify the requests to the mailbox and the responses from it.

Gathering System Information

Gathering System information is a vital part of the troubleshooting process. This section helps the administrator collect useful system information required to correctly report an issue (as described in the "How to escalate and issue" section).

Zimbra Version

To see the version of Zimbra, type this command:

# As zimbra
zmcontrol -v

Extension and Zimlet Version

To see the version of the Extension and the Zimlet, type this command:

# As zimbra
java -cp /opt/zimbra/lib/ext/openchat/openchat.jar com.zextras.lib.OpenChat

List of the Deployed Zimlets

To see the list of deployed Zimlets, type this command:

# As zimbra
zmzimletctl listZimlets

List of the Zimlets Enabled for the User

To see the list of Zimlets enabled for a user, type this command:

# As zimbra
zmprov getAccount user@domain.tld zimbraZimletAvailableZimlets

List of Zimlet User Preferences

To see the list of the preferences for the Zimlets enabled for a user, type this command:

# As zimbra
zmprov getAccount user@domain.tld zimbraZimletUserProperties

Zimbra Connect

What is Zimbra Connect

zimbra-connect replaces zimbra-talk in Zimbra.

Zimbra Connect integrates a fully fledged corporate instant messaging platform inside the Zimbra WebClient, including Group and Corporate Messaging, File Sharing, Screen Sharing and informal Video Chat capabilities.

Differences with Zimbra Talk V2

The main differences between Zimbra Connect and Zimbra Talk V2 implementation are the following:

Table 61. Back-end
Zimbra Talk V2 Zimbra Connect

Supports XMPP

No XMPP Support

No dedicated API Set

Features a dedicated API set and client protocol

Client/Server communication is SOAP-based

Client/Server communication is based on WebSockets

Table 62. Front-end
Zimbra Talk V2 Zimbra Connect

User interaction is based on a buddy list

User interaction is based on the GAL

Buddy-list-based minimal UI

History-based minimal UI

Bulkier, more crowded UI

Lighter, less cluttered UI

Space settings are defined in the Space itself

Space settings are defined by the Space’s "General" channel

User-based video and audio feed control - users can autonomously mute/stop other user’s audio and video feed only affecting themselves.

Host-based video and audio feed control - host can mute a participant or stop a video feed affecting all participants. Users can still mute/stop their feeds.

Table 63. Features
Zimbra Talk V2 Zimbra Connect

File exchange is available in Chats, Groups, and Channels

File exchange is available in Chats and Groups starting with Zimbra 8.8.15p3

Instant Meeting is available

Instant Meeting is available starting with Zimbra 8.8.15p1

Frontend Features

Zimbra Connect includes the following front-end features:

  • Message delivery and read awareness

  • 1-to-1 Instant Messaging

  • Group Messaging

  • Corporate Messaging (Spaces and Channels)

  • Group Video Calls

  • Channel Video calls

  • File Sharing

  • Screen Sharing

  • Emojis

Backend Features

Zimbra Connect includes the following backend features:

  • COS and User availability

  • Built-in TURN server compatibility

  • No core installation needed. Zimlet installation through a package manager.

  • No configuration required

  • Peer-to-Peer WebRTC protocol to avoid server load

  • Dedicated audit log

Licensing

Zimbra Connect is licensed on a per-user basis. License information is included in the Zimbra Collaboration 9.0.0 license file just as for any other feature. Global Admins can enable its Advanced features for any number of users up to the limit allowed by the license, and only "advanced" users count towards any licensing limit.

The total number of users who have the Advanced features active can be seen in the output of the zxsuite core getLicenseInfo command under teamChatActiveCount:

zimbra@129efa51bd95:~$ zxsuite core getLicenseInfo

        dateStart                                           2021-06-11 00:00:00 UTC
        dateEnd                                             2021-12-31 17:00:00 UTC
        expired                                             false
        type                                                regular - Network Edition
        [...]
        teamchatActiveCount                                 999
        [...]

This count is updated every 15 minutes.

Zimbra Connect

Zimbra Connect includes all basic IM features, which automatically gets enabled for all users who don’t have access to the advanced Zimbra Connect features. Advanced users can use all of the product’s features with other advanced users and can use 1-to-1 Instant Messaging with basic users. Basic users can use 1-to-1 features with all other users.

All users start as Basic users. Global and Delegated admins can enable Advanced features.

Zimbra Connect Zimlet installation

The Zimbra Connect Zimlet is available in the Zimbra repository and can be easily installed and upgraded through the operating system’s package manager.

Zimbra Connect Zimlet installation on Red Hat and CentOS

To install the Zimlet on Red Hat and CentOS, run:

yum install zimbra-connect

Zimbra Connect Zimlet installation on Ubuntu

To install the Zimlet on Ubuntu, run:

apt-get install zimbra-connect

URLs and Ports

To build URLs and links (e.g., for External Shares) Zimbra Connect uses the default Zimbra settings for the domain of the account in use - the zimbraPublicServiceHostname property is used for the URL itself while the zimbraPublicServicePort property is used for the port.

Should either of the two not be set up, the system falls back to the zimbraServiceHostname and zimbraMailPort or zimbraMailSSLPort server-level properties.

For Video Chats and Instant Meetings, the following rules apply:

  • Zimbra Connect will work through firewalls and NATs as long as the peers can communicate each with the other - either directly or through a TURN server (which together with proper network rules is usually the solution to any WebRTC connection problem).

  • When no TURN server is set up is not being used, a default STUN server is used so clients should be able to send outbound traffic to ports 19305/19307. The actual P2P connection is established between the clients on a random port between 0 and 65535 based on the client configuration and network.

  • The default handshake/negotiation port used by most TURN servers is 3478 (incoming, UDP), but a different port can be used as long as it is properly set up - on the Zimbra Connect side the port is specified when adding the TURN server and the clients clients will be instructed to connect through it. The default P2P connection range when using a TURN server is 49152-65535 (usually configurable on the TURN side) so clients should be able to send data to that port range to the TURN server.

    • Most TURN servers can also be configured to use TCP insted of UDP.

Zimbra Connect administration

Zimbra Connect features can be enabled and disabled via the zxsuite config command line utility:

  • Enable Zimbra Connect «Advanced» features

    • Property: teamChatEnabled

    • Available in: COS, account

  • Enable or disable the chat history

    • Property: historyEnabled

    • Available in: global, server, COS, account

  • Enable or disable Video Chat

    • Property: videoChatEnabled

    • Available in: global, server, COS, account

Browser compatibility

Zimbra Connect features are available on all browsers officially supported by the Zimbra Classic Web App, with some client-side limitations:

Browser Version OS Supported

Microsoft Edge (Chromium)

Latest

Windows

Yes

Microsoft Edge (Chromium)

Others

Windows

Limited

Microsoft Edge (EdgeHTML)

Any

Windows

No

Internet Explorer

Any

Windows

No

Mozilla Firefox

Latest

Windows/Linux/OSX

Yes

Mozilla Firefox

ESR

Windows/Linux/OSX

Yes

Mozilla Firefox

Others

Windows/Linux/OSX

Limited

Google Chrome

Latest

Windows/Linux/OSX

Yes

Google Chrome

Others

Windows/Linux/OSX

Limited

Safari

Latest

OSX

Yes

Safari

Others

OSX

Limited

While likely to work, items marked as " Limited" are only supported on the browser’s two previous stable releases to the current one.

Google Chrome users must install the "Zextras Companion" extension to use the Screen Sharing feature, publicly available in the Chrome Web Store.

Firefox users must be sure to be running at least version 66 of the browser to be able to use the Screen Sharing feature.

UI

The Zimbra Connect UI is developed in PREACT and seamlessly integrated with the Zimbra Classic Web App. It is composed of two client-side components: the Quick Access Sidebar and the fully-featured Connect Tab.

The Quick Access Sidebar allows for quick Instant Messaging, both for 1-to-1 and group conversations. Advanced Zimbra Connect features such as File Sharing and Video Chat are available in the IM Pane only for users who have the Zimbra Connect feature set enabled either at an account or COS level.

The Connect Tab is the full-sized Zimbra Connect UI, which contains all corporate instant messaging features such as Spaces and Channels. The tab itself is available for both Basic and Advanced users, but corporate features are only available to Advanced users.

Quick Access Sidebar

The Quick Access Sidebar displays the last people, groups, and channels the user has interacted with and allows to open a quick chat window with all of those.

It is available for both "Basic" users and "Advanced" users and provides additional features for the latter.

connect_quick_chat_1.png connect_quickaccess_sidebar_1.png

Connect Tab

The Connect Tab is a fully-fledged Zimbra feature tab that behaves similarly to all other feature tabs (e.g., Mail or Calendar).

connect_home_1.jpg

Instant Messaging and Corporate Communication

1-to-1 chat

One-to-one Chats can start from either the Quick Access Sidebar or the Connect Tab:

  • on the former, select one of the available entries (based on your chat history) and start chatting with that person right away

connect_new_chat_2.png

  • on the latter click on "New," then "New Chat" and select the person you want to chat with from the GAL

connect_new_chat_1.png

Recent 1-to-1 chats appear in the "Conversations" section of the Connect Tab and the Quick Access Sidebar (round icon).

Groups

Groups are how users communicate with multiple people at the same time (by default up to 5 total). Those are non-persistent entities not tied to any specific space. Any user can create a group inviting people, and any group member can invite more people in the same way. When all users leave a group, the group itself ceases to exist.

Groups Features
  • A user in a Group can add more users to the Group itself up to the allowed limit.

  • A user in a Group can chat with all of the others. All members of that Group can view all messages sent to the Group.

  • A user in a Group can send files to all of the others. Files sent in a Group are available to all members of that Group.

  • An user in a Group can start a video chat with all of the others. Group video chats can be joined at any time by all members of the Group.

Global Administrators can change the allowed maximum number of group members in the Zimbra Connect section of the Global Settings in the Admin Console.

Groups UI

Recent Group chats appear in the "Conversations" section of the Connect Tab and the Quick Access Sidebar (rounded square icon).

  • Creating a Group

    To create a new Group, click on the "New" button in the Connect Tab, and select "New Group."

    connect_create_new_group_1.jpg

    then, add the Group’s title, select the buddies you wish to invite and click on "Create."

    connect_create_new_group_2.jpg

  • Inviting a participant to a Group

    To invite one or more buddies to a Group expand the Group’s Info, select the users to be added and click on "Save."

    connect_add_user_to_group_1.jpg

  • Starting a Group Video Chat

    To start a Group video chat, click on the "Camera" icon on the top of the Group’s chat window.

    connect_group_start_videochat_1.jpg

    Any member of the Group can join the call at any time by clicking on the same button.

  • Leaving a Group

    To leave a Group, first, click on "Leave Group" in the Group’s Info

    connect_leave_group_1.png

    then, click on "Yes" under the warning message.

    connect_leave_group_2.png

Spaces

Spaces are a themed container that can hold any number of Channels. Think of a Space as a community center where people gather to discuss different topics in dedicated areas (named Channels).

Spaces Features
  • Each space has a unique name and topic. You may change both the name and the Topic by clicking on the relevant field in the Space’s settings.

  • Members can leave a space at any time.

  • Space Administrators can create new channels and invite new people to the space using the appropriate buttons.

Spaces UI

Spaces appear in a dedicated section of the Connect Tab, which gives access to all Space-related features:

  • Creating a Space

    To create a new Space, click on the "New" button in the Connect Tab, and select "New Space."

    connect_new_space_1.jpg

    then, enter the Space’s name and topic, select any users to invite and finally, click on "Save."

    connect_new_space_2.jpg

  • Leaving a Space

    To leave a Space, click on the "Leave Space" in the Space’s General Channel Info.

Participants can leave a space at any time, while a Space Administrator can only leave a space if there is at least one other Space Administrator.

Both need to be invited to join the space again, and former Space Administrators get invited as regular participants but can be granted Administrator rights again.

Space Settings

The General Channel Info in each Space defines its settings (see below).

The Space’s creator is also the first Space Administrator and can grant the same rights to any other user by clicking on the crown icon in the appropriate entry of the participant list.

connect_space_acls_1.png

Only Space Administrators can invite new participants, create new channels, kick people, and delete channels within the space.

Channels

Channels are topic-defined areas inside of the same space. Those can contain any number of users, and unlike Groups, users can autonomously join any Channel in a Space they are in instead of being invited to it by a member.

Each new Space has a "General" channel automatically created within it, which defines the space’s properties (e.g., Title and Topic) and which all users automatically join when they join the Space.

Channels Features
  • A user in a Channel can chat with all of the others. All members of that channel can view all messages sent on the Channel.

  • A user in a Channel can start a video chat with all of the others. Channel video chats can be joined at any time by all members of the Channel.

Channnels UI

Channels appear in Spaces within the Connect Tab, and all of the Channel-related features are managed there, by:

  • Creating a Channel

    To create a new Channel, click on the "New" button, and select "New Channel."

    connect_new_channel_1.png

    then select:

    1. the Space that should contain the Channel (mandatory)

    2. the Channel’s name (mandatory)

    3. the Channel’s topic (optional)

      finally, click on "Save."

  • Joining a Channel

    To join a Channel, click on the Channel label and then on "Join Channel."

  • Starting a Channel video chat

    To start a Channel video chat, click on the "Camera" icon on the Channel’s chat window.

    connect_group_start_videochat_1.jpg

    Any member of the Channel can join the call at any time by clicking on the same button.

  • Leaving a Channel

    To leave a Channel, first, click on the red "Leave Channel" entry in the Channel’s Info

    connect_leave_channel_1.png

Both normal users and Space Admins can leave a channel at any time and join it afterward.

File sharing

Users can easily share files via Connect to Chats and Groups by dragging and dropping the files directly into the chat interface (both in the minichat and in the Connect tab) or by clicking the "paperclip" icon on the right of the message input field. Multiple files can be uploaded at once, and image files will show a preview of the file while other common filetypes will display a custom icon.

Clicking on a file within a chat window will download it to the local client using the browser’s own download interface.

Files shared via Connect will be stored inside a protected root folder on the sender’s Drive called Connect sent files, thus counting towards the sender’s mailbox quota, and will remain available for download in the chat window for all participants until deleted from Drive by the sender.

Video Chat

Video Chat features are available in 1-to-1 chats, Groups, and Channels, allowing multiple people to communicate in real-time using a webcam and a headset, as well as allowing them to share their screen with all other attendees.

The WebRTC protocol is the foundation for this feature. WebRTC is a peer-to-peer auto-adaptive technology that allows clients to communicate directly without overloading the server. Call quality is automatically tweaked based on the available bandwidth, with the maximum quality being Full HD for both video and audio. When starting their first video chat, users need to grant their browser access permissions to their camera and microphone.

Video Chat UI

connect_group_videochat.png

The video chat UI has three main areas:

  • The center displays video streams with a single (main) stream on the top and multiple secondary streams on the bottom. The total number depends on the screen’s resolution and window size.

  • On the left is the Group’s or Channel’s instant messaging chat. This chat is visible and entirely usable, and its history gets retained in the group’s or channel’s chat history.

  • On the bottom left appear the user’s video feed and controls (disable video, mute microphone, and share screen).

Users can disconnect from an ongoing video chat by pressing the "Hang up" button in their video stream’s frame on the bottom left of the screen. Whenever a video chat is on, users belonging to the Group or Channel of the video chat see a "Call in progress" message below the name of the Group or Channel and may join by clicking on the "Camera" icon in the chat.

Video Stream Control

Video streams are displayed in a "first come, first served" basis according to the connection order between the peers.

Every participant can mute their audio stream or stop their video stream.

Screen Sharing

connect_videochat_screensharing_1.png

When clicking on the Screen Share button, a pop-up window appears asking the user whether to share their entire screen or just a specific window. After choosing, the screen sharing feed replaces the user’s webcam feed for all participants.

Instant Meetings

Instant Meetings are one-shot Video Chats that can be attended by external users as well as internal users. Only users with the Advanced Connect features enabled can start Instant Meetings, but any internal or external user can attend.

To create an Instant Meeting, click on the "New" button in the Connect Tab, and select Instant Meeting.

Then, fill in the attendee list by entering any internal or external email address in the text box and pressing enter to add it to the list. Once all attendees are added, press "Save" to send an email notification to all participants and start the Instant Meeting.

Instant Meeting URLs

Both external and internal users can join an Instant Meetings through a dedicated URL that can be found both in the invitation email and in the information section of the Instant Meeting itself.

Such URLs are uniquely generated for each Instant Meeting and expire 10 minutes after the host leaves the meeting.

Instant Meeting UI

The Instant Meeting feature uses the very same UI as any internal Video Chat session.

Autocomplete

Autocomplete in Zimbra Connect is split in two different categories: Internal Autocomplete and External autocomplete.

Internal autocomplete kicks in when selecting a target for 1-1 Chats, Group Chats, Spaces and Channels, while External autocomplete is only used for Instant Meeting attendees.

This can be changed by setting the teamCrossDomainSearchMode COS property to either local, extended or global using the zxsuite config [get/set/empty] CLI toolset.

  • local mode, in which Internal Autocomplete will draw its information from the GAL, while External autocomplete will draw its information from the user’s Contacts and GAL.

  • extended mode is a superset of local that also matches full email addresses of any user in the same infrastructure as internal users.

    • This allows to initiate a 1-1 Chat with or to add to a Group/Space/Channel any user that is on the same infrastructure but out of the GAL as long as the exact email address is entered.

  • global mode is a superset of extended that does not require an exact match on the email address to autocomplete users in the same infrastructure.

    • This allows to autocomplete any user in the infrastructure as opposed to the strict email addres match required in extended mode.

connect_autocomplete_management.jpeg

The default setting inherited by all COS is local.

Presence

Presence is managed automatically in Zimbra Connect: whenever a user logs in, regardless of whether the Connect Tab has the focus, they appear as online.

As part of the user presence system, all messages get displayed with a variable number of check symbols: connect_message_delivered_1.png

  • 0 checks, message not delivered to the server

  • 1 check, message delivered to the server

  • 2 checks, message viewed by all users

Unread Messages

The number of unread messages in any conversation, Group or Channel appears on the right side of the conversation, Group, or Channel.

connect_unread_messages_1.png

Chat History

Chat History for each 1-to-1 Chat, Group, and Channel is available in the very same window (e.g., enter a Channel to see all of that channel’s history) and messages delivered to offline users appear in the appropriate IM conversation, Group or Channel.

STUN/TURN Server

Since WebRTC is a peer-to-peer protocol, all users in a video chat must be able to reach each other’s client for the connections to get established.

Should this not be possible, because of NAT rules on the network or because of a Service Provider’s policy, using a TURN server ensures proper communication between all peers. Zimbra Connect is designed to allow using a STUN/TURN server out of the box by simply adding the TURN server’s URL and login information in the zimlet configuration.

Setting up Zimbra Connect to use a TURN server

A dedicated set of TURN configuration tools is available via CLI through the zxsuite connect iceServer command:

zimbra@mailserver:~$ zxsuite connect iceServer

Edit the list of ICE servers used to establish connections for video calls.
Configuration scope can be global(default), cos, or account.

  add                      - add ice server candidates using global (default), cos or account
                             zxsuite connect iceServer add {turn:turn.example.com:3478?transport=udp} [attr1 value1 [attr2 value2...]]

  remove                   - remove ice server candidates using global (default), cos or account
                             zxsuite connect iceServer remove {turn:turn.example.com:3478?transport=udp} [attr1 value1 [attr2 value2...]]

  get                      - get ice server candidates using global (default), cos or account
                             zxsuite connect iceServer get [attr1 value1 [attr2 value2...]]

The "add" subcommand is used to add a new TURN server:

Syntax:
   zxsuite connect iceServer add {turn:turn.example.com:3478?transport=udp} [attr1 value1 [attr2 value2...]]

PARAMETER LIST

NAME             TYPE      EXPECTED VALUES
url(M)           String    turn:turn.example.com:3478?transport=udp
username(O)      String    myuser
credential(O)    String    mysecretkey
account(O)       String    user@example.com
cos(O)           String    default

(M) == mandatory parameter, (O) == optional parameter

Usage example:

zxsuite connect iceServer add turn:turn.example.com credential mysecret username myuser
zxsuite connect iceServer add turn:turn.example.com credential mysecret username myuser account testaccount@example.com

Multiple TURN servers can be added to handle different users or Classes of Service (defined through the user and cos optional parameters of the command above).

On the TURN-server side, it is strongly recommended to have a single user, authenticated with a username and secret key, for ease-of-use reasons as a 1:1 correspondence between Zimbra users and TURN users is not necessary.

Zimbra Connect Video Server

The Zimbra Connect Video Server is a WebRTC stream aggregator that improves Connect’s performance by merging and decoding/re-encoding all streams in a Meeting.

While the default WebRTC creates one incoming and one outgoing stream per meeting participant, with the Zimbra Connect Video Server, each client will only have one aggregated inbound stream and one aggregated outbound stream. This applies for both video and audio.

E.g. - 5 people meeting

  • Without Video Server: each client generates 4x outgoing video/audio streams and receives 4 incoming video/audio streams

  • With Video Server: each client generates 1 outgoing video/audio stream and receives 1 incoming video/audio stream

Video Server Incoming Connections Outgoing Connections

No

4 (1 from each other client)

4 (1 to each other client)

Yes

1

1

By default, the Video Server uses conservative Codecs (VP8 and Opus) to ensure the broadest compatibility, but more codecs can be enabled. It also splits the Webcam and Screen Sharing streams and reserves the same bandwidth for both.

A properly set up Video Server will supersede the need of a TURN server, provided that all clients can reach the Video Server’s public IP and that UDP traffic is not filtered.

Requirements

The Zimbra Connect Video Server must be installed on a dedicated server and has the following requirements:

System

  • Minimum 4 CPU cores, suggested at least 8 to handle more than 100 users at the same time

  • 1024mb of ram + 1mb of ram for each connected user

The Zimbra Connect Video Server mainly scales on the CPU, so more CPU cores and power means more connected users.

Network

  • A public IP

  • A publicly resolvable FQDN

  • With the default settings, 200kb/s (0.2 mb/s) bandwidth for each connected user

  • WebSockets

Ports

  • The mailbox server will establish a WebSocket on port 8188 to communicate with the Video Server

  • Clients will use a random UDP port between 20000 and 40000

Hostname configuration

In order for the installer to be fully functional, it’s advised to set up the Video Server’s hostname internally using hostnamectl before the installation in order to avoid a wrong or short-form hostname to be passed on from the OS to the Installer and to update the /etc/hosts and /etc/hostnames files accordingly to make the change permanent.

e.g.

sudo hostnamectl set-hostname hostname.domain.tld

sudo vi /etc/hostname
  video-hostname.domain.tld

sudo vi /etc/hosts
  127.0.0.1 localhost
  ...
  xxx.yyy.zzz.zzz video-hostname.domain.tld
  ...

Based on your system configuration, a system or service restart will be needed to apply the new configuration.

Adding the appropriate information to the /etc/hosts file the mailbox server will also ensure the correct resolution of the Video Server.

e.g.

/etc/hosts (mailbox)
...
xxx.yyy.zzz.zzz video-hostname.domain.tls
...

It’s not necessary to add the mailbox server to the /etc/hosts of the Video Server as the connection is one way only, mailbox to video.

Client Configuration

No client configuration is needed, as the Connect Zimlet will autonomously detect whether a video server is set up an use it if available.

Installation

  • Update your OS and packages through apt-update && apt-upgrade (Ubuntu) or yum update (CentOS)

  • Download the installer package

  • Copy the installer package to the server

  • Unpack the installer package with tar zxvf videoserver-[OS]-installer.tgz

  • Enter the unpacked direcotry: cd videoserver-installer

  • Run the installation script: ./install.sh

root@196252589efe:~/videoserver-installer# ./install.sh

This script will install VideoServer, and all its runtime
dependencies onto the running system.

To complete the process a working network connection is required.


System will be modified, would you like to proceed? [Y]
  • The installer will first check for the needed dependencies and install any missing ones:

software-properties-common not found. Would you like to install it? [Y]

[...]
The following additional packages will be installed:
  cron dirmngr distro-info-data gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm iso-codes libapt-inst2.0 libasn1-8-heimdal libassuan0 libgssapi3-heimdal
  libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal libksba8 libldap-2.4-2 libldap-common libnpth0 libroken18-heimdal libsasl2-2 libsasl2-modules
  libsasl2-modules-db libwind0-heimdal lsb-release pinentry-curses powermgmt-base python-apt-common python3-apt python3-software-properties unattended-upgrades
Suggested packages:
  anacron logrotate checksecurity exim4 | postfix | mail-transport-agent dbus-user-session pinentry-gnome3 tor parcimonie xloadimage scdaemon isoquery libsasl2-modules-gssapi-mit
  | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql lsb pinentry-doc python3-apt-dbg python-apt-doc bsd-mailx default-mta | mail-transport-agent needrestart
The following NEW packages will be installed:
  cron dirmngr distro-info-data gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm iso-codes libapt-inst2.0 libasn1-8-heimdal libassuan0 libgssapi3-heimdal
  libhcrypto4-heimdal libheimbase1-heimdal libheimntlm0-heimdal libhx509-5-heimdal libkrb5-26-heimdal libksba8 libldap-2.4-2 libldap-common libnpth0 libroken18-heimdal libsasl2-2 libsasl2-modules
  libsasl2-modules-db libwind0-heimdal lsb-release pinentry-curses powermgmt-base python-apt-common python3-apt python3-software-properties software-properties-common unattended-upgrades
0 upgraded, 39 newly installed, 0 to remove and 4 not upgraded.
[...]
  • You will be then prompted to install the actual Video Server packages:

Would you like to install VideoServer? [Y]
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'zimbra-ffmpeg' instead of '/root/videoserver-installer/packages/zimbra-ffmpeg_4.3.1-1_amd64.deb'
Note, selecting 'zimbra-libfdk-aac' instead of '/root/videoserver-installer/packages/zimbra-libfdk-aac_2.0.1-1_amd64.deb'
Note, selecting 'zimbra-libnice' instead of '/root/videoserver-installer/packages/zimbra-libnice_0.1.18-1_amd64.deb'
Note, selecting 'zimbra-libopus' instead of '/root/videoserver-installer/packages/zimbra-libopus_1.3.1-1_amd64.deb'
Note, selecting 'zimbra-libsrtp' instead of '/root/videoserver-installer/packages/zimbra-libsrtp_2.3.0-1_amd64.deb'
Note, selecting 'zimbra-libusrsctp' instead of '/root/videoserver-installer/packages/zimbra-libusrsctp_0.9.3.0-1_amd64.deb'
Note, selecting 'zimbra-libvpx' instead of '/root/videoserver-installer/packages/zimbra-libvpx_1.9.0-1_amd64.deb'
Note, selecting 'zimbra-libwebsockets' instead of '/root/videoserver-installer/packages/zimbra-libwebsockets_4.1.4-1_amd64.deb'
Note, selecting 'zimbra-videoserver-confs' instead of '/root/videoserver-installer/packages/zimbra-videoserver-confs_0.10.5-1_amd64.deb'
Note, selecting 'zimbra-videoserver' instead of '/root/videoserver-installer/packages/zimbra-videoserver_0.10.5-1_amd64.deb'
[...]
  • Once all packages are installed, you will be asked the Public IP Address of the video server itself:

Configuring zimbra-videoserver
------------------------------



Please insert the Public IP server to bind with.

.: Public IP server :.
  • This is the only bit of configuration required. The installer will set up the Video Server and then return two commands that must be executed on any Mailbox Server of the infrastructure to set up the connection with the Video Server and enable it for all servers:

Please execute these commands in a mailbox node as zimbra user to complete the setup of the video server:

zxsuite config global set attribute teamVideoServerSharedSecret value [SERVER HASH]
zxsuite config global set attribute teamVideoServerHostname value [HOSTNAME]:8188

Service Control

The Video Server service can be controlled through the zxsuite connect CLI from any mailbox server.

To stop the service run zxsuite connect doStopService team-videoserver-pool, to start it run zxsuite connect doStartService team-videoserver-pool.

To check the Video Server’s status, run zxsuite connect clusterstatus:

[zimbra@mail ~]$ zxsuite connect clusterstatus

        isFullySynced                                       true
        servers
        meeting_servers
            <ip_videoserver>:8188
                id                                                          123
                hostname                                                    <ip_videoserver>:8188
                status                                                      online
                last_failure
                num_meetings                                                -1

Should the remote Video Server be offline or unreachable, an output similar to the following will be displayed:

[zimbra@mail ~]$ zxsuite connect clusterstatus

[...]
                status                                                      offline
                last_failure
                num_meetings                                                -1

Bandwidth and Codecs

Video Bandwidth

The administrator can set the webcam stream quality and the screenshare stream quality specifing the relative bitrate in Kbps. The values must be at least 100 Kbps and can be increased as desired.

Higher values mean more quality but more used bandwidth.

  • zxsuite config global set attribute teamChatWebcamBitrateCap value 200: is the command for the webcam stream quality/bandwidth

  • zxsuite config global set attribute teamChatScreenBitrateCap value 200: is the command for the screenshare stream qualitybandwidth

By default both the webcam bandwidth and the screen sharing bandwidth are set to 200 Kbps.

Video Codecs

By default, the VP8 video codec is used. This is to ensure the best compatibility, as this codec is available in all supported browsers, but other codecs can be enabled:

  • AV1: zxsuite config global set attribute teamChatVideoCodecAV1 value true

  • H264: zxsuite config global set attribute teamChatVideoCodecH264 value true

  • H265: zxsuite config global set attribute teamChatVideoCodecH265 value true

  • VP8: zxsuite config global set attribute teamChatVideoCodecVP8 value true

  • VP9: zxsuite config global set attribute teamChatVideoCodecVP9 value true

Only one codec can be enabled at the time, so before enabling a new codec remember to disable the previous one using the same command as the one in the list above but substituting value true with value false.

E.g. to enable the H264 codec run:

zxsuite config global set attribute teamChatVideoCodecVP8 value false

zxsuite config global set attribute teamChatVideoCodecH264 value true

Audio Codec

The audio codec used by the Zimbra Connect Video Server is Opus. No other codecs are supported, as Opus is currently the only reliable one available across all supported browsers.

Advanced settings

The following settings influence the audio experience,

Audio Quality

The administrator can set the Opus audio quality by setting the sampling rate (in Hz) in the teamChatAudioSamplingRate global attribute.

The available values are:

  • 8000 → represents the narrowband bandwidth

  • 12000 → represents the mediumband bandwidth

  • 16000 → represents the wideband bandwidth

  • 24000 → represents the superwideband bandwidth

  • 48000 → represents the fullband bandwidth

The 16000 Hz is the default value.

Audio Sensitivity

The administrator can optimize the audio sensitivity with these two commands:

zxsuite config global set attribute teamChatAudioLevelSensitivity value 25

zxsuite config global set attribute teamChatAudioSamplingSensitivityInterval value 2

The audio level sensitivity defines how much the audio should be normalized between all the audio sources. The value has a range between 0 and 100 where 0 represents the audio muted and 100 the maximum audio level (too loud).

By default the value is set to 25.

The audio sampling sensitivity interval defines the interval in seconds used to compute the audio sensitivity level. By default the value is set to 2 seconds, this means that the video server normalizes the audio level considering the audio sources of the last 2 seconds.

The value should be at least 0.

Uninstallation

In order to uninstall the Video Server, use the system’s package manager to remove the following packages:

zimbra-libvpx, zimbra-libopus, zimbra-libfdk-aac, zimbra-ffmpeg, zimbra-libwebsockets, zimbra-libsrtp, zimbra-libnice, zimbra-libusrsctp, zimbra-videoserver

On CentOS, run:

sudo systemctl stop videoserver.service
sudo systemctl disable videoserver.service
sudo yum remove zimbra-libvpx zimbra-libopus zimbra-libfdk-aac zimbra-ffmpeg zimbra-libwebsockets zimbra-libsrtp zimbra-libnice zimbra-libusrsctp zimbra-videoserver

On Ubuntu, run:

sudo systemctl stop videoserver.service
sudo systemctl disable videoserver.service
sudo apt remove zimbra-libvpx zimbra-libopus zimbra-libfdk-aac zimbra-ffmpeg zimbra-libwebsockets zimbra-libsrtp zimbra-libnice zimbra-libusrsctp zimbra-videoserver

Zimbra Drive

Introduction

Zimbra Drive is an optional Zimbra component that provides both a fully-fledged file storage system integrated with the Zimbra WebClient, and a replacement for the old "Briefcase" component.

Browser compatibility

Zimbra Drive features are available on all browsers officially supported by the Zimbra Classic Web App, with some client-side limitations:

Browser Version OS Supported

Microsoft Edge (Chromium)

Latest

Windows

Yes

Microsoft Edge (Chromium)

Others

Windows

Limited

Microsoft Edge (EdgeHTML)

Any

Windows

No

Internet Explorer

Any

Windows

No

Mozilla Firefox

Latest

Windows/Linux/OSX

Yes

Mozilla Firefox

ESR

Windows/Linux/OSX

Yes

Mozilla Firefox

Others

Windows/Linux/OSX

Limited

Google Chrome

Latest

Windows/Linux/OSX

Yes

Google Chrome

Others

Windows/Linux/OSX

Limited

Safari

Latest

OSX

Yes

Safari

Others

OSX

Limited

While likely to work, items marked as " Limited" are only supported on the browser’s two previous stable releases to the current one.

Features

Frontend

  • Upload, manage and download files

  • Organize files within navigable folders

  • Preview files

  • Mark files as "preferred" for quick access

  • Add custom notes (descriptions) to files

  • Share files to internal users

  • Share files to external users (NYI)

  • Integration with Zimbra Docs

  • File search

  • Folder-based navigation

  • Quick "stateful" navigation

Backend

  • Option to store files on dedicated Zimbra volumes

  • zxsuite drive CLI

Differences between Briefcase and Zimbra Drive

Zimbra Drive does not follow the usual mailbox-driven behaviors when it comes to file storage, navigation, sharing, and item deletion. See each feature’s dedicated paragraph for a complete explanation of the differences and of the features themselves.

Zimbra Drive UI

Zimbra Drive UI
  1. Quick Access navigation panel;

  2. Folder navigation panel;

  3. InfoBox control;

  4. New, Upload and Search features;

  5. Folder list;

  6. File list;

Feature Description

Upload and Download

To upload a file to Zimbra Drive, either click on the "Upload" button above the file list or drag and drop any number of files from your computer to the main Zimbra Drive window.

Upload a file

To download a file from Zimbra Drive, right-click on it and select "Download":

Download a file

Any file and folder in Zimbra Drive can be renamed by right-clicking on it and selecting the "Rename" option in the context menu.

Navigation

Briefcase items are part of the mailbox’s folder and item hierarchy, while Zimbra Drive has its own internal folder structure and navigation. Navigating through Zimbra Drive folders is done through the Navigation Bar on top of the UI instead of through a tree view and folders are visible in the main section of the UI above files.

Navigate through folders and files

On top of the standard folder-based navigation, a "Quick Access" menu is available on the left side of the UI, which allows to quickly view the following types of items: • "Preferred Items" – items marked with the "Star" option available in the right-click context menu; • "Recently Edited" – items edited recently, sorted from the most recently edited; • "Shared with me" – items shared by other users • "Shared by me" – items shared to other users • "Marked for deletion" – items marked for deletion

Folder Creation

To create a folder in Zimbra Drive, click on the "New" button above the file list and select "Folder":

Create a new folder

File and Folder naming

The following characters cannot be used in Zimbra Drive folders and files:

  • Slash - /

  • Backslash - \

  • Semicolon - :

  • Question Mark - ?

  • Plus sign - +

  • Asterisk - *

  • Percent sign - %

Sharing

Being separated from the mailbox’s item hierarchy, Zimbra Drive files and folders can be shared independently. Sharing permissions can be chosen among 3 options: "View", "Edit" and "Edit and Share" – the latter two options include the "View" right by default.

To share a file or a folder, right-click on it and select "Edit Shares". After entering the email address of the destination user and selecting the sharing permissions, click the (+) button to add the share to the list:

Share an item (folder or file)

To edit or delete a share, simply click on the dropdown permission selector to change the sharing permissions of the file/folder or click the trash bin icon to delete the share:

Edit an existing share

In Zimbra Drive, sharing rights are only "additive", so it’s not possible to share an item with a lower permission than its parent, e.g. if a folder is shared with "Edit" permissions it’s not possible to share one of its items with "View" rights with the same person.

Item Deletion

When deleted, Zimbra Drive items are not put into the Trash like every other item type in Zimbra, as such items are marked for deletion instead. To mark a file or a folder for deletion, right-click on it and select "Mark for Deletion":

Mark an item for deletion

Items marked for deletion are displayed on the bottom of the file list with a strikethrough line and can be deleted permanently clicking on the "Delete Permanently" entry within the right-click context menu of a file marked for deletion while the "Restore" entry will unmark the file:

Restore or permanently delete a file

While any user with "Edit" or "Edit and Share" rights on an item or folder can mark it for deletion, only the original owner can delete it permanently.

Items marked for deletion cannot be accessed, so should a user try to do so a pop-up message will ask whether to restore the item and access it or to stop the attempt and leave it as marked for deletion.

InfoBox

The InfoBox is a collapsible element that contains all information and controls for the selected file or folder, as well as a preview of the file itself if in a compatible format (pictures, PDFs and more).

To display the Infobox, click on the "(i)" button on the top-right of the Zimbra Drive UI:

Open the InfoBox

The infobox will appear on the right side of the screen:

The InfoBox

Top-to-bottom, the InfoBox contains:

  • The name of the selected file

  • The preview of the file (or a format icon for unsupported formats)

  • All action items available in the right-click context menu

  • Share information

  • Creation and edit information

  • A customizable "Description" field

Technical information

File Storage

While Briefcase files are stored as mail-like items within the mailbox’s folder tree, Zimbra Drive features a detached folder hierarchy based on nodes: thus, Zimbra Drive folders do not appear as mailbox folders (e.g. in the output of zmmailbox getAllFolders). Zimbra Drive metadata are stored in a dedicated HSQL Database while all files (including previous file versions and file previews) are stored in a dedicated folder within a volume’s root. File naming is now hash-based instead of id-based to achieve native deduplication, compression rules follow the volume’s settings

e.g. Filesystem path for a briefcase file: /opt/zimbra/store/0/[mID]/msg/0/[itemid]-[revision].msg Filesystem path for a Zimbra Drive file: /opt/zimbra/store/drive/[hash]-[revision].[extension]

Volumes

As of this release, Zimbra Drive files are stored in the Current Primary volume as any other item.

Integration with Zimbra Docs If the Zimbra Docs zimlet is correctly installed, dedicated document options will appear in the "New" button above the file list:

Create documents with Zimbra Docs

When right-clicking on a compatible file, an "Open with Docs" option will also appear:

Open files stored in Zimbra Drive with Zimbra Docs

Furthermore, Zimbra Docs will also allow for previews of compatible document formats to be displayed in the InfoBox.

URLs and Ports

To build URLs and links (e.g. for External Shares) Zimbra Drive uses the default Zimbra settings for the domain of the account in use - the zimbraPublicServiceHostname property is used for the URL itself while the zimbraPublicServicePort property is used for the port.

Should any of the two not be set up, the system will always fall back to the zimbraServiceHostname and zimbraMailPort or zimbraMailSSLPort server-level properties.

Zimbra Drive Backup and HSM

Backup NG

Zimbra Drive files are included in Backup NG, and both the RealTime Scanner and the SmartScan are aware of those and no additional actions must be taken in order to ensure the files' safety.

The Restore on New Account and External Restore modes will also restore Zimbra Drive files, while other restore modes such as the Undelete Restore do not operate on such files.

HSM NG

Zimbra Drive can store its data on a different volume than the default Current Primary one, and HSM policies can move Zimbra Drive files onto a different volume than the Current Secondary one, thus effectively allowing independent storage management for Zimbra Drive files.

When an HSM policy is applied, Zimbra Drive files will be handled under the "document" item type.

This setting is applied at the server level so that different mailbox servers can use different volumes.

Setting the Zimbra Drive Primary volume

To set the Zimbra Drive Primary volume, first find out the volumeID of the target volume by running zxsuite hsm getAllVolumes.

Once the volumeID has been identified, simply run

zxsuite config server set `zmhostname` attribute driveStore value [volumeID]

(where [volumeID] is the ID found with the previous command)

Setting the Zimbra Drive Secondary volume

To set the Zimbra Drive Secondary volume, find out the volumeID of the target volume as described in the previous paragraph and then run the following command

zxsuite config server set `zmhostname` attribute driveSecondaryStore value [volumeID]

Zimbra Drive Installation and Migration

Manually Install or Upgrade zimbra-drive-ng

  1. As the root user, instruct yum to install the package.

    yum install zimbra-drive-ng
  2. Switch to user zimbra.

    su - zimbra
  3. Restart the Zimbra mailbox service for changes to take effect.

    zmmailboxdctl restart
    zxsuite config server set `zmhostname` attribute driveAllowOnUnsupportedZimbraVersion value true
    zxsuite drive doStartService module

Briefcase Migration

Briefcase data can be migrated to Zimbra Drive using the dedicated doImport CLI command:

zimbra@test:~$ zxsuite drive doImport

Syntax:
   zxsuite drive doImport {john@example.com,test.com[,...]} [attr1 value1 [attr2 value2...]]

The command accepts a comma-separated list of targets to migrate, which can be either mailboxes or domains, and different target types can be used on the same command.

The following attributes can be used to customize the migration:

NAME TYPE EXPECTED VALUES DEFAULT DESCRIPTION

targets(M)

String[,..]

john@example.com,test.com[,…​]

Comma separated list of targets to migrate

dryRun(O)

Boolean

true or false

false

Only perform a test run without affecting the data

allVersions(O)

Boolean

true or false

false

Migrate all versions of every file

deleteSources(O)

Boolean

true or false

false

Delete migrated files from the Briefcase

overwrite(O)

Boolean

true or false

false

Overwrite existing files

showIgnoredAccounts(O)

Boolean

true or false

false

ignoreQuota(O)

Boolean

true or false

false

Ignore mailbox quota when migrating

Zimbra Docs

Introduction

Zimbra Docs is based on a customized LibreOffice online (LOOL) package that allows collaborative editing of documents, spreadsheets and presentations from within the Zimbra WebClient.

Components

Zimbra Docs Server

The Zimbra Docs server is the heart of the service. The service hosts each document opened through a LibreOffice engine and responds to the client with every keystroke and change.

Install this component on one or more dedicated nodes running Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, or Red Hat CentOS 7.

Zimbra Docs Extension

The extension is the component that coordinates everything. Its main tasks are:

  • Select which Docs server upon which to open the next document.

  • Redirect the client when it needs to open a document.

  • Read and write documents to and from system storage on behalf of the Docs server.

  • Connect to each Docs server via an administrative WebSocket. Keep track of the availability and the resource usage of each.

  • Orchestrate concurrent user connections to the same document in the same server. (document sharing)

The NG Modules package contains the Zimbra Docs Extension together with the NG Core.

Zimbra Docs Zimlet

A Zimbra Docs Zimlet handles the integration with Briefcase and with email attachments. It is a thin web client that connects to a native server instance via WebSocket, renders a document, and only sends changes to the client to keep the fidelity of the document on par with a desktop client while limiting network bandwidth consumption to the bare minimum.

Documents in preview and attachments are shown in read-only mode with a simplified interface, while edit mode has a full interface.

Its main tasks are:

  • Change the Create button in the Classic Web App or Modern Web App to the related Docs feature.

  • Change the Classic Web App preview feature to use Docs.

  • Allow the preview of documents.

Browser compatibility

Zimbra Docs features are available on all browsers officially supported by the Zimbra Classic Web App, with some client-side limitations:

Browser Version OS Supported

Microsoft Edge (Chromium)

Latest

Windows

Yes

Microsoft Edge (Chromium)

Others

Windows

Limited

Microsoft Edge (EdgeHTML)

Any

Windows

No

Internet Explorer

Any

Windows

No

Mozilla Firefox

Latest

Windows/Linux/OSX

Yes

Mozilla Firefox

ESR

Windows/Linux/OSX

Yes

Mozilla Firefox

Others

Windows/Linux/OSX

Limited

Google Chrome

Latest

Windows/Linux/OSX

Yes

Google Chrome

Others

Windows/Linux/OSX

Limited

Safari

Latest

OSX

Yes

Safari

Others

OSX

Limited

While likely to work, items marked as " Limited" are only supported on the browser’s two previous stable releases to the current one.

Document Management Flow

Here is what happens behind the scenes when a user creates a document:

  1. The Zimlet prompts the Extension to create a new, empty document

  2. The Extension creates the document and returns its ID to the client

  3. The Zimlet opens a new Zimbra tab containing an iframe pointing towards /service/extension/wopi-proxy

  4. The extension receives the request from the client, creates a unique token for the needed document, and replies with a new URL

  5. The URL points toward /docs/[docs-node-id]/[token], which will be proxied by nginx to the specific Docs Server node

  6. The Docs Server will respond with the web application in Javascript

  7. The web application opens a WebSocket connection, going through nginx

  8. Docs Server receives the WebSocket connection along with a token, sends a read wopi command towards the mailbox URL indicated in the parameters (after validating the URL against allowed nodes)

  9. The Extension validates the token and replies with information and content

  10. The Docs Server node parses the document, renders it, and sends it back to the client.

  11. The document is fully opened and editable.

Open document
                                  redirect to docs
    +------------------------+             +----------------------+
    |     Zimbra Proxy       |             |       Mailbox        |
    |                        +------------->                      |
    |      Nginx             |             | Zimbra Docs Extension|
    +------------------------+             +----------------------+
                      |                        |              ^
                      |                        |              |
                      |                        |             WOPI:
                      |                   Admin Web          Read/Write
                      |                   Socket             Documents
                      |                        |              |
                      |                        |              |
                      |                        |              |
                      |                    +---v----------------+
                      |                    |                    |
                      +-------------------->   Docs Server      |
                   Load Client             |                    |
                   Open client websocket   +--------------------+

Networking and ports

All mailbox servers will need to be able to directly communicate with the Docs Server over port 8443 (HTTPS Backend), which must be open on both ends.

The Docs Server communicates with the Extension through port 9980, so incoming traffic from all mailbox and proxy servers to that port must be allowed. The Docs Server component must also be able to directly communicate with the master LDAP server as well as with all Mailbox servers.

Installation and Configuration

Docs Nodes

Download the standalone installer as per your preferred OS, extract it and as the root user execute the install.sh script contained in the package:

To obtain the information required for the initial Docs Server setup, run the following command on any mailbox server:

zimbra@mbx1:~$ zmlocalconfig -s ldap_master_url zimbra_ldap_user zimbra_ldap_userdn zimbra_ldap_password

This will return the info you need in the following format:

ldap_master_url = ldap://ldap01.cfd6a9e5.test.domain.com:389
zimbra_ldap_user = zimbra
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
zimbra_ldap_password = Deyked4ofMarj

The script will install the Zimbra Docs package and then ask for information about the master LDAP, URL, username, and password, all needed to add a new server in the LDAP with just the 'docs' service installed/enabled. Every Docs Server will be visible by every node, and will read the LDAP to write the configuration in /opt/zimbra/conf/docs/loolwsd.xml.

After completing the setup, you need no other configuration.

Adding Custom Fonts to the Docs Server To add Custom Fonts to your Docs Server, simply copy the .ttf font files in the /opt/zimbra/docs/zimbra-docs-core/share/fonts/custom/ directory, then generate the new font cache and restart the docs server running zdocs restart as root.

To generate the new font cache, run the following command based on the Docs Server’s Operating System:

Ubuntu 16 and Ubuntu 18

dpkg-reconfigure zimbra-docs-server

CentOS 7

fc-cache /opt/zimbra/docs/zimbra-docs-core/share/fonts

The server will briefly be unavailable during a restart, and clients will need to close and re-open documents to see the new fonts in the list.

Mailbox Nodes

While the NG modules contain the Zimbra Docs extension, the com_zextras_docs Zimlet needs to be deployed on the server and enabled for all users and COS that need to have access to the Zimbra Docs features.

The com_zextras_docs Zimlet is available in the Zimbra repository, so it can be easily downloaded and deployed by running apt-get install zimbra-docs.

No configuration on the mailboxd side is needed after the Zimlet has been deployed and enabled.

Proxy Nodes

The proxy configuration must be re-generated after adding one or more Zimbra Docs Servers to the infrastructure: to do so, run /opt/zimbra/libexec/zmproxyconfgen as the zimbra user and then restart the proxy service running zmproxyctl restart as the same user.

The new docs nodes' addresses get distributed via LDAP, so no manual configuration is needed.

Licensing

Zimbra Docs will be available on every NG for the same amount of users allowed by the Zimbra Collaboration 9.0.0 license.

The standalone installer is released under the MPLv2 license while the extension and Zimlet are under a proprietary license.

Removal

Before uninstalling the software, the node must be removed from LDAP either from the docs node via the command:

zdocs remove-local-server

or via the zmprov command from any Zimbra node

zmprov deleteServer {servername}

Commands

Zimbra Docs Server CLI - zdocs

On a Docs server, the zdocs (/usr/local/bin/zdocs as root) command can generate the config for LOOL (it’s already on cron), add/remove the docs server from LDAP, test configuration and manage the service.

zdocs command
usage: zdocs [-h] [--auto-restart] [--ldap-dn LDAP_DN] [--ldap-pass LDAP_PASS]
             [--ldap-url LDAP_URL] [--hostname HOSTNAME] [--debug][--cron]

{genkey,write-local-server,remove-local-server,generate-config,ldap-write-config,ldap-test,start,stop,restart,status,setup}

Manage Zimbra Docs service.

Available commands:
  genkey                Generate a private key needed for authentication between docs and mailbox servers.
  write-local-server    Add or update in ldap the necessary server entry for this server in order to be reachable from other servers.
  remove-local-server   Remove local server entry in LDAP.
  generate-config       Populate the config template with LDAP values and write a new configuration file.
  ldap-write-config     Write new configuration about the ldap access needed to generate the docs configuration file.
  ldap-test             Check the ldap connection.
  start                 Start the service.
  stop                  Stop the service.
  restart               Restart the service.
  status                Print service status.
  setup                 Start the initial setup.

positional arguments:
{genkey,write-local-server,remove-local-server,generate-config,ldap-write-config,ldap-test,start,stop,restart,status,setup}                                   Command to execute

optional arguments:
  -h, --help            show this help message and exit
  --auto-restart        Automatically restart the service if configuration is changed (to be used with generate-config)
  --ldap-dn LDAP_DN     Ldap dn (distinguish name) to bind to (to be used with ldap-test and ldap-settings)
  --ldap-pass LDAP_PASS Ldap password used of the DN (to be used with ldap-test and ldap-settings)
  --ldap-url LDAP_URL   Ldap url completed with schema (ex.: ldaps://ldap.example.com, to be used with ldap-test and ldap-settings)
  --hostname HOSTNAME   Hostname of this server (to be used with add-local-server)
  --debug               Show complete errors when things go bad.
  --cron                Start in cron mode, avoid any output unless there is an error (to be used with generate-config).

examples:
#regenerate the config and restart the server if config changed
  zdocs --auto-restart generate-config
#restart the service
  zdocs restart
#check ldap connection availability using current settings
  zdocs ldap-test
#check ldap connection using custom settings
  zdocs --ldap-url ldaps://ldap.example.com/ --ldap-dn 'uid=zimbra,cn=admins,cn=zimbra' --ldap-pass password ldap-test
#change the ldap connection settings
  zdocs --ldap-url ldap://ldap2.example.com/ --ldap-dn 'uid=zimbra,cn=admins,cn=zimbra' --ldap-pass password
ldap-write-config
#add the local server
  zdocs write-local-server
#add the local server with a custom hostname in LDAP, this command should be already invoked during setup.
  zdocs --hostname myhostname write-local-server
#remove the local server from LDAP, useful when destroying the server, you can also use 'zmprov deleteServer' from a mailbox server.
  zdocs remove-local-server

Zimbra Docs Extension CLI - zxsuite docs

On a Mailbox server, the zxsuite docs command is available. This command allows you to check and control the Docs service’s status, to force a configuration to reload, and to see the Docs Servers' status.

zxsuite docs
zxsuite docs

Commands regarding docs module

  doReloadConfig           - reload docs configuration from ldap, which
would happen once a minute.
                             zxsuite docs doReloadConfig

  doRestartService         - restart a given service
                             zxsuite docs doRestartService
{service_name}

  doStartService           - start a given service
                             zxsuite docs doStartService {service_name}

  doStopService            - stop a given service
                             zxsuite docs doStopService {service_name}

  getServices              - show current status of all services for
this module
                             zxsuite docs getServices

  status                   - show zimbra docs servers status with their
resource usage (if connected).
                             zxsuite docs status

Troubleshooting

Nothing happens when opening a document/extension requests returns 503.

This problem is most likely due to a connection issue between the mailbox server and the Docs server. Check the mailbox.log and see the reason for the connection failure. If there are no connection errors, check the Docs server with zdocs status on the docs node.

The mailbox will log every connection and disconnection for each Docs server.

404 error code instead of docs

The proxy configuration needs to be re-generated, and the proxy restarted.

Docs opens but a message “this is embarrassing…​” appears instead of the document.

You may see this happen if the Docs server cannot connect back to the mailbox server to read and write the document. Check name resolution and SSL certificate of mailboxd, which must be valid for the Docs server that does not inherit Zimbra certificate management.

Appendix A: Command Line Utilities

Command Line Interface (CLI) can be used to create, modify and delete certain features and functions of the Zimbra Collaboration. The Administration Console is the main tool for maintaining the Zimbra Collaboration, but some functions can only be changed from CLI utilities.

The CLI utilities can be used for the following purposes:

  • Provisioning accounts

  • Backup and Restore

  • Starting and stopping a service

  • Move mailboxes

  • Cross-mailbox searches

  • Installing self-signed certificates

  • Local configuration

In general, provisioning and managing accounts should be performed from the Administration Console.

General Tool Information

The Zimbra Collaboration command-line utilities follow standard UNIX command-line conventions. Use the following general guidelines with the CLI:

  • CLI commands are run as the zimbra user:
    su - zimbra

  • The CLI commands are case-sensitive. You must type them in lower case.

  • Press ENTER after you type a command.

  • To display usage information about a command, type the CLI command with -h.

    Example: zmprov -h lists all the options available for the zmprov utility.

  • Each operation is invoked through command-line options. Many have a long name and a short name. For example, these two commands are equivalent:

    zmprov createAccount joe@domain.com test123
    
    zmprov ca joe@domain.com test123

Syntax Conventions

When demonstrating the syntax of each tool, the following conventions indicate required, optional, and alternate values:

  • {attribute} in curly brackets is required information.

  • [attribute] in square brackets are optional arguments or information.

  • {a|b|c} or [a|b|c] options separated by the pipe character | means "a" OR "b" OR "c"

  • For attribute names that may contain spaces, surround the name with double quotes.

Location of Command-Line Utilities

The command-line tools available for administrators are all located in the /opt/zimbra/bin folder on the Zimbra Collaboration server.

Zimbra CLI Commands

CLI

The table below lists the CLI commands in /opt/zimbra/bin.

CLI Description

antispam-mysqladmin

anti-spam SQL server admin utility

antispam-mysql

anti-spam SQL client

antispam-mysql.server

Start, stop the anti-spam SQL instance

ldap

Start, stop, or find the status of Zimbra LDAP

ldapsearch

Perform a search on an LDAP server

logmysqladmin

Send mysqladmin commands to the logger SQL instance

mysql

Enters interactive command-line for the mailbox SQL instance

mysql.server

Start, stop the mailbox SQL instance

mysqladmin

Send admin commands to the mailbox SQL instance

postconf

Postfix command to view or modify the postfix configuration

postfix

Start, stop, reload, flush, check, upgrade-configuration of postfix

qshape

Examine postfix queue in relation to time and sender/recipient domain

zmaccts

Lists the accounts and gives the status of accounts on domain

zmamavisdctl

Start, stop, restart, or find the status of the Amavis-D New

zmantispamctl

Start, stop, reload, status for anti-spam service

zmantivirusctl

Start, stop, reload, status for the anti-virus service

zmantispamdbpasswd

Changes anti-spam SQL database password

zmapachectl

Start, stop, reload, or check status of Apache service (for spell check)

zmarchiveconfig

Command to view, modify, or configure archiving

zmarchivectl

Start, stop, reload, status for archiving

zmarchivesearch

Search archives on the account

zmauditswatchctl

Start, stop, restart, reload, status of the auditswatch

zmbackup

Performs full backups and incremental backups for a designated mail host.

zmbackupabort

Stops a backup that is in process.

zmbackupquery

Find a specific full backup set

zmblobchk

Check consistency of the Zimbra blob store

zmcalchk

Check consistency of appointments and attendees in the Zimbra calendar

zmcbpolicydctl

Start, stop, and restart the cluebringer policyd service, if enabled

zmconfigdctl

Start, stop, kill, restart status of the MTA configuration daemon.

zmcertmgr

Manage self-signed and commercial certificates

zmclamdctl

Start, stop, or find the status of Clam AV

zmcleaniplanetics

Clean iPlanet ICS calendar files

zmcontrol

Start, stop, restart, status of the Zimbra servers. Also can use to find the Zimbra version installed

zmconvertctl

Start, stop, the conversion server or find the status of the converted attachments conversion/indexing

zmdevicesstats

Number of unique ActiveSync device IDs per server

zmgdcutil

(get devices count) gives the total devices system wide without the need of specifying individual servers.

zmdumpenv

General information about the server environment is displayed

zmgsautil

Global Address Book (GAL) synchronization utility. Create, delete the GAL sync account and initiate manual syncs.

zmhostname

Find the hostname of the Zimbra server

zmhsm

Start, stop and status of a HSM session.

zmitemdatafile

Extracts and packs tgz files that Zimbra uses for REST import/export

zmjava

Execute Java with Zimbra-specific environment settings

zmjavaext

Execute Java and Zimbra-specific environment settings including extension based jars.

zmldappasswd

Changes the LDAP password

zmlicense

View and install your Zimbra license

zmlmtpinject

Testing tool

zmlocalconfig

Used to set or get the local configuration of a Zimbra server

zmloggerctl

Start, stop, reload, or find the status of the Zimbra logger service

zmloggerhostmap

Used to manually map a DNS hostname to a zmhostname.

zmlogswatchctl

Start, stop, status of the swatch that is monitoring logging.

zmmailbox

Performs mailbox management tasks

zmmailboxdctl

Start, stop, reload, or find the status of the mailbox components (zmmailboxd, MariaDB, convert)

zmmboxsearch

(Cross Mailbox Search) Search across mailboxes to find messages and attachments

zmmboxmove

7.1.3 and later. Used to move selected mailboxes from one Zimbra server to another.

zmmboxmovequery

7.1.3 and later. Used to query ongoing mailbox moves on a server

zmpurgeoldmbox

7.1.3 and later. Purges a mailbox from the old server after a mailbox move

zmmemcachedctl

Start, stop, and restart

zmmetadump

Support tool that dumps an item’s metadata in a human-readable form

zmmilterctl

Start, stop, and restart the Zimbra milter server if enabled

zmmtaconfigdctl

Beginning in Zimbra Collaboration 7.0, this command is not used. Use zmconfigdctl.

zmmtactl

Start, stop, or find the status of the MTA

zmmypasswd

Change SQL passwords

zmmysqlstatus

Status of mailbox SQL instance

zmnginxconf

Output the reverse proxy configuration

zmnginxctl

Start, stop, and restart the Zimbra reverse proxy

zmplayredo

Performs data restore using backed up snapshots taken periodically. Users who use snapshots to backup and restore their information from a standby site use this command.

zmprov

Performs all provisioning tasks in Zimbra LDAP, including creating accounts, domains, distribution lists and aliases

zmproxyconfgen

Generates configuration for the nginx proxy

zmproxyctl

Start, stop, restart, and find the status of the IMAP proxy service

zmproxypurge

Purges POP/IMAP routing information from one or more memcached servers

zmpython

Ability to write Python scripts that access Zimbra Java libraries. It sets the Zimbra class path and starts the Jython interpreter.

zmredodump

Support tool for dumping contents of a redolog file for debugging purposes

zmrestore

Performs full restores and incremental restores for a designated mail host

zmrestoreldap

Restore accounts from the LDAP backup

zmrestoreoffline

(Offline Restore) Performs full restore when the Zimbra server (i.e., the mailboxd process) is down

zmsaslauthdctl

Start, stop, or find the status of saslauthd (authentication)

zmschedulebackup

Schedule backups and add the command to your cron table

zmshutil

Used for other zm scripts, do not use

zmskindeploy

Deploy skins

zmsoap

Print mail, account, and admin information in the SOAP format

zmspellctl

Start, stop, or find the status of the spell check server

zmsshkeygen

Generate Zimbra’s SSH encryption keys

zmstat-chart

Generate charts from zmstat data collected in a directory

zmstat-chart-config

Outputs an XML configuration that describes the current state of the data gathered from zmstat-chart to generate charts on the Administration Console.

zmstatctl

Start, stop, check status, or rotate logs of zmstat data collectors

zmstorectl

Start, stop, or find the status of Zimbra store services

zmswatchctl

Start, stop, or find the status of the Swatch process, which is used in monitoring

zmsyncreverseproxy

Decodes the sync request/responses and logs them when verbose mode is turned on.

zmthrdump

Initiate a thread dump and save the data to a file with a timestamp

zmtlsctl

Set the Web server mode to the communication protocol options: HTTP, HTTPS or mixed

zmtrainsa

Used to train the anti-spam filter to recognize what is spam or ham

zmtzupdate

Provides mechanism to process time zone changes

zmupdateauthkeys

Used to fetch the ssh encryption keys created by zmsshkeygen

zmvolume

Manage storage volumes on your Zimbra Mailbox server

zmzimletctl

Deploy and configure Zimlets

Using non-ASCII Characters in CLIs

If you use non-ASCII characters in the CLI, in order for the characters to display correctly, you must change this setting to the desired UTF-8 before running the CLI command. To change this, type

export LC_All=<UTF_locale>

The default locale on the zimbra user system account is LANG=C. This setting is necessary for starting Zimbra services. Changing the default LANG=C setting may cause performance issues with amavisd-new.

zmprov (Provisioning)

The zmprov tool performs all provisioning tasks in Zimbra LDAP, including creating accounts, aliases, domains, COS, distribution lists, and calendar resources. Each operation is invoked through command-line options, each of which has a long name and a short name.

The syntax is zmprov [cmd] [argument].

The syntax for modify can include the prefix “+” or “-” so that you can make changes to the attributes affected and do not need to reenter attributes that are not changing.

  • Use + to add a new instance of the specified attribute name without changing any existing attributes.

  • Use - to remove a particular instance of an attribute.

The following example would add the attribute zimbraZimletUserProperties with the value "blue" to user 1 and would not change the value of any other instances of that attribute.

zmprov ma user1 +zimbraZimletUserProperties "com_company_testing:favoriteColor:blue"

The attributes for the tasks zmprov can be used with are listed when you type zmprov -h. The task area divided into the following sections:

Long Name Short Name Syntax, Example, and Notes

--help

-h

display usage

--file

-f

use file as input stream

--server

-s

{host}[:{port}] server hostname and optional port

--ldap

-l

provision via LDAP instead of SOAP

--logpropertyfile

-L

log4j property file, valid only with -l

--account {name}

-a

account name to auth as

--password {pass}

-p

password for account

--passfile {file}

-P

read password from file

--zadmin

-z

use Zimbra admin name/password from localconfig for admin/password

--authtoken {authtoken}

-y

use auth token string (has to be in JSON format) from command line

--authtokenfile {authtoken-file}

-Y

use auth token string (has to be in JSON format) from a file

--verbose

-v

verbose mode (dumps full exception stack trace)

--debug

-d

debug mode (dumps SOAP messages)

--master

-m

use LDAP master. This only valid with -l

--replace

-r

allow replacement of safe-guarded multi-value attribute configured in localconfig key zmprov_saveguarded_attrs

The commands are categorized and briefly described in the following topics:

Account Provisioning Commands
Table 64. zmprov — Account Provisioning Commands
Command Syntax Example/Notes

addAccountAlias (aaa)

{name@domain | id | adminName} {alias@domain}

zmprov aaa joe@domain.com joe.smith@engr.domain.com

checkPasswordStrength (cps)

{name@doman | id} {password}

zmprov cps joe@domain.com test123
This command does not check the password age or history.

createAccount (ca)

{name@domain} {password} [attr1 value1]…​

zmprov ca joe@domain.com test123 displayName JSmith

createDataSource (cds)

{name@domain} {ds-type} {ds-name} zimbraDataSourceEnabled {TRUE | FALSE} zimbraDataSourceFolderId {folder-id} [attr1 value1 [attr2 value2]…​]

createIdentity (cid)

{name@domain} {identity-name} [attr1 value1 [attr2 value2]…​]

createSignature (csig)

{name@domain} {signature-name} [attr1 value1 [attr2 value2]…​]

deleteAccount (da)

{name@domain | id | adminName}

zmprov da joe@domain.com

deleteDataSource (dds)

{name@domain | id} {ds-name | ds-id}

deleteIdentity (did)

{name@domain | id} {identity-name}

deleteSignature (dsig)

{name@domain | id} {signature-name}

getAccount (ga)

{name@domain | id | adminName}

zmprov ga joe@domain.com

getAccountMembership (gam)

{name@domain | id}

getAllAccounts (gaa)

[-v] [domain]

Must include -l/--ldap

zmprov -l gaa
zmprov -l gaa -v domain.com

getAllAdminAccounts (gaaa)

zmprov gaaa

getDataSources (gds)

{name@domain | id} [arg1 [arg2]…​]

getIdentities (gid)

{name@domain | id} [arg1 [arg2]…​]

getSignatures (gsig)

{name@domain | id} [arg1 [arg2]…​]

modifyAccount (ma)

{name@domain | id | adminName} [attr1 value1]…​

zmprov ma joe@domain.com zimbraAccountStatus maintenance

modifyDataSource (mds)

{name@domain | id} {ds-name | ds-id} [attr1 value1 [attr2 value2]…​]

modifyIdentity (mid)

{name@domain | id} {identity-name} [attr1 value1 [attr2 value 2]…​]

modifySignature (msig)

{name@domain | id} {signature-name | signature-id} [attr1 value1 [attr2 value2]…​]

removeAccountAlias (raa)

{name@domain | id | adminName} {alias@domain}

zmprov raa joe@domain.com joe.smith@engr.domain.com

renameAccount (ra)

{name@domain | id} {newname@domain}

zmprov ra joe@domain.com joe23@domain.com
After you rename an account, you should run a full backup for that account.
zmbackup -f -s <servername.com> -a <newaccountname@servername.com>

setAccountCOS (sac)

{name@domain | id | adminName} {cos-name | cos-id}

zmprov sac joe@domain.com FieldTechnician

setPassword (sp)

{name@domain | id | adminName} {password}

zmprov sp joe@domain.com test321
Passwords cannot included accented characters in the string. Example of accented characters that cannot be used: ã, é, í, ú, ü, ñ.
Calendar Resource Provisioning Commands
Table 65. zmprov — Calendar Resource Provisioning Commands
Command Syntax

createCalendarResource (ccr)

{name@domain} [attr1 value1 [attr2 value2]…​]

deleteCalendarResource (dcr)

{name@domain | id}

getAllCalendarResources (gacr)

[-v] [domain]

getCalendarResource (gcr)

{name@domain | id}

modifyCalendarResource (mcr)

{name@domain | id} [attr1 value1 {attr2 value2]…​]

purgeAccountCalendarCache (pacc)

{name@domain} […​]

renameCalendarResource (rcr)

{name@domain | id} {newName@domain}

Free Busy Commands
Table 66. zmprov — Free Busy Commands
Command Syntax

getAllFbp (gafbp)

[-v]

getFreebusyQueueInfo (gfbqi)

[{provider-name}]

pushFreebusy (pfb)

{domain | account-id} [account-id…​]

pushFreebusyDomain (pfbd)

{domain}

purgeFreebusyQueue (pfbg)

[{provider-name}]

Domain Provisioning Commands
Table 67. zmprov — Domain Provisioning Commands
Command Syntax Example/Notes

countAccount (cta)

{domain | id}

This lists each COS, the COS ID and the number of accounts assigned to each COS

createAliasDomain (cad)

{alias-domain-name} {local-domain-name | id} [attr1 value1 [attr2 value2]…​]

createDomain (cd)

{domain} [attr1 value1]…​

zmprov cd mktng.domain.com zimbraAuthMech zimbra

deleteDomain (dd)

{domain | id}

zmprov dd mktng.domain.com

getDomain (gd)

{domain | id}

zmprov gd mktng.domain.com

getDomainInfo (gdi)

name | id | virtualHostname {value} [attr1 [attr2]…​]

getAllDomains (gad)

[-v]

modifyDomain (md)

{domain | id} [attr1 value1]…​

zmprov md domain.com zimbraGalMaxResults 500
Do not modify zimbraDomainRenameInfo manually. This is automatically updated when a domain is renamed.

renameDomain (rd)

{domain | id} {newDomain}

renameDomain can only be used with zmprov -l/--ldap
COS Provisioning Commands
Table 68. zmprov — COS Provisioning Commands
Command Syntax Example/Notes

copyCos (cpc)

{src-cos-name | id} {dest-cos-name}

createCos (cc)

{name} [attr1 value1]…​

zmprov cc Executive zimbraAttachmentsBlocked FALSE zimbraAuthTokenLifetime 60m zimbraMailQuota 100M zimbraMailMessageLifetime 0

deleteCos (dc)

{name | id}

zmprov dc Executive

getCos (gc)

{name | id}

zmprov gc Executive

getAllCos (gac)

[-v]

zmprov gac -v

modifyCos (mc)

{name | id} [attr1 value1]…​

zmprov mc Executive zimbraAttachmentsBlocked TRUE

renameCos (rc)

{name | id} {newName}

zmprov rc Executive Business
Server Provisioning Commands
Table 69. zmprov — Server Provisioning Commands
Command Syntax Example/Notes

createServer (cs)

{name} [attr1 value1]…​

deleteServer (ds)

{name | id}

zmprov ds domain.com

getServer (gs)

{name | id}

zmprov gs domain.com

getAllServers (gas)

[-v]

zmprov gas

modifyServer (ms)

{name | id} [attr1 value1]…​

zmprov ms domain.com zimbraVirusDefinitionsUpdateFrequency 2h

getAllMtaAuthURLs (gamau)

Used to publish into saslauthd.conf what servers should be used for saslauthd.conf MTA auth

getAllMemcachedServers (gamcs)

Used to list memcached servers (for nginix use).

Config Provisioning Commands
Table 70. zmprov — Config Provisioning Commands
Command Syntax Example/Notes

getAllConfig (gacf)

[-v]

All LDAP settings are displayed

getConfig (gcf)

{name}

modifyConfig (mcf)

attr1 value1

Modifies the LDAP settings.

createXMPPComponent (csc)

{short-name} {domain} {server} {classname} {category} {type} [attr1 value1 [attr2 value2]…​]

deleteXMPPComponent (dxc)

{xmpp-component-name}

getXMPPComponent (gxc)

{name@domain} [attr1 [attr2]…​]

modifyXMPPComponent (mxc)

{name@domain} [attr1 value1 [attr2 value2]…​]

Distribution List Provisioning Commands
Table 71. zmprov — Distribution List Provisioning Commands
Command Syntax Example/Notes

createDistributionList (cdl)

{list@domain}

zmprov cdl needlepoint-list@domain.com

addDistributionListMember (adlm)

{list@domain | id} {member@domain}

zmprov adlm needlepoint-list@domain.com singer23@mail.free.net

removeDistributionListMember (rdlm)

{list@domain | id}

zmprov rdlm needlepoint-list@domain.com singer23@mail.free.net

getAlldistributionLists (gadl)

[-v]

getDistributionListmembership (gdlm)

{name@domain | id}

gdlm can not be used for gynamic groups, as dynamic groups cannot be nested.

getDistributionList (gdl)

{list@domain | id}

zmprov gdl list@domain.com

modifyDistributionList (mdl)

{list@domain | id} attr1 value1 [attr2 value2]…​

zmprov md list@domain.com

deleteDistributionList (ddl)

{list@domain | id}

addDistributionListAlias (adla)

{list@domain | id} {alias@domain}

removeDistributionListAlias (rdla)

{list@domain | id} {alias@domain}

renameDistributionList (rdl)

{list@domain | id} {newName@domain}

Mailbox Commands
Table 72. zmprov — Mailbox Commands
Command Syntax Example/Notes

getMailboxInfo (gmi)

{account}

getQuotaUsage (gqu)

{server}

recalculateMailboxCounts (rmc)

{name@domain | id}

When unread message count and quota usage are out of sync with the data in the mailbox, use this command to immediately recalculate the mailbox quota usage and unread messages count.

Recalculating mailbox quota usage and message count should be schedule to run in off peak hours and used on one mailbox at a time.

reIndexMailbox (rim)

{name@domain | id} {start | status | cancel} [type | id]…​

compactIndexMailbox (cim)

{name@domain | id} {start | status}

verifyIndex (vi)

{name@domain | id}

getIndexStats (gis)

{name@domain | id}

selectMailbox (sm)

{account-name} [{zmmailbox commands}]

unlockMailbox (ulm)

{name@domain | id} [hostname]

Only specify the hostname parameter when unlocking a mailbox after a failed move attempt.

Miscellaneous Provisioning Commands
Table 73. zmprov — Miscellaneous Provisioning Commands
Command Syntax Example/Notes

countObjects (cto)

{type} [-d {domain | id}]

countObjects can only be used with zmprov -l/--ldap

createBulkAccounts (cabulk)

{domain} {namemask} {number of accounts to create}

describe (desc)

[[-v] [-ni] [{entry-type}]] | [-a {attribute-name}]

Prints all attribute names (account, domain, COS, servers, etc.).

flushCache (fc)

[-a] {acl | locale | skin | uistrings | license | all | account | config | glo | balgrant | cos | domain | galgroup | group | mime | server | zimlet | <extension-cache-type>} [name1 | id1 [name2 | i d2]…​]

Flush cached LDAP entries for a type. See Zimbra LDAP Service.

generateDomainPreAuth Key (gdpak)

{domain | id}

Generates a pre-authentication key to enable a trusted third party to authenticate to allow for single-sign on. Used in conjunction with GenerateDomainPreAuth.

generateDomainPreAuth (gdpa)

{domain | id} {name} {name | id | foreignPrincipal} {timestamp | 0} {expires | 0}

Generates preAuth values for comparison.

syncGal (syg)

{domain} [{token}]

getAccountLogger (gal)

[-s /--server hostname] {name@domain | id}

Logs Commands
Table 74. zmprov — Logs Commands
Command Syntax Example/Notes

addAccountLogger (aal)

{name@domain | id} {logging-category} {debug | info | warn | error}

Creates custom logging for a single account.

getAccountLoggers (gal)

[-s/--server hostname] {name@domain | id} {logging-category} {debug | info | warn | error}

getAllAccountLoggers (gaal)

[-s/--server hostname]

Shows all individual custom logger account.

removeAccountLogger (ral)

[-s/ --server hostname] {name@domain | id} {logging-category}

When name@domain is specified, removes the custom logger created for the account otherwise removes all accounts all account loggers from the system.

resetAllLoggers (rlog)

[-s/--server hostname]

This command removes all account loggers and reloads /opt/zimbra/conf/log4j.properties.

See the zmprov Log Categories for a list of logging categories.

Search Commands
Table 75. zmprov — Search Commands
Command Syntax Example/Notes

searchGAL (sg)

{domain} {name}

zmprov sg joe

autoCompleteGal (acg)

{domain} {name}

searchAccounts (sa)

[-v] {ldap-query} [limit] [offset] [sortBy {attribute}] [sortAscending 0 | 1] [domain {domain}]

searchCalendarResources (scr)

[-v] domain {attr op value} [attr op value]…​

Share Provisioning Commands
Table 76. zmprov — Share Provisioning Commands
Command Syntax Example/Notes

getShareInfo (gsi)

{owner-name | owner-id}

Unified Communication Service Commands
Table 77. zmprov — Unified Communication Service Commands
Command Syntax Example/Notes

createUCService (cucs)

{name} [attr1 value1 [attr2 value2]…​]

deleteUCService (ducs)

{name | id}

getAllUCServices (gaucs)

[-v]

getUCService (gucs)

[-e] {name | id} [attr1 [attr2]…​]

modifyUCService (mucs)

{name | id} [attr1 value1 [attr2 value2]…​]

renameUCService (rucs)

{name | id} {newName}

IMAP/POP Proxy Commands
Table 78. zmprov — IMAP/POP Proxy Commands
Command Example/Notes

getAllReverseProxyURLs (garpu)

Used to publish into nginx.conf the servers that should be used for reverse proxy lookup.

getAllReverseProxy Backends (garpb)

Returns the list of servers that have zimbraReverseProxyLookupTarget=TRUE.

Indicates whether a mailbox server is available for lookup requests from the proxy.

getAllReverseProxyDomains (garpd)

Returns a list of all domains configured with ZimbraSSLCertificate zimbraVirtualHostname and zimbraVirtualIPAddress configured. This allows the proxy to configure a list of domains to serve customized/domain certificates for.

Examples — using zmprov
Example 27. Creating an account with a password that is assigned to the default COS
zmprov ca name@domain.com password
Example 28. Creating an account with a password that is assigned to a specified COS

You must know the COS ID number. To find a COS ID:

zmprov gc <COSname>

zmprov ca name@domain.com password zimbraCOS cosIDnumberstring
Example 29. Creating an account when the password is not authenticated internally
zmprov ca name@domain.com ''

The empty single quote is required and indicates that there is no local password.

Example 30. Using a batch process to create accounts

See Provisioning User Accounts for the procedure.

Example 31. Bulk provisioning

See the Zimbra wiki page Bulk_Provisioning.

Example 32. Adding an alias to an account
zmprov aaa accountname@domain.com aliasname@domain.com
Example 33. Creating a distribution list
zmprov cdl listname@domain.com

The ID of the distribution list is returned.

Example 34. Adding a member to a distribution list
zmprov adlm listname@domain.com member@domain.com
You can add multiple members to a list from the Administration Console.
Example 35. Changing the administrator’s password

Use this command to change any password. Enter the address of the password to be changed.

zmprov sp admin@domain.com password
Example 36. Creating a domain that authenticates against Zimbra LDAP
zmprov cd marketing.domain.com zimbraAuthMech zimbra
Example 37. Setting the default domain
zmprov mcf zimbraDefaultDomain domain1.com
Example 38. Listing all COSs and their attribute values
zmprov gac -v
Example 39. Listing all user accounts in a domain (domain.com)
zmprov gaa domain.com
Example 40. Listing all user accounts and their configurations
zmprov gaa -v domain.com
Example 41. Enabling logger on a single server
zmprov ms server.com +zimbraServiceEnabled logger

Then type zmloggerctl start, to start the logger.

Example 42. Querying a value for a multi-valued attribute
zmprov gs server.com attribute=value

For example, zmprov gs example.com zimbraServiceEnabled=ldap to find out if the ldap service is enabled.

Example 43. Modify the purge interval

To modify the purge interval, set zimbraMailPurgeSleepInterval to the duration of time that the server should "sleep" between every two mailboxes.

zmprov ms server.com zimbraMailPurgeSleepInterval <Xm>

X is the duration of time between mailbox purges; m represents minutes. You could also set <xh> for hours.

Example 44. Customize the notification email

Modify zimbraNewMailNotification to customize the notification email template. A default email is sent from Postmaster notifying users that they have received mail in another mailbox. To change the template, you modify the receiving mailbox account. The variables are

  • ${SENDER_ADDRESS}

  • ${RECIPIENT_ADDRESS}

  • ${RECIPIENT_DOMAIN}

  • ${NOTIFICATION_ADDRESSS}

  • ${SUBJECT}

  • ${NEWLINE}

You can specify which of the above variables appear in the Subject, From, or Body of the email. The following example is changing the appearance of the message in the body of the notification email that is received at name@domain.com. You can also change the template in a class ofservice, use zmprov mc. The command is written on one line.

zmprov ma name@domain.com zimbraNewMailNotificationBody 'Important message from ${SENDER_ADDRESS}.${NEWLINE}Subject:${SUBJECT}'
Example 45. Enable the SMS notification by COS, account or domain
zmprov mc <default> zimbingaFeatureCalendarReminderDeviceEmailEnabled TRUE
zmprov ma <user1> zimbraFeatureCalendarReminderDeviceEmailEnabled TRUE
zmprov md <domain> zimbraFeatureCalendarReminderDeviceEmailEnabled TRUE
Example 46. Enable the Activity Stream feature for a COS or set of users
zmprov mc <default> zimbraFeaturePriorityInboxEnabled TRUE
zmprov ma <user1> zimbraFeaturePriorityInboxEnabled TRUE
Configure Auto-Grouped Backup from the CLI

Set the backup method in the global configuration, and you can override the configuration on a per server basis if you do not want a server to use the auto-grouped backup method.

To set up auto-grouped backup, you modify LDAP attributes using the zmprov CLI. Type the command as

zmprov mcf <ldap_attribute> <arg>

You can also set the attributes at the server level using zmprov ms.

The following LDAP attributes are modified:

  • zimbraBackupMode —  Set it to be Auto-Grouped. The default is Standard.

  • zimbraBackupAutoGroupedInterval — Set this to the interval in either days or weeks that backup sessions should run for a group. The default is `1d. Backup intervals can be 1 or more days, entered as xd (1d); or 1 or more weeks, entered as xw (1w).

  • zimbraBackupAutoGroupedNumGroups — This the number of groups to spread mailboxes over. The default is 7 groups.

Changing Conversations Thread Default

Messages can be grouped into conversations by a common thread. The default is to thread messages in a conversation by the References header. If there is no References header, the Subject is used to determine the conversation thread. The default options can be changed from the COS or for individual accounts.

zmprov mc [cosname] zimbraMailThreadingAlgorithm [type]

The types include:

  • none — no conversation threading is performed.

  • subject — the message will be threaded based solely on its normalized subject.

  • strict — only the threading message headers (References, In-Reply-To, Message-ID, and Resent-Message-ID) are used to correlate messages. No checking of normalized subjects is performed.

  • references — the same logic as "strict" with the constraints slightly altered so that the non-standard Thread-Index header is considered when threading messages and that a reply message lacking References and In-Reply-To headers will fall back to using subject-based threading.

  • subjrefs — the same logic as "references" with the further caveat thatchanges in the normalized subject will break a thread in two.

Detecting Corrupted Indexes

Run zmprov verifyIndex as a sanity check for the specified mailbox index. Diagnostic information is written to stdout. If problems are detected, a failure status is returned.

verifyIndex locks the index while it’s running, and checks every byte in the index. Therefore, it’s not recommended to run this on a regular basis such as in a cron job. The zmprov verifyIndex command should be used only when you need to make a diagnosis.

zmprov verifyIndex <user@example.com>

If verifyIndex reports that the index is corrupted, you can repair the mailbox index by running reIndexMailbox (rim).

zmprov rim <user@example.com> start
Table 79. zmprov — Log Categories

zimbra.account

Account operations

zimbra.acl

ACL operations

zimbra.backup

Backup and restore

zimbra.cache

Inmemory cache operations

zimbra.calendar

Calendar operations

zimbra.dav

DAV operations

zimbra.dbconn

Database connection tracing

zimbra.extensions

Server extension loading

zimbra.filter

Mail filtering

zimbra.gal

GAL operations

zimbra.imap

IMAP protocol operations

zimbra.index

Index operations

zimbra.io

Filesystem operations

zimbra.ldap

LDAP operations

zimbra.lmtp

LMTP operations (incoming mail)

zimbra.mailbox

General mailbox operations

zimbra.misc

Miscellaneous

zimbra.op

Changes to mailbox state

zimbra.pop

POP protocol operations

zimbra.redolog

Redo log operations

zimbra.security

Security events

zimbra.session

User session tracking

zimbra.smtp

SMTP operations (outgoing mail)

zimbra.soap

SOAP protocol

zimbra.sqltrace

SQL tracing

zimbra.store

Mail store disk operations

zimbra.sync

Sync client operations

zimbra.system

Startup/shutdown and other system messages

zimbra.wiki

Wiki operations

zimbra.zimlet

Zimlet operations

zmaccts

Use zmaccts to run a report that lists all the accounts, their status, when they were created and the last time anyone logged on. The domain summary shows the total number of accounts and their status.

Syntax
zmaccts

zmarchiveconfig

Use zmarchiveconfig for configuring the archiving mailbox. It has the option of using short commands or full names for commands that lead to the same function being carried out.

Syntax
zmarchiveconfig [args] [cmd] [cmd-args]...
Description
Long Name Short Name Description

--help

-h

Displays the usage options for this command

--server

-s

(host)[:(port)] Displays the server hostname and optional port

--account

-a

(name) Returns the value of the account name to be authorized

--ldap

-l

Allows archiving to be provisioned via LDAP

--password

-p

(pass) Returns the password for auth account

--passfile

-P

(file) Allows password to be read from file

--zadmin

-z

Allows use of Zimbra admin/password from local

--debug

-d

Activates debug mode (dumps SOAP messages)

Command in …​

enable <account>

[archive-address <aaddr> [archive-cos <cos>] [archive-create <TRUE/FALSE>] [archive-password <pa [zimbraAccountAttrName <archive-attr-value]+

disable <account>

zmarchivectl

Use zmarchivectl to start, stop, reload, or check the status of the Zimbra account archive.

Syntax
zmarchivectl start|stop|reload|status

zmarchivesearch

Use zmarchivesearch to search across account archives. You can search for archives that match specific criteria and save copies to a directory.

Syntax
zmarchivesearch {-m <user@domain.com>} {-q <query_string>} [-o <offset>] [-l <limit>] [-d <output_directory>]
Description
Long Name Short Name Description

--dir

-d

<arg> Folder to write messages to. If none is specified, then only the headers are fetched. Filenames are generated in the form RESULTNUM_ACCOUNT-ID_MAILITEMID

--help

-h

Displays help messages

--limit

-l

<arg> Sets the limit for the number of results returned. The default is 25

--mbox

-m

<arg> Name of archive account to search

--offset

-o

<arg> Specifies where the hit list should begin. The default is 0

--query

-q

<arg> The query string for archive search

--server

-s

<arg> Mail server hostname. Default is localhost

--verbose

-v

Allows printing of status messages while the search is being executed

Example 47. Search archives on a specified server and put a copy of the archive in a specified directory
zmarchivesearch -m user1@yourdomain.com -q "in:sent" -o 0 -l 30 -d /var/tmp

zmbackup

Use zmbackup to perform full backups and incremental backups for a designated mail host.

This utility has short option names and full names. The short option is preceded by a single dash, while the full option is preceded by a double dash. For example, -f is the same as --fullBackup.

Syntax

One of -f, -i, or -del must be specified.

zmbackup {-f | -i | del} {-a <arg>} [options]
Description
Long Name Short Name Description

--account

-a

<arg> Account email addresses separated by white space or all for all accounts. This option is not specified for auto-grouped backups since the system knows which accounts to backup every night.

--debug

-d

Display diagnostics for debugging purposes.

--delete

-del

<arg> Deletes the backups including and prior to the specified label, date (YYYY/MM/DD[-hh:mm:ss]) or period (nn(d | m | y]).

--excludeBlobs

Exclude blobs from full backup. If unspecified, use server config

--excludeHsmBlobs

Exclude blobs on HSM volumes from full backup; if unspecified, use server config

--excludeSearchIndex

Exclude search index from full backup; if unspecified, use server config

--fullBackup

-f

Starts a full backup. In auto-grouped backup mode, this option also copies the redologs since the last backup (which is the main function of an incremental backup).

--help

-h

Displays the usage options for this command.

--incrementalBackup

-i

Starts an incremental backup. This option is not available in the auto-grouped backup mode.

--includeBlobs

Include blobs in full backup. If this is unspecified, the server config is used.

--includeHsmBlobs

Include blobs on HSM volumes in full backup. If this is unspecified, the server config is used.

--includeSearchIndex

Include search index in full backup. If this is unspecified, the server config is used.

--noZip

Backs up blobs as individual files rather than in zip files.

--server

-s

<arg> Mail server host name. For format, use either the plain host name or the server.domain.com name. The default is the localhost name.

--sync

-sync

Runs full backup synchronously.

--target

-t

<arg> Specifies the target backup location. The default is /opt/zimbra/backup.

--zip

-z

Backs up blobs in compressed zip files. Ignored if --zipStore is specified.

--zipStore

Backup blobs in zip file without compression. (default)

Examples

In these examples, the server (-s) is server1.domain.com. The (-t) is not required if the target is the default directory, (/opt/zimbra/backup).

Example 48. Perform a full backup of all mailboxes on server1
zmbackup -f -a all -s server1.domain.com
Example 49. Perform incremental backup of all mailboxes on server1 since last full backup
zmbackup -i -a all -s server1.domain.com
Example 50. Perform full backup of only user1's mailbox on server1.
zmbackup -f -a user1@domain.com -s server1
Hostname does not need full domain if account is used.
Example 51. Perform incremental backup of user1's mailbox on server1
zmbackup -i -a user1@domain.com -s server1

zmblobchk

Use zmblobchk to check the consistency of the Zimbra blob store (/opt/zimbra/store). This command checks and records notes of files without matching database metadata. It also checks to make sure that size information is correct for the files.

Syntax
zmblobchk [options] start

The start command is required to avoid unintentionally running a blob check. The ID values are separated by commas.

Description
Long Name Short Name Description

--export-dir

<path> Target directory for database export files.

--help

-h

Displays help messages

--mailboxes

-m

<mailbox-ids> Specify which mailboxes to check. If not specified, check all mailboxes.

--missing-blob-delete-item

Delete any items that have a missing blob.

--no-export

Delete items without exporting

--skip-size-check

Skip blob size check

--unexpected-blob-list

<path> Write the paths of any unexpected blobs to a file

--verbose

-v

Display verbose output; display stack trace on error

--volumes

<volume-ids> Specify which volumes to check. If not specified, check all volumes

zmcalchk

Use zmcalchk to check the consistency of appointments on the Zimbra calendar and sends an email notification regarding inconsistencies. For example, it checks if all attendees and organizers of an event on the calendar agree on start/stop times and occurrences of a meeting.

See the output of zmmailbox help appointment for details on time-specs.

Syntax
zmcalchk [-d] [-n <type>] <user> <start-time-spec> <end-time-spec>
Description
Short Name Description

-d

Debugs verbose details

-m

Allows the user to specify the maximum number of attendees to check. The default value is 50.

-n

-n none | user | organizer | attendee | all

Send email notifications to selected users if they are out of sync for an appointment

zmschedulebackup

Use zmschedulebackup to schedule backups and add the command to your cron table.

The default schedule is as follows:

  • Full backup, every Saturday at 1:00 a.m. (0 1 * * 6)

  • Incremental backup, Sunday through Friday at 1:00 a.m. (0 1 * * 0-5)

Each crontab entry is a single line composed of five fields separated by a blank space. Specify the fields as follows:

  • minute — 0 through 59

  • hour — 0 through 23

  • day of the (month) — 1 through 31

  • month — 1 through 12

  • day of the (week) — 0 through 7 (0 or 7 is Sunday, or use names)

Type an asterisk (*) in the fields you are not using.

This command automatically writes the schedule to the crontab.

Syntax
zmschedulebackup {-q|-s|-A|-R|-F|-D}[f|i|d|] ["schedule"]
Description
Name Command Name Description

help

-h

Displays the usage options for this command.

query

-q

Default command. Displays the existing Zimbra backup schedule.

save

-s

Save the schedule. Allows you to save the schedule command to a text file so that you can quickly regenerate the backup schedule when the system is restored.

flush

-F

Removes the current schedule and cancels all scheduled backups.

append

-A

Adds an additional specified backup to the current schedule.

replace

-R

Replaces the current schedule with the specified schedule.

default

-D

Replaces the current schedule with the default schedule.

Options that will be passed to zmbackup

no compression

-n

Backs up blobs as individual files rather than in zip files

compress

-z

Backs up blobs in compressed zip files. Ignored if --zipStore is specified.

--zipStore

Backs up blobs in zip file without compression.

target

-t

Can be used only to designate a full back target location. The default is /opt/zimbra/backup.

You cannot designate a target for incremental backups. If a target (-t) location is added for incremental scheduled backups, it is ignored.

account

-a

Account specific. The default is all accounts.

--mail-report

Send an email report to the admin user.

--server

server - Mail server hostname. Default is localhost.

--sync

Runs full backup synchronously.

--excludeBlobs

Exclude blobs from full backup. If unspecified, server config is used.

--includeBlobs

Include blobs in full backup. If unspecified, the server config is used.

--excludeHsmBlobs

Exclude blobs on HSM volumes from full backup. If unspecified, the server config is used.

--includeHsmBlobs

Include blobs on HSM volumes in full backup. If unspecified, the server config is used.

--excludeSearchIndex

Exclude search index form full backup. If unspecified, the server config is used.

--includeSearchIndex

Include search index in full backup. If unspecified, the server config is used.

Cron schedule — backup-type: <i | f | d arg>

incremental backup

i

<time specifier> Incremental backup.

Incremental backup is not used with the auto-grouped backup mode.

full backup

f

Full backup

delete

d <arg>

Delete backups. <arg> is n(d | m | y)

Backup Scheduling Examples
Example 52. Schedule the default full and incremental backup
zmschedulebackup -D
Example 53. Replace the existing schedule with a new schedule
zmschedulebackup -R f ["schedule"]
Example 54. Add an additional full backup to the existing schedule
zmschedulebackup -A f ["schedule"]
Example 55. Add an additional incremental backup to the existing schedule
zmschedulebackup -A i ["schedule"]
Example 56. Display the existing schedules
zmschedulebackup -q
Example 57. Display the schedules on one line

Display the schedules on one line as a command, so that they can be copied to a text file and saved to be used if the application needs to be restored.

zmschedulebackup -s

zmbackupabort

Use zmbackupabort to stop a backup process. Before you can abort an account you must know its backup label. This label is displayed after you start the backup procedure. If you do not know the label, use zmbackupquery to find the label name.

To stop the restore process:

The zmbackupabort -r interrupts an ongoing restore. The restore process is stopped after the current account is restored. The command displays message showing which accounts were not restored.

Syntax
zmbackupabort [options]
Description
Long Name Short Name Description

--debug

-d

Display diagnostics for debugging purposes

--help

-h

Displays the usage options for this command

--label

-lb

<arg> Label of the full backup to be aborted.

Use zmbackupquery, to find the label name.

--restore

-r

Abort the restore in process

--server

-s

<arg> Mail server host name. For format, use either the plain host name or the server.domain.com name. The default is the localhost name.

--target

-t

<arg> Specifies the target backup location.

The default is /opt/zimbra/backup.

zmbackupquery

Use zmbackupquery to find full backup sets. The command can be used to find a specific full backup set or full backup sets since a specific date, or all backup sets in the backup directory.

To find out the best full backup to use as the basis for point-in-time restore of an account, run a command like this:

zmbackupquery -a <account email> --type full --to <restore-to time>
Syntax
zmbackupquery [options]
Description
Long Name Short Name Description

--account

-a

<arg> Account email addresses separated by white space or all for all accounts

--debug

-d

Display diagnostics for debugging purposes

--help

-h

Displays the usage options for this command

--from

<arg> List backups whose start date/time is at or after the date/time specified here.

--label

-lb

<arg> The label of the full backup session to query. An example of a label is backup202107121559510.

--server

-s

<arg> Mail server host name. For format, use either the plain host name or the server.domain.com name. The default is the localhost name.

--target

-t

<arg> Specifies the backup target location (The default is /opt/zimbra/backup.)

--to

<arg> List backups whose start date/time is at or before the date/time specified here.

--type

<arg> Backup set type to query. "full" or "incremental", both are queried if one is not specified.

--verbose

-v

Returns detailed status information

Specify date/time in one of these formats:

2021/12/16 12:19:23

2021/12/16 12:19:23 257

2021/12/16 12:19:23.257

2021/12/16-12:19:23-257

2021/12/16-12:19:23

20211216.121923.257

20211216.121923

20211216121923257

20211216121923

Specify year, month, date, hour, minute, second, and optionally millisecond.

Month/date/hour/minute/second are 0-padded to 2 digits, millisecond to 3 digits.

Hour must be specified in 24-hour format, and time is in local time zone.

zmrestore

Use zmrestore to perform full restores and incremental restores for a designated mail host. You can either specify specific accounts, or, if no accounts are specified, all accounts are in the backup are restored. In addition, you can restore to a specific point in time.

This utility has short option names and full names. The short option is preceded by a single dash, the full option is proceeded by a double dash. For example, -rf is the same as --restorefullBackupOnly.

Syntax
zmrestore [options]
Description
Long Name Short Name Description

--account

-a

<arg> Specifies the account email addresses. Separate accounts with a blank space or type all to restore all accounts.

--backedupRedologs

-br

Replays the redo logs in backup only, which Only excludes archived and current redo logs of the system.

--continueOnError

-c

Continue to restore other accounts when an error occurs.

--createAccount

-ca

Restores accounts to target accounts whose names are prepended with prefix.

(Can only be used in commands that use the -pre option.)

--debug

-d

Display diagnostics for debugging purposes.

--excludeBlobs

Do not restore blobs (HSM or not).

--excludeHsmBlobs

Do not restore HSM blobs.

--excludeSearchIndex

Do not restore search index.

--help

-h

Displays the usage options for this command.

--label

-lb

<arg> The label of the full backup to restore. Restores to the latest full backup if this is omitted.

--prefix

-pre

<arg> The prefix to pre-pend to the original account names.

--restoreAccount

-ra

Restores the account in directory service.

--restoreToIncrLabel

<arg> Replay redo logs up to and including this incremental backup

--restoreToRedoSeq

<arg> Replay up to and including this redo log sequence.

--restoreToTime

<arg> Replay redo logs until this time.

--restorefullBackupOnly

-rf

Restores to the full backup only, not any incremental backups since that backup.

--server

-s

<arg> Mail server host name. For format, use either the plain host name or the server.domain.com name. The default is the localhost name.

--skipDeletes

If true, do not execute delete operation during redo log replay.

--skipDeletedAccounts

Do not restore if named accounts were deleted or did not exist at backup time. (This option is always enabled with -a all)

--systemData

-sys

Restores global tables and local config.

--target

-t

<arg> Specifies the backup target location. The default is /opt/zimbra/backup.

Examples
Example 58. Perform complete restore of all accounts on server1

Perform complete restore of all accounts on server1, including last full backup and any incremental backups since last full backup.

zmrestore -a all -s server1.domain.com
Example 59. Perform restore only to last full backup

Perform restore only to last full backup, excluding incremental backups since then, for all accounts on server1.

zmrestore -rf -a all -s server1.domain.com
Example 60. Create a new account from a backup of the target account

The name of the new account will be new_user1@domain.com.

zmrestore -a user1@domain.com -ca -pre new_

zmrestoreoffline (Offline Restore)

zmrestoreoffline requires that the following is true:

  • mailboxd IS NOT running

  • SQL database IS RUNNING

  • LDAP directory IS RUNNING

Pre-requisites

Syntax
zmrestoreoffline [options]
Description
Long Name Short Name Description

--account

-a

<arg> Specifies the account email addresses. Separate accounts with a blank space or state all for restoring all accounts. Required.

--backedupRedologsOnly

-br

Replays the redo logs in backup only, which excludes archived and current redo logs of the system.

--continueOnError

-c

Continue to restore other accounts when an error occurs.

--createAccount

-ca

Restores accounts to new target accounts whose names are pre-pended with prefix.

--debug

-d

Display diagnostics for debugging purposes.

--help

-h

Displays the usage options for this command.

--ignoreRedoErrors

If true, ignore all errors during redo log replay.

--label

-lb

<arg> The label of the full backup to restore. Type this label to specify a backup file other then the latest.

--prefix

-pre

<prefix> The prefix to pre-pend to the original account names.

--restoreAccount

-ra

Restores the account in directory service.

--restoreToIncrLabel

<arg> Replay redo logs up to and including this incremental backup.

--restoreToRedoSeq

<arg> Replay up to and including this redo log sequence.

--restoreToTime

<arg> Replay redo logs until this time.

--restoreFullBackupOnly

-rf

Restores to the full backup only, not any incremental backups since that backup.

--server

-s

<arg> Mail server host name. For format, use either the plain host name or the server.domain.com name. The default is the localhost name. If -s is specified, this must be localhost.

--skipDeletedAccounts

-skipDeletedAccounts

Do not restore if named accounts were deleted or did not exist at backup time. (This option is always enabled with -a all)

--systemData

-sys

Restores global tables and local config.

--target

-t

<arg> Specifies the backup target location. The default is /opt/zimbra/backup.

Examples

Before you begin zmrestoreoffline, the LDAP directory server must be running.

Example 61. Perform a complete restore of all accounts on server1

Perform a complete restore of all accounts on server1, including last full backup and any incremental backups since last full backup.

zmrestoreoffline -s server1.domain.com

zmrestoreldap

Use zmrestoreldap to restore accounts from the LDAP backup.

Syntax
zmrestoreldap {-lb <arg>} {-t <arg>} [options]
Description
Short Name Description

-lb

<arg> Session label to restore from. For example, full202112291821113.

-t

<arg> Specifies the backup target location. The default is /opt/zimbra/backup.

-lbs

Lists all session labels in backup.

-l

Lists accounts in file.

-a

<arg> Restores named account(s). List account names separated by white space.

zmcontrol (Start/Stop/Restart Service)

Use zmcontrol to start, to stop, or to restart services. You can also find which version of the Zimbra Collaboration is installed.

Syntax
zmcontrol [ -v -h ] command [args]
Description
Long Name Short Name Description

-v

Displays Zimbra software version.

-h

Displays the usage options for this command.

-H

Host name (localhost).

Command in…​

maintenance

Toggle maintenance mode.

restart

Restarts all services and manager on this host.

shutdown

Shutdown all services and manager on this host. When the manager is shutdown, you cannot query that status.

start

Startup manager and all services on this host.

startup

Startup manager and all services on this host.

status

Returns services information for the named host.

stop

Stop all services but leaves the manager running.

Use zmmboxsearch is used to search across mailboxes. You can search across mailboxes to find messages and attachments that match specific criteria and save copies of these messages to a directory.

Syntax
zmmboxsearch {-m <arg>} {-q <arg>} [-o <arg>] [-l <arg>] [-d <arg>] [options]
Description
Long Name Short Name Description

--dir

-d

<arg> Folder to write the messages to. If none is specified, then only the headers are fetched. Files names are generated in the form RESULTNUM_ACCOUNT-ID_MAILITEMID.

--help

-h

Displays help information.

--limit

-l

Sets the limit for the number of results returned. The default is 25.

--mbox

-m

<arg> Comma-separated list of mailboxes to search. UIDs or email-address or /SERVER/MAILBOXID or *.

--offset

-o

<arg> Specify where the hit list should start. The default is 0.

--query

-q

<arg> The query string for the search.

--server

-s

<arg> Mail server hostname. default is the localhost

--verbose

-v

Request that the status message print while the search is being executed.

Example

The following example performs a cross-mailbox search in the inbox folder of two different mailboxes on the specified server and puts a copy of the found messages in to the specified directory.

Example 62. Cross-mailbox search
zmmboxsearch -m user1@yourdomain.com,user2@yourdomain.com -q "in:inbox" -d /var/tmp

zmmboxmove

Use zmmboxmove to move mailboxes. The destination server manages the overall move process. Using the zmmboxmove command significantly reduces the account lockout time.

The CLI command zmmboxmove is used to move mailboxes from one Zimbra server to another. Mailboxes can be moved between Zimbra servers that share the same LDAP server. All the files are copied to the new server and the LDAP is updated. After the mailbox is moved to a new server a copy still remains on the older server, but the status of the old mailbox is closed. Users cannot log on and mail is not delivered. You should check to see that all the mailbox content was moved successfully before purging the old mailbox.

Syntax
zmmboxmove -a <email> --from <src> --to <dest> [--sync]
Description
Long Name Short Name Description

--account

-a

<arg> Email address of account to move.

--help

-h

Displays the usage options for this command.

--from

-f

<arg> Mail server hostname. Server where the --account mailbox is located.

--to

-t

<arg> Destination server.

--sync

-sync

Run synchronously

zmmboxmovequery

Use zmmboxmovequery to query ongoing mailbox moves on a server, both move-ins and move-outs.

Syntax
zmmboxmovequery -a <account email> [-s <server to query>]

zmpurgeoldmbox

Use zmpurgeoldmbox to purge the mailbox from the older server after a mailbox move.

Syntax
zmpurgeoldmbox -a <account email> [-s <server to purge>]
Description
Long Name Short Name Description

--account

-a

<arg> Email address of account to purge.

--help

-h

Displays the usage options for this command

--server

-s

<arg> Mail server hostname. Old server where the account existed

zmgsautil

Use zmgsautil to create or delete the GAL sync account, and to force syncing of the LDAP data to the GAL sync account.

A GAL sync account is created when the GAL is configured on a domain. This account is created and the polling interval for performing a full sync is managed from the Administration Console.

To see attributes and settings for a GAL sync account, run zmprov gds against the account.

Long Name Description

createAccount

Creates the GAL sync account. This should be done from the Administration Console.

The parameter "server" is required.

-a {account-name} -n {datasource-name} --domain {domain-name} -t zimbra|ldap -s {server} [-f {folder-name}] [-p {polling-interval}]

addDataSource

When configuring a datasource for a server, specify a folder name other than /Contacts. The datasource folder name must be unique.

-a {account-name} -n {datasource-name} --domain {domain-name} -t zimbra|ldap [-f {folder-name}] [-p {polling-interval}]

deleteAccount

Deletes the GAL sync account and the references to the LDAP server. The account can also be deleted from the Administration Console.

deleteAccount [-a {galsynceaccountname}|-i {account-id}]

trickleSync

This syncs new and updated contact data only.

[-a {galsynceaccountname}|-i {account-id}]
[-d {datasource-id}] [-n {datsource-name}]

The datasource ID the LDAP datasource ID. The datasource name is the name of the address book (folder) in the GAL account created to sync LDAP to.

A cron job can be set up to run trickleSync.

fullSync

This syncs all LDAP contact data. You can also set this from the Administration Console.

[-a {galsynceaccountname}|-i {account-id}]
[-d {datasource-id}] [-n {datsource-name}]

forceSync

This should be used to reload the entire GAL if there is change in the filter, attribute mapping or LDAP server parameters.

[-a {galsynceaccountname}|-i {account-id}]
[-d {datasource-id}] [-n {datsource-name}]

zmldappasswd

Use zmldappasswd to change the LDAP password on the local server. In multi node environments, this command must be run on the LDAP master server only.

This CLI command used with options changes other passwords.

For better security and audit trails the following passwords are generated in Zimbra:

  • LDAP Admin password. This is the master LDAP password.

  • LDAP Root password. This is used for internal LDAP operations.

  • LDAP Postfix password. This is the password used by the postfix user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP master server.

  • LDAP Amavis password. This is the password used by the amavis user to identify itself to the LDAP server and must be configured on the MTA server to be the same as the password on the LDAP server.

  • LDAP Replication password. This is the password used by the LDAPreplication user to identify itself to the LDAP master and must be the same as the password on the LDAP master server.

Syntax
zmldappasswd [-h] [-r] [-p] [-l] new-password
Description
Name Syntax, Example, Notes

-h

Displays the help.

-a

Changes ldap_amavis-password.

-b

Changes ldap_bes_searcher_password.

-l

Changes ldap_replication_password.

-p

Changes ldap_postfix_password.

-n

Changes ldap_nginx_password.

-r

Changes ldap_root_passwd.

-c

Updates the password in the config database on replicas. Must be used with -1 and must be run on a replica after changing the password on the master.

Only one of a, l, p, or r can be specified. If options are not included, the zimbra_ldap_password is changed.

zmlocalconfig

Use zmlocalconfig to set or get the local configuration for a Zimbra server. Use zmlocalconfig -i to see a list of supported properties that can be configured by an administrator.

Syntax
zmlocalconfig [options]

To see the local config type zmlocalconfig.

Description
Long Name Short Name Description

--config

-c

<arg> File in which the configuration is stored.

--default

-d

Show default values for keys listed in [args].

--edit

-e

Edit the configuration file, change keys and values specified. The [args] is in the key=value form.

--force

-f

Edit the keys whose change is known to be potentially dangerous.

--help

-h

Shows the help for the usage options for this tool.

--info

-i

Shows the list of supported properties.

--format

-m

<arg> Shows the values in one of these formats: plain (default), xml, shell, nokey.

--changed

-n

Shows the values for only those keys listed in the [args] that have been changed from their defaults.

--path

-p

Shows which configuration file will be used.

--quiet

-q

Suppress logging.

--random

-r

This option is used with the edit option. Specified key is set to a random password string.

--show

-s

Forces the display of the password strings.

--unset

-u

Remove a configuration key. If this is a key with compiled-in defaults, set its value to the empty string.

--expand

-x

Expand values.

--zimbraAmavisMaxServers

Allows control of the concurrency of Amavisd (default 10).

--zimbraClamAVMaxThreads

Allows control of the concurrency of ClamAV (default 10).

zmmailbox

Use zmmailbox for mailbox management. The command can help administrators provision new mailboxes along with accounts, debug issues with a mailbox, and help with migrations.

You can invoke the zmmailbox command from within the zmprov command. You enter selectMailbox within zmprov to access the zmmailbox command connected to that specified mailbox. You can then enter zmmailbox commands until you type exit. Exit returns you to zmprov. This is useful when you want to create accounts and also pre-create some folders, tags, or saved searches at the same time.

Syntax
zmmailbox [args] [cmd] [cmd-args]...
Description
Short Name Long Name Syntax, Example, and Notes

-h

--help

Display usage.

-f

--file

Use file as input stream.

-u

--url

http[s]://{host}[:{port}] server hostname and optional port. Must use admin port with -z/-a.

-a

--account

Account name to auth as {name}.

-z

--zadmin

Use zimbra admin name/password from localconfig for admin/password.

-y

--authtoken {authtoken}

Use authtoken string (has to be in JSON format) from command line.

-Y

--authtoken {authtoken-file}

Use authtoken string (has to be in JSON format) from a file.

-m

--mailbox {name}

Mailbox to open. Can be used as both authenticated and targeted unless other options are specified.

--auth {name}

Account name to authorize as. Defaults to --mailbox unless --admin-priv is used.

-A

--admin-priv

Execute requests with admin privilege.

-p

--password {pass}

Password for admin account and or mailbox.

-P

--passfile {file}

Read password from file.

-t

--timeout

Timeout (in seconds).

-v

--verbose

Verbose mode (dumps full exception stack trace)

-d

--debug

Debug mode (dumps SOAP messages)

Specific CLI tools are available for the different components of a mailbox. Usage is described in the CLI help for the following.

zmmailbox help admin

Help on admin-related commands.

zmmailbox help commands

Help on all zmmailbox commands.

zmmailbox help appointment

Help on appointment-related commands.

zmmailbox help contact

Help on contact-related commands (address book).

zmmailbox help conversation

Help on conversation-related commands.

zmmailbox help filter

Help on filter-related commands.

zmmailbox help folder

Help on folder-related commands.

zmmailbox help item

Help on item-related commands.

zmmailbox help message

Help on message-related commands.

zmmailbox help misc

Help on miscellaneous commands.

zmmailbox help right

Help on right commands.

zmmailbox help search

Help on search-related commands.

zmmailbox help tag

Help on tag-related commands.

Examples
Example 63. Create tags and folders

When you create an account, you may want to pre-create some tags and folders. You can invoke zmmailbox inside of zmprov by using selectMailbox(sm).

$ zmprov
prov> ca user10@domain.example.com test123
9a993516-aa49-4fa5-bc0d-f740a474f7a8
prov> sm user10@domain.example.com
mailbox: user10@domain.example.com, size: 0 B, messages: 0, unread: 0
mbox user10@domain.example.com> createFolder /Archive
257
mbox user10@domain.example.com> createTag TODO
64
mbox user10@domain.example.com> createSearchFolder /unread "is:unread"
258
mbox user10@domain.example.com> exit
prov>
Example 64. Find the mailbox size for an account
zmmailbox -z-m user@example.com gms
Example 65. Send requests to a mailbox using the admin auth token

This is required when using the command emptyDumpster. Use --admin-priv to skip delegated auth as the target mailbox.

zmmailbox -z --admin-priv -m foo@example.com emptyDumpster
Example 66. Use --admin-priv with select Mailbox command
zmmailbox -z
mbox> sm --admin-priv foo@domain.com
Example 67. Authenticate as a delegated admin user

This lets one user login to another user’s mailbox. The authenticating user must be a delegated admin account and must have the adminLoginAs right on the target mailbox. This auth option uses a non-admin auth token. Use the --auth option to specify the authenticating account. To login as user bar and open mailbox foo:

$ zmmailbox --auth bar@example.com -p password -m foo@example.com
Example 68. Find the mailbox size for an account
zmmailbox -z -m user@example.com gms
Example 69. Backup mailbox content in a zip file

When you use zmmailbox to backup individual mailboxes, you can save the file as either a zip file or a tgz file. The default settings for the information that is saved in these formats is different.

File TGZ ZIP

Briefcase

X

X

Calendar

X

Conversations

X

Contacts

X

X

Deleted Messages

X

X

Emailed Contacts

X

Inbox

X

X

Sent

X

X

Sent Messages

X

X

Tasks

X

To include all the mailbox content in a zip file, you must enable the meta data. Type as:

zmmailbox -z -m user@example.com gru "?fmt=zip&meta=1" > <filename.zip>

zmtlsctl

Use zmtlsctl to set the Web server zimbraMailMode to the communication protocol options: HTTP, HTTPS, Mixed, Both and Redirect. The default setting is HTTPS.

The zmtlsctl setting also impacts the ZCO’s Use Secure Connection setting. ZCO users in a self-signed environment will encounter warnings about connection security unless the root CA certificate is added to Window Certificate Store. See the Zimbra Wiki article ZCO Connection Security for more information.
  • HTTP. HTTP only, the user would browse to http://zimbra.domain.com.

  • HTTPS. HTTPS only (default), the user would browse to https://zimbra.domain.com. http:// is denied.

  • Mixed If the user goes to http:// it will switch to https:// for the login only,then will revert to http:// for normal session traffic. If the user browses to https://, then the user will stay https://

  • Both A user can go to http:// or https:// and will keep that mode for the entire session.

  • Redirect Like mixed if the user goes to http:// it will switch to https:// but they will stay https:// for their entire session.

All modes use TLS encryption for back-end administrative traffic.

Only zimbraMailMode HTTPS can ensure that no listener will be available on HTTP/port 80, that no client application will try to auth over HTTP, and that all data exchanged with the client application will be encrypted.

Note, mailboxd has to be stopped and restarted for the change to take effect.

If you switch to HTTPS, you use the self-signed certificate generated during Zimbra installation in /opt/zimbra/ssl/zimbra/server/server.crt. For ZCO users, secure ZCO profiles will display Certificate Trust dialogs unless the root CA certificate is deployed to the server. For more information about ZCO certificates, see the Zimbra Wiki page ZCO Connection Security.
Syntax
zmtlsctl [mode]

mode = http, https, mixed, both, redirect

Steps to run
  1. Type zmtlsctl [mode] and press ENTER.

  2. Type zmmailboxdctl stop and press ENTER.

  3. When mailboxd is stopped, type zmmailboxdctl start and press ENTER.

Limitations When Using Redirect
  • Many client applications send an auth request in the initial HTTP request to the Server ("blind auth"). The implications of this are that this auth request is sent in the clear/unencrypted prior to any possible opportunity to redirect the client application to HTTPS.

  • Redirect mode allows for the possibility of a man-in-the-middle attack, international/unintentional redirection to a non-valid server, or the possibility that a user will mis type the server name and not have certificate-based validity of the server.

  • In many client applications, it is impossible for users to tell if they have been redirected (for example, ActiveSync), and therefore the users continue to use HTTP even if the auth request is being sent unencrypted.

zmhsm

Use zmhsm to start, stop (abort), and see the status of a HSM session. The threshold for when messages are moved to a storage volume is configured from the Administration Console, ServersVolumes page.

Syntax
zmhsm {abort|start|status} {server} <name>
Description
Long Name Short Name Description

--abort

-a

Aborts the current HSM session. If all the messages in a mailbox being processed were not moved before you clicked Abort, no messages from that mailbox are moved from the primary volume. Messages for mailboxes that have completed the move to the secondary volume are not moved back to the primary volume.

--help

-h

Shows the help for the usage options for this tool.

--server

-s

<arg> The mail server host name. The default is the localhost [args].

--start

-t

Manually starts the HSM process.

--status

-u

The status of the last HSM session is displayed.

zmlicense

Use zmlicense to view and install your Zimbra license. The license can be viewed and installed from the Administration Console, Global Settings → License page.

Syntax
zmlicense [options]
Description
Long Name Short Name Description

--check

-c

Check to see if a valid license is installed.

--help

-h

Shows the help for the usage options for this tool.

--install

-i

<arg> Installs the specified license file.

--ldap

-l

Install on LDAP only.

--print

-p

Displays the license information.

zmmetadump

The zmmetadump command is a support tool that dumps the contents of an item’s metadata in a human readable form.

Syntax
zmmetadump -m <mailbox id/email> -i <item id>

or

zmmetadump -f <file containing encoded metadata>

zmmypasswd

Use zmmypasswd to change zimbra_mysql_password. If the --root option is specified, the mysql_root_passwd is changed. In both cases, MariaDB is updated with the new passwords. Refer to the MariaDB documentation to see how you can start the MariaDB server temporarily to skip grant tables, to override the root password.

This requires a restart for the change to take effect.
Syntax
zmmypasswd [--root] <new_password>

zmplayredo

Users who maintain a backup and restore mechanism using the snapshot facility of the storage layer use zmplayredo to restore backed up data. This command brings all backed up data to the current state so that there is no loss of information during the restore process.

Syntax
zmplayredo <option>
Description
Long Name Short Name Description

--fromSeq

<arg> Replays snapshots from the specified redolog sequence.

--fromTime

<arg> Replays snapshots from the specified time.

--help

-h

Shows the help information for this command.

--logfiles

<arg> Replays the specified logfiles in order.

--mailboxId

<arg> Replays snapshots for the specified mailbox.

--queueCapacity

<arg> Used for specifying the queue capacity per player thread. The default value is 100.

--stopOnError

Stops the replay on occurrence of any error.

--threads

<arg> Specifies the number of parallel redo threads. The default value is 50.

--toSeq

<arg> Replays snapshots to the specified redolog sequence.

--toTime

<arg> Replays snapshots to the specified time.

Time is specified in the local time zone. The year, month, date, hour, minute, second, and optionally millisecond should be specified. Month/date/hour/ minute/second are 0-padded to 2 digits, millisecond to 3 digits. The hour must be specified in a 24-hour format.

zmproxyconfgen

Use zmproxyconfgen to generate the Nginx proxy configuration files. It reads LDAP settings to replace template variables and generates the final Nginx configuration.

Syntax
ProxyConfGen [options]
Description
Long Name Short Name Description

--config

-c

<arg> Overrides a config variable. The <arg> format should be name=value. To see a list of names, use -d or -D.

--defaults

-d

Prints the default variable map.

--definitions

-D

Prints the Definitions variable map after loading LDAP configuration and processing overrides.

--help

-h

Displays help information.

--include-dir

-i

<arg> Displays the directory path (relative to $workdir/conf), where included configuration files are written.

--dry-run

-n

Specifies not to write configuration and only display the files that would be written.

--prefix

-p

<arg> Displays the config file prefix. The default value is nginx.conf

--template-prefix

-P

<arg> Displays the template file prefix. The default value is $prefix.

--server

-s

<arg> Specifies a valid server object. Configuration is generated based on the specified server’s attributes. The default is to generate configuration based on global configuration values.

--templatedir

-t

<arg> Specifies the proxy template directory. The default value is $workdir/conf/nginx/templates.

--verbose

-v

Displays verbose data.

--workdir

-w

<arg> Specifies the proxy working directory. The default value is /opt/zimbra.

zmproxypurge

Use zmproxypurge to purge POP/IMAP proxy routing information from one or more memcached servers. Available memcached servers are discovered by the zmprov gamcs function. Others can be specified if necessary using the server port.

Syntax
ProxyPurgeUtil [-v] [-i] -a account [-L accountlist] [cache1] [cache2]...]
Description
Long Name Short Name Description

--help

-h

Shows the help for the usage options for this tool.

--verbose

-v

Displays verbose data.

--info

-i

Displays account routing information.

--account

-a

Displays account name.

--list

-L

Displays file containing list of accounts, one per line.

--output

-o

Specifies the format to be used for printing routing information with information. The fields that display by default are

  • cache server

  • account name

  • route information

cacheN

(optional command) Specifies additional memcache server in the form of server:port.

zmredodump

Use zmredodump for debugging purposes and to dump the contents of a redolog file. When users are debugging a problem, Zimbra support might ask them to run zmredodump with specific options.

Multiple log files/directories can be specified with all redolog files under each directory being sorted in ascending order and processed.

Syntax
zmredodump [options] <redolog file/directory> [...]
Description
Long Name Short Name Description

--help

-h

Displays help messages.

-m

Specifies the mailbox ids separated by a comma or a space. The entire list of mailbox ids must be quoted if using space as a separator.

To dump contents of all the redolog files, omit this option.

--no-offset

Specifies if file offsets and size for each redolog dump should not be shown.

--quiet

-q

Activates the quiet mode. Used to only print the log filename and errors, if any. Useful for verifying integrity of redologs with minimal output.

--show-blob

Shows blob content. The specified item’s blob is printed with <START OF BLOB> and <END OF BLOB> marking the start and end of the blob.

zmskindeploy

Use zmskindeploy to simplify the process of deploying skins for the Classic Web App. This tool processes the available skins, enables them for all users of the Zimbra deployment, and restarts the web server so that it recognizes the new skins.

Syntax
zmskindeploy <path/to/skin/dir/or/zipfile>

zmsoap

Use zmsoap to print mail, account, and admin information in the SOAP format.

Syntax
zmsoap [options] {path1} [path2]...
Description
Long Name Short Name Description

--help

-h

Prints usage information.

--mailbox

-m

<name> Displays mailbox account name. Mail and account requests are sent to this account. This attribute is also used for authentication if -a and -z are not specified.

--target

<name> Displays the target account name to which the requests are sent. Used only for non-admin sessions.

--admin name

-a

<name> Displays the admin account name to authenticate as.

--zadmin

-z

Displays the Zimbra admin name and password to authenticate as.

--password

-p

<pass> Displays account password.

--passfile

-P

<path> Reads password from a file.

--element

-e

<path> Displays the root element path. If specified, all path arguments that do not start with a slash (/) are relative to this element.

--type

-t

<type> Displays the SOAP request type. Can either be mail, account, or admin.

--url

-u

<http[s]://…​> Displays the server hostname and optional port value.

--verbose

-v

Prints the SOAP request and other status information.

path

<[path]…​> Displays the element or attribute path and value. Roughly follows the XPath syntax as: [/]element1[/element2][/@attr][=value].

zmstat-chart

Use zmstat-chart to collect statistical information for the CPU, IO, mailboxd, MTAqueue, MariaDB, and other components and to run a script on the csv files to display the usage details in various charts. These csv files are saved to /opt/zimbra/zmstat/.

You must enable zmstat to collect the performance charts data:

  1. Enter zmprov ms {hostname} zimbraServerEnable stats.

  2. Restart the server, Enter:

    zmcontrol stop
    zmcontrol start
Syntax
zmstat-chart -s <arg> -d <arg> [options]
Description
Long Name Short Name Description

--aggregate-end-at

<arg> If this is specified, the aggregate computation ends at this timestamp. Usage is MM/dd/yyyy HH:mm:ss.

--aggregate-start-at

<arg> If this is specified, the aggregate computation starts at this timestamp. Usage is MM/dd/yyyy HH:mm:ss.

--end-at

<arg> If this is specified, all samples after the specified timestamp are ignored. Usage is MM/dd/yyyy HH:mm:ss.

--start-at

<arg> If this is specified, all samples before this timestamp are ignored.

--title

<arg> This gives the chart a title that displays. Defaults to the last directory name of srcdir.

--no-summary

Summary data generation is not included.

--conf

-c

<arg> Chart the configuration xml files.

--destdir

-d

<arg> The directory where the generated chart files are saved.

--srcdir

One or more directories where the csv files are located. The csv files are moved to directories listed by date under zmstat/.

zmstat-chart-config

Use zmstat-chart-config to generate an xml file /opt/zimbra/conf/zmstat-chart.xml from a template, taking into account the server setup including theLDAP node and the processes run, among other specifications.

zmstatctl

Use zmstatctl to run a control script for checking zmstat data collectors. This instruction starts or stops monitoring processes, and checks status or rotates logs.

Syntax
zmstatctl start|stop|status|rotate

zmthrdump

Use zmthrdump to invoke a thread dump in the Zimbra server process and print the output file. This command also gives the option of saving the thread dump to a file and inserts a timestamp on the logfile.

Syntax
zmthrdump [-h] [-i] [-t <timeout seconds>] [-p <pid file>] [-f <file>] [-o <out-file>]
Description
Short Name Description

-h

Displays help messages.

-i

Appends the timestamp to the LOGFILE before invoking SIGQUIT.

-p

Returns the PID to send SIGQUIT. The default value can be found in zmmailboxd_java.pid

-f

Specifies the LOGFILE to save the thread dump output in. The default value is zmmailbox.out.

-o

Specifies the output file of the thread dump. The default value is stdout.

-t

Specifies the timeout value (in seconds) to exit if the process becomes unresponsive. The default value is 30 seconds.

zmtrainsa

Use zmtrainsa to train the anti-spam filter. This command is run automatically every night to train the SpamAssasin filter from messages users mark as "junk" / "not junk" from their mailbox. See SpamAssassin’s sa-update tool, which is included with SpamAssassin. This tool updates SpamAssassin rules from the SA organization. The tool is installed into /opt/zimbra/common/bin.

The zmtrainsa command can be run manually to forward any folder from any mailbox to the spam training mailboxes. If you do not enter a folder name when you manually run zmtrainsa for an account, for spam, the default folder is Junk. For ham, the default folder is Inbox.

Syntax
zmtrainsa <user> <spam|ham> [folder]

zmtzupdate

Use zmtzupdate to update time zone changes in existing appointments for specific users or all users. An .ics rule file should first be created to run with this command. A rule file lists a series of rules to match a time zone and the replacement time zone definitions. More information about this command can be found at: https://wiki.zimbra.com/wiki/Changing_ZCS_Time_Zones.

Syntax
zmtzupdate --rulefile <rule file> -a <"all" or list of specific email addresses> [--sync] [--after <date/time stamp>]
Description
Long Name* Short Name Description

--account

-a

<arg> account email addresses separated by a white space. Use "all" for all accounts to be updated.

--after

<arg> Appointments occurring after the specified date/time in this field are updated. The default cut off time is January 1st, 2008.

--help

-h

Displays help information.

--rulefile

Specifies the .ics XML file that should be used to update time zone definitions.

--server

-s

<arg> Specifies the mail server hostname. The default value is localhost.

--sync

If specified, this option causes the zmtzupdate command to block till the server processes all requested accounts. The default value is no.

zmvolume

Use zmvolume to manage storage volumes from the CLI. Note that volumes can be managed from the Administration Console, ServerVolumes page.

Syntax
zmvolume {-a|-d|-l|-e|-dc|-sc} [options]
Description
Long Name Short Name Description

--add

-a

Adds a volume.

--compress

-c

<arg> Compress BLOBs; "true" or "false".

--compressionThreshold

-ct

Compression threshold; default 4KB.

--delete

-d

Deletes a volume.

--displayCurrent

-dc

Displays the current volume.

--edit

-e

Edits a volume.

--help

-h

Shows the help for the usage options for this tool.

--id

-id

<arg> Volume ID.

--list

-l

Lists volumes.

--name

-n

<arg> Volume name.

--path

-p

<arg> Root path.

--server

-s

<arg> Mail server hostname. Default is localhost.

--setCurrent

-sc

Sets the current volume.

--type

-t

<arg> Volume type (primaryMessage, secondaryMessage, or index)

--turnOffSecondary

-ts

Turns off the current secondary message volume.

zmzimletctl

Use zmzimletctl to manage Zimlets and to list all Zimlets on the server. Additional information is provided in Zimlets. Most Zimlet deployment can be completed from the Zimbra Administration Console.

Syntax
zmzimletctl [-l] {command} [<zimlet.zip>|<config.xml>|<zimlet>]
Description
Long Name Description

deploy

<zimlet.zip> Creates the Zimlet entry in the LDAP server, installs the zimlet files on the Server, grants, access to the members of the default COS, and turns on the Zimlet.

undeploy

<zimlet> Uninstall a zimlet from the Zimbra server.

install

<zimlet.zip> Installs the Zimlet files on the host.

ldapDeploy

<zimlet> Adds the Zimlet entry to the LDAP.

enable

<zimlet> Enables the Zimlet.

disable

<zimlet> Disables the Zimlet.

acl

<zimlet> <cos1> {grant | deny} | [<cos2> {grant|deny}…​]

Sets the access control, grant|deny, to a COS.

listAcls

<zimlet> Lists the ACLs for the Zimlets.

listZimlets

View details about all Zimlets on the server.

getConfigTemplate

<zimlet.zip> Extracts the configuration template from the Zimlet.zip file.

configure

<config.xml> Installs the configuration.

listPriority

Shows the current Zimlet priorities (0 is high, 9 is low)

setPriority

<zimlet> Sets the Zimlet priority.

zmproxyconfig

Use zmproxyconfig to manage Zimbra proxy and should only be used when you have to make changes to Zimbra proxy after it has been installed. See Zimbra Proxy Server.

Previous to Zimbra Collaboration 6.0, this command was called zmproxyinit.
Syntax
/opt/zimbra/libexec/zmproxyconfig [-h] [-o] [-m] [-w] [-d [-r] [-s] [-a w1:w2:w3:w4] [-i p1:p2:p3:p4] [-p p1:p2:p3:p4] [-x mailmode]] [-e [-a w1:w2:w3:w4] [-i p1:p2:p3:p4] [-p p1:p2:p3:p4] [-x mailmode]] [-f] -H hostname
Description
Short Name Description

-h

Displays help messages.

-H

Hostname of the server on which enable/disable proxy functionality.

-a

Colon separated list of Web ports to use. Format: HTTP-STORE:HTTP-PROXY:HTTPS-STORE:HTTPS-PROXY (Ex: 8080:80:8443:443)

-d

Disable proxy.

-e

Enable proxy.

-f

Full reset on memcached port and search queries and POP/IMAP throttling.

-i

Colon separated list of IMAP ports to use. Format: IMAP-STORE:IMAP-PROXY:IMAPS-STORE:IMAPS-PROXY (Ex: 7143:143:7993:993)

-m

Toggle mail proxy portions.

-o

Override enabled checks.

-p

Colon separated list of POP ports to use. Format: POP-STORE:POP-PROXY:POPS-STORE:POPS-PROXY (Ex: 7110:110:7995:995)

-r

Run against a remote host. Note that this requires the server to be properly configured in the LDAP master.

-s

Set Cleartext to FALSE (secure mode) on disable.

-t

Disable reverse proxy lookup target for the store server. Only valid with -d. Make sure that you intend for all proxy functions for the server to be disabled.

-w

Toggle Web proxy portions.

-x

zimbraMailMode to use on disable (Default is HTTP)

hostname is the value of the zimbra_server_hostname LC key for the server being modified.

Required options are -f by itself, or -f with -d or -e.

Note that

  • -d or -e require one or both of -m and -w.

  • -i or -p require -m.

  • -a requires -w.

  • -x requires -w and -d for store.

  • -x requires -w for proxy.

The following are the defaults for -a, -i, -p, and -x if they are not supplied as options.

-a

default on enable: 8080:80:8443:443

default on disable: 80:0:443:0

-i

default on enable: 7143:143:7993:993

default on disable: 143:7143:993:7993

-p

default on enable: 7110:110:7995:995

default on disable: 110:7110:995:7995

-x

default on store disable: http

default on proxy enable/disable: http

zmsyncreverseproxy

Use zmsyncreverseproxy to reverse proxy mobile sync HTTP traffic between the source and forwarding server and port. Decodes the sync requests/responses and logs them when verbose mode is turned on.

Syntax
zmsyncreverseproxy [-v] [-d] [-L log4j.properties] -p <port number> -fs <fwd server> -fp <fwd port> [-sv syncversions]
Description
Long Name Short Description

--help

-h

Displays help.

--verbose

-v

Verbose mode, dumps full exception stack trace.

--debug

-d

Debug mode, dumps decoded sync messages.

--port

-p

The port this service listens on.

--forwardserver

-fs

The server host to forward requests to.

--forwardport

-fp

The server port to forward requests to.

--syncversions

-sv

Active sync versions supported.

--logpropertyfile

-L

log4j property file, valid only with -l.

Appendix B: Configuring SPNEGO Single Sign-On

The SPNEGO protocol mechanism can be configured on Zimbra for single sign-on authentication to the Zimbra Classic Web App, Modern Web App, and to the Zimbra Connector for Outlook (ZCO). For ZCO configuration see Setting Up Single Sign-On Options for ZCO.

When users have authenticated to their Intranet through Active Directory, they can enter their Zimbra mailbox using Classic Web App or Modern Web App without having to re-authenticate.

SPNEGO Architecture

The Zimbra server configuration will redirect users attempting to log on to the Classic Web App or Modern Web App to a URL under SPNEGO protection. The server asks for authentication with Kerberos through SPNEGO, and redirects users to their Zimbra mailbox. When users log out, they get redirected to a logout URL that displays a Launch button. When users click it, they get directed to the Zimbra login page.

When users log on to their Zimbra accounts from the Internet, the Zimbra login page displays and they must enter their Zimbra password to log on.
With SPNEGO SSO enabled on a domain, corresponding browser configuration is essential. See Configure Your Browser. Improperly configured browsers may bypass SPNEGO by opening an authentication dialog, thereby allowing a user to log in to the Zimbra mailbox by entering their correct AD domain username/password. Some other browsers may display a "401 Unauthorized" error in that situation.

Configuration Process

  1. Create the Kerberos keytab file.

    • Create an Active Directory service account. You use this account to generate the Kerberos keytab file.

    • Add the service Principal Names (SPN) directory property for an Active Directory service account.

    • Create the keytab file.

  2. Enable and configure the SPNEGO protocol on the Zimbra server.

  3. Configure browsers

Create the Kerberos Keytab File

Create an Active Directory service Domain account for each mailstore server.

  1. Create an Active Directory service account. You use this account to generate the Kerberos keytab file to add to the Zimbra server.

    1. Go to the Active Directory Start → Programs → Administrative Tools → Active Directory Users and Computers console.

    2. To create the service account, click the AD Domain name and from the expanded content right-click Users and select New → User. Complete the New Object – User dialog.

      AD New User
      • Full name: Enter the user display name for the AD service account. We recommend using the Zimbra mailbox server name as the full name.

        Example: Zimbra SPNEGO.

      • User Logon Name: This name is the value set for the zimbraSpnegoAuthTargetName server attribute in LDAP. Write it down.

        Example: zimbraspnego/zimbralab.local.

      • User Logon Name (pre-Windows2000): This name is used for the –mapUser parameter in the setspn and ktpass commands.

        Example: ZIMBRALAB\zimbraspnego.

        New AD User Dialog
      • Click Next.

    3. Enter and confirm the password for the –pass {AD-user-password} parameter in the ktpass command, configured below.

    4. Check Password never expires and User cannot change password, and click Next.

    5. Click Finish to create the user. The service account name displays in the Users directory.

  2. Use the setspn command to map the mailbox server name to the user account as the Service Principal Name (SPN). The SPN features in the process of mutual authentication between the client and the server hosting a particular service.

    1. From the command prompt, type setspn –a {userlogonname} {serviceaccountname}

      Example 70. Map mailbox server name as servie Principal Names to user account
      setspn –a HTTP/mail1.example.com mail1
    2. To verify that the SPN is registered, type C:\>setspn –l {accountname}
      A list of registered SPNs is displayed.

  3. Create the keytab file used when signing into the Kerberos domain. Use the ktpass tool from the Windows Server toolkit to create the Kerberos keytab.

    A Kerberos keytab file contains a list of keys that are analogous to user passwords. Restrict and monitor permissions on any keytab files you create.

    The command to type follows:

    ktpass -out {keytab-file-to-produce} -princ {Service-Principal-Name}@\{the-kerberos-realm} -mapUser {AD-user} -mapOp set -pass {AD-user-password} -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

    ktpass -out

    The key is written to this output file.

    Enter the directory location and keytab file name. The keytab file name is jetty.keytab.

    For example, C:\Temp\spengo\jetty.keytab.

    -princ

    The principal name.

    Enter the service Principal Name as used in Step 2 of Create the Kerberos Keytab File.

    For example, HTTP/mail1.example.com@MY_COMPANY.COM.

    -mapUser

    Maps the principal name from the -princ parameter to this user account.

    Enter the name of the AD service account previously set as the User Logon Name (pre-Windows2000) in Step 1.b of Create the Kerberos Keytab File.

    -mapOp

    This option sets the mapping. The value for this parameter is set.

    -pass

    Specifies the password to use with the -princ account.

    Enter the password entered in the User Logon Name (pre-Windows2000) set in Step 1.c of Create the Kerberos Keytab File.

    -crypto

    The cryptosystem to use.

    Enter RC4-HMAC-NT.

    -pType

    Enter KRB5_NT_PRINCIPAL.

    To avoid warning messages from the toolkit, enter this value.

  4. Using ktpass to create a jetty.keytab file

    ktpass -out C: \Temp\spengo\jetty.keytab -princ HTTP/mail1.example.com@MY_COMPANY.COM -mapUser mail1 -mapOp set - pass password123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

    The command confirmation comes with something similar to the example below.

    Targeting domain controller:
       ...
    
        Using legacy password setting method
        Successfully mapped HTTP/mail1.example.com to mail1.
        Key created.
        Output keytab to c:\Temp\spengo\jetty.keytab:
        Keytab version: 0x502
    
        keysize 71 HTTP HTTP/mail1.example.com@MY_COMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno3 etype 0x17 (RC4-HMAC) keylength 16 (0xc383f6a25f1e195d5aef495c980c2bfe)
    `spnegofile.keytab`
  5. Transfer the keytab file (jetty.keytab) to the Zimbra server. Copy the file created in step 3 to the following Zimbra server location: /opt/zimbra/data/mailboxd/spnego/jetty.keytab.

Do not rename the jetty.keytab file. Many configuration files reference this filename.

Repeat steps 1 to 4 to create an create the keytab file (jetty.keytab) for each Zimbra mailstore server.

Configure Zimbra

SPNEGO attributes get configured in Global Config and on each Zimbra server, and domain pre-authentication gets configured for the domain. Use the zmprov command to modify the Zimbra server.

A Zimbra installation may support only one Kerberos REALM.
  1. Modify the following global config attributes, with the zmprov mcf command.

    zimbraSpnegoAuthEnabled

    Set to TRUE.

    zimbraSpnegoAuthErrorURL

    This value is the URL that users get redirected to when SPNEGO auth fails. Setting it to /zimbra/?ignoreLoginURL=1 redirects the user to the regular Zimbra login page, where the user enters their Zimbra user name and password.

    zimbraSpnegoAuthRealm

    The Kerberos realm in the domain controller; the domain name in the Active Directory. (MY_COMPANY.COM)

    To modify the global config attributes, type:

    1. zmprov mcf zimbraSpnegoAuthEnabled TRUE

    2. zmprov mcf zimbraSpnegoAuthErrorURL '/zimbra/?ignoreLoginURL=1'

    3. zmprov mcf zimbraSpnegoAuthRealm <MY_COMPANY.COM>

  2. On each Zimbra server, modify the following global config attributes with the zmprov ms command.

    zimbraSpnegoAuthTargetName

    This is the user logon name from Step 1 B, User Logon Name.

    zimbraSpnegoAuthPrincipal

    Enter the user logon name set in zimbraSpnegoAuthTargetName and the address set in global config zimbraSpnegoAuthRealm.

    Type as zimbraSpnegoAuthTargetName@zimbraSpnegoAuthRealm.

    For example, HTTP/mail1.example.com@MY_COMPANY.COM.

    To modify the server global config attributes, type:

    1. zmprov ms mail1.example.com zimbraSpnegoAuthTargetName HTTP/mail1.example.com

    2. zmprov ms mail1.example.com zimbraSpnegoAuthPrincipal HTTP/mail1.example.com@MY_COMPANY.COM

  3. Set up the following for the domain.

    • Kerberos Realm

    • Virtual host

    • Web client login URL and UAs

    • Web client logout URL and UAs

      1. Set up the Kerberos Realm for the domain as the same realm set in the global config attribute zimbraSpnegoAuthRealm. Type zmprov md {domain} zimbraAuthKerberos5Realm {kerberosrealm}.

      2. Set up the virtual hosts for the domain. Virtual-hostname-* are the hostnames you can browse to for the Zimbra Classic Web App UI. Type:

        zmprov md {domain} +zimbraVirtualHostname {virtual-hostname-1} +zimbraVirtualHostname {virtual-hostname-2}
        ...
      3. Setup the web client login URL, and UAs allowed for the login URL on the domain.

        • Set the login URL. The login URL is the URL to redirect users to when the Zimbra auth token is expired. zmprov md {domain} zimbraWebClientLoginURL '../service/spnego'.

        • Honor only supported platforms and browsers.

          zimbraWebClientLoginURLAllowedUA is a multi-valued attribute,values are regex. If this is not set, all UAs are allowed. If multiple values are set, an UA is allowed as long as it matches any one of the values.

          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA {UA-regex-1} +zimbraWebClientLoginURLAllowedUA {UA-regex-2} ...

          For example, to honor zimbraWebClientLoginURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.

          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA '._Windows._Firefox/3.*'
          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA '._MSIE._Windows.*'
          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA '._Windows._Chrome.*'
          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA '._Windows._Safari.*'
          zmprov md {domain} +zimbraWebClientLoginURLAllowedUA '._Macintosh._Safari.*'
      4. Setup the web client logout URL and UAs allowed for the logout URL on the domain.

        • Set the logout URL. The logout URL is the URL to redirect users to when users click Logout.

          zmprov md {domain} zimbraWebClientLogoutURL '../?sso=1'
        • Honor only supported platforms and browsers. zimbraWebClientLogoutURLAllowedUA is a multi-valued attribute, where the accepted values are regex. If this attribute has no set value, all UAs are allowed. When it has multiple values, a UA is allowed as long as it matches any one of the values.

          zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA {UA-regex-1} +zimbraWebClientLogoutURLAllowedUA {UA-regex-2} ...

          For example, to honor zimbraWebClientLogoutURL only for Firefox, Internet Explorer, Chrome, and Safari on computers running Windows, and Safari on Apple Mac computers, type the following commands.

          zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA '._Windows._Firefox/3.*'
          zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA '._MSIE._Windows.*'
          zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA '._Windows._Chrome.*'
          zmprov md {domain} +zimbraWebClientLogoutURLAllowedUA '._Windows._Safari.*'

Configure Your Browser

With the SPNEGO SSO feature enabled on your domain, you must configure users' browsers to use its Authentication mechanism. Improperly configured browsers exhibit different behaviors depending on the browser.

The following browsers are supported:

  • For computers running Windows: Edge, Firefox 52 or later, Chrome, Safari

  • Apple Mac computer: Safari

Configuration steps:

  1. Firefox browser for computers running Windows

    1. In the Firefox browser address field, type about:config. The warning — This might void your warranty, is now displayed.

    2. Click I’ll be careful, I promise!

    3. Search in Filters, type network.n. Enter a comma-delimited list of trusted domains or URLs.

      Double-click network.negotiate-auth.delegation-uris. Enter http://,https://.

      Double-click network.negotiate-auth.trusted-uris. Enter http://,https://.

      Or, to set specific URLs,

      Double-click network.negotiate-auth.delegation-uris. Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com.

      Double-click network.negotiate-auth.trusted-uris. Enter the domain addresses. For example, http://mail1.example.com,https://mail2.example.com.

  2. Internet Explorer, Chrome, and Safari for computers running Windows

    1. In these browsers, go to Tools → Internet Options → Security → Local Intranet >Sites. In the "Sites" dialog, check all items.

    2. Select Advanced. Add the domain server (hostname) URL, both http:// and https://.

    3. Click OK to close the file.

    4. Go to Tools → Options → Advanced → Security. Locate and check Enable Integrated Windows Authentication.

    5. Click OK and close the browser.

  3. Safari for Apple Mac computers. No configuration is necessary.

Test your setup

  1. On a Windows computer or an Apple Mac computer, log in to the computer as a domain user.

    Your domain user token gets saved on the computer. The token gets picked up by the SPNEGO-aware browser and sent to the Zimbra server in the Authorization header.

  2. Browse to the Zimbra Classic Web App login page. You should get redirected to your inbox without being prompted for your user name and password.

    If SPNEGO auth fails, the user gets redirected to an error URL.

Troubleshooting setup

Make sure the following are true.

  • The browser is in the Intranet zone.

  • The user is accessing the server using a Hostname rather than an IP address.

  • Integrated Windows Authentication has been enabled in Internet Explorer, and the host has been "trusted" in Firefox.

  • The server is not local to the browser.

  • The client’s Kerberos system is authenticated to a domain controller.

  • If the browser displays "401 Unauthorized", it’s most likely that the browser either did not send another request with Authorization in response to the 401 or had sent an Authorization without using the GSS-API/SPNEGO scheme.

    Check your browser settings and make sure it is one of the supported browsers/platforms.

  • If you get redirected to the error URL specified in zimbraSpnegoAuthErrorURL, it means that the SPNEGO authentication sequence does not work.

    Take a network trace, make sure the browser sends Authorization header in response to the 401. Make sure the Negotiate is using GSS-API/ SPNEGO, not NTLM (use a network packet decoder like Wireshark).

    After verifying that the browser is sending the correct Negotiate, if it still does not work, turn on the following debug and check Zimbra logs:

    • Add (do not replace) -DDEBUG=true -Dsun.security.spnego.debug=all to local config key spnego_java_options.

    • Add log4j.logger.org.mortbay.log=DEBUG in log4j.

    Then restart the mailbox server.

    Browse to the debug snoop page (http://{server}:{port}/spnego/snoop.jsp). See if you can access snoop.jsp.

    Check zmmailboxd.out and mailox.log for debugging output.

    • One of the errors at this stage could be because of clock skew on the jetty server. If this is the case, it should get shown in zmmailboxd.out. Fix the clock skew and try again.

Configure Kerberos Auth with SPNEGO Auth

Kerberos auth and SPNEGO can co-exist on a domain. In this use case, you are using Kerberos as the mechanism for verifying a user’s principal/password against a KDC, instead of the native Zimbra LDAP, when the user cannot get in by SPNEGO.

In a properly configured browser, users are redirected to the Zimbra sign-in page when SPNEGO auth fails. Users can enter their Zimbra username and password on the sign-in page to sign in manually. The Domain attribute zimbraAuthMech controls the mechanism for verifying passwords. If zimbraAuthMech is "kerberos5", the entered user name is used first to identify a valid Zimbra user (users must appear in the Zimbra LDAP). The Zimbra user gets mapped to a Kerberos principal, and then the Kerberos principal + password is validated against a KDC. This KDC could be different from, or the same as, the KDC used by the Active Directory domain controller (for SPNEGO auth).

Every Microsoft Active Directory domain controller acts as Kerberos KDC. For SPNEGO auth, KDC does not get contacted by the mailbox server. The Kerberos token sent from the Authorization HTTP header along with jetty’s keytab file can identify/authenticate the user.

For Kerberos auth (zimbraAuthMech*="kerberos5"), the mailbox server needs to contact KDC to validate principal+password. For the java Kerberos client (i.e., Zimbra mailbox server), the default realm and KDC for the realm get specified in a Kerberos config file. Specify the location of this config file in the optional JVM argument as java.security.krb5.conf. If it is not specified, the default is /etc/krb5.conf. When SPNEGO gets enabled in Zimbra, java.security.krb5.conf for the mailbox server is set to /opt/zimbra/jetty/etc/krb5.ini. Therefore, that is the active file for configuring Kerberos auth.

Note that /opt/zimbra/jetty/etc/krb5.ini gets rewritten from /opt/zimbra/jetty/etc/krb5.ini.in each time the mailbox server restarts. For persistent configuration then, you need to modify the /opt/zimbra/jetty/etc/krb5.ini.in file, not /opt/zimbra/jetty/etc/krb5.ini.

Under the [realms] section, KDC and admin_server get left unset for SPNEGO auth, but Kerberos auth requires them.

To configure:

  1. Edit /opt/zimbra/jetty/etc/krb5.ini.in.

  2. Change:

    [realms]
    %%zimbraSpnegoAuthRealm%% = {
    default_domain = %%zimbraSpnegoAuthRealm%%
    }

    to

    %%zimbraSpnegoAuthRealm%% = {
                 kdc = YOUR-KDC
                 admin_server = YOUR-ADMIN-SERVER
                 default_domain = %%zimbraSpnegoAuthRealm%%
    }
  3. Replace YOUR-KDC and YOUR-ADMIN-SERVER to the hostname on which the kdc/admin_server for Kerberos auth is running.

  4. Save the file and restart the mailbox server.

An important restriction is that the realm for SPNEGO and Kerberos auth must be the same. For SPNEGO auth, the Kerberos principal in the Authorization header gets mapped to a unique Zimbra account. For Kerberos auth, the Zimbra account gets mapped to a unique Kerberos principal. The mapping (by domain attribute zimbraAuthKerberos5Realm) is the same for both.

Setting Up Single Sign-On Options for ZCO

To use SSO, SPNEGO must be configured on the Zimbra server to use this option.

The single sign-on option works with a specific server. The server name used in the ZCO profile must match that in the SPNEGO configuration. Make sure that the server name gets incorporated into the .msi file before installation.

To set up the single sign-on option in the .msi customization script:

  1. Set the server name to be the server name configured for SPNEGO, enter -sn <spnegoserver.example.com>.

  2. Set the password rule, enter -pw 0.

cscript ZmCustomizeMsi.js <path/msi-filename> -sn <spnegoserver.example.com> -pw 0

Appendix C: Zimbra Crontab Jobs

The crontab is used to schedule commands to be executed periodically on the Zimbra servers.

How to read the crontab

Each entry in a crontab file consists of six fields, specified in the following order: minute, hour, day, month, weekday, command

The fields are separated by blank spaces or tabs.

Field Description

minute

0 through 59

hour

0 through 23

day of the (month)

1 through 31

month

1 through 12

day of the (week)

0 through 7 (0 or 7 is Sunday, 1 is Monday, etc., or use names)

command

This is the complete sequence of commands to be executed for the job

When an asterisk (*) is displayed, it means all possible values for the field. For example, an asterisk in the hour time field would be equivalent to "every hour".

Zimbra Cron Jobs

You can view the Zimbra crontab by logging on as zimbra and typing crontab -l.

Scheduled jobs

The following cron jobs are scheduled to run for Zimbra:

Log pruning

The log pruning deletes logs from /opt/zimbra/log that are over eight days old. The job runs at 2:30 a.m.

Status logging

zmstatuslog calls zmcontrol status and outputs it data into syslog.

This is primarily so that logger can read the data and keep the administration console status up-to-date.

Status logging job runs every 2 minutes.

Backups

Full and increment backups are scheduled to run according to the schedule defined by zmschedulebackup command. By default the full backup is scheduled for 1:00 a.m., every Saturday. The incremental backups are scheduled for 1:00 a.m., Sunday through Friday.

By default, backups older then a month are deleted on the first of each month at 12 a.m.

Jobs for crontab.store

Log pruning

The log pruning deletes logs from /opt/zimbra/mailboxd/logs that are over eight days old. The job runs at 2:30 a.m.

Clean up the quarantine dir

Mail identified with a virus or spam are not dropped immediately, but are put in quarantine. Messages older than seven days are deleted at 1:00 a.m daily.

Table maintenance

The ANALYZE TABLE statement is run on all tables in the database to update the statistics for all indexes. This is done to make sure that the SQL query optimizer picks the correct indexes when executing SQL statements. This script is run 1:30 a.m. on Sunday.

Report on any database inconsistencies

zmdbintegrityreport is run weekly to check the SQL database for corruption and will notify the administrator if any corruption is found. When this is run, it may consume a significant amount of I/O. If you find that it is an issue, you may want to change the frequency with which zmdbintegrityreport is run by editing the Zimbra crontab entry. This report runs at 11:00 p.m. Sundays.

Large sites may opt to disable this by setting:

zmlocalconfig -e zmdbintegrityreport_disabled=TRUE

If you choose to disable this, it is recommended that the integrity report be run by hand during the normal maintenance windows and prior to running any Zimbra upgrades.

Monitor for multiple mysqld to prevent corruption

A script is executed to see if mysqld process is running to detect cases where corruption is likely to be caused. An email is generated if it finds more than 1 mysqld process running. The script runs every 5 minutes.

Jobs for crontab.logger

process logs

zmlogprocess runs every 10 minutes to parse logs and produce MTA metrics (as/av, volume, count, etc).

Daily reports

When the logger package is installed, a daily mail report is automatically scheduled in the crontab. The report runs every morning at 11:30 and is sent to the administrator’s email address.

Jobs for crontab.mta

Queue logging

The zmqueue report status via the syslog is reviewed. This is logger data. The status is updated every 10 minutes.

Spam training

The zmtrainsa script is enabled to feed mail that has been classified as spam or a non-spam to the SpamAssassin application. SpamAssassin learns what signs are likely to mean spam or ham. This job should run only on one Zimbra MTA. The job runs at 11:00 p.m.

Spam training cleanup

zmtrainsa empties the spam and ham mailboxes each day. The job runs at 11:45 p.m.

Spam Bayes auto-expiry

Spam bayes auto-expiry maintains the SpamAssassin Bayes database. This keeps the database to manageable size ensuring spam processing remains as quick as possible. This runs every day at 11:20 p.m.

Clean up amavisd/tmp

This job is used to clean up the amavisd temp files. It runs at 5:15 a.m. and at 8:15 p.m.

Single Server Crontab -l Example

Example 71. Output of crontab -l
# ZIMBRASTART -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRAEND
#
# Log pruning
#
30 2 * * * find /opt/zimbra/log/ -type f -name *.log* -mtime +8 -exec rm {} \; > /dev/null 2>&1
35 2 * * * find /opt/zimbra/log/ -type f -name *.out.???????????? -mtime +8 -exec rm {} \; > /dev/null 2>&1
#
# Status logging
#
*/2 * * * * /opt/zimbra/libexec/zmstatuslog
#
# Backups
#
# BACKUP BEGIN
# BACKUP END
#
# crontab.ldap
#
#
#
# crontab.store
#
# Log pruning
#
30 2 * * * find /opt/zimbra/mailboxd/logs/ -type f -name \*log\* -mtime +8 -exec rm {} \; > /dev/null 2>&1
30 2 * * * find /opt/zimbra/log/ -type f -name stacktrace.\* -mtime +8 -exec rm {} \; > /dev/null 2>&1
#
# Table maintenance
#
30 1 * * 7 /opt/zimbra/libexec/zmmaintaintables >> /dev/null 2>&1
#

# # Report on any database inconsistencies
#
0 23 * * 7 /opt/zimbra/libexec/zmdbintegrityreport -m
#
# Monitor for multiple mysqld to prevent corruption

*/5 * * * * /opt/zimbra/libexec/zmcheckduplicatemysqld -e > /dev/null 2>&1
#
# crontab.logger
#
# process logs
#
00,10,20,30,40,50 * * * * /opt/zimbra/libexec/zmlogprocess > /tmp/logprocess.out 2>&1
#
# Graph generation
#
10 * * * * /opt/zimbra/libexec/zmgengraphs >> /tmp/gengraphs.out 2>&1
#
# Daily reports
10 1 * * * /opt/zimbra/libexec/zmdailyreport -m
#

#
crontab.mta
#
#
# Queue logging
#
0,10,20,30,40,50 * * * * /opt/zimbra/libexec/zmqueuelog
#
# Spam training
0 23 * * * /opt/zimbra/bin/zmtrainsa >> /opt/zimbra/log/spamtrain.log 2>&1
#
# Spam training cleanup
#
45 23 * * * /opt/zimbra/bin/zmtrainsa --cleanup >> /opt/zimbra/log/spamtrain.log 2>&1
#
# Dspam cleanup
#
0 1 * * * [ -d /opt/zimbra/data/dspam/data/z/i/zimbra/zimbra.sig ] && find /opt/zimbra/dspam/var/dspam/data/z/i/zimbra/zimbra.sig/ -type f -name \*sig -mtime +7 -exec rm {} \; > /dev/null 2>&1
8 4 * * * [ -f /opt/zimbra/data/dspam/system.log ] && /opt/zimbra/dspam/bin/dspam_logrotate -a 60 -l /opt/zimbra/data/dspam/system.log
8 8 * * * [ -f /opt/zimbra/data/dspam/data/z/i/zimbra/zimbra.log ] && /opt/zimbra/dspam/bin/dspam_logrotate -a 60 -l /opt/zimbra/data/dspam/data/z/i/zimbra/zimbra.log
#
# Spam Bayes auto-expiry
#
20 23 * * * /opt/zimbra/libexec/sa-learn -p /opt/zimbra/conf/salocal.cf --dbpath /opt/zimbra/data/amavisd/.spamassassin --siteconfigpath /opt/zimbra/conf/spamassassin --force-expire --sync > /dev/null 2>&1
#
# Clean up amavisd/tmp
#
15 5,20 * * * find /opt/zimbra/data/amavisd/tmp -maxdepth 1 -type d -name 'amavis-*' -mtime +1 -exec rm -rf {} \; > /dev/null 2>&1
#
# Clean up the quarantine dir
#
0 1 * * * find /opt/zimbra/data/amavisd/quarantine -type f -mtime +7 -exec rm -f {} \; > /dev/null 2>&1

ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART

Appendix D: ABQ - SOAP API

Introduction

The "Allow/Block/Quarantine" feature allows for granular access control of mobile devices connecting to the server. For more details about the feature, refer to the ABQ Service documentation.

This appendix introduces the SOAP API support for the ABQ service.

Zimbra SOAP

Zimbra implements the Simple Object Access Protocol (SOAP) for integration with clients. For more information:

Zimbra’s SOAP implementation comprises a soap:Header and a soap:Body, as in this example of a SOAP request:

<?xml version="1.0" encoding="utf-8" ?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <context xmlns="urn:zimbra">
            <authToken>$token</authToken>
            <format type="xml"/>
        </context>
    </soap:Header>
    <soap:Body>
        $xml
    </soap:Body>
</soap:Envelope>

Here $xml should replaced with the SOAP request that we want to issue, and $token should be a valid token granted by Zimbra after the client has successfully authenticated.

Login

To get access to Zimbra, first authenticate yourself and obtain a valid token. Here is the XML request to do so:

<AuthRequest xmlns="urn:zimbraAdmin">
    <account by="name">"user@example.com"</account>
    <password>password</password>
</AuthRequest>

Here an example of a reply:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <context xmlns="urn:zimbra">
        <change token="699"/>
        </context>
    </soap:Header>
    <soap:Body>
        <AuthResponse xmlns="urn:zimbraAdmin">
            <authToken>0_2ebb6bdada2b1987c4fa625f95862d2a299b2e4c_69643d33363a34623065356237342d366135612d343435372d393032662d6630313833343131386666363b6578703d31333a313532393335333836373330303b61646d696e3d313a313b747970653d363a7a696d6272613b753d313a613b7469643d31303a313031323636373733383b76657273696f6e3d31333a382e382e385f47415f323030393b</authToken>
            <lifetime>43199998</lifetime>
        </AuthResponse>
    </soap:Body>
</soap:Envelope>

After we have a valid token we can use it in subsequent calls placing it into the <authToken>$token</authToken> of soap:Header.

ABQ API

All ABQ calls have a common XML:

<zextras xmlns="urn:zimbraAdmin">
    <module>ZxMobile</module>
    <action>$action</action>
</zextras>

where $action can be: getDeviceControlList, getDeviceStatus or setDeviceStatus followed by a parameter if needed. Here is an example of a reply:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <context xmlns="urn:zimbra">
        <change token="699"/>
        </context>
    </soap:Header>
    <soap:Body>
        <response content="{"response":{"devices":[{"device_id":"device4","status":"device1=allowed;device2=quarantined;device3=Blocked"}]},
        "ok":true}"/>
    </soap:Body>
</soap:Envelope>

All ABQ replies are standard and they are placed into a <response> tag with a content attribute. Content is formatted as JSON with only one JSONObject: "response" and Boolean: "ok". The former contains the reply and the latter indicates if the request succeeded or not.

getDeviceControlList

Returns a list of all ABQ devices filtered by status: “all”, ”allowed”, ”quarantined” or ”blocked” (case insensitive)

<zextras xmlns="urn:zimbraAdmin">
    <module>ZxMobile</module>
    <action>getDeviceControlList</action>
    <status>all</status>
</zextras>

getDeviceStatus

Returns a list of ABQ devices status given a device list (semicolon separated)

<zextras xmlns="urn:zimbraAdmin">
    <module>ZxMobile</module>
    <action>getDeviceStatus</action>
    <device>device01;device02</device>
</zextras>

The reply contains a JSON array called devices, each with a pair of string attributes : "device_id" and "status". Here is an example:

{"response":{"devices":[{"device_id":"device1","status":"Allowed"}]},"ok":true}

If the requested device is not found in ABQ, it is simply omitted from the response.

setDeviceStatus

Sets the device status for a given device or list of devices. The list is semicolon separated and each element is composed of device_id = $status where $status can be Allowed, Quarantined or Blocked (case insensitive). Returns a list of failed devices.

<zextras xmlns="urn:zimbraAdmin">
    <module>ZxMobile</module>
    <action>setDeviceStatus</action>
    <deviceStatus>device01=allowed;device02=blocked</deviceStatus>
</zextras>

The reply contains a JSON array called devices, each with a pair of string attributes : "device_id" and "status". Here is an example:

    {"response":{"devices":[{"device_id":"device4","status":"wrong"}]},"ok":true}
Example

AbqClient is a simple java example to show access to ABQ api. It’s self contained and can be build with ant:

$ ant build

and executed by:

$ ant run

Zimbra Single Sign-On using SAML with SimpleSAMLphp

Did you know that Zimbra supports SAML single sign-on? SAML is an open standard that allows you to have a single login page for all applications in your organization. SAML is a Zimbra Network Edition feature. Once you have set-up your SAML portal you can easily add [Multi Factor Authentication](multi-factor authentication).

Set up Zimbra SP in SimpleSAMLphp

In SAML terms applications are called Service Providers or SP’s. The service that provides your user database and takes care of your authentication is in SAML terms called Identity Provider or IDP. Usually, you only have one IDP and as many SP’s as you have applications. In this example, we will set-up Zimbra as a SAML SP and use SimpleSAMLphp as IDP. This is the configuration needed on SimpleSAMLphp (in /etc/simplesamlphp/metadata/saml20-sp-remote.php):

$metadata['https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver'] = array(
         'simplesaml.attributes'	 => true,
            'debug' => TRUE,
             'AssertionConsumerService' => 'https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver',
             'SingleLogoutService' => 'https://zm-zimbra9.barrydegraaff.tk/service/extension/samlslo',
             'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
             'authproc' => array (
                     10 => array(
             'class' => 'saml:AttributeNameID',
             'attribute' => 'emailAddress',
             'Format' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
              ),
          )
     );

You will also need to get the X.509 public certificate that is used for signing the SAML request from the IDP to Zimbra. You will need to download it and save it on your Zimbra server. This guide will assume you store your cert in /tmp/idpcert.pem, don’t forget to chown zimbra:zimbra /tmp/idpcert.pem. If you followed the SimpleSAMLphp setup guide you can find the certificate at /etc/simplesamlphp/cert/server.crt.

Set up Zimbra

Add the file /opt/zimbra/conf/saml/saml-config.properties to configure SAML in Zimbra add the contents:

# Issuer
     saml_sp_entity_id=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
     # Login receiver for the service provider
     saml_acs=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
     # Name ID format for the IDP to use in the SAMLResponse
     saml_name_id_format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
     # Date format for issue instant
     saml_date_format_instant=yyyy-MM-dd'T'HH:mm:ss'Z'
     # Identity provider login endpoint for redirect method
     saml_redirect_login_destination=https://saml.barrydegraaff.tk/simplesaml/saml2/idp/SSOService.php?spentityid=https://zm-zimbra9.barrydegraaff.tk/service/extension/samlreceiver
     # Identity provider login endpoint for POST method
     saml_post_login_destination=
     # Identity provider logout endpoint for redirect method
     saml_redirect_logout_destination=https://saml.barrydegraaff.tk/simplesaml/saml2/idp/SingleLogoutService.php
     # Identity provider logout endpoint for POST method
     saml_post_logout_destination=
     # Logout redirect page if we are the landing page logout endpoint
     saml_landing_logout_redirect_url=/
     # Disable the audience path check
     saml_skip_audience_restriction=true
     # URL to send the user with error_code, error_msg query params. Default results in HTTP error code pages.
     saml_error_redirect_url=
     # The SAML logout document encoding, and SAML login receiver parameter encoding.
     saml_document_encoding=ASCII
     # Set to true to disable the audience path check.
     saml_skip_audience_restriction=false
     # The redirect location to send the user if their Zimbra account is not active.
     saml_inactive_account_redirect_url

From command line as user root, copy the samlextn.jar and set up the IDP certificate:

mkdir /opt/zimbra/lib/ext/saml
cp /opt/zimbra/extensions-network-extra/saml/samlextn.jar /opt/zimbra/lib/ext/saml/
su - zimbra
cat /tmp/idpcert.pem |xargs -0 zmprov md exampledomain.com zimbraMyoneloginSamlSigningCert
zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
zmmailboxdctl restart

Create users

Your user accounts must be manually created in Zimbra and be available in your IDP user database. It is important that the E-mail attribute in your IDP is set exactly the same as the Zimbra account name. Or the user will not be able to log-in. If it does not work run a tail -f /opt/zimbra/log/* while doing the authentication request and dig through to log to find out what the issue may be. Keywords to grep for: SAML, Audience and assertion.

Configurable Properties in saml-config.properties

The samlextn.jar uses a property file located at: ${zimbra_home}/conf/saml/saml-config.properties.

The following properties are supported:

Key Description Default Optional

saml_sp_entity_id

Issuer

saml_acs

Login receiver for the service provider

saml_redirect_login_destination

Identity provider login endpoint for redirect method

saml_redirect_logout_destination

Identity provider logout endpoint for redirect method

saml_post_login_destination

Identity provider login endpoint for POST method (unused)

saml_post_logout_destination

Identity provider logout endpoint for POST method (unused)

saml_name_id_format

Name ID format for the IDP to use in the SAMLResponse

urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

saml_date_format_instant

Date format for issue instant

yyyy-MM-dd’T’HH:mm:ss’Z'

saml_error_redirect_url

URL to send the user with i`error_code`, error_msg query params. Default results in HTTP error code pages.

saml_landing_logout_redirect_url

Logout redirect landing page if we are the last logout service.

/

saml_document_encoding

The SAML logout document encoding, and SAML login receiver parameter encoding.

ASCII

saml_skip_audience_restriction

Set to true to disable the audience path check.

false

saml_inactive_account_redirect_url

The redirect location to send the user if their Zimbra account is not active.

/service/extension/samllogout

SLO Endpoint

In case you need to support SLO initiated from the IDP you need the SLO URL: https://zimbraserver.example.com/service/extension/samlslo

Also if you want to trigger the IDP to log-out when the user clicks logout in Zimbra you have to configure Zimbra to use this log-out URL: https://zimbraserver.example.com/service/extension/samllogout.

CsrfRefererCheck

On Zimbra 9 in most cases, you will need to disable CsrfRefererCheck for the SAML and restart Mailbox service to work.

su - zimbra
zmprov mcf zimbraCsrfRefererCheckEnabled FALSE
zmmailboxdctl restart

Glossary

The Glossary lists terms and acronyms used in this document, and includes both industry terms and application-specific terms. If a general industry concept or practice has been implemented in a specific way within the product, that is noted as well.

A record

A (for "Address") records map the hostname to the numeric IP address. For Zimbra, the A record is the IP address for the Zimbra server.

ABQ

The Allow/Block/Quarantine function provided by the NG Modules gives system administrators control over which devices are allowed to sync via ActiveSync.

Account Policy

Class of Service as exposed in Zimbra administration console.

AD

Microsoft Active Directory Server. Used in Zimbra Collaboration as an optional choice for authentication and GAL, along with OpenLDAP for all other Zimbra Collaboration functions.

Alias

An “also known as” email address, which should be routed to a user at a different email address.

Attribute

Contains object-related data for directory server entries. Attributes store information such as a server host name or email forwarding address.

Authentication

Process by which user-supplied login information is used to validate that user’s authority to enter a system.

Blacklist

Anti-spam term, indicates a known bad IP address. This could be one that has been hijacked by spammers, or also one from a poorly maintained but legitimate site that allows mail relaying from unauthorized parties.

BLOB

Binary Large Object.

Class of Service (COS)

Describes an object in the Zimbra Collaboration LDAP data schema, which contains settings for things like user mail quotas. Each Zimbra Collaboration account includes a COS, and the account inherits all the settings from the selected COS.

CLI

Command-Line Interface. Used to refer to the collective set of Zimbra Collaboration command-line tools, such as zmprov.

Cluster

A type of network configuration for high availability, using clusters of servers (nodes). If one server fails or drops off the network, a spare takes over.

Contacts

Within Zimbra Collaboration, Contacts are a user-interface feature listing that user’s personal collection of address and contact information.

Conversation

Within Zimbra Collaboration, Conversations are a user-interface feature that presents email threads (emails sharing the same subject line) as a single Conversation listing. Users can expand the Conversation to view all emails within it.

DHTML

Dynamic HTML. A technology employed in the Zimbra Classic Web App.

DNS

Domain Name System is an Internet directory service. DNS is how domain names are translated into IP addresses and DNS also controls email delivery. Correctly configured DNS is required for Postfix to route messages to remote destinations

Edge MTA

Generic term used to refer to any mail transfer agent that is the first line of defense in handling incoming email traffic. Functions that may occur on the Edge MTA include spam filtering.

Entry

An item in the directory server, such as an account or mail host.

Ephemeral Data

Data which is short lived or fast changing in nature. Login timestamps, authentication tokens, etc.

Failover

Takeover process where a spare server machine detects that a main server is unavailable, and the spare takes over processing for that server.

FQDN

Fully qualified domain name. The hostname and the path to the host. For example, www.zimbra.com is a fully qualified domain name where www is the host, zimbra is the second-level domain, and .com is the top level domain.

GAL

Global Address List, the Outlook version of a company directory. Lists contact information, including email addresses, for all employees within an organization.

Global Configuration

A Zimbra Collaboration object containing default settings for servers and Class of Service.

High Availability

Abbreviated as HA, high availability refers to the availability of resources in a computer system in the wake of component failures in the system.

HTTP

HyperText Transfer Protocol, used along with SOAP for UI integration.

IMAP

Internet Message Access Protocol is a method of accessing mail from a remote message store as if the users were local.

Store

Within Zimbra Collaboration, a directory area that stores all the indexing information for mail messages on a particular mailbox server.

Indexing

The process of parsing incoming email messages for search words.

Java

Java is an industry standard object-oriented programming language. Used for the core Zimbra Collaboration application server.

JavaScript

Scripting largely developed by Netscape that can interact with HTML source code. Technology used in the Zimbra Classic Web App.

LDAP

Lightweight Directory Access Protocol, an industry standard protocol used for authentication.

LMTP

Local Mail Transfer Protocol, used for transferring messages from Postfix MTA to the Zimbra Collaboration server for final delivery.

Mailbox Server

Alternative term for Zimbra Collaboration server.

MAPI

Messaging Application Programming Interface. A system built into Microsoft Windows to enable different email applications to work together.

Message Store

Within Zimbra Collaboration, a directory area that stores the mail messages on a particular mailbox server.

MDA

Mail Delivery Agent, sometimes known as a mail host. The Zimbra Collaboration server functions as an MDA.

Metadata

Data that describes other data, rather than actual content. Within Zimbra Collaboration, metadata consists of user folders, threads, message titles and tags, and pointers.

MIME

Multipurpose Internet Mail Extensions, a specification for formatting non-ASCII Internet message content such as image files. Format used to store messages in Message Store.

MTA

Message Transfer Agent. MTA is a program that delivers mail and transports it between machines. A Zimbra Collaboration deployment assumes both the Postfix MTA and an edge MTA.

MX Record

Mail eXchange. An MX record is an entry in a domain name database that identifies the mail server that is responsible for handling emails for that domain name. The email system relies on DNS MX records to transmit emails between domains. When mail is processed, the MX record is checked before the A record for the destination address.

OOTO

Common shorthand for “out of the office”, used when sending vacation messages.

Open Source

Refers to software created by groups of users for non-commercial distribution, where source code is published rather than proprietary.

OS

Operating system, such as Linux, UNIX, or Microsoft Windows.

POP

Post Office Protocol is used to retrieve email from a remote server over TCP/IP and save it to the local computer.

Provisioning

The process of creating accounts or other data, usually in batch or automated fashion.

RBH

Real-time black hole. Usually refers to web sites that, as a public service, provide lists of known bad IP addresses from which mail should be blocked, because the servers are either known to be spammers, or are unsecured and exploited by spammers.

Responsive (web app)

This approach to design ensures that the application displays and functions well on a variety of devices and window or screen sizes. The Modern Web App is a Responsive Web App, facilitating a consistent user experience on any screen.

Redo Logs

Detailed transaction log for the Zimbra Collaboration server, used for replay and replication.

SAN

Storage Array Network. A high-availability data storage area.

Schema

Describes the data structures in use for by directory services at a particular organizational site.

SMTP

Simple Mail Transfer Protocol. Used in Zimbra Collaboration deployments between the Edge MTA and the Postfix MTA.

SNMP

Simple Network Monitoring Protocol. Used by monitoring software to pick up critical errors from system logs.

SOAP

Simple Object Access Protocol, an XML-based messaging protocol used for sending requests for Web services. The Zimbra Collaboration servers use SOAP for receiving and processing requests, which can come from Zimbra Collaboration command-line tools or Zimbra Collaboration user interfaces.

Spam

Unsolicited commercial email. Spammers refer to their output as “bulk business email”.

SQL

Structured Query Language, used to look up messages in the Message Store.

SSL

Secure Sockets Layer.

Tags

A Zimbra Classic Web App feature. Users can define tags and apply them to mail messages for searching.

TCO

Total Cost of Ownership. Zimbra Collaboration reduces total cost of ownership (TCO) by reducing requirements for server hardware, OS licensing fees, supporting application license fees, disk storage requirements, and personnel (IT, help desk, consulting).

TLS

Transport Layer Security.

UCE

Unsolicited commercial email, also known as spam.

Virtual Alias

A type of mail alias recognized in the Postfix MTA.

Whitelist

Anti-spam term for a known good mail or IP address. Mail coming from such an address may be “automatically trusted”.

XML

eXtended Markup Language.

Zimbra administration console

The Zimbra Collaboration administrator interface.

Zimbra Web Client

Refers to any of the end-user interfaces provided over the Web as part of a Zimbra server.