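Setting up a Zimbra mail server on a cloud server and configuring certificates

If you build a mail server on a cloud server, the relevant regulations require you to apply to have port 25 opened. Alibaba Cloud controls this very strictly, so I built mine on a server in my own IDC data center. If you use China Telecom's network, you also need to apply to have port 25 opened.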

1. Disable the firewall

2. Disable SELinux

3. Internal IP: 192.168.2.222      Public IP: 221.12.155.245

Start the installation

yum -y update

Install the packages and libraries Zimbra needs

yum -y install perl perl-core nmap sudo libidn gmp libaio libstdc++ unzip sysstat sqlite nc

Stop the MTA service that is already installed

systemctl stop postfix.service
systemctl disable postfix.service

Install bind

yum -y install bind bind-utils

Set the hostname

Edit /etc/hosts

Edit /etc/resolv.conf

chown -R named.named /var/named/

Edit /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "zimbra.com" IN {
    type master;
    file "zimbra.com.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.arpa";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
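
The options above combine listen-on any, allow-query { any; } and recursion yes on a host that also has a public IP, which is the open-resolver case the file's own comment warns about. The shell check below is an added example, not part of the original post or of BIND: the function names, the "mailnet" ACL and the 192.168.2.0/24 range are assumptions, the sample configs are constructed, and only simple un-nested clauses are inspected.

```shell
#!/bin/sh
# Added example: flag a named.conf whose options allow recursion for any client.

# Print the config on one line with //, # and /* ... */ comments removed.
flatten_conf() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (in_c) {
                i = index(line, "*/")
                if (i) { line = substr(line, i + 2); in_c = 0 } else { line = "" }
            } else {
                i = index(line, "/*"); j = match(line, /\/\/|#/)
                if (j && (!i || j < i)) { out = out substr(line, 1, j - 1); line = "" }
                else if (i) { out = out substr(line, 1, i - 1); line = substr(line, i + 2); in_c = 1 }
                else { out = out line; line = "" }
            }
        }
        printf "%s ", out
    }' "$1"
}

# Print the body of the last "NAME { ... }" clause in flattened config $2.
acl_of() { printf '%s\n' "$2" | sed -n "s/.*[[:space:]{;]$1[[:space:]]*{\([^}]*\)}.*/\1/p"; }

# Echo "open" when recursion is effectively allowed for any client,
# otherwise "restricted".
recursion_exposure() {
    conf=$(flatten_conf "$1")
    if printf '%s' "$conf" | grep -Eq '(^|[[:space:];{])recursion[[:space:]]+no[[:space:]]*;'; then
        echo restricted; return
    fi
    # BIND falls back from allow-recursion to allow-query-cache, then to
    # allow-query, then to its built-in default (localnets; localhost).
    acl=""
    for name in allow-recursion allow-query-cache allow-query; do
        acl=$(acl_of "$name" "$conf")
        [ -n "$acl" ] && break
    done
    if printf '%s' "$acl" | tr ';' '\n' | tr -d ' \t' | grep -qx any; then echo open; else echo restricted; fi
}

# Constructed samples: weak.conf mirrors the options on this page, hardened.conf adds an ACL.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query     { any; };
    /* If your recursive DNS server has a public IP address, you MUST enable
       access control, e.g. allow-recursion { none; }; */
    recursion yes;
};
EOF
    cat > "$1/hardened.conf" <<'EOF'
acl "mailnet" { localhost; 192.168.2.0/24; };   // assumption: the LAN around 192.168.2.222
options {
    listen-on port 53 { 127.0.0.1; 192.168.2.222; };
    allow-query     { any; };          // zone data may still be answered
    allow-recursion { "mailnet"; };    // recursion only for local clients
    recursion yes;
};
EOF
}

tmp=$(mktemp -d); write_samples "$tmp"
for f in weak hardened; do echo "$f.conf: $(recursion_exposure "$tmp/$f.conf")"; done
```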

 

Create the forward DNS zone

$TTL 86400
@       IN      SOA    mail    mail.zimbra.com. (
                               0          ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum
 

 
               IN      NS      ns.zimbra.com.
               IN      A       192.168.2.222
               IN      MX 10       mail.zimbra.com.


mail            IN      A       192.168.2.222
ns              IN      A       192.168.2.222

Create the reverse DNS zone

$TTL 1D
@  IN SOA  zimbra.com.   mail.zimbra.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
2.168.192.in-addr.arpa.          IN     NS       ns.zimbra.com.
222                              IN     PTR     ns.zimbra.com.
222                              IN     PTR     mail.zimbra.com.

Test DNS resolution

dig zimbra.com MX

dig -x 192.168.2.222

Start named.service

systemctl start named.service
systemctl enable named.service

Download the Zimbra installation package and upload it to the /opt directory; I used version zcs-8.6.0

URL: http://www.zimbra.com/downloads/os-downloads.html

Extract and install Zimbra

cd /opt
tar zxvf zcs-8.6.0_GA_1153.RHEL7_64.20141215151110.tgz
cd zcs-8.6.0_GA_1153.RHEL7_64.20141215151110
./install.sh --platform-override

The output is as follows

Operations logged to /tmp/install.log.31333
Checking for existing installation...
    zimbra-ldap...NOT FOUND
    zimbra-logger...NOT FOUND
    zimbra-mta...NOT FOUND
    zimbra-dnscache...NOT FOUND
    zimbra-snmp...NOT FOUND
    zimbra-store...NOT FOUND
    zimbra-apache...NOT FOUND
    zimbra-spell...NOT FOUND
    zimbra-convertd...NOT FOUND
    zimbra-memcached...NOT FOUND
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-core...NOT FOUND


PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

License Terms for the Zimbra Collaboration Suite:
  http://www.zimbra.com/license/zimbra-public-eula-2-5.html

# Enter y to accept and install

Do you agree with the terms of the software license agreement? [N] y

 

 

 

Checking for prerequisites...

     FOUND: NPTL

     FOUND: nmap-ncat-6.40-7

     FOUND: sudo-1.8.6p7-16

     FOUND: libidn-1.28-4

     FOUND: gmp-6.0.0-12

     FOUND: libaio-0.3.109-13

     FOUND: libstdc++-4.8.5-4

     FOUND: unzip-6.0-15

     FOUND: perl-core-5.16.3-286

 

Checking for suggested prerequisites...

     FOUND: perl-5.16.3

     FOUND: sysstat

     FOUND: sqlite

Prerequisite check complete.

 

Checking for installable packages

 

Found zimbra-core

Found zimbra-ldap

Found zimbra-logger

Found zimbra-mta

Found zimbra-dnscache

Found zimbra-snmp

Found zimbra-store

Found zimbra-apache

Found zimbra-spell

Found zimbra-memcached

Found zimbra-proxy

 

 

# Enter Y to install the components Zimbra needs

Select the packages to install

 

Install zimbra-ldap [Y]

 

Install zimbra-logger [Y] Y

 

Install zimbra-mta [Y] Y

 

Install zimbra-dnscache [Y] Y

 

Install zimbra-snmp [Y] Y

 

Install zimbra-store [Y] Y

 

Install zimbra-apache [Y] Y

 

Install zimbra-spell [Y] Y

 

Install zimbra-memcached [Y] Y

 

Install zimbra-proxy [Y] Y

Checking required space for zimbra-core

Checking space for zimbra-store

Checking required packages for zimbra-store

zimbra-store package check complete.

 

Installing:

    zimbra-core

    zimbra-ldap

    zimbra-logger

    zimbra-mta

    zimbra-dnscache

    zimbra-snmp

    zimbra-store

    zimbra-apache

    zimbra-spell

    zimbra-memcached

    zimbra-proxy

 

# Enter Y to confirm that the system will be modified

The system will be modified.  Continue? [N] Y

 

Removing /opt/zimbra

Removing zimbra crontab entry...done.

Cleaning up zimbra init scripts...done.

Cleaning up /etc/ld.so.conf...done.

Cleaning up /etc/security/limits.conf...done.

 

Finished removing Zimbra Collaboration Server.

 

Installing packages

 

    zimbra-core......zimbra-core-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-ldap......zimbra-ldap-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-logger......zimbra-logger-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-mta......zimbra-mta-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-dnscache......zimbra-dnscache-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-snmp......zimbra-snmp-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-store......zimbra-store-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-apache......zimbra-apache-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-spell......zimbra-spell-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-memcached......zimbra-memcached-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

    zimbra-proxy......zimbra-proxy-8.6.0_GA_1153.RHEL7_64-20141215151110.x86_64.rpm...done

Operations logged to /tmp/zmsetup02252016-105150.log

Installing LDAP configuration database...done.

Setting defaults... MX: smtp.asia.secureserver.net (182.50.144.66)

    MX: mailstore1.asia.secureserver.net (182.50.144.67)

 

    Interface: 127.0.0.1

    Interface: ::1

    Interface: 10.1.0.100

        182.50.144.66

        182.50.144.66

        182.50.144.66

        182.50.144.67

        182.50.144.67

        182.50.144.67

DNS ERROR resolving MX for mail.zimbra.com

It is suggested that the domain name have an MX record configured in DNS

Change domain name? [Yes]

Create domain: [mail.zimbra.com] zimbra.com

         MX: mail.zimbra.com (192.168.1.109)

 

         Interface: 127.0.0.1

         Interface: ::1

         Interface: 192.168.1.109

done.

Checking for port conflicts

Main menu

 

   1) Common Configuration:                                                 

   2) zimbra-ldap:                             Enabled                      

   3) zimbra-logger:                           Enabled                      

   4) zimbra-mta:                              Enabled                      

   5) zimbra-dnscache:                         Enabled                      

   6) zimbra-snmp:                             Enabled                      

   7) zimbra-store:                            Enabled                      

        +Create Admin User:                    yes                          

        +Admin user to create:                 [email protected]            

******* +Admin Password                        UNSET                        

        +Anti-virus quarantine user:           [email protected]

        +Enable automated spam training:       yes                          

        +Spam training user:                   [email protected]  

        +Non-spam(Ham) training user:          [email protected]     

        +SMTP host:                            hongxue.com                  

        +Web server HTTP port:                 8080                         

        +Web server HTTPS port:                8443                         

        +Web server mode:                      https                        

        +IMAP server port:                     7143                          

        +IMAP server SSL port:                 7993                         

        +POP server port:                      7110                         

        +POP server SSL port:                  7995                         

        +Use spell check server:               yes                          

        +Spell server URL:                     http://hongxue.com:7780/aspell.php

        +Enable version update checks:         TRUE                         

        +Enable version update notifications:  TRUE                         

        +Version update notification email:    [email protected]            

        +Version update source email:          [email protected]            

        +Install mailstore (service webapp):   yes                          

        +Install UI (zimbra,zimbraAdmin webapps): yes                          

 

   8) zimbra-spell:                            Enabled                      

   9) zimbra-proxy:                            Enabled                      

  10) Default Class of Service Configuration:                               

   s) Save config to file                                                   

   x) Expand menu                                                            

   q) Quit                                   

 

 

# Here we first choose 7

Address unconfigured (**) items  (? - help) 7

 

 

Store configuration

 

   1) Status:                                  Enabled                      

   2) Create Admin User:                       yes                          

   3) Admin user to create:                    [email protected]            

** 4) Admin Password                           UNSET                        

   5) Anti-virus quarantine user:              [email protected]

   6) Enable automated spam training:          yes                          

   7) Spam training user:                      [email protected]  

   8) Non-spam(Ham) training user:             [email protected]     

   9) SMTP host:                               hongxue.com                  

  10) Web server HTTP port:                    8080                         

  11) Web server HTTPS port:                   8443                          

  12) Web server mode:                         https                        

  13) IMAP server port:                        7143                         

  14) IMAP server SSL port:                    7993                         

  15) POP server port:                         7110                         

  16) POP server SSL port:                     7995                         

  17) Use spell check server:                  yes                          

  18) Spell server URL:                        http://hongxue.com:7780/aspell.php

  19) Enable version update checks:            TRUE                         

  20) Enable version update notifications:     TRUE                         

  21) Version update notification email:       [email protected]            

  22) Version update source email:             [email protected]            

  23) Install mailstore (service webapp):      yes                          

  24) Install UI (zimbra,zimbraAdmin webapps): yes                           

 

 

# Next choose 4 to set the admin password

Select, or 'r' for previous menu [r] 4

 

Password for [email protected] (min 6 characters): [1ewBUZwGo] hongxuepassword

 

Store configuration

 

   1) Status:                                  Enabled                      

   2) Create Admin User:                       yes                          

   3) Admin user to create:                    [email protected]            

   4) Admin Password                           set                          

   5) Anti-virus quarantine user:              [email protected]

   6) Enable automated spam training:          yes                          

   7) Spam training user:                      [email protected]  

   8) Non-spam(Ham) training user:             [email protected]     

   9) SMTP host:                               hongxue.com                  

  10) Web server HTTP port:                    8080                         

  11) Web server HTTPS port:                   8443                         

  12) Web server mode:                         https                        

  13) IMAP server port:                        7143                         

  14) IMAP server SSL port:                    7993                          

  15) POP server port:                         7110                         

  16) POP server SSL port:                     7995                         

  17) Use spell check server:                  yes                          

  18) Spell server URL:                        http://hongxue.com:7780/aspell.php

  19) Enable version update checks:            TRUE                         

  20) Enable version update notifications:     TRUE                         

  21) Version update notification email:       [email protected]            

  22) Version update source email:             [email protected]            

  23) Install mailstore (service webapp):      yes                          

  24) Install UI (zimbra,zimbraAdmin webapps): yes                           

 

 

# Press r to return to the previous menu

Select, or 'r' for previous menu [r] r

 

Main menu

 

   1) Common Configuration:                                                 

   2) zimbra-ldap:                             Enabled                      

   3) zimbra-logger:                           Enabled                      

   4) zimbra-mta:                              Enabled                      

   5) zimbra-dnscache:                         Enabled                      

   6) zimbra-snmp:                             Enabled                      

   7) zimbra-store:                            Enabled                      

   8) zimbra-spell:                            Enabled                      

   9) zimbra-proxy:                            Enabled                       

  10) Default Class of Service Configuration:                               

   s) Save config to file                                                   

   x) Expand menu                                                           

   q) Quit                                   

 

 

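# Now press a to apply the configuration, answer yes to the prompts, and let the modification continue. After that Zimbra runs a series of automatic configuration steps.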

 

*** CONFIGURATION COMPLETE - press 'a' to apply

Select from menu, or press 'a' to apply config (? - help) a

Save configuration data to a file? [Yes] yes

Save config in file: [/opt/zimbra/config.41215]

Saving config in /opt/zimbra/config.41215...done.

The system will be modified - continue? [No] yes

Operations logged to /tmp/zmsetup02252016-105150.log

Setting local config values...done.

Initializing core config...Setting up CA...done.

Deploying CA to /opt/zimbra/conf/ca ...done.

Creating SSL zimbra-store certificate...done.

Creating new zimbra-ldap SSL certificate...done.

Creating new zimbra-mta SSL certificate...done.

Creating new zimbra-proxy SSL certificate...done.

Installing mailboxd SSL certificates...done.

Installing MTA SSL certificates...done.

Installing LDAP SSL certificate...done.

Installing Proxy SSL certificate...done.

Initializing ldap...done.

Setting replication password...done.

Setting Postfix password...done.

Setting amavis password...done.

Setting nginx password...done.

Setting BES searcher  password...done.

Creating server entry for hongxue.com...done.

Setting Zimbra IP Mode...done.

Saving CA in ldap ...done.

Saving SSL Certificate in ldap ...done.

Setting spell check URL...done.

Setting service ports on hongxue.com...done.

Setting zimbraFeatureTasksEnabled=TRUE...done.

Setting zimbraFeatureBriefcasesEnabled=TRUE...done.

Setting Master DNS IP address(es)...done.

Setting DNS cache tcp lookup preference...done.

Setting DNS cache udp lookup preference...done.

Setting DNS tcp upstream preference...done.

Setting TimeZone Preference...done.

Initializing mta config...done.

Setting services on hongxue.com...done.

Adding hongxue.com to zimbraMailHostPool in default COS...done.

Creating domain hongxue.com...done.

Setting default domain name...done.

Creating domain hongxue.com...already exists.

Creating admin account [email protected].

Creating root alias...done.

Creating postmaster alias...done.

Creating user [email protected].

Creating user [email protected].

Creating user [email protected].

Setting spam training and Anti-virus quarantine accounts...done.

Initializing store sql database...done.

Setting zimbraSmtpHostname for hongxue.com...done.

Configuring SNMP...done.

Setting up syslog.conf...done.

Starting servers...done.

Installing common zimlets...

    com_zimbra_adminversioncheck...done.

    com_zimbra_attachcontacts...done.

    com_zimbra_attachmail...done.

    com_zimbra_bulkprovision...done.

    com_zimbra_cert_manager...done.

    com_zimbra_clientuploader...done.

    com_zimbra_date...done.

    com_zimbra_email...done.

    com_zimbra_mailarchive...done.

    com_zimbra_phone...done.

    com_zimbra_proxy_config...done.

    com_zimbra_srchhighlighter...done.

    com_zimbra_tooltip...done.

    com_zimbra_url...done.

    com_zimbra_viewmail...done.

    com_zimbra_webex...done.

    com_zimbra_ymemoticons...done.

Finished installing common zimlets.

Restarting mailboxd...done.

Creating galsync account for default domain...done.

 

You have the option of notifying Zimbra of your installation.

This helps us to track the uptake of the Zimbra Collaboration Server.

The only information that will be transmitted is:

    The VERSION of zcs installed (8.6.0_GA_1153_RHEL7_64)

    The ADMIN EMAIL ADDRESS created ([email protected])

 

# Skip notifying Zimbra

Notify Zimbra of your installation? [Yes] no

Notification skipped

Setting up zimbra crontab...done.

 

 

Moving /tmp/zmsetup02252016-105150.log to /opt/zimbra/log

 

 

Configuration complete - press return to exit

7. OK, the previous step completed the installation. Next we check the service status; the services have started.

8. Open the admin console

https://192.168.2.222:7071/zimbraAdmin/
https://192.168.2.222

 

Create a regular user

Log in to the user interface at https://192.168.2.222

Send a test email

Add the cloud DNS records

Log in using the domain name

https://mail.grabchatapp.com:7071/zimbraAdmin/
https://mail.grabchatapp.com

Configure the certificate:

Script for installing a free Alibaba Cloud SSL certificate

https://www.itgeeker.net/zimbra-8-x安装使用阿里云免费ssl证书脚本/

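First, of course, go to Alibaba Cloud and download the SSL certificate you applied for, choosing the "other" certificate type. After extracting it there are two files; upload them to the appropriate directory, here /opt/zimbra/ssl/aliyunssl/. The file names look like 18131-domain.key and .pem.

Unlike certificates from Let's Encrypt and WoSign, the Alibaba Cloud RSA key has to be converted to PKCS#8 format here. The two formats differ in their first and last lines. Zimbra cannot verify a key in the RSA format.

We can use the openssl command to convert the Alibaba Cloud private key into a format Zimbra accepts.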

openssl pkcs8 -topk8 -inform PEM -in 18131XXXXXXXXX.key -outform PEM -nocrypt -out privkey.pem

The full script is as follows:

#!/bin/bash
# Note: create by itgeeker
 
domain=mail.itgeeker.net
 
su - zimbra -c 'zmproxyctl stop'
su - zimbra -c 'zmmailboxdctl stop'
 
mkdir /opt/zimbra/ssl/aliyunssl/
echo "up load aliyun ssl other to this folder first !!!!!!!"
cd /opt/zimbra/ssl/aliyunssl/
openssl pkcs8 -topk8 -inform PEM -in 18131XXXXXXXXX.key -outform PEM -nocrypt -out privkey.pem
mv 1813131_mail.geekerconsulting.com.pem cert.pem
chown zimbra:zimbra /opt/zimbra/ssl/aliyunssl/*
 
su - zimbra -c 'cd /opt/zimbra/ssl/aliyunssl/ && /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem '
 
echo "Backup Zimbra SSL directory"
cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")
 
echo "Copy the private key under Zimbra SSL path"
cp /opt/zimbra/ssl/aliyunssl/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
 
echo "Final SSL deployment"
su - zimbra -c 'cd /opt/zimbra/ssl/aliyunssl/ && /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem'
 
echo "restart zimbra"
su - zimbra -c 'zmcontrol restart'

gist link:

https://gist.github.com/alanljj/2f90ca543dc2f2e45319ac13c30bbf72

Command to verify the Zimbra SSL certificate:

su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'

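Update

Although the method above reports no errors, it may fail to update the certificate: the verification command still shows the old certificate. In that case the more involved procedure below is needed.

The three Zimbra certificate files, in the directory /opt/zimbra/ssl/zimbra/commercial/: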

  1. commercial_ca.crt
  2. commercial.crt
  3. commercial.key

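How to build the Zimbra SSL certificate files:

commercial_ca.crt – the second part of the certificate file 1813131_domain.pem downloaded from Alibaba Cloud, i.e. from the second -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, which is the intermediate certificate (mid-digicert-ca), plus the root certificate (root-digicert-ca)

There must be no blank line between the two.

The root certificate for the free Alibaba Cloud SSL certificate is shared here; root certificates differ between issuing authorities: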

https://gist.github.com/alanljj/26b12b591173b3ba7c3c51edea09cad6

commercial.crt – the first part of 1813131_domain.pem, i.e. from the first -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

commercial.key – this is 1813131_domain.key; convert it first with the RSA-to-PKCS#8 conversion shown above, then rename it.
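
The file layout described above (first certificate into commercial.crt, the rest of the bundle plus the root into commercial_ca.crt with no blank lines, key in PKCS#8) can be produced and checked mechanically. This shell script is an added example, not the original author's: the function names are hypothetical, root.pem stands for the separately obtained root certificate, and the PEM contents are constructed placeholders rather than real certificates or keys.

```shell
#!/bin/sh
# Added example: build and sanity-check Zimbra's commercial.crt / commercial_ca.crt.

# Report a private key's container format from its PEM header line.
key_format() {
    case "$(grep -m1 -e '-----BEGIN' "$1")" in
        *'BEGIN RSA PRIVATE KEY'*)       echo pkcs1 ;;   # needs the openssl pkcs8 -topk8 step
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
        *)                               echo unknown ;;
    esac
}

# split_chain BUNDLE ROOT OUTDIR
# First certificate of BUNDLE -> OUTDIR/commercial.crt; every later certificate,
# followed by ROOT, -> OUTDIR/commercial_ca.crt. Blank lines and CRs are dropped.
split_chain() {
    awk -v leaf="$3/commercial.crt" -v ca="$3/commercial_ca.crt" '
        BEGIN { printf "" > leaf; printf "" > ca }
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && NF { print > (n == 1 ? leaf : ca) }
        /^-----END CERTIFICATE-----/   { inside = 0 }
    ' "$1"
    awk '{ sub(/\r$/, "") }
         /^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/ { if (NF) print }' \
        "$2" >> "$3/commercial_ca.crt"
}

cert_count()  { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }
blank_lines() { grep -c '^[[:space:]]*$' "$1"; }

# Constructed placeholder input: a two-certificate bundle, a root file and an RSA-format key.
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TEVBRi1QTEFDRUhPTERFUg==' \
        '-----END CERTIFICATE-----' '' '-----BEGIN CERTIFICATE-----' \
        'SU5URVJNRURJQVRFLVBMQUNF' '-----END CERTIFICATE-----' > "$1/1813131_domain.pem"
    printf '%s\n' '' '-----BEGIN CERTIFICATE-----' 'Uk9PVC1QTEFDRUhPTERFUg==' \
        '-----END CERTIFICATE-----' '' > "$1/root.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'S0VZLVBMQUNFSE9MREVS' \
        '-----END RSA PRIVATE KEY-----' > "$1/1813131_domain.key"
}

work=$(mktemp -d)
make_sample "$work"
split_chain "$work/1813131_domain.pem" "$work/root.pem" "$work"
echo "key format:        $(key_format "$work/1813131_domain.key")"
echo "commercial.crt:    $(cert_count "$work/commercial.crt") certificate(s)"
echo "commercial_ca.crt: $(cert_count "$work/commercial_ca.crt") certificate(s), $(blank_lines "$work/commercial_ca.crt") blank line(s)"
```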

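Start the deployment

Upload the three files to the /opt/zimbra/ssl/zimbra/commercial/ directory. Before uploading, check, check, and check again that they are correct. If old files already exist, delete the three old files first (技术奇客 (itgeeker) ran into a case where they were not deleted, the generated files had the wrong format, and the SSL certificate could not be updated).

Verify the certificate. After changing into the /opt/zimbra/ssl/zimbra/commercial/ directory, run as the zimbra user: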

/opt/zimbra/common/bin/openssl verify -CAfile commercial_ca.crt commercial.crt

Deploy the certificate. Run as the zimbra user:

/opt/zimbra/bin/zmcertmgr deploycrt comm commercial.crt commercial_ca.crt

Restart the Zimbra services.

su - zimbra -c 'zmcontrol restart'

View the new certificate.

su - zimbra -c '/opt/zimbra/bin/zmcertmgr viewdeployedcrt'

 

Reposted from www.cnblogs.com/xiaoyou2018/p/11869326.html