habibzain: Just a husband, father and enthusiast of System Administration. Love to write short articles about it. Perhaps they can help and be useful for others.

Things to do After Install Zimbra


Hi Dude. In previous posts, I wrote 2 articles about installing Zimbra: the preparation before installation and the Zimbra installation process itself. So what comes next after the Zimbra installation? This article lists the things to do after installing Zimbra.

Every person or mail administrator may do this differently. These are only my notes.
After the Zimbra installation is complete, what should we do? Are the default settings enough?
Of course not. There are parameters that must be set after installing Zimbra.

Setting Transport Map / relay

The first thing to do, still in the Zimbra console: I usually do the relay settings. Fortunately, I’m using the latest version of Zimbra for now.

zimbra@mail:~$ zmcontrol -v
Release 8.8.15.GA.4179.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P31.

Before making a relay, I will first check zimbra transport with the command below.

zimbra@mail:~$ zmprov gs `zmhostname` zimbraMtaTransportMaps
# name mail.habibza.in
zimbraMtaTransportMaps: proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

From the zimbraMtaTransportMaps result above, we know that there is no file for relay configuration yet. We will create a relay file first.

zimbra@mail:~$ vim /opt/zimbra/common/conf/transportfile

yahoo.com               relay:[hostname-relay.domainname.com]

When finished, save the file and run postmap on it.

postmap /opt/zimbra/common/conf/transportfile

We will then get a new file with the extension .lmdb. After every change to this file, postmap must be run again.

zimbra@mail:~$ ls -al /opt/zimbra/common/conf/transportfile*
-rw-r----- 1 zimbra zimbra    51 Apr 22 11:30 /opt/zimbra/common/conf/transportfile
-rw-r----- 1 zimbra zimbra 12288 Apr 22 11:30 /opt/zimbra/common/conf/transportfile.lmdb

Change Default Email Notify

The default Zimbra notification address is [email protected], so I want to change it to another address.

zimbra@mail:~$ zmlocalconfig | grep admin@habibza
av_notify_user = [email protected]
smtp_destination = [email protected]
smtp_source = [email protected]

Adjust and change according to the domain you have.

[zimbra@webmail ~]$ zmlocalconfig -e av_notify_user=[email protected]
[zimbra@webmail ~]$ zmlocalconfig -e smtp_destination=[email protected]
[zimbra@webmail ~]$ zmlocalconfig -e smtp_source=[email protected]

Change log rotate Zimbra

Sometimes we need the file /var/log/zimbra.log kept for a longer duration. I usually use it for tracing email.


After installing Zimbra, edit /etc/logrotate.d/zimbra and go to the /var/log/zimbra.log block. Change daily to weekly. In my case, I just comment out ‘daily’ and add the line ‘weekly’ below it.

root@mail:~# vim /etc/logrotate.d/zimbra

/var/log/zimbra.log {
   # daily
    weekly
    missingok
    notifempty
    create 0644 syslog adm
...

Reject Unlisted Sender and Reject Unlisted Recipient

By default, when any connection made to the ZCS Postfix declares “mail from: local sender” (even if it is not a local sender), the connection/email is accepted for local delivery. The steps below block such connections.

zimbra@mail:~$ zmprov gcf zimbraMtaSmtpdRejectUnlistedRecipient
zimbraMtaSmtpdRejectUnlistedRecipient: no
zimbra@mail:~$ zmprov gcf zimbraMtaSmtpdRejectUnlistedSender
zimbraMtaSmtpdRejectUnlistedSender: no

And now, we will set and activate zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender.

zimbra@mail:~$ zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zimbra@mail:~$ zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zimbra@mail:~$ zmcontrol restart

Automatically Bounce If the quota is full

I always set user quotas based on class of service, and I usually set the parameter to bounce automatically if the quota is full. That way the sender of the email is told that the target mailbox quota is full.

zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE

Change Zimbra mail size

By default, Zimbra comes with a mail size limit of 10 MB. How can we increase the email size? It's easy, we just run the commands below.

zmprov ms `zmhostname` zimbraFileUploadMaxSize 44040192
zmprov ms `zmhostname` zimbraMailContentMaxSize 44040192
zmprov mcf zimbraMtaMaxMessageSize 44040192

These commands instruct Zimbra to allow an email size of 44 MB. Of course, we can adjust the size limit depending on our needs.

Add Online RBLs

For online RBLs, I usually just use zen.spamhaus.org and barracudacentral.org. Choose a few RBLs that you think are suitable. Don’t use all RBLs, because the more lookups are performed, the slower the mail server becomes.

zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"

Whitelist and Blacklist IP Address RBL

Whitelist

When a sender's public IP is blacklisted and you want it to bypass the RBL, or when a spamming public IP is not filtered by the RBL and you want to blacklist it, you can use the following commands.

su - zimbra
vim /opt/zimbra/conf/postfix_rbl_override

Enter the public IP that you want to whitelist as follows, for example the public IP 111.222.33.44.

111.222.33.44 OK

When finished, save the file and run postmap on it.

postmap /opt/zimbra/conf/postfix_rbl_override
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'

Get config to check that setting.

zmprov gacf | grep zimbraMtaRestriction

To remove rbl_override above, do this command.

zmprov mcf -zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'

Blacklist

Create file postfix_blacklist in directory /opt/zimbra/conf/

su - zimbra
vim /opt/zimbra/conf/postfix_blacklist

Enter the public IP that you want to blacklist as follows, for example the public IP 111.222.33.44.

111.222.33.44 REJECT

postmap /opt/zimbra/conf/postfix_blacklist

Run this command to activate blacklist.

zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
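A check worth running on postfix_rbl_override and postfix_blacklist before postmap, as an added example that is not part of the original post: entries in an lmdb: table are matched as exact IPs or octet prefixes, so a CIDR key or a line with leading whitespace silently never matches. The function names and the sample file contents are constructed for this illustration.

```python
import ipaddress

ACTIONS = {"OK", "REJECT"}  # the two actions this page writes into its files

def key_problem(key):
    """Return why an lmdb: table would mishandle this client key, or None."""
    if "/" in key:
        return "CIDR key is never matched by an lmdb: table (needs a cidr: table)"
    try:
        ipaddress.ip_address(key)
        return None
    except ValueError:
        pass
    if key.replace(".", "").isdigit():
        octets = key.split(".")
        if len(octets) < 4 and all(o and int(o) <= 255 for o in octets):
            return None  # octet-boundary network prefix such as 203.0.113
        return "malformed IPv4 address"
    return None  # hostnames and domains are valid client keys too

def lint_access_table(text):
    """Parse a Postfix access table; return ({key: action}, [(line, problem)])."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0].isspace():  # Postfix reads this as a continuation line
            problems.append((lineno, "leading whitespace continues the previous entry"))
            continue
        parts = line.split(None, 1)
        key, action = parts[0], (parts[1].split()[0].upper() if len(parts) == 2 else "")
        issue = key_problem(key)
        if not issue and action not in ACTIONS:
            issue = "action %r is not OK or REJECT" % action
        if issue:
            problems.append((lineno, issue))
        else:
            entries[key] = action
    return entries, problems

def conflicting_keys(allow, deny):  # keys the override accepts but the blacklist rejects
    return sorted(k for k in allow if k in deny and allow[k] != deny[k])

# Constructed sample contents for the two files (not from a real server)
OVERRIDE = "# trusted senders\n111.222.33.44 OK\n198.51.100.0/24 OK\n"
BLACKLIST = "111.222.33.44 REJECT\n 203.0.113.9 REJECT\n203.0.113 REJECT\n192.0.2.300 REJECT\n192.0.2.7\n"

print(lint_access_table(BLACKLIST)[1])
```

An address reported by conflicting_keys is listed in both files, so which rule wins depends on the order of the two check_client_access restrictions.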

Activate DMARC, SPF and DKIM

DMARC, SPF and DKIM are now a mandatory part of a mail server. See this post for setting up DMARC, SPF and DKIM.


Set PTR Record (reverse DNS)

The PTR record is like a reverse version of the A record. An A record maps a domain name to an IP address, while a PTR record maps an IP address to a hostname. However, the two records are independent. For example, the A record from habibza.in points to the IP address 158.21.128.xx, while 23.23.128.xx may map to a different hostname.

PTR records are used in reverse DNS lookups; common uses for reverse DNS include:

  • Anti-spam: Some email anti-spam filters use reverse DNS to check the domain names of email addresses and see if the associated IP addresses are likely to be used by legitimate email servers.
  • Troubleshooting email delivery issues: Because anti-spam filters perform these checks, email delivery problems can result from a misconfigured or missing PTR record. If a domain has no PTR record, or if the PTR record contains the wrong domain, email services may block all emails from that domain.
  • Logging: System logs typically record only IP addresses; a reverse DNS lookup can convert these into domain names for logs that are more human-readable.

MTA Trusted Network

zimbraMtaMyNetworks is the setting that whitelists the IPs of hosts, applications or programs that use Zimbra as a relay. By default, the zimbraMtaMyNetworks Trusted Networks list only allows the local IP segments used by Zimbra itself.

We need to change it in these cases:

  • Would like to allow machines that are not on the local network to send mail through the zimbra server
  • Observing “Relay Access Denied” errors in the MTA log (/var/log/zimbra.log) for hosts or subnets that you trust for relaying.
  • Observing “Relay Access Denied” errors in the MTA log (/var/log/zimbra.log) for the zimbra server itself.

Here is how to get zimbraMtaMyNetworks.

zimbra@mail:~$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name mail.habibza.in
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 10.12.12.0/24
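A way to review the trusted list before widening it, as an added example that is not part of the original post: it parses the zimbraMtaMyNetworks value shown above, flags any entry that reaches outside internal address space, and tallies “Relay access denied” rejects per client so only known hosts get added. The function names, the set of ranges treated as internal and the log lines are assumptions constructed for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Ranges treated as internal (loopback, RFC 1918, IPv6 ULA): an assumption of this example
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]
DENIED = re.compile(r"RCPT from [^\[\s]+\[([^\]\s]+)\]:.*Relay access denied")

def parse_mynetworks(value):
    """Parse a zimbraMtaMyNetworks value into ip_network objects."""
    items = re.split(r"[,\s]+", value.strip())
    return [ipaddress.ip_network(i.replace("[", "").replace("]", ""), strict=False)
            for i in items if i]

def exposed_networks(nets):
    """Trusted entries reaching outside INTERNAL: every host in them may relay."""
    return [str(n) for n in nets
            if not any(n.version == i.version and n.subnet_of(i) for i in INTERNAL)]

def relay_denied_clients(log_text, nets):
    """Per client IP: (ip, number of 'Relay access denied' rejects, already trusted?)."""
    hits = Counter(m.group(1) for m in DENIED.finditer(log_text))
    return [(ip, count, any(ipaddress.ip_address(ip) in n for n in nets))
            for ip, count in hits.most_common()]

# Value shown on this page, followed by constructed /var/log/zimbra.log lines
MYNETWORKS = "127.0.0.0/8 [::1]/128 10.12.12.0/24"
LOG = """\
Apr 22 11:41:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.12.13.7]: 554 5.7.1 <u@example.org>: Relay access denied; from=<app@example.com> to=<u@example.org> proto=ESMTP helo=<app01>
Apr 22 11:41:09 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.12.13.7]: 554 5.7.1 <o@example.org>: Relay access denied; from=<app@example.com> to=<o@example.org> proto=ESMTP helo=<app01>
Apr 22 11:52:40 mail postfix/smtpd[2290]: NOQUEUE: reject: RCPT from unknown[203.0.113.25]: 554 5.7.1 <a@example.net>: Relay access denied; from=<b@example.net> to=<a@example.net> proto=ESMTP helo=<x>
Apr 22 11:53:00 mail postfix/smtpd[2290]: connect from unknown[10.12.12.5]
"""

if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    print("entries outside internal ranges:", exposed_networks(nets))
    for ip, count, trusted in relay_denied_clients(LOG, nets):
        print(ip, count, "already trusted" if trusted else "not trusted")
```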

Enable Clear text Login/PLAIN TEXT AUTHENTICATION

There are various types of email users, and the operating systems they use also vary, from the latest Windows, Windows 11, to those who are still using Windows 7.
It is safer and more secure if we don’t use the Zimbra setting “Enable clear text login”. But due to various user considerations, such as an OS that does not support SSL with Zimbra, we sometimes have to set “Enable clear text login”.

Set the “Enable clear text login” option after installing Zimbra. There is a checkbox to enable clear text login for IMAP, and another checkbox to enable clear text login for POP3.

Attachment limit extension

This feature improves anti-spam/anti-virus protection: we can block file extensions that we suspect of carrying malware. Set the attachment extension limits after installing Zimbra.

Spam Check Setting

This is spam checking in Zimbra. We can set the values of “Kill Percent” and “Tag Percent”. In my case, I prefer a Kill Percent of 55 and a Tag Percent of 33.

  • Tag percent: this means that if an email arrives with a spam score of 6.6 (6.6 is 33 * 0.2), the email is tagged as spam and the prefix ****SPAM**** is added to the subject.
  • Kill percent: this means that if an email arrives with a spam score of 11 (11 is 55 * 0.2), it is discarded and rejected.

Finally, “Block Encrypted Archives” is checked by default, in other words active. If it is checked, emails with attachments such as a password-protected PDF will be rejected, even when the email is legitimate, such as a credit card bill attached as a password-protected PDF file. So I prefer to disable/uncheck it.

That is a short article about things to do after installing Zimbra. I hope it’s helpful. Please feel free to leave a comment if you have any questions; I’ll appreciate it.


2 Replies to “Things to do After Install Zimbra”

    1. Hi Vipin,
      1. as zimbra user, you can create new file as example with /opt/zimbra/conf/custom_header_checks.

      su - zimbra
      vi /opt/zimbra/conf/custom_header_checks

      2. And then add two line below.

      /^Subject:/ WARN Subject :
      /filename=\"?(.*)\"?$/ WARN

      3. Modify zimbraMtaHeaderChecks for include custom_header_checks

      zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks"
      zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE

      4. postfix reload or zmcontrol restart

      Maybe useful.
