Hi Dude. In previous posts, I wrote 2 articles about installing Zimbra: the preparation before installation and the Zimbra installation process itself. So what comes next after the Zimbra installation? This article lists the things to do after installing Zimbra.
Every mail administrator may do this differently. These are only my notes.
After the Zimbra installation is complete, what should we do? Are the default settings enough?
Of course not; there are parameters that must be set after installing Zimbra.
Setting Transport Map / relay
The first thing I usually do, still in the zimbra console, is the relay settings. Fortunately I’m using the latest version of Zimbra for now.
zimbra@mail:~$ zmcontrol -v
Release 8.8.15.GA.4179.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P31.
Before making a relay, I will first check zimbra transport with the command below.
zimbra@mail:~$ zmprov gs `zmhostname` zimbraMtaTransportMaps
# name mail.habibza.in
zimbraMtaTransportMaps: proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
From the zimbraMtaTransportMaps result above, we know that there is no file for relay configuration yet. We will create a relay file first.
zimbra@mail:~$ vim /opt/zimbra/common/conf/transportfile
yahoo.com relay:[hostname-relay.domainname.com]
When finished, save the file and run postmap on it.
postmap /opt/zimbra/common/conf/transportfile
This gives us a new file with the extension .lmdb. After every change to this file, postmap must be run again.
zimbra@mail:~$ ls -al /opt/zimbra/common/conf/transportfile*
-rw-r----- 1 zimbra zimbra 51 Apr 22 11:30 /opt/zimbra/common/conf/transportfile
-rw-r----- 1 zimbra zimbra 12288 Apr 22 11:30 /opt/zimbra/common/conf/transportfile.lmdb
Change Default Email Notify
The default Zimbra notification address is [email protected], so I want to change it to another address.
zimbra@mail:~$ zmlocalconfig | grep admin@habibza
av_notify_user = [email protected]
smtp_destination = [email protected]
smtp_source = [email protected]
Adjust and change according to the domain you have.
[zimbra@webmail ~]$ zmlocalconfig -e av_notify_user=[email protected]
[zimbra@webmail ~]$ zmlocalconfig -e smtp_destination=[email protected]
[zimbra@webmail ~]$ zmlocalconfig -e smtp_source=[email protected]
Change log rotate Zimbra
Sometimes we need to keep /var/log/zimbra.log for a longer period. I usually use it for tracing email.
After installing Zimbra, edit /etc/logrotate.d/zimbra and go to the /var/log/zimbra.log section. Change daily to weekly. In my case, I just comment out ‘daily’ and add the line ‘weekly’ below it.
root@mail:~# vim /etc/logrotate.d/zimbra
/var/log/zimbra.log {
# daily
weekly
missingok
notifempty
create 0644 syslog adm
...
Reject Unlisted Sender and Reject Unlisted Recipient
By default, any connection made to ZCS postfix and declares “mail from: local sender” (even if it is not) – the connection/email is accepted for local delivery. This wiki provides steps to block such connections.
zimbra@mail:~$ zmprov gcf zimbraMtaSmtpdRejectUnlistedRecipient
zimbraMtaSmtpdRejectUnlistedRecipient: no
zimbra@mail:~$ zmprov gcf zimbraMtaSmtpdRejectUnlistedSender
zimbraMtaSmtpdRejectUnlistedSender: no
Now we will set and activate zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender.
zimbra@mail:~$ zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zimbra@mail:~$ zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zimbra@mail:~$ zmcontrol restart
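Once both settings are active, the rejections appear in /var/log/zimbra.log. The following is an added example, not part of the original post, that counts unlisted-sender and unlisted-recipient rejections per client IP and address. The log lines are constructed in the usual Postfix reject format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the style Postfix writes to /var/log/zimbra.log.
# Hosts, addresses and process ids are made up for this example.
SAMPLE_LOG = """\
Apr 22 11:42:07 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.0 <ceo@example.test>: Sender address rejected: User unknown in virtual mailbox table; from=<ceo@example.test> to=<staff@example.test> proto=ESMTP helo=<pc>
Apr 22 11:42:09 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 550 5.1.0 <ceo@example.test>: Sender address rejected: User unknown in virtual mailbox table; from=<ceo@example.test> to=<hr@example.test> proto=ESMTP helo=<pc>
Apr 22 11:50:31 mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mx.example.net[203.0.113.9]: 550 5.1.1 <nobody@example.test>: Recipient address rejected: User unknown in virtual mailbox table; from=<a@example.net> to=<nobody@example.test> proto=ESMTP helo=<mx.example.net>
Apr 22 11:51:02 mail postfix/smtpd[2140]: connect from mx.example.net[203.0.113.9]
"""

# Client host/IP, SMTP code, the rejected address, and which side was unlisted.
REJECT = re.compile(
    r"NOQUEUE: reject: \w+ from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<addr>[^>]*)>: "
    r"(?P<kind>Sender|Recipient) address rejected: User unknown"
)

def unlisted_rejects(log_text):
    """Count unlisted-address rejections per (kind, client IP, address)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            hits[(m["kind"], m["ip"], m["addr"])] += 1
    return hits

def report(hits):
    """Format the counts, most frequent first, one row per combination."""
    return [f"{n:>3}  {kind:<9} {ip:<15} {addr}"
            for (kind, ip, addr), n in hits.most_common()]

if __name__ == "__main__":
    print("\n".join(report(unlisted_rejects(SAMPLE_LOG))))
```

Repeated Sender rows for a local address from an outside IP point to spoofing attempts; the same row from an internal application server points to a sender address that needs to be created or corrected.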
Automatically Bounce If the quota is full
I always set the user quota based on class of service, and I usually set the parameter to automatically bounce mail if the quota is full. This way the sender is told when the target mailbox's quota is full.
zmprov mcf zimbraLmtpPermanentFailureWhenOverQuota TRUE
Change Zimbra mail size
By default, Zimbra comes with a mail size limit of 10 MB. How can we increase the email size? It's easy, we just run the commands below.
zmprov ms `zmhostname` zimbraFileUploadMaxSize 44040192
zmprov ms `zmhostname` zimbraMailContentMaxSize 44040192
zmprov mcf zimbraMtaMaxMessageSize 44040192
These commands instruct Zimbra to allow an email size of 44 MB. Of course we can adjust the allowed email size depending on our needs.
Add Online RBL
For online RBLs, I usually just use zen.spamhaus.org and barracudacentral.org. Choose a few RBLs that you think are suitable. Don’t use all RBLs, because the more lookups there are, the slower the mail server performs.
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
Whitelist and Blacklist IP Address RBL
Whitelist
When a sender's public IP is blacklisted by an RBL and we want to bypass the RBL for it, or when a spam source's public IP is not filtered by the RBL and we want to blacklist it, we can use the following commands.
su - zimbra
vim /opt/zimbra/conf/postfix_rbl_override
Enter the public IP that you want to whitelist as follows, for example the public IP 111.222.33.44.
111.222.33.44 OK
When finished, save the file and run postmap on it.
postmap /opt/zimbra/conf/postfix_rbl_override
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
Get the config to check the setting.
zmprov gacf | grep zimbraMtaRestriction
To remove the rbl_override above, run this command.
zmprov mcf -zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override'
Blacklist
Create the file postfix_blacklist in the directory /opt/zimbra/conf/.
su - zimbra
vim /opt/zimbra/conf/postfix_blacklist
Enter the public IP that you want to blacklist as follows, for example the public IP 111.222.33.44.
111.222.33.44 REJECT
postmap /opt/zimbra/conf/postfix_blacklist
Run this command to activate the blacklist.
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
Activate DMARC, SPF and DKIM
DMARC, SPF and DKIM are now a mandatory part of a mail server. See this post for how to set up DMARC, SPF and DKIM.
Set PTR Record (reverse DNS)
The PTR record is like a reverse version of the A record. A record maps a domain name to an IP address, while PTR maps an IP address to a hostname. However, the two records are independent. For example, the A record from habibza.in points to the IP address 158.21.128.xx, while 23.23.128.xx may map to a different hostname.
PTR records are used in reverse DNS lookups; common uses for reverse DNS include:
- Anti-spam: Some email anti-spam filters use reverse DNS to check the domain names of email addresses and see if the associated IP addresses are likely to be used by legitimate email servers.
- Troubleshooting email delivery issues: Because anti-spam filters perform these checks, email delivery problems can result from a misconfigured or missing PTR record. If a domain has no PTR record, or if the PTR record contains the wrong domain, email services may block all emails from that domain.
- Logging: System logs typically record only IP addresses; a reverse DNS lookup can convert these into domain names for logs that are more human-readable.
MTA Trusted Network
zimbraMtaMyNetworks is the setting for whitelisting IPs that use Zimbra as a relay, such as other applications or programs connected to Zimbra. By default, the zimbraMtaMyNetworks configuration only puts the local IP segments used by Zimbra itself in the Trusted Networks list.
When would we want to change this?
- Would like to allow machines that are not on the local network to send mail through the zimbra server
- Observing “Relay Access Denied” errors in the MTA log (/var/log/zimbra.log) for hosts or subnets that you trust for relaying.
- Observing “Relay Access Denied” errors in the MTA log (/var/log/zimbra.log) for the zimbra server itself.
Here is how to get zimbraMtaMyNetworks.
zimbra@mail:~$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name mail.habibza.in
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 10.12.12.0/24
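Every network in this list may relay mail through the server, so the list is worth checking before and after any change. The following added example (not from the original post) parses the zmprov output shown above and flags entries that go beyond loopback and private ranges. The sample output with its extra entries and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: `zmprov gs <hostname> zimbraMtaMyNetworks` output in the
# format shown above, with three risky entries added for illustration.
SAMPLE = """\
# name mail.example.test
zimbraMtaMyNetworks: 127.0.0.0/8 [::1]/128 10.12.12.0/24 0.0.0.0/0 203.0.113.0/24 198.51.100.7/32
"""

# Ranges treated as internal: loopback, RFC 1918, link-local, IPv6 ULA.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def parse_mynetworks(zmprov_output):
    """Return the networks on the zimbraMtaMyNetworks line as ip_network objects."""
    nets = []
    for line in zmprov_output.splitlines():
        if line.startswith("zimbraMtaMyNetworks:"):
            for token in line.split(":", 1)[1].split():
                # IPv6 entries are written [addr]/len; drop the brackets.
                cleaned = token.replace("[", "").replace("]", "")
                nets.append(ipaddress.ip_network(cleaned, strict=False))
    return nets

def is_internal(net):
    """True if the network lies entirely inside one of the INTERNAL ranges."""
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def audit(nets):
    """Return (network, finding) pairs for entries that widen relay access."""
    findings = []
    for net in nets:
        if net.prefixlen == 0:
            findings.append((str(net), "matches every client: open relay"))
        elif not is_internal(net) and net.num_addresses > 1:
            findings.append((str(net), "public range: every host in it may relay"))
        elif not is_internal(net):
            findings.append((str(net), "public host: confirm you control it"))
    return findings

if __name__ == "__main__":
    for net, finding in audit(parse_mynetworks(SAMPLE)):
        print(f"{net:<18} {finding}")
```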
Enable Clear text Login/PLAIN TEXT AUTHENTICATION
There are various types of email users, and the operating systems they use also vary, from the latest Windows, Windows 11, to those still using Windows 7.
It is safer and more secure if we do not use the Zimbra setting “Enable clear text login”. But due to various user considerations, such as some OSes that do not support SSL with Zimbra, we have to set “Enable clear text login”.
Set the Enable Clear text Login option after installing Zimbra. This is the checkbox to enable clear text login for IMAP.
This is the checkbox to enable clear text login for POP3.
Attachment limit extension
This feature improves anti-spam/anti-virus protection: we can block file extensions that we suspect of being malware. Set the attachment extension limit after installing Zimbra.
Spam Check Setting
This is the spam checking in Zimbra. We can set the values of “Kill Percent” and “Tag Percent”. In my case, I prefer Kill Percent at 55 and Tag Percent at 33.
Tag percent: This means that if an email arrives with a spam score of 6.6 (6.6 is 33 * 0.2), the email will be tagged as spam and the prefix ****SPAM**** will be added to the subject.
Kill percent: This means that if an email arrives with a spam score of 11 (11 is 55 * 0.2), it will be discarded and rejected.
And last, “Block Encrypted Archives” is checked by default, i.e. active. If it is checked, email with an attachment such as a password-protected PDF will be rejected, even when it is a legitimate email, such as a credit card bill attached as a password-protected PDF file. So I prefer to disable/uncheck it.
That is a short article about things to do after installing Zimbra. Maybe it’s helpful; please feel free to leave a comment if you have any questions, and I’ll appreciate it.
How can attachment files be viewed in Zimbra logs?
Hi Vipin,
1. As the zimbra user, you can create a new file, for example /opt/zimbra/conf/custom_header_checks.
su - zimbra
vi /opt/zimbra/conf/custom_header_checks
2. And then add the two lines below.
/^Subject:/ WARN Subject :
/filename=\"?(.*)\"?$/ WARN
3. Modify zimbraMtaHeaderChecks to include custom_header_checks
zmprov ms `zmhostname` zimbraMtaHeaderChecks "pcre:/opt/zimbra/conf/postfix_header_checks, pcre:/opt/zimbra/conf/custom_header_checks"
zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
4. postfix reload or zmcontrol restart
Maybe useful.