imported>Admin: uma edição

2020-08-08T03:12:57Z

uma edição

← Edição anterior		Edição das 03h12min de 8 de agosto de 2020
(Sem diferença)

2532252>Jefferson em 23h52min de 30 de julho de 2019

2019-07-30T23:52:38Z

Página nova

Instalar o Zimbra
Durante a instalação criar o diretorio /opt/zimbra/perl5
colocar como usuario e grupo o diretorio acima zimbra.zimbra
fazer
echo 'Port 9282' > /opt/zimbra/ssl/config
e apos a instalacao fazer:

#su - zimbra
$zmupdateauthkeys
$exit
#/opt/zimbra/libexec/zmsyslogsetup
#su - zimbra
zmprov ms mail.ourominas.net.br zimbraRemoteManagementPort 9282
$exit
#yum clean all
#yum -y update

atrase em 30 segundos o start do zimbra

#init 6

Entrar no Zimbra e liberar que os acessos sejam via http e https

Seguir os passos apresentados em:
https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Install_lets_encrypt_automated_SSL_certificate_in_Zimbra

CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra
SSL certificate setup
To setup lets encrypt SSL certificates use:

First stop web and mailbox services as *zimbra user*:
zmproxyctl stop

zmmailboxdctl stop
Download letsencrypt github package as *root user*
yum -y install git epel-release

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt
Get letsencrypt certificates for domain using:
./letsencrypt-auto certonly --standalone -d mail.zimbra.ourominas.net.br -d zimbra.ourominas.net.br
On various prompts use:
Emergency email - saurabh@ourominas.net.br
Agree/Cancel - A
Yes/No - Y
The important file locations are:
/etc/letsencrypt/live/mail.zimbra.ourominas.net.br/fullchain.pem
/etc/letsencrypt/live/mail.zimbra.ourominas.net.br/privkey.pem
Download Root and intermediate certificates from https://letsencrypt.org/certificates/ Example
cd /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/

wget https://letsencrypt.org/certs/isrgrootx1.pem.txt

wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
To give access to zimbra to certificates copy them to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/

cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem

mkdir /opt/zimbra/ssl/letsencrypt

cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/* /opt/zimbra/ssl/letsencrypt/

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

ls -la /opt/zimbra/ssl/letsencrypt/
Install certificates *as zimbra* user:
cd /opt/zimbra/ssl/letsencrypt/

/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem

#If above validation succeeds

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem

zmcontrol restart
Open https://mail.zimbra.ourominas.net.br:7071/zimbraAdmin/ and verify that certificate along with root "ISRG Root X1" and Intermediate "Lets Encrypt Authority X3" is coming up properly.
Test certificates using:
openssl s_client -starttls smtp -connect zimbra.ourominas.net.br:25 -showcerts

openssl s_client -connect zimbra.ourominas.net.br:465 -showcerts

openssl s_client -connect zimbra.ourominas.net.br:443 -showcerts

openssl s_client -connect zimbra.ourominas.net.br:993 -showcerts

openssl s_client -starttls imap -connect zimbra.ourominas.net.br:143 -showcerts

Refer:

https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate

Listen on port 80 with forced HTTPS redirection
To configure Zimbra to listen on port 80 for forced HTTPS redirection use:

Configure forced HTTPS redirection
su - zimbra

~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`

zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
Note that earlier method of simply using 'zmtlsctl redirect' is no longer available in latest versions. Hence above steps are required
Refer:

https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/

SSL certificate renewal configuration via crontab
This auto-renewal assumes that chain (Root and Intermediate) remains same.

Create /root/renew-certificate.sh with:
su - zimbra -c "zmcontrol stop"

/root/letsencrypt/letsencrypt-auto renew

cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/privkey.pem /opt/zimbra/ssl/letsencrypt/

cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/cert.pem /opt/zimbra/ssl/letsencrypt/

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"

su - zimbra -c "zmcontrol start"
chmod +x /root/renew-certificate.sh
For root user crontab (crontab -e) add:
10 5 * * 0 /root/renew-certificate.sh
where instead of 10 and 5 use a random value between 5 and 55 for minutes (first number) and random value between 1 and 5 for hour (second number)

arq_zimbra.txt

./letsencrypt-auto certonly --standalone -d mail.ourominas.net.br -d mx.ourominas.net.br -d smtp.ourominas.net.br -d imap.ourominas.net.br -d ldap.ourominas.net.br -d pop.ourominas.net.br -d www.ourominas.net.br -d webmail.ourominas.net.br -d ftp.ourominas.net.br -d ourominas.net.br

su - zimbra -c "zmcontrol stop"
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
su - zimbra -c "zmcontrol start"

[[Category: TI]]
[[Category: ZIMBRA]]

Instalação do ZIMBRA - Histórico de revisão

imported>Admin: uma edição

2532252>Jefferson em 23h52min de 30 de julho de 2019