ZIMBRA installation
Current revision as of 03:12, 8 August 2020
Install Zimbra.
During the installation, create the directory /opt/zimbra/perl5 and set the owner and group of that directory to zimbra.zimbra.
Run echo 'Port 9282' > /opt/zimbra/ssl/config and, after the installation, run:
- su - zimbra
$ zmupdateauthkeys
$ exit
- /opt/zimbra/libexec/zmsyslogsetup
- su - zimbra
$ zmprov ms mail.ourominas.net.br zimbraRemoteManagementPort 9282
$ exit
- yum clean all
- yum -y update
Delay the start of Zimbra by 30 seconds
- init 6
Log in to Zimbra and allow access via both http and https
Follow the steps presented at:
https://www.sbarjatiya.com/notes_wiki/index.php/CentOS_7.x_Install_lets_encrypt_automated_SSL_certificate_in_Zimbra
CentOS 7.x Install lets encrypt automated SSL certificate in Zimbra
SSL certificate setup
To set up Let's Encrypt SSL certificates:
First stop the web and mailbox services as *zimbra user*:
zmproxyctl stop
zmmailboxdctl stop
Download the letsencrypt GitHub package as *root user*:
yum -y install git epel-release
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
Get letsencrypt certificates for the domain using:
./letsencrypt-auto certonly --standalone -d mail.zimbra.ourominas.net.br -d zimbra.ourominas.net.br
On the various prompts use:
- Emergency email - saurabh@ourominas.net.br
- Agree/Cancel - A
- Yes/No - Y
The important file locations are:
- /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/fullchain.pem
- /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/privkey.pem
Download the root and intermediate certificates from https://letsencrypt.org/certificates/
Example:
cd /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/
wget https://letsencrypt.org/certs/isrgrootx1.pem.txt
wget https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt
To give Zimbra access to the certificates, copy them to a sub-folder inside /opt/zimbra *as root*:
cd /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/
cat isrgrootx1.pem.txt letsencryptauthorityx3.pem.txt chain.pem > combined.pem
mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
ls -la /opt/zimbra/ssl/letsencrypt/
Install the certificates *as zimbra* user:
cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem combined.pem
- If above validation succeeds
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem
zmcontrol restart
Open https://mail.zimbra.ourominas.net.br:7071/zimbraAdmin/ and verify that the certificate is presented correctly, along with the root "ISRG Root X1" and the intermediate "Lets Encrypt Authority X3".
Test certificates using:
openssl s_client -starttls smtp -connect zimbra.ourominas.net.br:25 -showcerts
openssl s_client -connect zimbra.ourominas.net.br:465 -showcerts
openssl s_client -connect zimbra.ourominas.net.br:443 -showcerts
openssl s_client -connect zimbra.ourominas.net.br:993 -showcerts
openssl s_client -starttls imap -connect zimbra.ourominas.net.br:143 -showcerts
Refer:
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
Listen on port 80 with forced HTTPS redirection
To configure Zimbra to listen on port 80 for forced HTTPS redirection use:
Configure forced HTTPS redirection:
su - zimbra
~/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
zmprov ms `zmhostname` zimbraReverseProxyMailMode redirect
Note that the earlier method of simply using 'zmtlsctl redirect' is no longer available in the latest versions, hence the above steps are required.
Refer:
https://blog.christosoft.de/2015/06/zimbra-redirect-http-to-https/
SSL certificate renewal configuration via crontab
This auto-renewal assumes that the chain (root and intermediate) remains the same.
Create /root/renew-certificate.sh with:
su - zimbra -c "zmcontrol stop"
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/mail.zimbra.ourominas.net.br/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
su - zimbra -c "zmcontrol start"
Make the script executable:
chmod +x /root/renew-certificate.sh
For the root user crontab (crontab -e) add:
10 5 * * 0 /root/renew-certificate.sh
where instead of 10 and 5 use a random value between 5 and 55 for minutes (first number) and a random value between 1 and 5 for the hour (second number).
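The renewal script above copies the new key over commercial.key and reuses the old combined.pem without checking either. The following is an added example, not part of the original notes or of Zimbra's tooling, of a check to run on the renewed files before anything is overwritten; the function name precheck_cert and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original page. precheck_cert and its return
# codes are hypothetical names chosen for this illustration.
# Usage: precheck_cert KEY CERT CHAIN
#   0 = safe to deploy      1 = a file is missing or empty
#   2 = key/cert mismatch   3 = CERT does not chain to CHAIN
#   4 = CERT expires within 24 hours
precheck_cert() {
    key=$1 cert=$2 chain=$3

    for f in "$key" "$cert" "$chain"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # The public key embedded in the certificate must be the one derived
    # from the private key, otherwise TLS handshakes fail after deploy.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    # The renewal script reuses the old combined.pem. If the CA switched
    # intermediates, the new cert.pem no longer chains to it. The output is
    # matched on ": OK" instead of trusting the exit status, which older
    # OpenSSL releases did not set reliably.
    if ! openssl verify -CAfile "$chain" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "certificate does not verify against $chain" >&2
        return 3
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "certificate expires within 24 hours" >&2
        return 4
    fi
    return 0
}
```

In /root/renew-certificate.sh the call would sit right after the letsencrypt-auto renew line, given the privkey.pem and cert.pem under /etc/letsencrypt/live/ and the existing /opt/zimbra/ssl/letsencrypt/combined.pem, with the cp and deploycrt lines skipped on a non-zero return.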
arq_zimbra.txt
./letsencrypt-auto certonly --standalone -d mail.ourominas.net.br -d mx.ourominas.net.br -d smtp.ourominas.net.br -d imap.ourominas.net.br -d ldap.ourominas.net.br -d pop.ourominas.net.br -d www.ourominas.net.br -d webmail.ourominas.net.br -d ftp.ourominas.net.br -d ourominas.net.br
su - zimbra -c "zmcontrol stop"
/root/letsencrypt/letsencrypt-auto renew
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/privkey.pem /opt/zimbra/ssl/letsencrypt/
cp /etc/letsencrypt/live/mail.zimbra.sbarjatiya.com/cert.pem /opt/zimbra/ssl/letsencrypt/
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra -c "cd /opt/zimbra/ssl/letsencrypt/; /opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem combined.pem"
su - zimbra -c "zmcontrol start"