Welcome back! If you’ve been following up with my previous blogs, it is a continuity to my last blog on how to setup Zimbra mail server in CentOS. Till now, I’ve already covered the preparation and installation of ZCS package. From here, I’ll get into the post-installation part for our mail server setup.
Changing SSH Port
As we all already know, SSH daemon by default runs on port 22. So, it is a good practice to change it to some other non-standard port. In this case, I’m changing it to port 4589. To change this port, we can simply open the config file (/etc/ssh/sshd_config), find the port definition statement and then change it. If we want to change the port for SSH client also, we can do it by editing the file (/etc/ssh/ssd_config).
[root@mail ~]$ sed -i s/"# Port 22"/" Port 4589""/g /etc/ssh/sshd_config [root@mail ~]$ systemctl restart sshd
Note:- While changing SSH port, make sure that SElinux is either disabled or in permissive state. Otherwise, SSH won’t work for newly assigned port.
Doing this will definitely change the port for SSH in our Zimbra server. However, there will arise one issue as soon as we change this port. Actually, there is a monitoring daemon inside Zimbra which is responsible for keeping continuous eye on every activities inside the mail system. And this monitoring is done by using the SSH connection to the local server. Since port 22 is the default SSH port, this monitoring tool also uses 22 for this purpose. Therefore, after we change our SSH port, the monitoring daemon stops working. To make this work, we’ve to tell Zimbra to use the new SSH port for monitoring. This can be done as follows:
[root@mail ~]$ su zimbra [zimbra@mail root]$ zmprov ms mail.sajjan.com.np zimbraRemoteManagementPort 4589 [zimbra@mail root]$ zmmailboxdctl restart
Next, let’s start our firewall and configure it to open all the necessary ports for Zimbra and deny everything else. First, I’m starting the firewalld daemon and then displaying the allowed ports and services. By default, it allows the service called dhcpv6-client, but I don’t need it. So, I’m removing it from allowed services. Then, I add all the required ports for the Zimbra mail server.
[root@mail ~]$ systemctl start firewalld [root@mail ~]$ firewalld --list-all [root@mail ~]$ firewalld --permanent --zone=public --remove-service=dhcpv6-client [root@mail ~]$ firewalld --permanent --zone=public --add-service=https [root@mail ~]$ firewalld --permanent --zone=public --add-port=443 [root@mail ~]$ firewalld --permanent --zone=public --add-port=4589 [root@mail ~]$ firewalld --permanent --zone=public --add-port=7071 [root@mail ~]$ firewalld --permanent --zone=public --add-port=25 [root@mail ~]$ firewalld --permanent --zone=public --add-port=465 [root@mail ~]$ firewalld --permanent --zone=public --add-port=587 [root@mail ~]$ firewalld --permanent --zone=public --add-port=110 [root@mail ~]$ firewalld --permanent --zone=public --add-port=995 [root@mail ~]$ firewalld --permanent --zone=public --add-port=143 [root@mail ~]$ firewalld --permanent --zone=public --add-port=993 [root@mail ~]$ firewalld --reload [root@mail ~]$ firewalld --list-all
Improving Antispam and Antivirus
To increase the efficiency of Antispam feature, let’s enable rule updates for it. Let’s also add a rule in MTA to restrict mails coming from source whose hostname cannot be resolved in reverse direction. Doing these steps will help in enhancing the security of server.
[root@mail ~]$ su zimbra [zimbra@mail root]$ zmlocalconfig -e antispam_enable_rule_updates=true [zimbra@mail root]$ zmlocalconfig -e antispam_enable_restarts=true [zimbra@mail root]$ zmprov ms mail.nmb.com.np +zimbraMtaRestriction reject_unknown_reverse_client_hostname [zimbra@mail root]$ zmamavisdctl restart [zimbra@mail root]$ zmmtactl restart
We can also leverage the help of RBL (Real-time Blackhole List) sites to keep ourselves up-to-date with the spam sources that are recorded worldwide.
[zimbra@mail root]$ <strong>zmprov gacf | grep zimbraMtaRestriction</strong> [zimbra@mail root]$ zmprov mcf zimbraMtaRestriction reject_invalid_hostname zimbraMtaRestriction reject_non-fqdn_hostname zimbraMtaRestriction reject_non_fqdn_sender zimbraMtaRestriction “reject_rbl_client dnsbl.njabl.org” zimbraMtaRestriction “reject_rbl_client cbl.abuseat.org” zimbraMtaRestriction “reject_rbl_client bl.spamcop.net” zimbraMtaRestriction “reject_rbl_client dnsbl.sorbs.net” zimbraMtaRestriction “reject_rbl_client sbl.spamhaus.org” zimbraMtaRestriction “reject_rbl_client relays.mail-abuse.org”
Note:- While adding new RBL site or type, we must first get the existing values and append the new value to it, and only then enter all settings at once.
Tuning up Java Heap Memory Size
This is simple tuning up for our Zimbra Server, which help in effective allocation and management of Java Heap Memory Size.
[zimbra@mail root]$ echo "vm.swappiness=0" >> /etc/sysctl.conf
Zimbra, by default, comes with the self-signed certificate for HTTPS, SSL and TLS communications between clients and server. In case of webmail, it can only be accessed via HTTPS. Nowadays, most of the modern web browsers automatically redirect HTTP request to HTTPS, if available. However, there are still some browsers which don’t rewrite HTTP to HTTPS. So, the Zimbra server should also be able to redirect these connections to more secure medium.
This can be achieved by either using mode mixed or mode redirect. The difference between these two options is that Mixed redirects user’s login request only to HTTPS and then continues to use HTTP for rest of the communication. Whereas in Redirect mode, both user’s login request and all of the communications are taken through HTTPS. So, I personally prefer mode redirect over mode mixed. You may choose as per your requirement.
[zimbra@mail root]$ zmtlsctl mode redirect
If you’re deploying Zimbra as a mail server for production environment, changing logo in webmail is going to be one of the main requirements. However, community edition doesn’t provide a feature to change the logo. Thus, we have to change it from the backend itself. Actually, Zimbra stores all of its logos in the path called /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/skins/_base/logos. So, we need to upload our logos to this same server path using SCP or SFTP or any file transfer tool you like. Then, we need to rename the original logo images to some other name and rename our uploaded images to the names of original logos. At last, let’s change the file ownership for our newly uploaded images.
[root@mail ~]$ cd /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/skins/_base/logos [root@mail logos]$ mv AppBanner_white.png AppBanner_white.png.orig [root@mail logos]$ mv LoginBanner_white.png LoginBanner_white.png.orig [root@mail logos]$ cp custom_logo.png AppBanner_white.png [root@mail logos]$ mv custom_logo.png LoginBanner_white.png [root@mail logos]$ chown zimbra:zimbra AppBanner_white.png [root@mail logos]$ chown zimbra:zimbra LoginBanner_white.png
This should change the logo of Zimbra in webmail login and mailbox pages. Similarly, we can change the logo of admin panel.
Traditional Outlook Integration
You might be wondering why I named it traditional Outlook integration. Well, I called it traditional because most of the old mail servers use no authentication for SMTP, clear text logins for POP or IMAP and no SSL or TLS. So, Outlook clients are also configured in a way to work with the server. However, ZCS 8.6 enables authentication and encryption by default, and doesn’t allow non-authenticated connections and clear text logins.
If you’re setting up your mail server and Email clients for the first time, you simply don’t need to perform this section because you can just go ahead and configure your users’ email clients based on the server’s default configuration. In that case, you’d need to enable outgoing authentication same as Incoming, SSL encryption for both SMTP (port 465) and POP3 (port 995) or IMAP (port 993).
However, there might also be a case where we can be migrating our mail server from one platform or version to another. In that case, all of the users’ email client configuration might be set to use the above mentioned traditional setup. So, after migration to ZCS 8.6, their email clients won’t be able connect to the new server until necessary changes are made. Since it is difficult to implement changes at client side in a large enterprise, we would have to make required changes to the server itself for their existing configuration. Here are the required changes to make this migration as smooth as possible:
- First, let’s disable Authentication for outgoing mails. It can be done by unchecking Enable Authentication within Configure > Global Setting > MTA. After doing this, we don’t need to set Outgoing Authentication same as Incoming inside Outlook.
- Enable Clear Text Login for POP3 and IMAP from Configure > Global Setting > POP3 or IMAP.
- Add our LAN’s network prefix and mask in the mynetworks list.
[zimbra@mail root]$ postconf mynetworks='127.0.0.0/8 192.168.1.0/24' [zimbra@mail root]$ postfix reload
Well, now we have got our Zimbra mail server ready to go online. To finalize the setup, we can set a relay server address for external delivery. It can be set from Configure > Global Setting > MTA. You can leave it empty if you want to use your own server as a relay. Otherwise, you may want to change it to something else. If you’ve got a mail gateway or spam filter appliance, you can use its IP address as a relay server. If you’d like to use the SMTP server of your ISP, then you can use its hostname or IP address here as well.
This completes this blog post. I hope you’ve found it helpful and informative. Please let me know of your suggestion or advise in the Comments section. Thank you for reading!