Setting up a Let's Encrypt certificate for Zimbra 8.8.9 Original article Published: 11 August 2018 Updated: 30 November 2019 Following the update of my server and the renewal of the certificate, I am updating the procedure so that it is less confusing than the previous one. /!\ […]
Category: Zimbra
[Zimbra] Slowness and degraded access to the Webmail
Slowness and degraded access to the Zimbra Webmail Original article Published: 09 November 2019 Updated: – Like a RAID controller in degraded mode, our Zimbra server became slower and slower to access, day after day, until it became unreachable. We noticed that the file […]
[Zimbra] Clamd failed to start, Zimbra version 8.8
Clamd failed to start, Zimbra 8.8 Original article Published: 09 November 2019 Updated: – It is not really tied to the version, but release after release Zimbra is becoming more and more resource-hungry. My server had suffered an outage, and once service was restored I […]
[Zimbra] Miscellaneous notes ..
Miscellaneous notes for Zimbra Original article Published: 17 April 2017 Updated: 07 September 2019 Trusted MTA networks Check the list of trusted MTAs

```shell
$ zmprov gs `zmhostname` zimbraMtaMyNetworks
```

Add a machine or a network to the trusted MTAs

```shell
$ zmprov ms nom_du_serveur_zimbra zimbraMtaMyNetworks "127.0.0.0/8 [::1]/128 151.xxx.xxx.xxx/32 54.xxx.xxx.xxx/32"
```

Restart the service to take […]
[Zimbra] Patch the vulnerability or update to 8.8.12
Patch the Zimbra vulnerability or update to 8.8.12 Original article Published: 05 June 2019 Updated: – Following a critical vulnerability (CVE-2019-9621) affecting versions 7.0 to 8.8.11 patch2 https://www.cvedetails.com/cve/CVE-2019-9621 The patches are available here: https://wiki.zimbra.com/wiki/Security_Center The latest Zimbra release, 8.8.12, is here: https://www.zimbra.org/download/zimbra-collaboration […]
[Zimbra] Getting the size of the mailboxes
Getting the size of the mailboxes A complete script found on the Zimbra wiki. Run it as the zimbra user, or as root with the full path to the zmprov command.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Ask the local mailbox server for the quota and usage of every account.
# Run as the zimbra user, or as root with the full path to zmprov.
my $hostname = 'localhost';
my @quotas = `/opt/zimbra/bin/zmprov gqu $hostname`;

foreach my $quotaline (@quotas) {
    chomp($quotaline);
    # Each line printed by "zmprov gqu" is: <email> <quota in bytes> <usage in bytes>
    my ($email, $quota, $usage) = split(' ', $quotaline);
    $quota = utils_convert_bytes_to_optimal_unit($quota);
    $usage = utils_convert_bytes_to_optimal_unit($usage);
    print "$email - $usage\n";
}

# Convert a byte count into the most readable unit (Bytes, KB, MB, GB, TB).
sub utils_convert_bytes_to_optimal_unit {
    my ($bytes) = @_;
    return '' unless defined $bytes && $bytes ne '';
    my $size;
    $size = $bytes . ' Bytes' if $bytes < 1024;
    $size = sprintf("%.2f", $bytes/1024) . ' KB' if $bytes >= 1024 && $bytes < 1048576;
    $size = sprintf("%.2f", $bytes/1048576) . ' MB' if $bytes >= 1048576 && $bytes < 1073741824;
    $size = sprintf("%.2f", $bytes/1073741824) . ' GB' if $bytes >= 1073741824 && $bytes < 1099511627776;
    $size = sprintf("%.2f", $bytes/1099511627776) . ' TB' if $bytes >= 1099511627776;
    return $size;
}
```

Which returns the following result

```
user1@mondomaine.tld - 3.31 GB
user2@mondomaine.tld - 3.30 GB
user3@mondomaine.tld - 3.27 GB
user4@mondomaine.tld - 3.26 GB
user5@mondomaine.tld - 3.23 GB
user6@mondomaine.tld - 2.83 GB
user7@mondomaine.tld - 2.82 GB
user1@mondomaine.tld - 2.78 GB
user1@mondomaine.tld - 2.71 GB
user1@mondomaine.tld - 2.50 GB
...
```

Another, lighter script that gives the results in MB

```bash
#!/bin/bash
# List the mailbox size (in MB) of every account, using "zmmailbox gms".
# Run as the zimbra user.
all_account=$(zmprov -l gaa)
for account in ${all_account}
do
  mb_size=$(zmmailbox -z -m "${account}" gms)
  echo "- boite émail de ${account} = ${mb_size}."
done
```

Which […]
[Zimbra] Importing the licence
Importing the licence My Zimbra server is made up of several VMs; the licence must be imported on the VM that runs the zimbraAdmin service. To make sure which one that is, run the following command as the zimbra user

```shell
$ zmprov gs `zmhostname` | grep zimbraServiceEnabled
```

Which returns

```
zimbraServiceEnabled: service
zimbraServiceEnabled: zimbra
zimbraServiceEnabled: zimbraAdmin
zimbraServiceEnabled: zimlet
zimbraServiceEnabled: mailbox
zimbraServiceEnabled: convertd
zimbraServiceEnabled: stats
zimbraServiceEnabled: spell
zimbraServiceEnabled: archiving
zimbraServiceEnabled: logger
```

On a VM that does not run this service, the import returns the following error

```shell
$ zmlicense -i /tmp/ZCSLicense.xml
```

[…]
[Zimbra] Setting up archiving on the ZCS edition
Setting up archiving on the ZCS edition Archiving is only available on the ZCS edition and is subject to a licence. To set it up, log in as the zimbra user and run the following command.

```shell
$ zmprov ms nomduserveur.domaine.tld +zimbraServiceEnabled archiving
```

Then, to archive the mailboxes (also define the COS).

```shell
$ zmarchiveconfig enable utilisateur@domaine.tld archive-cos cos_utilisateur
```

Note […]
[Zabbix] Adding a template for Zimbra
To monitor the various services of the Zimbra server. There is a script on GitHub https://github.com/YetOpen/zabbix-scripts/tree/master/zabbix-zimbra On the Zimbra server, after installing the Zabbix agent, create a configuration file and paste the content below into it.

```shell
$ sudo vim /etc/zabbix/zabbix_agentd.d/yo-zimbra.conf
```

```
UserParameter=zimbra.status[*],/etc/zabbix/scripts/zbx_zimbra.sh "$1"
UserParameter=zimbra.version,/etc/zabbix/scripts/zbx_zimbra.sh version
UserParameter=zimbra.discovery,/etc/zabbix/scripts/zbx_zimbra.sh discover
# zmcontrol takes some time...
Timeout=15
```

The script requires privileges; create and paste the following content into sudoers […]
[Zimbra] Server update to 8.7.7
Server update to 8.7.7 I am currently on 8.7.3. Nothing complicated; I will take the opportunity to install the Drive module and the Chat module, which I had tested in beta a few years ago on version 7. It is possible to configure a desktop XMPP client. […]
[Certificate] Setting up a Let's Encrypt certificate for Zimbra
Setting up a Let's Encrypt certificate for Zimbra Deprecated, see the more recent article https://it.izero.fr/certificat-mise-en-place-dun-certificat-lets-encrypt-pour-zimbra-8-8-9/ Prerequisites See the article Installing Let's Encrypt /!\ First of all, retrieve the root CA (root certificate), which is available at https://www.identrust.com/certificates/trustid/root-download-x3.html Create the file, then add the root certificate chain

```shell
$ sudo vim /tmp/root-ca.pem
```

```
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
```

[…]
[Zimbra] Installing the Zimbra server
Installing Zimbra OS version: CentOS 6.8 Zimbra version: 8.7 Prerequisites See the article Preparing a CentOS 6.x machine /!\ Disable postfix: Zimbra uses its own MTA /!\ Check that port 25 is not blocked by the ISP!!! Start by installing the following additional packages

```shell
# yum install perl sysstat nc
```

Then download […]
[GAL] Fetching the Zimbra Global Address List in Thunderbird
Configure LDAP in Thunderbird as below
Name: Societe
Hostname: hostname.domaine.tld
Base DN: ou=people,dc=domaine,dc=tld
Port number: 389
Bind DN: uid="id de messagerie", ou=people,dc=domaine,dc=tld
[Zimbra] Setting up Fail2ban
Fail2ban OS version: CentOS 6.8 Mail software: Zimbra 8.7.5 To block brute-force login attempts and the like, the epel-release package must be installed

```shell
$ sudo yum install epel-release
```

then launch the installation of fail2ban

```shell
$ sudo yum install fail2ban
```

Then copy the jail.conf file (as jail.local) and edit the copy

```shell
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
```

```shell
$ sudo vim /etc/fail2ban/jail.local
```

```
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ippublic/et/ou/local

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = -1

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
#destemail = adressemail

# Sender email address used solely for some actions
#sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

#
# SSH servers
#

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=adressemail, sender=fail2ban@localhost]
logpath  = /var/log/secure
maxretry = 3

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[zimbra-account]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=zimbra-account]
           sendmail-whois[name=Zimbra-account, dest=adressemail, sender=fail2ban@localhost]
logpath  = /opt/zimbra/log/mailbox.log
bantime  = -1
maxretry = 3

[zimbra-audit]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=zimbra-audit]
           sendmail-whois[name=Zimbra-audit, dest=adressemail, sender=fail2ban@localhost]
logpath  = /opt/zimbra/log/audit.log
bantime  = -1
maxretry = 3

[zimbra-recipient]
enabled  = true
filter   = zimbra
action   = iptables-allports[name=zimbra-recipient]
           sendmail-whois[name=Zimbra-recipient, dest=adressemail, sender=fail2ban@localhost]
logpath  = /var/log/zimbra.log
#findtime = 604800
bantime  = -1
maxretry = 3

[postfix]
enabled  = true
filter   = postfix
action   = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
           sendmail-whois[name=Zimbra-postfix, dest=adressemail, sender=fail2ban@localhost]
logpath  = /var/log/zimbra.log
maxretry = 3
```

Then create the zimbra.conf file […]