This guide is to help you perform a Zimbra Multi-Server Installation on CentOS 7. Zimbra has been rated as the best open-source Mail collaboration suite. It can only be matched with Exchange and other commercial email products.
Installing a single-server Zimbra is a straightforward process, but a multi-server setup has many moving parts, and the steps need to be performed in the following order:
- Install LDAP server(s) – Multi-Master Replication (MMR) or Replication
- Install Zimbra Mailbox Server(s)
- Install MTA Server(s)
- Install Proxy Server(s)
My setup will have the following servers:
- 2 LDAP Servers – with Multi-Master Replication (MMR)
- 2 Mailbox servers
- 2 MTA Servers
- 2 Proxy servers – with keepalived and VIP
So the total number of servers for this setup is 7. Hostnames use the following formats
- LDAP Servers – ldap-01.domain.com & ldap-02.domain.com
- Mailbox servers – mx-01.domain.com & mx-02.domain.com
- 2 MTA servers – mta-01.domain.com & mta-02.domain.com
- 2 Proxy servers – proxy-01.domain.com & proxy-02.domain.com. VIP on mail.domain.com
You may need to replace domain.com with your active domain name if you are following this guide strictly. Or modify it to fit your environment.
Lab Environment Setup and Installation
The steps below cover OS setup and installation of the various Zimbra services.
Step 1: Install CentOS 7 on all servers
Step one is to install CentOS 7 on all target servers and update packages to the latest release by running:
# yum -y update
Step 2: Install Zimbra Prerequisite packages and set hostnames
Install all packages required for Zimbra installation and set hostnames on all servers. These packages can be installed by running the command:
# yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients
Set hostnames using the command:
# hostnamectl set-hostname <hostname>
E.g
# hostnamectl set-hostname ldap-01.domain.com
Step 3: Modify /etc/hosts with the hostname and IP address
Now that you have the correct hostname set on each server, edit the hosts file to add the IP address and hostname. You can use the echo command for this:
# echo <IP Address> <Hostname> >> /etc/hosts
E.g
# echo 192.168.1.20 mta-01.domain.com >> /etc/hosts
Do this on all your servers.
Step 4: Download latest Zimbra release locally on all servers
Download the Zimbra compressed package to each server and extract it to make it ready for the installation process. For this installation, I’m using Zimbra 8.8.
# wget https://files.zimbra.com/downloads/8.8.8_GA/zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
# tar -xvf zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
I like retaining the full name of the file and directory since it helps later when doing an upgrade. If downloading the same version of Zimbra, you should have a directory named zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/.
Step 4: Install Zimbra LDAP Server 1 (ldap-01.domain.com)
We’ll start with the first installation of Zimbra on an LDAP server. For the other LDAP server, we’ll configure multi-master replication afterwards.
# cd zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/
Start the installation process:
# ./install.sh
Fill information like below:
The download of packages should now start. My configs are as below:
Double-check the settings for Ldap master host, hostname, and domain to create. Once you’re satisfied with the settings, press a to start the installation and configuration process.
Once the installation is complete, pull password credentials that you’ll need for all the next steps:
Step 5: Enable LDAP MMR on ldap-01 server
Since we’re setting both LDAP servers to act as masters, we need to enable this functionality on the first master server we just installed.
Enabling Multi-Master replication on an existing Single node master:
On Ldap Server 2, install Zimbra like the first one, but its configuration should look like below:
The following should be configured:
- Ldap Admin password
- Ldap replication password
- Ldap replication type: mmr
- All other passwords
Refer to step 4 for how to obtain all passwords required.
Step 6: Install Zimbra Mailbox Server(s)
Now install two mailbox servers by running the installer.
# ./install.sh
The packages to install are:
Please note that you need to install logger on only one server. For me, the logger is installed on mx-01. Configs look like below:
Under Common configuration, set:
- Hostname: mx-01.domain.com
- Ldap master host: ldap-01.domain.com
- Ldap Admin password:
Under zimbra-store make sure the following items are configured:
- Admin Password:
- SMTP host:
- Configure for use with mail proxy: TRUE
- Configure for use with web proxy: TRUE
- Install UI (zimbra,zimbraAdmin webapps): yes
- Install mailstore (service webapp): yes
You can modify any other settings you see necessary and start the installation process. For the other Mailbox server, repeat the same steps but don’t install the logger; it will run on mx-01.
Step 7: Install Zimbra MTA Server(s)
The next phase is the installation of MTA servers. Your package selection should be as below:
On the configurations window, make sure to set the following:
Under 1) Common Configuration, set:
- Hostname:
- Ldap master host:
- Ldap Admin password:
Under 2) zimbra-mta set
- Bind password for postfix ldap user:
- Bind password for amavis ldap user:
Look at step 4 for how to obtain them.
Under zimbra-dnscache, configure master DNS ip addresses separated by space:
Once done, save the settings and type a to begin Zimbra MTA setup.
Step 7: Install Zimbra Proxy Server(s)
For installation of Zimbra Proxy server(s), you need to select the following packages during installation:
Fill all required information:
For Proxy Server mode you can choose http, https, both, redirect or mixed depending on your requirements. In my case, I’m using a redirect.
Once all Zimbra proxy servers are installed, enable proxy console on port 9071 by running the following command on proxy servers as Zimbra user:
# su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`
- This will enable admin console proxy port 9071 on the proxy server.
- Make sure mailbox server’s admin console is configured on port 7071 (default).
You need to restart proxy service after making the changes:
$ zmproxyctl restart
The service should bind to port 9071; you can confirm this with the ss command:
$ ss -tunelp | grep 9071
To access admin console over a proxy, the URL should be https://proxy-0x.domain.com:9071/
Step 8: Configure Zimbra Logger Service
As mentioned earlier, our logger service will run on mailbox server 1 (mx-01.domain.com). For this, we need to first install and configure rsyslog service on this server.
Uncomment the following lines in /etc/rsyslog.conf:
$ModLoad imudp
$UDPServerRun 514
Also, add this line after $UDPServerRun 514:
SYSLOGD_options="-r -m 0"
Then setup Zimbra syslog and restart rsyslog service:
Verify the LogHostname using the commands below. It should be set to the name of the logger monitor host on all servers.
# su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx-01.domain.com
If it is different, change it to the logger monitor host using the command below.
$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>
Configure each Zimbra server to log to the newly set logger server.
# /opt/zimbra/libexec/zmfixperms -e -v
# su - zimbra
$ /opt/zimbra/bin/zmupdateauthkeys ; exit
# /opt/zimbra/libexec/zmsyslogsetup
# systemctl restart rsyslog
# su - zimbra -c "zmcontrol restart"
Step 9: Configure Zimbra Proxy HA with Keepalived
Since we have two Zimbra proxy servers, we need to ensure that we have HA for the proxy server. My setup for the proxy is:
- 2 Proxy servers – proxy-01.domain.com & proxy-02.domain.com
- Both will be served using mail.domain.com
The target solution diagram is
In a nutshell, this is how it works:
- The Proxy Master has the VIP
- The Proxy Master becomes unavailable
- The VIP is passed to the Backup server, which will handle the service
I will configure proxy-01 as master, and proxy-02 as a Backup server.
Install Keepalived on both servers.
# yum -y install keepalived
Configure Keepalived on Master Server (proxy-01)
Configure Keepalived on Backup Server (proxy-02)
Enable IP forwarding and configure firewalld:
Keepalived requires IP forwarding configured and some firewall rules added for VRRP packets to come through.
Enable IP forwarding:
# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1
Add firewall rules to allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112) on each network interface that Keepalived will control, for example:
Enable and start the keepalived service on each server:
# systemctl enable keepalived
# systemctl start keepalived
If you change the Keepalived configuration, reload the keepalived service:
# systemctl reload keepalived
You can test keepalived functionality by killing the nginx process on the master server and checking whether the Virtual IP is switched to the backup server:
# killall nginx
# ip add   # Run on Backup server to check IP address configuration
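A stricter check for the failover test above, as an added example that is not part of the original guide: it compares the address lists of both proxies and reports which one holds the VIP, including the case where both do. The VIP 192.0.2.10, the function names and the sample `ip -o -4 addr show` output are constructed assumptions.

```sh
#!/bin/sh
# Added example, not from the original guide. The VIP 192.0.2.10 and the
# sample `ip -o -4 addr show` output below are constructed placeholders.

# Usage: ip -o -4 addr show | vip_interface <vip>
# Prints the interface holding <vip>; returns 1 if none does. The whole
# address is compared, so 192.0.2.10 never matches 192.0.2.100.
vip_interface() {
    awk -v vip="$1" '
        $3 == "inet" {
            split($4, a, "/")
            if (a[1] == vip) { print $2; found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Usage: vip_state <vip> <proxy-01 output> <proxy-02 output>
vip_state() {
    on_master=no; on_backup=no
    if printf '%s\n' "$2" | vip_interface "$1" >/dev/null; then on_master=yes; fi
    if printf '%s\n' "$3" | vip_interface "$1" >/dev/null; then on_backup=yes; fi
    case $on_master$on_backup in
        yesno)  echo "master" ;;
        noyes)  echo "backup" ;;
        yesyes) echo "split-brain" ;;  # both hold the VIP: check that VRRP adverts get through
        *)      echo "none" ;;         # neither node holds the VIP
    esac
}

# Constructed output, as it might look after nginx was killed on proxy-01.
# On real hosts, collect it with: ssh <host> ip -o -4 addr show
PROXY01_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.100/32 scope global eth0'
PROXY02_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.12/24 brd 192.0.2.255 scope global eth0
2: eth0    inet 192.0.2.10/32 scope global eth0'

vip_state 192.0.2.10 "$PROXY01_ADDRS" "$PROXY02_ADDRS"
```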
Step 10: Reset admin password and Access Web UI
Reset admin password:
# su - zimbra
$ zmprov sp admin@domain.com strongpassword
Access the Web UI either directly on the proxy servers or through a hostname that points to the proxy servers. The Admin dashboard is accessible on port 9071.
You can configure firewall rules for proxy servers using:
firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
firewall-cmd --add-port=11211/tcp --permanent
firewall-cmd --add-port=9071/tcp --permanent
firewall-cmd --reload
To restrict access to the admin interface to a specific IP address, use firewalld rich rules instead:
firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=source-ip-address/32 \
  destination address=dest-ip-address/32 port port=9071 protocol=tcp accept"
Remember to replace source-ip-address with source IP address and dest-ip-address with the proxy server destination IP address.
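The rich-rule approach above, scripted for several admin source addresses; this is an added example, not part of the original guide, and it only prints the firewall-cmd commands so they can be reviewed before being run. The function names and the 192.0.2.x and 198.51.100.x addresses are assumptions (constructed placeholders).

```sh
#!/bin/sh
# Added example, not from the original guide. Addresses are constructed
# placeholders from the documentation ranges; commands are printed, not run.

# Return 0 only for a strict dotted-quad IPv4 address (no leading zeros).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: admin_console_rules <proxy-ip> <admin-source-ip>...
# Validates every address first, so a typo never yields a partial rule set.
admin_console_rules() {
    dest=$1
    [ $# -ge 2 ] || { echo "need a proxy IP and at least one source" >&2; return 1; }
    shift
    for ip in "$dest" "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    # Drop the open 9071/tcp rule if it was added earlier; otherwise the
    # port stays reachable from everywhere regardless of the rich rules.
    echo "firewall-cmd --permanent --remove-port=9071/tcp"
    for src in "$@"; do
        echo "firewall-cmd --permanent --add-rich-rule=\"rule family=ipv4" \
             "source address=$src/32 destination address=$dest/32" \
             "port port=9071 protocol=tcp accept\""
    done
    echo "firewall-cmd --reload"
}

# Constructed sample: proxy-01 at 192.0.2.11, two admin workstations.
admin_console_rules 192.0.2.11 198.51.100.7 198.51.100.8
```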
You should now be ready to roll: reset the admin password and log in to the Admin dashboard to start making changes and doing further configuration of your Zimbra installation. Also, read our previous guide on Zimbra Firewall Configuration with ufw for Ubuntu and firewalld for CentOS.