This guide is to help you perform a Zimbra Multi-Server Installation on CentOS 7. Zimbra has been rated as the best open-source Mail collaboration suite. It can only be matched with Exchange and other commercial email products.

Installing a single-server Zimbra is straightforward, but a multi-server setup has many moving parts, and the components need to be installed in the following order.

  1. Install LDAP server(s) – Multi-Master Replication (MMR) or Replication
  2. Install Zimbra Mailbox Server(s)
  3. Install MTA Server(s)
  4. Install Proxy Server(s)

My setup will have the following servers:

  • 2 LDAP Servers – with Multi-Master Replication (MMR)
  • 2 Mailbox servers
  • 2 MTA Servers
  • 2 Proxy servers – with keepalived and VIP

So the total number of servers for this setup is 7. Hostnames use the following formats

You may need to replace domain.com with your active domain name if you are following this guide strictly. Or modify it to fit your environment.

Lab Environment Setup and Installation

The steps below cover OS setup and installation of the various Zimbra services.

Step 1: Install CentOS 7 on all servers

Step one is to install CentOS 7 on all target servers and update packages to the latest release by running:

sudo yum -y update

Step 2: Install Zimbra Prerequisite packages and set hostnames

Install all packages required for Zimbra installation and set hostnames on all servers. These packages can be installed by running the command:

sudo yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients

Set hostnames using the command:

$ sudo hostnamectl set-hostname <hostname>

E.g

sudo hostnamectl set-hostname ldap-01.domain.com

Step 3: Modify /etc/hosts with the hostname and IP address

Now that the correct hostname is set on each server, edit the hosts file so it maps the server’s IP address to its hostname. You can use the echo command for this, or open the file in an editor:

$ sudo vim /etc/hosts
192.168.1.20 mta-01.domain.com 

Do this on every server.

Step 4: Download latest Zimbra release locally on all servers

Download Zimbra compressed package to each server and extract it to make it ready for the installation process. For this installation, I’m using Zimbra 8.8.

wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz
tar xvf zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz

I like retaining the full name of the file and directory since it helps later when doing an upgrade. If downloading the same version of Zimbra, you should have a directory named zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/.

Step 4: Install Zimbra LDAP Server 1 (ldap-01.domain.com)

We’ll start with the first Zimbra installation, on the first LDAP server. We’ll then configure multi-master replication with the second LDAP server.

cd zcs-8.8.15_GA_3869.RHEL7_64.20190918004220

Start the installation process:

sudo ./install.sh

Answer the prompts as shown below:

Do you agree with the terms of the software license agreement? [N] y       
Use Zimbra's package repository [Y] y

Select the packages to install
Install zimbra-ldap [Y] y       

Install zimbra-logger [Y] n

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] n

Install zimbra-apache [Y] n

Install zimbra-spell [Y] n

Install zimbra-memcached [Y] n

Install zimbra-proxy [Y] n

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-ldap
    zimbra-snmp

The system will be modified.  Continue? [N] Y

The download of packages should now start. My configs are as below:

Common configuration

   1) Hostname:                                ldap-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) Store ephemeral attributes outside Ldap: no                            
   6) Secure interprocess communications:      yes                           
   7) TimeZone:                                UTC                           
   8) IP Mode:                                 ipv4                          
   9) Default SSL digest:                      sha256 

Ldap configuration

   1) Status:                                  Enabled                       
   2) Create Domain:                           yes                           
   3) Domain to create:                        mail.domain.com
   4) Ldap root password:                      set                           
   5) Ldap replication password:               set                           
   6) Ldap postfix password:                   set                           
   7) Ldap amavis password:                    set                           
   8) Ldap nginx password:                     set                           
   9) Ldap Bes Searcher password:              set 

Double-check the settings for Ldap master host, hostname, and domain to create. Once you’re satisfied with the settings, press 'a' to apply them and start the installation and configuration process.

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes] 
Save config in file: [/opt/zimbra/config.31786] 
Saving config in /opt/zimbra/config.31786...done.
The system will be modified - continue? [No] Yes

Once the installation is complete, pull password credentials that you’ll need for all the next steps:

ldap_amavis_password = 4Y9WzugHAz
ldap_bes_searcher_password = 4Y9WzugHAz
ldap_nginx_password = 4Y9WzugHAz
ldap_postfix_password = 4Y9WzugHAz
ldap_replication_password = 4Y9WzugHAz
ldap_root_password = 4Y9WzugHAz
zimbra_ldap_password = 4Y9WzugHAz
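
In the listing above every LDAP service account has the same value, so the bind password stored on a proxy or MTA node is also the LDAP root password. The check below is an added example, not part of the original guide: it reads "key = value" lines in the format shown above and reports which keys share a password without printing the secret. The sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): report LDAP service
# passwords that share a value, without ever printing the value itself.
# Input format: "key = value" lines, as in the listing above.

# Constructed sample input; the values are made up for illustration.
sample_localconfig() {
cat <<'EOF'
ldap_amavis_password = Constructed-AAA1
ldap_nginx_password = Constructed-AAA1
ldap_postfix_password = Constructed-BBB2
ldap_replication_password = Constructed-CCC3
ldap_root_password = Constructed-AAA1
zimbra_ldap_password = Constructed-DDD4
EOF
}

# Reads "key = value" lines on stdin.
# Prints "REUSED: key1 key2 ..." for each value used by more than one key.
find_reused_passwords() {
  awk '
    {
      i = index($0, " = ")
      if (i == 0) next
      key = substr($0, 1, i - 1)
      val = substr($0, i + 3)
      if (key !~ /_password$/) next
      count[val]++
      if (count[val] == 1) keys[val] = key
      else keys[val] = keys[val] " " key
    }
    END {
      for (v in count)
        if (count[v] > 1) print "REUSED: " keys[v]
    }'
}

# Prints the keys whose value equals ldap_root_password: the case where a
# front-end bind password doubles as the LDAP root password.
shares_root_password() {
  awk '
    {
      i = index($0, " = ")
      if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 3)
      if (key == "ldap_root_password") root = val
      else if (key ~ /_password$/) { k[++n] = key; v[n] = val }
    }
    END { for (j = 1; j <= n; j++) if (root != "" && v[j] == root) print k[j] }'
}

# Dry run on the constructed sample.
sample_localconfig | find_reused_passwords
```

On a live node, run it as the zimbra user against the real values: zmlocalconfig -s | grep password | find_reused_passwords. Zimbra's zmldappasswd utility changes these passwords.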

Step 5: Enable LDAP MMR on ldap-01 server

Since we’re setting both LDAP servers to act as masters, we need to enable this functionality on the first master server we just installed.

Enabling Multi-Master replication on an existing Single node master:

# su - zimbra
$ ./libexec/zmldapenable-mmr -s 1 -m ldap://ldap-02.domain.com:389/
$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap-02.domain.com:389/
$ /opt/zimbra/libexec/zmldapmmrtool -q
Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical
Master replication agreement: 2
rid: 101 URI: ldap://ldap-02.domain.com:389/ TLS: critical

On LDAP server 2, install Zimbra as on the first one, but its configuration should look like below:

Common configuration

   1) Hostname:                                ldap-02.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) Store ephemeral attributes outside Ldap: no                            
   6) Secure interprocess communications:      yes                           
   7) TimeZone:                                UTC                           
   8) IP Mode:                                 ipv4                          
   9) Default SSL digest:                      sha256 


Ldap configuration

   1) Status:                                  Enabled                       
   2) Create Domain:                           yes                           
   3) Domain to create:                        mail.domain.com
   4) Ldap replication type:                   mmr                           
   5) Ldap Server ID:                          2                             
   6) Ldap root password:                      set                           
   7) Ldap replication password:               set                           
   8) Ldap postfix password:                   set                           
   9) Ldap amavis password:                    set                           
  10) Ldap nginx password:                     set                           
  11) Ldap Bes Searcher password:              set  

The following should be configured:

  • Ldap Admin password
  • Ldap replication password
  • Ldap replication type: mmr
  • All other passwords

Refer to step 4 for how to obtain all passwords required.

Step 6: Install Zimbra Mailbox Server(s)

Now install the two mailbox servers by running the installer on each.

sudo ./install.sh

The packages to install are:

Do you agree with the terms of the software license agreement? [N] y       
Use Zimbra's package repository [Y] y

Select the packages to install
Install zimbra-ldap [Y] n      

Install zimbra-logger [Y] y

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] y

Install zimbra-apache [Y] y

Install zimbra-spell [Y] y

Install zimbra-memcached [Y] n

Install zimbra-proxy [Y] n

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Install zimbra-imapd (BETA - for evaluation only) [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-logger
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell
    zimbra-convertd
    zimbra-archiving
    zimbra-drive

The system will be modified.  Continue? [N] Y

Please note that you need to install logger on only one server. For me, the logger is installed on mx-01. Configs look like below:


Common configuration

   1) Hostname:                                mx-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) LDAP Base DN:                            cn=zimbra                     
   6) Store ephemeral attributes outside Ldap: yes                           
   7) Value for zimbraEphemeralBackendURL:     ldap://default                
   8) Secure interprocess communications:      yes                           
   9) TimeZone:                                UTC                           
  10) IP Mode:                                 ipv4                          
  11) Default SSL digest:                      sha256 

Under Common configuration, set:

Under zimbra-store make sure the following items are configured:

  • Admin Password:
  • SMTP host:
  • Configure for use with mail proxy: TRUE
  • Configure for use with web proxy: TRUE
  • Install UI (zimbra,zimbraAdmin webapps): yes
  • Install mailstore (service webapp): yes

You can modify any other settings you consider necessary and start the installation process. For the other Mailbox server, repeat the same steps but don’t install the logger; it will run on mx-01.

Step 7: Install Zimbra MTA Server(s)

The next phase is the installation of MTA servers. Your package selection should be as below:

Select the packages to install

Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] y
Install zimbra-dnscache [Y] y
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n

Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-mta
    zimbra-snmp
    zimbra-dnscache

The system will be modified.  Continue? [N] y

On the configurations window, make sure to set the following:

Under 1) Common Configuration, set:

  • Hostname:
  • Ldap master host:
  • Ldap Admin password:

   1) Hostname:                                mta-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389
   4) Ldap Admin password:                     set
   5) LDAP Base DN:                            cn=zimbra
   6) Store ephemeral attributes outside Ldap: yes
   7) Value for zimbraEphemeralBackendURL:     ldap://default
   8) Secure interprocess communications:      yes
   9) TimeZone:                                UTC
  10) IP Mode:                                 ipv4
  11) Default SSL digest:                      sha256

Under 2) zimbra-mta set

  • Bind password for postfix ldap user:
  • Bind password for amavis ldap user:

Look at step 4 for how to obtain them.

Mta configuration

   1) Status:                                  Enabled                       
   2) Enable Spamassassin:                     yes                           
   3) Enable Clam AV:                          yes                           
   4) Enable OpenDKIM:                         yes                           
   5) Notification address for AV alerts:      [email protected]
   6) Bind password for postfix ldap user:     set                           
   7) Bind password for amavis ldap user:      set 

Under zimbra-dnscache, configure master DNS ip addresses separated by space:

DNS Cache configuration

   1) Status:                                  Enabled                       
   2) Master DNS IP address(es):               8.8.4.4 1.1.1.1  8.8.8.8 
   3) Enable DNS lookups over TCP:             yes                           
   4) Enable DNS lookups over UDP:             yes                           
   5) Only allow TCP to communicate with Master DNS: no 

Once done, save the settings and press 'a' to apply them and begin the Zimbra MTA setup.

Step 7: Install Zimbra Proxy Server(s)

For installation of Zimbra Proxy server(s), you need to select the following packages during installation:

Select the packages to install

Install zimbra-ldap [Y] n

Install zimbra-logger [Y] n

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] n

Install zimbra-apache [Y] n

Install zimbra-spell [Y] n

Install zimbra-memcached [Y] y

Install zimbra-proxy [Y] y

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-snmp
    zimbra-memcached
    zimbra-proxy

The system will be modified.  Continue? [N] y

Fill all required information:


Common configuration

   1) Hostname:                                proxy-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) LDAP Base DN:                            cn=zimbra                     
   6) Store ephemeral attributes outside Ldap: yes                           
   7) Value for zimbraEphemeralBackendURL:     ldap://default                
   8) Secure interprocess communications:      yes                           
   9) TimeZone:                                UTC                           
  10) IP Mode:                                 ipv4                          
  11) Default SSL digest:                      sha256  

Proxy configuration

   1) Status:                                  Enabled                       
   2) Enable POP/IMAP Proxy:                   TRUE                          
   3) Enable strict server name enforcement?   TRUE                          
   4) IMAP server port:                        7143                          
   5) IMAP server SSL port:                    7993                          
   6) IMAP proxy port:                         143                           
   7) IMAP SSL proxy port:                     993                           
   8) POP server port:                         7110                          
   9) POP server SSL port:                     7995                          
  10) POP proxy port:                          110                           
  11) POP SSL proxy port:                      995                           
  12) Bind password for nginx ldap user:       set                           
  13) Enable HTTP[S] Proxy:                    TRUE                          
  14) Web server HTTP port:                    8080                          
  15) Web server HTTPS port:                   8443                          
  16) HTTP proxy port:                         80                            
  17) HTTPS proxy port:                        443                           
  18) Proxy server mode:                       redirect 

For Proxy Server mode you can choose http, https, both, redirect or mixed depending on your requirements. In my case, I’m using a redirect.

Once all Zimbra proxy servers are installed, enable the admin console proxy on port 9071 by running the following command on the proxy servers as the zimbra user:

$ sudo su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`

  • This will enable admin console proxy port 9071 on the proxy server.
  • Make sure the mailbox server’s admin console is configured on port 7071 (default).

You need to restart proxy service after making the changes:

$ zmproxyctl restart

The service should bind to port 9071. You can confirm this with the ss command:

$ ss -tunelp | grep 9071

To access admin console over a proxy, the URL should be https://proxy-0x.domain.com:9071/

Step 8: Configure Zimbra Logger Service

As mentioned earlier, our logger service will run on mailbox server 1 (mx-01.domain.com). For this, we need to first install and configure rsyslog service on this server.

Uncomment the following lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Also, add this line after $UDPServerRun 514:

SYSLOGD_options="-r -m 0"

Then set up Zimbra syslog and restart the rsyslog service:

$ /opt/zimbra/libexec/zmfixperms -e -v
$ /opt/zimbra/libexec/zmsyslogsetup

updateSyslog: Updating /etc/rsyslog.conf...done.

$ sudo systemctl restart rsyslog.service
$ sudo su - zimbra
$ /opt/zimbra/libexec/zmloggerinit

Stopping logswatch...done.
Starting logswatch...done.
$ /opt/zimbra/bin/zmupdateauthkeys

Verify zimbraLogHostname using the commands below. It should be set to the name of the logger monitor host on all servers.

$ sudo su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx-01.domain.com

If it is different, change it to the logger monitor host using the command below.

$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>

Configure each Zimbra server to log to the newly configured logger server.

$ sudo /opt/zimbra/libexec/zmfixperms -e -v
$ sudo su - zimbra
/opt/zimbra/bin/zmupdateauthkeys ; exit

$ /opt/zimbra/libexec/zmsyslogsetup
$ sudo systemctl restart rsyslog
$ sudo su - zimbra -c "zmcontrol restart"

Step 9: Configure Zimbra Proxy HA with Keepalived

Since we have two Zimbra proxy servers, we need to ensure that we have HA for the proxy server. My setup for the proxy is:

The target solution diagram is

In a nutshell, this is how it works:

  1. The Proxy Master has the VIP
  2. The Proxy Master becomes unavailable
  3. The VIP is passed to the Backup server, which then handles the service

I will configure proxy-01 as master, and proxy-02 as a Backup server.

Install Keepalived on both servers.

sudo yum -y install keepalived

Configure Keepalived on Master Server (proxy-01)

$ sudo vim /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
  script "killall -0 nginx" # check the zimbra nginx process
  interval 2 # every 2 seconds
  weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
  interface eth0 # interface to monitor
  state MASTER # MASTER on proxy-01, BACKUP on proxy-02
  virtual_router_id 51
  priority 101 # 101 on proxy-01, 100 on proxy-02
  virtual_ipaddress {
    192.168.1.23/24
  }
  track_script {
    chk_zimbra_nginx
  }
}

Configure Keepalived on Backup Server (proxy-02)

$ sudo vim /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
  script "killall -0 nginx" # check the zimbra nginx process
  interval 2 # every 2 seconds
  weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
  interface eth0 # interface to monitor
  state BACKUP # MASTER on proxy-01, BACKUP on proxy-02
  virtual_router_id 51
  priority 100 # 101 on proxy-01, 100 on proxy-02
  virtual_ipaddress {
    192.168.1.23/24
  }
  track_script {
    chk_zimbra_nginx
  }
}

Enable IP forwarding and configure firewalld:

Keepalived requires IP forwarding to be enabled and firewall rules that let VRRP packets through.

Enable IP forwarding:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Add firewall rules to allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112) on each network interface that Keepalived will control, for example:

sudo firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 --in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT 

sudo firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 --out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT 

sudo firewall-cmd --reload

Enable and start the keepalived service on each server:

sudo systemctl enable keepalived
sudo systemctl start keepalived

If you change the Keepalived configuration, reload the keepalived service:

sudo systemctl reload keepalived

You can test keepalived functionality by killing the nginx process on the master server and checking whether the virtual IP moves to the backup server:

$ sudo killall nginx
$ ip addr   # run on the backup server to check the IP address configuration

Step 10: Reset admin password and Access Web UI

Reset admin password:

$ sudo su - zimbra
$ zmprov sp <admin account address> strongpassword

Access Web UI through direct access to proxy servers or hostname that points to proxy servers. Admin dashboard is accessible from port 9071.

You can configure firewall rules for proxy servers using:

sudo firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
sudo firewall-cmd --add-port=11211/tcp --permanent
sudo firewall-cmd --add-port=9071/tcp --permanent
sudo firewall-cmd --reload

To restrict access to the admin interface to a specific IP address, use firewalld rich rules instead:

sudo firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=source-ip-address/32 \
destination address=dest-ip-address/32 port port=9071 protocol=tcp accept"

Remember to replace source-ip-address with source IP address and dest-ip-address with the proxy server destination IP address.
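
Opening 11211/tcp and 9071/tcp with --add-port, as above, exposes memcached and the admin console to every host that can reach the proxy. The script below is an added example, not part of the original guide: it applies the rich-rule form to both ports and prints the commands for review. All addresses other than the VIP are constructed placeholders, and the list of hosts that need memcached is an assumption.

```shell
#!/bin/sh
# Added example (not from the original guide): build firewalld rich rules
# that admit only named sources to memcached (11211) and the admin
# console proxy (9071), replacing the open --add-port rules.
# Every address except the VIP 192.168.1.23 is a constructed placeholder.

PROXY_IP="192.168.1.31"   # constructed: this proxy server's own address
VIP="192.168.1.23"        # virtual IP from the Keepalived step
MEMCACHED_CLIENTS="192.168.1.32 192.168.1.41 192.168.1.42"  # assumed: peer proxy and mailbox servers
ADMIN_CLIENTS="192.168.1.100"                               # assumed: admin workstation

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# rich_rule <source-ip> <dest-ip> <tcp-port>: print one rich rule string.
rich_rule() {
  is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad address: $1 -> $2" >&2; return 1; }
  case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
  printf 'rule family=ipv4 source address=%s/32 destination address=%s/32 port port=%s protocol=tcp accept\n' "$1" "$2" "$3"
}

# plan: print the firewall-cmd commands instead of running them, so the
# change can be reviewed before it is applied.
plan() {
  echo 'firewall-cmd --permanent --remove-port=11211/tcp'
  echo 'firewall-cmd --permanent --remove-port=9071/tcp'
  for src in $MEMCACHED_CLIENTS; do
    rule=$(rich_rule "$src" "$PROXY_IP" 11211) || return 1
    echo "firewall-cmd --permanent --add-rich-rule=\"$rule\""
  done
  for src in $ADMIN_CLIENTS; do
    # the admin console may be reached on the proxy's own address or the VIP
    for dst in "$PROXY_IP" "$VIP"; do
      rule=$(rich_rule "$src" "$dst" 9071) || return 1
      echo "firewall-cmd --permanent --add-rich-rule=\"$rule\""
    done
  done
  echo 'firewall-cmd --reload'
}

plan
```

Review the printed commands, then pipe the script's output to sudo sh on each proxy server to apply them.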

You should now be ready to roll. Reset the admin password and log in to the Admin dashboard to start making changes and further configuring your Zimbra installation. Also, read our previous guide on Zimbra Firewall Configuration with ufw for Ubuntu and firewalld for CentOS.

2 COMMENTS

  1. Hi Kim,

    My name is Landi, I have been following some of your documentation. Good job,

    I have a failed Zimbra instance which I would like to resuscitate, please.

    Are you available ?
