(Last Updated On: April 16, 2018)

This guide is to help you perform a Zimbra Multi-Server Installation on CentOS 7. Zimbra has been rated as the best open-source Mail collaboration suite. It can only be matched with Exchange and other commercial email products.

Installing a single-server Zimbra is straightforward, but a multi-server setup has many moving parts and needs to be performed in the following order.

  1. Install LDAP server(s) – Multi-Master Replication (MMR) or Replication
  2. Install Zimbra Mailbox Server(s)
  3. Install MTA Server(s)
  4. Install Proxy Server(s)

My setup will have the following servers:

  • 2 LDAP Servers – with Multi-Master Replication (MMR)
  • 2 Mailbox servers
  • 2 MTA Servers
  • 2 Proxy servers – with keepalived and VIP

So the total number of servers for this setup is 7. Hostnames use the following formats:

  • LDAP servers – ldap-01.domain.com & ldap-02.domain.com
  • Mailbox servers – mx-01.domain.com & mx-02.domain.com
  • MTA servers – mta-01.domain.com & mta-02.domain.com
  • Proxy servers – proxy-01.domain.com & proxy-02.domain.com, with the VIP on mail.domain.com

You may need to replace domain.com with your active domain name if you are following this guide strictly. Or modify it to fit your environment.

Lab Environment Setup and Installation

The steps below cover OS setup and the installation of the various Zimbra services.

Step 1: Install CentOS 7 on all servers

Step one is to install CentOS 7 on all target servers and update packages to the latest release by running:

# yum -y update

Step 2: Install Zimbra Prerequisite packages and set hostnames

Install all packages required for Zimbra installation and set hostnames on all servers. These packages can be installed by running the command:

# yum -y install perl-core unzip libaio nmap-ncat sysstat openssh-clients

Set hostnames using the command:

# hostnamectl set-hostname <hostname>

E.g.:

# hostnamectl set-hostname ldap-01.domain.com

Step 3: Modify /etc/hosts with the hostname and IP address

Now that you have the correct hostname set on each server, edit the hosts file so it contains the server's IP address and hostname. You can use the echo command for this:

# echo <IP Address> <Hostname> >> /etc/hosts

E.g.:

# echo  192.168.1.20 mta-01.domain.com >> /etc/hosts

Do this on all the servers you have.
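Appending with echo on every rerun leaves duplicate or stale lines in /etc/hosts, and in a seven-node setup every node has to resolve every other node to the same address. The script below is an added example, not part of the original guide: it keeps one inventory of all nodes, removes any stale line for a hostname before writing the current one, and is therefore safe to run repeatedly on every server. The addresses other than mta-01 (192.168.1.20) and the VIP (192.168.1.23) are constructed placeholders; the assumption that each node should resolve all of the others locally is mine, not the guide's.

```shell
#!/bin/sh
# Added example (not from the original guide): keep /etc/hosts on every node
# in sync with one inventory of the whole Zimbra cluster.
# Addresses other than mta-01 and the VIP are constructed placeholders.
ZIMBRA_INVENTORY="
192.168.1.10 ldap-01.domain.com ldap-01
192.168.1.11 ldap-02.domain.com ldap-02
192.168.1.12 mx-01.domain.com mx-01
192.168.1.13 mx-02.domain.com mx-02
192.168.1.20 mta-01.domain.com mta-01
192.168.1.21 mta-02.domain.com mta-02
192.168.1.22 proxy-01.domain.com proxy-01
192.168.1.24 proxy-02.domain.com proxy-02
192.168.1.23 mail.domain.com mail
"

# Escape the dots of a hostname so it can be used literally in an ERE.
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Print the address recorded for a FQDN in the inventory; fail if unknown.
inventory_ip_for() { # usage: inventory_ip_for <fqdn>
  printf '%s\n' "$ZIMBRA_INVENTORY" |
    awk -v h="$1" '$2 == h { print $1; found = 1 } END { exit found ? 0 : 1 }'
}

# Count the lines of a hosts file that name the given FQDN (0 when absent).
hosts_lines_for() { # usage: hosts_lines_for <hosts-file> <fqdn>
  grep -c -E "[[:space:]]$(escape_re "$2")([[:space:]]|$)" "$1" || true
}

# Rewrite a hosts file so every inventory entry appears exactly once with its
# current address; lines that do not mention an inventory host are kept.
sync_hosts_file() { # usage: sync_hosts_file <hosts-file>
  hosts_file=$1
  printf '%s\n' "$ZIMBRA_INVENTORY" | while read -r ip fqdn short; do
    [ -z "$ip" ] && continue
    tmp="${hosts_file}.tmp"
    # drop any stale line for this FQDN (wrong address or duplicate), then
    # append the entry from the inventory
    grep -v -E "[[:space:]]$(escape_re "$fqdn")([[:space:]]|$)" "$hosts_file" > "$tmp" || true
    printf '%s\t%s %s\n' "$ip" "$fqdn" "$short" >> "$tmp"
    mv "$tmp" "$hosts_file"
  done
}

# Run as root on each node:  sh sync-hosts.sh --apply
case "${1:-}" in
  --apply) sync_hosts_file /etc/hosts ;;
esac
```

Running the script twice produces the same file, and a host that was entered earlier with a wrong address is corrected rather than duplicated, which is the failure the plain echo approach cannot handle.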

Step 4: Download latest Zimbra release locally on all servers

Download the compressed Zimbra package to each server and extract it so it is ready for the installation process. For this installation, I'm using Zimbra 8.8.

# wget https://files.zimbra.com/downloads/8.8.8_GA/zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz
# tar -xvf zcs-8.8.8_GA_2009.RHEL7_64.20180322150747.tgz

I like retaining the full name of the file and directory since it helps later when doing an upgrade. If downloading the same version of Zimbra, you should have a directory named zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/.

Step 4: Install Zimbra LDAP Server 1 (ldap-01.domain.com)

We'll start with the first Zimbra installation on the LDAP server. Multi-master replication for the second LDAP server is configured afterwards.

# cd zcs-8.8.8_GA_2009.RHEL7_64.20180322150747/

Start the installation process:

# ./install.sh

Fill information like below:

Do you agree with the terms of the software license agreement? [N] y       
Use Zimbra's package repository [Y] y

Select the packages to install
Install zimbra-ldap [Y] y       

Install zimbra-logger [Y] n

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] n

Install zimbra-apache [Y] n

Install zimbra-spell [Y] n

Install zimbra-memcached [Y] n

Install zimbra-proxy [Y] n

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-ldap
    zimbra-snmp

The system will be modified.  Continue? [N] Y

The download of packages should now start. My configs are as below:

Common configuration

   1) Hostname:                                ldap-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) Store ephemeral attributes outside Ldap: no                            
   6) Secure interprocess communications:      yes                           
   7) TimeZone:                                UTC                           
   8) IP Mode:                                 ipv4                          
   9) Default SSL digest:                      sha256 

Ldap configuration

   1) Status:                                  Enabled                       
   2) Create Domain:                           yes                           
   3) Domain to create:                        mail.domain.com
   4) Ldap root password:                      set                           
   5) Ldap replication password:               set                           
   6) Ldap postfix password:                   set                           
   7) Ldap amavis password:                    set                           
   8) Ldap nginx password:                     set                           
   9) Ldap Bes Searcher password:              set 

Double-check the settings for Ldap master host, hostname, and domain to create. Once you're satisfied with the settings, press a to apply the configuration and start the installation process.

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes] 
Save config in file: [/opt/zimbra/config.31786] 
Saving config in /opt/zimbra/config.31786...done.
The system will be modified - continue? [No] Yes

Once the installation is complete, retrieve the LDAP password values that you'll need for all the following steps:

ldap_amavis_password = 4Y9WzugHAz
ldap_bes_searcher_password = 4Y9WzugHAz
ldap_nginx_password = 4Y9WzugHAz
ldap_postfix_password = 4Y9WzugHAz
ldap_replication_password = 4Y9WzugHAz
ldap_root_password = 4Y9WzugHAz
zimbra_ldap_password = 4Y9WzugHAz

Step 5: Enable LDAP MMR on ldap-01 server

Since we’re setting both LDAP servers to act as masters, we need to enable this functionality on the first master server we just installed.

Enabling multi-master replication on an existing single-node master:

# su - zimbra
$ ./libexec/zmldapenable-mmr -s 1 -m ldap://ldap-02.domain.com:389/
$ ./libexec/zmldapenable-mmr -r 101 -m ldap://ldap-02.domain.com:389/
$ /opt/zimbra/libexec/zmldapmmrtool -q
Master Server ID: 1
Master replication agreement: 1
rid: 100 URI: ldap://ldap-02.domain.com:389/ TLS: critical
Master replication agreement: 2
rid: 101 URI: ldap://ldap-02.domain.com:389/ TLS: critical

On LDAP server 2, install Zimbra like the first one, but its configuration should look like below:

Common configuration

   1) Hostname:                                ldap-02.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) Store ephemeral attributes outside Ldap: no                            
   6) Secure interprocess communications:      yes                           
   7) TimeZone:                                UTC                           
   8) IP Mode:                                 ipv4                          
   9) Default SSL digest:                      sha256 


Ldap configuration

   1) Status:                                  Enabled                       
   2) Create Domain:                           yes                           
   3) Domain to create:                        mail.domain.com
   4) Ldap replication type:                   mmr                           
   5) Ldap Server ID:                          2                             
   6) Ldap root password:                      set                           
   7) Ldap replication password:               set                           
   8) Ldap postfix password:                   set                           
   9) Ldap amavis password:                    set                           
  10) Ldap nginx password:                     set                           
  11) Ldap Bes Searcher password:              set  

The following should be configured:

  • Ldap Admin password
  • Ldap replication password
  • Ldap replication type: mmr
  • All other passwords

Refer to the end of the first LDAP server installation (step 4) for how to obtain all the required passwords.

Step 6: Install Zimbra Mailbox Server(s)

Now install the two mailbox servers by running the installer.

# ./install.sh

The packages to install are:

Do you agree with the terms of the software license agreement? [N] y       
Use Zimbra's package repository [Y] y

Select the packages to install
Install zimbra-ldap [Y] n      

Install zimbra-logger [Y] y

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] y

Install zimbra-apache [Y] y

Install zimbra-spell [Y] y

Install zimbra-memcached [Y] n

Install zimbra-proxy [Y] n

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Install zimbra-imapd (BETA - for evaluation only) [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-logger
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell
    zimbra-convertd
    zimbra-archiving
    zimbra-drive

The system will be modified.  Continue? [N] Y

Please note that the logger needs to be installed on only one server. For me, the logger is installed on mx-01. The configs look like below:

Common configuration

   1) Hostname:                                mx-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) LDAP Base DN:                            cn=zimbra                     
   6) Store ephemeral attributes outside Ldap: yes                           
   7) Value for zimbraEphemeralBackendURL:     ldap://default                
   8) Secure interprocess communications:      yes                           
   9) TimeZone:                                UTC                           
  10) IP Mode:                                 ipv4                          
  11) Default SSL digest:                      sha256 

Under Common configuration, set:

  • Hostname: mx-01.domain.com
  • Ldap master host: ldap-01.domain.com
  • Ldap Admin password:

Under zimbra-store make sure the following items are configured:

  • Admin Password:
  • SMTP host:
  • Configure for use with mail proxy: TRUE
  • Configure for use with web proxy: TRUE
  • Install UI (zimbra,zimbraAdmin webapps): yes
  • Install mailstore (service webapp): yes

You can modify any other settings you see necessary and start the installation process. For the other mailbox server, repeat the same steps but don't install the logger, since it will run on mx-01.

Step 7: Install Zimbra MTA Server(s)

The next phase is the installation of MTA servers. Your package selection should be as below:

Select the packages to install

Install zimbra-ldap [Y] n
Install zimbra-logger [Y] n
Install zimbra-mta [Y] y
Install zimbra-dnscache [Y] y
Install zimbra-snmp [Y] y
Install zimbra-store [Y] n
Install zimbra-apache [Y] n
Install zimbra-spell [Y] n
Install zimbra-memcached [Y] n
Install zimbra-proxy [Y] n
Install zimbra-chat [N] n
Install zimbra-drive [N] n

Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-mta
    zimbra-snmp
    zimbra-dnscache

The system will be modified.  Continue? [N] y

On the configurations window, make sure to set the following:

Under 1) Common Configuration, set:

  • Hostname:
  • Ldap master host:
  • Ldap Admin password:

   1) Hostname:                                mta-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) LDAP Base DN:                            cn=zimbra                     
   6) Store ephemeral attributes outside Ldap: yes                           
   7) Value for zimbraEphemeralBackendURL:     ldap://default                
   8) Secure interprocess communications:      yes                           
   9) TimeZone:                                UTC                           
  10) IP Mode:                                 ipv4                          
  11) Default SSL digest:                      sha256  

Under 2) zimbra-mta set

  • Bind password for postfix ldap user:
  • Bind password for amavis ldap user:

See the end of the first LDAP server installation (step 4) for how to obtain them.

Mta configuration

   1) Status:                                  Enabled                       
   2) Enable Spamassassin:                     yes                           
   3) Enable Clam AV:                          yes                           
   4) Enable OpenDKIM:                         yes                           
   5) Notification address for AV alerts:      [email protected]
   6) Bind password for postfix ldap user:     set                           
   7) Bind password for amavis ldap user:      set 

Under zimbra-dnscache, configure master DNS ip addresses separated by space:

DNS Cache configuration

   1) Status:                                  Enabled                       
   2) Master DNS IP address(es):               8.8.4.4 1.1.1.1  8.8.8.8 
   3) Enable DNS lookups over TCP:             yes                           
   4) Enable DNS lookups over UDP:             yes                           
   5) Only allow TCP to communicate with Master DNS: no 

Once done, save the settings and press a to begin the Zimbra MTA setup.

Step 7: Install Zimbra Proxy Server(s)

For installation of Zimbra Proxy server(s), you need to select the following packages during installation:

Select the packages to install

Install zimbra-ldap [Y] n

Install zimbra-logger [Y] n

Install zimbra-mta [Y] n

Install zimbra-dnscache [N] n

Install zimbra-snmp [Y] y

Install zimbra-store [Y] n

Install zimbra-apache [Y] n

Install zimbra-spell [Y] n

Install zimbra-memcached [Y] y

Install zimbra-proxy [Y] y

Install zimbra-chat [N] n

Install zimbra-drive [N] n
Checking required space for zimbra-core

Installing:
    zimbra-core
    zimbra-snmp
    zimbra-memcached
    zimbra-proxy

The system will be modified.  Continue? [N] y

Fill in all required information:

Common configuration

   1) Hostname:                                proxy-01.domain.com
   2) Ldap master host:                        ldap-01.domain.com
   3) Ldap port:                               389                           
   4) Ldap Admin password:                     set                           
   5) LDAP Base DN:                            cn=zimbra                     
   6) Store ephemeral attributes outside Ldap: yes                           
   7) Value for zimbraEphemeralBackendURL:     ldap://default                
   8) Secure interprocess communications:      yes                           
   9) TimeZone:                                UTC                           
  10) IP Mode:                                 ipv4                          
  11) Default SSL digest:                      sha256  

Proxy configuration

   1) Status:                                  Enabled                       
   2) Enable POP/IMAP Proxy:                   TRUE                          
   3) Enable strict server name enforcement?   TRUE                          
   4) IMAP server port:                        7143                          
   5) IMAP server SSL port:                    7993                          
   6) IMAP proxy port:                         143                           
   7) IMAP SSL proxy port:                     993                           
   8) POP server port:                         7110                          
   9) POP server SSL port:                     7995                          
  10) POP proxy port:                          110                           
  11) POP SSL proxy port:                      995                           
  12) Bind password for nginx ldap user:       set                           
  13) Enable HTTP[S] Proxy:                    TRUE                          
  14) Web server HTTP port:                    8080                          
  15) Web server HTTPS port:                   8443                          
  16) HTTP proxy port:                         80                            
  17) HTTPS proxy port:                        443                           
  18) Proxy server mode:                       redirect 

For Proxy Server mode you can choose http, https, both, redirect or mixed depending on your requirements. In my case, I’m using a redirect.

Once all Zimbra proxy servers are installed, enable the proxy console on port 9071 by running the following command on the proxy servers as the zimbra user:

# su - zimbra
$ /opt/zimbra/libexec/zmproxyconfig -e -w -C -H `zmhostname`

  • This will enable the admin console proxy on port 9071 on the proxy server.
  • Make sure the mailbox server's admin console is configured on port 7071 (the default).

You need to restart the proxy service after making the changes:

$ zmproxyctl restart

The service should bind to port 9071; you can confirm this with the ss command:

$ ss -tunelp | grep 9071

To access the admin console over a proxy, the URL should be https://proxy-0x.domain.com:9071/ (with the proxy's hostname in place of proxy-0x).

Step 8: Configure Zimbra Logger Service

As mentioned earlier, our logger service will run on mailbox server 1 (mx-01.domain.com). For this, we first need to install and configure the rsyslog service on this server.

Uncomment the following lines in /etc/rsyslog.conf:

$ModLoad imudp
$UDPServerRun 514

Also, add this line after $UDPServerRun 514:

SYSLOGD_options="-r -m 0"

Then set up Zimbra syslog and restart the rsyslog service:

# /opt/zimbra/libexec/zmfixperms -e -v
# /opt/zimbra/libexec/zmsyslogsetup

updateSyslog: Updating /etc/rsyslog.conf...done.
# systemctl restart rsyslog.service
# su - zimbra
$ /opt/zimbra/libexec/zmloggerinit

Stopping logswatch...done.
Starting logswatch...done.
$ /opt/zimbra/bin/zmupdateauthkeys

Verify the LogHostname using the commands below (it should be set to the name of the logger monitor host on all servers):

# su - zimbra
$ zmprov gacf | grep zimbraLogHostname
zimbraLogHostname: mx-01.domain.com

If it is different, change it to the logger monitor host using the command below:

$ zmprov mcf zimbraLogHostname <Logger monitor Hostname>

Configure each Zimbra server to log to the newly set logger server:

# /opt/zimbra/libexec/zmfixperms -e -v
# su - zimbra
$ /opt/zimbra/bin/zmupdateauthkeys ; exit
# /opt/zimbra/libexec/zmsyslogsetup
# systemctl restart rsyslog
# su - zimbra -c "zmcontrol restart"

Step 9: Configure Zimbra Proxy HA with Keepalived

Since we have two Zimbra proxy servers, we need to ensure HA for the proxy service. My setup for the proxy is:

  • 2 Proxy servers – proxy-01.domain.com & proxy-02.domain.com
  • Both will be served using mail.domain.com

The target solution diagram is not reproduced here. In a nutshell, this is how it works:

  1. The proxy master holds the VIP.
  2. The proxy master becomes unavailable.
  3. The VIP is passed to the backup server, which takes over the service.

I will configure proxy-01 as the master and proxy-02 as the backup server.

Install Keepalived on both servers.

# yum -y install keepalived

Configure Keepalived on the master server (proxy-01):

# cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
  script "killall -0 nginx" # check the zimbra nginx process
  interval 2 # every 2 seconds
  weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
  interface eth0 # interface to monitor
  state MASTER # MASTER on proxy-01, BACKUP on proxy-02
  virtual_router_id 51
  priority 101 # 101 on proxy-01, 100 on proxy-02
  virtual_ipaddress {
    192.168.1.23/24
  }
  track_script {
    chk_zimbra_nginx
  }
}

Configure Keepalived on the backup server (proxy-02):

# cat /etc/keepalived/keepalived.conf
vrrp_script chk_zimbra_nginx {
  script "killall -0 nginx" # check the zimbra nginx process
  interval 2 # every 2 seconds
  weight 2 # add 2 points if OK
}

vrrp_instance VI_1 {
  interface eth0 # interface to monitor
  state BACKUP # MASTER on proxy-01, BACKUP on proxy-02
  virtual_router_id 51
  priority 100 # 101 on proxy-01, 100 on proxy-02
  virtual_ipaddress {
    192.168.1.23/24
  }
  track_script {
    chk_zimbra_nginx
  }
}
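The `killall -0 nginx` check above only proves that a process named nginx exists; a hung or half-started nginx that no longer accepts connections still keeps the VIP on the master. The script below is an added example, not part of the original guide or of Zimbra: it fails the keepalived check when nginx is gone or when any of the proxied ports from the proxy configuration above (443, 993, 995) or the admin console port (9071) has no listener. The choice of ports to verify, and the `--check` argument used to trigger the live check, are my assumptions; the socket-parsing logic takes the `ss -ltn` listing as an argument so it can be exercised against constructed output.

```shell
#!/bin/sh
# Added example (not from the original guide): a stricter keepalived
# vrrp_script for the Zimbra proxy. Ports verified are an assumption.
PROXY_PORTS="443 993 995 9071"

# Return 0 when an `ss -ltn` listing contains a TCP listener on the given port
# on any local address ("*:443", "0.0.0.0:443", "[::]:443", "127.0.0.1:9071").
# The listing is passed as an argument so the logic is testable offline.
listening_in() { # usage: listening_in "<ss -ltn output>" <port>
  printf '%s\n' "$1" | awk -v port="$2" '
    { n = split($4, a, ":"); if (a[n] == port) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print every port from the list that has no listener in the listing.
missing_ports() { # usage: missing_ports "<ss -ltn output>" "<ports>"
  for p in $2; do
    listening_in "$1" "$p" || printf '%s ' "$p"
  done
}

# Live check: process present AND all expected ports listening.
check_zimbra_proxy() {
  killall -0 nginx 2>/dev/null || { echo "nginx not running" >&2; return 1; }
  listing=$(ss -ltn)
  missing=$(missing_ports "$listing" "$PROXY_PORTS")
  [ -z "$missing" ] || { echo "nginx not listening on: $missing" >&2; return 1; }
}

# keepalived calls the script with --check; without it nothing runs, so the
# functions can be sourced or tested.
case "${1:-}" in
  --check) check_zimbra_proxy ;;
esac
```

Install it as, for example, /usr/local/bin/chk_zimbra_proxy (an assumed path) and point the vrrp_script at it with `script "/usr/local/bin/chk_zimbra_proxy --check"` in place of `killall -0 nginx`, keeping the same `interval` and `weight` settings; with `weight 2`, a failing check on the master drops its effective priority below the backup's and the VIP moves.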

Enable IP forwarding and configure firewalld:

Keepalived requires IP forwarding configured and some firewall rules added for VRRP packets to come through.

Enable IP forwarding:

# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1

Add firewall rules to allow VRRP communication using the multicast IP address 224.0.0.18 and the VRRP protocol (112) on each network interface that Keepalived will control, for example:

# firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 \
--in-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
# firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 \
--out-interface eth0 --destination 224.0.0.18 --protocol vrrp -j ACCEPT
# firewall-cmd --reload

Enable and start the keepalived service on each server:

# systemctl enable keepalived
# systemctl start keepalived

If you change the Keepalived configuration, reload the keepalived service:

# systemctl reload keepalived

You can test keepalived by killing the nginx process on the master server and checking whether the Virtual IP moves to the backup server:

# killall nginx
# ip addr show   # run on the backup server to confirm the VIP is now configured there

Step 10: Reset admin password and Access Web UI

Reset admin password:

# su - zimbra
$ zmprov sp [email protected] strongpassword

Access the Web UI directly through the proxy servers or through the hostname that points to them. The admin dashboard is accessible on port 9071.

You can configure firewall rules for proxy servers using:

firewall-cmd --add-service={http,https,smtp,smtps,imap,imaps,pop3,pop3s} --permanent
firewall-cmd --add-port=11211/tcp --permanent
firewall-cmd --add-port=9071/tcp --permanent
firewall-cmd --reload

To restrict access to the admin interface to a specific source IP address, use a firewalld rich rule instead:

firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=source-ip-address/32 \
destination address=dest-ip-address/32 port port=9071 protocol=tcp accept"

Remember to replace source-ip-address with the allowed source IP address and dest-ip-address with the proxy server's own IP address.
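One caveat a practitioner should check before relying on the rich rule: a firewalld rich rule with `accept` only adds an allow, so if `--add-port=9071/tcp` from the previous command is still in the zone, 9071 stays open to every source and the rich rule restricts nothing. The script below is an added example, not part of the original guide: it emits the firewall-cmd commands that open the public mail and web services, remove the zone-wide 9071 port, and add one rich rule per trusted administrator address, refusing to emit anything for a malformed address. The proxy and administrator addresses in the usage are constructed placeholders, and it deliberately leaves 11211/tcp (memcached) closed to the world; which hosts need it is an assumption for your environment, not something this guide states.

```shell
#!/bin/sh
# Added example (not from the original guide): generate firewalld commands
# for a Zimbra proxy with the admin console limited to trusted sources.
# Addresses used in the usage line are constructed placeholders.

# Accept only a dotted quad with every octet in 0..255, so a typo in an
# address list cannot turn into a rule with an unintended meaning.
is_ipv4() { # usage: is_ipv4 <address>
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print the firewall-cmd commands; nothing is executed here. The caller can
# review the output and then pipe it to sh as root.
admin_console_rules() { # usage: admin_console_rules <proxy-ip> <trusted-ip>...
  proxy_ip=$1; shift
  is_ipv4 "$proxy_ip" || { echo "bad proxy address: $proxy_ip" >&2; return 1; }
  # public services, one --add-service each so the output is plain POSIX sh
  for svc in http https smtp smtps imap imaps pop3 pop3s; do
    echo "firewall-cmd --permanent --add-service=$svc"
  done
  # 9071 must not be open zone-wide, otherwise the source filter below is moot
  # (firewall-cmd only warns if the port was never added)
  echo "firewall-cmd --permanent --remove-port=9071/tcp"
  for src in "$@"; do
    is_ipv4 "$src" || { echo "bad source address: $src" >&2; return 1; }
    echo "firewall-cmd --permanent --add-rich-rule=\"rule family=ipv4 source address=$src/32 destination address=$proxy_ip/32 port port=9071 protocol=tcp accept\""
  done
  echo "firewall-cmd --reload"
}

# Usage (placeholders):  sh proxy-fw.sh 192.168.1.22 10.0.0.5 10.0.0.6 | sh
if [ "$#" -gt 1 ]; then
  admin_console_rules "$@"
fi
```

Run it once per proxy with that proxy's own address first, then the administrator workstations or jump hosts that should reach the console; every other source is rejected by the zone's default policy.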

You should now be ready to roll: reset the admin password and log in to the admin dashboard to start making changes and doing further configuration of your Zimbra installation. Also, read our previous guide on Zimbra firewall configuration with ufw for Ubuntu and firewalld for CentOS.