Zimbra Collaboration System Administration - March 2014


Zimbra Collaboration

System Administration

May 28, 2014 1


• Day 1:
• General Information
• Zimbra Architecture Overview & Licensing
• Installing ZC & Troubleshooting Install
• Zimbra Administration Console Demo & Overview
• CLI Commands
• Security Topics
• ZC System Care
• Troubleshooting
• Questions & Additional Information/Support



• Day 2:
• Review & Questions
• Backup/Restore
• Performance Tuning & Monitoring with zmstats
• Migration Options & Planning
• Upgrading ZC
• Upgrade Troubleshooting
• Personalizing ZC Deployment
• Archiving and Discovery (optional module)



• Day 3:
• ZC Architectural Components
• Architecture and Storage Considerations
• Multi-Server Installation and Upgrading
• Reconfigure ZC (hands-on) into a multi-node architecture
• Delegated Administration
• Directory and GAL Integration



ZC Architecture

Sections 2 & 3 in your Student Guide



ZC Architecture Advantages
• Open source integrations
• Industry-standard open protocols
• Modern technology design
• Horizontal scalability
• High availability (HA) support
• Web client
• Admin console



Supported Operating Systems
• Zimbra Collaboration Network Edition v8.x is
supported on the following Operating Systems:
• Red Hat Enterprise Linux AS/ES 6, 64 bit
• CentOS 6, 64 bit
• SUSE Linux Enterprise Server 11, 64 bit (SP3 for ZC 8.0.5+)
• Ubuntu 10.04 LTS, 64 bit (deprecated, no support beyond ZC 8.x)
• Ubuntu 12.04 LTS, 64 bit

• Platforms not Supported in ZC 8 (EOL in ZC 7)


• Red Hat Enterprise Linux 5, 32 & 64 bit
• Red Hat Enterprise Linux 4, 32 & 64 bit
• SUSE Linux Enterprise Server 10, 32 bit
• Ubuntu 8.04 LTS, 32 & 64 bit



ZC Architecture



Flexible Deployment Models

Traditional (on-premises or hosted):
• Administer ZC and the OS stack manually
• Rely on ZC for Hierarchical Storage, OS for clustering
• Run ZC on Linux servers
• Maximum configuration potential

Virtualized (on-premises or hosted):
• Administer ZC and the OS within the VMware framework
• Rely on vSphere for High Availability, Backup and Data Recovery
• Run ZC on any server


Zimbra Client Architecture
(Architecture diagram; only the recoverable labels are listed)

Mobile Clients: Microsoft Windows; Apple; other (BlackBerry, Android)
Desktop Clients: Zimbra Desktop; Outlook (Zimbra Outlook Connector); IMAP, POP; CardDAV & CalDAV
Browser Clients: Zimbra HTML (Standard) Client; Zimbra AJAX Client; Zimlet AJAX Framework

Platform API Interfaces: SOAP, POP, RSS, REST, LMTP, CalDAV, IMAP, Atom, ActiveSync, CardDAV, BES

Server side (Zimbra Collaboration): Zimbra Mobile; Zimlet WS Proxy; Zimlet Proxy; Zimbra Connector for BES; Nginx Proxy; Postfix MTA (including Anti-Spam and Anti-Virus); Zimlet JSP Tags; Jetty + JVM + OS


Mailbox Server (MBS) Architecture
(Architecture diagram; only the recoverable labels are listed)

Zimbra Collaboration (Jetty + JVM) on top of:
• Message and File Store – Storage System
• Reliability – Zimbra Journaling
• Search Index – Lucene Index
• Database / Meta Data – MySQL (via JDBC)
• Directory – OpenLDAP, External LDAP, Active Directory
• Attachment View Providers – Autonomy Keyview
• Free/Busy – IBM Domino, Microsoft Exchange


Licensing
• Necessary to create accounts

• Controls ZC “Network Edition” Features


• Client Connectors
• ZC Backup & Restore
• HSM
• Attachment Indexing & Rendering
• Zimbra Mobile Accounts Limit
• MAPI Accounts Limit
• Zimbra Archiving and Discovery Accounts Limit (optional)
• Delegated Administrator



Examining License Status
• Home > Configure > Global Settings > License Page



Installation

Section 4 in your Student Guide



Installation Considerations
• Other Servers

• Third-party and Open-source Software

• Ports



Zimbra Port Mapping

Port   Server
25     Postfix
80     HTTP
110    POP3
143    IMAP
389    LDAP
443    HTTPS
587    SMTP Message Submission (RFC 6409)
993    IMAP SSL
995    POP3 SSL
7025   LMTP
7047   Conversion Server (httpd)
7071   ZC Admin services connector (SSL)
7072   ZC Nginx Lookup (backend http service for nginx lookup/authentication)
7110   Backend POP3 (if proxy configured)
7143   Backend IMAP (if proxy configured)
7306   MySQL
7993   Backend IMAP SSL (if proxy configured)
7995   Backend POP3 SSL (if proxy configured)
9071   Admin Console SSL Proxy (if configured)
10024  amavisd-new
10025  Postfix answering amavisd-new
11211  memcached – nginx route lookups

Other (miscellaneous): 514 – syslogd (logger), 636 – LDAPS, 7780 – spellcheck (httpd)
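The port map above is most useful as a baseline for what should and should not be reachable from outside the host: the mail and web protocols are meant for clients, while the 7xxx backend ports, MySQL, LDAP, memcached and amavisd are only meant for the server itself or for other Zimbra nodes. The script below is an added example, not part of the course material and not a Zimbra utility. It encodes the slide's map and checks `ss -ltn` output against it, flagging backend ports that listen on anything other than a loopback address and listeners the map does not account for. The split into CLIENT_FACING and BACKEND_ONLY is this example's own assumption about a single-server deployment behind a firewall (the slide does not classify the ports), and the `ss` output is constructed sample data.

```python
import ipaddress
import re

# Port map from the slide. Splitting it into client-facing and backend/internal
# ports is this example's own assumption about a single-server deployment that
# only exposes mail/web protocols; the slide itself makes no such distinction.
CLIENT_FACING = {
    25: "Postfix (SMTP)", 80: "HTTP", 110: "POP3", 143: "IMAP", 443: "HTTPS",
    587: "SMTP Message Submission (RFC 6409)", 993: "IMAP SSL", 995: "POP3 SSL",
}
BACKEND_ONLY = {
    389: "LDAP", 514: "syslogd (logger)", 636: "LDAPS", 7025: "LMTP",
    7047: "Conversion Server (httpd)", 7071: "ZC Admin services connector (SSL)",
    7072: "ZC Nginx Lookup", 7110: "Backend POP3", 7143: "Backend IMAP",
    7306: "MySQL", 7780: "spellcheck (httpd)", 7993: "Backend IMAP SSL",
    7995: "Backend POP3 SSL", 9071: "Admin Console SSL Proxy",
    10024: "amavisd-new", 10025: "Postfix answering amavisd-new",
    11211: "memcached (nginx route lookups)",
}

# One LISTEN row of `ss -ltn`; the address may be IPv4, bracketed IPv6 or '*'.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not."""
    addr = addr.strip("[]")
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:      # '*' or anything else ss prints that is not an IP
        return False


def audit_listeners(ss_output):
    """Check `ss -ltn` text against the port map.

    Returns {'exposed': [(port, addr, service)], 'unknown': [(port, addr)]}:
    exposed = backend-only port bound to a non-loopback address,
    unknown = a listener the port map does not account for.
    """
    exposed, unknown = [], []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if port in BACKEND_ONLY:
            if not is_loopback(addr):
                exposed.append((port, addr, BACKEND_ONLY[port]))
        elif port not in CLIENT_FACING:
            unknown.append((port, addr))
    return {"exposed": sorted(exposed), "unknown": sorted(unknown)}


# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    127.0.0.1:7306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:7071        0.0.0.0:*
LISTEN 0      128    [::]:11211          [::]:*
LISTEN 0      128    10.0.0.5:389        0.0.0.0:*
LISTEN 0      128    [::1]:7025          [::]:*
LISTEN 0      128    *:22                *:*
"""

if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS)
    for port, addr, service in report["exposed"]:
        print(f"EXPOSED  {port:>5} on {addr:<12} {service}")
    for port, addr in report["unknown"]:
        print(f"UNKNOWN  {port:>5} on {addr}")
```

On a real host, feed it the live output (`ss -ltn | python3 audit_ports.py` with `sys.stdin.read()` in place of SAMPLE_SS). A multi-server deployment legitimately needs LDAP, LMTP and the backend proxy ports reachable from the other Zimbra nodes, so there the check belongs on the perimeter firewall rather than on the bind address.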



Installation Process Overview
• Verification of prerequisite packages

• Menu-driven configuration

• Configuring IMAP/POP

• Configuring virtual hosting

• Load balancing

• Configuring DNS



Training Lab Environment
• Discover your particular domain for the training session
(such as zimbra1.lab, zimbra2.lab, etc.)
• Select the single-server environment option, and
enter the domain you were assigned
• Please re-use that same domain throughout the
training session



Single-Server Installation –
General Steps
• Log in as root (sudo su -)
• Disable unnecessary applications
• Accept software agreement
• Auto-check for prerequisite software
• Select services to be installed
• Accept or change default entries as needed
• Save the files in the appropriate directories
• Modify the server
• End the installation process



Begin Installation Exercise

Section 4 in your Student Guide



Troubleshooting Install
• Port conflicts
• FQDN not used
• Firewall stopped
• LDAP cannot start or you cannot connect to LDAP
during installation
• DNS setup
• Cannot resolve hostname
• Compat-* libraries not found
• Remove other MTAs, mail apps, or web servers
• SE Linux disabled



Administration Console
Managing Zimbra Configuration

Section 5 in your Student Guide



Overview: Simple, Powerful
Administration
• Proven open technologies, web-scalable architecture reduce TCO
• Bulk user provisioning and policy management
• Delegated, role-based administration
• Class-of-service and multi-tenancy
• HSM and storage management
• Real-time backup and restore
• Integrated anti-spam/virus
• LDAP, Active Directory integration
• Integrated Archiving and Discovery

On average, 33% less time is spent administering Zimbra than MS Exchange*
* Source: University of Pennsylvania case study Nov 09



Key Administrator Features
• Class of Service (COS)
• Controls to create different feature packages for different users
• Advertising and Zimlets can be controlled at the COS or user level
• Granular Delegated Administration
• Accounts, Aliases
• Distribution lists, Resources
• Administrative APIs and Utilities
• Administration API provided for provisioning, billing, integration, and SSO
• Command line utilities and Ajax Admin Console



Key Administrator Features, cont.
• Scaling and System Optimization
• Flexible architecture – easy to break out MTAs, directory, mail servers and the storage
• Single-copy storage of messages and attachments
• Out-of-the-box tools for moving mailboxes
• Disaster Recovery and Back Up
• Per mailbox and online mailbox back up and restore tools
• Multi-Tenancy
• Domains are directory entries, enabling you to spread all of your users across shared servers and storage



Definitions
• Class of Service (COS): a set of common preferences and
available features that are applied to all accounts within
that COS
• Domain: an email domain – every account always has one
primary domain specified
• Account: an email account
• Global Settings: Default values and settings that apply
globally, such as Max. Message Size
• Server Settings: Settings specific to an individual server,
such as MTA relay



Adding and Modifying Domains
• One domain is identified during the installation
• Create additional domains
• Edit and delete domains
• Domain tabs include
• GAL
• Authentication
• Virtual Host
• Briefcase
• Free/Busy Interop
• Zimlets
• Themes
• Certificate
• Account limits
• ACL (Access Control List)



Creating New Accounts
• Account Wizard to create a few accounts
• Only an account name and a last name are required
• Default COS sets features
• Password can be set
• Can customize further

• Migration Tool to import users' mailboxes, calendars & contacts
• Run the migration tool to create a .xml file with data from the migrating accounts
• Run the ZC Migration Wizard for Exchange one-step migration option, which uses the .xml file data to create accounts and import account content

NOTE: Individual account settings override COS and Domain settings.



Types of User Accounts
• Global Administrators
• Full privileges to manage server, global settings, domains and
accounts
• One global administrator is created when ZC is installed
• Can create other administrators

• Delegated Administrators
• Custom administrator roles can be created

• Regular User
• COS sets the default attributes and features available



Types of Addresses
• Account

• Alias

• Distribution List

• Resource



Defining and Modifying COS
• COS used to group users with same features and service levels
• COS is configured with the following
• Features
• Themes
• Mailbox quotas
• Message lifetime policy
• Password policy
• Attachment blocking rules
• Server Pool rules
• Mobile Policies



Mobile Device Management (New in ZC 8!)
• Enabled by COS or Account
• Over 30 Policies Configured
• Warning: Remote Wipe Setting
• Approved/Blocked Apps
• Disable Mobile Device Functions
• Camera
• Browser
• POP or IMAP email


Dumpster/Trash
• Trash Folder
• All deleted items are moved to Trash folder
• Can be emptied, deleting items
• Dumpster (not enabled by default)
• Right-click ‘Recover Deleted Items’ on Trash folder
• Items deleted by emptying trash can be recovered
• Enabled in Class of Service settings
• Separate retention time from Trash folder



Landfill (New in ZC 8!)
• Second level of the Dumpster, not visible to end users
• Used for litigation holds
• zimbraDumpsterPurgeEnabled setting prevents Dumpster content from being purged
• Content that would otherwise be purged is shifted to the Landfill and never deleted, but becomes invisible to end users
• Admin can access Landfill content


Auto-Discover for ActiveSync
Overview and Configuration (New in ZC 8!)
• Users enter their email address and password – Auto Discover returns the required system settings to provision the mobile devices for their account.
• Configure a valid SSL certificate from a certification authority (CA)
• Unified Communications Certificate (UCC) type is recommended for auto discover to work.
• A DNS SRV record for autodiscover.<domain>.com, allowing client devices to locate and connect to the autodiscover service.


Auto-Discover for ActiveSync, cont.
• Configure ZC
• Use the Certificate Installation wizard (ZC Admin Console) to generate the cert signing request and then install the received signed cert.
• Configure the Subject Alternative Name (SAN) field with all possible valid domain names
• zmcertmgr can also be used for many operations
# /opt/zimbra/bin/zmcertmgr createcrt -new -days 365 -subjectAltNames "host1.domain.tld,host2.domain.tld"


Global Settings Configuration
• Global settings define default global values for servers,
accounts, COS, and domains

• Global settings include the following settings
• General – default domain, mail purge rules, etc.
• Attachments rules – including blocked extensions
• MTA – authentication, network, message size, etc.
• IMAP and POP3 proxy service
• Anti-spam and anti-virus checking
• Free/busy Interop
• Hierarchical storage management
• License information
• Backup and restore configuration



Administration Console Exercise

Section 5 in your Student Guide



CLI Utility

Section 6 in your Student Guide



Command Line Interface
Command Line Interface (CLI) can be used to create, modify and delete certain features and functions of Zimbra Collaboration. The admin console is the main tool for maintaining ZC, but some functions can only be changed from the CLI utility.
The CLI utility can be used for the following:
• Provisioning accounts
• Back up and restore
• Starting and stopping a service
• Moving mailboxes
• Cross mailbox searches
• Installing certificates
• Local configuration
• Rewriting configuration files (zmconfigd)


General CLI Utility Standards
• Linux user “zimbra”
Run CLI commands as the zimbra user:
# su - zimbra

• Syntax
CLI commands are case sensitive:
$ zmprov modifyAccount [email protected] zimbraAccountStatus locked

• Usage:
/opt/zimbra/bin/zmcontrol [-v -h -H <host>] command [args]
-v: display version
-h: print usage statement
-H: Host name (localhost)

Append “-h” to display the usage options for a command


Useful CLI Commands
• zmprov – modify LDAP configuration of accounts, domains, COSs, global settings
• zmmailbox – command-line access to mailboxes
• zmaccts (zmprov -l gaa) – lists all accounts and their status
• zmcontrol and zm*ctl (e.g. zmmailboxdctl) – used to start/stop/restart/view status of ZC services
• zmlocalconfig (-e, -s) – used to set or get local configuration for ZC
• zmmsgtrace – trace messages
• zmmboxmove (zmmboxmovequery) – move mailboxes between mailbox servers
• zmblobchk – clear MySQL of entries that have no blobs
• zmsoap – execute SOAP calls directly


zmprov Overview
• Single most used admin command-line tool
• Account (create, view, modify, suspend, delete)
• Server (view, modify)
• COS (create, view, modify)
• Domain (create, view, modify)
• Distribution list / security group
• Quota usage, mailbox ID


zmprov Overview, cont.
• Manage ZC objects, attributes, and their settings (including GlobalConfig)
• Uses a set of sub-commands
• Get configured object attribute values for global configuration:
zmprov getAllConfig(gacf) # long and (short) sub-command
• Create a new account / Change an attribute value:
a. username, domain and password values are required
b. attr1 and value1 … are optional
zmprov createAccount(ca) {user@domain} {password} [[Attr1 Value1] [Attr2 Value2] …]
$ zmprov modifyAccount [email protected] zimbraAccountStatus locked
• Usage
zmprov (w/ sub-command): SOAP access to LDAP server
zmprov -l (w/ sub-command): direct LDAP access to LDAP server
zmprov (w/o sub-command): interactive mode


zmprov Sub-Commands
• createAccount (ca)
• createCos (cc)
• createDistributionList (cdl)
• createDomain (cd)
• getAccount (ga)
• getAllAccount (gaa)
• getAllConfig (gacf)
• getConfig (gcf)
• getCos (gc)
• getDistributionList (gdl)
• getDomain (gd)
• getServer (gs)
• modifyConfig (mcf)
• modifyAccount (ma)
• modifyCos (mc)
• modifyDomain (md)
• modifyServer (ms)

Example:
$ zmprov getAccount [email protected]
# name [email protected]
cn: Last First
displayName: Last First
givenName: First
mail: [email protected]
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
sn: Last
uid: Last
userPassword: VALUE-BLOCKED
zimbraAccountStatus: active


Attribute Types
• Numeric (non alpha)
• zimbraMailPort: Zimbra Web Client port number
• zimbraMailQuota: mail quotas in bytes

• Enum (Keywords)
• zimbraAccountStatus: active, locked, maintenance, …
• zimbraMailMode: http, https, both

• ASCII String
• zimbraServiceEnabled
Enable a new service:
$ zmprov ms `zmhostname` +zimbraServiceEnabled mta
Disable a service:
$ zmprov ms `zmhostname` -zimbraServiceEnabled mta
• zimbraMailHost



Attribute Description
• Get attribute description and values:
$ zmprov desc -a zimbraAccountStatus
zimbraAccountStatus
account status
type : enum
value : active, maintenance, locked, closed, lockout, pending
callback: AccountStatus
immutable : false
cardinality : single
requiredIn : account
optionalIn :
flags: domainAdminModifiable
defaults :
min :
max :
id : 2
requiresRestart :
since :
deprecatedSince :



zmprov Syntax Examples
• Create a new account
$ zmprov createAccount [email protected] password

• Lock an account
$ zmprov modifyAccount [email protected] zimbraAccountStatus locked

• Add a user to a Distribution List (DL)
$ zmprov addDistributionListMember [email protected] [email protected]

• List all global config info (same as admin console global settings)
$ zmprov getAllConfig


zmprov More Syntax Examples
• List the attributes (including users) of a DL
$ zmprov getDistributionList [email protected]

• Restrict who can view addresses in distribution lists to individuals/domain
$ zmprov grr domain <domain_name> usr [email protected] viewDistList

• Grant rights to a user in a domain to send messages to all distribution lists
$ zmprov grr domain <domain_name> usr [email protected] sendToDistList

More zmprov examples are available in your training guide


Distribution List Restrictions
• Enabling the ZC Milter
The ZC milter allows for the regulation of distribution list
senders on a Global or server level. When the milter server is
enabled, only users who have been granted explicit sending
permissions will be allowed.

• Through Admin Console
• Global: Home > Configure > Global Settings > MTA > Milter Server
• Server: Home > Configure > Servers > Select Desired Server > Milter Server

• With Command Line
• zmmilterctl start|stop|restart|reload|refresh|status (as zimbra user)


Distribution List Restrictions, cont.
• Examples for granting sender permissions using the CLI
• To allow a specific internal user:
$ zmprov grr dl [email protected] usr [email protected] sendToDistList

• To allow all members in a group:
$ zmprov grr dl [email protected] grp [email protected] sendToDistList

• To allow all internal users:
$ zmprov grr dl [email protected] all sendToDistList

• To allow a specific external email address:
$ zmprov grr dl [email protected] gst [email protected] "" sendToDistList

• To confirm settings:
$ zmprov ckr dl [email protected] [email protected] sendToDistList


zmmailbox Overview
• zmmailbox tool is used for mailbox management
• Provision new mailboxes along with accounts
• Debug issues with a mailbox
• Help with migrations

• zmmailbox command can be invoked from within zmprov

• Syntax
zmmailbox [args] [cmd] [cmd-args ...]



zmmailbox Help
Command Function
zmmailbox help admin Help on admin-related commands
zmmailbox help commands Help on all commands
zmmailbox help contact Help on contact-related commands (address book)
zmmailbox help conversation Help on conversation-related commands
zmmailbox help folder Help on folder-related commands
zmmailbox help item Help on item-related commands
zmmailbox help message Help on message-related commands
zmmailbox help misc Help on miscellaneous commands
zmmailbox help search Help on search-related commands
zmmailbox help tag Help on tag-related commands
zmmailbox help account Help on account-related commands
zmmailbox help appointment Help on appointment-related commands
zmmailbox help filter Help on filter-related commands
zmmailbox help right Help on right commands



zmmailbox Examples
When you create an account, you can pre-create some tags and folders. Invoke
zmmailbox inside of zmprov by using “selectMailbox(sm)”
$ zmprov
prov> ca [email protected] test123
9a993516-aa49-4fa5-bc0d-f740a474f7a8
prov> sm [email protected]
mailbox: [email protected], size: 0 B, messages: 0, unread: 0
mbox [email protected]> createFolder /Archive
257
mbox [email protected]> createTag TODO
258
mbox [email protected]> createSearchFolder /unread "is:unread"
259
mbox [email protected]> exit
prov> exit

To find the mailbox size for an account:
$ zmmailbox -z -m [email protected] gms


CLI Exercise

Section 6 in your Student Guide



Security Topics

Section 7 in your Student Guide



Single Sign-On
• PreAuth – Authentication credentials passed from a
trusted external source, such as a single sign-on portal
• SPNEGO – Active Directory + Browser Integration
• Zimbra Authentication based on Active Directory login to the
domain.
a. If you enable SPNEGO SSO on a domain, you must inform/instruct
all users to configure their browsers properly.
b. If the browser is improperly configured, server will redirect the
request to the regular username/password login page.



Certificates – Server
• Self-Signed vs. Commercial
• Server or Domain based (mail.mycompany.com OR mail.companyA.com + mail.companyB.com)
• Additional IP needed for each domain based certificate
• Subject Alt Names (mail.mycompany.com, mb1.mycompany.com, mb2.mycompany.com) vs. Wild Card (*.mycompany.com)
• In the case of SSL offloading, certificates will be applied to an external device and Zimbra can keep self-signed certificates


Commercial Certificates, cont.
1. Generate certificate request (CSR) with filename commercial.csr
• Use Admin Console or zmcertmgr
a. In a Zimbra multi-server certificate deployment, zmcertmgr is the
better tool to use
b. The CSR and private key generated by Zimbra should always return
identical md5-hash values.

2. Copy and paste the CSR to Certificate Authority through the on-
line interfaces provided
3. Retrieve the files from the Certificate Authority
4. Install the certificate, intermediate, and root. For multiple servers:
a. Copy commercial.csr, commercial.crt, commercial_ca.crt to
other servers
b. Use zmcertmgr (as root) to verify and install



Commercial Certificates, cont.
• Inspect what you retrieved from the CA!
• What you import into Zimbra is the SSL certificate + the root and intermediate certificates combined
zmcertmgr deploycrt comm /path/actual_cert.crt /path/root_and_intermediate.crt
• Use cat or notepad to review the certificate chain
• Check that the actual certificate file has the same md5-hash value as the private key generated by Zimbra
# openssl rsa -in /opt/zimbra/ssl/zimbra/commercial/commercial.key -modulus -noout | openssl md5; openssl x509 -in /path/hostname.domain.ext.crt -modulus -noout | openssl md5

• If the md5-hashes are different, something went wrong


Commercial Certificates, cont.
4. Use zmcertmgr (as root) to verify and install
zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /path/actual_cert.crt /path/root_and_intermediate.crt
zmcertmgr deploycrt comm /path/actual_cert.crt /path/root_and_intermediate.crt

5. For multiple servers:
• Copy commercial.csr, commercial.crt, commercial_ca.crt to other servers
• Use zmcertmgr (as root) to verify and install
• Once Certificates are deployed – one way to check if you have the right Common Names and Subject Alternative Names – use http://www.sslshopper.com/ssl-checker.html


Certificates – User-based (New in ZC 8!)
• Used by S/MIME (Zimlet) for encrypting email content or user validation based on public key/private key pair
• Used for automated Browser Authentication

Workflow:
1. Create Client Certificate Authority (CA) Certificate (Self-Signed)
2. Use the CA Certificate to “sign” the Client Certificate
3. Import the CA Certificate into the jetty keystore and client certificate into browser
4. Configure ZC to “request Client Certificates”


S/MIME
• Zimlet that provides secure encoding of MIME content for email
messages
• Allows signing and encryption
• Public Keys, Private Keys
a. If I ENCRYPT my message with your PUBLIC key, ONLY YOU will be able
to read (decrypt) the message with your private key (Don’t encrypt with
your key).
b. If I SIGN the message with my private key, you can CONFIRM I sent the
message using my public key
• “Free Email” certificates added by user, must be in “der” format.
• Enabled by COS or Account
• Requires either Firefox, Safari, or IE and a recent, and safe, Java version in browser (go to www.java.com/verify, Version 7 update 45 for example)
Note: Verify that your browser will work with S/MIME before implementation.


ZC System Care

Section 8 in your Student Guide



Overview
• Zimbra Collaboration includes the following to help you
monitor the Zimbra servers, usage, and mail flow:
• Zimbra Logger package to capture and display server statistics
and server status and to create nightly reports
• Mailbox quota monitoring
• MTA mail queue monitoring
• Log files
• zmmsgtrace (tool for tracing messages through logs)
-r -s -F -D -t (recipient, sender, from, destination, time range)

• External monitoring HIGHLY recommended!!
• Also, selected error messages generate SNMP traps, which can be monitored using an SNMP tool.


Server Statistics
• Message traffic statistics

• Disk usage statistics

• Data used to plan and implement server configurations



Admin Console Server Stats
If the Zimbra-logger package is installed on a Zimbra mailbox
server, Server Statistics shows bar graphs of the message
count, message volume, anti-spam, and anti-virus activity.
The information is displayed for the last 48 hours; and 30, 60
and 365 days.
• Message Count
• Message Volume
• Anti-Spam/Virus Activity
• Disk Space
• Session
• Mailbox Quota



Logger Service & Daily Reports
• When the Logger package is installed, a daily mail report is
automatically scheduled in the crontab. The Zimbra daily mail
report includes the following information:
• Errors generated from the Zimbra MTA Postfix logs
• Total number of messages that moved through the Zimbra MTA
• Message size information (totals and average bytes per message)
• Average delay in seconds for message delivery
• Total number of bounced deliveries
• Most active sender accounts and number of messages
• Most active recipient accounts and number of messages

• The report runs daily at 11:30 p.m. and is sent to the administrator’s email address.


Monitoring Mail Queues



Enabling Server Statistics
1. On each server, as root, type
/opt/zimbra/libexec/zmsyslogsetup

This enables the server to log data and statistics to the appropriate
log files.
2. Additionally on your logger monitor host, based on your OS, perform
one of the following to enable syslog to listen for/accept log data from
remote machines:
Syslog:
a. Edit the /etc/sysconfig/syslog file, add -r to the SYSLOGD_OPTIONS setting
SYSLOGD_OPTIONS="-r -m 0"
b. Restart the syslog daemon:
/etc/init.d/syslogd restart


Enabling Server Statistics, cont.
Rsyslog (typically used in recent RHEL/CentOS versions), uncomment from /etc/rsyslog.conf:
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

Syslog-ng (typically used in recent SuSE versions), uncomment from /etc/syslog-ng/syslog-ng.conf:
#udp(ip("0.0.0.0") port(514));


Working with Log Files
• The ZC server uses log4j, a Java logging package, as
the log manager
• By default, the ZC server has log4j configured to log to the
local file system.
• You can configure log4j to direct output to another location.
Go to the Log4j website for information about using log4j.



Working with Log Files, cont.
• Logging Levels
• The logging level is set by default to include logs that are generated
for INFO, WARNING, ERROR, and FATAL. When problems start to
occur, you can turn on the DEBUG log level.
• To change the logging levels, edit the log4j properties,
logger.com.zimbra.
• When enabling DEBUG, you can specify a specific category to
debug. For example, to see debug details for POP activity, you
would type logger.com.zimbra.pop=DEBUG.
• Protocol trace is available in the following logging categories with
TRACE logging level: zimbra.smtp, zimbra.lmtp, zimbra.soap,
zimbra.imap, zimbra.imap-client, zimbra.pop, zimbra.pop-client.



Increasing per Server Logging
• To make global changes, edit this file:
$ vi /opt/zimbra/conf/log4j.properties
• Add a line at the end that is similar to:
log4j.logger.zimbra.imap=DEBUG
• No restart of any service is needed, BUT if something happens that causes a regeneration of the log4j.properties file then your changes will be overwritten. A regeneration of this file takes the contents of /opt/zimbra/conf/log4j.properties.in
• To permanently make a change, modify /opt/zimbra/conf/log4j.properties.in
• A restart of mailboxd is necessary
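Both the rsyslog directives in the server-statistics section (uncomment `$ModLoad imudp` and `$UDPServerRun 514`) and the log4j.logger line here are "make sure this exact line is active" edits to a configuration file, and because log4j.properties is regenerated from log4j.properties.in the edit has to be safe to apply more than once. The helper below is an added example rather than a Zimbra utility. It applies such an edit idempotently: an already-active line is left alone, a commented-out copy is uncommented, an existing key with a different value is replaced, and only otherwise is the line appended. The function names are this example's own and the file contents are constructed (the rsyslog block is the one quoted on the slide; the log4j lines are illustrative, not Zimbra's shipped template).

```python
import re


def ensure_line(text, wanted, comment_char="#", key_pattern=None):
    """Return (new_text, action) with exactly one active copy of `wanted`.

    Resolution order, chosen so that running it again is a no-op:
      1. an active line equal to `wanted` exists                 -> "unchanged"
      2. a commented-out copy exists (e.g. '#$ModLoad imudp')    -> "uncommented"
      3. key_pattern matches an existing line (same key, other value) -> "replaced"
      4. otherwise                                               -> "appended"
    """
    lines = text.splitlines()
    stripped = [line.strip() for line in lines]
    if wanted in stripped:
        return text, "unchanged"
    for i, s in enumerate(stripped):
        if s.startswith(comment_char) and s.lstrip(comment_char).strip() == wanted:
            lines[i] = wanted
            return "\n".join(lines) + "\n", "uncommented"
    if key_pattern:
        rx = re.compile(key_pattern)
        for i, s in enumerate(stripped):
            if rx.match(s):
                lines[i] = wanted
                return "\n".join(lines) + "\n", "replaced"
    lines.append(wanted)
    return "\n".join(lines) + "\n", "appended"


# The two rsyslog directives the slide says to uncomment (UDP reception only;
# the TCP pair on the slide is deliberately left as it is).
RSYSLOG_UDP = ("$ModLoad imudp", "$UDPServerRun 514")


def enable_rsyslog_udp(conf):
    """Activate UDP syslog reception in rsyslog.conf text; returns (text, actions)."""
    actions = []
    for directive in RSYSLOG_UDP:
        conf, action = ensure_line(conf, directive)
        actions.append(action)
    return conf, actions


def set_log4j_level(props, category, level):
    """Set log4j.logger.<category>=<level> in log4j.properties(.in) text."""
    key = f"log4j.logger.{category}"
    return ensure_line(props, f"{key}={level}", key_pattern=rf"^{re.escape(key)}\s*=")


# Constructed sample file contents.
SAMPLE_RSYSLOG = """\
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
"""
SAMPLE_LOG4J_IN = """\
log4j.rootLogger=INFO,LOGFILE
log4j.logger.zimbra.imap=INFO
"""

if __name__ == "__main__":
    conf, actions = enable_rsyslog_udp(SAMPLE_RSYSLOG)
    print(actions)
    print(conf)
    props, action = set_log4j_level(SAMPLE_LOG4J_IN, "zimbra.imap", "DEBUG")
    print(action)
    print(props)
```

To use it on a real host, read /opt/zimbra/conf/log4j.properties.in (or /etc/rsyslog.conf) into `text`, write the returned text back only when the action is not "unchanged", and then restart mailboxd (or rsyslog) as the slide says. Opening UDP 514 on the logger host accepts log data from any sender that can reach it, so the firewall on that host should limit port 514 to the Zimbra servers.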



Log4J Variables (All Logging Categories)
Variable             Provides information on the following
zimbra.all           All log events (7.0 or later)
zimbra.index         Indexing-related events
zimbra.index.lucene  Logging of low-level lucene operations (debug-level only)
zimbra.searchstat    Statistics about what kinds of searches are run
zimbra.redolog       Redolog-related events
zimbra.lmtp          LMTP-related events**
zimbra.smtp          SMTP-related events**
zimbra.nio           NIO-related events
zimbra.imap          IMAP-related events**
zimbra.pop           POP-related events**
zimbra.mailbox       Mailbox-related events

** As of ZC 7.x: use TRACE-level logging for most debug information. TRACE provides protocol-level details as well as DEBUG.


Log4J Variables, cont.
Variable          Provides information on the following
zimbra.calendar   Calendar-related events
zimbra.im         Instant messaging-related events
zimbra.account    Account-related events
zimbra.gal        GAL-related events
zimbra.ldap       LDAP-related events
zimbra.security   Security-related events
zimbra.soap       Soap-related events**
zimbra.test       Testing-related events
zimbra.sqltrace   When set to DEBUG, logs SQL statements sent to the database
zimbra.dbconn     Tracing database connections


Log4J Variables, cont.
Variable                                      Provides information on the following
zimbra.perf                                   Performance statistics
zimbra.cache                                  Tracing object cache activity
zimbra.filter                                 Filter-related logs
zimbra.session                                Session- and notification-related logs
zimbra.backup                                 Backup- and restore-related logs
zimbra.system                                 Startup/Shutdown and other related logs
zimbra.sync, zimbra.synctrace, zimbra.syncstate  Sync client interface logs
zimbra.wcbxml                                 Wcbxml client interface logs
zimbra.extensions                             Extension-loading related info
zimbra.zimlet                                 Zimlet-related info


Log4J Variables, cont.
Variable           Provides information on the following
zimbra.wiki        Wiki and document sharing
zimbra.op          Server operations
zimbra.dav         WebDAV operations
zimbra.io          File IO operations
zimbra.datasource  External POP/IMAP datasource operations
zimbra.rmgmt       Remote management
zimbra.webclient   ZimbraWebClient servlet and JSP operations
zimbra.scheduler   Scheduled task operations
zimbra.store       Filesystem (mailstore) storage operations
zimbra.fb          Free/Busy operations
zimbra.purge       Mailbox purge operations
zimbra.mailop      Mailbox operations (e.g. add/delete, move)
zimbra.misc        Events that do not have a specific category

Summary of Log Files
• syslog
• Captures local mail and application activity
• Gathers data for all components for centralized logging

• /opt/zimbra/log/mailbox.log
• A mailboxd log4j server log containing logs from mailbox server

• /opt/zimbra/log/audit.log
• Contains authentication activity of users and administrators and
login failures



Summary of Log Files, cont.
• /var/log/zimbra.log
• Details activities of the Zimbra MTA, Logger, Authentication, and Directory
• Logs LDAP activity to Zimbra.log

• sync.log
• Contains information about ZC mobile sync operations

• zmmailboxd.out
• Contains mailbox startup information and thread dumps if
mailboxd is shut down
• Contains information about Denial of Service Filter events

May 28, 2014 80


Reviewing mailbox.log Records

A SOAP send request as logged by the mailbox server. Reading left to right:
date, time, log level, Jetty thread-pool number with the mailbox server and
SOAP request type it is processing; then the context block with originator,
mailbox id, originator IP and Zimbra client type (browser/version and ZC
version); then the operation (smtp) and the description with the FQDN of the
MTA, the Message-ID and the reply type:

2013-10-31 14:20:19,592 INFO [qtp1075680019-180857:https://10.137.28.179:443/service/soap/SendMsgRequest]
[[email protected];mid=2;ip=10.113.235.213;ua=ZimbraWebClient - FF24 (Win)/8.0.4_GA_5737;] smtp - Sending message to MTA at zcsmta2.kappa.local:
Message-ID=<[email protected]>, replyType=r

The matching LMTP delivery record: date, time, log level, thread/process,
IP, operation (lmtp) and description with message size, number of
recipients, originator and Message ID:

2013-10-31 14:20:20,386 INFO [LmtpServer-1] [ip=10.137.28.179;] lmtp - Delivering message: size=1734 bytes, nrcpts=1, [email protected],
msgid=<[email protected]>
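Added example, not from the course materials or from Zimbra: a small Python parser for records in the mailbox.log layout shown above, used to answer one question an administrator reviewing these records wants answered quickly, namely which client IPs are sending mail on behalf of several different accounts (a usual sign of stolen webmail credentials). The sample lines are constructed; the redacted originator on the slide is assumed to be the context key name=<account>, and the account names, IPs and Message-IDs are made up.

```python
import re
from collections import defaultdict

# Constructed mailbox.log records in the layout shown on the slide (date, time,
# level, [thread], [context], category - message). Account names, IPs and
# Message-IDs are made up; the context keys name=, mid=, ip= and ua= are assumed.
SAMPLE_LOG = """\
2013-10-31 14:20:19,592 INFO [qtp1075680019-180857:https://10.137.28.179:443/service/soap/SendMsgRequest] [name=alice@kappa.local;mid=2;ip=10.113.235.213;ua=ZimbraWebClient - FF24 (Win)/8.0.4_GA_5737;] smtp - Sending message to MTA at zcsmta2.kappa.local: Message-ID=<m1@kappa.local>, replyType=r
2013-10-31 14:20:20,386 INFO [LmtpServer-1] [ip=10.137.28.179;] lmtp - Delivering message: size=1734 bytes, nrcpts=1, alice@kappa.local, msgid=<m1@kappa.local>
2013-10-31 14:21:02,004 INFO [qtp1075680019-180901:https://10.137.28.179:443/service/soap/SendMsgRequest] [name=bob@kappa.local;mid=7;ip=203.0.113.9;ua=ZimbraWebClient - FF24 (Win)/8.0.4_GA_5737;] smtp - Sending message to MTA at zcsmta2.kappa.local: Message-ID=<m2@kappa.local>, replyType=
2013-10-31 14:21:05,117 INFO [qtp1075680019-180902:https://10.137.28.179:443/service/soap/SendMsgRequest] [name=carol@kappa.local;mid=9;ip=203.0.113.9;ua=ZimbraWebClient - FF24 (Win)/8.0.4_GA_5737;] smtp - Sending message to MTA at zcsmta2.kappa.local: Message-ID=<m3@kappa.local>, replyType=
2013-10-31 14:21:09,440 INFO [qtp1075680019-180903:https://10.137.28.179:443/service/soap/SendMsgRequest] [name=dave@kappa.local;mid=11;ip=203.0.113.9;ua=ZimbraWebClient - FF24 (Win)/8.0.4_GA_5737;] smtp - Sending message to MTA at zcsmta2.kappa.local: Message-ID=<m4@kappa.local>, replyType=
"""

RECORD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]*)\] \[(?P<context>[^\]]*)\] "
    r"(?P<category>\S+) - (?P<message>.*)$"
)


def parse_record(line):
    """Split one mailbox.log line into its fields; the context block becomes a dict."""
    m = RECORD.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    ctx = {}
    for item in rec["context"].split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            ctx[key] = value
    rec["context"] = ctx
    # Jetty names request threads "qtp<pool>-<n>:<url>"; the last path element
    # of the URL is the SOAP request type (SendMsgRequest on the slide).
    thread = rec["thread"]
    rec["soap_request"] = thread.rsplit("/", 1)[1] if ":" in thread else None
    return rec


def parse_log(text):
    """Parse every line that matches the record layout; other lines are skipped."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def senders_by_ip(records):
    """Map each client IP to the set of accounts that sent mail from it."""
    by_ip = defaultdict(set)
    for r in records:
        if r["category"] == "smtp" and r["message"].startswith("Sending message"):
            by_ip[r["context"]["ip"]].add(r["context"]["name"])
    return by_ip


def shared_sender_ips(records, min_accounts=2):
    """IPs from which at least min_accounts distinct accounts sent mail.

    One address sending for many accounts is the first thing to check in
    audit.log: it usually means one client holds several users' credentials.
    """
    return sorted(ip for ip, names in senders_by_ip(records).items()
                  if len(names) >= min_accounts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip in shared_sender_ips(recs):
        print(ip, sorted(senders_by_ip(recs)[ip]))
```

Run against a real file with `parse_log(open("/opt/zimbra/log/mailbox.log").read())`; the stack-trace and continuation lines that do not start with a timestamp are simply skipped.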

May 28, 2014 81


Reviewing mailbox.log Records, cont.
• Exceptions
• A handler exception will be added to mailbox.log indicating an
abnormal event occurred.
• The handler exception is sometimes followed by stack trace
information.
• Between the handler exception and the content of the stack trace
you can often find a string that provides more insight to the error
(grep -i "13:00:" mailbox.log | grep -i exception -A15 -B5)
• Search (Google) zimbra “string” to find links to articles that provide
further insight.

May 28, 2014 82


Reviewing mailbox.log Records, cont.
com.example.cs.mailbox.MailServiceException: Invalid address: Jon R
    at com.example.cs.mailbox.MailServiceException.internal_SEND_FAILURE(MailServiceException.java:416)
    -
    -
    -
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
caused by: com.example.cs.mailbox.MailSender$SafeSendFailedException: 501 Bad address syntax
; chained exception is:
com.sun.mail.smtp.SMTPAddressFailedException: 501 Bad address syntax
    at com.sun.mail.smtp.SMTPTransport.rcptTo(SMTPTransport.java:1196)
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:584)
    at javax.mail.Transport.send0(Transport.java:169)
    at javax.mail.Transport.send(Transport.java:98)
    at com.example.cs.mailbox.MailSender.sendMessage(MailSender.java:409)
    at com.example.cs.mailbox.MailSender.sendMimeMessage(MailSender.java:262)
    … 30 more

May 28, 2014 83


Increasing per user Logging
• addAccountLogger
$ zmprov aal [email protected] zimbra.imap debug

• removeAccountLogger
$ zmprov ral [email protected] zimbra.imap

• Account level settings do not survive mailboxd restarts


• Example:
• Enable tracing of soap requests for an account:
$ zmprov aal [email protected] zimbra.soap trace

• Watch the log file and login via the AJAX client:
$ tail -f /opt/zimbra/log/mailbox.log

May 28, 2014 84


Port and Process Monitoring ZC

Section 8 in your Student Guide

May 28, 2014 85


Port & Process Monitoring
• IMAP/POP

• Web (SOAP)

• SMTP

• LDAP

May 28, 2014 86


Managing Disk Volumes & HSM
• Index volume
• Message volume
• Scheduling HSM
sessions

May 28, 2014 87


Statistics & Capacity Planning
• Server Statistics pane to monitor:
• Message count
• Message volume
• Anti-Spam/Anti-Virus activity

May 28, 2014 88


Postfix Commands
• postconf: Postfix command to view or modify the Postfix configuration

• postfix: Start, stop, reload, flush, check, upgrade configuration

• qshape: Examine the Postfix queue in relation to time and sender/recipient domain

May 28, 2014 89


ZC Cron Jobs

May 28, 2014 90


ZC Cron Jobs
• Log pruning
• /opt/zimbra/log (2:30 am)
• logrotate:
/etc/anacrontab -> /etc/cron.daily/logrotate -> /etc/logrotate.d/zimbra
• Status logging
• zmstatuslog (2 minutes)
• Backups
• Full and incremental backup (1:00 am)
• Jobs for crontab.store
• Log pruning -> /opt/zimbra/mailboxd/logs
• Clean up the quarantine directory
• Table maintenance
• Report on any database inconsistencies -> zmdbintegrityreport
• Monitor for multiple mysqld processes to prevent corruption

May 28, 2014 91


ZC Cron Jobs, cont.
• Jobs for crontab.logger
• Process logs: zmlogprocess (10 minutes).
• Daily reports: Report runs every evening at 11:30pm and is sent
to the administrator’s email address

• Jobs for crontab.mta
• Queue logging -> zmqueue report status (10 minutes).
• Spam training -> zmtrainsa (11:00 p.m.)
• Spam training cleanup
• DSPAM cleanup
• Spam Bayes auto-expiry
• Clean up amavisd/tmp (5:15 a.m. and at 8:15 p.m.)

May 28, 2014 92


Reading the crontab
The crontab is used to schedule commands to be executed
periodically on the ZC servers
$ crontab -l

Field              Description
Minute             0 through 59
Hour               0 through 23
Day of the month   1 through 31
Month              1 through 12
Day of the week    0 through 7 (0 or 7 is Sunday, 1 is Monday, etc., or use names)
Command            The complete sequence of commands to be executed for the job.
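Added example, not part of the student guide: a Python interpreter for the five time fields described in the table, which lists the jobs that fire at a given minute. It covers the forms found in a real crontab (`*`, single values, ranges, `*/step`, comma lists, day and month names, and 7 as an alias for Sunday) and the Vixie cron rule that when both day fields are restricted a match on either is enough. The sample crontab is constructed from the schedules quoted on the ZC Cron Jobs slides; the command names in it are placeholders, not the real entries of the zimbra user's crontab.

```python
import datetime as dt

# Constructed crontab in the five-field layout from the table. Schedules follow
# the slides' ZC cron jobs (log pruning 2:30 am, zmstatuslog every 2 minutes,
# backups 1:00 am, zmlogprocess every 10 minutes, daily report 11:30 pm,
# zmtrainsa 11:00 pm, amavisd tmp cleanup 5:15 am and 8:15 pm); the command
# names are placeholders, not the paths in a real /opt/zimbra crontab.
SAMPLE_CRONTAB = """\
# minute hour day-of-month month day-of-week command
30 2 * * * log_pruning_job
*/2 * * * * zmstatuslog
0 1 * * * backup_job
0 1 * * sun weekly_full_backup
*/10 * * * * zmlogprocess
30 23 * * * daily_report
*/10 * * * * zmqueue_report
0 23 * * * zmtrainsa
15 5,20 * * * amavisd_tmp_cleanup
"""

DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
MONTH_NAMES = {m: i + 1 for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}
# (low, high, name table) for minute, hour, day of month, month, day of week
FIELDS = [(0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, MONTH_NAMES), (0, 7, DAY_NAMES)]
FIELD_KEYS = ("minute", "hour", "dom", "month", "dow")


def _value(token, names):
    token = token.lower()
    return names[token] if token in names else int(token)


def expand_field(spec, lo, hi, names):
    """Expand one field ('*', '5', '1-5', '*/10', '15,45', 'sun') into a set of ints."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _value(a, names), _value(b, names)
        else:
            start = end = _value(part, names)
        if not (lo <= start <= end <= hi):
            raise ValueError("field %r out of range %d-%d" % (spec, lo, hi))
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line):
    """Return {'minute': set, ..., 'command': str}, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields and a command: %r" % line)
    entry = {"command": parts[5]}
    for key, spec, (lo, hi, table) in zip(FIELD_KEYS, parts[:5], FIELDS):
        entry[key] = expand_field(spec, lo, hi, table)
        entry[key + "_star"] = spec == "*"
    if 7 in entry["dow"]:          # 0 and 7 both mean Sunday
        entry["dow"].add(0)
    return entry


def is_due(entry, when):
    """True if the entry fires in the minute containing datetime `when`."""
    cron_dow = (when.weekday() + 1) % 7      # Python: Monday=0; cron: Sunday=0
    dom_ok, dow_ok = when.day in entry["dom"], cron_dow in entry["dow"]
    # Vixie cron: when both day fields are restricted, either one matching is enough.
    if entry["dom_star"] or entry["dow_star"]:
        day_ok = dom_ok and dow_ok
    else:
        day_ok = dom_ok or dow_ok
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_ok)


def jobs_due(crontab_text, when):
    """Commands that would run at `when` ('YYYY-MM-DD HH:MM' or datetime), in crontab order."""
    if isinstance(when, str):
        when = dt.datetime.strptime(when, "%Y-%m-%d %H:%M")
    entries = (parse_crontab_line(l) for l in crontab_text.splitlines())
    return [e["command"] for e in entries if e and is_due(e, when)]
```

Pointing it at the output of `crontab -l` for the zimbra user shows which of the jobs listed on the previous slides overlap in the same minute, which matters when a backup window and log processing compete for the same disks.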

May 28, 2014 93


Crontab Example

May 28, 2014 94


Crontab Example, cont.

May 28, 2014 95


Troubleshooting Mailstore
Performance
• Run zmdiaglog while problem is still occurring and before
restarting the ZC processes:
# /opt/zimbra/libexec/zmdiaglog

• Optional: run zmdiaglog with the -a argument to produce
a heap dump and core dump:
# /opt/zimbra/libexec/zmdiaglog -a

• Other optional arguments:
-j include the output of /opt/zimbra/libexec/zmjavawatch
-z zip the output directory for easier upload
-d Place the output in a directory other than /opt/zimbra/data/tmp
-t timeout for hanging commands (default 120s)

May 28, 2014 96


Troubleshooting Mailstore
Performance, cont.
• Recommended: Run zmdiaglog with the -a -j -z
arguments to produce a heap dump, core dump, include
the zmjavawatch output and zip everything up:
# /opt/zimbra/libexec/zmdiaglog -a -j -z

• When zmdiaglog is complete, and the mailstore is not
functioning properly, restart the ZC processes:
# su - zimbra
$ zmcontrol restart

• Once ZC has been restarted, upload to our ftp site at:
ftp.zimbra.com
Username/Password: provided by Support

May 28, 2014 97


Troubleshooting Exercise

Section 8 in your Student Guide

May 28, 2014 98


Support Information

Section 9 in your Student Guide

May 28, 2014 99


Additional Information
• Admin Console Help Search
• Support Portal http://support.zimbra.com/
• Web Client Help
• Website
• Forums http://www.zimbra.com/forums/
• Wiki http://wiki.zimbra.com/
• Online documentation http://www.zimbra.com/products/documentation.html
• Bugzilla bug database http://bugzilla.zimbra.com/
• Product Information http://www.zimbra.com/products/whats_new.html
• Product Planning (integrated with bugzilla) http://pm.zimbra.com/

May 28, 2014 100


Search for Information Exercise

Section 9 in your Student Guide

May 28, 2014 101


Day 1 Wrap-up and feedback

May 28, 2014 102


Zimbra Collaboration Day 2

Section 10 in your Student Guide

May 28, 2014 103


• Review & Questions
• Backup/Restore
• Performance Tuning & Monitoring with zmstats
• Migration Options & Planning
• Upgrading ZC
• Upgrade Troubleshooting
• Zimbra on vSphere
• Personalizing ZC Deployment
• Archiving and Discovery (optional module)

May 28, 2014 104


• Questions ?

May 28, 2014 105


Day 1 Quiz
• If you use the Zimbra proxy, you are able to preserve the
same servername.domain.com in the URL no matter how
many backend mailbox servers you have – TRUE or FALSE
• What components are used by Zimbra to provide
Antispam and Antivirus capabilities?
• What protocol is used to deliver messages from the
Zimbra MTA to the mailbox server?
• What process/package in the Zimbra application converts
attachments to HTML?

May 28, 2014 106


Day 1 Quiz, cont.
• Once a Zimbra Network Edition license expires, IMAP
stops working – TRUE or FALSE
• What port does LMTP connect on to the mailbox server?
• What is the name of the command line utility to deploy
Zimlets?
• What command line utility is used to change the
percentage of memory dedicated to mysql in Zimbra?
• What information is logged in the sync.log?

May 28, 2014 107


Backup & Restore

Section 11 in your Student Guide

May 28, 2014 108


Backup Overview
• Helps you quickly restore mail service in the event of a
crash
• Full Backup: Includes LDAP directory server, database,
index directory, and message directory for each mailbox
• Incremental Backup: Includes LDAP directory server and
gathers all redo log transactions

May 28, 2014 109


Backup & Restore
• Zimbra backup tools write a consistent snapshot of mailboxes to a designated backup
directory.
• Zimbra mailboxes can be restored from the following:
1. Full backup files that contain all the information needed to restore mailboxes
2. Incremental backup files that contain the LDAP directory server files and all the redo
log transactions written since the last backup
3. Redo logs that contain current and archived transactions processed by the Zimbra
server since the last incremental backup
• Figure below shows the sequence of a full point-in-time recovery. When a system is
restored, the last full backup is restored, each incremental backup since the last backup is
restored, and the archived and current redo logs are restored.
• Sample backup timeline:

May 28, 2014 110


Backup Methods
Two distinct backup methods are available on ZC:

• Standard backup method: Appropriate for enterprise
deployments where full backups are run on non-working days.
• Weekly full backup session
• Daily incremental backup sessions

• Auto-grouped backup method: Recommended for large ZC
environments where running a full backup of all accounts at
one time would take too long.
• Runs a full backup session for a different group of mailboxes each
scheduled backup
• System administrator configures the interval in days that backups
should run and the number of groups backups are made up of

May 28, 2014 111


Backup & Restore CLI
• CLI backup and restore commands include:
• zmschedulebackup - Used to schedule full backups, incremental
backups, and deletion of old backups
• zmbackup - Executes full or incremental backup of the mail server
a. This is run on a live server, while the mailboxd process and the
mailbox server are running
b. This command also has an option to manually delete old backups
when they are no longer needed

May 28, 2014 112


Backup & Restore CLI, cont.
• zmrestore: Executes a full or incremental restore to the ZC
mail server
• The zmrestore command is performed on a server that is running

• zmrestoreoffline: Restores the ZC mail server when the
mailboxd process is stopped
• zmrestoreldap: Restores the complete LDAP directory
server, including accounts, domains, servers, COS, and
other data
• Zimbra backup & restore can also be run from the admin
console

May 28, 2014 113


CLI Backup Examples
• Perform a full backup of all mailboxes on server1:
$ zmbackup -f -a all -s server1.domain.com
• Perform incremental backup of all mailboxes on server1 since last full
backup:
$ zmbackup -i -a all -s server1.domain.com

• Perform full backup of only user1’s mailbox on server1. Note that
hostname does not need full domain if account is used:
$ zmbackup -f -s server1 -a [email protected]

• Perform incremental backup of user1’s mailbox on server1:
$ zmbackup -i -s server1 -a [email protected]

• Enabling MySQL database backups (mysqldump):
zmlocalconfig -e mysql_backup_retention=<N>

May 28, 2014 114


CLI Restore Examples
• Put accounts into maintenance mode:
$ zmprov ma account1 zimbraAccountStatus maintenance

• The maintenance mode prevents delivery of new emails during the
restore. Otherwise, the emails would be overwritten during the
restore process.
• Run the zmrestore command to restore the accounts, using commas
between accounts:
$ zmrestore -s server1 -a [email protected], [email protected]

• Put accounts into active mode:
$ zmprov ma account1 zimbraAccountStatus active

• Important: If a user account is restored and the COS that the account
was assigned to no longer exists, the default COS is assigned to the
account.
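Added example, not a Zimbra command: a Python wrapper that runs the three-step sequence above (maintenance mode, zmrestore, active mode) for a list of accounts, so that no account is forgotten in maintenance after a successful restore and no account is reopened for delivery after a failed one. It assumes it runs as the zimbra user with zmprov and zmrestore on PATH; the run argument exists so the command sequence can be exercised without a server, and leaving accounts in maintenance when zmrestore fails is a design decision here, not something the slides prescribe.

```python
import subprocess


def zmprov_set_status(account, status, run):
    """zmprov ma <account> zimbraAccountStatus <status>, exactly as on the slide."""
    run(["zmprov", "ma", account, "zimbraAccountStatus", status])


def restore_accounts(server, accounts, run=None):
    """Maintenance mode -> zmrestore -> active mode for every account in the list.

    Accounts are switched back to active only if zmrestore succeeded. On a
    failed restore they stay in maintenance, so nothing is delivered into a
    partly restored mailbox, and the caller is told which ones to look at.
    Returns (restored, accounts_left_in_maintenance).
    """
    if run is None:
        def run(cmd):
            subprocess.run(cmd, check=True)

    for acct in accounts:
        zmprov_set_status(acct, "maintenance", run)
    try:
        # The slide passes the accounts to -a separated by commas.
        run(["zmrestore", "-s", server, "-a", ",".join(accounts)])
    except subprocess.CalledProcessError:
        return False, list(accounts)
    for acct in accounts:
        zmprov_set_status(acct, "active", run)
    return True, []


class FakeRunner:
    """Records the commands instead of executing them; fails zmrestore on request.

    Constructed for exercising the sequence without a mail server.
    """

    def __init__(self, fail_restore=False):
        self.commands = []
        self.fail_restore = fail_restore

    def __call__(self, cmd):
        self.commands.append(cmd)
        if self.fail_restore and cmd[0] == "zmrestore":
            raise subprocess.CalledProcessError(1, cmd)


if __name__ == "__main__":
    runner = FakeRunner()
    print(restore_accounts("server1", ["user1@example.com", "user2@example.com"], run=runner))
    for cmd in runner.commands:
        print(" ".join(cmd))
```

Calling `restore_accounts(server, accounts)` without a runner executes the real commands; a non-zero exit from zmprov raises `CalledProcessError` straight away, before any restore is attempted.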

May 28, 2014 115


CLI Restore Examples, cont.
• Perform a full restore of all accounts on server1, including last full
backup and any incremental backups since last full backup:
$ zmrestore -s server1.domain.com -a all

• Perform a single account restore on server1:
$ zmrestore -s server1.domain.com -a [email protected]

• Note: A single account can also be restored from the admin console.

May 28, 2014 116


Backup and Restore Exercise

Section 11 in your Student Guide

May 28, 2014 117


Performance Tuning & Monitoring

Section 12 in your Student Guide

May 28, 2014 118


ZC Architecture
• ZC depends on many open source components
• Linux
• Postfix
• OpenLDAP
• MySQL

• Each component can affect system performance

May 28, 2014 119


zmstat Framework
• ZC writes statistics to CSV files in /opt/zimbra/zmstat
• cpu.csv: CPU utilization
• fd.csv: file descriptor count
• mailboxd.csv: ZC server and JVM statistics
• mtaqueue.csv: Postfix queue length
• mysql.csv: MySQL status variables
• proc.csv: per-process CPU and memory consumption
• soap.csv, pop3.csv, imap.csv: request processing time
• threads.csv: JVM thread counts
• io.csv: per-device disk utilization
• io-x.csv: extended IO statistics per device

May 28, 2014 120


What to do with the data?
• Import into Excel or DB of choice

• View graphs in the Admin UI

• Generate charts with zmstat-chart

• Push chart data (.png + index.html) to web server or IT
management for review

May 28, 2014 121


Admin UI Charts
• Charts displayed directly in the admin web UI

• Chart and date range are user-selectable

• Good for viewing a small number of stats, various date
ranges

May 28, 2014 122


Admin UI Charts, cont.

May 28, 2014 123


zmstat-chart
• Command-line utility that generates charts in HTML/PNG
format

• Reads chart configuration from
/opt/zimbra/conf/zmstat-chart.xml or custom config file

• Reads data from CSV files

• Chart timelines are aligned, to help correlate system
events and performance measurements

• Example:
$ zmstat-chart -s /opt/zimbra/zmstat/YYYY-MM-DD -d ~/charts

May 28, 2014 124


Sample HTML Charts
• Response time by client protocol

May 28, 2014 125


Sample HTML Charts, cont.
• Message add rate

• Message add speed

May 28, 2014 126


Sample HTML Charts, cont.
• CPU

• Disk

May 28, 2014 127


Sample HTML Charts, cont.
• Process memory

• JVM garbage collection

May 28, 2014 128


Sample HTML Charts, cont.
• InnoDB buffer pool hit rate

May 28, 2014 129


Diagnosing Slowness
• Questions to ask when “Zimbra is slow”
1. Disk or CPU?
2. Which component (Postfix, server, MySQL, LDAP, etc.)?
3. Which disk partition?
4. Which protocol (SOAP, POP or IMAP)?
5. Client or server?
6. Which client? Check ua (user agent) context in mailbox.log

May 28, 2014 130


Diagnosing Slowness, cont.
• High disk utilization
• Database, index, mail store?
• Put components on separate devices to get separate utilization
stats

• High database disk utilization
• InnoDB buffer pool hit rate should be > 995
• Add memory if necessary
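Added example, not a Zimbra tool: reading a zmstat-style mysql.csv (the per-sample CSV files listed under the zmstat Framework) and computing the InnoDB buffer pool hit rate for each sampling interval, compared against the slide's figure of 995, read here as InnoDB's per-1000 figure. The CSV excerpt is constructed; that mysql.csv carries the MySQL status variables Innodb_buffer_pool_read_requests and Innodb_buffer_pool_reads under those column names, and the timestamp format, are my assumptions. The point the code makes is that both counters are cumulative since mysqld started, so a hit rate per interval has to be computed from the deltas between consecutive samples rather than from the raw columns.

```python
import csv
import io

# Constructed mysql.csv excerpt in zmstat's one-row-per-sample layout. The
# column names are the MySQL status variables the computation needs; whether
# zmstat writes exactly these headers, and the timestamp format, are assumptions.
SAMPLE_MYSQL_CSV = """\
timestamp,Innodb_buffer_pool_read_requests,Innodb_buffer_pool_reads
2013-10-31 14:00:00,1000000,1000
2013-10-31 14:00:30,1200000,1200
2013-10-31 14:01:00,1300000,2200
2013-10-31 14:01:30,1350000,2250
2013-10-31 14:02:00,1350000,2250
"""

# The slide's threshold: the hit rate, as InnoDB reports it per 1000 logical
# read requests, should stay above 995.
HIT_RATE_THRESHOLD = 995


def hit_rate_per_1000(prev, cur):
    """InnoDB buffer pool hit rate for the interval between two samples.

    Both counters are cumulative, so the interval uses the deltas:
    1000 * (read_requests - disk_reads) / read_requests.
    Returns None when no read requests were made in the interval.
    """
    d_req = (int(cur["Innodb_buffer_pool_read_requests"])
             - int(prev["Innodb_buffer_pool_read_requests"]))
    d_reads = (int(cur["Innodb_buffer_pool_reads"])
               - int(prev["Innodb_buffer_pool_reads"]))
    if d_req <= 0:
        return None
    return 1000.0 * (d_req - d_reads) / d_req


def load_samples(csv_text):
    """Rows of a zmstat CSV as dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hit_rates(csv_text):
    """(timestamp, rate) for every sampling interval that saw read requests."""
    rows = load_samples(csv_text)
    out = []
    for prev, cur in zip(rows, rows[1:]):
        rate = hit_rate_per_1000(prev, cur)
        if rate is not None:
            out.append((cur["timestamp"], rate))
    return out


def low_hit_rate_samples(csv_text, threshold=HIT_RATE_THRESHOLD):
    """Intervals where the buffer pool missed too often: candidates for more memory."""
    return [(ts, rate) for ts, rate in hit_rates(csv_text) if rate < threshold]


if __name__ == "__main__":
    for ts, rate in low_hit_rate_samples(SAMPLE_MYSQL_CSV):
        print("%s hit rate %.1f / 1000 below %d" % (ts, rate, HIT_RATE_THRESHOLD))
```

Intervals in which the counters did not move (an idle database, or a sample repeated after a restart) are skipped rather than reported as a 0 or 1000 hit rate, which is the usual mistake when these counters are charted directly.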

May 28, 2014 131


Diagnosing Slowness, cont.
• High CPU utilization
• Garbage collection? Increase JVM heap size.
• Do thread dumps during time of slowness to see what the server
is doing

• Slow response time, but disk and CPU utilization are low
• Thread dumps will show blocked threads

May 28, 2014 132


Wrap-Up
• Questions

May 28, 2014 133


Migration

Section 14 in your Student Guide

May 28, 2014 134


Migration Planning Overview
• Customer Requirements
• Accessing customer environment
• Current workload and traffic flow
• Migration Strategy
• Quick migration
• Split-Domain migration
• Provisioning
• Test Migration
• Small, medium and large size mailboxes part of pilot pool
• Determine the time for the migration
• Go-Live Steps
• Communication plan
• Final Migration plan

May 28, 2014 135


Customer Requirements – Data
• What will or will not be migrated?
• User settings/preferences
• Email messages and attachments
• Calendar
• Address books
• Distribution lists/Groups
• Tasks
• Filters
• Signatures
• Vacation messages
• Public folders

May 28, 2014 136


Customer Requirements - Back-End
• How is the current email system implemented?

• How are users accessing the current system?

May 28, 2014 137


Current Workload Profile
• Helps determine:
• ZC storage requirements

• ZC servers to deploy

• High availability and clustering

May 28, 2014 138


Migration Strategy
For additional information see section 14 in your student guide.
• Migration Options
• Quick migration
• Split-Domain/Phased migration
• Which Migration Tools to be used?
• Provisioning
• Passwords & User settings
• Documentation containing:
• Proposed New Architecture
• Migration Strategy
• Migration Tools to be used
• Testing Criteria
• Test Migration

May 28, 2014 139


Split-Domain Migration

May 28, 2014 140


Split Domain Strategy
• You can run Zimbra system with customer’s existing
legacy system

• Zimbra can be deployed as the primary system or the
secondary system to an existing messaging environment

May 28, 2014 141


Split Domain – Zimbra as Primary
System
• Can be used during migration
• ZC as primary system gives customers options
• Taking advantage of ZC functionality
• Re-directing access to legacy system for accounts that have not
migrated

• Less technical tasks to perform once the cutover to
ZC is complete
• Turn off legacy system

May 28, 2014 142


Split Domain - Zimbra as Secondary
System

• Allows a customer to not change any email routing
configuration in production

• Setup ZC with same email domain during trial and
migration period

• Allows Pilot users to be moved from one system to
another

May 28, 2014 143


The Migration
• ZC single-server or multi-server install is performed

• COSs are created to match user’s existing features and
preferences

• User accounts are created on the Zimbra server

• Appropriate migration tools are run to migrate user’s
mail, calendar, contacts, etc. to ZC

May 28, 2014 144


Migration Tools - Server
• ZC Migration Wizard for Exchange
• Run by Administrator (from admin console)
• One-step process uses .xml template to provision accounts and import
users’ email, calendars, contacts, and tasks
• Domino Migration Tools
• Run by Administrator
• System-to-System
• Includes NSF-import tool for local PAB’s
• Groupwise Migration Tools
• Run by Administrator
• System-to-System
• IMAP tools for migrating email
• IMAPsync run by Administrator,
• External IMAP connection in “Inbox” by user
• System-to-System

May 28, 2014 145


Migration Tools - Client
• PST-based User Migration Tool
• Usually run by End-User, could be done by Administrator
• Loads Outlook-created PST to Zimbra

• REST interface to import calendar and contacts
• Run by Administrator
• System-to-System

• Sun iPlanet calendar migration tool

• Oracle calendar migration tool
• Migration tool information available at:
http://wiki.zimbra.com/index.php?title=User_Migration
http://www.zimbra.com/products/documentation_additional.html

May 28, 2014 146


Auto-Provisioning
• Allows you to create users from an external LDAP source such as
Active Directory
• Definable Attribute Mapping
• Generates “Welcome Email”
• Limited by LDAP Search Base/Search Filter

• Does not “clean-up” deleted users, dynamically assign COS, create
archive accounts
• “Eager” Mode
• Users automatically created on a scheduled basis
• By domain

• “Lazy” Mode - Account creation occurs when user attempts to login


• Alternative: zmexternaldirsync, a tool from the Zimbra PS Team that
requires configuration and customization

May 28, 2014 147


Exchange Migration Information
• General Migration Guidelines:
• Primary bottleneck for migrating from Exchange can be Exchange
I/O Subsystem

• Number of messages and size of the messages can impact the
length of the migration

• OPTIONAL CONSIDERATION: Have the users clean out Trash and
Junk folders prior to migration

NOTE: This is optional because some users use their Trash folder
as an archive

May 28, 2014 148


Exchange Migration Information, cont.
• General Setup Guidelines:
• Use at least Windows 2003 Server to run the migration wizard
with Outlook 2010 installed
• Migration Wizard must be joined to the customer’s domain and
logged into that domain with Exchange Administrator privileges
• Recommended for the migration server to be at the customer’s
site since MAPI calls are made to retrieve messages
• Ports 443, 7070, and 7071 are used for communication by the
Wizard to talk to the Zimbra environment

May 28, 2014 149


Exchange Migration Execution
• General Migration execution guidelines:
• Migration Wizard performs best with X simultaneous threads per
instance
The number of threads per instance is based on your environment. In
many cases, 3-4 simultaneous threads per instance works

• You can run multiple instances of the migration wizard

• If an account migration fails, you can restart the migration by
using the SAME original account login name

May 28, 2014 150


Upgrading ZC

Section 15 in your Student Guide

May 28, 2014 151


Upgrade Considerations
• Upgrades from ZC 6 or 7 to ZC 8 may (most likely) require
an OS upgrade
• Upgrading OS directly NOT recommended
• Older Zimlets removed
• Phase 1 – Upgrade existing environment to latest 7.x
version
• Allows usage of zmmboxmove which is multi-threaded,
asynchronous (other methods such as zmmailboxmove and
zmbackup/restore single threaded)
• Reduces user impact
• Install ZC 8 on new servers and migrate users with
zmmboxmove
• Follow up with zmdedupe
May 28, 2014 152
Rolling Upgrade (New OS):
RHEL5 to RHEL6
1. Create a RHEL6 guest template
2. Install ZCS 7.2 LDAP replica on RHEL 6 VM
3. Promote RHEL6 LDAP 7.2 replica to master
(requires modifying all other nodes to point to the new master)
4. Move LDAP Replicas to new RHEL6 VMs
5. Move MTAs to new RHEL6 VMs
6. Do a Rolling Upgrade on LDAP nodes to ZCS8
[http://wiki.zimbra.com/wiki/Rolling_Upgrades_for_ZCS]
7. Optionally: Promote one or more LDAP replicas to LDAP Multi-Master
https://wiki.zimbra.com/wiki/LDAP_Multi_Master_Replication#Promoting_an_existing_replica_to_be_a_multi-master
8. Do a Rolling Upgrade on MTA nodes to ZCS8
9. Do a Rolling Upgrade on Proxy nodes to ZCS8
10. Create X new ZCS 8 mailstores on RHEL6
11. zmmboxmove users from ZCS7.2 mailstores to ZCS8
12. Decommission RHEL5 and ZCS7.2 systems
Rolling Upgrade Diagram
[Figure: current OS, multiple sites (Site A and Site B). Components shown:
LDAP Masters (7.x and 8.x) in LDAP MMR, marked "writes only"; LDAP Replicas
(7.x and 8.x), marked "reads only"; an Nginx Proxy and an MTA (8.x) at each
site; a Mailstore (8.x) for Admin/Provisioning; Mailstores (7.x) and
Mailstores (8.x). Phases marked: Phase 1, Phase 2, Phase 3 (zmmboxmove of
the 8.x beta group), Phase 4 (zmmboxmove of production users).]
Single Server Upgrade – Checklist I
• Review Known Issues in Release Notes
• LDAP Master/Replica Order
• Interprocess Communications
• Expired Certificates
• Database Corruption

• Pre-requisite Recommendation
1. Perform a test upgrade in test environment
Note: This could be a Virtual Environment

2. Apply and test any customization, especially
a. Existing provisioning scripts
b. Zimlets
c. Skins and Themes

May 28, 2014 155


Single Server Upgrade – Checklist II
• Important: Before you begin the upgrade, make sure you have a good backup
for all users!
• Backup all customizations including:
• Customized files you might have created for branding
• Any Postfix MTA configurations
• Any configuration file changes like SpamAssassin
• Your SSL certificates
• Any Zimlets created
• Other items not on this list, such as scripts you have created
• Backup a copy of ZCLicense.xml
• Make sure backups are stored in a safe partition or on another server
• Stop servers
• Perform install steps
• Run a full backup with the upgraded ZC version
• Re-apply the customizations

May 28, 2014 156


Single-Server Upgrade Exercise

Section 15 in your Student Guide


ZC 8.0 Release notes can be found at
http://www.zimbra.com/support/documentation.html

May 28, 2014 157


Troubleshooting
Common Problems
• License Activation with new format (from older 6 upgrades)

• Login Problems

• Mail delivery

• Server not responding

• Poor performance

May 28, 2014 158


Zimbra on vSphere
Deployment Best Practices

Section 17 in your Student Guide

May 28, 2014 159


Zimbra on vSphere
• Deployment model
• Single Server or Simple deployment model
a. All services deployed in a single virtual machine
b. Ideal for small to medium businesses
c. Simple HA and backup model

• Multi-server or distributed deployment model
• Services distributed among multiple virtual machines
• Ideal for large enterprise deployments
• Message archiving, HA and backup a must to ensure maximum
uptime

May 28, 2014 160


Zimbra on vSphere Best Practices - CPU
• Zimbra is NOT a CPU bound application when proper disk and memory
resources are allocated to the virtual machine
• Can over commit CPU resources however, be aware of other applications
sharing the resources
• NUMA is employed in all recent hardware. When sizing your virtual machines
take into consideration the NUMA architecture. Crossing a NUMA node
results in degraded performance
• Example:
• 4 CPU sockets with 4 cores per socket equipped with 64GB of system
memory
• The maximum recommended virtual machine size is 4vCPU with 16GB of
system memory
• Ensure that Hyper-Threading or HT Sharing is disabled on your Zimbra VMs
• Monitor host CPU utilization, VM ready time and enable Distributed Resource
Scheduler (DRS) to balance virtual machines across hosts in the vSphere
cluster

May 28, 2014 161


Zimbra on vSphere Best Practices -
Memory
• Size virtual machines appropriately taking into consideration NUMA
architecture
• Follow earlier example of configuration:
• ESX host with 4x4 (4 sockets and 4 cores per socket) and 64GB of
system memory.
• Build your virtual machine with 4vCPU and 16GB of memory. This is the
maximum configuration you can build without crossing a NUMA node
• Remember – Crossing a NUMA node results in performance degradation
because the system must access memory that is not local to the CPUs the
virtual machine might be executing on
• Configure the memory reservation for the Zimbra mailbox virtual
machines to the allocated memory of the virtual machine. Example:
• If you allocate 16384MB of memory to your Zimbra mailbox virtual
machine, you should configure the memory reservation to 16384MB. You
can set the memory reservation in settings of the Zimbra mailbox virtual
machine

May 28, 2014 162


Zimbra on vSphere Best Practices –
Storage
• How you design your storage for your Zimbra deployment will impact
how your Zimbra configuration will perform whether it be physical or
virtual
• DO NOT over subscribe VMFS datastores
• Always take into consideration your existing and projected workloads
when designing the storage for your Zimbra deployment
• Eight major partitions for Zimbra mailbox server in a multi-server
deployment
a. /opt/zimbra root partition for Zimbra application
b. /opt/zimbra/db MySQL database files (holds all metadata)
c. /opt/zimbra/store Blob store (messages, attachments, etc.)
d. /opt/zimbra/index message index partition for fast user searches
e. /opt/zimbra/redo MySQL database log files also holds incr. backups
f. /opt/zimbra/logs general Zimbra log files
g. /opt/zimbra/backup holds all backup data for the Zimbra mailbox server
h. /opt/zimbra/store02… Zimbra Hierarchical Storage Management (HSM)

May 28, 2014 163


Zimbra on vSphere Best Practices –
Storage, cont.
• Use paravirtualized (PVSCSI) SCSI adapter for workloads that generate
greater than 2000 IOPS
• Use separate vSCSI adapters to separate I/O patterns (sequential vs. random)
• Also using multiple vSCSI adapters within a virtual machine will allow more
‘in-flight’ I/O
• Configure physical storage with appropriate number of spindles
• Use eager-zeroed thick disks. This will prevent duplicate disk I/Os !!
• Slow disk usage under Zimbra requires capacity and can use inexpensive
disks (SATA, RAID-5)
• Fast disk usage under Zimbra requires speed vs. capacity and should be
deployed using enterprise-level disks. (fibre channel, iSCSI and RAID-10 or
better)
• Use Raw Device Mapping disks (RDM) only if you require access to array based
functions
• Take into consideration shared storage resources and never oversubscribe
your disks !!

May 28, 2014 164


Zimbra on vSphere Best Practices –
Network
• Use latest VMXNET3 adapter if supported by the
operating system
• Use separate physical adapters, VLANs and NIC teams to
separate network traffic and provide redundancy for your
vMotion and IP based storage traffic (iSCSI and NFS)
• Use separate physical switches on the infrastructure to
eliminate single points of failure

May 28, 2014 165


Zimbra on vSphere Best Practices –
vSphere Cluster Resources
• VMware HA – Enable HA to provide out of the box high
availability for your Zimbra virtual machines
• VMware HA will automatically recover your Zimbra virtual
machines in the case of unplanned downtime

• VMware vMotion – can reduce planned downtime by
relocating your Zimbra virtual machines to other hosts in
the vSphere cluster in the case of hardware maintenance
• Be sure to use dedicated NIC ports, VLANs and NIC teams to avoid
network contention between client/server, storage I/O and
vMotion traffic

May 28, 2014 166


Zimbra on vSphere Best Practices –
vSphere Cluster Resources, cont.
• VMware DRS – Enable DRS to provide intelligent
placement of your Zimbra virtual machines in the
vSphere cluster
• VMware DRS will continuously monitor the vSphere cluster and
ensure the cluster is balanced for resource utilization. In the case
your Zimbra virtual machines should become resource
constrained they will be placed where the resources are
• Enable Affinity Rules - To keep virtual machines that
communicate with each other together and to separate virtual
machines that could cause your Zimbra deployment to fail.
Affinity rules can eliminate single points of failure by not
allowing ‘all of the eggs in one basket’

May 28, 2014 167


Zimlets and Themes

Section 18 in your Student Guide

May 28, 2014 168


Custom UI Skins / Themes
Skins, AKA themes, are a combination of HTML, CSS, and properties files that
control the appearance of the ZWC. You can change the appearance of ZWC to use
specific logo and colors. You can create many different skins to provide your users
with choices, or you can restrict users to a single skin to enforce brand identity.
[Figure: ZWC layout regions controlled by a skin: Logo, Username, App Chooser,
Search, app_top_toolbar, Tree, app_main, Footer]

May 28, 2014 169


Customization Options
• Themes by COS or Account
• Via the Admin Console or CLI (zmprov)
• Options include:
• ad_bottom
• ad_top
• ad_tree_bottom
• ad_side

May 28, 2014 170


Telus Skin Example (1 of 3)

May 28, 2014 171


Telus Skin Example (2 of 3)

May 28, 2014 172


Telus Skin Example (3 of 3)

May 28, 2014 173


Managing Zimlets from the
Admin Console
• Deploy a Zimlet

• Make a Zimlet available or not per COS or account

• Disable a Zimlet

• Undeploy a Zimlet

May 28, 2014 174


Managing Zimlets from the
Admin Console
• You can manage Zimlet tasks from the ZC Admin Console
(Home > Configure > Class of Service > Zimlets)

May 28, 2014 175


Managing Zimlets from the
Admin Console
• You can:
• Make a Zimlet available or not available per COS or account.
• Make a Zimlet mandatory.
• Disable a Zimlet, which leaves it on the server but the Zimlet is
not used.
• Deploy a Zimlet, which:
• Creates the Zimlet entry in the LDAP server
• Installs the Zimlet files on the server
• Enables the Zimlet
• Makes the Zimlet available to the members of the default COS
• Undeploy a Zimlet, which removes it from the COS listings and the
Zimlets list.



Customizing Themes Exercise

Section 18 in your Student Guide



Zimbra Archiving and Discovery
(ZAD)

Section 19 in your Student Guide



Introduction
• ZC optional package → ZAD
• Archiving: the ability to archive messages that were delivered to
or sent by ZC
• Discovery: the ability to search across mailboxes – referred to as
Cross Mailbox Search
• Inbound and outbound mail is forked at the Zimbra MTA
• Can be installed in a single server or multi-server
deployment
• Searches can be performed on live and archived
mailboxes


ZAD – How it works
• If User A sends a message to User B, and if User B has
archiving enabled, the MTA delivers two messages — one
to User B’s mailbox and one to User B’s archive mailbox.
The message received in User B’s mailbox looks normal, as
shown in the following example:
Received: from localhost (localhost.localdomain [127.0.0.1]) …
From: [email protected]
To: [email protected]
Subject: New License Key
Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom>
Date: Mon, 04 Nov 2008 23:48:18 -0000
Hi B,
Can you send me the license key for the software again?
Thanks, A



ZAD – How it works, cont.
• The message received in User B’s archive mailbox contains
additional X-Envelope-From and X-Envelope-To headers.
These headers show the real email address the message
was sent from and each of the email addresses to which
the message was sent.
Received: from localhost (localhost.localdomain [127.0.0.1]) …
From: [email protected]
To: [email protected]
Subject: New License Key
Message-ID: <015f01c717fe$70f042d1$b1d6f61d@thom>
X-Envelope-From: [email protected]
X-Envelope-To: [email protected]
Date: Mon, 04 Nov 2008 23:48:18 -0000
Hi B,
Can you send me the license key for the software again?
Thanks, A



Enabling Archiving
• Archiving is installed on a mailbox server and enabled on
an MTA server
• To enable archiving (on the MTA server):
$ zmprov ms <zmhostname> +zimbraServiceEnabled archiving
• The server must be restarted:
$ zmcontrol restart


Archive Account Name Templates
• zimbraArchiveAccountDateTemplate
• Sets the date format used in the name template.
• The default is yyyyMMdd.
• Adding the date to the account name makes it easier to roll off
older data from the system to backups

• zimbraArchiveAccountNameTemplate
• Sets up how the archive mailbox name is created.
• The default value is ${user}-${date}@${domain}.archive.
• The archive account address would be like this example:
[email protected].



Create an Archive Mailbox
• Type as the Zimbra user:
$ zmarchiveconfig enable <[email protected]> archive-cos <cosname>
• Archive accounts are created based on the Zimbra Archive
name templates
• The attribute zimbraIsSystemResource is added to the
archive account and set to TRUE
• The archive account is displayed in the admin console
• When a message is received in a mailbox with archiving
enabled, a copy of the message is delivered to the archive
mailbox


Cross Mailbox Search from
Admin Console



Cross Mailbox Advanced Search



Day 2 Wrap-up and feedback



Zimbra Collaboration Server Day 3

Sections 20-26 in your Student Guide



• ZC Architectural Components - Review
• Architecture and Storage Considerations
• Multi-Server Installation and Upgrading
• Reconfigure ZC (hands-on) into a
multi-node architecture
• Clustering
• Delegated Administration
• Directory and GAL Integration



Open Source Software
• Zimbra leverages over 80 OSS projects:
• CyberNeko HTML Parser, Xerces, SpamAssassin, MINA, Lucene,
log4j, joda, jml, Jetty, James jSieve, Jakarta Taglibs, Jakarta ORO,
Jakarta Commons Libraries, cindy, Apache HTTPD, Apache Derby
• Yahoo User Interface Library, tcmalloc, SoundManager2, pcre,
libevent, JavaScript MD5, zlib, TinyLine GZIPInputStream, RSA MD4,
OpenSSL, nginx, net-snmp, memcached, kxml2, jzlib, joscar, jaxen,
iCal4j, Heimdal, gifencoder, Ganymed SSH-2 for Java, dom4j, cyrus-sasl
• Swatch, rrdtool, MySQL Connector/J, MySQL, Dspam, ClamAV,
amavisd-new, Postfix
• OpenLDAP, PHP, SleepyCat, JavaMail, Rhino, libical, AND MORE!


Flexible Deployment Models
Traditional (on-premises or hosted)
• Administer ZC, OS stack manually
• Rely on ZC for Hierarchical Storage, OS for clustering
• Run ZC on Linux servers
• Maximum configuration potential

Virtualized (on-premises or hosted)
• Administer ZC, OS within VMware framework
• Rely on vSphere for High Availability, Backup and Data Recovery
• Run ZC on any server


Zimbra Client Architecture
[Figure: client architecture. Mobile Clients – BlackBerry (via Zimbra Mobile /
Zimbra Connector for BES), Android, Windows, Apple and other; Desktop Clients –
Microsoft Outlook (Zimbra Outlook Connector), Apple and other (IMAP, POP,
CardDAV, CalDAV), Zimbra Desktop; Browser Clients – Zimbra HTML Client,
Zimbra Standard and AJAX Client, Zimlet AJAX Framework. Platform API
Interfaces – SOAP, REST, RSS, Atom, POP, IMAP, LMTP, CalDAV, CardDAV,
ActiveSync, BES, Zimlet WS Proxy, Zimlet JSP Tags – reached through the
Zimlet Proxy or Nginx Proxy; behind them the Zimbra Collaboration Server
(Jetty + JVM + OS) and the Postfix MTA including Anti-Spam and Virus]


Mailbox Server (MBS) Architecture

[Figure: Mailbox Server (MBS) components under the Zimbra Collaboration Server
(Jetty + JVM): Message and File Store / Reliability – Storage System, Zimbra
Journaling; Search Index – Lucene Index; Database & Meta Data – MySQL (via
JDBC); Directory – OpenLDAP, External LDAP; Attachment View Providers –
Autonomy Keyview; Free/Busy – IBM Domino, Microsoft Exchange, Active Directory]


ZC Architecture



Multi-Server Architecture



Possible Deployments
Note:
1. The number of users is the number of active users, not the number
provisioned.
2. IMAP usage will dramatically affect these numbers.

Small (less than 1000 users)
• All ZC components installed on one server

Medium (1000 to 2500 users)
• Zimbra LDAP and Zimbra message store on one server
• Zimbra MTA on a separate server
• Possibly include additional Zimbra MTA servers configured

Large (2501 to 15,000 users)
• Zimbra LDAP on one server
• 2nd LDAP master
• Multiple Zimbra mailbox servers
• Multiple Zimbra MTA servers
• Multiple Proxy servers

Very Large (over 15,000 users)
• Zimbra LDAP server as master
• 2nd LDAP master
• Multiple Zimbra mailbox servers
• Multiple Zimbra MTA servers
• Multiple Proxy servers


IMAP Improvements: NIO
• With ZC 8 there were significant improvements to IMAP support that enable
more IMAP transactions compared to prior releases
• Historically, with high IMAP usage on a ZC mailbox server, IO against MySQL and
memory consumption were potential bottlenecks
• A new threading model, known as NIO, reduces the memory footprint of
mailboxd and the ZC server overall (by lowering the threads required)
• Java thread counts prior to NIO were 3-4 client connections per IMAP user (1000
logged in IMAP users consume about 3500 threads)
• Java thread count after the ZC 8 NIO implementation is reduced significantly (1000
logged in IMAP users consume less than 100 threads)
• Java threads use 256K memory each, hence less than 25MB of Java memory consumed.
• NIO is enabled by default


LDAP Multi-Master Replication
• Read rates ~300x greater performance
(2 MMRs = 1 Master + 5 Replicas)
• Writes can be made to multiple
“master” LDAP servers
• Remote sites can perform writes locally
• Eliminates Single Point of Failure for LDAP
• Requires all LDAP servers to be “master” (no replicas)

• Disaster Recovery is simplified if an LDAP master fails



LDAP Multi-Master Replication, cont.
• Options:
• Add new LDAP servers
• Modify existing LDAP replicas to participate as Masters
Note: Server IDs MUST be unique between masters, and Replication
IDs must be unique in a master.

• See also:
http://wiki.zimbra.com/wiki/LDAP_Multi_Master_Replication



Policyd
• Policyd
• Policyd is an anti-spam policy daemon for Postfix (written in C)
that does greylisting, sender-based (envelope, SASL or host/IP)
throttling (on messages and/or volume per defined time unit),
recipient rate limiting, spamtrap monitoring / blacklisting, HELO
auto blacklisting and HELO randomization prevention
• Included in the Zimbra package, but not enabled by default
• Examples:
• System admins can restrict the number of emails sent by a
user to 100/day
• Service providers can restrict “spammers” on compromised
accounts


OpenDKIM
• DKIM – DomainKeys Identified Mail
• Allows creation of public/private keys used to validate email sent
from your domain
• Used by ISPs, Yahoo, Gmail, financial institutions, DOD, etc.
• DKIM can be used to verify inbound mail, but no warning
is shown to the user:
https://bugzilla.zimbra.com/show_bug.cgi?id=78424
• zmdkimkeyutil is used to manage domain keys:
$ /opt/zimbra/libexec/zmdkimkeyutil -a -d example.com
Public key to enter into DNS: 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey IN TXT "v=DKIM1;=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDY5CBg15nZ2vYnRmrNub6Jn6ghQ2DXQbQgOJ/E5IGzi
UYEuE2OnxkBm1h3jived21uHjpNy0naOZjLj0xLyyjclVy1chrhSbsGAhe8HLXUsdXyfRvNTq8NWLsUnMEsoomtJCJ
/6LYWYU1whOQ9oKZVAwWHSovAWZpByqNMZmFg7QIDAQAB" ; ----- DKIM 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB
• Check that the record was published (query the authoritative name server):
$ dig -t txt 0E9F184A-9577-11E1-AD0E-2A2FBBAC6BCB._domainkey.example.com @ns.example.com
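A check of what the dig answer actually serves against the key zmdkimkeyutil printed, as an added example (not part of the slides or of Zimbra's tooling): it joins the quoted TXT strings, parses the tag=value list, reports the problems a verifier would hit (a bare =rsa fragment like the one in the record printed above, an empty p= meaning revoked, a p= that is not DER) and compares the published p= with the generated one. The key material is a constructed stand-in, not a real RSA key.

```python
import base64
import re

# Constructed stand-in for a p= value: base64 of a small DER SEQUENCE, not a real key.
FAKE_P = base64.b64encode(bytes.fromhex("300d06092a864886f70d0101010500")).decode()

# TXT rdata as dig prints it: one or more quoted strings (DNS splits strings at 255 bytes).
SAMPLE_GENERATED = f'"v=DKIM1; k=rsa; p={FAKE_P}"'
SAMPLE_DNS_OK = f'"v=DKIM1; k=rsa; " "p={FAKE_P}"'
SAMPLE_DNS_REVOKED = '"v=DKIM1; k=rsa; p="'
SAMPLE_DNS_MALFORMED = f'"v=DKIM1;=rsa; p={FAKE_P}"'


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted character-strings of a TXT rdata ("a" "b" -> ab)."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()


def parse_dkim_record(record: str) -> dict:
    """Split a DKIM key record (RFC 6376 tag=value list) into a dict.
    Fragments without a valid tag name are collected under '_malformed'."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            tags.setdefault("_malformed", []).append(item)
            continue
        tags[name] = re.sub(r"\s+", "", value)   # folding whitespace is allowed inside values
    return tags


def check_dkim_record(record: str) -> list:
    """Return the problems a DKIM verifier would hit with this record (empty = OK)."""
    tags = parse_dkim_record(record)
    problems = [f"malformed tag {bad!r}" for bad in tags.get("_malformed", [])]
    if "v" in tags and tags["v"] != "DKIM1":        # v= is optional, but must be DKIM1 if present
        problems.append(f"unsupported version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":               # k= defaults to rsa
        problems.append(f"unsupported key type {tags['k']!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:
            problems.append("p= is not valid base64")
        else:
            if not der or der[0] != 0x30:           # SubjectPublicKeyInfo is a DER SEQUENCE
                problems.append("p= does not decode to a DER SubjectPublicKeyInfo")
    return problems


def published_matches(generated_rdata: str, dns_rdata: str) -> bool:
    """True when DNS serves the same public key that zmdkimkeyutil generated."""
    want = parse_dkim_record(join_txt_strings(generated_rdata)).get("p")
    got = parse_dkim_record(join_txt_strings(dns_rdata)).get("p")
    return bool(want) and want == got


if __name__ == "__main__":
    for name, rdata in [("ok", SAMPLE_DNS_OK), ("revoked", SAMPLE_DNS_REVOKED),
                        ("malformed", SAMPLE_DNS_MALFORMED)]:
        print(name, check_dkim_record(join_txt_strings(rdata)),
              "matches generated:", published_matches(SAMPLE_GENERATED, rdata))
```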



Architecture and Storage
Considerations
• Hardware sizing and capacity planning
• Customer transaction profile
• Sizing worksheet
• Storage and file system layout
• Server sizing



Multi-Server Installation and
Upgrading

Section 23 in your Student Guide



Multi-Server Installation –
General Steps

• Start the installation process
• Install the ZC LDAP master server
• Install the ZC mailbox server
• Install ZC MTA on a server
• Install ZC Proxy on a server
• Run final set-up
• Verify server configuration
• Log onto the admin console


Multi-Server Upgrades – Checklist I
Important: Before you begin the upgrade, make sure you
have a good backup for all users!

• Review Known Issues in Release Notes

• Pre-requisite recommendation:
1. Perform a Test Upgrade in Test environment
Note: This could be a Virtual Environment.
2. Apply and test any customization, especially
a. Existing provisioning scripts
b. Zimlets
c. Skins and Themes



Multi-Server Upgrades – Checklist II
• Save all customizations including:
• Themes and Skins created
• Any Postfix MTA configurations
• Any configuration file changes like SpamAssassin
• Copy of SSL certificates
• Any Zimlets created
• Others not on this list like scripts

• Make sure backups are stored in a safe partition or on
another server
• Perform install steps
• Run a full backup with the upgraded ZC version
• Re-apply customizations

Multi-Server Exercise Checklist
• Verify hostname and IP address of vm2 virtual machine
• vm1 will be used for LDAP and MTA
• Locate the ZC software
• Install Mailbox Service on vm2
• Install Proxy Service on vm1
• Configure vm1 and vm2 for running Proxy service
• Log into the Admin Console



Before You Upgrade
• Back up ZC as a normal disaster recovery requirement
• Back up a copy of ZCLicense.xml
• Back up customized files you might have created for
branding
• Back up your certificates


Multi-Server Migration Exercise

Section 23 in your Student Guide



Delegated Administration

Section 24 in your Student Guide



Overview
• What: Delegated Administration lets you create different
delegated administrator roles to manage your ZC
environment
• Who: Accounts or distribution lists can be provisioned as
administrator accounts or groups
• How: These administrator accounts or distribution lists
are granted rights to perform administrator tasks on a
specific target



Overview, cont.
• Delegated administration is flexible
• Manage one or more distribution lists
• Reset passwords for one or more users
• Manage domain administration rights on one or more domains
• Predefined delegated administrator roles
• Domain administrators
• Distribution list administrators


Concepts
• Target: A ZC object on which rights can be granted
• Examples: Account, Calendar Resource, Class of Service (COS),
Distribution List (DL), Domain, Global Config, Global Grant,
Server, and Zimlet

• Admin Group: A distribution list that has been assigned an
administrator role
• Admin Account: An individual user account that has been
assigned an administrator role to administer specific
targets


Concepts, cont.
• Grantee: Refers to the admin user who has been granted
specific permissions (rights) to administer a target
• Rights: Functions that the delegated administrator can or
cannot perform on a target.
• Grant: Specifies the grantee who can or cannot
view or modify the right on a target


Concepts, cont.
• Access Control Entry (ACE): The specific access granted
on a target
• Access Control List (ACL): A list of the access control
entries (ACE) set on a specific target.
• Admin View: Refers to the tabs and content in the admin
console a delegated administrator sees when he logs in



Concepts, cont.
ACE (Access Control Entries)

Who                  Grant/Deny   Right           Target
members of group-1   can          createAccount   Domain-2
admin-1              cannot       setPassword     all-users-in-domain-1
admin-2              cannot       modifyQuota     all-users-in-domain-1

ACL (Access Control List)

Who                  Grant/Deny   Right           Target
admin-1              cannot       setPassword     all-users-in-domain-1
admin-2              cannot       modifyQuota     all-users-in-domain-1


Rights
• System-defined rights
• Preset
a. Predefined and fixed implication on targets
b. Associated with a fixed target type
c. Independent of other rights on the same target
d. Requires granting rights on multiple targets in order for the right to be valid.
If the right involves accessing multiple targets, the Admin user needs to have
adequate rights on all pertinent targets
• setAttrs
a. Allows the domain admin to modify and view an attribute value
• getAttrs
a. Allows the domain admin to view an attribute value
• Combo
a. Contains other rights
System rights are listed and described on the
Home > Configure > Rights page

Rights, cont.
• Attribute Rights
• Specific to a defined attribute
• Configured on the target
• Type of permission is specified: read (get) or write (set)
• Positive or Negative Rights
• Negative rights are rights specifically denied to a delegated administrator
account or group
• Used to revoke a right granted
a. to a wider scope of delegated administrator account or group
b. on a wider scope of targets


How Rights are Granted
• Scope of rights across target type
• Target types = ‘Account’, ‘Calendar resource’, ‘COS’, ‘Config’,
‘Server’ => Scope = the selected account, calendar resource, COS, …
• Target type = ‘Distribution list’ =>
• For DLs, Scope = this DL and all DLs under this DL
• For accounts or calendar resources, Scope = all accounts or calendar
resources that are direct or indirect members of this DL
• Target type = ‘Domain’ =>
• Rights for all accounts, calendar resources and DLs in this domain
• Target type = ‘Global ACL’ =>
• Used to grant admin rights for all entries in a target type
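A small model of the ACE/ACL rows from the Concepts slides, the negative rights of the Rights slide and the scope rules above, as an added example (not Zimbra's implementation): grants on a DL reach its nested DLs and member accounts, grants on a domain reach everything in it, and the global ACL reaches all targets. The precedence applied here is an assumption of the example: the most specific target that carries a matching ACE decides, and at that level a denial beats a grant. Accounts, lists and the extra grants are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class DistList:
    """A distribution list: direct account members and directly nested lists."""
    name: str
    members: set = field(default_factory=set)
    sub_lists: set = field(default_factory=set)


@dataclass(frozen=True)
class ACE:
    """One access control entry: who, grant/deny, right, target."""
    grantee: str          # an admin account or an admin group (a DL)
    right: str
    target: str           # account, DL or domain name, or "global"
    deny: bool = False    # True = negative right


class Directory:
    def __init__(self, dls):
        self.dls = {d.name: d for d in dls}

    def lists_containing(self, name):
        """DLs that contain `name` directly or through nesting, nearest first."""
        seen, order = set(), []
        frontier = [d.name for d in self.dls.values()
                    if name in d.members or name in d.sub_lists]
        while frontier:
            parents = []
            for dl in frontier:
                if dl in seen:
                    continue
                seen.add(dl)
                order.append(dl)
                parents += [p.name for p in self.dls.values() if dl in p.sub_lists]
            frontier = parents
        return order

    def scope_chain(self, target):
        """Targets whose grants cover `target`, most specific first: the object
        itself, the DLs it belongs to, its domain, then the global ACL."""
        chain = [target] + self.lists_containing(target)
        if "@" in target:
            chain.append(target.split("@", 1)[1])
        chain.append("global")
        return chain

    def has_right(self, acl, admin, right, target):
        """Assumed precedence: walk from the most specific target outwards; the
        first level with any matching ACE decides, and a denial there wins."""
        ids = {admin, *self.lists_containing(admin)}   # the admin and its admin groups
        for level in self.scope_chain(target):
            hits = [a for a in acl if a.right == right and a.target == level
                    and a.grantee in ids]
            if hits:
                return not any(a.deny for a in hits)
        return False


# Constructed directory: admin-1 and admin-3 belong to group-1; user2 is in helpdesk.
DIRECTORY = Directory([
    DistList("group-1@domain-1", members={"admin-1@domain-1", "admin-3@domain-1"}),
    DistList("helpdesk@domain-1", members={"user2@domain-1"}),
])

ACL = [
    ACE("group-1@domain-1", "createAccount", "domain-2"),            # slide: group-1 can createAccount Domain-2
    ACE("group-1@domain-1", "setPassword", "domain-1"),              # constructed: group-1 resets passwords in domain-1
    ACE("admin-1@domain-1", "setPassword", "domain-1", deny=True),   # slide: admin-1 cannot setPassword in domain-1
    ACE("admin-2@domain-1", "modifyQuota", "domain-1", deny=True),   # slide: admin-2 cannot modifyQuota in domain-1
    ACE("admin-1@domain-1", "setPassword", "helpdesk@domain-1"),     # constructed: narrower grant back to admin-1
]


def check(admin, right, target):
    return DIRECTORY.has_right(ACL, admin, right, target)


if __name__ == "__main__":
    for args in [("admin-1@domain-1", "setPassword", "user1@domain-1"),
                 ("admin-1@domain-1", "setPassword", "user2@domain-1"),
                 ("admin-3@domain-1", "setPassword", "user1@domain-1")]:
        print(args, "->", check(*args))
```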



Implementing Delegated
Administration

• Provisioning
• Global administrator provisions delegated administrators and
delegated administrator groups
• Define Roles: Which rights to assign to the targets the
administrator will manage?
• Admin Group: Create administrator groups and add individual
administrator accounts to the group
• Global Admin: Accounts that are configured as global
administrator accounts cannot be granted ACLs



Implementing Delegated
Administration, cont.

• Manage the rights
• Administrator Wizard: Allows you to create admin accounts and
grant rights to the account
• Configure grants on existing administrator accounts: Add new
rights or modify rights to an existing delegated administrator or
administrator group account
• Set ACEs directly on a target: Add, modify and delete rights
directly in a target’s Access Control List tab


Create a Delegated Admin
• Manage Accounts section
1. Home > Manage > Accounts > Options Menu
2. Choose the Administrator type:
a. Admin Account
b. Admin Group


Create a Delegated Admin, cont.
• Create a new Admin Group
1. Set the admin name
2. Select or unselect the box to assign default admin views and rights
3. Select an existing admin role and either:
a. Click Finish
b. Or click Next to define the admin role.
• Select the views from the Directly Assigned Admin views list


Create a Delegated Admin, cont.
• Configure the Grants
• List of all the grants necessary to display all the items selected in the
directly assigned views column
• Add access rights (ACE) to the account, select:
• Target type
• Target name to administer
• Rights to be granted


Configure Grants
• Granting rights at the accounts level



Configure Grants, cont.
• Granting rights at the target level
• Granting rights at the attribute level
• Allow to modify or view (or not modify or view) a specific
attribute on a target
• Revoking rights: Select the right to revoke and click Delete
• Viewing rights


Assign Administrator Role
• To assign administrator rights to a user, click the
Administrator box on General Information page
• Additional options are then displayed



Predefined Admin Roles
• Domain Administration Group
• zimbradomainadmins: Delegated admin group grants all the rights
necessary to support ZC domain administration for accounts,
aliases, distribution lists and resources
• Domain Admin Console View
a. Only the functions they are authorized to manage are displayed on
the console’s Navigation pane
b. Access the following utilities on the Downloads page to be used for
accounts on domains they administer:
– Migration wizards
– Import wizard
– Zimbra Connector for Outlook
– Zimbra Connector for Apple® iSync



Predefined Admin Roles, cont.
• Distribution List Administration Group
• zimbradladmin: Delegated admin group grants all the rights
necessary to log on to the admin console and manage
distribution lists



Specific Access Rights
• Manage multiple domains
1. Create the administrator account on one of the domains
to be managed
2. Select the following views:
a. Account List View
b. Distribution List View
c. Alias List View
d. Resource List View


Specific Access Rights, cont.
3. Configure default grants for this domain
4. Add another domain to be managed (domainexample2.com)
a. Set adminConsoleAccountRights
b. Add more rights:
– adminConsoleDLRights
– adminConsoleAliasRights
– adminConsoleResourceRights
– adminConsoleSavedSearchRights
– adminConsoleDomainRights


Specific Access Rights, cont.
• Manage Distribution Lists
• To assign a user to manage a distribution list:
1. Create a distribution list and Enable Admin Group
2. Select the view and grant the distribution list rights.
3. Add the user to the list and make that user an administrator
4. Create a new distribution list and include the following:
• Check Admin Group
• Add the user who will be the admin as a member of the DL
• Go to the Admin Views tab and check Distribution List View
so the admin can view the DL
• Click Save
5. In the Configure Grants pages add the rights shown here:


Specific Access Rights, cont.
• Change Passwords
• To create delegated administrators who only change passwords:
a. Create the admin or admin group
b. Select the views and grant the taskSetPassword combo right
• Select the following views:
a. Account List view to be able to select accounts to change passwords
b. Alias List view to be able to find users who use an alias instead of account name
• Add the specific right:
a. The ‘Configure the Grants page’ displays recommended grants for the views you have
chosen
b. For Change Password rights, do not configure these grants
c. Select Skip
d. Click Add to add the following right:


Demo/Exercise
• An admin who is only allowed to change passwords and
create/modify aliases
• ListDomain, createAlias, deleteAlias, setAccountPassword
• A domain admin who is allowed to administer a domain
but not View Mail
• adminLoginAs
• Domain Admin with rights to administer a 2nd domain
(da1)
• domainAdminConsoleRights on 2nd domain
• domainAdminZimletRights on global target


Delegated Administration Exercises

Section 24 in your Student Guide



Provisioning and Integration of External
Directories for GAL and Authentication

Section 25 in your Student Guide



Overview
• What is the ZC LDAP directory like?
• Types of integration with external directories
• Authentication
• Global Address List lookup
• Free/Busy lookup


ZC LDAP Hierarchy
• Data organized into tree-shaped hierarchy
• Each entry specified by a unique “distinguished name”
(DN)
• Empty Root, Base, Suffix (-b “”)


ZC Directory Schema
• ZC installation configures the system with a custom
extension of generic OpenLDAP schema

• All ZC components depend upon this

• All Zimbra defined attributes prefixed with “zimbra”



Object Definitions
• Class of Service (COS)
• Set of common preferences and available features that are applied
to all accounts within that COS
• dn: cn=default,cn=cos,cn=zimbra

• Domain
• Internet domain name for which the server will handle mail
• dn: dc=zimbra,dc=com



Object Definitions, cont.
• Account
• Email account: every account belongs to a single COS and domain
• dn: uid=admin,ou=people,dc=zimbra,dc=com
• Meta-accounts have parallel DNs, but different
objectClasses
• Account Aliases
• Distribution Lists (DLs)
• Resource Accounts


Object Definitions, cont.
• Global Configuration
• ZC system wide configuration
• dn: cn=config,cn=zimbra

• Server
• ZC server specific configuration
• Overrides global config
• dn: cn=dogfood.zimbra.com,cn=servers,cn=zimbra

• LDAP Admin/Access Accounts
• Used for access from other ZC services
• dn: uid=zmpostfix,cn=appaccts,cn=zimbra
• dn: uid=zimbra,cn=admins,cn=zimbra


External Directory Access
• Authentication and GAL configured independently for
each domain
• Configuration elements
• LDAP search base
ou=people,dc=zimbra,dc=com
• LDAP bind DN
LDAP user on the external directory with search access
• Search Filter
Search to run on the external directory


Types of Integration
• Authentication
• Internal
• External LDAP
• External Active Directory
• Global Address List
• Free/Busy lookup
• Calendar scheduling
• Automatic for other users on the same ZC
• Default external integration is with Exchange 2003


Types of Integration, cont.
• Single Sign on
• SPNEGO can be configured on ZC for single sign-on
authentication.
• When users log on to their Intranet through Active Directory, they
can enter their ZWC mailbox without having to re-authenticate to
Zimbra.
• PreAuth Keys



Single Sign-on
Zimbra provides a pre-authentication mechanism that lets a
trusted third party forward authentication credentials to
the Zimbra system, so that the user does not have to enter
the login information twice.

Example Single Sign-on Flow:
• The user accesses a portal application
• The application presents a “Mail” link
• Using the Zimbra framework, an authentication token is created
• Secret keys are exchanged between the portal application and Zimbra
• The server computes a hash with the secret key and creates an authentication sequence
• The user is redirected to ZC mail with this authentication token, computed with the secret HMAC
key



External Directory Authentication



External Directory GAL

Note: GAL Polling interval is set up on this tab for the COS.



GALsync
• Syncing LDAP to GALsync accounts gives users faster
access to GAL data
• GALsync accounts are created for internal or external GAL
• With Both, a GALsync account is created for each LDAP data
source
• GALsync account polling interval to LDAP server can be set
• New contact, modified contact and deleted contact information is
synced to the GALsync account



AD and GalSync Accounts
• During message composition from Zimbra Web Client, directory
lookups against an external (AD or other LDAPv3 source) can be
costly in larger directories
• By enabling a GalSync Account, the browsing and paging of the global
address list is done locally (less resource consumption)
• A galsync account will always be created by default in a ZC 8
installation, of the format [email protected] (where
xxxxxxxxxx is random alpha-numerics)
• An internal or external datasource is required, that must be associated
to the galsync account
• Many other settings must be configured correctly, which is where the
complexity (and sometimes confusion) occurs.
• ZC Admin Console or CLI can be used
• GALs and GalSync Facilities are Domain configurations



AD and GalSync Accounts, cont.
• Adding Active Directory GAL to existing GalSync Account
$ zmprov md domain.ext zimbraGalMode both
$ zmmailbox -z -m [email protected] createFolder --view contact /_ADGAL
$ zmgsautil adddatasource -a [email protected] -n ADGAL --domain domain.ext -t ldap -f _ADGAL -p 1h
• At this point you have two datasources within the Galsync account;
however, the ADGAL datasource requires a lot more configuration to
work properly:
• LDAP Search Base
• LDAP Bind DN
• LDAP Bind Password
• LDAP URL (where to connect to Active Directory)
• LDAP Filter (what AD objects you want to reveal to Zimbra users)


AD and GalSync Accounts, cont.
• Configuring the Galsync Account for Active Directory
Access
Baseline Example
$ zmprov mds [email protected] ADGAL \
zimbraGalSyncLdapBindDn [email protected] \
zimbraGalSyncLdapBindPassword 'ma$hp0W' \
zimbraGalSyncLdapFilter "(&(objectClass=user)(mail=*))" \
zimbraGalSyncLdapSearchBase cn=users,dc=domain,dc=local \
zimbraGalSyncLdapURL ldap://10.17.111.159:389

Optional zimbraGalSyncLdapFilter (for Coexistence Scenario):
'(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(!(msExchHideFromAddressLists=TRUE))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))'


AD and GalSync Accounts, cont.
• If you created Contacts in AD to be used for forwarding
messages from Exchange mailboxes to Zimbra, you do not
want those contacts to be displayed in your GAL
• If you have used a prefix for the contacts as an identifier (for
example zcon-contact_name), then you would need to add
(!(givenName=zcon*)) to the filter, to exclude all entries that begin with
“zcon”
• You may need to enable ZC for Multi-Domain Search, in
which case you would need to issue these commands:
$ zmprov mcf zimbraGalInternalSearchBase ROOT
$ zmprov mcf zimbraGalSyncInternalSearchBase ROOT
$ zmprov md work.net zimbraGalSyncLdapSearchBase ROOT
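A way to try the coexistence filter from the previous slide, with and without the zcon exclusion, against sample entries before it goes into zimbraGalSyncLdapFilter, as an added example (not Zimbra's code and not a real LDAP client): a small RFC 4515 evaluator that handles the &, |, !, presence and substring forms the filter uses, substitutes the search text for %s, and refuses search text containing filter metacharacters. The AD entries are constructed and keep objectCategory in its short form.

```python
# The coexistence filter from the slide, joined onto one string; Zimbra substitutes
# the user's search text for every %s before the query reaches Active Directory.
COEXISTENCE_FILTER = (
    "(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))"
    "(!(msExchHideFromAddressLists=TRUE))"
    "(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))(objectCategory=group)"
    "(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))"
)
# Same filter plus the slide's extra term that hides the zcon-* forwarding contacts.
NO_FORWARDING_CONTACTS = COEXISTENCE_FILTER[:-1] + "(!(givenName=zcon*)))"
_METACHARS = set("()*\\\x00")   # RFC 4515 special characters: never pass them through unescaped


def is_safe_query(query: str) -> bool:
    return not any(c in _METACHARS for c in query)


class LdapFilter:
    """Tiny RFC 4515 evaluator (&, |, !, equality, presence, '*' substrings); no escapes."""

    def __init__(self, text: str):
        self._t, self._i = text, 0
        self.tree = self._node()
        if self._i != len(text):
            raise ValueError(f"trailing characters at offset {self._i}")

    def _node(self):
        t, i = self._t, self._i
        if i + 1 >= len(t) or t[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op, self._i = t[i + 1], i + 2
        if op in "&|":
            kids = []
            while self._i < len(t) and t[self._i] == "(":
                kids.append(self._node())
            node = (op, kids)
        elif op == "!":
            node = ("!", [self._node()])
        else:
            end = t.find(")", i + 1)
            attr, sep, value = t[i + 1:end].partition("=")
            if end < 0 or not sep:
                raise ValueError(f"malformed item at offset {i}")
            self._i, node = end, ("=", attr.lower(), value)
        if self._i >= len(t) or t[self._i] != ")":
            raise ValueError(f"expected ')' at offset {self._i}")
        self._i += 1
        return node

    def matches(self, entry: dict) -> bool:
        """Evaluate against one entry; names and values compare case-insensitively."""
        norm = {k.lower(): [str(v) for v in (vs if isinstance(vs, list) else [vs])]
                for k, vs in entry.items()}
        return self._eval(self.tree, norm)

    def _eval(self, node, entry):
        op = node[0]
        if op in "&|":
            return (all if op == "&" else any)(self._eval(k, entry) for k in node[1])
        if op == "!":
            return not self._eval(node[1][0], entry)
        return any(_glob(v, node[2]) for v in entry.get(node[1], []))   # '*' alone = presence


def _glob(value: str, pattern: str) -> bool:
    """Substring match where each '*' stands for any run of characters."""
    value, parts = value.lower(), pattern.lower().split("*")
    if len(parts) == 1:
        return value == parts[0]
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(value) - len(parts[-1])


def gal_search(filter_template: str, query: str, entries: list) -> list:
    """Return the displayNames the filter would reveal for this search text."""
    if not is_safe_query(query):
        raise ValueError("search text contains LDAP filter metacharacters")
    flt = LdapFilter(filter_template.replace("%s", query))
    return [e["displayName"] for e in entries if flt.matches(e)]


# Constructed AD entries; objectCategory is kept in the short CN form that AD
# resolves in filters (a real entry holds the full schema DN).
def _entry(category, classes, name, **attrs):
    return {"objectCategory": category, "objectClass": classes, "displayName": name, **attrs}


_USER, _CONTACT = ["top", "person", "user"], ["top", "person", "contact"]
SAMPLE_AD_ENTRIES = [
    _entry("person", _USER, "Alice Smith", homeMDB="CN=Mailbox Store"),   # Exchange mailbox
    _entry("person", _USER, "Bob Smith"),                                   # already on Zimbra: no homeMDB
    _entry("person", _USER, "Carol Smith", homeMDB="CN=Mailbox Store",
           msExchHideFromAddressLists="TRUE"),                              # hidden in Exchange
    _entry("person", _CONTACT, "Dave Smith", givenName="zcon-Dave"),       # forwarding contact
    _entry("group", ["top", "group"], "Smith Team"),
    _entry("computer", ["top", "computer"], "smith-pc"),
]
```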



Free/Busy Lookup
• Exchange to ZC f/b retrieval
• REST interface on the Exchange server
• ZC to Exchange f/b propagation
• WebDAV interface on the Exchange server
• ZC must authenticate in both cases
• HTTP basic authentication
• HTML form based authentication (like OWA)


Free/Busy
• ZC global configuration ldap attributes that configure
free/busy interoperation with Exchange server
• zimbraFreebusyExchangeAuthUsername
• zimbraFreebusyExchangeAuthPassword
• zimbraFreebusyExchangeAuthScheme
• zimbraFreebusyExchangeURL
• zimbraFreebusyExchangeUserOrg



IPv6
• Added (beta) in ZC 8 – New in ZC 8!
• Defaults to IPv4
• Configured at installation
• Not available on Zimbra Collaboration Appliance
• Configuration
• Controlled by the zimbraIPMode server setting
• After setting zimbraIPMode, use zmiptool to configure
services
$ zmprov ms `zmhostname` zimbraIPMode ipv4
$ libexec/zmiptool
$ zmcontrol restart


Voice Integration
• Utilizes third-party Unified Communications (UC) server
to bridge calls between ZC and the UC server
• Based on the inherent URL support of many UC servers
(examples below)
• Fetch voicemail from Cisco UC Server: https://xx.xx.xxx.xx.
• ZC Cisco Click2Call Zimlet (send requests to Cisco CUCM server):
https://xx.xx.xxx.xx/webdialer/services/WebdialerSoapService70
• Cisco CUPS server Presence: http://xx.xx.xxx.xx:8082/presence-
service/users



Voice Integration, cont.
• The voice service is enabled in the admin console, which
provides users with the Voice tab in the ZWC and the voice
service features contained within
• UC server domain information added in the Admin Console
configures the Unified Communication server’s domain
as a “Proxy Allowed Domain”, which then allows configured voice
service Zimlets to send requests to the UC servers


Voice Integration Services
• Visual Voice Mail: From the Voice tab, users can perform
all voice mail tasks. Supported audio formats include WAV
and MP3.
• Click-to-Call: Users can make a phone call from a ZWC
account. Click-to-Call eliminates the need for a dial pad
on a phone.
• Click-to-Chat: (Cisco clients only) Users can chat with a
contact using the Cisco Jabber client and ZC.
• Presence: (Cisco clients only) Availability information
about users or contacts is displayed in real time.



GAL Integration Exercise

Section 25 in your Student Guide



Support Information



Additional Information
1. Admin Console Help Search
2. Support Portal
3. Web Client Help
4. Website
• Forums: http://www.zimbra.com/forums/
• Wiki: http://wiki.zimbra.com/
• Online documentation: http://www.zimbra.com/support/documentation.html
• Bugzilla bug database: http://bugzilla.zimbra.com/
• Product Info: http://www.zimbra.com/products/whats_new.html
• Product Planning: http://pm.zimbra.com/


Thank you!



©2014 Zimbra Systems, Inc. All rights reserved. Telligent
and its symbol are registered trademarks or trademarks of
Zimbra, Inc. Other company and product names mentioned
herein are property of their respective owners. The
contents of this publication are subject to change without
notification and are the property of and cannot be
reproduced without the written permission of Zimbra. The
contents of this publication are not a commitment by
Zimbra to provide the features and benefits described.

Zimbra
3000 Internet Blvd., Suite 200
Frisco, TX 75034 USA
Main: +1 972-407-0688
Main US toll-free: 877-492-9484
www.zimbra.com
