Zimbra provides an open-source collaboration suite that includes webmail, calendar, contacts, and web-based document management and authoring. Its main distinguishing feature is an Ajax-based client that imitates the look and feel of a desktop application and works in Firefox, Safari and IE.
I. Install CentOS 7
https://blog.youkuaiyun.com/wxqcom007/article/details/131105445
II. Pre-installation preparation
1. Configure the hostname (the hostname should match the mail domain)
Internal IP of the host: 172.16.1.230
Configure /etc/hostname
echo 'mail.server.com' > /etc/hostname
Configure /etc/hosts
echo '172.16.1.230 mail.server.com mail' >> /etc/hosts
2. Check for sendmail and postfix and stop them if they are present on the server (otherwise they occupy the mail ports)
systemctl stop sendmail
systemctl disable sendmail
systemctl stop postfix
systemctl disable postfix
The output below shows that postfix was running on the system; it was stopped and disabled:
[root@mail src]# systemctl stop sendmail
Failed to stop sendmail.service: Unit sendmail.service not loaded.
[root@mail src]# systemctl disable sendmail
Failed to execute operation: No such file or directory
[root@mail src]# systemctl stop postfix
[root@mail src]# systemctl disable postfix
Removed symlink /etc/systemd/system/multi-user.target.wants/postfix.service.
3. Install the required packages
Install the Perl environment and base packages:
yum install perl ntp
Without Perl installed, install.sh fails with the following error:
[root@mail zcs-8.8.15_GA_3869.RHEL7_64.20190918004220]# ./install.sh
ERROR: System perl at /usr/bin/perl must be present before installation.
4. Reboot the system so the changes take effect.
reboot
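The preparation steps above (hostname, /etc/hosts, stopping sendmail and postfix, installing Perl, freeing port 25) collected into one preflight script, as an added example that is not part of the original post. The IP and FQDN are arguments; the post's values 172.16.1.230 and mail.server.com are only defaults for testing, and `hostnamectl` and `ss` are the standard CentOS 7 tools. Unlike the post's `echo >> /etc/hosts`, the hosts entry is added only when missing, so the script can be re-run safely.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-install checks for a
# single-server Zimbra host. The IP and FQDN are arguments; the values
# 172.16.1.230 and mail.server.com from the post are only used when testing.
set -u

# hosts_entry IP FQDN -> "IP FQDN SHORTNAME", the short name being the first label
hosts_entry() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# valid_fqdn NAME: at least two labels; letters, digits and hyphens only.
# Zimbra wants a fully qualified hostname, so "mail" alone is rejected.
valid_fqdn() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# ensure_hosts_entry FILE IP FQDN: add the line only if FQDN is not already
# present, so re-running does not duplicate entries (the post's ">>" does).
ensure_hosts_entry() {
    esc=$(printf '%s' "$3" | sed 's/\./\\./g')
    if [ -f "$1" ] && grep -Eq "[[:space:]]$esc([[:space:]]|\$)" "$1"; then
        return 0
    fi
    hosts_entry "$2" "$3" >> "$1"
}

# stop_mta_service NAME: stop and disable the unit if it exists; a missing
# unit (the "not loaded" message in the post) is not an error.
stop_mta_service() {
    if systemctl is-active --quiet "$1"; then systemctl stop "$1"; fi
    if systemctl is-enabled --quiet "$1" 2>/dev/null; then systemctl disable "$1"; fi
}

# port_free PORT: succeed when nothing listens on TCP PORT
port_free() {
    ! ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

# preflight IP FQDN: apply all preparation steps, then ask for the reboot
preflight() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    valid_fqdn "$2" || { echo "hostname must be an FQDN: $2" >&2; return 1; }
    hostnamectl set-hostname "$2"
    ensure_hosts_entry /etc/hosts "$1" "$2"
    for svc in sendmail postfix; do stop_mta_service "$svc"; done
    yum install -y perl ntp
    [ -x /usr/bin/perl ] || { echo "/usr/bin/perl missing" >&2; return 1; }
    port_free 25 || { echo "port 25 still in use; check: ss -ltnp" >&2; return 1; }
    echo "preparation done, reboot before running install.sh"
}

# usage: ./preflight.sh 172.16.1.230 mail.server.com
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The port 25 check is the one the post's "otherwise they occupy the ports" remark implies but never verifies; if it fails, `ss -ltnp` names the process holding the port.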
III. Install Zimbra
1. Download the official open-source edition of Zimbra
Official download page:
https://www.zimbra.com/downloads/zimbra-collaboration-open-source/
cd /opt/src
wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz
2. Extract and install
tar zxvf zcs-8.8.15_GA_3869.RHEL7_64.20190918004220.tgz
Enter the extracted directory and start the installer:
[root@mail src]# cd zcs-8.8.15_GA_3869.RHEL7_64.20190918004220
[root@mail zcs-8.8.15_GA_3869.RHEL7_64.20190918004220]# ./install.sh
Operations logged to /tmp/install.log.yICfsKrl
Checking for existing installation...
zimbra-drive...NOT FOUND
zimbra-imapd...NOT FOUND
zimbra-patch...NOT FOUND
zimbra-mta-patch...NOT FOUND
zimbra-proxy-patch...NOT FOUND
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...NOT FOUND
zimbra-talk...NOT FOUND
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-dnscache...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-core...NOT FOUND
----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------
Do you agree with the terms of the software license agreement? [N]
Answer Y to every prompt.
DNS ERROR resolving MX for mail.server.com
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes]
Create domain: [mail.server.com] server.com
MX: mail.server.com (126.24.188.158)
Interface: 127.0.0.1
Interface: ::1
Interface: 172.16.1.230
Once the packages are installed, the configuration menu appears and the server is configured:
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-dnscache: Enabled
6) zimbra-snmp: Enabled
7) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@server.com
******* +Admin Password UNSET
+Anti-virus quarantine user: virus-quarantine.efvgbrvxt@server.com
+Enable automated spam training: yes
+Spam training user: spam.nyui9patij@server.com
+Non-spam(Ham) training user: ham.59kgptkjhn@server.com
+SMTP host: mail.server.com
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: http://mail.server.com:7780/aspell.php
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@server.com
+Version update source email: admin@server.com
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes
8) zimbra-spell: Enabled
9) zimbra-proxy: Enabled
10) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
Press 7, then 4, to set the admin account password.
Press r when done to return to the main menu.
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.11990]
Saving config in /opt/zimbra/config.11990...done.
The system will be modified - continue? [No] yes
Operations logged to /tmp/zmsetup.20230613-101957.log
Setting local config values...
Finally, press a to apply the configuration.
Answer yes to save the configuration to a file.
Press Enter to accept the default file /opt/zimbra/config.11990.
Answer yes to continue the installation.
# Skip notifying Zimbra of the installation
Notify Zimbra of your installation? [Yes] no
Configuration complete - press return to exit
[root@mail zcs-8.8.15_GA_3869.RHEL7_64.20190918004220]#
Installation complete!
3. After it finishes, check that the services are running:
[root@mail zcs-8.8.15_GA_3869.RHEL7_64.20190918004220]# service zimbra status
Host mail.server.com
amavis Running
antispam Running
antivirus Running
dnscache Running
ldap Running
logger Running
mailbox Running
memcached Running
mta Running
opendkim Running
proxy Running
service webapp Running
snmp Running
spell Running
stats Running
zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running
zmconfigd Running
All services started. If some have not started yet, wait a moment and check again; the services take time to come up.
IV. Configure SMTP authentication
After installation the Zimbra mail system has TLS-only authentication enabled; Postfix's SMTP authentication is not turned on. An open relay is available to every user on the Internet, which means spammers can use our mail server as a relay to send spam; our server may then be blacklisted by anti-spam organizations, and mail servers on the Internet will reject our mail. We therefore need to close the server's open relay, enable SMTP authentication, and relay mail only for authenticated users.
To test whether the server has SMTP authentication enabled, run telnet from a command prompt as follows:
[root@mail ~]# telnet 172.16.1.230 25
Trying 172.16.1.230...
Connected to 172.16.1.230.
Escape character is '^]'.
220 mail.server.com ESMTP Postfix
ehlo mail.server.com
250-mail.server.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
quit
221 2.0.0 Bye
The output above contains no AUTH line, which shows that the server is not offering SMTP authentication.
Enable SMTP authentication:
[root@mail ~]# su zimbra
[zimbra@mail root]$ zmprov modifyServer mail.server.com zimbraMtaTlsAuthOnly FALSE
[zimbra@mail root]$ zmcontrol restart
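A small checker for the probe above, as an added example that is not part of the original post. It parses an EHLO reply for an AUTH line and, when given a host and port, repeats the EHLO both in the clear and after STARTTLS (via `openssl s_client`; bash's /dev/tcp for the cleartext side). The reason to look at both: zimbraMtaTlsAuthOnly maps to Postfix's smtpd_tls_auth_only, so while it is TRUE the server does authenticate users but only advertises AUTH once TLS is up, which is why the cleartext telnet session above shows no AUTH line. Setting it to FALSE, as the post does, makes AUTH appear on the plain connection at the cost of allowing passwords to be sent unencrypted. The defaults 172.16.1.230 and port 25 are the post's values; the probe.invalid EHLO name is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check whether an SMTP server
# advertises AUTH in the clear and after STARTTLS. Defaults 172.16.1.230:25
# are the post's values.
set -u

# ehlo_caps: read an SMTP dialogue on stdin and print one EHLO capability per
# line, e.g. "250-SIZE 10240000" -> "SIZE 10240000"; other reply codes
# (220 greeting, 221 bye) are dropped.
ehlo_caps() {
    tr -d '\r' | sed -n 's/^250[- ]//p'
}

# auth_mechanisms: print the mechanisms listed after AUTH (both the
# "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN" form); exit 1 if the
# server did not advertise AUTH at all.
auth_mechanisms() {
    mechs=$(ehlo_caps | awk 'sub(/^AUTH[= ]/, "") { print; exit }')
    [ -n "$mechs" ] || return 1
    printf '%s\n' "$mechs"
}

# probe_plain HOST PORT: cleartext EHLO over bash's /dev/tcp (no netcat
# needed); the body runs in a subshell so a failed connect just returns
# non-zero instead of terminating the script
probe_plain() (
    exec 3<>"/dev/tcp/$1/$2"
    printf 'EHLO probe.invalid\r\nQUIT\r\n' >&3
    cat <&3
)

# probe_tls HOST PORT: the same EHLO, sent after STARTTLS; -ign_eof keeps
# s_client reading until the server closes the session on QUIT
probe_tls() {
    printf 'EHLO probe.invalid\r\nQUIT\r\n' |
        openssl s_client -quiet -ign_eof -starttls smtp -connect "$1:$2" 2>/dev/null
}

# report HOST PORT: summarise both probes
report() {
    for mode in plain tls; do
        if ! raw=$("probe_$mode" "$1" "$2"); then
            printf '%s: connection failed\n' "$mode"
            continue
        fi
        if mechs=$(printf '%s\n' "$raw" | auth_mechanisms); then
            printf '%s: AUTH offered (%s)\n' "$mode" "$mechs"
        else
            printf '%s: no AUTH advertised\n' "$mode"
        fi
    done
}

# usage: ./smtp_auth_check.sh 172.16.1.230 25
if [ "$#" -ge 1 ]; then report "$1" "${2:-25}"; fi
```

With the default (TLS-only) setting the expected result is "plain: no AUTH advertised" and "tls: AUTH offered (...)"; if both lines report AUTH, clients are allowed to authenticate without encryption.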
V. Open ports for external access
Decide according to your own needs whether to disable these; alternatively, configure firewall rules.
1. Disable SELinux and allow the Zimbra ports through the firewall
This is acceptable for an internal test environment; for Internet-facing access, open only the required service ports.
# Run the following to put SELinux in permissive mode immediately:
setenforce 0
# Edit the SELinux configuration file so it stays disabled after a reboot:
egrep -v "(^$|^#)" /etc/selinux/config
SELINUX=disabled
SELINUXTYPE=targeted
Managing the firewall service
systemctl start firewalld # start
systemctl status firewalld # check the service status
firewall-cmd --state #check the firewall state
systemctl disable firewalld #do not start at boot
systemctl stop firewalld # stop now
2. Open only the required service ports in the firewall
Internal ports: 80, 443, 25, 110, 143, 465, 995, 993, 587, 7025, 8443, 7071
External port mappings: 25 SMTP, 110 POP3, 143 IMAP
25,110,143,7025,7110,7143,7993,7995
Choose according to your own needs.
#open ports permanently
[root@mail ~]# firewall-cmd --permanent --add-port=7071/tcp
[root@mail ~]# firewall-cmd --permanent --add-port=8443/tcp
[root@mail ~]# firewall-cmd --permanent --add-port=25/tcp
[root@mail ~]# firewall-cmd --permanent --add-port=7110/tcp
[root@mail ~]# firewall-cmd --permanent --add-port=7143/tcp
success
firewall-cmd --permanent --add-port={25,80,110,143,443,465,587,993,995,5222,5223,9071,7071}/tcp
#reload the firewall
[root@mail ~]# firewall-cmd --reload
success
VI. Mail server administration
Adding users in bulk
zmprov createAccount mailbox@domain password displayName 'User Name' (an English display name is recommended)
zmprov createAccount mary@server.com admin123 displayName 'Mary'
zmprov createAccount tom@server.com admin123 displayName 'Tom'
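A bulk variant of the zmprov step above, as an added example that is not part of the original post: accounts come from a constructed CSV of `address,Display Name` lines, every account gets its own random password instead of the shared admin123 used above, addresses outside the managed domain are rejected, and the commands are fed to zmprov through a mode-0600 file with its -f option (read commands from a file) rather than on the command line, where passwords would be visible in `ps` and the shell history. The domain server.com is the post's; DRY_RUN=1 prints the results without calling zmprov.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create Zimbra accounts from a
# CSV of "address,Display Name" lines, one random password per account.
# Assumptions: the domain is server.com (from the post) unless DOMAIN is
# set; zmprov's -f option reads commands from a file.
set -u

DOMAIN=${DOMAIN:-server.com}

# valid_address ADDR: lower-case local part (letters, digits, . _ -) at the
# managed domain; anything else is reported and skipped, never passed on.
valid_address() {
    esc=$(printf '%s' "$DOMAIN" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq "^[a-z0-9._-]+@$esc\$"
}

# random_password: 16 letters/digits from the kernel CSPRNG
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
    echo
}

# build_commands CSVFILE: print one zmprov command per valid CSV line
# (display names must not contain single quotes; blank and # lines are skipped)
build_commands() {
    while IFS=, read -r addr name; do
        case $addr in ''|'#'*) continue ;; esac
        if ! valid_address "$addr"; then
            printf 'skipping %s: not in %s\n' "$addr" "$DOMAIN" >&2
            continue
        fi
        printf "createAccount %s %s displayName '%s'\n" "$addr" "$(random_password)" "$name"
    done < "$1"
}

# create_accounts CSVFILE: run the commands through zmprov -f so the
# passwords never appear on a command line (ps, shell history), then print
# "address password" for out-of-band delivery and delete the file.
create_accounts() {
    umask 077
    cmds=$(mktemp)
    build_commands "$1" > "$cmds"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        zmprov -f "$cmds" || echo "zmprov reported errors" >&2
    fi
    awk '{ print $2, $3 }' "$cmds"
    rm -f "$cmds"
}

# usage (as the zimbra user): ./add_users.sh users.csv
if [ "$#" -eq 1 ]; then create_accounts "$1"; fi
```

The printed address/password pairs are the only copy of the passwords once the temporary file is removed, so capture them into a file with restrictive permissions or hand them over immediately.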
VII. Troubleshooting
Checking the log
tail -f /var/log/zimbra.log
1. Mail is not received and the log shows a 7025 error
postfix/lmtp ... deferred ... connection refused
Check whether the firewall allows port 25 and whether it is mapped to the outside
Check with a DNS query that the MX record is correct
host -t mx server.com
zmprov ms server.com zimbraMtaLmtpHostLookup native
zmprov ms `zmhostname` zimbraMtaLmtpHostLookup native
2. DANE issue
Jun 14 12:56:49 mail postfix/smtp[24886]: warning: DNSSEC validation may be unavailable
Jun 14 12:56:49 mail postfix/smtp[24886]: warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
https://blog.zimbra.com/2022/03/zimbra-skillz-enable-dane-verification-for-outgoing-email-in-zimbra/
[zimbra@mail root]$ zmprov ms `zmhostname` zimbraMtaSmtpDnsSupportLevel "dnssec"
[zimbra@mail root]$ zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel "dane"
[zimbra@mail root]$ zmmtactl restart
Appendix
Installing and configuring BIND
1. Install
[root@mail ~]# yum install bind bind-utils -y
Start named and enable it at boot
[root@mail ~]# systemctl enable named
[root@mail ~]# systemctl start named
2. Edit the main configuration file /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1;192.168.x.0/24; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost;192.168.x.0/24; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.example.zones";
Create the zone include file /etc/named.example.zones
[root@mail ~]# vim /etc/named.example.zones
// example.com.zone: forward lookup, name to IP
zone "example.com" IN {
type master;
file "example.com.zone";
};
// x.168.192.zone: reverse lookup, IP to name
zone "x.168.192.in-addr.arpa" IN {
type master;
file "x.168.192.zone";
};
Create the forward zone file /var/named/example.com.zone
[root@mail ~]# vim /var/named/example.com.zone
$TTL 1D
@ IN SOA @ example.com. (
20190607 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.example.com.
IN MX 10 mail
A 127.0.0.1
AAAA ::1
ns1 IN A 192.168.x.x
dns01 IN CNAME ns1
mail IN A 192.168.x.x
Create the reverse zone file /var/named/x.168.192.zone
[root@mail ~]# vim /var/named/x.168.192.zone
$TTL 1D
@ IN SOA @ ns1.example.com. (
20190607 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.example.com.
A 127.0.0.1
AAAA ::1
PTR localhost.
x PTR ns1
Set the appropriate group ownership on the configuration files
[root@mail ~]# chown :named /etc/named.example.zones
[root@mail ~]# chown :named /var/named/example.com.zone
[root@mail ~]# chown :named /var/named/11.168.192.zone
Check that the named configuration and zone files are syntactically valid
[root@mail ~]# named-checkconf
[root@mail ~]# named-checkzone "example.com" /var/named/example.com.zone
zone example.com/IN: loaded serial 20190607
OK
[root@mail ~]# named-checkzone "x.168.192.in-addr.arpa" /var/named/x.168.192.zone
zone 11.168.192.in-addr.arpa/IN: loaded serial 20190607
OK
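The validation step above extended into a script, as an added example that is not part of the original post: it reads the zone stanzas from /etc/named.example.zones, raises each zone's SOA serial (BIND secondaries only transfer a zone when its serial grows, and the post's serial 20190607 is below the usual YYYYMMDDnn form, so the helper moves it to today's date followed by 00 and otherwise adds one), and then runs named-checkconf and named-checkzone on every declared zone. The paths are the post's; writing the edited zone back with `cat >` rather than `mv` keeps the root:named ownership set by the chown step above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list the zones declared in a
# BIND include file, bump each SOA serial and validate everything with
# named-checkconf / named-checkzone. Paths default to the post's.
set -u

ZONES_FILE=${ZONES_FILE:-/etc/named.example.zones}
NAMED_DIR=${NAMED_DIR:-/var/named}

# list_zones FILE: print "ZONE ZONEFILE" for each zone "..." { file "..."; }
list_zones() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ { z = $2; gsub(/"/, "", z) }
        /file[[:space:]]+"/ && z != "" {
            f = $0; sub(/.*file[[:space:]]+"/, "", f); sub(/".*/, "", f)
            print z, f; z = ""
        }' "$1"
}

# next_serial OLD TODAY: YYYYMMDD00 for today if that is larger than OLD,
# otherwise OLD+1; secondaries only transfer when the serial grows.
next_serial() {
    base=$(( $2 * 100 ))
    if [ "$1" -lt "$base" ]; then echo "$base"; else echo $(( $1 + 1 )); fi
}

# bump_serial ZONEFILE [TODAY]: rewrite the number on the "; serial" line
# (the layout used in the post) in place, keeping the file's owner and
# mode, and print the new serial
bump_serial() {
    today=${2:-$(date +%Y%m%d)}
    old=$(awk '/;[[:space:]]*serial/ { sub(/[^0-9]*/, ""); sub(/[^0-9].*/, ""); print; exit }' "$1")
    [ -n "$old" ] || { echo "no '; serial' line in $1" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    tmp=$(mktemp)
    awk -v n="$new" '/;[[:space:]]*serial/ && !done { sub(/[0-9]+/, n); done = 1 } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
    echo "$new"
}

# check_all_zones: named-checkconf, then named-checkzone for every zone;
# exits non-zero when any check fails
check_all_zones() {
    named-checkconf || return 1
    list_zones "$ZONES_FILE" | while read -r zone file; do
        named-checkzone "$zone" "$NAMED_DIR/$file" || exit 1
    done
}

# usage: ./zonecheck.sh bump example.com.zone x.168.192.zone
#        ./zonecheck.sh check
case ${1:-} in
    bump)  shift; for f in "$@"; do bump_serial "$NAMED_DIR/$f"; done ;;
    check) check_all_zones ;;
esac
```

Run `bump` after every edit to a zone file and `check` before `rndc reload`; a zone that fails named-checkzone is refused by named and simply disappears from service, which is easy to miss without the check.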
Verify the MX record
[root@mail ~]# dig MX example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> MX example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11248
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN MX
;; ANSWER SECTION:
example.com. 86400 IN MX 10 mail.example.com.
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 86400 IN A 192.168.x.x
ns1.example.com. 86400 IN A 192.168.x.x
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 11 16:53:11 CST 2019
;; MSG SIZE rcvd: 112