Deploying Zimbra on Kubernetes (using NGINX Ingress and CertManager) - GriffinPlus/docker-zimbra GitHub Wiki
This how-to addresses the deployment of the Zimbra container on a Kubernetes cluster that is running NGINX Ingress to reverse-proxy web traffic to web services in the cluster and CertManager to manage X.509 certificates for these services.
The following examples make some assumptions about the environment:
- The Zimbra server is accessable on the public internet using the hostname
zimbra.my-domain.com, i.e. DNS is set up correctly- An 'A' record defining the hostname of the Zimbra installation on the internet is pointing to your cluster node(s)
- An 'MX' record for the domain(s) Zimbra should handle is/are pointing to this hostname
-
CertManager uses a ClusterIssuer with the name
letsencrypt-prodto fetch certificates using ACME with HTTP as validation method.
Please adjust the examples to fit your needs.
Running the Zimbra container requires some resources to be created in the Kubernetes cluster. It is recommended to put these resources in a namespace dedicated to Zimbra. You can define the Namespace resource in a file as follows:
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: zimbraThen let the cluster create it:
me@kube:~$ kubectl apply -f namespace.yaml
namespace/zimbra createdZimbra needs a X.509 certificate for encrypted communication. Assuming that the cluster is using CertManager to manage certificates, the following Certificate resource will request a certificate at the ClusterIssuer letsencrypt-prod. As the certificate is needed by the Zimbra container, it should be requested first.
# certificate.yaml
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
name: zimbra.my-domain.com
namespace: zimbra
spec:
secretName: tls-zimbra.my-domain.com
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
commonName: zimbra.my-domain.com
dnsNames:
- zimbra.my-domain.com
acme:
config:
- http01:
ingressClass: nginx
domains:
- zimbra.my-domain.comNow create the resource to tell CertManager to obtain the desired certificate:
me@kube:~$ kubectl apply -f certificate.yaml
certificate.certmanager.k8s.io/zimbra.my-domain.com createdAfter a few seconds CertManager should have obtained the certificate. To check for success, check the certificate:
me@kube:~$ kubectl describe certificate -n zimbra zimbra.my-domain.com
Name: zimbra.my-domain.com
Namespace: zimbra
Labels: <none>
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"certmanager.k8s.io/v1alpha1","kind":"Certificate","metadata":{"annotations":{},"name":"zimbra.my-domain.com","namespace":"z...
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-01-07T16:53:38Z
Generation: 4
Resource Version: 2729790
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/zimbra/certificates/zimbra.my-domain.com
UID: c7a08110-129c-11e9-b925-862621d1c83d
Spec:
Acme:
Config:
Domains:
zimbra.my-domain.com
Http 01:
Ingress:
Ingress Class: nginx
Common Name: zimbra.my-domain.com
Dns Names:
zimbra.my-domain.com
Issuer Ref:
Kind: ClusterIssuer
Name: letsencrypt-prod
Secret Name: tls-zimbra.my-domain.com
Status:
Acme:
Order:
URL: https://acme-v02.api.letsencrypt.org/acme/order/47903548/260868710
Conditions:
Last Transition Time: 2019-01-07T16:54:18Z
Message: Certificate issued successfully
Reason: CertIssued
Status: True
Type: Ready
Last Transition Time: <nil>
Message: Order validated
Reason: OrderValidated
Status: False
Type: ValidateFailed
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CreateOrder 50s cert-manager Created new ACME order, attempting validation...
Normal DomainVerified 16s cert-manager Domain "zimbra.my-domain.com" verified with "http-01" validation
Normal IssueCert 16s cert-manager Issuing certificate...
Normal CertObtained 13s cert-manager Obtained certificate from ACME server
Normal CertIssued 13s cert-manager Certificate issued successfully
At this point everything needed to create a Zimbra container is available. The following Deployment resource defines how to configure the pod with the Zimbra container. For the sake of simplicity it uses a hostPath volume to store the Ubuntu installation Zimbra is installed on. This is fine for single-node clusters, but will cause issues on multi-node clusters, if the pod moves from one node to another. If you are running a multi-node cluster, you should use a persistent volume claim to allocate a volume from your cluster's storage pool. Please see the official Kubernetes documentation for details. If you still want to use a hostPath volume, consider adding node affinity to the pod to ensure that the scheduler always assigns the container to the same node.
Although it should be clear, you should never run more than one instance of the Zimbra container on the same volume. This will not work. If a more robust containered Zimbra installation is required, you should wait for Zimbra X. It is in the closed beta stadium at the time of writing.
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: zimbra
name: zimbra
namespace: zimbra
spec:
replicas: 1
selector:
matchLabels:
app: zimbra
strategy:
type: Recreate
template:
metadata:
labels:
app: zimbra
annotations:
container.apparmor.security.beta.kubernetes.io/zimbra: unconfined
container.seccomp.security.alpha.kubernetes.io/zimbra: unconfined
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 180
containers:
- name: zimbra
image: griffinplus/zimbra
imagePullPolicy: Always
env:
- name: EXTERNAL_HOST_FQDN
value: zimbra.my-domain.com
- name: MAIL_DOMAINS
value: my-domain.eu,my-domain.org
volumeMounts:
- name: zimbra
mountPath: /data
- name: tls-certs
mountPath: /data/app/tls
readOnly: true
securityContext:
capabilities:
add:
- NET_ADMIN
- SYS_ADMIN
- SYS_PTRACE
volumes:
- name: zimbra
hostPath:
path: "/kube-data/zimbra"
- name: tls-certs
secret:
secretName: tls-zimbra.my-domain.com
items:
- key: tls.key
path: zimbra.key
- key: tls.crt
path: zimbra.crtThe container requires some extra permissions to run properly. For details about this, please see the documentation of the Zimbra container. The environment variable EXTERNAL_HOST_FQDN must be set to the hostname of the Zimbra installation on the internet. It overrides the regular hostname of the container and is required when running on Kubernetes, since Kubernetes enforces a specific hostname format for containers and Zimbra needs the hostname the container will use on the internet. The environment variable MAIL_DOMAINS can contain a comma-separated list of additional domain names Zimbra will manage mail for. The domain of the hostname specified in the EXTERNAL_HOST_FQDN variable should not be listed in MAIL_DOMAINS. Both variables configure the internal split-horizon DNS server, so the Zimbra container has an adjusted view of itself.
You can now kick off the deployment:
me@kube:~$ kubectl apply -f deployment.yaml
deployment.apps/zimbra createdAt first the Zimbra container will initialize the persistent volume, install a tailored installation of Ubuntu 16.04 LTS and configure it for Zimbra. Zimbra itself IS NOT installed automatically. Installing and configuring Zimbra is a bit tricky. It is done interactively at the end of this tutorial.
The installation of Ubuntu and required packages may take some time. You can watch the progress using:
me@kube:~$ POD=`kubectl get pods -n zimbra -o name | cut -f2 -d '/'`
me@kube:~$ kubectl logs -n zimbra $POD -fIf everything goes smoothly, you should see Waiting for signals... at the end.
The pod created in the previous step has a dynamic cluster IP address. To make Zimbra accessable from other pods within the cluster a service resource needs to be added:
# service-cluster.yaml
apiVersion: v1
kind: Service
metadata:
name: zimbra-cluster
namespace: zimbra
spec:
selector:
app: zimbra
type: ClusterIP
ports:
- name: smtp
port: 25
protocol: TCP
- name: http
port: 80
protocol: TCP
- name: pop3
port: 110
protocol: TCP
- name: imap
port: 143
protocol: TCP
- name: https
port: 443
protocol: TCP
- name: smtps
port: 465
protocol: TCP
- name: submission
port: 587
protocol: TCP
- name: imaps
port: 993
protocol: TCP
- name: pop3s
port: 995
protocol: TCP
- name: xmpp
port: 5222
protocol: TCP
- name: xmpp-legacy
port: 5223
protocol: TCPTo create the service:
me@kube:~$ kubectl apply -f service-cluster.yaml
service/zimbra-cluster createdThe added service makes Zimbra visible in the cluster, but not on the public internet.
Having Zimbra run within the cluster is great for other pods, but usually users want to access Zimbra to retrieve their mails via POP/IMAP or web interface. As the web interface is handled by ingress, only services other than HTTP/HTTPS need to be covered. Depending on your setup, you may want to choose one way or the other to publish the services.
If you are running a (very small) cluster with only one worker node, this might be for you. The following service resource makes Zimbra services visible on the specified IP address of the worker node. Please replace aaa.bbb.ccc.ddd with the IPv4 address of your node. The specified ports will become accessable at the corresponding ports of the node.
# service-public.yaml
apiVersion: v1
kind: Service
metadata:
name: zimbra-public
namespace: zimbra
spec:
selector:
app: zimbra
ports:
- name: smtp
port: 25
protocol: TCP
- name: pop3
port: 110
protocol: TCP
- name: imap
port: 143
protocol: TCP
- name: smtps
port: 465
protocol: TCP
- name: submission
port: 587
protocol: TCP
- name: imaps
port: 993
protocol: TCP
- name: pop3s
port: 995
protocol: TCP
- name: xmpp
port: 5222
protocol: TCP
- name: xmpp-legacy
port: 5223
protocol: TCP
- name: adminpanel
port: 7071
protocol: TCP
externalIPs:
- aaa.bbb.ccc.dddTo create the service:
me@kube:~$ kubectl apply -f service-public.yaml
service/zimbra-public createdIf you are running a multi-node cluster on bare metal a NodePort service could be another approach. It will publish the services on the specified ports of all nodes. NodePort services can be restricted to a set of nodes, too. For more details see the Kubernetes documentation on NodePort services.
# service-public.yaml
apiVersion: v1
kind: Service
metadata:
name: zimbra-public
namespace: zimbra
spec:
selector:
app: zimbra
type: NodePort
ports:
- name: smtp
port: 25
nodePort: 25
protocol: TCP
- name: pop3
port: 110
nodePort: 110
protocol: TCP
- name: imap
port: 143
nodePort: 143
protocol: TCP
- name: smtps
port: 465
nodePort: 465
protocol: TCP
- name: submission
port: 587
nodePort: 587
protocol: TCP
- name: imaps
port: 993
nodePort: 993
protocol: TCP
- name: pop3s
port: 995
nodePort: 995
protocol: TCP
- name: xmpp
port: 5222
nodePort: 5222
protocol: TCP
- name: xmpp-legacy
port: 5223
nodePort: 5223
protocol: TCP
- name: adminpanel
port: 7071
nodePort: 7071
protocol: TCPTo create the service:
me@kube:~$ kubectl apply -f service-public.yaml
service/zimbra-public createdIf you are using Kubernetes at one of the big cloud providers (AWS, GCE or similar) a LoadBalancer service is probably the best choice.
At last an Ingress resource is needed to configure the NGINX Ingress Controller to forward web traffic to the Zimbra container. The ingress controller will terminate the TLS connection and talk to the Zimbra web server via HTTP only.
# ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: zimbra.my-domain.com
namespace: zimbra
spec:
tls:
- hosts:
- zimbra.my-domain.com
secretName: tls-zimbra.my-domain.com
rules:
- host: zimbra.my-domain.com
http:
paths:
- backend:
serviceName: zimbra-cluster
servicePort: 80To create the ingress:
me@kube:~$ kubectl apply -f ingress.yaml
ingress.extensions/zimbra.my-domain.com createdAt this point the Kubernetes resources are set up completely. The only thing still missing is Zimbra, but the container has prepared an Ubuntu 16.04 LTS environment and everything to install it on the persistent volume.
First you need to enter the container to invoke the installation script:
me@kube:~$ POD=`kubectl get pods -n zimbra -o name | cut -f2 -d '/'`
me@kube:~$ kubectl exec -it -n zimbra $POD -- /bin/bashThe shell you get is in the container itself. The Ubuntu 16.04 LTS environment Zimbra should be installed on is on the persistent volume mounted at /data. To enter the environment just chroot into it and call the installation script:
root@zimbra-fbd955b54-b7xlx:/# chroot /data /bin/bash
root@zimbra-fbd955b54-b7xlx:/# cd /app
root@zimbra-fbd955b54-b7xlx:/app# ./install-zimbra.shThe installation script will then download the required files, start Zimbra's menu-driven installation script and ask for accepting the license agreement. Just answer Y to proceed.
Checking for existing installation...
zimbra-drive...NOT FOUND
zimbra-imapd...NOT FOUND
zimbra-patch...NOT FOUND
zimbra-license-tools...NOT FOUND
zimbra-license-extension...NOT FOUND
zimbra-network-store...NOT FOUND
zimbra-network-modules-ng...NOT FOUND
zimbra-chat...NOT FOUND
zimbra-talk...NOT FOUND
zimbra-ldap...NOT FOUND
zimbra-logger...NOT FOUND
zimbra-mta...NOT FOUND
zimbra-dnscache...NOT FOUND
zimbra-snmp...NOT FOUND
zimbra-store...NOT FOUND
zimbra-apache...NOT FOUND
zimbra-spell...NOT FOUND
zimbra-convertd...NOT FOUND
zimbra-memcached...NOT FOUND
zimbra-proxy...NOT FOUND
zimbra-archiving...NOT FOUND
zimbra-core...NOT FOUND
----------------------------------------------------------------------
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
SYNACOR, INC. ("SYNACOR") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for this Zimbra Collaboration Suite Software:
https://www.zimbra.com/license/zimbra-public-eula-2-6.html
----------------------------------------------------------------------
Do you agree with the terms of the software license agreement? [N] Y
Next Zimbra asks whether to use the package repository. Just accept it:
Use Zimbra's package repository [Y] Y
Configuring package repository
Checking for installable packages
Found zimbra-core (local)
Found zimbra-ldap (local)
Found zimbra-logger (local)
Found zimbra-mta (local)
Found zimbra-dnscache (local)
Found zimbra-snmp (local)
Found zimbra-store (local)
Found zimbra-apache (local)
Found zimbra-spell (local)
Found zimbra-memcached (repo)
Found zimbra-proxy (local)
Found zimbra-drive (repo)
Found zimbra-imapd (local)
Found zimbra-patch (repo)
Now the installation script wants to know which packages to install. You can safely install everything, but zimbra-dnscache and beta features. The DNS cache would otherwise conflict with the already running dnsmasq the container runs itself to provide a split-horizon DNS for Zimbra.
Select the packages to install
Install zimbra-ldap [Y] Y
Install zimbra-logger [Y] Y
Install zimbra-mta [Y] Y
Install zimbra-dnscache [Y] N
Install zimbra-snmp [Y] Y
Install zimbra-store [Y] Y
Install zimbra-apache [Y] Y
Install zimbra-spell [Y] Y
Install zimbra-memcached [Y] Y
Install zimbra-proxy [Y] Y
Install zimbra-drive [Y] Y
Install zimbra-imapd (BETA - for evaluation only) [N] N
Install zimbra-chat [Y] Y
Checking required space for zimbra-core
Checking space for zimbra-store
Checking required packages for zimbra-store
zimbra-store package check complete.
Installing:
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-memcached
zimbra-proxy
zimbra-drive
zimbra-patch
zimbra-chat
The system will be modified. Continue? [N] Y
After committing to continue there is no way back as the installation script modifies the system. If something goes wrong, it might leave the environment in an inconsistent state that can not be repaired by simply running the installer once again. In this case, simply shut the container down, clear the persistent volume and start over once again.
The installer now tells what it is doing:
Beginning Installation - see /tmp/install.log.uuzyYbzN for details...
zimbra-core-components will be downloaded and installed.
zimbra-timezone-data will be installed.
zimbra-common-mbox-conf will be installed.
zimbra-common-core-libs will be installed.
zimbra-common-mbox-native-lib will be installed.
zimbra-common-mbox-docs will be installed.
zimbra-common-mbox-db will be installed.
zimbra-common-core-jar will be installed.
zimbra-common-mbox-conf-rights will be installed.
zimbra-common-mbox-conf-attrs will be installed.
zimbra-common-mbox-conf-msgs will be installed.
zimbra-core will be installed.
zimbra-ldap-components will be downloaded and installed.
zimbra-ldap will be installed.
zimbra-logger will be installed.
zimbra-mta-components will be downloaded and installed.
zimbra-mta will be installed.
zimbra-snmp-components will be downloaded and installed.
zimbra-snmp will be installed.
zimbra-store-components will be downloaded and installed.
zimbra-jetty-distribution will be downloaded and installed.
zimbra-mbox-conf will be installed.
zimbra-mbox-webclient-war will be installed.
zimbra-mbox-store-libs will be installed.
zimbra-mbox-war will be installed.
zimbra-mbox-service will be installed.
zimbra-mbox-admin-console-war will be installed.
zimbra-store will be installed.
zimbra-apache-components will be downloaded and installed.
zimbra-apache will be installed.
zimbra-spell-components will be downloaded and installed.
zimbra-spell will be installed.
zimbra-memcached will be downloaded and installed.
zimbra-proxy-components will be downloaded and installed.
zimbra-proxy will be installed.
zimbra-drive will be downloaded and installed (later).
zimbra-patch will be downloaded and installed (later).
zimbra-chat will be downloaded and installed (later).
Downloading packages (10):
zimbra-core-components
zimbra-ldap-components
zimbra-mta-components
zimbra-snmp-components
zimbra-store-components
zimbra-jetty-distribution
zimbra-apache-components
zimbra-spell-components
zimbra-memcached
zimbra-proxy-components
...done
Installing local packages (25):
zimbra-timezone-data
zimbra-common-mbox-conf
zimbra-common-core-libs
zimbra-common-mbox-native-lib
zimbra-common-mbox-docs
zimbra-common-mbox-db
zimbra-common-core-jar
zimbra-common-mbox-conf-rights
zimbra-common-mbox-conf-attrs
zimbra-common-mbox-conf-msgs
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-mbox-conf
zimbra-mbox-webclient-war
zimbra-mbox-store-libs
zimbra-mbox-war
zimbra-mbox-service
zimbra-mbox-admin-console-war
zimbra-store
zimbra-apache
zimbra-spell
zimbra-proxy
...done
Installing extra packages (3):
zimbra-drive
zimbra-patch
zimbra-chat
...done
Running Post Installation Configuration:
Operations logged to /tmp/zmsetup.20190108-164637.log
Installing LDAP configuration database...done.
Setting defaults...
Then the installer complains about the domain not having a proper MX record in the DNS. Nevertheless, the split-horizon DNS is configured correctly, so the domain part of the FQDN set in the EXTERNAL_HOST_FQDN is set in the MX record. Simply adjust the domain name appropriately. It will work at the end.
DNS ERROR resolving MX for zimbra.my-domain.com
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes] Y
Create domain: [zimbra.my-domain.com] my-domain.com
Now the installer comes up with the menu-driven configuration.
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: [email protected]
******* +Admin Password UNSET
+Anti-virus quarantine user: [email protected]
+Enable automated spam training: yes
+Spam training user: [email protected]
+Non-spam(Ham) training user: [email protected]
+SMTP host: zimbra.my-domain.com
+Web server HTTP port: 8080
+Web server HTTPS port: 8443
+Web server mode: https
+IMAP server port: 7143
+IMAP server SSL port: 7993
+POP server port: 7110
+POP server SSL port: 7995
+Use spell check server: yes
+Spell server URL: http://zimbra.my-domain.com:7780/aspell.php
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: [email protected]
+Version update source email: [email protected]
+Install mailstore (service webapp): yes
+Install UI (zimbra,zimbraAdmin webapps): yes
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
Address unconfigured (**) items (? - help)
Enter menu 6 first to set the admin password:
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: [email protected]
** 4) Admin Password UNSET
5) Anti-virus quarantine user: [email protected]
6) Enable automated spam training: yes
7) Spam training user: [email protected]
8) Non-spam(Ham) training user: [email protected]
9) SMTP host: zimbra.my-domain.com
10) Web server HTTP port: 8080
11) Web server HTTPS port: 8443
12) Web server mode: https
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://zimbra.my-domain.com:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: [email protected]
22) Version update source email: [email protected]
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or 'r' for previous menu [r] 4
Password for [email protected] (min 6 characters): [7X0eFKNr] my-password
Store configuration
...
Select, or 'r' for previous menu [r] r
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help)
Running the Zimbra container on Kubernetes with a NGINX ingress controller requires some more adjustments.
Menu 1: Common Configuration
The entire Zimbra system is installed within the container. There are no external Zimbra components, so there is no need to use encrypted communication between Zimbra components. It is safe to set Secure interprocess communications to no. Furthermore you should set the timezone according to your location.
Common configuration
1) Hostname: zimbra.my-domain.com
2) Ldap master host: zimbra.my-domain.com
3) Ldap port: 389
4) Ldap Admin password: set
5) Store ephemeral attributes outside Ldap: no
6) Secure interprocess communications: no
7) TimeZone: Europe/Berlin
8) IP Mode: ipv4
9) Default SSL digest: sha256
Select, or 'r' for previous menu [r]
Menu 8: zimbra-proxy
The Zimbra container is about to run on Kubernetes using the NGINX ingress controller putting a reverse-proxy in front of zimbra-store, respectively the web service part of it. You should disable Zimbra's own NGINX HTTP[S] proxy in this menu, because running two reverse proxys in a line causes redirection loops. The NGINX ingress will directly proxy requests to the Jetty web service. Furthermore you should disable strict server name enforcement to allow the web service to be accessed without restricting the server name to configured virtual domains.
This step should be done before configuring the zimbra-store as disabling the proxy influences the web service settings.
Proxy configuration
1) Status: Enabled
2) Enable POP/IMAP Proxy: TRUE
3) Enable strict server name enforcement? no
4) IMAP proxy port: 143
5) IMAP SSL proxy port: 993
6) POP proxy port: 110
7) POP SSL proxy port: 995
8) Bind password for nginx ldap user: set
9) Enable HTTP[S] Proxy: FALSE
Select, or 'r' for previous menu [r]
Menu 6: zimbra-store
In this menu you should set Web server mode to both to enable the NGINX ingress reverse-proxy to proxy requests to the web service. Although using http should be enough, it does not work...
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: [email protected]
4) Admin Password set
5) Anti-virus quarantine user: [email protected]
6) Enable automated spam training: yes
7) Spam training user: [email protected]
8) Non-spam(Ham) training user: [email protected]
9) SMTP host: zimbra.my-domain.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: both
13) IMAP server port: 7143
14) IMAP server SSL port: 7993
15) POP server port: 7110
16) POP server SSL port: 7995
17) Use spell check server: yes
18) Spell server URL: http://zimbra.my-domain.com:7780/aspell.php
19) Enable version update checks: TRUE
20) Enable version update notifications: TRUE
21) Version update notification email: [email protected]
22) Version update source email: [email protected]
23) Install mailstore (service webapp): yes
24) Install UI (zimbra,zimbraAdmin webapps): yes
Select, or 'r' for previous menu [r]
Back in the Main Menu the configuration can be applied:
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
9) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit
*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.6347]
Saving config in /opt/zimbra/config.6347...done.
The system will be modified - continue? [No] y
Operations logged to /tmp/zmsetup.20190114-164628.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating SSL zimbra-store certificate...done.
Creating new zimbra-ldap SSL certificate...done.
Creating new zimbra-mta SSL certificate...done.
Creating new zimbra-proxy SSL certificate...done.
Installing mailboxd SSL certificates...done.
Installing MTA SSL certificates...done.
Installing LDAP SSL certificate...done.
Installing Proxy SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Setting BES searcher password...done.
Creating server entry for zimbra.my-domain.com...done.
Setting Zimbra IP Mode...done.
Saving CA in ldap...done.
Saving SSL Certificate in ldap...done.
Setting spell check URL...done.
Setting service ports on zimbra.my-domain.com...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Checking current setting of zimbraReverseProxyAvailableLookupTargets
Querying LDAP for other mailstores
Searching LDAP for reverseProxyLookupTargets...done.
Adding zimbra.my-domain.com to zimbraReverseProxyAvailableLookupTargets
Updating zimbraLDAPSchemaVersion to version '1537783098'
Setting TimeZone Preference...done.
Disabling strict server name enforcement on zimbra.my-domain.com...done.
Initializing mta config...done.
Setting services on zimbra.my-domain.com...done.
Adding zimbra.my-domain.com to zimbraMailHostPool in default COS...done.
Creating domain my-domain.com...done.
Setting default domain name...done.
Creating domain my-domain.com...already exists.
Creating admin account [email protected].
Creating root alias...done.
Creating postmaster alias...done.
Creating user [email protected].
Creating user [email protected].
Creating user [email protected].
Setting spam training and Anti-virus quarantine accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for zimbra.my-domain.com...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done.
Installing common zimlets...
com_zimbra_email...done.
com_zimbra_clientuploader...done.
com_zimbra_cert_manager...done.
com_zimbra_viewmail...done.
com_zimbra_attachcontacts...done.
com_zimbra_adminversioncheck...done.
com_zimbra_ymemoticons...done.
com_zimbra_attachmail...done.
com_zimbra_tooltip...done.
com_zimbra_srchhighlighter...done.
com_zimbra_url...done.
com_zextras_drive_open...done.
com_zimbra_phone...done.
com_zextras_chat_open...done.
com_zimbra_date...done.
com_zimbra_mailarchive...done.
com_zimbra_bulkprovision...done.
com_zimbra_proxy_config...done.
com_zimbra_webex...done.
Finished installing common zimlets.
Restarting mailboxd...done.
Creating galsync account for default domain...done.
You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
The VERSION of zcs installed (8.8.11_GA_3737_UBUNTU16_64)
The ADMIN EMAIL ADDRESS created ([email protected])
Notify Zimbra of your installation? [Yes] y
Checking if the NG started running...done.
Setting up zimbra crontab...done.
Moving /tmp/zmsetup.20190114-173610.log to /opt/zimbra/log
Configuration complete - press return to exit
Of course, it's up to you to register the installation.
After registering the Zimbra installation the installation script will perform a few common automatic configuration steps:
- Install brute-force detector auditswatch
- Generate a 4096 bit prime to use as DH parameters
Retrieving some information needed for further steps...
- Admin e-mail address: [email protected]
Configuring Zimbra's brute-force detector (auditswatch) to send notifications to [email protected]...
--2019-01-14 17:48:13-- http://bugzilla-attach.zimbra.com/attachment.cgi?id=66723
Resolving bugzilla-attach.zimbra.com (bugzilla-attach.zimbra.com)... 23.22.223.51, 23.20.183.249
Connecting to bugzilla-attach.zimbra.com (bugzilla-attach.zimbra.com)|23.22.223.51|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35695 (35K) [application/x-perl]
Saving to: 'auditswatch'
auditswatch 100%[========================================================================================================================================>] 34.86K --.-KB/s in 0.1s
2019-01-14 17:48:14 (346 KB/s) - 'auditswatch' saved [35695/35695]
/opt/zimbra/conf/auditswatchrc is missing.
Starting auditswatch...done.
Removing Zimbra installation files...
removed '/install/zcs.tgz'
removed '/install/zcs/.BUILD_TIME_STAMP'
removed '/install/zcs/data/versions-init.sql'
removed directory '/install/zcs/data'
removed '/install/zcs/.BUILD_RELEASE_NO'
removed '/install/zcs/readme_binary_en_US.txt'
removed '/install/zcs/docs/en_US/Zimbra iCalendar Migration Guide.pdf'
removed '/install/zcs/docs/en_US/zimbra_user_guide.pdf'
removed '/install/zcs/docs/en_US/Import_Wizard_Outlook.pdf'
removed '/install/zcs/docs/en_US/RNZCSO_2005Beta.pdf'
removed '/install/zcs/docs/en_US/OSmultiserverinstall.pdf'
removed '/install/zcs/docs/en_US/quick_start.pdf'
removed '/install/zcs/docs/en_US/MigrationWizard_Domino.pdf'
removed '/install/zcs/docs/en_US/MigrationWizard.pdf'
removed '/install/zcs/docs/en_US/admin.pdf'
removed '/install/zcs/docs/en_US/Migration_Exch_Admin.pdf'
removed '/install/zcs/docs/en_US/User Instructions for ZCS Import Wizard.pdf'
removed '/install/zcs/docs/en_US/Fedora Server Config.pdf'
removed directory '/install/zcs/docs/en_US'
removed '/install/zcs/docs/zcl.txt'
removed directory '/install/zcs/docs'
removed '/install/zcs/bin/checkService.pl'
removed '/install/zcs/bin/get_plat_tag.sh'
removed '/install/zcs/bin/checkLicense.pl'
removed '/install/zcs/bin/zmdbintegrityreport'
removed '/install/zcs/bin/zmValidateLdap.pl'
removed directory '/install/zcs/bin'
removed '/install/zcs/.BUILD_NUM'
removed directory '/install/zcs/lib/jars'
removed directory '/install/zcs/lib'
removed '/install/zcs/packages/zimbra-apache_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-core_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-docs_8.8.11.1540236948-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-conf-msgs_8.8.11.1539627833-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-store_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-logger_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-imapd_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-snmp_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-conf_8.8.11.1539627833-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-conf-attrs_8.8.11.1537865556-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-db_8.8.11.1543567590-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-ldap_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-war_8.8.11.1543567590-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-spell_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-webclient-war_8.8.11.1544083326-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-service_8.8.11.1543567590-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-mta_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-admin-console-war_8.8.11.1540805051-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-dnscache_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed '/install/zcs/packages/zimbra-common-core-libs_8.8.11.1539971682-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-native-lib_8.8.11.1521095672-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-core-jar_8.8.11.1543567590-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-conf_8.8.11.1543567590-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-common-mbox-conf-rights_8.8.11.1487328490-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-mbox-store-libs_8.8.11.1539971682-1.u16_amd64.deb'
removed '/install/zcs/packages/zimbra-timezone-data_1.0.1+1538986928-1.u16_amd64.deb'
removed '/install/zcs/packages/Packages'
removed '/install/zcs/packages/zimbra-proxy_8.8.11.GA.3737.UBUNTU16.64_amd64.deb'
removed directory '/install/zcs/packages'
removed '/install/zcs/.BUILD_PLATFORM'
removed '/install/zcs/.BUILD_TYPE'
removed '/install/zcs/util/addUser.sh'
removed '/install/zcs/util/utilfunc.sh'
removed '/install/zcs/util/globals.sh'
removed '/install/zcs/util/modules/getconfig.sh'
removed '/install/zcs/util/modules/postinstall.sh'
removed '/install/zcs/util/modules/packages.sh'
removed directory '/install/zcs/util/modules'
removed directory '/install/zcs/util'
removed '/install/zcs/install.sh'
removed '/install/zcs/README.txt'
removed '/install/zcs/.BUILD_RELEASE_CANDIDATE'
removed directory '/install/zcs'
removed directory '/install/auditswatch'
removed directory '/install'
Adding Zimbra's Perl include path to search path...
Generating stronger DH parameters (4096 bit)...
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
..................
..................
..................
zmdhparam: saving 'zimbraSSLDHParam' via zmprov modifyConfig
Configuring cipher suites (as strong as possible without breaking compatibility and sacrificing speed)...
Configuring default COS to use selected persona in the Return-Path of the mail envelope (important for privacy).
Installing mail utilities to enable unattended-upgrades to send notifications.
(Can be done after installing Zimbra only as bsd-mailx pulls in postfix that conflicts with the postfix package deployed by Zimbra.)
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
liblockfile-bin liblockfile1
The following NEW packages will be installed:
bsd-mailx liblockfile-bin liblockfile1
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 82.5 kB of archives.
After this operation, 298 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/main amd64 liblockfile-bin amd64 1.09-6ubuntu1 [10.8 kB]
Get:2 http://archive.ubuntu.com/ubuntu xenial/main amd64 liblockfile1 amd64 1.09-6ubuntu1 [8056 B]
Get:3 http://archive.ubuntu.com/ubuntu xenial/main amd64 bsd-mailx amd64 8.1.2-0.20160123cvs-2 [63.7 kB]
Fetched 82.5 kB in 0s (690 kB/s)
Selecting previously unselected package liblockfile-bin.
(Reading database ... 51696 files and directories currently installed.)
Preparing to unpack .../liblockfile-bin_1.09-6ubuntu1_amd64.deb ...
Unpacking liblockfile-bin (1.09-6ubuntu1) ...
Selecting previously unselected package liblockfile1:amd64.
Preparing to unpack .../liblockfile1_1.09-6ubuntu1_amd64.deb ...
Unpacking liblockfile1:amd64 (1.09-6ubuntu1) ...
Selecting previously unselected package bsd-mailx.
Preparing to unpack .../bsd-mailx_8.1.2-0.20160123cvs-2_amd64.deb ...
Unpacking bsd-mailx (8.1.2-0.20160123cvs-2) ...
Setting up liblockfile-bin (1.09-6ubuntu1) ...
Setting up liblockfile1:amd64 (1.09-6ubuntu1) ...
Setting up bsd-mailx (8.1.2-0.20160123cvs-2) ...
update-alternatives: using /usr/bin/bsd-mailx to provide /usr/bin/mailx (mailx) in auto mode
Processing triggers for libc-bin (2.23-0ubuntu10) ...
Restarting services...
Host zimbra2.griffin.plus
Stopping zmconfigd...Done.
Stopping zimlet webapp...Done.
Stopping zimbraAdmin webapp...Done.
Stopping zimbra webapp...Done.
Stopping service webapp...Done.
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping cbpolicyd...Done.
Stopping archiving...Done.
Stopping opendkim...Done.
Stopping amavis...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping proxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping dnscache...Done.
Stopping ldap...Done.
* Starting enhanced syslogd rsyslogd [ OK ]
* Starting periodic command scheduler cron [ OK ]
* Starting OpenBSD Secure Shell server sshd [ OK ]
Host zimbra2.griffin.plus
Starting ldap...Done.
Starting zmconfigd...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting memcached...Done.
Starting proxy...Done.
Starting amavis...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting opendkim...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
Starting service webapp...Done.
Starting zimbra webapp...Done.
Starting zimbraAdmin webapp...Done.
Starting zimlet webapp...Done.
Starting auditswatch...done.
Now Zimbra should be fully functional. If your ingress is working correctly, you should reach the Zimbra web interface as expected at port 80 (HTTP) and/or 443 (HTTPS) - depending on your ingress setup. The admin console should be accessable via HTTPS at port 7071.
Have Fun!