Zimbra NE Admin Guide 8.0.5

Transcript of Zimbra NE Admin Guide 8.0.5

  • 7/22/2019 Zimbra NE Admin Guide 8.0.5

    Zimbra Collaboration Server Administrator's Guide

    ZCS 8.0

    Network Edition

    August 2013

    Legal Notices

    Copyright 2005-2013 Telligent Systems, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.

    Telligent and Zimbra are registered trademarks or trademarks of Telligent Systems, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

    Telligent Systems, Inc. d/b/a Zimbra Software, LLC

    www.zimbra.com

    ZCS 8.0

    August 2013

    Rev 4 for 8.0.5

    Table of Contents

    1 Introduction
      Audience
      Third-Party Components
      Support and Contact Information

    2 Product Overview
      Core Email, Calendar and Collaboration Functionality
      Zimbra Components
      System Architecture
      Zimbra Application Packages
      Example of a Typical Multiserver Configuration
      Zimbra System Directory Tree
      Web Client Versions

    3 Licensing
      License Types
      License Requirements
      License Usage by Account Type
      License Activation
      Automatic License Activation
      Manual License Activation
      When Licenses are not Installed or Activated
      Obtain a License
      Managing Licenses
      License Information
      License Expiration
      Renewal
      Update Your License

    4 Zimbra Mailbox Server
      Incoming Mail Routing
      Mailbox Server
      Message Store
      Data Store
      Index Store
      Backing Up the Mailbox Server
      Mailbox Server Logs

    5 Zimbra LDAP Service
      LDAP Traffic Flow
      LDAP Directory Hierarchy
      ZCS LDAP Schema
      ZCS Objects
      Account Authentication
      Internal Authentication Mechanism

      External LDAP and External AD Authentication Mechanism
      Custom Authentication
      Kerberos5 Authentication Mechanism
      Global Address List
      Flushing LDAP Cache
      Flush the Cache for Themes and Locales
      Flush Accounts, Groups, COS, Domains, and Servers

    6 Zimbra Mail Transfer Agent
      Zimbra MTA Deployment
      Postfix Configuration Files
      SMTP Authentication
      SMTP Restrictions
      Sending Non Local Mail to a Different Server
      Anti-Virus and Anti-Spam Protection
      Anti-Virus Protection
      Anti-Spam Protection
      Receiving and Sending Mail
      Message Queues

    7 Using the Administration Console
      Administrator Accounts
      Change Administrator Passwords
      Log in to the Administration Console
      Customize the Login and Logout Pages
      Managing Tasks
      Message of the Day for Administrators
      Create a Message of the Day
      Remove a Message of the Day
      Zimbra Search

    8 Managing Configuration
      Global Configuration
      General Global Settings
      Setting Up Email Attachment Rules
      Blocking Email Attachments by File Type
      Global MTA Settings
      Global IMAP and POP Settings
      Working With Domains
      Domain General Information Settings
      Global Address List (GAL) Mode
      Using GAL sync accounts for faster access to GAL
      Authentication Modes
      Virtual Hosts
      Setting Account Limits
      Renaming a Domain
      Adding a Domain Alias
      Zimlets on the Domain
      Managing Server Settings
      General Server Settings
      Change MTA Server Settings
      Setting Up IP Address Binding

      Managing SSL Certificates for ZCS
      Installing Certificates
      Viewing Installed Certificates
      Maintaining Valid Certificates
      Install a SSL Certificate for a Domain
      Using DKIM to Authenticate Email Message
      Configure ZCS for DKIM Signing
      Update DKIM Data for a Domain
      Remove DKIM Signing from ZCS
      Retrieve DKIM Data for a Domain
      Anti-spam Settings
      Anti-virus Settings
      Zimbra Free/Busy Calendar Scheduling
      ZCS to ZCS Free/Busy Interoperability
      Setting Up S/MIME
      Prerequisites
      S/MIME License
      Enable S/MIME Feature
      Importing S/MIME Certificates
      Storage Management
      Implementing Hierarchical Storage Management
      Email Retention Management
      Configure Email Lifetime Rules
      Configure Message Retention and Deletion Policies
      Managing the Dumpster
      Configure Legal Hold on an Account
      Customized Admin Extensions
      Setting System-wide Signatures

    9 Class of Services for Accounts
      Managing Accounts Usage with a COS
      Selecting Features and Preferences
      Disable Preferences
      Set Default Time Zone
      Using Server Pools
      Setting Account Quota
      Set Quotas in Domains
      Managing Passwords
      Direct Users to Your Change Password Page
      Configure a Password Policy
      Configuring a Login Policy
      Configuring a Session Timeout Policy
      Managing Default External COS

    10 Customizing Accounts
      Messaging and Collaboration Applications
      Email Messaging Features
      Set Up Address Book Features
      Set Up Calendar Features
      Set Up Zimbra Tasks
      Setting Zimbra Web Client UI Themes
      Other Configuration Settings for Accounts
      Enable Sharing

      Configure SMS Notification
      Configure Attachment Viewing
      Display a Warning When Users Try to Navigate Away
      Enabling the Check Box for the Web Client
      Preferences Import/Export
      Add Words to Spell Dictionary

    11 Provisioning User Accounts
      Creating a Single User Accounts
      Migrate Existing Accounts and Import Account Email
      Migrate Accounts from a Zimbra Server
      Migrate Accounts from Generic IMAP Servers
      Migrate Accounts using an XML File
      Importing Email for Selected Accounts
      Examples of XML Files
      Auto Provisioning New Accounts from External LDAP
      Auto-Provision Attributes
      Configure Eager Mode Auto-Provisioning
      Configure Lazy Mode Auto-Provisioning
      Manage Resources
      Set Up the Scheduling Policy

    12 Managing User Accounts
      Change Status of Accounts
      Delete an Account
      View an Account's Mailbox
      Use an Email Alias
      Work with Distribution Lists
      Setting Subscription Policies for Distribution Lists
      Management Options for Owners of Distribution Lists
      Creating a Distribution List
      Managing Access to Distribution Lists
      Enable Viewing of Distribution List Members for AD Accounts
      Using Dynamic Distribution Lists
      Create Dynamic Distribution Lists from the Administration Console
      Using CLI to Manage Dynamic Distribution Lists
      Moving a Mailbox
      Global Configuration Option for Moving Mailboxes

    13 Delegated Administration
      Target Types for Granting Administrative Rights
      Rights
      System-defined rights
      Attribute Right
      Implementing Delegated Administration
      Administrator Groups and Administrators
      Configure Grants on Administrator Accounts or Admin Groups
      Grant ACLs to a Target
      Revoking Rights
      View Rights Granted to Administrators
      Predefined Delegated Administrator Role
      Domain Administration Group

      Distribution List Administration Group
      Creating Delegated Administrator Roles

    14 Using the Voice Service
      Order of Configuration
      Voice Service Requirements
      Using a Third-Party Unified Communications Server
      Cisco URLs
      Mitel URLs
      Creating the Voice/Chat Service
      Configure Presence (Cisco only)
      Enabling the Voice/Chat Service
      Enable Voice/Chat Service on a Domain
      Enable Voice/Chat Service on a COS
      Enable Voice/Chat Service on a User Account
      Enabling the Voice/Chat Zimlets

    15 Monitoring ZCS Servers
      Zimbra Logger
      Enable Server Statistics
      Review Server Status
      Enable or Disable Server Services
      Server Performance Statistics
      Configure Logger Mail Reports
      Configuring Disk Space Notifications
      Monitoring Servers
      Configuring Denial of Service Filter Parameters
      Identifying False Positives
      Customizing DoSFilter Configuration
      Tuning Considerations for ZCS 8.0.3 and later
      Working with Mail Queues
      View Mail Queues
      Flush Message Queues
      Monitoring Mailbox Quotas
      View Quota
      Increase or Decrease Quota
      Viewing MobileSync Statistics
      Monitoring Authentication Failures
      Viewing Log Files
      Syslog
      Use log4j to Configure Logging
      Logging Levels
      Protocol Trace
      Review mailbox.log Records
      Reading a Message Header
      Fixing Corrupted Mailbox Index
      Check if an Index is Corrupt
      Repair and Reindex a Corrupt Index
      SNMP Monitoring and Configuration
      SNMP Monitoring Tools
      SNMP Configuration
      Errors Generating SNMP Traps
      Checking MySQL

      Checking for ZCS Software Updates
      Updating Zimbra Connector for Microsoft Outlook
      Types of Notifications and Alerts Sent by ZCS
      Service status change notification
      Disk usage notification
      Duplicate mysqld processes running notification
      SSL certificates expiration notification
      Daily report notification
      Database integrity check notification
      Backup completion notification

    16 Backup and Restore
      Backing Up the Mailbox Server
      Backup Methods
      Standard Backup
      Auto-Grouped Backup Method
      Directory Structure for Backup Files
      Backup and Restore Using the Administration Console
      Configure Backup from the Admin Console
      Backup and Restore Using the Command Line Interface
      Backing up using the Standard Method
      Scheduling a Standard Backup
      Full Backup Process
      Incremental Backup Process
      Find a Specific Backups
      Abort Full Backup in Progress
      Backing up using the Auto-Grouped Method
      Configure Auto-Grouped Backup from the CLI
      Schedule Auto-Group Backups
      Backup Options
      Backup Up content Options
      Back Up the MySQL Database
      Managing Disk Space for Backups
      Restoring Data
      Restore Process
      Stop a Restore Process
      Restore Mailboxes When Mail Server Is Down
      Restore Individual Accounts on a Live System
      Exclude Items from a Restore
      Restore the LDAP Server
      General Steps for Disaster Recovery
      Crash Recovery Server Startup
      Restore the Zimbra Collaboration Server
      Install ZCS on a New Server
      Restoring from Different Failure Scenarios
      Change Local Configuration Files After Restoring Zimbra
      Using snapshots to Backup and Restore

    17 Zimbra Mobile
      Mobile Device Security Policies
      Setting Up Mobile Policies on ZCS
      Mobile Device Security Policies
      Managing Mobile Devices

      Supporting Autodiscover
      Set Up Mobile Synchronization for User Accounts
      Change Mobile Device Password Policy
      User's Mobile Device Self-Care Features

    18 Archiving and Discovery
      How Archiving Works
      How Discovery Works
      Installing the Archiving Package
      Install Archiving in a Single-Server Environment
      Install zimbra-archiving in a Multi-Server Environment
      Manage Archiving From the Administration Console
      Enable Archiving
      Creating a Dedicated Archive COS
      Set Up Archive Account Name
      Set Up Archiving for a User's Mailbox
      Archive Mailboxes
      Create an archive mailbox and assign a COS
      Create an Archive Mailbox with No COS or Password
      Enable Archive Forwarding to a Third-party Archiving Server
      Searching Across Mailboxes
      Cross Mailbox Search from the Administration Console

    19 Legal Requests for Information
      Legal Intercept Settings
      Set Up Legal Intercept
      Set Up Legal Intercept to Forward Message Header
      Modify the Intercept Cover Email Message
      Create Mailbox Snapshots for Legal Discovery
      Create a Mailbox Snapshot Zip File

    20 Zimbra Proxy Server
      Proxy Components
      Proxy Architecture and Flow
      Change the Zimbra Proxy Configuration
      Zimbra IMAP/POP Proxy
      Zimbra Proxy Ports for POP and IMAP
      Setting Up IMAP and POP Proxy After HTTP Proxy Installation
      Configure ZCS HTTP Proxy
      Setting Up HTTP Proxy
      Set Proxy Trusted IP Addresses
      Configure Zimbra Proxy for Kerberos Authentication

    21 Changing ZWC Theme Colors and Logo
      Customizing Base Theme Colors
      Replacing the ZWC Logo
      Using Command Line Interface
      Add Your Logos
      Changing Theme Colors and Logo on Admin Console
      Changing Base Theme Colors
      Adding Your Logo

    22 Zimlets
    Manage Zimlets from the Administration Console
    Deploy Custom Zimlets
    Enable, Disable, or Make Zimlets Mandatory
    Undeploy a Zimlet
    Add Proxy-Allowed Domains to a Zimlet
    Upgrading a Zimlet
    Managing Zimlets from the Command Line Interface
    Deploying Zimlets
    Add Proxy Allowed Domains to a Zimlet
    Deploying a Zimlet and Granting Access to a COS
    Viewing Zimlet List
    Changing Zimlet Configurations
    Upgrading a Zimlet
    Zimbra Gallery
    Customized Zimlets

    Appendix A Command-Line Utilities
    General Tool Information
    Zimbra CLI Commands
    Using non-ASCII Characters in CLIs
    zmprov (Provisioning)
    Configure Auto-Grouped Backup from the CLI
    Changing Conversations Thread Default
    Detect Corrupted Indexes
    zmaccts
    zmarchiveconfig
    zmarchivectl
    zmarchivesearch
    zmbackup
    zmblobchk
    zmcalchk
    zmschedulebackup
    zmbackupabort
    zmbackupquery
    zmrestore
    zmrestoreoffline (Offline Restore)
    zmrestoreldap
    zmcontrol (Start/Stop/Restart Service)
    zmmboxsearch (Cross Mailbox Search)
    zmmboxmove
    zmmboxmovequery
    zmpurgeoldmbox
    zmgsautil
    zmldappasswd
    zmlocalconfig
    zmmailbox
    zmtlsctl
    zmhsm
    zmlicense
    zmmetadump
    zmmypasswd
    zmplayredo

    zmproxyconfgen
    zmproxypurge
    zmredodump
    zmskindeploy
    zmsoap
    zmstat-chart
    zmstat-chart-config
    zmstatctl
    zmthrdump
    zmtrainsa
    zmtzupdate
    zmvolume
    zmzimletctl
    zmproxyconfig
    zmsyncreverseproxy

    Appendix B Configuring SPNEGO Single Sign-On
    Configuration Process
    Create the Kerberos Keytab File
    Configure ZCS
    Configure Your Browser
    Test your setup
    Troubleshooting setup
    Configure Kerberos Auth with SPNEGO Auth
    Setting Up Single Sign-On Options for ZCO

    Appendix C ZCS Crontab Jobs
    How to read the crontab
    ZCS Cron Jobs
    Jobs for crontab.store
    Jobs for crontab.logger
    Jobs for crontab.mta
    Single Server Crontab -l Example

    Appendix D Glossary

    Index

    1 Introduction

    Zimbra Collaboration Server (ZCS) is a full-featured messaging and collaboration solution that includes email, address book, calendaring, tasks, and Web document authoring.

    Topics in this chapter include:

    Audience

    Third-Party Components

    Support and Contact Information

    Audience

    This guide is intended for system administrators responsible for installing, maintaining, and supporting the server deployment of ZCS.

    Readers of this guide should have the following recommended knowledge and skill sets:

    Familiarity with the associated technologies and standards, Linux operating system, and open source concepts

    Industry practices for mail system management

    Third-Party Components

    Where possible, Zimbra adheres to existing industry standards and open source implementations for backup management, user authentications, operating platform, and database management. However, Zimbra only supports the specific implementations described in the ZCS architecture overview in the Product Overview chapter as officially tested and certified for the ZCS. This document might occasionally note when other tools are available in the marketplace, but such mention does not constitute an endorsement or certification.

    Support and Contact Information

    Visit www.zimbra.com to join the community and to be a part of building the best open source messaging solution. We appreciate your feedback and suggestions.

    Contact [email protected] to purchase Zimbra Collaboration Server

    Network Edition customers can contact support at [email protected]

    Explore the Zimbra Forums for answers to installation or configuration problems

    Join the Zimbra Forums, to participate and learn more about the Zimbra Collaboration Server

    Let us know what you like about the product and what you would like to see in the product. Post your ideas to the Zimbra Forum.

    If you encounter problems with this software, go to http://bugzilla.Zimbra.com to submit a bug report. Make sure to provide enough detail so that the bug can be easily duplicated.

    2 Product Overview

    The Zimbra Collaboration Server (ZCS) architecture is built with well-known open source technologies and standards based protocols. The architecture consists of client interfaces and server components that can be run in a single node configuration or deployed across multiple servers for high availability and increased scalability.

    Core Email, Calendar and Collaboration Functionality

    Zimbra Components

    System Architecture

    Zimbra Application Packages

    Example of a Typical Multiserver Configuration

    Zimbra System Directory Tree

    The architecture includes the following core advantages:

    Open source integrations. Linux, Jetty, Postfix, MySQL, OpenLDAP.

    Uses industry standard open protocols. SMTP, LMTP, SOAP, XML, IMAP, POP.

    Modern technology design. HTML5, Javascript, XML, and Java.

    Horizontal scalability. Each Zimbra mailbox server includes its own mailbox accounts and associated message store and indexes. Zimbra has the flexibility to scale both vertically by adding more system resources or horizontally by adding more servers.

    Browser based client interface. Zimbra Web Client gives users easy access to all the ZCS features.

    Browser based administration console.

    Core Email, Calendar and Collaboration Functionality

    ZCS is an innovative messaging and collaboration application that offers the following state-of-the-art solutions that are accessed through a browser based web client.

    Intuitive message management, search, tagging, and sharing.

    Personal, external, and shared calendar

    Personal and shared Address Books and Distribution Lists.

    Personal and Shared Task lists.

    Zimbra Components

    Zimbra architecture includes open-source integrations using industry standard protocols. The third-party software listed below is bundled with Zimbra software and installed as part of the installation process. These components have been tested and configured to work with the software.

    Jetty, the web application server that Zimbra software runs in.

    Postfix, an open source mail transfer agent (MTA) that routes mail messages to the appropriate Zimbra server

    OpenLDAP software, an open source implementation of the Lightweight Directory Access Protocol (LDAP) that stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication. Zimbra can also work with GAL and authentication services provided by external LDAP directories such as Active Directory

    MySQL database software

    Lucene, an open source full-featured text and search engine

    Autonomy, Inc., a third-party source that converts certain attachment file types to HTML

    Anti-virus and anti-spam open source components including:

    ClamAV, an anti-virus scanner that protects against malicious files

    SpamAssassin, a mail filter that attempts to identify spam

    Amavisd-new interfaces between the MTA and one or more content checkers

    James/Sieve filtering, used to create filters for email

    System Architecture

    The ZCS architectural design is displayed in the ZCS Collaboration Server Architecture figure. This shows the open-source software bundled with the ZCS and other recommended third-party applications.

    Zimbra Application Packages

    Zimbra Core. Includes the libraries, utilities, monitoring tools, and basic configuration files. zmconfigd is part of zimbra-core and is automatically enabled and runs on all systems.

    Zimbra Convertd. Zimbra-convertd package is installed on the zimbra-store server. Only one Zimbra-convertd package needs to be present in the ZCS environment.

    Zimbra LDAP. ZCS uses the OpenLDAP software, an open source LDAP directory server. User authentication, the Zimbra Global Address List, and configuration attributes are services provided through OpenLDAP. Note that the Zimbra GAL and authentication services can be provided by an external LDAP Directory such as Active Directory.

    Zimbra MTA. Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra MTA also includes the anti-virus and anti-spam components.

    Zimbra store (mailbox server). The Zimbra store package installs the components for the mailbox server, including Jetty, which is the servlet container the Zimbra software runs within. Within ZCS, this servlet container is called mailboxd. Each account is configured on one mailbox server, and this account is associated with a mailbox that contains all the mail messages, file attachments, contacts, calendar, and collaboration files for that mail account. Each Zimbra server has its own standalone data store, message store, and index store for the mailboxes on that server. As each email arrives, the Zimbra server (convertd) extracts the text from the attachments to be indexed along with the mail body. Attachments are converted to HTML when users click on the view as HTML link on the Zimbra Web Client.

    Zimbra-SNMP. Zimbra uses swatch to watch the syslog output to generate SNMP traps.

    Zimbra-Logger. The Zimbra logger installs tools for syslog aggregation, reporting. If the Logger is not installed, the server statistics section of the administration console is not displayed.

    Zimbra-Spell. Aspell is the open source spell checker used on the Zimbra Web Client. When zimbra-spell is installed, the Zimbra-Apache package is also installed.

    Zimbra-Proxy. Use of an IMAP/POP proxy server allows mail retrieval for a domain to be split across multiple Zimbra servers on a per user basis. The Zimbra Proxy package can be installed with the Zimbra LDAP, the Zimbra MTA, the Zimbra mailbox server, or on its own server. Zimbra-Memcached is a separate package from zimbra-proxy and is automatically selected when the zimbra-proxy package is installed. One server must run zimbra-memcached when the proxy is in use. All installed zimbra-proxies can use a single memcached server.

    Zimbra Archiving. The Zimbra Archiving and Discovery package is an optional feature for Zimbra Network Edition. Archiving and Discovery offers the ability to store and search all messages that were delivered to or sent by Zimbra. This package includes the cross mailbox search function which can be used for both live and archive mailbox searches. Note: Using Archiving and Discovery can trigger additional mailbox license usage. To find out more about Zimbra Archiving and Discovery, contact Zimbra sales.

    Example of a Typical Multiserver Configuration

    The exact configuration for each deployment is highly dependent on variables including the number of mailboxes, mailbox quotas, performance requirements, existing network infrastructure, IT policies, security requirements, spam filtering requirements, and so forth.

    The figure below shows a typical configuration with incoming traffic and user connection.

    [Figure: Typical Configuration with Incoming Traffic and User Connections. Components shown: Internet mail, external end user, internal end users and administrator users, firewalls, load balancers, Edge MTAs (spam filtering), Zimbra MTAs (virus and spam filtering), Zimbra LDAP master and replica, Zimbra mailbox servers, mounted backup disk. Connection types: Internet mail (inbound), external user connection, internal user connection, replication (optional), backup, LDAP directory traffic. Callouts 1 to 8 are described below.]

    1 Inbound Internet mail goes through a firewall and load balancing to the edge MTA for spam filtering.

    2 The filtered mail then goes through a second load balancer.

    3 An external user connecting to the messaging server also goes through a firewall to the second load balancer.

    4 The inbound Internet mail goes to any of the Zimbra MTA servers and goes through spam and virus filtering.

    5 The designated Zimbra MTA server looks up the addressee's directory information from the Zimbra LDAP replica server.

    6 After obtaining the user's information from the Zimbra LDAP server, the MTA server sends the mail to the appropriate Zimbra mailbox server.

    7 Internal end-user connections are made directly to any Zimbra mailbox server, which then obtains the user's directory information from Zimbra LDAP and redirects the user as needed.

    8 Server backup can be processed to a mounted disk.

    Zimbra System Directory Tree

    The following table lists the main directories created by the Zimbra installation packages.

    The directory organization is the same for any server in the ZCS, installing under /opt/zimbra.

    Note: The directories not listed in this table are libraries used for building the core Zimbra software or miscellaneous third-party tools.

    Parent Directory           Description
    /opt/zimbra/               Created by all ZCS installation packages
    backup/                    Backup target contains full and incremental backup data
    bin/                       ZCS application files, including the utilities described in Appendix A, Command-Line Utilities
    cdpolicyd                  Policy functions, throttling
    clamav/                    Clam AV application files for virus and spam controls
    conf/                      Configuration information
    contrib/                   Third-party scripts for conveyance
    convertd/                  Convert service
    cyrus-sasl/                SASL AUTH daemon
    data/                      Includes data directories for LDAP, mailboxd, postfix, amavisd, clamav
    db/                        Data Store
    docs/                      SOAP txt files and technical txt files
    dspam/                     DSPAM antivirus
    extensions-extra/          Server extensions for different authentication types
    extensions-network-extra/  Server extensions for different network version authentication types
    httpd/                     Contains the Apache Web server. Used for both aspell and convertd as separate processes
    index/                     Index store
    java/                      Contains Java application files
    jetty/                     mailboxd application server instance. In this directory, the webapps/zimbra/skins directory includes the Zimbra UI theme files
    lib/                       Libraries
    libexec/                   Internally used executables
    log/                       Local logs for ZCS server application
    logger/                    RRD and SQLite data files for logger services
    mysql/                     MySQL database files
    net-snmp/                  Used for collecting statistics
    openldap/                  OpenLDAP server installation, pre-configured to work with ZCS
    postfix/                   Postfix server installation, pre-configured to work with ZCS
    redolog/                   Contains current transaction logs for the ZCS server
    snmp/                      SNMP monitoring files
    ssl/                       Certificates
    store/                     Message store
    zimbramon/                 Contains control scripts and Perl modules
    zimlets/                   Contains Zimlet zip files that are installed with Zimbra
    zimlets-deployed/          Contains Zimlets that are available with the Zimbra Web Client
    zimlets-network            Contains Zimlet zip files for features that are installed with the network edition
    zmstat/                    mailboxd statistics are saved as .csv files

    Web Client Versions

    Zimbra offers a standard HTML, advanced Javascript, and mobile web clients that users can log into. The web clients include mail, calendar, address book, and task functionality. Users can select the client to use when they log in.

    Advanced web client includes Ajax capability and offers a full set of web collaboration features. This web client works best with newer browsers and fast Internet connections.

    Standard web client is a good option when Internet connections are slow or users prefer HTML-based messaging for navigating within their mailbox.

    Mobile web client provides an experience optimized for smaller screen formats available on mobile devices.

    When users sign in, they view the advanced Zimbra Web Client, unless they use the menu on the login screen to change to the standard version. If ZWC detects the screen resolution to be 800 x 600, users are automatically redirected to the standard Zimbra Web Client. Users can still choose the advanced ZWC but see a warning message suggesting the use of the standard ZWC for better screen view. When connecting to Zimbra using a mobile web browser, Zimbra will automatically detect and default to the mobile web client.

    3 Licensing

    A Zimbra license is required in order to create accounts. When you purchase, renew, or change the Zimbra license, you update the Zimbra server with the new license information.

    Topics in this chapter include:

    License Types

    License Requirements

    License Usage by Account Type

    License Activation

    Obtain a License

    License Types

    ZCS licensing gives administrators better visibility and control into the licensed features they plan to deploy. You can monitor usages and manage the following license types.

    Accounts limit. The maximum number of accounts you can create and the number of accounts created are shown.

    Mobile accounts limit. The maximum number of accounts that can have the mobile feature enabled.

    MAPI accounts limit. The maximum number of accounts that can use Zimbra Connector for Microsoft Outlook (ZCO).

    Archiving Accounts limit. The maximum number of archive accounts that can be created. The archive feature must be installed.

    License Requirements

    Several types of licenses are available:

    Trial. You can obtain a free Trial license from the Zimbra website, at www.zimbra.com. The trial license allows you to create up to 50 users. It expires in 60 days.

    Trial Extended. You can obtain a Trial Extended license from Zimbra Sales by contacting [email protected] or calling 1-650-427-5701. This license allows you to create up to 50 users and is valid for an extended period of time.

    Subscription. You must purchase the Zimbra Subscription license. This license is valid for a specific ZCS system and is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and expiration date of the subscription license.

    Perpetual. You must purchase the Zimbra Perpetual license. This license is similar to a subscription license and is valid for a specific ZCS system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and an expiration date of 2099-12-31. When you renew your support agreement, no new perpetual license is sent to you, but your Account records in the systems are updated with your new support end date.

    License Usage by Account Type

    Below is a description of ZCS accounts and whether they impact your license limit.

    System accounts. System accounts are specific accounts used by ZCS. They include the spam filter accounts for junk mail (spam and ham), virus quarantine account for email messages with viruses, and GALsync account if you configure GAL for your domain. Do not delete these accounts! These accounts do not count against your license.

    Administrator account. Administrator and delegated administrator accounts count against your license.

    User accounts. User accounts count against your license account limit. When you delete an account, the license account limit reflects the change.

    Alias account. Aliases do not count against your license.

    Distribution list. Distribution lists do not count against your license.

    Resource account. Resource accounts (location and resources) do not count against your ZCS license.

    License Activation

    All network edition installations require license activation. New installations have a 10 day grace period from the license issue date before requiring activation. Your license can be activated by selecting Global Settings > License > Activate License.

    Upgraded ZCS versions require an immediate activation to maintain network feature functionality.

    Automatic License Activation

    Licenses are automatically activated if the ZCS server has a connection to the Internet and can communicate with the Zimbra License server. If you are unable to automatically activate your license.

    Manual License Activation

    For systems that do not have external access to the Zimbra License server, you can use the Zimbra Support Portal to manually activate your license. Go to the Zimbra website at www.zimbra.com and click Support to display the Zimbra Technical Support page. Click Support Portal Login to display the Zimbra Support Portal page. Enter your email and password to log in.

    If you have problems accessing the Support Portal, contact Zimbra Sales at [email protected].

    When Licenses are not Installed or Activated

    If you fail to install or activate your ZCS server license, the following scenarios describe how your ZCS server will be impacted.

    License is not installed. If a license is not installed, the ZCS defaults to single user mode where all features limited by license are limited to one user.

    License is not valid. If the license could not be validated, the ZCS defaults to single user mode.

    License is not activated. A license activation grace period is 10 days. If for some reason the license is never activated, the ZCS defaults to single user mode after 10 days.

    License is in future. If the license starting date is still in the future, the ZCS defaults to single user mode.

    License is in grace period. If the license ending date has passed and is within the 30 day grace period, all features limited by license are still enabled, but administrators may see license renewal prompts.

    License expired. If the license ending date has passed and the 30 day grace period expired, the ZCS server defaults to the feature set of the Open Source Edition.

    Obtain a License

    Go to Zimbra's website to obtain a trial license from the Network Downloads area. Contact Zimbra sales regarding a trial extended license, or to purchase a subscription license or perpetual license, by emailing [email protected].

    The subscription and perpetual license can only be installed on the ZCS system for which it is purchased. Only one Zimbra license is required for your ZCS environment. This license sets the number of accounts that can be created.

    Current license information, including the number of accounts purchased, thenumber of accounts used, and the expiration date, can be viewed from GlobalSettings > License.

    Managing Licenses

    The Update License wizard from the administration console's Global Settings page is used to upload and install a new license. The Activate License link on the toolbar activates the license.

    Current license information, including the license ID, the issue date, expiration date, number of accounts purchased, and the number of accounts used can be viewed from Global Settings > License.

    License Information

    You must have a ZCS license to create accounts. When you purchase, renew, or change the Zimbra license, you must update the Zimbra server with the new license information. The Update License Wizard from the administration console's Global Settings is used to upload and install a new license. The Activate License link on the toolbar activates the license.

    Current license information, including the license ID, the issue date, expiration date, number of accounts purchased, and the number of accounts used can be viewed from the Global Settings > License page.

    When the number of accounts created is equal to the number of accounts purchased you will not be able to create new accounts. You can purchase additional accounts or you can delete existing accounts. Contact Zimbra sales to purchase additional accounts.

    You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the administration console, a reminder notice is displayed.

    License Expiration

    When your ZCS Network Edition License expires, a license expiration warning appears in the administrative console and web interface for all users. From the date of the license expiration, there is a 30-day grace period during which the warning message is displayed, but no features are disabled.

    Upon expiration of the grace period, the server reverts to the feature set of the Open Source Edition. The following is a list of some of the major functions that are no longer available upon license expiration:

    Backup/Restore

    Zimbra Mobile (ActiveSync)

    Zimbra Connector for Outlook

    Zimbra Connector for Blackberry

    S/MIME

    If you maximize your licensed user limit, you are no longer able to create or delete accounts.

    If you do not plan to renew your license, you can regain the ability to create or delete accounts by upgrading to ZCS free and open source software (FOSS).

    You should choose the same version of FOSS that you are currently running on the ZCS Network Edition for this transition, after which you can upgrade to the latest version of ZCS FOSS.

    Renewal

    When the number of accounts created is equal to the number of accounts purchased you will not be able to create new accounts. You can purchase additional accounts or you can delete existing accounts. Contact Zimbra sales to purchase additional accounts.

    You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the administration console, a reminder notice is displayed.

    Update Your License

    When you renew or change the Zimbra license, you update ZCS mailbox servers with the new license information. This can be done from either the administration console or using the zmlicense CLI command.

    From the administration console:

    1. Save the license on the computer you use to access the administration console.

    2. Log on to the administration console, go to Global Settings > License and on the toolbar click Update License. The License Installation Wizard opens.

    3. Browse to select the ZCS license file. Click Next. The license file is uploaded.

    4. Click Install to install the license file.

    5. Click Activate License. Upgraded ZCS versions require an immediate activation to maintain network feature functionality.

    Your license information is updated automatically. The cached account license count is automatically refreshed on each mailbox server.

    4 Zimbra Mailbox Server

    The Zimbra mailbox server is a dedicated server that manages all the mailbox content, including messages, contacts, calendar, and attachments. In a ZCS single-server environment, all services are on one server. In a ZCS multi-server environment, the LDAP and MTA services can be installed on separate servers.

    The Zimbra mailbox server receives the messages from the Zimbra MTA server and passes them through any filters that have been created. Messages are then indexed and deposited into the correct mailbox.

    The Zimbra mailbox server has dedicated volumes for backup and log files. Each Zimbra mailbox server can see only its own storage volumes. Zimbra mailbox servers cannot see, read, or write to another server.

    Incoming Mail Routing

    The MTA server receives mail via SMTP and routes each mail message to the appropriate ZCS mailbox server using LMTP. As each mail message arrives, its content is indexed so that all elements can be searched.

    Mailbox Server

    Each account is configured on one mailbox server and this account is associated with a mailbox that contains email messages, attachments, calendar, contacts and collaboration files for that account. Each Zimbra mailbox server has its own standalone message store, data store, and index store for the mailboxes on that server.

    Message Store

    All email messages are stored in MIME format in the Message Store, including the message body and file attachments.

    The message store is located on each mailbox server under /opt/zimbra/store.

    Each mailbox has its own directory named after its internal ZCS mailbox ID. Mailbox IDs are unique per server, not system-wide.

    Messages with multiple recipients are stored as a single copy on the message store. On UNIX systems, the mailbox directory for each user contains a hard link to the actual file.

    When ZCS is installed, one index volume and one message volume are configured on each mailbox server. Each mailbox is assigned to a permanent directory on the current index volume. When a new message is delivered or created, the message is saved in the current message volume.

    To manage your email storage resources, you can configure storage volumes for older messages by implementing a Hierarchical Storage Management (HSM) policy. See Chapter 8, Managing Configuration.

    Data Store

    The ZCS data store is a MySQL database where internal mailbox IDs are linked with user accounts. It holds all the message metadata, including tags, conversations, and pointers to where the messages are stored in the file system. The MySQL database files are in /opt/zimbra/db.

    Each account (mailbox) resides only on one server. Each ZCS server has its own standalone data store containing data for the mailboxes on that server.

    The data store maps the ZCS mailbox IDs to the users' OpenLDAP accounts. The primary identifier within the ZCS database is the mailbox ID, rather than a user name or account name. The mailbox ID is only unique within a single mailbox server.

    Metadata including the user's set of tag definitions, folders, contacts, calendar appointments, tasks, Briefcase folders, and filter rules are in the data store database.

    Information about each mail message, including whether it is read or unread, and which tags are associated, is stored in the data store database.

    Index Store

    The index and search technology is provided through Apache Lucene. Each email message and attachment is automatically indexed when the message arrives. An index file is associated with each account. Index files are in /opt/zimbra/index.

    The tokenizing and indexing process is not configurable by administrators or users.

    Message Tokenization

    The process is as follows:

    1. The Zimbra MTA routes the incoming email to the ZCS mailbox server that contains the account's mailbox.

    2. The mailbox server parses the message, including the header, the body, and all readable file attachments such as PDF files or Microsoft Word documents, in order to tokenize the words.

    3. The mailbox server passes the tokenized information to Lucene to create the index files.

    Note: Tokenization is the method for indexing by each word. Certain common patterns, such as phone numbers, email addresses, and domain names are tokenized as shown in the Message Tokenization figure.

    Backing Up the Mailbox Server

    ZCS includes a configurable backup manager that resides on every ZCS server and performs both backup and restore functions. You do not have to stop the ZCS server in order to run the backup process. The backup manager can be used to restore a single user, rather than having to restore the entire system in the event that one user's mailbox becomes corrupted. Full and incremental backups are in /opt/zimbra/backup. See Chapter 16, Backup and Restore.

    [Figure: Message Tokenization. Labels: stanford.edu, stanford, edu; Jo Brown, Jo, Brown, jb, @zimbra.com, zimbra; Word List (word, documents containing word); Lucene.]

    Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup. When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.

    Mailbox Server Logs

    A ZCS deployment consists of various third-party components with one or more mailbox servers. Each of the components may generate its own logging output. Local logs are in /opt/zimbra/log.

    Selected ZCS log messages generate SNMP traps, which you can capture using any SNMP monitoring software. See Chapter 15, Monitoring ZCS Servers.

    Note: System logs, redo logs, and backup sessions should be on separate disks to minimize the possibility of unrecoverable data loss in the event that one of those disks fails.

    5 Zimbra LDAP Service

    LDAP directory services provide a centralized repository for information about users and devices that are authorized to use your Zimbra service. The central repository used for Zimbra's LDAP data is the OpenLDAP directory server.

    Topics in this chapter include:

    LDAP Traffic Flow

    ZCS LDAP Schema

    Account Authentication

    ZCS Objects

    Global Address List

    Flushing LDAP Cache

    Note: ZCS supports integration with Microsoft's Active Directory Server. Contact support for information on specific directory implementation scenarios.

    The LDAP server is installed when ZCS is installed. Each server has its own LDAP entry that includes attributes specifying operating parameters. In addition, a global configuration object sets defaults for any server whose entry does not specify every attribute.

    A subset of these attributes can be modified through the Zimbra administration console and others through the zmprov CLI utility.

    LDAP Traffic Flow

    The LDAP Directory Traffic figure shows traffic between the Zimbra-LDAP directory server and the other servers in the ZCS system. The Zimbra MTA and the ZCS mailbox server read from, or write to, the LDAP database on the directory server.

    The Zimbra clients connect through the Zimbra server, which connects to LDAP.

    LDAP Directory Traffic

    LDAP Directory Hierarchy

    LDAP directories are arranged in a hierarchical tree-like structure with two types of branches, the mail branches and the config branch. Mail branches are organized by domain. Entries that belong to a domain, such as accounts, groups, and aliases, are provisioned under the domain DN in the directory. The config branch contains admin system entries that are not part of a domain. Config branch entries include system admin accounts, global config, global grants, COS, servers, mime types, and zimlets.

    The Zimbra LDAP Hierarchy figure shows the Zimbra LDAP hierarchy. Each type of entry (object) has certain associated object classes.

    Zimbra LDAP Hierarchy

    [Figure: LDAP Directory Traffic. Components shown: Zimbra LDAP directory server, Zimbra mailbox server, Zimbra MTA, edge MTA, DNS, Zimbra Command Line Tools, Zimbra Clients.]

    [Figure: Zimbra LDAP Hierarchy. Domain Branch: dc=com, dc=zimbra, ou=people, uid=jane, cn=groups, cn=serverteam. Config Branch: cn=zimbra, cn=admins, cn=config, cn=servers, cn=globalgrants, cn=zimlets, cn=cos, mime.]

    An LDAP directory entry consists of a collection of attributes and has a globally unique distinguished name (dn). The attributes allowed for an entry are determined by the object classes associated with that entry. The values of the object class attributes determine the schema rules the entry must follow.

    The object class that determines what kind of entry an entry is, called its structural object class, cannot be changed. Other object classes are called auxiliary and may be added to or deleted from the entry.

    Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson and auxiliary object class zimbraAccount would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.

    ZCS LDAP Schema

    At the core of every LDAP implementation is a database organized using a schema.

    The Zimbra LDAP schema extends the generic schema included with OpenLDAP software. It is designed to coexist with existing directory installations.

    All attributes and object classes specifically created for ZCS are prefaced by zimbra, such as the zimbraAccount object class or the zimbraAttachmentsBlocked attribute.

    The following schema files are included in the OpenLDAP implementation:

    core.schema

    cosine.schema

    inetorgperson.schema

    zimbra.schema

    amavisd.schema

    dyngroup.schema

    nis.schema

    Note: You cannot modify the Zimbra schema.

    ZCS Objects

    | Object | Description | Object class |
    |---|---|---|
    | Accounts | Represents an account on the Zimbra mailbox server that can be logged into. Account entries are either administrators or user accounts. The object class name is zimbraAccount. This object class extends the zimbraMailRecipient object class. All accounts have the following properties: a name in the format [email protected]; a unique ID that never changes and is never reused; a set of attributes, some of which are user-modifiable (preferences) and others that are only configurable by administrators. All user accounts are associated with a domain, so a domain must be created before creating any accounts. | zimbraAccount |
    | Class of Service (COS) | Defines the default attributes an account has and what features are allowed or denied. The COS controls features, default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts. | zimbraCOS |
    | Domains | Represents an email domain such as example.com or example.org. A domain must exist before email addressed to users in that domain can be delivered. | zimbraDomain |
    | Distribution Lists | Also known as mailing lists, are used to send mail to all members of a list by sending a single email to the list address. | zimbraDistributionList |
    | Dynamic Groups | Are like distribution lists. The difference is members of a dynamic group are dynamically computed by an LDAP search. The LDAP search filter is defined in an attribute on the dynamic group entry. Note: Both distribution lists and dynamic groups can be used as grantee or target in the delegated administrator framework. | zimbraGroup |
    | Servers | Represents a particular server in the Zimbra system that has one or more of the Zimbra software packages installed. Attributes describe server configuration information, such as which services are running on the server. | zimbraServer |
    | Global Configuration | Specifies default values for the following objects: server and domain. If the attributes are not set for other objects, the values are inherited from the global settings. Global configuration values are required and are set during installation as part of the Zimbra core package. These become the default values for the system. | zimbraGlobalConfig |
    | Alias | Represents an alias of an account, distribution list or a dynamic group. The zimbraAliasTarget attribute points to target entry of this alias entry. | zimbraAlias |
    | Zimlet | Defines Zimlets that are installed and configured in Zimbra. | zimbraZimletEntry |
    | Calendar Resource | Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class. | zimbraCalendarResource |
    | Identity | Represents a persona of a user. A persona contains the user's identity such as display name and a link to the signature entry used for outgoing emails. A user can create multiple personas. Identity entries are created under the user's LDAP entry in the DIT. | zimbraIdentity |

    Account Authentication

    Supported authentication mechanisms are Internal, External LDAP, and External Active Directory. The authentication method type is set on a per-domain basis. If the zimbraAuthMech attribute is not set, the default is to use internal authentication.

    The internal authentication method uses the Zimbra schema running on the OpenLDAP server.

    The zimbraAuthFallbackToLocal attribute can be enabled so that the system falls back to the local authentication if external authentication fails. The default is FALSE.

    Internal Authentication Mechanism

    The internal authentication method uses the Zimbra schema running on the OpenLDAP directory server. For accounts stored in the OpenLDAP server, the userPassword attribute stores a salted-SHA1 (SSHA) digest of the user's password. The user's provided password is computed into the SSHA digest and then compared to the stored value.
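
    The comparison described above, written out as an added Python example (not Zimbra's or OpenLDAP's code). It assumes the common OpenLDAP {SSHA} layout, base64(SHA-1(password + salt) + salt); the function names and the 8-byte salt are choices made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20      # SHA-1 digest size in bytes
PREFIX = "{SSHA}"  # scheme tag in front of the base64 payload


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # salt length is an assumption of this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from a stored {SSHA} value or raise ValueError."""
    if stored[:len(PREFIX)].upper() != PREFIX:
        raise ValueError("not an {SSHA} value")
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in {SSHA} value") from exc
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain a salt")
    # The first 20 bytes are the digest; everything after them is the salt.
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = split_ssha(stored)
    except ValueError:
        return False  # malformed or non-SSHA values never verify
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = make_ssha("correct horse")  # constructed sample value
    print(stored)
    print(verify_ssha("correct horse", stored), verify_ssha("wrong", stored))
```

    A single salted round of SHA-1 is cheap to compute, so userPassword values need the same protection as the passwords themselves.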

    External LDAP and External AD Authentication Mechanism

    External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra-LDAP for all other ZCS-related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.

    | Object | Description | Object class |
    |---|---|---|
    | Data Source | Represents an external mail source of a user. Two examples of data source are POP3 and IMAP. A data source contains the POP3/IMAP server name, port, and password for the user's external email account. The data source also contains persona information, including the display name and a link to the signature entry for outgoing email messages sent on behalf of the external account. Data Source entries are created under the user's LDAP entry in the DIT. | zimbraDataSource |
    | Signature | Represents a user's signature. A user can create multiple signatures. Signature entries are created under the user's LDAP entry in the DIT. | zimbraSignature |

    The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.

    The zimbraAuthLdapURL and zimbraAuthLdapBindDn attributes are required for external authentication.

    zimbraAuthLdapURL attribute ldap://ldapserver:port/ identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.

    For example:

    ldap://server1:3268

    ldap://exch1.acme.com

    If it is an SSL connection, use ldaps: instead of ldap:. The SSL certificate used by the server must be configured as a trusted certificate.

    zimbraAuthLdapBindDn attribute is a format string used to determine which DN to use when binding to the external directory server.

    During the authentication process, the user name starts out in the format:

    [email protected]

    The user name might need to be transformed into a valid LDAP bind DN (distinguished name) in the external directory. In the case of Active Directory, that bind dn might be in a different domain.
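
    A configuration check for the external authentication attributes described above, as an added Python example that is not part of the guide. It reads constructed "attribute: value" text grouped under "# name <domain>" headers (an assumed export shape), and the mechanism values ldap and ad are assumptions for external LDAP and Active Directory.

```python
from urllib.parse import urlsplit

# Constructed sample input (not from a real system): one "# name <domain>"
# header per domain, followed by "attribute: value" lines.
SAMPLE = """\
# name corp.example
zimbraAuthMech: ldap
zimbraAuthLdapURL: ldap://server1:3268
zimbraAuthLdapBindDn: uid=%u,ou=people,dc=corp,dc=example
zimbraAuthFallbackToLocal: TRUE

# name secure.example
zimbraAuthMech: ad
zimbraAuthLdapURL: ldaps://dc1.secure.example:636
zimbraAuthLdapBindDn: %u@secure.example

# name local.example

# name broken.example
zimbraAuthMech: ldap
zimbraAuthLdapURL: ldaps://dir.broken.example
"""

# Assumed zimbraAuthMech values for external LDAP and external Active Directory.
EXTERNAL_MECHS = {"ldap", "ad"}


def parse_domains(text):
    """Group "attribute: value" lines under the preceding "# name" header."""
    domains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# name "):
            current = domains.setdefault(line[len("# name "):].strip(), {})
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, []).append(value.strip())
    return domains


def audit_domain(attrs):
    """Return findings for one domain's authentication attributes."""
    # An unset zimbraAuthMech means internal authentication.
    mech = attrs.get("zimbraAuthMech", ["internal"])[0].lower()
    if mech not in EXTERNAL_MECHS:
        return []  # internal or custom handler: no external bind to check
    findings = []
    urls = [u for value in attrs.get("zimbraAuthLdapURL", []) for u in value.split()]
    if not urls:
        findings.append("zimbraAuthLdapURL is not set")
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme == "ldap":
            findings.append("ldap: URL, not ldaps: " + url)
        elif scheme != "ldaps":
            findings.append("unrecognized URL scheme: " + url)
    if not attrs.get("zimbraAuthLdapBindDn"):
        findings.append("zimbraAuthLdapBindDn is not set")
    if attrs.get("zimbraAuthFallbackToLocal", ["FALSE"])[0].upper() == "TRUE":
        findings.append("zimbraAuthFallbackToLocal is TRUE")
    return findings


def audit(text):
    """Map each domain name to its list of findings."""
    return {name: audit_domain(attrs) for name, attrs in parse_domains(text).items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        print(domain, findings or "ok")
```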

    Custom Authentication

    You can implement a custom authentication to integrate external authentication to your proprietary identity database. When an authentication request comes in, Zimbra checks the designated auth mechanism for the domain. If the auth mechanism is set to custom authentication, Zimbra invokes the registered custom auth handler to authenticate the user.

    To set up custom authentication, prepare the domain for the custom auth and register the custom authentication handler.

    Preparing a domain for custom auth

    To enable a domain for custom auth, set the domain attribute zimbraAuthMech to custom:{registered-custom-auth-handler-name}.

    In the following example, sample is the name that custom authentication is registered under.

    zmprov modifydomain {domain|id} zimbraAuthMech custom:sample

    Register a custom authentication handler.

    To register a custom authentication handler, invoke ZimbraCustomAuth.register [handlerName, handler] in the init method of the extension.

    Class: com.zimbra.cs.account.ldap.ZimbraCustomAuth

    Method: public synchronized static void register [String handlerName, ZimbraCustomAuth handler]

    Definitions

    handlerName is the name under which this custom auth handler is registered to Zimbra's authentication infrastructure. This name is set in the zimbraAuthMech attribute of the domain.

    handler is the object on which the authenticate method is invoked for this custom auth handler. The object has to be an instance of ZimbraCustomAuth (or subclasses of it).

    Example

    How