*Zimbra9, Zimbra10 FOSS
They work fast, lol.
https://forums.zimbra.org/viewtopic.php?t=72231
https://techfiles.online/zimbra/
*Zimbra9, Zimbra10
It looks like the Open Source edition is going away, so I'm going to start preparing to move off it.
https://computingforgeeks.com/zimbra-open-source-editions-end-of-support/
Keywords to remember: opendkim postsrsd
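*Self-signed certificates can't be used on Apple macOS / iOS
The method that used to work is now rejected, so I took the opportunity to set up Let's Encrypt.
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
I fell into Python version-mismatch hell, but the method above is the shortest route, so the best course is to brute-force your way through the mismatches.
Making full use of manual updates, package holds and so on...
I'll think about an automatic restart after certificate renewal later.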
*Renewing the self-signed certificate
https://wiki.zimbra.com/wiki/Regenerate_Self-Signed_SSL_Certificate_-_Single-Server
As the zimbra user:
<syntaxhighlight lang="bash" enclose="div">
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
zmcontrol restart
</syntaxhighlight>
*BLOCK customer.worldstream.nl
<syntaxhighlight lang="bash" enclose="div">
zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks pcre:/opt/zimbra/conf/custom_header_checks'
zmmtactl restart
</syntaxhighlight>
/opt/zimbra/conf/custom_header_checks
<syntaxhighlight lang="text" enclose="div">
/^Received: from customer\.worldstream\.nl/ DISCARD
</syntaxhighlight>
<syntaxhighlight lang="bash" enclose="div">
/opt/zimbra/common/sbin/postfix reload
</syntaxhighlight>
https://wiki.zimbra.com/wiki/King0770-Notes-Header-Checks
https://gato.intaa.net/archives/12999
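A dry run of the rule above against constructed Received: headers, added here as an example (not from the original notes). DISCARD drops mail silently, so it is worth confirming what the pattern does and does not match. Assumptions: <code>header_action</code> is a hypothetical helper that approximates Postfix's pcre lookup with <code>grep -Ei</code>, which is adequate for literal patterns without flags like this one.

```shell
# Added example: dry-run a header_checks table against sample headers.
# header_action is a hypothetical helper, not a Postfix or Zimbra tool.
# It approximates the pcre: lookup with grep -E; -i mirrors the
# case-insensitive default of Postfix pcre tables.

# Print the action of the first rule in table $1 that matches header $2,
# or DUNNO when no rule matches. Rules look like: /pattern/ ACTION
header_action() {
    table=$1
    header=$2
    while IFS= read -r rule; do
        case $rule in ''|'#'*) continue ;; esac   # skip blanks and comments
        pattern=${rule#/}          # drop the leading slash
        pattern=${pattern%/*}      # drop the "/ ACTION" tail
        action=${rule##*/}         # text after the closing slash
        action=${action# }         # drop the separating space
        if printf '%s\n' "$header" | grep -Eiq -- "$pattern"; then
            printf '%s\n' "$action"
            return 0
        fi
    done < "$table"
    printf 'DUNNO\n'
}

# Constructed sample table holding the single rule shown above.
sample_table=$(mktemp)
printf '%s\n' '# constructed copy of custom_header_checks' \
    '/^Received: from customer\.worldstream\.nl/ DISCARD' > "$sample_table"

# Constructed headers (documentation IP ranges), not taken from real mail.
# The second one shows the limit of the anchored pattern: a name that only
# ends in customer.worldstream.nl is not matched.
for h in \
    'Received: from customer.worldstream.nl (unknown [192.0.2.10])' \
    'Received: from host-1.customer.worldstream.nl (unknown [192.0.2.11])' \
    'Received: from mail.example.org (mail.example.org [198.51.100.7])'
do
    printf '%-8s %s\n' "$(header_action "$sample_table" "$h")" "$h"
done
```

On the mail host itself, <code>postmap -q "<header line>" pcre:/opt/zimbra/conf/custom_header_checks</code> performs the real lookup.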
*I wanted TLSv1.2 only, but
iPhone (iOS12) Mail (IMAP) can't connect, and apparently TLSv1 has to be enabled... that's a bad one, lol.
*Unable to start TLS: SSL connect attempt failed error:
SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
After apt upgraded the package from 8.7b8 to 8.7b9, StartTLS broke...
A heavy-handed workaround (it disables StartTLS for LDAP connections instead of fixing certificate verification):
<syntaxhighlight lang="bash" enclose="div">
zmlocalconfig -e ldap_starttls_supported=0
</syntaxhighlight>
[https://wiki.zimbra.com/wiki/Unable_to_create_a_successful_TLS_connection_to_the_ldap_masters When upgrading to 8.5x, "Unable to create a successful TLS connection to the ldap masters" comes up]
* gzip: stdin: file size changed while zipping
<syntaxhighlight lang="bash" enclose="div">
postrotate
kill -USR1 `cat /opt/zimbra/log/nginx.pid 2> /dev/null` 2> /dev/null && sleep 5 || true
endscript
</syntaxhighlight>
[https://sebastian.marsching.com/wiki/Network/Zimbra Network/Zimbra - Sebastian's Wiki]
* When upgrading the OS
[https://forums.zimbra.org/viewtopic.php?f=8&t=61175 Zimbra Collaboration 8.7.x and Ubuntu OS update corrupts/removes Zimbra installation]
<syntaxhighlight lang="bash" enclose="div">
cd /opt
cd zimbra.lts16
cp -adpRx bin common/bin common/lib common/libexec common/sbin common/share lib libexec /opt/zimbra
</syntaxhighlight>
The copy doesn't work properly, so copy piece by piece with tar cf - ./bin|(cd /opt/zimbra;tar xf -):
<syntaxhighlight lang="bash" enclose="div">
cd /opt
cd zimbra.lts16
tar cf - ./bin ./common/bin ./common/lib ./common/libexec ./common/sbin ./common/share ./lib ./libexec |(cd /opt/zimbra;tar xf -)
</syntaxhighlight>
*Happens often, so noting it here
After updating Zimbra, the following warning appears in large numbers:
<pre>
Jul 15 16:30:03 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/370137.7889: Permission denied
</pre>
<syntaxhighlight lang="bash" enclose="div">
zmcontrol stop
sudo killall postdrop
# if needed
#sudo usermod -a -G postdrop zimbra
#sudo /opt/zimbra/libexec/zmfixperms
zmcontrol start
</syntaxhighlight>
killall postdrop is the key.
*high precision timestamps, again
/opt/zimbra/common/bin/prepflog.pl
<syntaxhighlight lang="diff" enclose="div">
250c250 | |||
< /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:[\+\-](?:\d{2}):(?:\d{2})|Z) \S+ (.+)$/o) == 10); | |||
--- | |||
> /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?(?:[\+\-](?:\d{2}):(?:\d{2})|Z) \S+ (.+)$/) == 7); | |||
255,256c255,257 | |||
< unless((($cmd, $qid) = $logRmdr =~ m#^(?:postfix|$syslogName)/([^\[:]*).*?: ([^:\s]+)#o) == 2 || | |||
< (($cmd, $qid) = $logRmdr =~ m#^((?:postfix)(?:-script)?)(?:\[\d+\])?: ([^:\s]+)#o) == 2) | |||
--- | |||
> unless((($cmd, $qid) = $logRmdr =~ m#^(?:postfix-?\w*|$syslogName)(?:/(?:smtps|submission))?/([^\[:]*).*?: ([^:\s]+)#o) == 2 || | |||
> (($cmd, $qid) = $logRmdr =~ m#^((?:postfix)(?:-script)?)(?:\[\d+\])?: ([^:\s]+)#o) == 2 || | |||
> (($cmd, $qid) = $logRmdr =~ m#^MailScanner\[\d+\]: (Requeue): (\w+)\.#) == 2) | |||
560c561 | |||
< # return a date string to match in log | |||
--- | |||
> # return traditional and RFC3339 date strings to match in log | |||
562c563 | |||
< my $dateOpt = $_[0]; | |||
--- | |||
> my ($dateOpt) = $_[0]; | |||
572c573 | |||
< my ($t_mday, $t_mon) = (localtime($time))[3,4]; | |||
--- | |||
> my ($t_mday, $t_mon, $t_year) = (localtime($time))[3,4,5]; | |||
574c575 | |||
< return sprintf("%s %2d", $monthNames[$t_mon], $t_mday); | |||
--- | |||
> return sprintf("%s %2d", $monthNames[$t_mon], $t_mday), sprintf("%04d-%02d-%02d", $t_year+1900, $t_mon+1, $t_mday); | |||
</syntaxhighlight>
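Review bot: the <code>return</code> at new line 575 now hands back two strings, so any caller that still takes the result in scalar context receives only the last one (the <code>%04d-%02d-%02d</code> form) and stops matching traditional syslog dates without any error. No call site is touched in this diff, so confirm that every caller assigns the result to a two-element list, and consider naming both values in the comment at line 561 so the order is documented.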
*postfix : Specific Whitelist/Blacklist per IP
[https://wiki.zimbra.com/wiki/Specific_Whitelist/Blacklist_per_IP Specific Whitelist/Blacklist per IP]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
# Blacklist: edit /opt/zimbra/conf/postfix_blacklist. Add IP address SPACE REJECT to the file, one IP address per line.
postmap /opt/zimbra/conf/postfix_blacklist
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
zmmtactl restart
</syntaxhighlight>
:postmap will need to be rerun on the file anytime an IP address is added or removed.
:There is also fail2ban.
::In the end, the blunt approach...
<syntaxhighlight lang="bash" enclose="div">
iptables -A INPUT -s 62.150.168.221 -j DROP
iptables -A INPUT -s 62.150.168.194 -j DROP
</syntaxhighlight>
*reset admin password
[https://wiki.zimbra.com/wiki/Admin_Password_Reset Admin password Reset]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
zmprov gaaa
zmprov sp <admin email address> <new password>
</syntaxhighlight>
*proxy memcache and set https only
[https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached Enabling Zimbra Proxy and memcached]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`
zmprov ms `zmhostname` zimbraMailReferMode reverse-proxied
zmmailboxdctl restart
#zmprov ms `zmhostname` +zimbraServiceEnabled memcached
#zmcontrol restart
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
zmcontrol restart
lsof -i :443
lsof -i :11211
</syntaxhighlight>
*Errors mysql After Upgrade to 8.7
[https://forums.zimbra.org/viewtopic.php?f=13&t=60288&p=271092&hilit=innodb#p271092 Errors mysql After Upgrade to 8.7]
MariaDB throws errors.
<syntaxhighlight lang="text" enclose="div">
This behavior is caused by bug in Zimbra installation script which doesn't perform mysql_upgrade during Zimbra upgrade process.
Resolution:
1. Obtain mysql root password:
$ zmlocalconfig -s | grep mysql | grep password
2. Create missing directory and symbolic link:
$ mkdir /opt/zimbra/data/tmp/mysqldata
$ ln -s /opt/zimbra/data/tmp/mysql/mysql.sock /opt/zimbra/data/tmp/mysqldata/mysql.sock
3. Perform mysql_upgrade
$ /opt/zimbra/common/bin/mysql_upgrade -u root -p
</syntaxhighlight>
* After running /opt/zimbra/libexec/zmfixperms -extended...
<syntaxhighlight lang="text" enclose="div">
Jul 15 16:30:03 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/370137.7889: Permission denied
</syntaxhighlight>
:In the end this fixed it:
<syntaxhighlight lang="bash" enclose="div">
usermod -a -G postdrop zimbra
</syntaxhighlight>
*slapd stopped starting when zimbra-proxy is not in use.
<syntaxhighlight lang="text" enclose="div">
Failed to start slapd. Attempting debug start to determine error.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:175
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:178
57e0763b main: TLS init def ctx failed: -1
</syntaxhighlight>
:Run this command as the zimbra user:
<syntaxhighlight lang="bash" enclose="div">
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
</syntaxhighlight>
*Stuck on the 8.7.0 upgrade
[https://wiki.zimbra.com/wiki/Recovering_from_upgrade_failure https://wiki.zimbra.com/wiki/Recovering_from_upgrade_failure]
:Checking the log, the package installation is failing. It seems that mta-dummy_1.0_all.deb, which I had put in place long ago, conflicts with bsd-mailx.
:I removed bsd-mailx and managed to get it installed using the method above. After that I repaired the broken package dependencies by hand... exhausting.
*Memo
[https://wiki.zimbra.com/wiki/How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test How to obtain an A+ in the Qualys SSL Labs security test]
*Enabling Zimbra Proxy
:From 8.5 onward the proxy is standard, and problems appear when updating from older versions (of the left-unattended kind).
[https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy Enabling Zimbra Proxy]
:IMAP over SSL wouldn't connect and I was stuck for the better part of an hour... in the end the solution is to enable the proxy.
*no such data source: InternalGAL
<pre>
--- | --- | ||
> # my $today = strftime("%b %e ", localtime); | > # my $today = strftime("%b %e ", localtime); | ||
> my $today = strftime("% | > my $today = strftime("%F", localtime); | ||
</pre>