Zimbra miscellaneous notes: Difference between revisions

(55 intermediate revisions by the same user not shown)
*Zimbra9, Zimbra10 FOSS
That was quick work, lol
https://forums.zimbra.org/viewtopic.php?t=72231
https://techfiles.online/zimbra/
*Zimbra9, Zimbra10
It looks like the Open Source edition is going away, so I am going to start preparing to move off it.
https://computingforgeeks.com/zimbra-open-source-editions-end-of-support/
Keywords to remember: opendkim postsrsd
*Self-signed certificates cannot be used on Apple macOS and iOS
The method that used to work is now rejected, so I took the opportunity to set up Let’s Encrypt.
https://wiki.zimbra.com/wiki/Installing_a_LetsEncrypt_SSL_Certificate
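I fell into Python version-mismatch hell, but the method above is the shortest route, so the best course is to resolve the mismatches by brute force.
Making full use of manual updates, package holds and the like...
I will think about the automatic restart after certificate renewal later.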
*Renewing the self-signed certificate
https://wiki.zimbra.com/wiki/Regenerate_Self-Signed_SSL_Certificate_-_Single-Server
As the zimbra user:
<syntaxhighlight lang="bash" enclose="div">
/opt/zimbra/bin/zmcertmgr createca -new
/opt/zimbra/bin/zmcertmgr deployca
/opt/zimbra/bin/zmcertmgr createcrt -new -days 365
/opt/zimbra/bin/zmcertmgr deploycrt self
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
zmcontrol restart
</syntaxhighlight>
*BLOCK customer.worldstream.nl
<syntaxhighlight lang="bash" enclose="div">
zmprov mcf zimbraMtaHeaderChecks 'pcre:/opt/zimbra/conf/postfix_header_checks  pcre:/opt/zimbra/conf/custom_header_checks'
zmmtactl restart
</syntaxhighlight>
/opt/zimbra/conf/custom_header_checks
<syntaxhighlight lang="text" enclose="div">
/^Received: from customer\.worldstream\.nl/ DISCARD
</syntaxhighlight>
<syntaxhighlight lang="bash" enclose="div">
/opt/zimbra/common/sbin/postfix reload
</syntaxhighlight>
https://wiki.zimbra.com/wiki/King0770-Notes-Header-Checks
https://gato.intaa.net/archives/12999
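A way to check what the custom_header_checks rule above covers before relying on it, as an added example that is not part of the original notes: a simplified Python model of a Postfix pcre: table (only the `i` flag, no if/endif) run over constructed Received headers. The function names, sample headers and addresses are assumptions made for the illustration.

```python
import re

# Constructed copy of the custom_header_checks rule from the notes above.
TABLE = r"""
/^Received: from customer\.worldstream\.nl/ DISCARD
"""

def load_pcre_table(text):
    """Parse '/pattern/flags action' rules (simplified: 'i' flag only, no if/endif)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([A-Za-z]*)\s+(\S.*)$", line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        pattern, flags, action = m.groups()
        # pcre: tables default to case-insensitive, dot matches newline; 'i' turns case folding off.
        opts = re.DOTALL | (0 if "i" in flags else re.IGNORECASE)
        rules.append((re.compile(pattern, opts), action))
    return rules

def logical_headers(raw):
    """Join folded continuation lines so each header is matched as one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        elif line:
            headers.append(line)
    return headers

def first_action(raw, rules):
    """Return the action of the first rule matching any header, else None."""
    for header in logical_headers(raw):
        for regex, action in rules:
            if regex.search(header):
                return action
    return None

RULES = load_pcre_table(TABLE)
# Constructed headers; 192.0.2.10 and example.* are documentation values.
HELO_MATCH = "Received: from customer.worldstream.nl (unknown [192.0.2.10])\n\tby mail1.example.jp\nSubject: hi"
FOLDED_UPPER = "Received: from CUSTOMER.WORLDSTREAM.NL\n (unknown [192.0.2.10]) by mail1.example.jp\nSubject: hi"
RDNS_ONLY = "Received: from mail.example.org (customer.worldstream.nl [192.0.2.10])\n\tby mail1.example.jp\nSubject: hi"

if __name__ == "__main__":
    print([first_action(h, RULES) for h in (HELO_MATCH, FOLDED_UPPER, RDNS_ONLY)])
```

On the server itself, `postmap -q "Received: from ..." pcre:/opt/zimbra/conf/custom_header_checks` queries the real table. The third sample returns no action because the rule keys on the name directly after `from`, not on the name inside the parentheses.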
*I wanted to allow TLSv1.2 only, but
iPhone (iOS12) Mail (IMAP) could not connect, and apparently TLSv1 has to be enabled... that's no good, lol
*Unable to start TLS: SSL connect attempt failed error:
SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.
After apt upgraded the package from 8.7b8 to 8.7b9, StartTLS broke...
A heavy-handed fix:
<syntaxhighlight lang="bash" enclose="div">
zmlocalconfig -e ldap_starttls_supported=0
</syntaxhighlight>
[https://wiki.zimbra.com/wiki/Unable_to_create_a_successful_TLS_connection_to_the_ldap_masters When upgrading to 8.5x, "Unable to create a successful TLS connection to the ldap masters" comes up]
* gzip: stdin: file size changed while zipping
<syntaxhighlight lang="bash" enclose="div">
    postrotate
      kill -USR1 `cat /opt/zimbra/log/nginx.pid 2> /dev/null` 2> /dev/null && sleep 5 || true
    endscript
</syntaxhighlight>
[https://sebastian.marsching.com/wiki/Network/Zimbra Network/Zimbra - Sebastian's Wiki]
* In the case of an OS upgrade
[https://forums.zimbra.org/viewtopic.php?f=8&t=61175 Zimbra Collaboration 8.7.x and Ubuntu OS update corrupts/removes Zimbra installation]
<syntaxhighlight lang="bash" enclose="div">
cd /opt
cd zimbra.lts16
cp -adpRx bin common/bin common/lib common/libexec common/sbin common/share lib libexec /opt/zimbra
</syntaxhighlight>
The copy did not work well, so I copied piece by piece with tar cf - ./bin|(cd /opt/zimbra;tar xf -)
<syntaxhighlight lang="bash" enclose="div">
cd /opt
cd zimbra.lts16
tar cf - ./bin ./common/bin ./common/lib ./common/libexec ./common/sbin ./common/share ./lib ./libexec |(cd /opt/zimbra;tar xf -)
</syntaxhighlight>
*A note, because this happens often
After updating zimbra, the following is logged in large numbers:
<pre>
Jul 15 16:30:03 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/370137.7889: Permission denied
</pre>
<syntaxhighlight lang="bash" enclose="div">
zmcontrol stop
sudo killall postdrop
# if necessary
#sudo usermod -a -G postdrop zimbra
#sudo /opt/zimbra/libexec/zmfixperms
zmcontrol start
</syntaxhighlight>
killall postdrop is the key step
*high precision timestamps, again
/opt/zimbra/common/bin/prepflog.pl
<syntaxhighlight lang="diff" enclose="div">
250c250
<            /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:[\+\-](?:\d{2}):(?:\d{2})|Z) \S+ (.+)$/o) == 10);
---
>            /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?(?:[\+\-](?:\d{2}):(?:\d{2})|Z) \S+ (.+)$/) == 7);
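Review bot: the == 7 on the new line 250 is tied to the number of capturing groups in the pattern (a list assignment in scalar context yields the count of values the match returned), so any later edit that adds or removes a capture silently breaks parsing of every RFC 3339 line; a short comment next to the constant saying so would help. The added (?:\.\d+)? is correctly non-capturing, so the count stays at seven with or without fractional seconds, which the old == 10 could never equal.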
255,256c255,257
<    unless((($cmd, $qid) = $logRmdr =~ m#^(?:postfix|$syslogName)/([^\[:]*).*?: ([^:\s]+)#o) == 2 ||
<            (($cmd, $qid) = $logRmdr =~ m#^((?:postfix)(?:-script)?)(?:\[\d+\])?: ([^:\s]+)#o) == 2)
---
>    unless((($cmd, $qid) = $logRmdr =~ m#^(?:postfix-?\w*|$syslogName)(?:/(?:smtps|submission))?/([^\[:]*).*?: ([^:\s]+)#o) == 2 ||
>            (($cmd, $qid) = $logRmdr =~ m#^((?:postfix)(?:-script)?)(?:\[\d+\])?: ([^:\s]+)#o) == 2 ||
>            (($cmd, $qid) = $logRmdr =~ m#^MailScanner\[\d+\]: (Requeue): (\w+)\.#) == 2)
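Review bot: postfix-?\w* on the first new line accepts any program name that merely begins with postfix, because both the hyphen and the word characters are optional; if the aim is to admit instance names of the form postfix-something, postfix(?:-\w+)? says that and nothing more. The same pattern interpolates $syslogName unescaped and keeps /o, so a syslog name containing regex metacharacters changes what is matched; \Q$syslogName\E would avoid that.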
560c561
< # return a date string to match in log
---
> # return traditional and RFC3339 date strings to match in log
562c563
<    my $dateOpt = $_[0];
---
>    my ($dateOpt) = $_[0];
572c573
<    my ($t_mday, $t_mon) = (localtime($time))[3,4];
---
>    my ($t_mday, $t_mon, $t_year) = (localtime($time))[3,4,5];
574c575
<    return sprintf("%s %2d", $monthNames[$t_mon], $t_mday);
---
>    return sprintf("%s %2d", $monthNames[$t_mon], $t_mday), sprintf("%04d-%02d-%02d", $t_year+1900, $t_mon+1, $t_mday);
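Review bot: the return on the new line 575 now yields two strings, so every caller has to take the result in list context; a caller left as a scalar assignment receives only the last value, the YYYY-MM-DD string, and stops matching traditional syslog dates. The callers are not in this patch, so they should be updated in the same change, and the comment on line 561 could state the order of the two values returned.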
</syntaxhighlight>
*postfix : Specific Whitelist/Blacklist per IP
[https://wiki.zimbra.com/wiki/Specific_Whitelist/Blacklist_per_IP Specific Whitelist/Blacklist per IP]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
# Blacklist Edit /opt/zimbra/conf/postfix_blacklist. Add IP address SPACE REJECT to the file, one IP address per line.
postmap /opt/zimbra/conf/postfix_blacklist
zmprov mcf +zimbraMtaRestriction 'check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist'
zmmtactl restart
</syntaxhighlight>
:postmap will need to be rerun on the file anytime an IP address is added or removed.
:There is also fail2ban.
::In the end, I went with the blunt approach...
<syntaxhighlight lang="bash" enclose="div">
iptables -A INPUT -s 62.150.168.221 -j DROP
iptables -A INPUT -s 62.150.168.194 -j DROP
</syntaxhighlight>
*reset admin password
[https://wiki.zimbra.com/wiki/Admin_Password_Reset Admin password Reset]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
zmprov gaaa
zmprov sp <admin email address> <new password>
</syntaxhighlight>
*proxy memcache and set https only
[https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached Enabling Zimbra Proxy and memcached]
<syntaxhighlight lang="bash" enclose="div">
su - zimbra
./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https  -H `zmhostname`
./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`
zmprov ms `zmhostname` zimbraMailReferMode reverse-proxied
zmmailboxdctl restart
#zmprov ms `zmhostname` +zimbraServiceEnabled memcached
#zmcontrol restart
zmprov ms `zmhostname` zimbraReverseProxyMailMode https
zmcontrol restart
lsof -i :443
lsof -i :11211
</syntaxhighlight>
*Errors mysql After Upgrade to 8.7
[https://forums.zimbra.org/viewtopic.php?f=13&t=60288&p=271092&hilit=innodb#p271092 Errors mysql After Upgrade to 8.7]
MariaDB throws errors.
<syntaxhighlight lang="text" enclose="div">
This behavior is caused by bug in Zimbra installation script which doesn't perform mysql_upgrade during Zimbra upgrade process.
Resolution:
1. Obtain mysql root password:
$ zmlocalconfig -s | grep mysql | grep password
2. Create missing directory and symbolic link:
$ mkdir /opt/zimbra/data/tmp/mysqldata
$ ln -s /opt/zimbra/data/tmp/mysql/mysql.sock /opt/zimbra/data/tmp/mysqldata/mysql.sock
3. Perform mysql_upgrade
$ /opt/zimbra/common/bin/mysql_upgrade -u root -p
</syntaxhighlight>
* After running /opt/zimbra/libexec/zmfixperms -extended...
<syntaxhighlight lang="text" enclose="div">
Jul 15 16:30:03 mail1 postfix/postdrop[7889]: warning: mail_queue_enter: create file maildrop/370137.7889: Permission denied
</syntaxhighlight>
:In the end, this fixed it:
<syntaxhighlight lang="bash" enclose="div">
usermod -a -G postdrop zimbra
</syntaxhighlight>
*slapd stopped starting when zimbra-proxy is not in use.
<syntaxhighlight lang="text" enclose="div">
Failed to start slapd.  Attempting debug start to determine error.
TLS: error:02001002:system library:fopen:No such file or directory bss_file.c:175
TLS: error:2006D080:BIO routines:BIO_new_file:no such file bss_file.c:178
57e0763b main: TLS init def ctx failed: -1
</syntaxhighlight>
:Run the command as the zimbra user:
<syntaxhighlight lang="bash" enclose="div">
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
</syntaxhighlight>
*Getting stuck on the 8.7.0 upgrade
[https://wiki.zimbra.com/wiki/Recovering_from_upgrade_failure https://wiki.zimbra.com/wiki/Recovering_from_upgrade_failure]
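:Checking the log shows that the package installation is failing. It seems that the mta-dummy_1.0_all.deb I set up long ago is involved and conflicts with bsd-mailx.
:I removed bsd-mailx and managed to install using the method above. After that I repaired the broken package dependencies by hand... exhausting.
*Memo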
[https://wiki.zimbra.com/wiki/How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test How to obtain an A+ in the Qualys SSL Labs security test]
*Enabling Zimbra Proxy
:From 8.5 onward the proxy is standard, and problems appear when updating from older versions (the left-unattended kind).
[https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy Enabling Zimbra Proxy]
:IMAP over SSL would not connect and I was stuck for the better part of an hour... in the end the fix was to enable the proxy.
*no such data source: InternalGAL
<pre>
---
> # my $today = strftime("%b %e ", localtime);
> my $today = strftime("%Y-%m-%dT", localtime);
> my $today = strftime("%F", localtime);
</pre>