Deploying Zextras / Zimbra Office Workstations in Yandex.Cloud

Introduction



Optimizing office infrastructure and deploying new workstations is a major challenge for companies of all types and sizes. The best option for a new project is to rent resources in the cloud and purchase licenses that can be used both at the provider and in your own data center. One solution for this scenario is Zextras Suite, which allows you to build a platform for collaboration and corporate communications both in the cloud and on your own infrastructure.



The solution is designed for offices of any size and has two main deployment scenarios: if you have up to 3000 mailboxes and no high fault-tolerance requirements, you can use the single-server installation, while the multi-server installation supports reliable and responsive operation of tens and hundreds of thousands of mailboxes. In all cases, the user gets access to mail, documents and messages through a single web interface from a workplace with any OS, without installing or configuring additional software, or through mobile applications for iOS and Android. The familiar Outlook and Thunderbird clients can also be used.



For the project deployment, Zextras partner SVZ chose Yandex.Cloud, because its architecture is similar to AWS and it supports S3-compatible storage, which reduces the cost of storing large volumes of mail, messages and documents and increases the fault tolerance of the solution.



In the Yandex.Cloud environment, a single-server installation uses the basic virtual machine management tools of "Compute Cloud" and the virtual network management capabilities of "Virtual Private Cloud". A multi-server installation additionally requires "Placement groups" and, if necessary (depending on the scale of the system), "Instance Groups" and the Yandex Load Balancer network balancer.



The S3-compatible object storage Yandex Object Storage can be used in both installation options, and can also be connected to systems deployed on-premises for economical and fault-tolerant storage of mail server data in Yandex.Cloud.



For a single-server installation, depending on the number of users and/or mailboxes, the following is required:

  • Main server: 4-12 vCPU, 8-64 GB vRAM (the specific vCPU and vRAM values depend on the number of mailboxes and the actual load), at least 80 GB of disk space for the operating system and applications, plus additional disk space for mail, indexes, logs, etc., which depends on the number and average size of mailboxes and can change dynamically during system operation.
  • Docs auxiliary servers: 2-4 vCPU, 2-16 GB vRAM, 16 GB of disk space (the specific resource values and the number of servers depend on the actual load).
  • An additional TURN/STUN server may be required (whether it is needed as a separate server, and its resources, depend on the actual load).

For multi-server installations, the number and purpose of role-based virtual machines and the resources allocated to them are determined individually, depending on the user's requirements.



Purpose of the article



A description of the deployment of Zextras Suite products based on the Zimbra mail server in the Yandex.Cloud environment in the single-server installation option. The resulting installation can be used in a production environment (advanced users can make the necessary settings and add resources).



Zextras Suite / Zimbra includes:



  • Zimbra is corporate email with the ability to share mailboxes, calendars and contact lists (address books).
  • Zextras Docs is a built-in office suite based on LibreOffice Online for creating and collaborating on documents, spreadsheets and presentations.
  • Zextras Drive is individual file storage that allows you to edit, store and share files and folders with other users.
  • Zextras Team – Team Basic, 1:1, Team Pro.
  • Zextras Mobile – Exchange ActiveSync, MDM (Mobile Device Management), Microsoft Outlook.
  • Zextras Admin –
  • Zextras Backup –
  • Zextras Powerstore is hierarchical storage of the mail system's objects with support for data processing classes, with the ability to store data locally or in S3-architecture cloud storage, including Yandex Object Storage.


Upon completion of the installation, the user receives a system working in the Yandex.Cloud environment.



Conditions and restrictions





  1. The allocation of disk space for mailboxes, indexes and other types of data is not described, since Zextras Powerstore supports different types of storage. The type and size of the storage depend on the tasks and parameters of the system. If necessary, this can be done later while converting the described installation into a productive one.
  2. DNS () , DNS- .. DNS-, .
  3. , . ( , «» ( « » default). , ., , , .
  4. DNS, .
  5. «» . «editor» ( « » , : , , )
  6. X.509 , TLS. , . , . ( / ) . , .


Description of the Zextras / Zimbra system installation process in the "single-server" option



1. Preliminary preparation



Before starting the installation, you must ensure:



a) Making changes to the public DNS zone (creating an A-record for the Zimbra server and MX-records for the served mail domain).

b) Configuring a virtual network infrastructure in Yandex.Cloud.



Note that changes to a DNS zone take some time to propagate, but, on the other hand, an A record cannot be created without knowing the IP address it will point to.



Therefore, the actions are performed in the following sequence:



1. Reserve a public IP address in Yandex.Cloud



1.1 In the Yandex.Cloud Console (if necessary, select the folder in the "available clouds"), go to the Virtual Private Cloud section, the IP addresses subsection, and click the "Reserve address" button. Select the preferred availability zone (or accept the proposed value; this availability zone should subsequently be used for all actions described below in Yandex.Cloud wherever the corresponding form offers a choice of availability zone). In the dialog box that opens, you can optionally select the "DDoS protection" option, then click the "Reserve" button (see also the documentation).







After the dialog is closed, a static IP address allocated by the system will be available in the list of IP addresses, which can be copied and used in the next step.







1.2 In the forward DNS zone, create an A record for the Zimbra server pointing to the previously reserved IP address, an A record for the TURN server pointing to the same IP address, and an MX record for the served mail domain. In our example, these are mail.testmail.svzcloud.ru (Zimbra server), turn.testmail.svzcloud.ru (TURN server) and testmail.svzcloud.ru (mail domain), respectively.



1.3 In Yandex.Cloud, in the selected availability zone, enable NAT to the Internet for the subnet that will be used to deploy the virtual machines.



To do this, in the Virtual Private Cloud section, subsection "Cloud networks", select the appropriate cloud network (by default only the default network is available), select the subnet in the appropriate availability zone and choose "Enable NAT to the Internet" in its settings.







The status will change in the list of subnets:







For details, see the documentation: one and two.



2. Creation of virtual machines



2.1. Creating a virtual machine for Zimbra



Sequence of actions:



2.1.1 In the Yandex.Cloud Console, go to the Compute Cloud section, the Virtual Machines subsection, and click the Create VM button (for more information on creating a VM, see the documentation).







2.1.2 There you need to set:



  • Name - arbitrary (in accordance with the format supported by Yandex.Cloud)
  • Availability zone - must match the previously selected for the virtual network.
  • In "Public Images" select Ubuntu 18.04 lts
  • In "Disks", add a boot disk of at least 80 GB. For test purposes the HDD type is sufficient (also for productive use, provided that some types of data are moved to SSD-type disks). If necessary, additional disks can be added after the VM is created.


In "computing resources" set:



  • vCPU: at least 4.
  • Guaranteed vCPU share: for the duration of the steps described in this article, at least 50%; after installation it can be reduced if necessary.
  • RAM: 8GB recommended.
  • Subnet: select a subnet for which NAT on the Internet was enabled during the preliminary preparation stage.
  • Public address: select from the list the IP address reserved earlier and used to create the A record in DNS.
  • User: as desired, but different from the root user and from the Linux system accounts.
  • Be sure to specify the public SSH key.


→ For more information on using SSH



See also Appendix 1 . Generating SSH keys in openssh and putty and converting keys from putty to openssh format.



2.1.3 After completing the configuration, click "Create VM".



2.2. Creating a virtual machine for Zextras Docs



Sequence of actions:



2.2.1 In the Yandex.Cloud Console, go to the Compute Cloud section, the Virtual Machines subsection, and click the Create VM button (for more information on creating a VM, see here).







2.2.2 There you need to set:



  • Name - arbitrary (in accordance with the format supported by Yandex.Cloud)
  • Availability zone - must match the previously selected for the virtual network.
  • In "Public Images" select Ubuntu 18.04 lts
  • In "Disks", add a boot disk of at least 80 GB. For test purposes the HDD type is sufficient (also for productive use, provided that some types of data are moved to SSD-type disks). If necessary, additional disks can be added after the VM is created.


In "computing resources" set:



  • vCPU: at least 2.
  • Guaranteed vCPU share: for the duration of the steps described in this article, at least 50%; after installation it can be reduced if necessary.
  • RAM: at least 2GB.
  • Subnet: select a subnet for which NAT on the Internet was enabled during the preliminary preparation stage.
  • Public address: no address (this machine does not need to be accessible from the Internet; it only needs outgoing access to the Internet, which is provided by the "NAT to the Internet" option of the subnet used).
  • User: as desired, but different from the root user and from the Linux system accounts.
  • Public SSH key: be sure to specify it. The private key of this pair will later be needed on the Zimbra server, because the Docs server is accessed from the Zimbra server (see clause 5.1).


See also Appendix 1. Generating SSH keys in openssh and putty and converting keys from putty to openssh format.



2.2.3 After completing the configuration, click "Create VM".



2.3 The created virtual machines will be available in the list of virtual machines, which displays, in particular, their status and used IP addresses, both public and internal. Information about the IP addresses will be required in the next steps of the installation.







3. Preparing the Zimbra server for installation



3.1 Installing updates



You need to log into the Zimbra server at its public IP address using your preferred ssh client, your private ssh key and the username you specified when creating the virtual machine.



After logging in, execute the commands:



sudo apt update
sudo apt upgrade


(when running the last command, answer “y” when asked whether you are sure of installing the proposed list of updates)



After installing the updates, you can (but not necessarily) run the command:



sudo apt autoremove


And at the end of the step, execute the command



sudo shutdown -r now


3.2 Installing applications



You need to install the NTP client to synchronize the system time and the screen application with the following command:



sudo apt install ntp screen


(when executing the last command, answer “y” when asked if you are sure of installing the attached package list)



You can also install additional utilities for the convenience of the administrator. For example, Midnight Commander can be installed with the command:



sudo apt install mc


3.3. Changing the system configuration



3.3.1 Change the value of the manage_etc_hosts parameter from true to false in the file /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg. Note: to modify this file, the editor must be run with root user rights, for example "sudo vi /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg" or, if the mc package is installed, "sudo mcedit /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg".



3.3.2 Edit /etc/hosts as follows: in the line defining the FQDN of the host, replace the address 127.0.0.1 with the internal IP address of this server, and replace the fully qualified name in the .internal zone with the public name of the server specified earlier in the A record of the DNS zone, changing the short hostname accordingly (if it differs from the short hostname of the public DNS A record).



For example, in our case, the hosts file looked like:







After editing, it took the form:







Note: the editor used to change this file must be run with root user rights, for example "sudo vi /etc/hosts" or, if the mc package is installed, "sudo mcedit /etc/hosts".



3.4 Set user password



This is necessary because the firewall will be configured later, and if any problems arise with it, a user with a password will be able to log into the virtual machine via the serial console from the Yandex.Cloud web console and disable the firewall and/or fix the error. When a virtual machine is created, the user has no password, so access is only possible over SSH with key authentication.



To set a password, run the command:



sudo passwd <username>


For example, in our case it will be the command “ sudo passwd user ”.



4. Installing Zimbra and Zextras Suite



4.1. Downloading Zimbra and Zextras Suite Distributions



4.1.1 Downloading Zimbra Distribution



Sequence of actions:



1) Go to the URL www.zextras.com/download-zimbra-9 and fill out the form. You will receive an email with links to download Zimbra for different OS.



2) Select the current version of the distribution kit for the Ubuntu 18.04 LTS platform and copy the link



3) Download the Zimbra distribution kit to the Zimbra server and unpack it. To do this, in the ssh session on the Zimbra server, execute the commands



cd ~
mkdir zimbra
cd zimbra
wget <URL copied from the email>
tar -zxf <name of the downloaded archive>


(in our example it is "tar -zxf zcs-9.0.0_OSE_UBUNTU18_latest-zextras.tgz")



4.1.2 Downloading the Zextras Suite distribution



Sequence of actions:



1) Open the URL www.zextras.com/download in the browser



2) Fill in the form by entering the required data, and click the “DOWNLOAD NOW” button







3) The download page will open







It contains two URLs of interest to us: one at the top of the page for the Zextras Suite itself, which we will need now, and the other at the bottom in the Docs Server block for Ubuntu 18.04 LTS, which will be needed later to install Zextras Docs on VM for Docs.



4) Download the Zextras Suite distribution kit to the Zimbra server and unpack it. To do this, in the ssh session on the Zimbra server, execute the commands



cd ~
mkdir zimbra
cd zimbra


(if after the previous step the current directory has not changed - the commands above can be omitted)



wget http://download.zextras.com/zextras_suite-latest.tgz
tar -zxf zextras_suite-latest.tgz


4.2. Installing Zimbra



Procedure



1) Go to the directory into which the archive was unpacked in step 4.1.1 (you can see it with the ls command while in the ~/zimbra directory).



In our example, this will be:



cd ~/zimbra/zcs-9.0.0_OSE_UBUNTU18_latest-zextras/zimbra-installer


2) Start the Zimbra installation with the command



sudo ./install.sh


3) Answering the installer's questions



You can answer the installer's questions with "y" (corresponds to "yes"), "n" (corresponds to "no"), or leave the installer's suggestion unchanged (it offers options by displaying them in square brackets, for example "[Y]" or "[N]").



Do you agree with the terms of the software license agreement? - yes.



Use Zimbra's package repository? - default (yes).



"Install zimbra-ldap?", "Install zimbra-logger?", "Install zimbra-mta?" - default (yes).



Install zimbra-dnscache? - no (the operating system has its own caching DNS server by default, so this package would conflict with it over the ports used).



Install zimbra-snmp? - if you wish, you can leave the default option (yes), you can not install this package. In our example, the default is left.



"Install zimbra-store?", "Install zimbra-apache?", "Install zimbra-spell?", "Install zimbra-memcached?", "Install zimbra-proxy?" - default (yes).



Install zimbra-drive? - no (the package is actually not supported and is functionally replaced by Zextras Drive).



Install zimbra-imapd? - by default (no).



Install zimbra-chat? - no (functionally replaced by Zextras Team)



After that, the installer asks whether to continue with the installation.





We answer "yes" if we can continue; otherwise we answer "no" and get the opportunity to change the answers to the previous questions.



After agreeing to continue, the installer will install the packages.



4) Answering the questions of the primary configurator



4.1) Since in our example the DNS name of the mail server (the name of the A record) differs from the name of the served mail domain (the name of the MX record), the configurator displays a warning and prompts you to specify the name of the served mail domain. We agree with its proposal and enter the name of the MX record. In our example, it looks like this:





Note: you can also set the accepted mail domain to be different from the server name if there is an MX record of the same name for the server name.



4.2) The configurator displays the main menu.







We need to set the Zimbra administrator password (menu item 6 in our example), without which it is impossible to continue the installation, and change the zimbra-proxy setting (menu item 8 in our example; if necessary, this setting can be changed after installation).



4.3) Changing the zimbra-store settings



At the configurator prompt, enter the menu item number and press Enter. We get to the storage settings menu:







where, in the configurator's prompt, enter the number of the Admin Password menu item (in our example, 4) and press Enter, after which the configurator offers a randomly generated password, which you can accept (remembering it) or replace with your own. In both cases, press Enter at the end, after which the marker indicating that input is awaited from the user disappears from the "Admin Password" item:







We return to the previous menu (accepting the configurator's suggestion).



4.4) Changing the zimbra-proxy settings



By analogy with the previous step, in the main menu, select the item number "zimbra-proxy" and enter it in the configurator prompt.





In the Proxy configuration menu that opens, select the item number "Proxy server mode" and enter it in the configurator's prompt.







The configurator will offer to choose one of the modes, enter “redirect” into its prompt and press Enter.



Then we return to the main menu (we agree with the suggestion of the configurator).



4.5) Launching the configuration



To launch the configuration, enter "a" in the configurator prompt. It will then ask whether to save the entered configuration to a file (which can be used for re-installation); you can accept the default proposal. If saving is chosen, it will ask which file to save the configuration to (again, you can accept the default proposal or enter your own file name).





At this stage you can still refuse to continue and make changes to the configuration, by accepting the default answer to the question "The system will be modified - continue?"



To start the installation, you must answer “Yes” to this question, after which the configurator will apply the previously entered settings for some time.



4.6) Completing Zimbra Installation



Before completing, the installer will ask whether to notify Zimbra about the installation. You can either agree with the default offer or refuse (by answering "No").



After that, the installer will perform the final operations for some time and will display a notification about the completion of the system configuration with a proposal to press any key to exit the installer.







4.3. Installing Zextras Suite



For details on installing Zextras Suite, see the instructions.



Sequence of actions:



1) Go to the directory into which the files were unpacked in step 4.1.2 (you can view it with the ls command while in the ~/zimbra directory).



In our example, this will be:



cd ~/zimbra/zextras_suite


2) Start the Zextras Suite installation with the command



sudo ./install.sh all


3) Answering the installer's questions



The installer works in the same way as the Zimbra installer, except that there is no configurator. The installer's questions can be answered with "y" (corresponds to "yes"), "n" (corresponds to "no"), or by leaving the installer's suggestion unchanged (it offers options by displaying them in square brackets, for example "[Y]" or "[N]").



To begin the installation process, you need to answer "yes" to the following questions in turn:



Do you agree with the terms of the software license agreement?

Do you wish for Zextras Suite to automatically download, install and upgrade the ZAL library?



Afterwards a notification will be displayed asking you to press Enter to continue:





After pressing Enter, the installation process will begin, sometimes interrupted by questions, to which, however, we agree with the default proposals ("yes"), namely:



Zextras Suite Core will now be installed. Proceed?

Do you wish to stop the Zimbra Web Application (mailbox)?

The Zextras Suite Zimlet will now be installed. Proceed?




Before starting the final part of the installation, a notification will be displayed about the need to configure the DOS filter with a proposal to press Enter to continue. After pressing Enter, the final part of the installation begins, at the end the final notification is displayed and the work of the installer ends.







4.4. Initial tuning of settings and determination of LDAP configuration parameters



1) All subsequent actions are performed as the zimbra user. To do this, run the command



sudo su - zimbra


2) Change the DOS filter setting with the command



zmprov mcf zimbraHttpDosFilterMaxRequestsPerSec 150


3) To install Zextras Docs, you will need information on some of the Zimbra settings. To do this, you can run the command:



zmlocalconfig -s | grep ldap


In our example, the following information will be displayed:







For further use, you will need ldap_url, zimbra_ldap_password (and zimbra_ldap_userdn, although the Zextras Docs installer usually gives correct guesses about the LDAP username).



4) Exit the zimbra user session by executing the command

logout
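The listing from step 3 contains the LDAP password in clear text, so it should not be pasted whole into a ticket or chat. The helper below is an added example (not part of the original article and not one of the Zimbra tools) that reads the three values the Docs configurator asks for out of saved zmlocalconfig output and shows the password only as a length; the sample listing is constructed and its password is not a real one.

```shell
#!/bin/sh
# Added example (not from the original article): read the LDAP settings that
# the Zextras Docs configurator asks for out of saved "zmlocalconfig -s"
# output. Save the listing first, e.g. as the zimbra user:
#   zmlocalconfig -s | grep ldap > /tmp/ldap.txt   (delete it afterwards)
set -eu

# zmlocalconfig prints "key = value" lines; print the value for one key,
# or nothing if the key is absent. Values may themselves contain "=".
zm_lc_value() {
    awk -v k="$2" '$1 == k && $2 == "=" { sub(/^[^=]*= ?/, ""); print; exit }' "$1"
}

# Print the three settings Docs needs. The password is replaced by its
# length, so the summary can be pasted somewhere visible; fetch the real
# value with zm_lc_value only at the moment the configurator asks for it.
docs_ldap_summary() {
    f="$1"
    url="$(zm_lc_value "$f" ldap_url)"
    userdn="$(zm_lc_value "$f" zimbra_ldap_userdn)"
    pw="$(zm_lc_value "$f" zimbra_ldap_password)"
    [ -n "$url" ] && [ -n "$pw" ] || return 1
    printf 'ldap_url=%s\nzimbra_ldap_userdn=%s\nzimbra_ldap_password=<%d chars, hidden>\n' \
        "$url" "$userdn" "${#pw}"
}

# Stand-alone demo on a constructed listing (not real server output).
demo="$(mktemp)"
cat > "$demo" <<'EOF'
ldap_host = mail.testmail.svzcloud.ru
ldap_port = 389
ldap_url = ldap://mail.testmail.svzcloud.ru:389
zimbra_ldap_password = s3cretExample
zimbra_ldap_userdn = uid=zimbra,cn=admins,cn=zimbra
EOF
docs_ldap_summary "$demo"
rm -f "$demo"
```

Note that ldap_url carries the public FQDN of the Zimbra server; the Docs server will only be able to reach it because clause 5.4.2 maps that name to the internal IP address in its /etc/hosts.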



5. Preparing the Docs server for installation



5.1. Uploading SSH Private Key to Zimbra Server and Login to Docs Server



The private key of the SSH key pair whose public key was used in step 2.2.2 of clause 2.2 when creating the Docs virtual machine must be placed on the Zimbra server. It can be uploaded to the server via SSH (for example, via sftp) or inserted via the clipboard (if the SSH client and its execution environment allow it).



We assume that the private key is placed in the file ~/.ssh/docs.key and that the user used to log into the Zimbra server is its owner (if this file was uploaded or created as this user, it automatically became its owner).



You must execute the command once:



chmod 600 ~/.ssh/docs.key


In the future, to enter the Docs server, you must perform the following sequence of actions:



1) Go to the Zimbra server



2) Run the command



ssh -i ~/.ssh/docs.key user@<internal IP address of the Docs server>


Where the value <internal IP address of the Docs server> can be found in the Yandex.Cloud Console, for example, as shown in clause 2.3.
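Two small helpers for this step, added here as an example and not part of the original article: a check that the key file really has the permissions that "chmod 600" produces (ssh refuses a private key readable by other users, which is why the chmod above is mandatory), and a function that writes a Host stanza so the Docs key is offered only to the Docs server. The alias "docs", the sample IP address and the temporary paths used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: check that the private key
# for the Docs server has the permissions ssh insists on (clause 5.1's
# "chmod 600 ~/.ssh/docs.key"), and write an ssh_config stanza so that key is
# offered only to the Docs host. The alias "docs" and the sample paths and
# addresses are assumptions.
set -eu

# Return 0 when the file exists, belongs to the caller and is mode 600 or 400;
# ssh refuses to use a private key that other users can read.
key_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -user "$(id -un)" \( -perm 600 -o -perm 400 \) -print)" ]
}

# Append "Host docs" to an ssh_config file. IdentitiesOnly keeps ssh from
# trying every key in ~/.ssh (and the agent) against the Docs server, and
# a second stanza for the same alias is refused instead of appended.
write_docs_host_entry() {
    cfg="$1" ip="$2" user="$3" key="$4"
    if [ -f "$cfg" ] && grep -q '^Host docs$' "$cfg"; then
        return 1
    fi
    {
        printf 'Host docs\n'
        printf '    HostName %s\n' "$ip"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'
    } >> "$cfg"
}

# Stand-alone demo on constructed files; on the real server the arguments
# would be ~/.ssh/config, the internal IP from clause 2.3, the login user
# and ~/.ssh/docs.key.
demo_dir="$(mktemp -d)"
printf 'constructed, not a real key\n' > "$demo_dir/docs.key"
chmod 644 "$demo_dir/docs.key"
key_perms_ok "$demo_dir/docs.key" && echo "unexpected: mode 644 accepted"
chmod 600 "$demo_dir/docs.key"
key_perms_ok "$demo_dir/docs.key" && echo "key permissions ok"
write_docs_host_entry "$demo_dir/config" 10.128.0.11 user "$demo_dir/docs.key"
cat "$demo_dir/config"
rm -rf "$demo_dir"
```

With the stanza in ~/.ssh/config, the command from step 2 shortens to "ssh docs".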



5.2. Installing updates



After logging into the Docs server, execute the commands similar to those for the Zimbra server:



sudo apt update
sudo apt upgrade


(when running the last command, answer “y” when asked whether you are sure of installing the proposed list of updates)



After installing the updates, you can (but not necessarily) run the command:



sudo apt autoremove


And at the end of the step, execute the command



sudo shutdown -r now


5.3. Installing applications



You need to install the NTP client to synchronize the system time and the screen application, as was done for the Zimbra server, with the following command:



sudo apt install ntp screen


(when executing the last command, answer “y” when asked if you are sure of installing the attached package list)



You can also install additional utilities for the convenience of the administrator. For example, Midnight Commander can be installed with the command:



sudo apt install mc


5.4. Changing the system configuration



5.4.1. In the file /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg, as for the Zimbra server, change the value of the manage_etc_hosts parameter from true to false.



Note: to modify this file, the editor must be run with root user rights, for example "sudo vi /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg" or, if the mc package is installed, "sudo mcedit /etc/cloud/cloud.cfg.d/95-yandex-cloud.cfg".



5.4.2. Edit /etc/hosts, adding the public FQDN of the Zimbra server to it, but with the internal IP address assigned by Yandex.Cloud. This operation is not required if you have an administrator-managed internal DNS server used by the virtual machines (for example, in a productive environment) that resolves the public FQDN of the Zimbra server to the internal IP address for requests from the internal network. (For requests from the Internet, the FQDN of the Zimbra server must resolve to the public IP address, and the TURN server name must always resolve to the public IP address, including for requests from internal addresses.)



For example, in our case, the hosts file looked like this:







After editing, it took the form:







Note: to change this file, the editor must be run with root user rights, for example "sudo vi /etc/hosts" or, if the mc package is installed, "sudo mcedit /etc/hosts".
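The /etc/hosts and cloud-init edits of steps 3.3.1-3.3.2 (Zimbra server) and 5.4.1-5.4.2 (Docs server) are easy to get subtly wrong by hand, and cloud-init silently undoes them on the next boot if manage_etc_hosts is left at true. The functions below are an added example, not part of the original article: they perform both edits on a file you name, so the result can be produced on a copy, inspected, and only then installed with sudo. The host names in the .internal zone and the IP addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: the /etc/hosts and
# cloud-init edits from steps 3.3.1-3.3.2 (Zimbra server) and 5.4.1-5.4.2
# (Docs server) as functions that work on a file you name, so the result can
# be checked on a copy and then installed with sudo. IP addresses and the
# .internal names used in the demo are constructed.
set -eu

# Step 3.3.1 / 5.4.1: set manage_etc_hosts to false so cloud-init stops
# regenerating /etc/hosts on every boot and overwriting the edits below.
disable_manage_etc_hosts() {
    cfg="$1"
    tmp="$(mktemp)"
    sed -E 's/^([[:space:]]*manage_etc_hosts[[:space:]]*:[[:space:]]*)true[[:space:]]*$/\1false/' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
    grep -Eq '^[[:space:]]*manage_etc_hosts[[:space:]]*:[[:space:]]*false[[:space:]]*$' "$cfg"
}

# Print the first address a hosts file maps a name to (empty when absent).
hosts_lookup() {
    awk -v n="$2" '$0 !~ /^[ \t]*#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# Step 3.3.2 (Zimbra server): replace the cloud-init line that names the host
# in the .internal zone with "<internal ip> <public fqdn> <short name>".
rewrite_hosts_fqdn() {
    hosts="$1" ip="$2" fqdn="$3"
    short="${fqdn%%.*}"
    tmp="$(mktemp)"
    awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" '
        !done && $0 ~ /\.internal([ \t]|$)/ { print ip, fqdn, short; done = 1; next }
        { print }
        END { if (!done) print ip, fqdn, short }
    ' "$hosts" > "$tmp"
    cat "$tmp" > "$hosts"
    rm -f "$tmp"
}

# Step 5.4.2 (Docs server): map the public FQDN of the Zimbra server to its
# internal address. A second call with the same pair is a no-op; a different
# address for a name already present is refused rather than silently changed.
add_hosts_entry() {
    hosts="$1" ip="$2" fqdn="$3"
    existing="$(hosts_lookup "$hosts" "$fqdn")"
    if [ -n "$existing" ]; then
        if [ "$existing" = "$ip" ]; then return 0; fi
        return 1
    fi
    printf '%s %s\n' "$ip" "$fqdn" >> "$hosts"
}

# Stand-alone demo on constructed files (run the same calls against copies of
# the real files, inspect them, then install with "sudo cp").
demo_dir="$(mktemp -d)"
printf 'manage_etc_hosts: true\n' > "$demo_dir/95-yandex-cloud.cfg"
printf '127.0.0.1 localhost\n127.0.0.1 zimbra.ru-central1.internal zimbra\n' > "$demo_dir/hosts.zimbra"
printf '127.0.0.1 localhost\n' > "$demo_dir/hosts.docs"
disable_manage_etc_hosts "$demo_dir/95-yandex-cloud.cfg"
rewrite_hosts_fqdn "$demo_dir/hosts.zimbra" 10.128.0.10 mail.testmail.svzcloud.ru
add_hosts_entry "$demo_dir/hosts.docs" 10.128.0.10 mail.testmail.svzcloud.ru
cat "$demo_dir/hosts.zimbra" "$demo_dir/hosts.docs"
rm -rf "$demo_dir"
```

The refusal in add_hosts_entry is deliberate: a stale mapping of the Zimbra FQDN to a different address would send the Docs server's LDAP and proxy traffic to the wrong host, and that should be noticed rather than overwritten.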



6. Installing Zextras Docs



6.1. Log in to the Docs server



The procedure for logging into the Docs server is described in clause 5.1.



6.2. Downloading the Zextras Docs distribution kit



Sequence of actions:



1) From the page from which the Zextras Suite distribution was downloaded in clause 4.1.2 (step 3), copy the URL of the Docs build for Ubuntu 18.04 LTS (if it was not copied earlier).



2) Download the Zextras Docs distribution kit to the Docs server and unpack it. To do this, in the ssh session on the Docs server, execute the commands



cd ~
mkdir zimbra
cd zimbra
wget <URL of the Docs build>


(in our case, the command "wget download.zextras.com/zextras-docs-installer/latest/zextras-docs-ubuntu18.tgz" is executed)



tar -zxf <name of the downloaded archive>


(in our case, the command "tar -zxf zextras-docs-ubuntu18.tgz" is executed)



6.3. Installing Zextras Docs



For details on installing and configuring Zextras Docs, see here.



Sequence of actions:



1) Go to the directory into which the files were unpacked in step 6.2 (you can view it with the ls command while in the ~/zimbra directory).



In our example, this will be:



cd ~/zimbra/zextras-docs-installer


2) Start the Zextras Docs installation with the command



sudo ./install.sh


3) Answering the installer's questions



You can answer the installer's questions with "y" (corresponds to "yes"), "n" (corresponds to "no"), or leave the installer's suggestion unchanged (it offers options by displaying them in square brackets, for example "[Y]" or "[N]").



System will be modified, would you like to proceed? - accept the default option ("yes").



After that, the installation of dependencies will begin: the installer will show which packages it wants to install and ask for confirmation to install them. In all cases, we agree with the default offers.



For example, it might ask "python2.7 not found. Would you like to install it?", "python-ldap not found. Would you like to install it?", etc.



After installing all the necessary packages, the installer asks for consent to install Zextras Docs:



Would you like to install Zextras DOCS? - accept the default option ("yes").



After that, the Zextras Docs packages themselves are installed for some time, and then the configurator questions follow.



4) Answering the questions of the configurator



The configurator asks for the configuration parameters in turn; in response, enter the values obtained in step 3 of clause 4.4 (Initial tuning of settings and determination of LDAP configuration parameters).



In our example, the settings are as follows:







5) Completing the Zextras Docs installation



After answering the configurator's questions, the installer completes the local Docs configuration and registers the installed service on the main Zimbra server installed earlier.



For a single-server installation this is usually enough, but in some cases (if documents do not open in Docs on the Drive tab of the web client) you may need to perform an action that is mandatory for a multi-server installation: in our example, on the main Zimbra server, run the commands /opt/zimbra/libexec/zmproxyconfgen and zmproxyctl restart as the zimbra user.



7. Initial configuration of Zimbra and Zextras Suite (except Team)



7.1. Initial login to the admin console



Log in via the browser at the URL: https://<FQDN of the Zimbra server>:7071



If you wish, you can log in to the web client at the URL: https://<FQDN of the Zimbra server>



When you log in, browsers show a warning about an unsafe connection because the certificate cannot be verified. You must confirm to the browser that you want to proceed despite the warning. This is because after installation a self-signed X.509 certificate is used for TLS connections; it can later (and in productive use, must) be replaced with a commercial certificate or another certificate recognized by the browsers in use.



In the authentication form, enter the username in the form admin@<your served mail domain> and the Zimbra administrator password specified in step 4.3 of clause 4.2 when installing the Zimbra server.



In our example, it looks like this:



Admin Console:





Web client:





Note 1. If you do not specify a serviced mail domain when logging into the administrator console or the web client, users will be authenticated in the mail domain created during the Zimbra server installation. After installation, this is the only accepted mail domain that exists on this server, but additional mail domains may be added during system operation, and then the explicit indication of the domain in the username will make a difference.



Note 2. When logging into the web client, the browser may ask for permission to display notifications from the site. You must agree to receive notifications from this site.



Note 3. After logging into the administrator console, a notification may be displayed that there are messages for the administrator, usually a reminder to configure Zextras Backup and/or to purchase a Zextras license before the default trial license expires. These actions can be performed later, so the messages present at the time of login can be ignored and/or marked as read in the Zextras menu: Zextras Alert.







Note 4. Note in particular that the server status monitor shows the Docs service as "not available" even when Docs works correctly in the web client:







This is a peculiarity of the trial version and can only be resolved after purchasing a license and contacting support.



7.2. Deploying Zextras Suite components



In the Zextras: Core menu, click Deploy for each zimlet you intend to use. Deploy only the ones you actually need: a deployed zimlet is code loaded into the web client of the users it is enabled for.







When a zimlet is deployed, a dialog with the result of the operation is shown, of the following type:







In our example all Zextras Suite zimlets are deployed, after which the Zextras: Core form looks like this:







7.3. Changing access settings



7.3.1. Changing global settings



In the Settings: Global settings, Proxy server submenu, change the following parameters:



Web proxy mode: redirect

Enable administration console proxy server: check the box.

Then click "Save" in the upper right part of the form.



In our example, after the changes made, the form looks like this:







7.3.2. Changes to the main Zimbra server settings



In the Setup menu: Servers: <name of the main Zimbra server>, Proxy server submenu, change the following parameters:



Web proxy mode: click "Reset to default" (this does not change the value itself, since it was already set during installation).

Enable administration console proxy server: make sure the box is checked (the default should have been applied; if not, click "Reset to default" and/or check it manually).

Then click "Save" in the upper right part of the form.



In our example, after the changes have been made, the form looks like this:







Note: if logging in on the new port does not work, the proxy may need to be restarted (see 7.4).



7.4. New login to the administrator console



Log in to the administrator console in the browser at https://<FQDN_of_the_Zimbra_server>:9071

Use this URL for all further logins.



Note: for a single-server installation the change made in the previous step is usually sufficient, but in some cases (if the server page is not displayed at the URL above) you may need to perform an action that is mandatory for a multi-server installation: in our example, run /opt/zimbra/libexec/zmproxyconfgen and then zmproxyctl restart on the main Zimbra server as the zimbra user.



7.5. Editing the default COS



From the Setup: Class of Service menu, select the COS named "default".



In the "Features" submenu, clear the "Briefcase" checkbox, then click "Save" in the upper right part of the form.



In our example, after configuration, the form looks like this:







It is also recommended to check "Enable file and folder sharing" in the Drive submenu and then click "Save" in the upper right part of the form.



In our example, after configuration, the form looks like this:







In a test environment, Team Pro functions can be enabled in the same class of service: in the Team submenu, check the box of the same name, after which the configuration form looks like this:







With Team Pro features disabled, users only have access to Team Basic features.

Note that Zextras Team Pro is licensed separately from Zextras Suite, so it can be purchased for fewer mailboxes than Zextras Suite itself; Team Basic features are included in the Zextras Suite license. In a production environment it may therefore be necessary to create a separate class of service for Team Pro users that includes the corresponding functionality.



7.6. Firewall Configuration



Required on the main Zimbra server:



a) Allow access from the Internet to the ssh, http/https, imap/imaps, pop3/pop3s and smtp ports (the main port 25 and the additional ports 465 and 587 used by mail clients) and to the administration console port. If your administrators connect from fixed addresses, restrict ssh to those addresses instead of the whole Internet.



b) Allow all connections from the internal network (for which NAT to the Internet was enabled in step 1.3 of section 1).



No firewall configuration is needed on the Zextras Docs server, since it cannot be accessed from the Internet.



To do this, perform the following steps:



1) Open a text console on the main Zimbra server. When logging in via SSH, first run the "screen" command so that command execution is not interrupted if the connection to the server is temporarily lost while the firewall settings change.



2) Run the commands



sudo ufw allow 22,25,80,110,143,443,465,587,993,995,9071/tcp
sudo ufw allow from <internal_network>/<prefix_length>
sudo ufw enable


In our example, it looks like this:







7.7. Checking access to the web client and the administrator's console



To verify the firewall, open the following URLs in the browser:



Administrator console: https://<FQDN_of_the_Zimbra_server>:9071

Web client: http://<FQDN_of_the_Zimbra_server> (it should redirect automatically to https://<FQDN_of_the_Zimbra_server>)

At the same time, the administrator console must not open from the Internet at the old URL https://<FQDN_of_the_Zimbra_server>:7071 (it remains reachable from the internal network allowed in step b).
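The rule set from 7.6 and the reachability check from 7.7, combined into one script as an added example; it is not part of the original article or of ufw's or Zimbra's own tooling. It assumes ufw is the firewall in use, that the internal network is given as an IPv4 CIDR, and that bash and the coreutils timeout command are available on the machine running the check. The internal network 10.128.0.0/24 and the host name mail.example.com in the usage comment are hypothetical.

```shell
# Added example: the 7.6 firewall rules with two guard rails, and the 7.7 check.

# Ports the main Zimbra server must accept from the Internet (section 7.6 a).
# 7071 is deliberately absent: the admin console is published on 9071 through
# the proxy (sections 7.3 and 7.4) and 7071 must stay closed to the Internet.
ZIMBRA_PUBLIC_TCP="22,25,80,110,143,443,465,587,993,995,9071"

# Return 0 only for a syntactically valid IPv4 CIDR inside RFC 1918 space.
# Guards the "allow everything from the internal network" rule against a typo
# such as 0.0.0.0/0 or a public range, which would open every port to everyone.
is_private_cidr() {
    cidr=$1; ip=${cidr%/*}; prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1                  # no "/" present
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    IFS=. read -r a b c d <<EOF
$ip
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac      # missing/non-numeric octet
        [ "$o" -le 255 ] || return 1
    done
    [ "$prefix" -le 32 ] || return 1
    if [ "$a" -eq 10 ] && [ "$prefix" -ge 8 ]; then return 0; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && [ "$prefix" -ge 12 ]; then return 0; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && [ "$prefix" -ge 16 ]; then return 0; fi
    return 1
}

# Print the ufw commands for the given internal network; refuses unsafe input.
zimbra_fw_rules() {
    is_private_cidr "$1" || { echo "refusing internal network '$1': not a private IPv4 CIDR" >&2; return 1; }
    printf '%s\n' \
        "ufw allow ${ZIMBRA_PUBLIC_TCP}/tcp" \
        "ufw allow from $1" \
        "ufw --force enable"
}

# Show the commands; run them with sudo only when APPLY=1 (run inside "screen").
zimbra_fw_apply() {
    zimbra_fw_rules "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then sudo $cmd; else echo "dry-run: $cmd"; fi
    done
}

# Section 7.7 check, run from outside the internal network: returns 0 when the
# observed state of host:port matches the expectation ("open" or "closed").
expect_port() {
    host=$1; port=$2; want=$3
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then got=open; else got=closed; fi
    [ "$got" = "$want" ] && echo "ok: $host:$port is $got" \
        || { echo "FAIL: $host:$port is $got, expected $want"; return 1; }
}

# Usage (hypothetical names):
#   zimbra_fw_apply 10.128.0.0/24              # dry run; APPLY=1 to really apply
#   expect_port mail.example.com 9071 open
#   expect_port mail.example.com 443 open
#   expect_port mail.example.com 7071 closed
```

The dry run exists so that the generated rules can be read before anything is applied; an "allow from" rule with the wrong network is the kind of mistake that is easy to make in a console and hard to notice afterwards.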



The web client in our example looks like this:







Note. When logging in to the web client, the browser may ask for permission to show notifications from the site. Agree to receive notifications from this site.



8. Ensuring the operation of audio and video conferencing in Zextras Team



8.1. General Information



The steps described below are not needed if all Zextras Team clients can reach each other without NAT (the Zimbra server itself may be reached through NAT; what matters is that there is no NAT between the clients), or if only the text messenger is used.



To ensure interaction between clients in the audio and video conferencing mode:



a) You must install a TURN server or use an existing one.



b) Because a TURN server usually also provides STUN functionality, it is recommended to use it in that role as well (public STUN servers can be used instead, but STUN alone is usually not sufficient).



In a production environment, because of the potentially high load, it is recommended to run the TURN server on a separate virtual machine. For testing and/or light load, the TURN server can share the main Zimbra server. Keep in mind that anyone who holds the TURN credential can have the relay open connections on their behalf from the TURN host; if TURN shares a host with Zimbra, check whether your TURN software can be told not to relay to loopback and internal addresses, and restrict it if it can.



In our example we install the TURN server on the main Zimbra server. Installing TURN on a separate server is the same, except that the steps for installing and configuring the TURN software are performed on the TURN server, and the steps for configuring Zimbra to use it are performed on the main Zimbra server.



8.2. Installing the TURN server



After connecting to the main Zimbra server via SSH, run the command



sudo apt install resiprocate-turn-server


8.3. TURN server setup



Note. All of the configuration files below must be edited as root, for example "sudo vi /etc/reTurn/reTurnServer.config" or, if the mc package is installed, "sudo mcedit /etc/reTurn/reTurnServer.config".



Simplified user creation



To simplify creating and debugging a test connection to the TURN server, we disable hashed passwords in the TURN server's user database. With hashing disabled the password is stored in clear text in users.txt, so keep that file's permissions tight. In a production environment hashed passwords are recommended; in that case generate the password hashes as described in the comments in /etc/reTurn/reTurnServer.config and /etc/reTurn/users.txt.



Sequence of actions:



1) Edit the file /etc/reTurn/reTurnServer.config



Change the value of the "UserDatabaseHashedPasswords" parameter from "true" to "false".



2) Edit the /etc/reTurn/users.txt file.



In it, set the user name, password and realm (arbitrary; it is not used when configuring the Zimbra side) and set the account state to "AUTHORIZED".



In our example, the file initially looked like this:







After editing it took the form:







3) Apply the configuration



Run the command



sudo systemctl restart resiprocate-turn-server


8.4. Configuring a firewall for the TURN server



At this stage you add the firewall rules the TURN server needs: access to the main port on which the server accepts requests, and to the dynamic port range the server uses for media streams.



The ports are given in /etc/reTurn/reTurnServer.config; in our case these are:







and







To set the firewall rules, you need to run the commands



sudo ufw allow 3478,49152:65535/udp
sudo ufw allow 3478,49152:65535/tcp


8.5. Configuring the use of the TURN server in Zimbra



The configuration uses the FQDN of the TURN server created in step 1.2 of section 1, which must resolve on the DNS servers to the same public IP address both for requests from the Internet and for requests from internal addresses.



View the current configuration with "zxsuite team iceServer get", run as the zimbra user.



For more information on configuring the use of a TURN server, see the "Installing Zextras Team to Use a TURN Server" section in the documentation .



To configure, you need to run the following commands on the Zimbra server:



sudo su - zimbra
zxsuite team iceServer add stun:<TURN_FQDN>:3478?transport=udp
zxsuite team iceServer add turn:<TURN_FQDN>:3478?transport=udp credential <password> username <username>
zxsuite team iceServer add stun:<TURN_FQDN>:3478?transport=tcp
zxsuite team iceServer add turn:<TURN_FQDN>:3478?transport=tcp credential <password> username <username>
zxsuite team iceServer add stun:<TURN_FQDN>:3478
logout


As <username> and <password>, use the user name and password set in step 2 of section 8.3. This credential is delivered to the browser of every Team client when a call is set up (that is how WebRTC clients reach the TURN relay), so use a dedicated random password for it and do not reuse it anywhere else.
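The user creation from 8.3 and the iceServer commands from 8.5, as an added example that is not part of the original article or of reTurn's or Zextras' own tooling. It generates a dedicated TURN credential, produces the users.txt record in both the plaintext form used in this test setup (UserDatabaseHashedPasswords=false) and the hashed form recommended for production, and prints the matching zxsuite commands. Assumptions: the users.txt record layout is username:password:realm:state (the comments in /etc/reTurn/users.txt are authoritative and should be checked); the hashed password is HA1 = MD5("user:realm:password") as in the long-term credential mechanism of RFC 5389, which means that in hashed mode the realm in the record must be the realm the TURN server itself announces, since it is part of the hash; md5sum or openssl is installed. The names turn.example.com and zimbra in the usage comment are hypothetical.

```shell
# Added example: TURN user record (plain or hashed) and Zimbra iceServer commands.

# MD5 of a string as lowercase hex (md5sum, with openssl as fallback).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/.*= *//'
    fi
}

# 24 characters of URL-safe base64 from /dev/urandom: no ':' (the users.txt
# delimiter) and not guessable. Every Team client receives this value for ICE,
# so it must be a dedicated secret, not a password reused anywhere else.
turn_password() {
    head -c 18 /dev/urandom | base64 | tr '/+' '_-'
}

# HA1 as assumed for reTurn's hashed mode: MD5("user:realm:password").
turn_ha1() {   # user realm password
    md5_hex "$1:$2:$3"
}

# One users.txt record (assumed layout username:password:realm:state).
# mode is "plain" (this article's test setup) or "hashed" (production).
turn_user_record() {   # user realm password mode
    if [ "$4" = hashed ]; then
        printf '%s:%s:%s:AUTHORIZED\n' "$1" "$(turn_ha1 "$1" "$2" "$3")" "$2"
    else
        printf '%s:%s:%s:AUTHORIZED\n' "$1" "$3" "$2"
    fi
}

# The five iceServer entries from section 8.5 for a given TURN host name.
turn_ice_commands() {   # fqdn user password
    printf '%s\n' \
        "zxsuite team iceServer add stun:$1:3478?transport=udp" \
        "zxsuite team iceServer add turn:$1:3478?transport=udp credential $3 username $2" \
        "zxsuite team iceServer add stun:$1:3478?transport=tcp" \
        "zxsuite team iceServer add turn:$1:3478?transport=tcp credential $3 username $2" \
        "zxsuite team iceServer add stun:$1:3478"
}

# Usage (hypothetical names):
#   pw=$(turn_password)
#   turn_user_record zimbra turn.example.com "$pw" plain  | sudo tee -a /etc/reTurn/users.txt
#   turn_ice_commands turn.example.com zimbra "$pw"        # run the output as the zimbra user
```

Keep the generated password only in the two places that need it, users.txt on the TURN host and the Zimbra iceServer configuration; the shell history of the session in which it was generated is worth clearing.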



In our example, it looks like this:







9. Allowing outgoing mail over SMTP



According to the documentation, in Yandex.Cloud outgoing traffic to TCP port 25, both to the Internet and to Yandex Compute Cloud virtual machines, is always blocked when it goes through a public IP address. This does not prevent receiving mail for the served mail domain from other mail servers, but it does prevent the Zimbra server from sending mail outside.



The documentation states that Yandex.Cloud can open TCP port 25 on a support request, provided the Acceptable Use Policy is followed, and reserves the right to block the port again if the rules are violated. To open the port, contact Yandex.Cloud support.



Appendix



Generating SSH keys with OpenSSH and PuTTY, and converting keys from PuTTY format to OpenSSH



1. Generating SSH key pairs



On Windows with PuTTY: run puttygen.exe and click "Generate".



On Linux: run the command



ssh-keygen


2. Converting keys from putty format to openssh



On Windows, the steps are:



  1. Run puttygen.exe program.
  2. Load the private key in ppk format, for which use the File → Load private key menu item.
  4. Enter the passphrase, if the key has one.
  5. The public key in OpenSSH format is shown in puttygen in the field "Public key for pasting into OpenSSH authorized_keys file".
  5. To export a private key to OpenSSH format, select Conversions → Export OpenSSH key in the main menu
  6. Save the private key to a new file.


On Linux



1. Install the PuTTY tools package. On Ubuntu and other Debian-based distributions:



sudo apt-get install putty-tools


On RPM-based (yum) distributions such as CentOS:



yum install putty


2. To convert the private key, run:



puttygen <key.ppk> -O private-openssh -o <key_openssh>


3. To produce the public key (if needed):



puttygen <key.ppk> -O public-openssh -o <key_openssh.pub>
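The generation and conversion steps above as one script, with the file permissions OpenSSH requires and a sanity check of a public key line before it is pasted into authorized_keys (the text box in puttygen is easy to copy with a wrapped line). This is an added example, not part of the original article or of PuTTY's tooling; it assumes ssh-keygen and puttygen (putty-tools) are installed, the Ed25519 key type is a choice made here rather than something the article prescribes, and the file names and the test key below are hypothetical (the key blob is constructed, not a real key).

```shell
# Added example: key generation, ppk conversion with safe permissions, and a
# format check for OpenSSH public key lines.

# Generate an Ed25519 key pair (interactive passphrase prompt). -a 64 raises
# the KDF rounds that protect the passphrase; the key type is our choice.
make_ed25519_key() {   # path comment
    ssh-keygen -t ed25519 -a 64 -C "$2" -f "$1" && chmod 600 "$1"
}

# Convert a PuTTY .ppk to OpenSSH private and public files. The subshell's
# umask makes the private key 0600 from the moment it is written.
ppk_to_openssh() {   # key.ppk out_private
    (
        umask 077
        puttygen "$1" -O private-openssh -o "$2" &&
        puttygen "$1" -O public-openssh -o "$2.pub" &&
        chmod 644 "$2.pub"
    )
}

# Return 0 if the string is one well-formed OpenSSH public key line:
# "<type> <base64> [comment]" on a single line, with a known key type and a
# base64 blob of valid characters whose length is a multiple of 4. For
# Ed25519 the blob must carry the fixed wire-format prefix and be 68 chars.
pubkey_line_ok() {
    line=$1
    [ "$(printf '%s' "$line" | wc -l | tr -d ' ')" -eq 0 ] || return 1   # wrapped
    set -- $line
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com) ;;
        *) return 1 ;;
    esac
    case $2 in ''|*[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#2} % 4 )) -eq 0 ] || return 1
    case $1:$2 in
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5AAAAI*) [ ${#2} -eq 68 ] ;;
        ssh-ed25519:*) return 1 ;;
        *) ;;
    esac
}

# Usage (hypothetical names):
#   make_ed25519_key ~/.ssh/zimbra_yc "admin@workstation"
#   ppk_to_openssh zimbra_yc.ppk ~/.ssh/zimbra_yc
#   pubkey_line_ok "$(cat ~/.ssh/zimbra_yc.pub)" && echo "ok to paste into authorized_keys"
```

A key line that fails the check will also be silently ignored by sshd when it is in authorized_keys, which is a confusing failure to debug from the cloud console side; checking before the paste is cheaper.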


Result



After installation according to these recommendations, the user has a Zimbra mail server deployed in the Yandex.Cloud infrastructure with the Zextras extensions for corporate communication and document collaboration. The settings are made with certain restrictions for a test environment, but it is not difficult to move the installation to production mode and add options such as the use of Yandex.Cloud object storage. For questions on developing and using the solution, contact the Zextras partner SVZ or Yandex.Cloud representatives.



For all questions related to Zextras Suite, you can contact the Representative of the Zextras company Ekaterina Triandafilidi by e-mail katerina@zextras.com


