Wiki source code of Zimbra Collaboration Server

Version 1.1 by Sebastian Marsching on 2022/04/03 22:51
Show last authors
1 {{toc/}}
2
3 # Using MailStore Archiving with Zimbra
4
5 This is a short description of how I configure [Zimbra](http://www.zimbra.com/) to work with the [MailStore](http://www.mailstore.com/) archiving software.
6
7 Changes in configuration file `/opt/zimbra/conf/amavisd.conf.in`:
8
9 ```diff
10 --- amavisd.conf.in.zimbra-dist 2011-06-03 20:22:33.856452812 +0200
11 +++ amavisd.conf.in 2011-06-03 20:22:45.686544874 +0200
12 @@ -156,6 +156,10 @@
13 # $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
14 %%uncomment SERVICE:archiving%%$archive_quarantine_method = 'smtp:[127.0.0.1]:10025';
15
16 +# Enable archiving to fixed e-mail address
17 +$archive_quarantine_method = 'smtp:[127.0.0.1]:10025';
18 +@archive_quarantine_to_maps = ('my-archiving-address@example.com');
19 +
20 %%uncomment VAR:zimbraAmavisQuarantineAccount%%$final_virus_destiny = D_DISCARD;
21 $final_banned_destiny = D_BOUNCE;
22 $final_spam_destiny = D_DISCARD;
23 ```
24
25 This should send every e-mail passed through Zimbra to the address `my-archiving-address@example.com`. This is the POP3 or IMAP mailbox that [MailStore](https://sebastian.marsching.com/wiki/MailStore) uses to receive all e-mails. Amavis will take care of writing headers that help [MailStore](https://sebastian.marsching.com/wiki/MailStore) identify to which e-mail address the e-mail actually belongs, so that it can be archived in the right [MailStore](https://sebastian.marsching.com/wiki/MailStore) account.
26
27 I have been using this configuration with ZCS 7.1, 7.2 and 8.6. For other versions, the configuration file and thus the changes might look different.
28
29 # Make Zimbra only accept mail for existing accounts
30
31 By default, Zimbra accepts e-mails for addresses which are not valid and later sends a bounce mail. Unfortunately this can cause SPAM back-scatter and thus should be avoided (also see my [blog article](http://sebastian.marsching.com/blog/archives/97-Fighting-SPAM-Bounces-with-Exim-Part-I.html)).
32
33 In Zimbra 8.6 it is very simple to change this behavior:
34
35 ```bash
36 zmprov mcf +zimbraMtaRestriction reject_unverified_recipient
37 ```
38
39 ## Effect on Hosts Listed in zimbraMtaMyNetworks
40
41 The change described above will have no effect on hosts listed in `zimbraMtaMyNetworks`. Therefore, if you have mail-server acting as a front-end to the Zimbra server, you should not list it in `zimbraMtaMyNetworks`. `zimbraMtaMyNetworks` should only contain the Zimbra server itself (and the loopback address).
42
43 However, for OpenDKIM and [SpamAssassin](https://sebastian.marsching.com/wiki/SpamAssassin), you also want to trust your other mail servers. You can get this effect by editing the configuration files and adding the appropriate IP addresses there:
44
45 `/opt/zimbra/conf/opendkim-localnets.conf.in` (Zimbra 8 only):
46
47 %%zimbraMtaMyNetworksPerLine%%
48 192.0.2.1/32
49 [2001:db8::1]/128
50
51 %%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%% 192.0.2.1/32 [2001:db8::1]/128
52
53 In recent Zimbra versions (ZCS 8.5 and newer) it might be more elegant to add your own `trusted_networks` line to `/opt/zimbra/data/spamassassin/localrules/sauser.cf`.
54
55 **Important note:** Earlier versions of this tutorial suggested also adding the hosts to the `@mynetworks` list in `amavisd.conf.in`. However, this is not a good idea because it will cause [SpamAssassin](https://sebastian.marsching.com/wiki/SpamAssassin) to treat all e-mail as "submitted" by an authenticated client and thus it will also treat all hosts as trusted, even if it would not otherwise (as explained on the [SpamAssassin mailing list](http://mail-archives.apache.org/mod_mbox/spamassassin-users/201604.mbox/%3Cxn0k4sewlxfk5pi005%40news.gmane.org%3E)). For this reason, `zimbraMtaMyNetworks` should only contain the Zimbra server itself and the `@mynetworks` option in the Amavis configuration should not be changed.
56
57 # Mailbox Selected READ-ONLY Error in Thunderbird
58
59 Sometimes Thunderbird report the error "Mailbox selected READ-ONLY" when trying to move an e-mail from the inbox. The e-mail is copied to the target folder but not removed from the inbox. Besides the read flag will not be set correctly.
60
61 This problem seems to be related to the [Ehcache feature](http://www.zimbra.com/forums/administrators/58281-7-2-0-mailbox-selected-read-only-errors.html) in Zimbra. For me disable Ehcache solved the problem in Zimbra 7 and 8:
62
63 ```bash
64 zmlocalconfig -e imap_use_ehcache=false
65 ```
66
67 # IPv6 and Zimbra 8
68
69 There are two potential problems when using Zimbra 8 on a IPv6-enabled host: The first problem concerns OpenLDAP and the second one concerns OpenDKIM.
70
71 ## Fixing the OpenLDAP Problem
72
73 Fixing the OpenLDAP problem is easy: Set the local configuration option `ldap_bind_url` to `ldap:///`:
74
75 ```bash
76 zmlocalconfig -e ldap_bind_url=ldap:///
77 ```
78
79 After this change you have to restart Zimbra. For details refer to the [article in my blog](http://sebastian.marsching.com/blog/archives/126-OpenLDAP-Server-not-listening-on-IPv6-Socket-in-Zimbra-8.html).
80
81 This change should survive minor Upgrades of Zimbra (e.g. from Zimbra 8.0.3 to Zimbra 8.0.5).
82
83 ## Fixing the OpenDKIM Problem
84
85 Fixing the OpenDKIM problem is a bit more tricky: You have to edit the file `/opt/zimbra/conf/opendkim.conf.in` and change the line
86
87 Socket %%zimbraInetMode%%:8465@[%%zimbraLocalBindAddress%%]
88
89 to
90
91 Socket inet:8465@[127.0.0.1]
92
93 After this change you have to restart Zimbra. For details refer to the [article in my blog](http://sebastian.marsching.com/blog/archives/124-OpenDKIM-bug-in-Zimbra-Collaboration-Server.html).
94
95 Unfortunately, this change is overwritten when updating Zimbra, therefore it has to be applied again after each update.
96
97 # Fixing the zmsaupdate cron-job
98
99 Some of versions of Zimbra (I noticed it in Zimbra 8.0.6) have a bug that causes the cron job for `zmsaupdate` to fail if `/bin/sh` is not pointing to a Bource Again Shell (Bash) (e.g. Ubuntu 12.04 LTS). The error message (send to the local `zimbra` user) looks like that:
100
101 /bin/sh: 28: /opt/zimbra/.bashrc: [[: not found
102 /bin/sh: 36: [: Linux: unexpected operator
103
104 The fix for this is simple: The command has to be wrapped in a call to Bash. This can be done by editing Zimbra's crontab (`crontab -u zimbra -e`) and changing the line
105
106 45 0 * * * . /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate
107
108 to
109
110 45 0 * * * /bin/bash -c ". /opt/zimbra/.bashrc; /opt/zimbra/libexec/zmsaupdate"
111
112 # SSL / TLS options
113
114 ## Disabling SSLv3
115
116 The [article in the Zimbra Wiki](https://wiki.zimbra.com/wiki/How_to_disable_SSLv3) extensively describes how to disable SSLv3. Since Zimbra 8.6, the supported TLS protocol versions can be controlled through the `zimbraMailboxdSSLProtocols` and `zimbraReverseProxySSLProtocols` options.
117
118 For adjusting the list of supported ciphers you might want to refer to the following sites:
119
120 * [http://wiki.zimbra.com/wiki/Cipher_suites](http://wiki.zimbra.com/wiki/Cipher_suites)
121 * [http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS](http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS)
122 * [http://wiki.zimbra.com/wiki/Weak_Cipher_Suites_Appear_in_Security_Scans](http://wiki.zimbra.com/wiki/Weak_Cipher_Suites_Appear_in_Security_Scans)
123
124 ## TLS Ciphers
125
126 Inspired by the [BetterCrypto guide](https://bettercrypto.org/), I use the following settings (communication with other mail-servers always goes through another MTA, therefore I can be quite strict):
127
128 ```bash
129 zmprov mcf zimbraMtaSmtpdTlsCiphers high
130 zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
131 zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers aNULL,eNULL,LOW,3DES,MD5,EXP,PSK,DSS,RC4,SEED,ECDSA,DES
132 zmprov mcf zimbraMtaSmtpdTlsProtocols \!SSLv2,\!SSLv3
133 zmprov mcf zimbraReverseProxySSLCiphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
134 zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
135 zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
136 zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
137 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
138 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
139 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
140 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
141 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
142 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
143 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
144 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
145 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
146 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
147 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
148 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
149 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
150 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
151 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
152 ```
153
154 A word regarding the ciphers and protocols that we configure for the reverse proxy: We disable TLS 1.0 and 1.1 because they are not considered secure any longer and most browsers have dropped support for them anyway. We enable **all** TLSv1.3 ciphers because they seem to be enabled anyway, even if we do not list them. We prefer 256 bit ciphers over 128 bit ciphers. A minimal modern list supporting both TLSv1.2 and TLSv1.3 would look like this:
155
156 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
157
158 We include the CHACHA20 ciphers because some systems that do support them do not support AES256, and they should be better than AES128.
159
160 In addition to that list, we add the AES128-GCM ciphers because Android 5.0 and 6.0 apparently neither support AES256 nor CHACHA20. We add the CBC ciphers to the end of the list, because IE 11 on Windows 8.1 (and Windows Server 2012 R2) does not support GCM yet. The AES256-CBC variant would be sufficient for that, but also supporting AES128-CBC also gives us support for IE11 on Windows Phone 8.1, and it is probably not significantly more insecure than AES256-CBC.
161
162 It probably is a good idea to completely remove the AES-CBC ciphers when Windows 8.1 / Windows Server 2012 R2 drop out of support in 2023.
163
164 In addition to these changes, it makes sense to enable TLSv1.3 and disable TLSv1.0 and TLSv1.1 for mailboxd. This happens through `zmlocalconfig`. Run `zmlocalconfig mailboxd_java_options` to display the current options and edit the `https.protocols` and `jdk.tls.client.protocols` options. Then set the resulting string through `zmlocalconfig`. For example:
165
166 ```bash
167 zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=debug,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m"
168 ```
169
170 ## Strict-Transport-Security Header
171
172 It makes sense to add the Strict-Transport-Security header so that the web interface is never used through an unencrypted connection. I got the idea [here](http://blog.capitar.com/getting-a-better-zimbra-ssl-labs-rating/)). I use these settings with Zimbra 8.6.
173
174 Typically, the `add_header` option needs to be added to two files:
175
176 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template`
177 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template`
178
179 The option is added in the following form and add it right after the `ssl_verify_depth` option:
180
181 add_header Strict-Transport-Security max-age=15768000;
182
183 Since Zimbra 8.7 there is a simpler option for adding this header:
184
185 ```bash
186 zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=15768000"
187 ```
188
189 If you enable the Nginx proxy for the first time, do not forget to (re-)enable the redirect mode (unless you are using the pure https mode):
190
191 ```bash
192 zmprov ms <server> zimbraReverseProxyMailMode redirect
193 ```
194
195 You also might have to configure the protocol and hostname used for generating URLs (otherwise, some generated URLs might use the http scheme):
196
197 ```bash
198 zmprov md <domain> zimbraPublicServiceHostname <server>
199 zmprov md <domain> zimbraPublicServiceProtocol https
200 ```
201
202 ## Adjusting the DH key size
203
204 By default, Nginx only uses 1024 bit keys when using the TLS_DH_* ciphers (Diffie-Hellman key exchange). This is not considered enough any longer. In order to increase this size, the Diffie-Hellman parameters need to be configured explicitly. I am using the following settings with Zimbra 8.6.
205
206 First, the DH parameters need to be generated with OpenSSL:
207
208 ```bash
209 openssl dhparam -outform PEM -out /opt/zimbra/conf/dhparam2048.pem 2048
210 ```
211
212 Next, the `ssl_dhparam` option has to be added to the relevant sections of the Nginx configuration. I added it to the following configuration files, right before the `ssl_ecdh_curve` option:
213
214 * `/opt/zimbra/conf/nginx/templates/nginx.conf.mail.template`
215 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template`
216 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.template`
217 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template`
218 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template`
219 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template`
220 * `/opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.template`
221
222 The configuration line should look like this:
223
224 ssl_dhparam /opt/zimbra/conf/dhparam2048.pem;
225
226 Starting with Zimbra 8.7, Zimbra uses 2048 bit DH params by default and this manual intervention is not necessary any longer.
227
228 # Fixing the logrotate script
229
230 The logrotate script (`/etc/logrotate.d/zimbra`) for the Nginx log files has a small problem ([Bug 106800](https://bugzilla.zimbra.com/show_bug.cgi?id=106800)): It might happen, that the compression of the logfile starts before Nginx has stopped writing to the logfile. This might result in an e-mail with the following content being sent to the administrator:
231
232 /etc/cron.daily/logrotate:
233 gzip: stdin: file size changed while zipping
234
235 At the moment, I am testing the following workaround for this issue: I changed the logrotate script to wait for five seconds after sending SIGUSR1 to Nginx. This should allow Nginx to reopen the file:
236
237 postrotate
238 kill -USR1 `cat /opt/zimbra/log/nginx.pid 2> /dev/null` 2> /dev/null && sleep 5 || true
239 endscript
240
241 If this does not help, the `delaycompress` option should fix it for sure.
242
243 # Enabling SpamAssassin rule updates
244
245 Since Zimbra 8, it might be necessary to explicitly enable [SpamAssassin](https://sebastian.marsching.com/wiki/SpamAssassin) rule updates (see [this article](https://wiki.zimbra.com/wiki/Anti-spam_Strategies) in the Zimbra knowledge-base). You can do this through `zmlocalconfig`:
246
247 ```bash
248 zmlocalconfig -e antispam_enable_rule_updates=true
249 zmlocalconfig -e antispam_enable_restarts=true
250 zmlocalconfig -e antispam_enable_rule_compilation=true
251 ```
252
253 The last line is only necessary if you want to compile rules (this should improve the scan performance).
254
255 # Adding Pyzor and Razor to SpamAssassin
256
257 This has been heavily inspired by [https://wiki.zimbra.com/wiki/Improving_Anti-spam_system](https://wiki.zimbra.com/wiki/Improving_Anti-spam_system) and [https://wiki.zimbra.com/wiki/Anti-spam_Strategies](https://wiki.zimbra.com/wiki/Anti-spam_Strategies), but it use a different path for the configuration files so that they do not get lost during a Zimbra upgrade.
258
259 ## Pyzor
260
261 Install the package (as root):
262
263 ```bash
264 aptitude install pyzor
265 ```
266
267 Create a symbol link in the Zimbra directory (as root):
268
269 ```bash
270 ln -s data/pyzor /opt/zimbra/.pyzor
271 ```
272
273 Run **all remaining actions** as the **zimbra** user (`su - zimbra`).
274
275 Create the configuration directory:
276
277 ```bash
278 mkdir /opt/zimbra/data/pyzor
279 ```
280
281 Create a symbol link in the amavisd directory:
282
283 ```bash
284 ln -s ../pyzor /opt/zimbra/data/amavisd/.pyzor
285 ```
286
287 Optionally, increase the timeout for Pyzor by adding the `pyzor_timeout` option to the [SpamAssassin](https://sebastian.marsching.com/wiki/SpamAssassin) configuration. For example:
288
289 pyzor_timeout 20
290
291 In recent Zimbra versions, you can add this line to `/opt/zimbra/data/spamassassin/localrules/sauser.cf`.
292
293 ## Razor
294
295 Install the package (as root):
296
297 ```bash
298 aptitude install razor
299 ```
300
301 Create a symbol link in the Zimbra directory (as root):
302
303 ```bash
304 ln -s data/razor /opt/zimbra/.razor
305 ```
306
307 Run **all remaining actions** as the **zimbra** user (`su - zimbra`).
308
309 Create the configuration directory:
310
311 ```bash
312 mkdir /opt/zimbra/data/razor
313 ```
314
315 Create a symbol link in the `amavisd` directory:
316
317 ```bash
318 ln -s ../razor /opt/zimbra/data/amavisd/.razor
319 ```
320
321 Initialize the configuration:
322
323 ```bash
324 razor-admin -create
325 razor-admin -discover
326 razor-admin -register
327 ```
328
329 # Using the ClamAV Unofficial Signatures
330
331 Adding more signatures to ClamAV can help in improving the detection rate for virus scans. The ClamAV Unofficial Signatures Updater is available from [GitHub](https://github.com/extremeshok/clamav-unofficial-sigs). In order to install the script, one should download the newest release in the `.tar.gz` format from the [releases page](https://github.com/extremeshok/clamav-unofficial-sigs/releases) (version 5.4.1 in this example) and unpack it in `/opt/zimbra`. One should then create a symbol-link from `clamav-unofficial-sigs` to the directory created when unpacking the archive and make the script executable, for example:
332
333 ```bash
334 ln -s clamav-unofficial-sigs-5.4.1 /opt/zimbra/clamav-unofficial-sigs
335 chmod a+x /opt/zimbra/clamav-unofficial-sigs/clamav-unofficial-sigs.sh
336 ```
337
338 All remaining steps should be done as the `zimbra` user.
339
340 Create directories for the script’s configuration and data:
341
342 ```bash
343 mkdir /opt/zimbra/conf/clamav-unofficial-sigs
344 mkdir /opt/zimbra/data/clamav-unofficial-sigs
345 ```
346
347 Copy the `master.conf` and example `user.conf` from the distribution to the configuration directory:
348
349 ```bash
350 cp /opt/zimbra/clamav-unofficial-sigs/config/master.conf /opt/zimbra/conf/clamav-unofficial-sigs
351 cp /opt/zimbra/clamav-unofficial-sigs/config/user.conf /opt/zimbra/conf/clamav-unofficial-sigs
352 ```
353
354 Create a `/opt/zimbra/conf/clamav-unofficial-sigs/os.conf` file that contains OS-specific paths, etc. As these paths differ from the ones typically used for the operating system (Zimbra brings its own version of ClamAV), one cannot use one of the example files. The following file works with Zimbra 8.7 on Ubuntu 14.04 LTS and with the ClamAV Unofficial Signatures Updater 5.4.1, but changes might be needed when using a different version of Zimbra, a different operating system, or a differet version of the updater script.
355
356 ```bash
357 # This file contains os configuration settings for clamav-unofficial-sigs.sh
358 ###################
359 # This is property of eXtremeSHOK.com
360 # You are free to use, modify and distribute, however you may not remove this notice.
361 # Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com
362 ##################
363 #
364 # Script updates can be found at: https://github.com/extremeshok/clamav-unofficial-sigs
365 #
366 # Originially based on:
367 # Script provide by Bill Landry (unofficialsigs@gmail.com).
368 #
369 # License: BSD (Berkeley Software Distribution)
370 #
371 ##################
372 #
373 # NOT COMPATIBLE WITH VERSION 3.XX / 4.XX CONFIG
374 #
375 ################################################################################
376 # SEE MASTER.CONF FOR CONFIG EXPLAINATIONS
377 ################################################################################
378 # Rename to os.conf to enable this file
379 ################################################################################
380
381 # Zimbra
382
383 clam_user="zimbra"
384 clam_group="zimbra"
385
386 clam_dbs="/opt/zimbra/data/clamav/db"
387
388 clamd_pid="/opt/zimbra/log/clamd.pid"
389
390 clamd_restart_opt="/opt/zimbra/bin/zmclamdctl restart"
391
392 clamd_reload_opt="/opt/zimbra/common/bin/clamdscan --config-file=/opt/zimbra/conf/clamd.conf --reload"
393
394 clamscan_bin="/opt/zimbra/common/bin/clamscan"
395
396 #clamd_socket="/var/run/clamav/clamd.ctl"
397
398 work_dir="/opt/zimbra/data/clamav-unofficial-sigs"
399 log_file_path="/opt/zimbra/log"
400
401 # https://eXtremeSHOK.com ######################################################
402 ```
403
404 One also has to make some modifications to the `user.conf` file. As an absolute minimum, the line `user_configuration_complete="yes"` has to be added or the updater script will not work. I also chose to set the following options:
405
406 securiteinfo_enabled="no" # SecuriteInfo
407 malwarepatrol_enabled="no" # Malware Patrol
408 downloader_ignore_ssl="no" # do not ignore SSL (certifcate) errors when
409 # downloading files
410
411 Finally, one has to add the following line to the `crontab` file of the `zimbra` user (`crontab -u zimbra -e`):
412
413 # Update unofficial ClamAV signatures
414 45 * * * * /bin/bash /opt/zimbra/clamav-unofficial-sigs/clamav-unofficial-sigs.sh -c /opt/zimbra/conf/clamav-unofficial-sigs >/dev/null
415
416 it is a good idea to once run this script manually in order to see whether everything is working (`/bin/bash /opt/zimbra/clamav-unofficial-sigs/clamav-unofficial-sigs.sh -c /opt/zimbra/conf/clamav-unofficial-sigs`).
417
418 After running the script, one can check whether ClamAV is actually using the signatures by running `clamscan --debug -d /opt/zimbra/data/clamav/db /dev/null 2>&1|grep loaded`. In addition to the regular ClamAV signatures, one should see the signatures added by the updater script (the exact list depends on the configuration).
419
420 # Use Zimbra for system mail
421
422 The paths are for Zimbra 8.7:
423
424 ```bash
425 update-alternatives \
426 --install /usr/sbin/sendmail mta /opt/zimbra/common/sbin/sendmail 25 \
427 --slave /usr/bin/mailq mta-mailq /opt/zimbra/common/sbin/mailq \
428 --slave /usr/bin/newaliases mta-newaliases /opt/zimbra/common/sbin/newaliases \
429 --slave /usr/share/man/man1/mailq.1.gz mta-mailqman /opt/zimbra/common/share/man/man1/mailq.1 \
430 --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman /opt/zimbra/common/share/man/man1/newaliases.1 \
431 --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman /opt/zimbra/common/share/man/man1/sendmail.1 \
432 --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman /opt/zimbra/common/share/man/man5/aliases.5
433 ```
434
435 # Synchronizing contacts with the macOS Contacts app (CardDAV)
436
437 Contacts that are stored in Zimbra can be synchronized with the macOS Contacts app through the CardDAV protocol. However, there seems to be one severe limitation at least up to macOS 10.12.5 (Sierra). Only one address book can be synchronized. If there is more than one address book, the “first” one is selected. In this case, “first” seems to be decided based on the lexical order. In my case, I had an extra address book starting with the letter “A” and this one would be chosen instead of the standard “Contacts” address book. I could fix this by renaming the extra address book.
438
439 # Remove submitting clients IP address from headers
440
441 By default, the IP address of the client that submitted an e-mail is visible through the `Received` header added by Postfix. This might not be desirable for privacy reasons. I got the basic idea from [here](https://www.x4b.net/kb/MailServerClientProtection), but I had to adapt it to make it work with Zimbra 8.8.
442
443 We add the following lines to `/opt/zimbra/conf/postfix_header_checks.in`:
444
445 /^Received:.*with ESMTPSA/
446 IGNORE
447 /^X-Originating-IP:/
448 IGNORE
449
450 Please note that there is a tab (not spaces) in front of `IGNORE`.
451
452 Unfortunately, Zimbra does not use the header checks file by default and manually setting the `header_checks` option in Postfix's `main.cf` does not work either, because it is overwritten when Postfix is started. There are two ways to fix this. One can either set the `zimbraMtaBlockedExtensionWarnRecipient` configuration option to `FALSE` like suggested [here](https://wiki.zimbra.com/wiki/King0770-Notes-Header-Checks):
453
454 ```bash
455 zmprov mcf zimbraMtaBlockedExtensionWarnRecipient FALSE
456 ```
457
458 The other solution is changing the configuration of `zmconfigd` by removing the following lines from `/opt/zimbra/conf/zmconfigd.cf`:
459
460 if VAR zimbraMtaBlockedExtensionWarnRecipient
461 POSTCONF header_checks
462 fi
463
464 Most likely, you also want to set the `zimbraSmtpSendAddOriginatingIP` to `FALSE`:
465
466 ```bash
467 zmprov mcf zimbraSmtpSendAddOriginatingIP FALSE
468 ```