Post on 08-Feb-2018
7/22/2019 Zimbra NE Admin Guide 8.0.5
Zimbra Collaboration Server Administrator's Guide
ZCS 8.0
Network Edition
August 2013
Legal Notices
Copyright 2005-2013 Telligent Systems, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Telligent and Zimbra are registered trademarks or trademarks of Telligent Systems, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Telligent Systems, Inc. d/b/a Zimbra Software, LLC
www.zimbra.com
ZCS 8.0
August 2013
Rev 4 for 8.0.5
Table of Contents
1 Introduction . . . 13
  Audience . . . 13
  Third-Party Components . . . 13
  Support and Contact Information . . . 13
2 Product Overview . . . 15
  Core Email, Calendar and Collaboration Functionality . . . 15
  Zimbra Components . . . 16
  System Architecture . . . 16
  Zimbra Application Packages . . . 17
  Example of a Typical Multiserver Configuration . . . 19
  Zimbra System Directory Tree . . . 21
  Web Client Versions . . . 23
3 Licensing . . . 25
  License Types . . . 25
  License Requirements . . . 25
  License Usage by Account Type . . . 26
  License Activation . . . 26
  Automatic License Activation . . . 27
  Manual License Activation . . . 27
  When Licenses are not Installed or Activated . . . 27
  Obtain a License . . . 27
  Managing Licenses . . . 28
  License Information . . . 28
  License Expiration . . . 28
  Renewal . . . 29
  Update Your License . . . 29
4 Zimbra Mailbox Server . . . 31
  Incoming Mail Routing . . . 31
  Mailbox Server . . . 31
  Message Store . . . 31
  Data Store . . . 32
  Index Store . . . 32
  Backing Up the Mailbox Server . . . 33
  Mailbox Server Logs . . . 34
5 Zimbra LDAP Service . . . 35
  LDAP Traffic Flow . . . 35
  LDAP Directory Hierarchy . . . 36
  ZCS LDAP Schema . . . 37
  ZCS Objects . . . 38
  Account Authentication . . . 40
  Internal Authentication Mechanism . . . 40
  External LDAP and External AD Authentication Mechanism . . . 40
  Custom Authentication . . . 41
  Kerberos5 Authentication Mechanism . . . 42
  Global Address List . . . 43
  Flushing LDAP Cache . . . 44
  Flush the Cache for Themes and Locales . . . 45
  Flush Accounts, Groups, COS, Domains, and Servers . . . 45
6 Zimbra Mail Transfer Agent . . . 47
  Zimbra MTA Deployment . . . 47
  Postfix Configuration Files . . . 48
  SMTP Authentication . . . 48
  SMTP Restrictions . . . 49
  Sending Non Local Mail to a Different Server . . . 49
  Anti-Virus and Anti-Spam Protection . . . 49
  Anti-Virus Protection . . . 49
  Anti-Spam Protection . . . 50
  Receiving and Sending Mail . . . 52
  Message Queues . . . 52
7 Using the Administration Console . . . 55
  Administrator Accounts . . . 55
  Change Administrator Passwords . . . 55
  Log in to the Administration Console . . . 55
  Customize the Login and Logout Pages . . . 56
  Managing Tasks . . . 56
  Message of the Day for Administrators . . . 56
  Create a Message of the Day . . . 57
  Remove a Message of the Day . . . 57
  Zimbra Search . . . 57
8 Managing Configuration . . . 59
  Global Configuration . . . 59
  General Global Settings . . . 60
  Setting Up Email Attachment Rules . . . 61
  Blocking Email Attachments by File Type . . . 62
  Global MTA Settings . . . 62
  Global IMAP and POP Settings . . . 63
  Working With Domains . . . 64
  Domain General Information Settings . . . 64
  Global Address List (GAL) Mode . . . 65
  Using GAL sync accounts for faster access to GAL . . . 66
  Authentication Modes . . . 67
  Virtual Hosts . . . 68
  Setting Account Limits . . . 68
  Renaming a Domain . . . 69
  Adding a Domain Alias . . . 70
  Zimlets on the Domain . . . 70
  Managing Server Settings . . . 70
  General Server Settings . . . 71
  Change MTA Server Settings . . . 72
  Setting Up IP Address Binding . . . 72
  Managing SSL Certificates for ZCS . . . 72
  Installing Certificates . . . 73
  Viewing Installed Certificates . . . 74
  Maintaining Valid Certificates . . . 74
  Install a SSL Certificate for a Domain . . . 74
  Using DKIM to Authenticate Email Message . . . 75
  Configure ZCS for DKIM Signing . . . 76
  Update DKIM Data for a Domain . . . 77
  Remove DKIM Signing from ZCS . . . 77
  Retrieve DKIM Data for a Domain . . . 77
  Anti-spam Settings . . . 78
  Anti-virus Settings . . . 81
  Zimbra Free/Busy Calendar Scheduling . . . 82
  ZCS to ZCS Free/Busy Interoperability . . . 83
  Setting Up S/MIME . . . 84
  Prerequisites . . . 84
  S/MIME License . . . 84
  Enable S/MIME Feature . . . 84
  Importing S/MIME Certificates . . . 85
  Storage Management . . . 86
  Implementing Hierarchical Storage Management . . . 86
  Email Retention Management . . . 88
  Configure Email Lifetime Rules . . . 88
  Configure Message Retention and Deletion Policies . . . 89
  Managing the Dumpster . . . 89
  Configure Legal Hold on an Account . . . 90
  Customized Admin Extensions . . . 90
  Setting System-wide Signatures . . . 91
9 Class of Services for Accounts . . . 93
  Managing Accounts Usage with a COS . . . 93
  Selecting Features and Preferences . . . 94
  Disable Preferences . . . 94
  Set Default Time Zone . . . 95
  Using Server Pools . . . 95
  Setting Account Quota . . . 95
  Set Quotas in Domains . . . 96
  Managing Passwords . . . 97
  Direct Users to Your Change Password Page . . . 97
  Configure a Password Policy . . . 97
  Configuring a Login Policy . . . 98
  Configuring a Session Timeout Policy . . . 99
  Managing Default External COS . . . 99
10 Customizing Accounts . . . 101
  Messaging and Collaboration Applications . . . 101
  Email Messaging Features . . . 101
  Set Up Address Book Features . . . 107
  Set Up Calendar Features . . . 107
  Set Up Zimbra Tasks . . . 111
  Setting Zimbra Web Client UI Themes . . . 111
  Other Configuration Settings for Accounts . . . 111
  Enable Sharing . . . 111
  Configure SMS Notification . . . 112
  Configure Attachment Viewing . . . 112
  Display a Warning When Users Try to Navigate Away . . . 113
  Enabling the Check Box for the Web Client . . . 113
  Preferences Import/Export . . . 113
  Add Words to Spell Dictionary . . . 113
11 Provisioning User Accounts . . . 115
  Creating a Single User Accounts . . . 115
  Migrate Existing Accounts and Import Account Email . . . 116
  Migrate Accounts from a Zimbra Server . . . 116
  Migrate Accounts from Generic IMAP Servers . . . 118
  Migrate Accounts using an XML File . . . 120
  Importing Email for Selected Accounts . . . 121
  Examples of XML Files . . . 122
  Auto Provisioning New Accounts from External LDAP . . . 123
  Auto-Provision Attributes . . . 124
  Configure Eager Mode Auto-Provisioning . . . 129
  Configure Lazy Mode Auto-Provisioning . . . 131
  Manage Resources . . . 133
  Set Up the Scheduling Policy . . . 134
12 Managing User Accounts . . . 137
  Change Status of Accounts . . . 137
  Delete an Account . . . 138
  View an Accounts Mailbox . . . 138
  Use an Email Alias . . . 138
  Work with Distribution Lists . . . 138
  Setting Subscription Policies for Distribution Lists . . . 139
  Management Options for Owners of Distribution Lists . . . 139
  Creating a Distribution List . . . 140
  Managing Access to Distribution Lists . . . 141
  Enable Viewing of Distribution List Members for AD Accounts . . . 143
  Using Dynamic Distribution Lists . . . 143
  Create Dynamic Distribution Lists from the Administration Console . . . 144
  Using CLI to Manage Dynamic Distribution Lists . . . 146
  Moving a Mailbox . . . 146
  Global Configuration Option for Moving Mailboxes . . . 147
13 Delegated Administration . . . 149
  Target Types for Granting Administrative Rights . . . 149
  Rights . . . 150
  System-defined rights . . . 150
  Attribute Right . . . 151
  Implementing Delegated Administration . . . 153
  Administrator Groups and Administrators . . . 153
  Configure Grants on Administrator Accounts or Admin Groups . . . 154
  Grant ACLs to a Target . . . 154
  Revoking Rights . . . 154
  View Rights Granted to Administrators . . . 155
  Predefined Delegated Administrator Role . . . 155
  Domain Administration Group . . . 155
  Distribution List Administration Group . . . 155
  Creating Delegated Administrator Roles . . . 156
14 Using the Voice Service . . . 163
  Order of Configuration . . . 164
  Voice Service Requirements . . . 164
  Using a Third-Party Unified Communications Server . . . 165
  Cisco URLs . . . 165
  Mitel URLs . . . 166
  Creating the Voice/Chat Service . . . 166
  Configure Presence (Cisco only) . . . 166
  Enabling the Voice/Chat Service . . . 167
  Enable Voice/Chat Service on a Domain . . . 167
  Enable Voice/Chat Service on a COS . . . 167
  Enable Voice/Chat Service on a User Account . . . 167
  Enabling the Voice/Chat Zimlets . . . 168
15 Monitoring ZCS Servers . . . 169
  Zimbra Logger . . . 170
  Enable Server Statistics . . . 170
  Review Server Status . . . 170
  Enable or Disable Server Services . . . 171
  Server Performance Statistics . . . 171
  Configure Logger Mail Reports . . . 172
  Configuring Disk Space Notifications . . . 172
  Monitoring Servers . . . 172
  Configuring Denial of Service Filter Parameters . . . 173
  Identifying False Positives . . . 173
  Customizing DoSFilter Configuration . . . 174
  Tuning Considerations for ZCS 8.0.3 and later . . . 175
  Working with Mail Queues . . . 175
  View Mail Queues . . . 177
  Flush Message Queues . . . 177
  Monitoring Mailbox Quotas . . . 177
  View Quota . . . 178
  Increase or Decrease Quota . . . 178
  Viewing MobileSync Statistics . . . 178
  Monitoring Authentication Failures . . . 178
  Viewing Log Files . . . 179
  Syslog . . . 180
  Use log4j to Configure Logging . . . 180
  Logging Levels . . . 180
  Protocol Trace . . . 182
  Review mailbox.log Records . . . 183
  Reading a Message Header . . . 186
  Fixing Corrupted Mailbox Index . . . 187
  Check if an Index is Corrupt . . . 187
  Repair and Reindex a Corrupt Index . . . 188
  SNMP Monitoring and Configuration . . . 188
  SNMP Monitoring Tools . . . 188
  SNMP Configuration . . . 188
  Errors Generating SNMP Traps . . . 188
  Checking MySQL . . . 188
  Checking for ZCS Software Updates . . . 189
  Updating Zimbra Connector for Microsoft Outlook . . . 189
  Types of Notifications and Alerts Sent by ZCS . . . 190
  Service status change notification . . . 190
  Disk usage notification . . . 190
  Duplicate mysqld processes running notification . . . 190
  SSL certificates expiration notification . . . 191
  Daily report notification . . . 191
  Database integrity check notification . . . 191
  Backup completion notification . . . 191
16 Backup and Restore . . . 193
  Backing Up the Mailbox Server . . . 193
  Backup Methods . . . 194
  Standard Backup . . . 194
  Auto-Grouped Backup Method . . . 195
  Directory Structure for Backup Files . . . 195
  Backup and Restore Using the Administration Console . . . 197
  Configure Backup from the Admin Console . . . 197
  Backup and Restore Using the Command Line Interface . . . 198
  Backing up using the Standard Method . . . 198
  Scheduling a Standard Backup . . . 199
  Full Backup Process . . . 200
  Incremental Backup Process . . . 201
  Find a Specific Backups . . . 202
  Abort Full Backup in Progress . . . 203
  Backing up using the Auto-Grouped Method . . . 203
  Configure Auto-Grouped Backup from the CLI . . . 203
  Schedule Auto-Group Backups . . . 204
  Backup Options . . . 204
  Backup Up content Options . . . 204
  Back Up the MySQL Database . . . 205
  Managing Disk Space for Backups . . . 205
  Restoring Data . . . 206
  Restore Process . . . 206
  Stop a Restore Process . . . 209
  Restore Mailboxes When Mail Server Is Down . . . 209
  Restore Individual Accounts on a Live System . . . 210
  Exclude Items from a Restore . . . 210
  Restore the LDAP Server . . . 210
  General Steps for Disaster Recovery . . . 211
  Crash Recovery Server Startup . . . 211
  Restore the Zimbra Collaboration Server . . . 211
  Install ZCS on a New Server . . . 213
  Restoring from Different Failure Scenarios . . . 215
  Change Local Configuration Files After Restoring Zimbra . . . 216
  Using snapshots to Backup and Restore . . . 216
17 Zimbra Mobile . . . 219
  Mobile Device Security Policies . . . 219
  Setting Up Mobile Policies on ZCS . . . 220
  Mobile Device Security Policies . . . 220
  Managing Mobile Devices . . . 224
  Supporting Autodiscover . . . 224
  Set Up Mobile Synchronization for User Accounts . . . 225
  Change Mobile Device Password Policy . . . 225
  Users Mobile Device Self-Care Features . . . 226
18 Archiving and Discovery . . . 227
  How Archiving Works . . . 227
  How Discovery Works . . . 228
  Installing the Archiving Package . . . 229
  Install Archiving in a Single-Server Environment . . . 229
  Install zimbra-archiving in a Multi-Server Environment . . . 230
  Manage Archiving From the Administration Console . . . 230
  Enable Archiving . . . 231
  Creating a Dedicated Archive COS . . . 231
  Set Up Archive Account Name . . . 231
  Set Up Archiving for a Users Mailbox . . . 232
  Archive Mailboxes . . . 232
  Create an archive mailbox and assign a COS . . . 233
  Create an Archive Mailbox with No COS or Password . . . 233
  Enable Archive Forwarding to a Third-party Archiving Server . . . 233
  Searching Across Mailboxes . . . 233
  Cross Mailbox Search from the Administration Console . . . 234
19 Legal Requests for Information . . . 237
  Legal Intercept Settings . . . 237
  Set Up Legal Intercept . . . 237
  Set Up Legal Intercept to Forward Message Header . . . 238
  Modify the Intercept Cover Email Message . . . 238
  Create Mailbox Snapshots for Legal Discovery . . . 239
  Create a Mailbox Snapshot Zip File . . . 239
20 Zimbra Proxy Server . . . 241
  Proxy Components . . . 241
  Proxy Architecture and Flow . . . 241
  Change the Zimbra Proxy Configuration . . . 242
  Zimbra IMAP/POP Proxy . . . 242
  Zimbra Proxy Ports for POP and IMAP . . . 243
  Setting Up IMAP and POP Proxy After HTTP Proxy Installation . . . 243
  Configure ZCS HTTP Proxy . . . 245
  Setting Up HTTP Proxy . . . 246
  Set Proxy Trusted IP Addresses . . . 248
  Configure Zimbra Proxy for Kerberos Authentication . . . 249
21 Changing ZWC Theme Colors and Logo . . . 251
  Customizing Base Theme Colors . . . 251
  Replacing the ZWC Logo . . . 252
  Using Command Line Interface . . . 253
  Add Your Logos . . . 254
  Changing Theme Colors and Logo on Admin Console . . . 255
  Changing Base Theme Colors . . . 255
  Adding Your Logo . . . 255
22 Zimlets
Manage Zimlets from the Administration Console
Deploy Custom Zimlets
Enable, Disable, or Make Zimlets Mandatory
Undeploy a Zimlet
Add Proxy-Allowed Domains to a Zimlet
Upgrading a Zimlet
Managing Zimlets from the Command Line Interface
Deploying Zimlets
Add Proxy Allowed Domains to a Zimlet
Deploying a Zimlet and Granting Access to a COS
Viewing Zimlet List
Changing Zimlet Configurations
Upgrading a Zimlet
Zimbra Gallery
Customized Zimlets
Appendix A Command-Line Utilities
General Tool Information
Zimbra CLI Commands
Using non-ASCII Characters in CLIs
zmprov (Provisioning)
Configure Auto-Grouped Backup from the CLI
Changing Conversations Thread Default
Detect Corrupted Indexes
zmaccts
zmarchiveconfig
zmarchivectl
zmarchivesearch
zmbackup
zmblobchk
zmcalchk
zmschedulebackup
zmbackupabort
zmbackupquery
zmrestore
zmrestoreoffline (Offline Restore)
zmrestoreldap
zmcontrol (Start/Stop/Restart Service)
zmmboxsearch (Cross Mailbox Search)
zmmboxmove
zmmboxmovequery
zmpurgeoldmbox
zmgsautil
zmldappasswd
zmlocalconfig
zmmailbox
zmtlsctl
zmhsm
zmlicense
zmmetadump
zmmypasswd
zmplayredo
zmproxyconfgen
zmproxypurge
zmredodump
zmskindeploy
zmsoap
zmstat-chart
zmstat-chart-config
zmstatctl
zmthrdump
zmtrainsa
zmtzupdate
zmvolume
zmzimletctl
zmproxyconfig
zmsyncreverseproxy
Appendix B Configuring SPNEGO Single Sign-On
Configuration Process
Create the Kerberos Keytab File
Configure ZCS
Configure Your Browser
Test your setup
Troubleshooting setup
Configure Kerberos Auth with SPNEGO Auth
Setting Up Single Sign-On Options for ZCO
Appendix C ZCS Crontab Jobs
How to read the crontab
ZCS Cron Jobs
Jobs for crontab.store
Jobs for crontab.logger
Jobs for crontab.mta
Single Server Crontab -l Example
Appendix D Glossary
Index
1 Introduction
Zimbra Collaboration Server (ZCS) is a full-featured messaging and collaboration solution that includes email, address book, calendaring, tasks, and Web document authoring.
Topics in this chapter include:
Audience
Third-Party Components
Support and Contact Information
Audience
This guide is intended for system administrators responsible for installing, maintaining, and supporting the server deployment of ZCS.
Readers of this guide should have the following recommended knowledge and skill sets:
Familiarity with the associated technologies and standards, Linux operating system, and open source concepts
Industry practices for mail system management
Third-Party Components
Where possible, Zimbra adheres to existing industry standards and open source implementations for backup management, user authentications, operating platform, and database management. However, Zimbra only supports the specific implementations described in the ZCS architecture overview in the Product Overview chapter as officially tested and certified for the ZCS. This document might occasionally note when other tools are available in the marketplace, but such mention does not constitute an endorsement or certification.
Support and Contact Information
Visit www.zimbra.com to join the community and to be a part of building the best open source messaging solution. We appreciate your feedback and suggestions.
Contact sales@zimbra.com to purchase Zimbra Collaboration Server
Network Edition customers can contact support at support@zimbra.com
Explore the Zimbra Forums for answers to installation or configuration problems
Join the Zimbra Forums to participate and learn more about the Zimbra Collaboration Server
Let us know what you like about the product and what you would like to see in the product. Post your ideas to the Zimbra Forum.
If you encounter problems with this software, go to http://bugzilla.Zimbra.com to submit a bug report. Make sure to provide enough detail so that the bug can be easily duplicated.
2 Product Overview
The Zimbra Collaboration Server (ZCS) architecture is built with well-known open source technologies and standards-based protocols. The architecture consists of client interfaces and server components that can be run in a single-node configuration or deployed across multiple servers for high availability and increased scalability.
Core Email, Calendar and Collaboration Functionality
Zimbra Components
System Architecture
Zimbra Application Packages
Example of a Typical Multiserver Configuration
Zimbra System Directory Tree
The architecture includes the following core advantages:
Open source integrations. Linux, Jetty, Postfix, MySQL, OpenLDAP.
Uses industry standard open protocols. SMTP, LMTP, SOAP, XML, IMAP, POP.
Modern technology design. HTML5, Javascript, XML, and Java.
Horizontal scalability. Each Zimbra mailbox server includes its own mailbox accounts and associated message store and indexes. Zimbra has the flexibility to scale both vertically by adding more system resources or horizontally by adding more servers.
Browser based client interface. Zimbra Web Client gives users easy access to all the ZCS features.
Browser based administration console.
Core Email, Calendar and Collaboration Functionality
ZCS is an innovative messaging and collaboration application that offers the following state-of-the-art solutions that are accessed through a browser based web client.
Intuitive message management, search, tagging, and sharing.
Personal, external, and shared calendar
Personal and shared Address Books and Distribution Lists.
Personal and Shared Task lists.
Zimbra Components
Zimbra architecture includes open-source integrations using industry standard protocols. The third-party software listed below is bundled with Zimbra software and installed as part of the installation process. These components have been tested and configured to work with the software.
Jetty, the web application server that Zimbra software runs in.
Postfix, an open source mail transfer agent (MTA) that routes mail messages to the appropriate Zimbra server
OpenLDAP software, an open source implementation of the Lightweight Directory Access Protocol (LDAP) that stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication. Zimbra can also work with GAL and authentication services provided by external LDAP directories such as Active Directory
MySQL database software
Lucene, an open source full-featured text and search engine
Autonomy, Inc., a third-party source that converts certain attachment file types to HTML
Anti-virus and anti-spam open source components including:
ClamAV, an anti-virus scanner that protects against malicious files
SpamAssassin, a mail filter that attempts to identify spam
Amavisd-new interfaces between the MTA and one or more content checkers
James/Sieve filtering, used to create filters for email
System Architecture
The ZCS architectural design is displayed in the ZCS Collaboration Server Architecture figure. This shows the open-source software bundled with the ZCS and other recommended third-party applications.
Zimbra Core: Includes the libraries, utilities, monitoring tools, and basic configuration files. zmconfigd is part of zimbra-core and is automatically enabled and runs on all systems.
Zimbra Convertd: Zimbra-convertd package is installed on the zimbra-store server. Only one Zimbra-convertd package needs to be present in the ZCS environment.
Zimbra LDAP: ZCS uses the OpenLDAP software, an open source LDAP directory server. User authentication, the Zimbra Global Address List, and configuration attributes are services provided through OpenLDAP. Note that the Zimbra GAL and authentication services can be provided by an external LDAP Directory such as Active Directory.
Zimbra MTA: Postfix is the open source mail transfer agent (MTA) that receives email via SMTP and routes each message to the appropriate Zimbra mailbox server using Local Mail Transfer Protocol (LMTP). The Zimbra MTA also includes the anti-virus and anti-spam components.
Zimbra store (mailbox server): The Zimbra store package installs the components for the mailbox server, including Jetty, which is the servlet container the Zimbra software runs within. Within ZCS, this servlet container is called mailboxd. Each account is configured on one mailbox server, and this account is associated with a mailbox that contains all the mail messages, file attachments, contacts, calendar, and collaboration files for that mail account. Each Zimbra server has its own standalone data store, message store, and index store for the mailboxes on that server. As each email arrives, the Zimbra server (convertd) extracts the text from the attachments to be indexed along with the mail body. Attachments are converted to HTML when users click on the view as HTML link on the Zimbra Web Client.
Zimbra-SNMP: Zimbra uses swatch to watch the syslog output to generate SNMP traps.
Zimbra-Logger: The Zimbra logger installs tools for syslog aggregation, reporting. If the Logger is not installed, the server statistics section of the administration console is not displayed.
Zimbra-Spell: Aspell is the open source spell checker used on the Zimbra Web Client. When zimbra-spell is installed, the Zimbra-Apache package is also installed.
Zimbra-Proxy: Use of an IMAP/POP proxy server allows mail retrieval for a domain to be split across multiple Zimbra servers on a per user basis. The Zimbra Proxy package can be installed with the Zimbra LDAP, the Zimbra MTA, the Zimbra mailbox server, or on its own server. Zimbra-Memcached is a separate package from zimbra-proxy and is automatically selected when the zimbra-proxy package is installed. One server must run zimbra-memcached when the proxy is in use. All installed zimbra-proxies can use a single memcached server.
Zimbra Archiving: The Zimbra Archiving and Discovery package is an optional feature for Zimbra Network Edition. Archiving and Discovery offers the ability to store and search all messages that were delivered to or sent by Zimbra. This package includes the cross mailbox search function which can be used for both live and archive mailbox searches. Note: Using Archiving and Discovery can trigger additional mailbox license usage. To find out more about Zimbra Archiving and Discovery, contact Zimbra sales.
Example of a Typical Multiserver Configuration
The exact configuration for each deployment is highly dependent on variables including the number of mailboxes, mailbox quotas, performance requirements, existing network infrastructure, IT policies, security requirements, spam filtering requirements, and so forth.
The figure below shows a typical configuration with incoming traffic and user connection.
Figure: Typical Configuration with Incoming Traffic and User Connections
(Diagram showing firewalls, load balancers, edge MTAs with spam filtering, Zimbra MTAs with virus and spam filtering, Zimbra LDAP master and replica, Zimbra mailbox servers, and a mounted backup disk, with numbered callouts 1 to 8. Legend: Internet mail (inbound), external user connection, internal user connection, replication (optional), backup, LDAP directory traffic.)
1 Inbound Internet mail goes through a firewall and load balancing to the edge MTA for spam filtering.
2 The filtered mail then goes through a second load balancer.
3 An external user connecting to the messaging server also goes through a firewall to the second load balancer.
4 The inbound Internet mail goes to any of the Zimbra MTA servers and goes through spam and virus filtering.
5 The designated Zimbra MTA server looks up the addressee's directory information from the Zimbra LDAP replica server.
6 After obtaining the user's information from the Zimbra LDAP server, the MTA server sends the mail to the appropriate Zimbra mailbox server.
7 Internal end-user connections are made directly to any Zimbra mailbox server, which then obtains the user's directory information from Zimbra LDAP and redirects the user as needed.
8 Server backup can be processed to a mounted disk.
Zimbra System Directory Tree
The following table lists the main directories created by the Zimbra installation packages.
The directory organization is the same for any server in the ZCS, installing under /opt/zimbra.
Note: The directories not listed in this table are libraries used for building the core Zimbra software or miscellaneous third-party tools.
Parent Directory            Description
/opt/zimbra/                Created by all ZCS installation packages
backup/                     Backup target contains full and incremental backup data
bin/                        ZCS application files, including the utilities described in Appendix A, Command-Line Utilities
cdpolicyd                   Policy functions, throttling
clamav/                     Clam AV application files for virus and spam controls
conf/                       Configuration information
contrib/                    Third-party scripts for conveyance
convertd/                   Convert service
cyrus-sasl/                 SASL AUTH daemon
data/                       Includes data directories for LDAP, mailboxd, postfix, amavisd, clamav
db/                         Data Store
docs/                       SOAP txt files and technical txt files
dspam/                      DSPAM antivirus
extensions-extra/           Server extensions for different authentication types
extensions-network-extra/   Server extensions for different network version authentication types
httpd/                      Contains the Apache Web server. Used for both aspell and convertd as separate processes
index/                      Index store
java/                       Contains Java application files
jetty/                      mailboxd application server instance. In this directory, the webapps/zimbra/skins directory includes the Zimbra UI theme files
lib/                        Libraries
libexec/                    Internally used executables
log/                        Local logs for ZCS server application
logger/                     RRD and SQLite data files for logger services
mysql/                      MySQL database files
net-snmp/                   Used for collecting statistics
openldap/                   OpenLDAP server installation, pre-configured to work with ZCS
postfix/                    Postfix server installation, pre-configured to work with ZCS
redolog/                    Contains current transaction logs for the ZCS server
snmp/                       SNMP monitoring files
ssl/                        Certificates
store/                      Message store
zimbramon/                  Contains control scripts and Perl modules
zimlets/                    Contains Zimlet zip files that are installed with Zimbra
zimlets-deployed/           Contains Zimlets that are available with the Zimbra Web Client
zimlets-network             Contains Zimlet zip files for features that are installed with the network edition
zmstat/                     mailboxd statistics are saved as .csv files
Web Client Versions
Zimbra offers standard HTML, advanced Javascript, and mobile web clients that users can log into. The web clients include mail, calendar, address book, and task functionality. Users can select the client to use when they log in.
Advanced web client includes Ajax capability and offers a full set of web collaboration features. This web client works best with newer browsers and fast Internet connections.
Standard web client is a good option when Internet connections are slow or users prefer HTML-based messaging for navigating within their mailbox.
Mobile web client provides an experience optimized for smaller screen formats available on mobile devices.
When users sign in, they view the advanced Zimbra Web Client, unless they use the menu on the login screen to change to the standard version. If ZWC detects the screen resolution to be 800 x 600, users are automatically redirected to the standard Zimbra Web Client. Users can still choose the advanced ZWC but see a warning message suggesting the use of the standard ZWC for better screen view. When connecting to Zimbra using a mobile web browser, Zimbra will automatically detect and default to the mobile web client.
3 Licensing
A Zimbra license is required in order to create accounts. When you purchase, renew, or change the Zimbra license, you update the Zimbra server with the new license information.
Topics in this chapter include:
License Types
License Requirements
License Usage by Account Type
License Activation
Obtain a License
License Types
ZCS licensing gives administrators better visibility and control into the licensed features they plan to deploy. You can monitor usage and manage the following license types.
Accounts limit. The maximum number of accounts you can create and the number of accounts created are shown.
Mobile accounts limit. The maximum number of accounts that can have the mobile feature enabled.
MAPI accounts limit. The maximum number of accounts that can use Zimbra Connector for Microsoft Outlook (ZCO).
Archiving Accounts limit. The maximum number of archive accounts that can be created. The archive feature must be installed.
License Requirements
Several types of licenses are available:
Trial. You can obtain a free Trial license from the Zimbra website, at www.zimbra.com. The trial license allows you to create up to 50 users. It expires in 60 days.
Trial Extended. You can obtain a Trial Extended license from Zimbra Sales by contacting sales@zimbra.com or calling 1-650-427-5701. This license allows you to create up to 50 users and is valid for an extended period of time.
Subscription. You must purchase the Zimbra Subscription license. This license is valid for a specific ZCS system and is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and expiration date of the subscription license.
Perpetual. You must purchase the Zimbra Perpetual license. This license is similar to a subscription license and is valid for a specific ZCS system, is encrypted with the number of Zimbra accounts (seats) you have purchased, the effective date, and an expiration date of 2099-12-31. When you renew your support agreement, no new perpetual license is sent to you, but your Account record in the system is updated with your new support end date.
License Usage by Account Type
Below is a description of ZCS accounts and if they impact your license limit.
System accounts. System accounts are specific accounts used by ZCS. They include the spam filter accounts for junk mail (spam and ham), virus quarantine account for email messages with viruses, and GALsync account if you configure GAL for your domain. Do not delete these accounts! These accounts do not count against your license.
Administrator account. Administrator and delegated administrator accounts count against your license.
User accounts. User accounts count against your license account limit.
When you delete an account, the license account limit reflects the change.
Alias account. Aliases do not count against your license.
Distribution list. Distribution lists do not count against your license.
Resource account. Resource accounts (location and resources) do not count against your ZCS license.
License Activation
All network edition installations require license activation. New installations have a 10 day grace period from the license issue date before requiring activation. Your license can be activated by selecting Global Settings > License > Activate License.
Upgraded ZCS versions require an immediate activation to maintain network feature functionality.
Automatic License Activation
Licenses are automatically activated if the ZCS server has a connection to the Internet and can communicate with the Zimbra License server. If you are unable to automatically activate your license.
Manual License Activation
For systems that do not have external access to the Zimbra License server, you can use the Zimbra Support Portal to manually activate your license. Go to the Zimbra website at www.zimbra.com and click Support to display the Zimbra Technical Support page. Click Support Portal Login to display the Zimbra Support Portal page. Enter your email and password to log in.
If you have problems accessing the Support Portal, contact Zimbra Sales at sales@zimbra.com.
When Licenses are not Installed or Activated
If you fail to install or activate your ZCS server license, the following scenarios describe how your ZCS server will be impacted.
License is not installed. If a license is not installed, the ZCS defaults to single user mode where all features limited by license are limited to one user.
License is not valid. If the license could not be validated, the ZCS defaults to single user mode.
License is not activated. A license activation grace period is 10 days. If for some reason the license is never activated, the ZCS defaults to single user mode after 10 days.
License is in future. If the license starting date is still in the future, the ZCS defaults to single user mode.
License is in grace period. If the license ending date has passed and is within the 30 day grace period, all features limited by license are still enabled, but administrators may see license renewal prompts.
License expired. If the license ending date has passed and the 30 day grace period expired, the ZCS server defaults to the feature set of the Open Source Edition.
Obtain a License
Go to Zimbra's Website to obtain a trial license from the Network Downloads area. Contact Zimbra sales regarding a trial extended license, or to purchase a subscription license or perpetual license, by emailing sales@zimbra.com.
The subscription and perpetual license can only be installed on the ZCS system for which it is purchased. Only one Zimbra license is required for your ZCS environment. This license sets the number of accounts that can be created.
Current license information, including the number of accounts purchased, the number of accounts used, and the expiration date, can be viewed from Global Settings > License.
Managing Licenses
The Update License wizard from the administration console's Global Settings page is used to upload and install a new license. The Activate License link on the toolbar activates the license.
Current license information, including the license ID, the issue date, expiration date, number of accounts purchased, and the number of accounts used can be viewed from Global Settings > License.
License Information
You must have a ZCS license to create accounts. When you purchase, renew, or change the Zimbra license, you must update the Zimbra server with the new license information. The Update License Wizard from the administration console's Global Settings is used to upload and install a new license. The Activate License link on the toolbar activates the license.
Current license information, including the license ID, the issue date, expiration date, number of accounts purchased, and the number of accounts used can be viewed from the Global Settings > License page.
When the number of accounts created is equal to the number of accounts purchased you will not be able to create new accounts. You can purchase additional accounts or you can delete existing accounts. Contact Zimbra sales to purchase additional accounts.
You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the administration console, a reminder notice is displayed.
License Expiration
When your ZCS Network Edition License expires, a license expiration warning appears in the administrative console and web interface for all users. From the date of the license expiration, there is a 30-day grace period during which the warning message is displayed, but no features are disabled.
Upon expiration of the grace period, the server reverts to the feature set of the Open Source Edition. The following is a list of some of the major functions that are no longer available upon license expiration:
Backup/Restore
Zimbra Mobile (ActiveSync)
Zimbra Connector for Outlook
Zimbra Connector for Blackberry
S/MIME
If you maximize your licensed user limit, you are no longer able to create or delete accounts.
If you do not plan to renew your license, you can regain the ability to create or delete accounts by upgrading to ZCS free and open source software (FOSS).
You should choose the same version of FOSS that you are currently running on the ZCS Network Edition for this transition, after which you can upgrade to the latest version of ZCS FOSS.
Renewal
When the number of accounts created is equal to the number of accounts purchased you will not be able to create new accounts. You can purchase additional accounts or you can delete existing accounts. Contact Zimbra sales to purchase additional accounts.
You must renew your license within 30 days of the expiration date. Starting 30 days before the license expires, when you log on to the administration console, a reminder notice is displayed.
Update Your License
When you renew or change the Zimbra license, you update ZCS mailbox servers with the new license information. This can be done from either the administration console or using the zmlicense CLI command.
From the administration console:
1. Save the license on the computer you use to access the administration console.
2. Log on to the administration console, go to Global Settings > License and on the toolbar click Update License. The License Installation Wizard opens.
3. Browse to select the ZCS license file. Click Next. The license file is uploaded.
4. Click Install to install the license file.
5. Click Activate License. Upgraded ZCS versions require an immediate activation to maintain network feature functionality.
Your license information is updated automatically. The cached account
license count is automatically refreshed on each mailbox server.
4 Zimbra Mailbox Server
The Zimbra mailbox server is a dedicated server that manages all the mailbox content, including messages, contacts, calendar, and attachments. In a ZCS single-server environment, all services are on one server. In a ZCS multi-server environment, the LDAP and MTA services can be installed on separate servers.
The Zimbra mailbox server receives the messages from the Zimbra MTA server and passes them through any filters that have been created. Messages are then indexed and deposited into the correct mailbox.
The Zimbra mailbox server has dedicated volumes for backup and log files. Each Zimbra mailbox server can see only its own storage volumes. Zimbra mailbox servers cannot see, read, or write to another server.
Incoming Mail Routing
The MTA server receives mail via SMTP and routes each mail message to the appropriate ZCS mailbox server using LMTP. As each mail message arrives, its content is indexed so that all elements can be searched.
Mailbox Server
Each account is configured on one mailbox server and this account is associated with a mailbox that contains email messages, attachments, calendar, contacts and collaboration files for that account. Each Zimbra mailbox server has its own standalone message store, data store, and index store for the mailboxes on that server.
Message Store
All email messages are stored in MIME format in the Message Store, including the message body and file attachments.
The message store is located on each mailbox server under /opt/zimbra/store.
Each mailbox has its own directory named after its internal ZCS mailbox ID. Mailbox IDs are unique per server, not system-wide.
Messages with multiple recipients are stored as a single copy on the message store. On UNIX systems, the mailbox directory for each user contains a hard link to the actual file.
When ZCS is installed, one index volume and one message volume are configured on each mailbox server. Each mailbox is assigned to a permanent directory on the current index volume. When a new message is delivered or created, the message is saved in the current message volume.
To manage your email storage resources, you can configure storage volumes for older messages by implementing a Hierarchical Storage Management (HSM) policy. See Chapter 8, Managing Configuration.
Data Store
The ZCS data store is a MySQL database where internal mailbox IDs are linked with user accounts. It holds all the message metadata, including tags, conversations, and pointers to where the messages are stored in the file system. The MySQL database files are in /opt/zimbra/db.
Each account (mailbox) resides only on one server. Each ZCS server has its own standalone data store containing data for the mailboxes on that server.
The data store maps the ZCS mailbox IDs to the users' OpenLDAP accounts. The primary identifier within the ZCS database is the mailbox ID, rather than a user name or account name. The mailbox ID is only unique within a single mailbox server.
Metadata including each user's set of tag definitions, folders, contacts, calendar appointments, tasks, Briefcase folders, and filter rules are in the data store database.
Information about each mail message, including whether it is read or unread, and which tags are associated, is stored in the data store database.
Index Store
The index and search technology is provided through Apache Lucene. Each email message and attachment is automatically indexed when the message arrives. An index file is associated with each account. Index files are in /opt/zimbra/index.
The tokenizing and indexing process is not configurable by administrators or users.
Message Tokenization
The process is as follows:
1. The Zimbra MTA routes the incoming email to the ZCS mailbox server that contains the account's mailbox.
2. The mailbox server parses the message, including the header, the body, and all readable file attachments such as PDF files or Microsoft Word documents, in order to tokenize the words.
3. The mailbox server passes the tokenized information to Lucene to create the index files.
Note: Tokenization is the method for indexing by each word. Certain
common patterns, such as phone numbers, email addresses, and
domain names are tokenized as shown in the Message
Tokenization figure.
Backing Up the Mailbox Server
ZCS includes a configurable backup manager that resides on every ZCS server and performs both backup and restore functions. You do not have to stop the ZCS server in order to run the backup process. The backup manager can be used to restore a single user, rather than having to restore the entire system in the event that one user's mailbox becomes corrupted. Full and incremental backups are in /opt/zimbra/backup. See Chapter 16, Backup and Restore.
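[Figure: Message Tokenization. Example inputs stanford.edu, Jo Brown and jb@zimbra.com are broken into tokens such as stanford.edu, stanford, edu, Jo, Brown, jb, jb@zimbra.com, @zimbra.com and zimbra, which Lucene records in a word list of the documents containing each word.]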
Each Zimbra mailbox server generates redo logs that contain current and archived transactions processed by the message store server since the last incremental backup. When the server is restored, after the backed up files are fully restored, any redo logs in the archive and the current redo log in use are replayed to bring the system to the point before the failure.
Mailbox Server Logs
A ZCS deployment consists of various third-party components with one or more mailbox servers. Each of the components may generate its own logging output. Local logs are in /opt/zimbra/log.
Selected ZCS log messages generate SNMP traps, which you can capture using any SNMP monitoring software. See Chapter 15, Monitoring ZCS Servers.
Note: System logs, redo logs, and backup sessions should be on separate disks to minimize the possibility of unrecoverable data loss in the event that one of those disks fails.
5 Zimbra LDAP Service
LDAP directory services provide a centralized repository for information about users and devices that are authorized to use your Zimbra service. The central repository used for Zimbra's LDAP data is the OpenLDAP directory server.
Topics in this chapter include:
LDAP Traffic Flow
ZCS LDAP Schema
Account Authentication
ZCS Objects
Global Address List
Flushing LDAP Cache
Note: ZCS supports integration with Microsoft's Active Directory Server. Contact support for information on specific directory implementation scenarios.
The LDAP server is installed when ZCS is installed. Each server has its own LDAP entry that includes attributes specifying operating parameters. In addition, a global configuration object sets defaults for any server whose entry does not specify every attribute.
A subset of these attributes can be modified through the Zimbra administration console and others through the zmprov CLI utility.
LDAP Traffic Flow
The LDAP Directory Traffic figure shows traffic between the Zimbra-LDAP directory server and the other servers in the ZCS system. The Zimbra MTA and the ZCS mailbox server read from, or write to, the LDAP database on the directory server.
The Zimbra clients connect through the Zimbra server, which connects to LDAP.
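[Figure: LDAP Directory Traffic. Components shown: Zimbra LDAP directory server, Zimbra mailbox server, Zimbra MTA, edge MTA, DNS, Zimbra command line tools, Zimbra clients.]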
LDAP Directory Hierarchy
LDAP directories are arranged in a hierarchical tree-like structure with two types of branches, the mail branches and the config branch. Mail branches are organized by domain. Entries that belong to a domain, such as accounts, groups, and aliases, are provisioned under the domain DN in the directory. The config branch contains admin system entries that are not part of a domain. Config branch entries include system admin accounts, global config, global grants, COS, servers, mime types, and zimlets.
The Zimbra LDAP Hierarchy figure shows the Zimbra LDAP hierarchy. Each type of entry (object) has certain associated object classes.
[Figure: Zimbra LDAP Hierarchy. Domain branch entries: dc=com, dc=zimbra, ou=people, uid=jane, cn=groups, cn=serverteam. Config branch entries: cn=zimbra, cn=admins, cn=config, cn=servers, cn=globalgrants, cn=zimlets, cn=cos, mime.]
An LDAP directory entry consists of a collection of attributes and has a globally unique distinguished name (dn). The attributes allowed for an entry are determined by the object classes associated with that entry. The values of the object class attributes determine the schema rules the entry must follow.
The object class that determines what kind of entry an entry is, is called its structural object class and cannot be changed. Other object classes are called auxiliary and may be added to or deleted from the entry.
Use of auxiliary object classes in LDAP allows for an object class to be combined with an existing object class. For example, an entry with structural object class inetOrgPerson, and auxiliary object class zimbraAccount, would be an account. An entry with the structural object class zimbraServer would be a server in the Zimbra system that has one or more Zimbra packages installed.
ZCS LDAP Schema
At the core of every LDAP implementation is a database organized using a schema.
The Zimbra LDAP schema extends the generic schema included with OpenLDAP software. It is designed to coexist with existing directory installations.
All attributes and object classes specifically created for ZCS are prefaced by "zimbra", such as the zimbraAccount object class or the zimbraAttachmentsBlocked attribute.
The following schema files are included in the OpenLDAP implementation:
core.schema
cosine.schema
inetorgperson.schema
zimbra.schema
amavisd.schema
dyngroup.schema
nis.schema
Note: You cannot modify the Zimbra schema.
ZCS Objects
Each entry below gives the object, its object class, and a description.

Object: Accounts
Object class: zimbraAccount
Description: Represents an account on the Zimbra mailbox server that can be logged into. Account entries are either administrators or user accounts. The object class name is zimbraAccount. This object class extends the zimbraMailRecipient object class.
All accounts have the following properties:
A name in the format of user@example.domain
A unique ID that never changes and is never reused
A set of attributes, some of which are user-modifiable (preferences) and others that are only configurable by administrators
All user accounts are associated with a domain, so a domain must be created before creating any accounts.

Object: Class of Service (COS)
Object class: zimbraCOS
Description: Defines the default attributes an account has and what features are allowed or denied. The COS controls features, default preference settings, mailbox quotas, message lifetime, password restrictions, attachment blocking, and server pools for creation of new accounts.

Object: Domains
Object class: zimbraDomain
Description: Represents an email domain such as example.com or example.org. A domain must exist before email addressed to users in that domain can be delivered.

Object: Distribution Lists
Object class: zimbraDistributionList
Description: Also known as mailing lists, are used to send mail to all members of a list by sending a single email to the list address.

Object: Dynamic Groups
Object class: zimbraGroup
Description: Are like distribution lists. The difference is that members of a dynamic group are dynamically computed by an LDAP search. The LDAP search filter is defined in an attribute on the dynamic group entry.
Note: Both distribution lists and dynamic groups can be used as grantee or target in the delegated administrator framework.

Object: Servers
Object class: zimbraServer
Description: Represents a particular server in the Zimbra system that has one or more of the Zimbra software packages installed. Attributes describe server configuration information, such as which services are running on the server.

Object: Global Configuration
Object class: zimbraGlobalConfig
Description: Specifies default values for the following objects: server and domain. If the attributes are not set for other objects, the values are inherited from the global settings.
Global configuration values are required and are set during installation as part of the Zimbra core package. These become the default values for the system.

Object: Alias
Object class: zimbraAlias
Description: Represents an alias of an account, distribution list or a dynamic group. The zimbraAliasTarget attribute points to the target entry of this alias entry.

Object: Zimlet
Object class: zimbraZimletEntry
Description: Defines Zimlets that are installed and configured in Zimbra.

Object: Calendar Resource
Object class: zimbraCalendarResource
Description: Defines a calendar resource such as conference rooms or equipment that can be selected for a meeting. A calendar resource is an account with additional attributes on the zimbraCalendarResource object class.

Object: Identity
Object class: zimbraIdentity
Description: Represents a persona of a user. A persona contains the user's identity such as display name and a link to the signature entry used for outgoing emails. A user can create multiple personas. Identity entries are created under the user's LDAP entry in the DIT.
Account Authentication
Supported authentication mechanisms are Internal, External LDAP, and External Active Directory. The authentication method type is set on a per-domain basis. If the zimbraAuthMech attribute is not set, the default is to use internal authentication.
The internal authentication method uses the Zimbra schema running on the OpenLDAP server.
The zimbraAuthFallbackToLocal attribute can be enabled so that the system falls back to the local authentication if external authentication fails. The default is FALSE.
Internal Authentication Mechanism
The internal authentication method uses the Zimbra schema running on the OpenLDAP directory server. For accounts stored in the OpenLDAP server, the userPassword attribute stores a salted-SHA1 (SSHA) digest of the user's password. The password the user provides is computed into an SSHA digest and then compared to the stored value.
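The comparison described above, as an added example that is not part of the original guide or of Zimbra's code. It assumes the OpenLDAP-style encoding {SSHA} + base64(SHA1(password + salt) + salt); the function names and the sample password and salt are constructed for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; the salt follows it
PREFIX = "{SSHA}"


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """Build a userPassword value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # salt length is an assumption made for this example
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> tuple[bytes, bytes]:
    """Split a stored value into (digest, salt); raise ValueError if malformed."""
    if stored[:len(PREFIX)].upper() != PREFIX:
        raise ValueError("not an SSHA value")
    raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("digest present but salt missing")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        digest, salt = parse_ssha(stored)
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    # Constructed sample password and salt, not values from a real directory.
    stored = make_ssha("correct horse", salt=bytes.fromhex("0a1b2c3d"))
    print(stored)
    print(verify_ssha(stored, "correct horse"), verify_ssha(stored, "wrong"))
```

The salt travels inside the stored value, so it defeats precomputed tables but not guessing against a copied userPassword value. A single SHA-1 round is cheap to compute, which is why read access to that attribute should be tightly restricted.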
External LDAP and External AD Authentication Mechanism
External LDAP and external Active Directory authentication can be used if the email environment uses another LDAP server or Microsoft Active Directory for authentication and Zimbra-LDAP for all other ZCS-related transactions. This requires that users exist in both OpenLDAP and in the external LDAP server.
(ZCS Objects, continued)

Object: Data Source
Object class: zimbraDataSource
Description: Represents an external mail source of a user. Two examples of data source are POP3 and IMAP. A data source contains the POP3/IMAP server name, port, and password for the user's external email account. The data source also contains persona information, including the display name and a link to the signature entry for outgoing email messages sent on behalf of the external account. Data Source entries are created under the user's LDAP entry in the DIT.

Object: Signature
Object class: zimbraSignature
Description: Represents a user's signature. A user can create multiple signatures. Signature entries are created under the user's LDAP entry in the DIT.
The external authentication methods attempt to bind to the specified LDAP server using the supplied user name and password. If this bind succeeds, the connection is closed and the password is considered valid.
The zimbraAuthLdapURL and zimbraAuthLdapBindDn attributes are required for external authentication.
The zimbraAuthLdapURL attribute ldap://ldapserver:port/ identifies the IP address or host name of the external directory server, and port is the port number. You can also use the fully qualified host name instead of the port number.
For example:
ldap://server1:3268
ldap://exch1.acme.com
If it is an SSL connection, use ldaps: instead of ldap:. The SSL certificate used by the server must be configured as a trusted certificate.
The zimbraAuthLdapBindDn attribute is a format string used to determine which DN to use when binding to the external directory server.
During the authentication process, the user name starts out in the format:
user@domain.com
The user name might need to be transformed into a valid LDAP bind DN (distinguished name) in the external directory. In the case of Active Directory, that bind DN might be in a different domain.
Custom Authentication
You can implement a custom authentication to integrate external authentication to your proprietary identity database. When an authentication request comes in, Zimbra checks the designated auth mechanism for the domain. If the auth mechanism is set to custom authentication, Zimbra invokes the registered custom auth handler to authenticate the user.
To set up custom authentication, prepare the domain for the custom auth and register the custom authentication handler.
Preparing a domain for custom auth
To enable a domain for custom auth, set the domain attribute, zimbraAuthMech, to custom:{registered-custom-auth-handler-name}.
In the following example, sample is the name that custom authentication is registered under.
zmprov modifydomain {domain|id} zimbraAuthMech custom:sample
Register a custom authentication handler.
To register a custom authentication handler, invoke ZimbraCustomAuth.register [handlerName, handler] in the init method of the extension.
Class: com.zimbra.cs.account.ldap.ZimbraCustomAuth
Method: public synchronized static void register [String handlerName, ZimbraCustomAuth handler]
Definitions
handlerName is the name under which this custom auth handler is registered to Zimbra's authentication infrastructure. This name is set in the zimbraAuthMech attribute of the domain.
handler is the object on which the authenticate method is invoked for this custom auth handler. The object has to be an instance of ZimbraCustomAuth (or subclasses of it).
Example
How