ZCS Administrator's Guide, Open Source Edition 5.0 (Rev 5.0.19 September 2009)
Managing ZCS Configurations
This chapter describes the Zimbra Collaboration Suite components that you manage. The ZCS components are configured during the initial installation of the software. After the installation, you can manage the following components from either the administration console or using the CLI utility:
Help is available from the administration console about how to perform tasks from the administration console. If the task is only available from the CLI, see Appendix A for a description of how to use the CLI utility.
Managing Global Configurations
Global Settings controls global rules that apply to accounts in the Zimbra servers. The global settings are set during installation, and the settings can be modified from the administration console. A series of tabs make it easy to manage these settings.
Global settings that can be configured include:
Configuring authentication process, setting the Relay MTA for external delivery, enabling DNS lookup and protocol checks
Note: If IMAP/POP proxy is set up, make sure that the port numbers are configured correctly.
Note: Configurations set in Global Settings define inherited default values for the following objects: server, account, COS, and domain. If these attributes are set in the server, they override the global settings.
General Global Settings
In the General tab configure the following:
Most results returned by GAL search field. This sets a global ceiling for the number of GAL results returned from a user search. The default is 100 results per search.
Default domain. The default domain displays. This is the domain that user logins are authenticated against.
Number of scheduled tasks that can run simultaneously. This controls how many threads are used to process fetching content from remote data sources. The default is 20. If this is set too low, users do not get their mail from external sources pulled down often enough. If the thread count is set too high, the server may be consumed with downloading this mail and not servicing “main” user requests.
Sleep time between subsequent mailbox purges. The duration of time that the server should “rest” between purging mailboxes. By default, message purge is scheduled to run every 1 minute. See the Customizing Accounts chapter, section “Setting Email Retention Policy” .
Note: If the message purge schedule is set to 0, messages are not purged even if the mail, trash and spam message life time is set.
Maximum size of an uploaded file for Documents or Briefcase (kb). This is the maximum size of a file that can be uploaded into Documents or Briefcase. Note: the maximum message size for an email message and attachments that can be sent is configured in the Global Settings MTA tab.
Global Attachment Settings
The Attachments tab can be configured with global rules to reject mail with files attached and to disable viewing files attached to mail messages in users’ mailboxes. When attachment settings are configured in Global Settings, the global rule takes precedence over COS and Account settings.
The attachment settings are as follows:
Attachments cannot be viewed regardless of COS. Users cannot view any attachments. This global setting can be set to prevent a virus outbreak from attachments, as no mail attachments can be opened.
Attachments are viewed according to COS. This global setting states that the COS sets the rules for how email attachments are viewed.
Reject messages with attachment extension lets you select which file types are unauthorized for all accounts. The most common extensions are listed. You can also add different extension types to the list. Messages with those types of files attached are rejected and the sender gets a bounce notice. The recipient does not get the mail message and is not notified.
Note: Attachments settings can also be set for a Class of Service (COS) and for accounts.
Global MTA Settings
The MTA tab is used to enable or disable authentication and configure a relay hostname, the maximum message size, enable DNS lookup, protocol checks, and DNS checks. For information about the Zimbra MTA, see Zimbra MTA.
 
Authentication should be enabled to support mobile SMTP authentication users, so that their email clients can talk to the Zimbra MTA.
TLS authentication only forces all SMTP auth to use Transport Layer Security (TLS) to avoid passing passwords in the clear.
Web mail MTA Host name and Web mail MTA Port. The MTA that the web server connects to for sending mail. The default port number is 25.
The Relay MTA for external delivery is the relay host name. This is the Zimbra MTA to which Postfix relays non-local email.
If your MX records point to a spam-relay or any other external non-Zimbra server, enter the name of that server in the Inbound SMTP host name field. This check compares the domain MX setting against the zimbraInboundSmtpHostname setting, if set. If this attribute is not set, the domain MX setting is checked against zimbraSmtpHostname.
If Enable DNS lookups is checked, the Zimbra MTA makes an explicit DNS query for the MX record of the recipient domain. If this option is disabled, set a relay host in the Relay MTA for external delivery.
If Allow domain administrators to check MX records from Admin Console is checked, domain administrators can check the MX records for their domain.
Set the Maximum message size for a message and its attachments that can be sent. Note: To set the maximum size of an uploaded file to Documents or Briefcase, go to the General Information tab.
You can enable the X-Originating-IP header to messages checkbox. The X-Originating-IP header information specifies the original sending IP of the email message the server is forwarding.
Protocol checks
The Protocol fields are checked to reject unsolicited commercial email (UCE), for spam control.
The DNS fields are checked to reject mail if the client’s IP address is unknown, the hostname in the greeting is unknown, or if the sender’s domain is unknown.
Global IMAP and POP Settings
IMAP and POP access can be enabled as a global setting or server setting.
With POP3 users can retrieve their mail stored on the Zimbra server and download new mail to their computer. The user’s POP configuration determines if messages are deleted from the Zimbra server.
With IMAP, users can access their mail from any computer as the mail is stored on the Zimbra server.
When you make changes to these settings, you must restart ZCS before the changes take effect.
Anti-spam Settings
ZCS utilizes SpamAssassin to control spam. SpamAssassin uses predefined rules as well as a Bayes database to score messages with a numerical range. ZCS uses a percentage value to determine spaminess based on a SpamAssassin score of 20 as 100%. Any message tagged between 33%-75% is considered spam and delivered to the user’s Junk folder. Messages tagged above 75% are always considered spam and discarded.
When a message is tagged as spam, the message is delivered to the recipient’s Junk folder. Users can view the number of unread messages that are in their Junk folder and can open the Junk folder to review the messages marked as spam. If you have the anti-spam training filters enabled, when they add or remove messages in the Junk folder, their action helps train the spam filter. See “Anti-Spam Protection” .
RBL (Real time black-hole lists) can be turned on or off in SpamAssassin from the Zimbra CLI. See the section “To turn RBL on:” .
Anti-virus Settings
Anti-virus protection is enabled for each server when the Zimbra software is installed. The global settings for anti-virus protection are configured with these options enabled:
Block encrypted archives, such as password protected zipped files.
Send notification to recipient to alert that a mail message had a virus and was not delivered.
During ZCS installation, the administrator notification address for anti-virus alerts is configured. The default is to set up the admin account to receive the notification. When a virus has been found, a notification is automatically sent to that address.
By default, the Zimbra MTA checks every two hours for any new anti-virus updates from ClamAV. The frequency can be set between 1 and 24 hours.
Note: Updates are obtained via HTTP from the ClamAV website.
Zimbra Free/Busy Interoperability
When ZCS is deployed in a mix of ZCS servers and third party email servers and Calendar is an important feature with your users, you can set up free/busy scheduling across the mix so that users can efficiently schedule meetings.
ZCS can query the free/busy schedules of users on Microsoft Exchange 2003/2007 servers and also can propagate the free/busy schedules of ZCS users to the Exchange servers.
To set free/busy interoperability, the Exchange systems must be set up as described in the Exchange Setup Requirements section, and the ZCS Global Config, Domain, COS and Account settings must be configured. The easiest way to configure ZCS is from the administration console.
Note: You can use the zmprov CLI. For more information about using zmprov to set this up, see the wiki article, Free Busy Interop for Exchange.
Exchange 2003/2007 Setup Requirements.
For Exchange 2003, the following is required:
ZCS users must be provisioned as a contact on the AD using the same administrative group for each mail domain. This is required only for ZCS to Exchange free/busy replication.
The Exchange user name must be provisioned in the account attribute zimbraForeignPrincipal for all ZCS users. This is required only for ZCS to Exchange free/busy replication.
Configuring Free/Busy on ZCS
To set Free/Busy Interoperability up from the administration console, configure the following:
Add the o and ou values that are configured in the legacyExchangeDN attribute for Exchange in either the Global Config or Domain Interop tab or in the Class of Service (COS) Advanced tab. The o and ou values correspond to the ZCS domain attribute zimbraFreebusyExchangeUserOrg.
In the Accounts Free/Busy Interop tab, configure the foreign principal for the account. The cn setting in the legacyExchangeDN attribute corresponds to the zimbraForeignPrincipal attribute. This sets up a mapping from the ZCS account to the corresponding object in the AD.
Note: To find these settings on the Exchange server, you can run the Exchange ADSI Edit tool and search the legacyExchangeDN attribute for the o= , ou= , and cn= settings.
Global Config Setup
The ZCS Global Config Settings are configured from the Interop tab on the administration console. Here you configure the Exchange server settings as follows:
Exchange user name and password. This is the name of the account in Active Directory and password that has access to the public folders. These are used to authenticate against the Exchange server on REST and WebDAV interfaces.
The O and OU used in the legacyExchangeDN attribute. Set at the global level this applies to all accounts talking to Exchange.
 
 
 
 
Managing Domains
One domain is identified during the installation process and additional domains can be easily added to the Zimbra system from the administration console.
For domains, you configure the following. These settings can be set from the admin console:
A domain can be renamed and all account, distribution list, alias and resource addresses are changed to the new domain name. The CLI utility is used to change the domain name. See “Renaming a Domain”.
General Information
In this tab you configure the following:
The default time zone for the domain. If a time zone is configured in a COS or for an account, the domain time zone setting is ignored.
Inbound SMTP host name. If your MX records point to a spam-relay or any other external non-zimbra server, enter the name of the server here.
Default Class of Service (COS) for the domain. This COS is automatically assigned to accounts created on the domain if another COS is not set.
Domain status. The domain status is active in the normal state. Users can log in and mail is delivered. Changing the status can affect the status for accounts on the domain also. The domain status is displayed on the Domain General tab. Domain status can be set as follows:
Active. Active is the normal status for domains. Accounts can be created and mail can be delivered. Note: If an account has a different status setting than the domain setting, the account status overrides the domain status.
Closed. When a domain status is marked as closed, login for accounts on the domain is disabled and messages are bounced. The closed status overrides an individual account’s status setting.
Locked. When a domain status is marked as locked, users cannot log in to check their email, but email is still delivered to the accounts. If an account’s status setting is marked as maintenance or closed, the account’s status overrides the domain status setting.
Maintenance. When the domain status is marked as maintenance, users cannot log in and their email is queued at the MTA. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.
Suspended. When the domain status is marked as suspended, users cannot log in, their email is queued at the MTA, and accounts and distribution lists cannot be created, deleted, or modified. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.
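The precedence rules in the list above can be checked mechanically. The following is an added example, not code from the ZCS guide: the function names and the sample accounts are constructed for illustration, and it assumes an account-level status behaves like the domain status of the same name.

```shell
#!/bin/sh
# Added example (not from the ZCS guide): work out which status governs an
# account, following the domain-status precedence rules listed above.

# effective_status DOMAIN_STATUS ACCOUNT_STATUS -> prints the status that wins
effective_status() {
    case "$1" in
        active)
            # An account's own status overrides an active domain.
            echo "$2" ;;
        closed)
            # A closed domain overrides every account status.
            echo closed ;;
        locked)
            # Only maintenance or closed accounts override a locked domain.
            case "$2" in
                maintenance|closed) echo "$2" ;;
                *) echo locked ;;
            esac ;;
        maintenance|suspended)
            # Only closed accounts override these two domain states.
            case "$2" in
                closed) echo closed ;;
                *) echo "$1" ;;
            esac ;;
        *)
            echo "unknown domain status: $1" >&2
            return 1 ;;
    esac
}

# behaviour STATUS -> prints "login=<yes|no> mail=<delivered|queued|bounced>"
# Assumption: account-level statuses act like the same-named domain status.
behaviour() {
    case "$1" in
        active)                echo "login=yes mail=delivered" ;;
        locked)                echo "login=no mail=delivered" ;;
        maintenance|suspended) echo "login=no mail=queued" ;;
        closed)                echo "login=no mail=bounced" ;;
        *) return 1 ;;
    esac
}

# report DOMAIN_STATUS: reads "account status" pairs on stdin and prints
# "account effective-status behaviour" for each one.
report() {
    while read -r acct st; do
        [ -n "$acct" ] || continue
        eff=$(effective_status "$1" "$st") || return 1
        printf '%s %s %s\n' "$acct" "$eff" "$(behaviour "$eff")"
    done
}

# Constructed sample data, not taken from a real system.
sample_accounts() {
    cat <<'EOF'
alice@example.com active
bob@example.com closed
carol@example.com maintenance
dave@example.com locked
EOF
}

# Run with the argument "demo" to print the table for each domain status.
if [ "${1:-}" = "demo" ]; then
    for d in active locked maintenance suspended closed; do
        echo "== domain status: $d"
        sample_accounts | report "$d"
    done
fi
```

Reviewing this table before changing a domain's status shows which accounts stop receiving mail or start bouncing it as a side effect.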
Setting up a Public Service Host Name
You can configure each domain with the public service host name to be used for REST URLs. This is the URL that is used when sharing Documents Notebooks, email folders and Briefcase folders, as well as sharing task lists, address books, and calendars.
When users share a ZCS folder, the default is to create the URL with the Zimbra server hostname and the Zimbra service host name. This is displayed as http://server.domain.com/service/home/username/sharedfolder. The attributes are generated as follows:
When you configure a public service host name, this name is used instead of the server/service name, as http://publicservicename.domain.com/home/username/sharedfolder. The attributes to be used are:
You can use another FQDN as long as the name has a proper DNS entry to point at ‘server’ both internally and externally.
Global Address List (GAL) Mode
The Global Address List (GAL) is your company-wide listing of users that is available to all users of the email system.
GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed. Select one of the following GAL configurations:
Internal. The Zimbra LDAP server is used for directory lookups.
External. External directory servers are used for GAL lookups. You can configure multiple external LDAP hosts for GAL. All other directory services use the Zimbra LDAP service (configuration, mail routing, etc.). When you configure the external GAL mode, you can configure GAL search and GAL sync separately.
Both. Internal and external directory servers are used for GAL lookups.
Configuring Both GAL Search and GAL Sync
Configuring search and sync separately lets you configure different search settings and sync settings. You may want to configure these settings differently if your LDAP environment is set up to optimize LDAP searching by setting up an LDAP cache server, but users also need to be able to sync to the GAL.
Authentication Modes
Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in. Zimbra Collaboration Suite offers the following three authentication mechanisms:
Internal. The Internal authentication uses the Zimbra directory server for authentication on the domain. When you select Internal, no other configuration is required.
External LDAP. The user name and password is the authentication information supplied in the bind operation to the directory server. You must configure the LDAP URL, LDAP filter, and to use DN password to bind to the external server.
External Active Directory. The user name and password is the authentication information supplied to the Active Directory server. You identify the Active Directory domain name and URL.
On the administration console, you use an authentication wizard to configure the authentication settings on your domain.
Virtual Hosts
Virtual hosting allows you to host more than one domain name on a server. The general domain configuration does not change. When you create a virtual host, this becomes the default domain for a user login. Zimbra Web Client users can log in without having to specify the domain name as part of their user name.
Virtual hosts are entered on the Domains>Virtual Hosts tab on the administrator’s console. The virtual host requires a valid DNS configuration with an A record. Not required for Virtual Hosts.
To open the Zimbra Web Client log in page, users enter the virtual host name as the URL address. For example, https://mail.company.com.
When the Zimbra login screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.
Documents
Zimbra Documents is a document sharing and collaboration application. Users can create, organize, and share web documents. Images, spreadsheets, and other rich web content objects can be embedded into Documents via the AJAX Linking and Embedding (ALE) specification.
The Documents application consists of a global Documents account that includes the Document templates and the global notebook, one optional Documents account per domain, and individual accounts’ Documents notebooks. The global Documents account is automatically created when ZCS is installed. The domain Documents account is not automatically created.
One Documents account can be created per domain. You can easily add the account from the administration console when you create a domain. When you create the account, you configure who can access this Documents account and what access rights these users can have.
The following users can be selected to access the Documents account:
Except for Public, which is view-only, you can select the access privileges these users can have: view, edit, remove, and add pages to the Documents notebook. You can view and change these access permissions from the administration console.
Free/Busy Interoperability
The Zimbra Free/Busy Module to connect with Microsoft Exchange pulls the free/busy schedule of users on Exchange and also pushes the free/busy schedule of ZCS users to the Exchange server. You complete the Interop tab for the domain to enable this feature for the domain. For more information see “Zimbra Free/Busy Interoperability” .
You configure the following on the domain Interop tab:
Exchange user name and password. This is the name of the account and password that has access to the public folders.
Note: Domain settings overwrite Global settings.
Zimlets on the Domain
Zimbra Collaboration Suite includes preconfigured Zimlets; see Working with Zimlets. These Zimlets are enabled in the default COS. Additional Zimlets can be added and enabled by COS or by account. All Zimlets that are deployed are displayed in the Domain>Zimlets tab. If you do not want all the deployed Zimlets made available for users on the domain, select from the list the Zimlets that are available for the domain. This overrides the Zimlet settings in the COS or for an account.
 
 
Renaming a Domain
When you rename a domain you are actually creating a new domain, moving all accounts to the new domain and deleting the old domain. All account, alias, distribution list, and resource addresses are changed to the new domain name. The LDAP is updated to reflect the changes.
How to Rename a Domain
Before you rename a domain
After the domain has been renamed
Update external references that you have set up for the old domain name to the new domain name. This may include automatically generated emails that were sent to the administrator’s mailbox, such as backup session notifications.
You rename the domain using the CLI utility zmprov. To rename a domain, type
zmprov -l rd [olddomain.com] [newdomain.com]
Domain Rename Process
When you run this zmprov command, the domain renaming process goes through the following steps:
1. The status of the old domain is changed to an internal status of shutdown, and mail status of the domain is changed to suspended. Users cannot log in, their email is bounced by the MTA, and accounts, calendar resources and distribution lists cannot be created, deleted or modified.
2.
3.
4.
5.
6.
Managing Servers
A server is a machine that has one or more of the Zimbra service packages installed. During the installation, the Zimbra server is automatically registered on the LDAP server.
You can view the current status of all the servers that are configured with Zimbra software, and you can edit or delete existing server records. You cannot add servers directly to LDAP. The ZCS Installation program must be used to add new servers because the installer packages are designed to register the new host at the time of installation.
The server settings include:
General information about the service host name, and LMTP advertised name and bind address, and the number of threads that can simultaneously process data source imports
Authentication types enabled for the server, setting a Web mail MTA hostname different from global. Setting relay MTA for external delivery, and enabling DNS lookup if required.
Enabling POP and IMAP and setting the port numbers for a server. If IMAP/POP proxy is set up, making sure that the port numbers are configured correctly.
Servers inherit global settings if those values are not set in the server configuration. Settings that can be inherited from the Global configuration include MTA, SMTP, IMAP, POP, anti-virus, and anti-spam configurations.
General Server Settings
The General Information tab includes the following configuration information:
LMTP information including advertised name, bind address, and number of threads that can simultaneously process data source imports. The default is 20 threads.
Purge setting. The server manages the message purge schedule. You configure the duration of time that the server should “rest” between purging mailboxes from the administration console, Global settings or Server settings, General tabs. By default, message purge is scheduled to run every 1 minute.
When installing a reverse proxy the communication between the proxy server and the backend mailbox server must be in plain text. Checking This server is a reverse proxy lookup target automatically sets the following:
The Notes text box can be used to record details you want to save.
Services Settings
The Services tab shows the Zimbra services. A check mark identifies the services that are enabled for the selected server, including LDAP, Mailbox, IMAP and POP proxy, MTA, SNMP, Anti-virus, Anti-spam, Spell Checker, and Logger.
MTA Server Settings
The MTA tab shows the following settings:
Authentication enabled. Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail. TLS authentication, when enabled, forces all SMTP auth to use Transport Layer Security (similar to SSL) to avoid passing passwords in the clear.
Network settings, including Web mail MTA hostname, Web mail MTA timeout, the relay MTA for external delivery, MTA trusted networks ID, and the ability to enable DNS lookup for the server.
IMAP and POP Server Settings
From these tabs, you can configure IMAP and POP availability on a per server basis.
Volume Settings
In the Volume tab you manage storage volumes on the Zimbra Mailbox server. When Zimbra Collaboration Suite is installed, one index volume and one message volume are configured on each mailbox server. You can add new volumes, set the volume type, and set the compression threshold.
Note: If Compress Blobs is enabled (YES), the disk space used is decreased, but memory requirements for the server increase.
Index Volume
Each Zimbra mailbox server is configured with one current index volume. Each mailbox is assigned to a permanent directory on the current index volume. When an account is created, the current index volume is automatically defined for the account. You cannot change which index volume the account is assigned.
As index volumes become full, you can create a new current index volume for new accounts. When a new current index volume is added, the older index volume is no longer assigned new accounts.
Index volumes not marked current are still actively in use as the volumes for accounts assigned to them. Any index volume that is referenced by a mailbox as its index volume cannot be deleted.
Message Volume
When a new message is delivered or created, the message is saved in the current message volume. Additional message volumes can be created, but only one is configured as the current volume where new messages are stored. When the volume is full, you can configure a new current message volume. The current message volume receives all new messages. New messages are never stored in the previous volume.
A current volume cannot be deleted, and message volumes that have messages referencing the volume cannot be deleted.
 
 
Managing Other Functions
Zimlets
Zimlets can be deployed and undeployed from the administration console. The Zimlets pane lists all the Zimlets that are installed and shows whether the Zimlet is enabled or not. You can allow access to the enabled Zimlets by domain, and you can configure COSs and individual accounts to allow access to Zimlets. See the Working with Zimlets chapter for information about Zimlets.
Admin Extensions
You can create custom modules to add to the Zimbra administration console user interface. You can use the administration console to easily upload and install your modules.
Note: Go to the Zimbra Wiki, Extending Admin UI for documentation about how to create an extended admin UI module.
Backing Up the System
Backing up the mailbox server on a regular basis can help you quickly restore your email service if there is an unexpected crash. You should include backing up the ZCS server in your system-wide backup process. Only full backups of the ZCS data can be created.
Before backing up the ZCS data, all servers must be stopped. To stop the servers, use the CLI command zmcontrol stop. After the backup is complete, to restart the servers, use zmcontrol start. See Appendix A for more information about these commands.
To restore the ZCS data, you must delete the existing data and then restore the backup files. The servers must be stopped before restoring the data.
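The stop, back up, restart sequence described above can be scripted so that services are restarted even when the archive step fails. This is an added example, not code from the ZCS guide. It assumes ZCS is installed under /opt/zimbra, the script runs as root on a single server, and /backup/zcs is an existing archive directory (both paths are assumptions and can be overridden); in a multi-server deployment every server must be stopped first.

```shell
#!/bin/sh
# Added example (not from the ZCS guide): cold full backup of one ZCS server.
# Assumed paths, override from the environment to match your installation.
ZCS_HOME=${ZCS_HOME:-/opt/zimbra}
BACKUP_DIR=${BACKUP_DIR:-/backup/zcs}

# Run a zmcontrol subcommand (stop, start) as the zimbra user.
zm() {
    su - zimbra -c "zmcontrol $1"
}

# cold_backup: stop services, archive ZCS_HOME, then always restart.
# Prints the archive path on success; returns non-zero on any failure.
cold_backup() {
    archive="$BACKUP_DIR/zcs-full-$(date +%Y%m%d-%H%M%S).tar.gz"
    rc=0

    if ! zm stop >&2; then
        # A partial stop may have left some services down: bring them back.
        echo "zmcontrol stop failed; skipping backup" >&2
        zm start >&2
        return 1
    fi

    # The archive holds every mailbox and the LDAP data, so create it
    # readable by its owner only.
    old_umask=$(umask)
    umask 077
    if ! tar -czf "$archive" -C "$(dirname "$ZCS_HOME")" "$(basename "$ZCS_HOME")"; then
        echo "tar failed; removing partial archive" >&2
        rm -f "$archive"
        rc=1
    fi
    umask "$old_umask"

    # Restart whether or not the archive succeeded, so a failed backup
    # does not leave the mail service down.
    if ! zm start >&2; then
        echo "zmcontrol start failed" >&2
        rc=2
    fi

    if [ "$rc" -eq 0 ]; then
        echo "$archive"
    fi
    return "$rc"
}

# Run with the argument "--run" to perform the backup.
if [ "${1:-}" = "--run" ]; then
    cold_backup
fi
```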
 

Copyright © 2009 Zimbra Inc.