ZCS Administrator's Guide 7.2.3
Open Source Edition



Managing Domains
One domain is identified during the installation process and additional domains can be easily added to the Zimbra system from the administration console.
The following domain settings can be configured from the admin console:
*
*
*
*
*
*
*
A domain can be renamed, and all account, distribution list, alias and resource addresses are changed to the new domain name. The CLI utility is used to change the domain name. See Renaming a Domain.
Note:
General Information
In this tab you configure the following:
*
*
*
*
*
Active. Active is the normal status for domains. Accounts can be created and mail can be delivered. Note: If an account has a different status setting than the domain setting, the account status overrides the domain status.
Closed. When a domain status is marked as closed, login for accounts on the domain is disabled and messages are bounced. The closed status overrides an individual account’s status setting.
Locked. When a domain status is marked as locked, users cannot log in to check their email, but email is still delivered to the accounts. If an account’s status setting is marked as maintenance or closed, the account’s status overrides the domain status setting.
Maintenance. When the domain status is marked as maintenance, users cannot log in and their email is queued at the MTA. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.
Suspended. When the domain status is marked as suspended, users cannot log in, their email is queued at the MTA, and accounts and distribution lists cannot be created, deleted, or modified. If an account’s status setting is marked as closed, the account’s status overrides the domain status setting.
Shutdown. When the domain status is changed to Shutdown, the server is doing major and lengthy maintenance work on the domain, for example, renaming the domain or moving LDAP entries. Modification and deletion of the domain can only be done internally by the server when it is safe to release the domain; they cannot be done in the admin console or using zmprov.
Setting up a Public Service Host Name
You can configure each domain with the public service host name to be used for REST URLs. This is the URL that is used when sharing email folders and Briefcase folders, as well as sharing task lists, address books, and calendars.
When users share a ZCS folder, the default is to create the URL with the Zimbra server hostname and the Zimbra service host name. This is displayed as http://server.domain.com/service/home/username/sharedfolder. The attributes are generated as follows:
*
*
*
When you configure a public service host name, this name is used instead of the server/service name, as http://publicservicename.domain.com/home/username/sharedfolder. The attributes to be used are:
*
*
*
You can use another FQDN as long as the name has a proper DNS entry to point at ‘server’ both internally and externally.
Global Address List (GAL) Mode
The Global Address List (GAL) is your company-wide listing of users that is available to all users of the email system. See Zimbra LDAP Service on page 33.
GAL is configured on a per-domain basis. The GAL mode setting for each domain determines where the GAL lookup is performed.
Select one of the following GAL configurations:
* Internal. The Zimbra LDAP server is used for directory lookups.
* External. External directory servers are used for GAL lookups. You can configure multiple external LDAP hosts for GAL. All other directory services use the Zimbra LDAP service (configuration, mail routing, etc.). When you configure the external GAL mode, you can configure GAL search and GAL sync separately.
* Both. Internal and external directory servers are used for GAL lookups.
Creating GAL sync accounts
To give users faster access to GAL, when you configure an internal or external GAL, you can set up an account in ZCS that is configured to sync to the GAL data. You define the GAL datasource and the contact data is synced to the address book.
If the mode Both is selected, an address book is created for each LDAP data source.
When a datasource is configured in this account, the GAL configuration on the domain is overridden.
The internal GAL polling interval for the GAL sync determines how often the GALsync account syncs with the LDAP server. The sync intervals can be in x days, hours, minutes, or seconds.
When the GAL sync account syncs to the LDAP, all GAL contacts from the LDAP are added to the address book for that GAL. During the sync, the address book is updated with new contact, modified contact and deleted contact information. You should not modify the address book directly. When the LDAP syncs the GAL to the address book, changes you made directly to the address book are deleted.
If the GALsync account is not available for some reason, the traditional LDAP based search is run.
See Appendix A Command-Line Utilities, the CLI zmgsautil, for information about the GALsync CLI command.
Changing GAL sync account name.
The default name for the GAL sync account is galsync. When you configure the GAL mode, you can specify another name. After the GAL sync account is created, you cannot rename the account as the data sync will not work.
To change the account name you delete the existing GAL sync account and configure a new GAL for the domain.
1.
2. Select Configure GAL to open the configuration wizard and change the GAL mode to internal. Do not configure any other fields. Click Finish.
3.
4.
Configuring GAL Search for External GALs
When you configure an external GAL, you can configure different search settings and sync settings. You may want to configure different search settings if your LDAP environment is set up to optimize LDAP searching by setting up an LDAP cache server, but users also will need to be able to sync to the GAL.
Authentication Modes
Authentication is the process of identifying a user or a server to the directory server and granting access to legitimate users based on user name and password information provided when users log in. VMware Zimbra Collaboration Server offers the following three authentication mechanisms:
* Internal. The Internal authentication uses the Zimbra directory server for authentication on the domain. When you select Internal, no other configuration is required.
* External LDAP. The user name and password are the authentication information supplied in the bind operation to the directory server. You must configure the LDAP URL, the LDAP filter, and the use of a DN password to bind to the external server.
* External Active Directory. The user name and password are the authentication information supplied to the Active Directory server. You identify the Active Directory domain name and URL.
On the administration console, you use an authentication wizard to configure the authentication settings on your domain.
Virtual Hosts
Virtual hosting allows you to host more than one domain name on a server. The general domain configuration does not change. When you create a virtual host, this becomes the default domain for a user login. Zimbra Web Client users can log in without having to specify the domain name as part of their user name.
Virtual hosts are entered on the Domains>Virtual Hosts tab on the administrator’s console. The virtual host requires a valid DNS configuration with an A record. Not required for Virtual Hosts.
To open the Zimbra Web Client login page, users enter the virtual host name as the URL address. For example, https://mail.company.com.
When the Zimbra login screen displays, users enter only their user name and password. The authentication request searches for a domain with that virtual host name. When the virtual host is found, the authentication is completed against that domain.
Domain Advanced Tab
The features configured in the Advanced tab include:
*
*
Briefcase
When a Briefcase folder is shared with an external guest, they must log in to view the shared item.
The Authentication Required dialog that displays references the company name “Zimbra” in the prompt. You can change the company name from Zimbra to your company name in the Domain>Advanced tab. This also can be configured as a global setting.
Setting Account Email Validation Rules
The ZCS server validates an email address or domain name using javax.mail.internet.InternetAddress when accounts, groups, or domains are created or renamed.
You can define additional email validation rules to validate email addresses for messages sent from the advanced Zimbra Web Client. This validation is done from the Zimbra Web Client.
1.
2. In the Regular expression for invalid email address field, enter a regular expression (regex) to filter out email addresses that should be considered invalid. You can add multiple regular expressions.
Example of regular expressions:
* test@\\d+.com. This regular expression identifies email addresses with a number in the domain name as invalid. That is, test@123.com or test@1.com are not valid addresses.
* mail@donotreply.com (any specific address). This type of regular expression identifies a specific email address that is invalid.
Note:
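The regular expressions above, worked through as an added example (not part of the Zimbra guide or the Zimbra code base). It assumes each rule must match the whole address, which the page does not state, and shows that the unescaped "." in the first pattern also flags addresses such as test@123xcom; the function names, rule sets and sample addresses are constructed for illustration.

```javascript
// Added example: models how a list of "invalid address" regexes classifies
// addresses. Assumption: a rule must match the whole address; the matching
// mode used by the Zimbra Web Client is not stated on the page.

// Constructed rule sets. In a JavaScript string literal "\\d" yields the
// regex token \d. STRICT_RULES escapes the dot so it matches only ".".
const GUIDE_RULES = ['test@\\d+.com', 'mail@donotreply.com'];
const STRICT_RULES = ['test@\\d+\\.com', 'mail@donotreply\\.com'];

// Compile each rule anchored at both ends; a rule that does not compile is
// reported rather than silently skipped.
function compileRules(rules) {
  return rules.map((src) => {
    try {
      return { src, re: new RegExp(`^(?:${src})$`) };
    } catch (err) {
      throw new Error(`invalid rule ${JSON.stringify(src)}: ${err.message}`);
    }
  });
}

// Return the source of the first rule that marks the address invalid, or null.
function rejectedBy(address, rules) {
  const hit = compileRules(rules).find(({ re }) => re.test(address));
  return hit ? hit.src : null;
}

// Classify a list of addresses against one rule set.
function audit(addresses, rules) {
  return addresses.map((a) => ({ address: a, rule: rejectedBy(a, rules) }));
}

// Constructed sample addresses.
const SAMPLES = [
  'test@123.com',        // the guide's example
  'test@1.com',          // the guide's example
  'test@123xcom',        // caught only because "." matches any character
  'test@abc.com',        // no digits after "@"
  'Test@123.com',        // rules are case-sensitive as written
  'mail@donotreply.com', // the specific-address rule
];

for (const row of audit(SAMPLES, GUIDE_RULES)) {
  console.log(row.address.padEnd(22), row.rule ?? 'accepted');
}
```

Running the same samples through STRICT_RULES shows which rejections depend on the unescaped dot.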
Free/Busy Interoperability
The Zimbra Free/Busy Module to connect with Microsoft Exchange pulls the free/busy schedule of users on Exchange and also pushes the free/busy schedule of ZCS users to the Exchange server. You complete the Interop tab for the domain to enable this feature for the domain. For more information see Zimbra Free/Busy Interoperability.
You configure the following on the domain Interop tab:
*
*
*
Zimlets on the Domain
VMware Zimbra Collaboration Server includes preconfigured Zimlets; see Managing Zimlets on page 185. These Zimlets are enabled in the default COS. Additional Zimlets can be added and enabled by COS or by account. All Zimlets that are deployed are displayed in the Domain>Zimlets tab. If you do not want all the deployed Zimlets made available for users on the domain, select from the list the Zimlets that are available for the domain. This overrides the Zimlet settings in the COS or for an account.
Renaming a Domain
When you rename a domain you are actually creating a new domain, moving all accounts to the new domain and deleting the old domain. All account, alias, distribution list, and resource addresses are changed to the new domain name. The LDAP is updated to reflect the changes.
How to Rename a Domain
Before you rename a domain
*
*
After the domain has been renamed
*
*
You rename the domain using the CLI utility zmprov. To rename a domain, type
zmprov -l rd [olddomain.com] [newdomain.com]
Domain Rename Process
When you run this zmprov command, the domain renaming process goes through the following steps:
1. The status of the old domain is changed to an internal status of shutdown, and mail status of the domain is changed to suspended. Users cannot log in, their email is bounced by the MTA, and accounts, calendar resources and distribution lists cannot be created, deleted or modified.
2.
3.
4.
5.
6.
Adding a Domain Alias
A domain alias allows different domain names to direct to a single domain address. For example, if your domain is domain.com but you want users to have an address of example.com, you can create example.com as the alias for the domain.com address. Sending mail to user@example.com is the same as sending mail to user@domain.com.
Note:
You can create a domain alias from the administration console Domain tool bar>Add a Domain Alias link. The domain alias is listed in the administration console Navigation pane under Domains.
Installing a SSL Certificate for a Domain
An SSL certificate can be installed for each domain on a ZCS server. Zimbra Proxy must be installed on ZCS and correctly configured to support multiple domains. For each domain, a virtual host name and Virtual IP address are configured with the virtual domain name and IP address.
Each domain must be issued a signed commercial certificate that attests that the public key contained in the certificate belongs to that domain.
To install the SSL Certificate for a Domain:
1. Configure the Zimbra Proxy Virtual Host Name and IP Address. Type zmprov md <domain> +zimbraVirtualHostName {domain.example.com} +zimbraVirtualIPAddress {1.2.3.4}
Note:
2.
Copy the root certificate and the intermediate certificates in descending order, starting with your domain certificate. This allows the full certificate chain to be validated.
Make sure you remove any password authentication from the private key before the certificate is saved. See your commercial certificate provider for details about how to remove the password.
Click Save.
The domain certificate is deployed to /opt/zimbra/conf/domaincerts.
Copyright © 2013 VMware Inc.