Background
I am looking to bring email in-house for a small accountancy firm (< 5 users). I explored outsourcing to a Zimbra hosting provider, but there is only one in the country and we were unsatisfied with their service. As a result, I have decided to set up a Zimbra mail server myself with the help of the Zimbra community.
The purpose of this thread is to verify that the steps and decisions that I make are as sound as possible. Setting up a mail server is a new experience for me, as is the lingo. I have spent the past week reading up as much as I can in the Zimbra forums, as well as various wikis, blogs etc. However, putting all the pieces together in an appropriate way for this accountancy is important and I don't want to make any critical mistakes in terms of security and reliability.
Infrastructure
Internet (Dynamic IP) <-> ADSL Modem <-> Cisco ASA 5505 <-> Server (VMWare ESXi host)
Note: Although the ISP provides a dynamic IP, which renews every 20 minutes, we always get the same one. Also, the ISP blocks port 25.
I will separate my Zimbra installation into three sections making it more manageable for myself and anyone who is willing to help. Also, I think this will be useful for others looking for a Zimbra installation recipe.
1. Domain & DNS (Including Firewall) [STATUS: Waiting for feedback]
2. OS Install & Configuration (Including Split-DNS) [STATUS: Waiting for feedback]
3. Zimbra Install & Configuration [STATUS: On hold]
Note: I will update this post with any changes I make after receiving feedback from the community.
-------------------------------------------------
1. Domain & DNS (Including Firewall)
The accountancy firm's domain registrar only handles the domain and points to the ISP's DNS servers. I can administer the domain and any DNS records on the ISP's website.
Code:
Domain: mydomain.se
Public IP: 217.xxx.xxx.xx
Q1: Through my research I have read about different DNS records: MX, PTR, A, CNAME etc. Should I set up any other records except for MX and A?
Q2: On the ISP's DNS editor website, setting up a DNS record involves filling out four fields: Subdomain, Type, TTL and Data. For my MX and A records:
Code:
Subdomain Type TTL Data
@ MX ? mail.mydomain.se
@ A ? 217.xxx.xxx.xx (public IP)
Have I made a mistake by putting "@" for both records? I understand that the "@" means the root domain, i.e. mydomain.se, but I have seen some people put "mail" instead.
Also, I am not confident about what time (TTL) to choose for each record.
Finally, the firewall. There is a Cisco ASA 5505 (base license) that needs to be configured for the Zimbra mail server. At the moment there are no ports open and the only way into the LAN is via VPN. I am not a security expert, but I am concerned about security.
Q3: Are the minimum ports that need to be opened 443 (https), 993 (imaps) and 25 (smtp) for sending and receiving email from the LAN and WAN using a client mail application and Zimbra webmail?
Q4: The ISP blocks port 25. They have an SMTP mail relay thing that is free of charge, but is there any way not to rely on the ISP for sending email, i.e. can I bypass the port 25 restriction?
Q5: Are there any additional things I should think about before moving to the next section?
-------------------------------------------------
2. OS Install & Configuration (Including Split-DNS)
I've chosen to use Ubuntu Server 8.04.4 LTS installed in a virtual machine, which will run on the ESXi 4 host. I have little Linux experience, so I will outline most of the steps that I've taken in installing and configuring the OS.
Setting up the virtual machine:
Code:
1 vCPU
2 GB RAM
20 GB hard drive (vmdk)
Q6: I looked at the Zimbra Virtual Appliance and it has two vmdks. Should I do something similar for my install?
The following steps I've compiled from these sources:
Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki
[SOLVED] DNS in a nutshell
Split DNS - Zimbra :: Wiki
The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server) | HowtoForge - Linux Howtos and Tutorials
http://help.ubuntu.com/community/BIND9ServerHowto
During the Ubuntu Server installation I interrupted the DHCP network configuration and chose to do a manual network configuration with the following settings:
Code:
IP: 10.0.1.100
Netmask: 255.255.255.0
Gateway: 10.0.1.1
Nameserver: 10.0.1.100
Hostname: mail
Domain: mydomain.se
At "Partition Disks" I selected "Guided - use entire disk" and accepted the default partition scheme.
Q7: This question is linked to Q6 about the virtual disk setup. Should I modify the partitioning scheme and if so what would be suitable for my mail server?
Finally, at the "Software Selection" screen I selected:
Code:
DNS server
OpenSSH server
Once the installation completed I updated the apt package database and installed any updates:
Code:
sudo apt-get update
sudo apt-get upgrade --show-upgraded
Now I installed "ntpd" for timekeeping against a network time server:
Code:
sudo apt-get install ntp
Note: The following two links are useful for configuring the ntpd service and making sure you follow best practices for virtual machine time management.
https://help.ubuntu.com/8.04/serverguide/C/NTP.html
http://kb.vmware.com/selfservice/mic...rnalId=1006427
Installing VMware Tools is also recommended, and I did so using an Operating System Specific Package (OSP). See this link for information:
http://www.vmware.com/pdf/osp_install_guide.pdf.
At this point I tackled Split-DNS. I can't say that I have fully grasped everything that follows, but since Zimbra will be behind a firewall this is essential.
I started by verifying the hosts file and modifying the first line, so that the file looks like this:
/etc/hosts
Code:
127.0.0.1 localhost.localdomain localhost
10.0.1.100 mail.mydomain.se mail
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Next I verified resolv.conf:
/etc/resolv.conf
Code:
search mydomain.se
nameserver 10.0.1.100
The next file to modify is named.conf.options. I've seen different variations of this file, but this is what mine looks like. The only thing I've changed is to uncomment "forwarders" and add my ISP's DNS servers.
/etc/bind/named.conf.options
Code:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
195.67.199.39;
195.67.199.40;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Q8: Should the forwarders be the ISP's DNS servers or the DNS servers that mydomain.se points to?
Add a DNS zone by editing named.conf.local. All I did was add the part in bold.
/etc/bind/named.conf.local
Code:
//
// Do any local configuration here
//
zone "mydomain.se" {
type master;
file "/etc/bind/db.mydomain.se";
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
Next I used an existing zone file as a template (I saw this here: https://help.ubuntu.com/community/BIND9ServerHowto):
Code:
sudo cp /etc/bind/db.local /etc/bind/db.mydomain.se
After making a copy I made a number of changes (shown in bold). Again, I've seen many variations of this file:
/etc/bind/db.mydomain.se
Code:
;
; BIND data file for mydomain.se
;
$TTL    604800
@       IN      SOA     mail.mydomain.se. admin.mydomain.se. (
                        20100603        ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       10.0.1.100
mail    IN      A       10.0.1.100
Q9: There are two things that I'd like help with in the above file.
a) Should I change the different time durations from the default?
b) If my understanding of Split-DNS is correct, then the last four lines should be the same as the two that I set up in Q2 above, but with the LAN IP. Well, they are not, as I followed the Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki. Perhaps someone can please clarify this for me.
Q10: I read something about chrooting BIND. According to the information in Ubuntu's BIND9ServerHowto this is recommended if AppArmor is not installed. Well, I have not made any changes to AppArmor and frankly am not sure about all of this. What is the recommended approach?
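The zone file above, and Q9 b) in particular, hinge on how BIND reads owner names: a record line that starts with whitespace has no owner of its own and inherits the owner of the previous record, so "IN MX 10 mail" and "IN A 10.0.1.100" both belong to "@" (mydomain.se), and "mail" is qualified against the zone origin. The following added example (not from the post or the Zimbra wiki) is a small zone-file parser that makes that inheritance explicit and then runs the checks a split-DNS mail zone should pass: the MX and NS targets resolve within the zone to the LAN address, the SOA serial is numeric, and no public address leaks into the internal view. ZONE_TEXT is a constructed copy of the post's db.mydomain.se with the owner-less lines indented as they are in a real zone file; LAN_IP and ORIGIN are the post's values.

```python
"""Parse a BIND zone file and sanity-check it for a split-DNS mail setup.

Added example, not code from the post or the Zimbra project. ZONE_TEXT is a
constructed copy of the post's /etc/bind/db.mydomain.se.
"""
import ipaddress

ORIGIN = "mydomain.se"   # zone origin from the post
LAN_IP = "10.0.1.100"    # internal address of the mail server from the post

# Constructed copy of the post's zone file; comments and the parenthesised
# SOA are kept so the parser has to handle both.
ZONE_TEXT = """\
;
; BIND data file for mydomain.se
;
$TTL    604800
@       IN      SOA     mail.mydomain.se. admin.mydomain.se. (
                        20100603        ; Serial
                        604800          ; Refresh
                        86400           ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative Cache TTL
;
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       10.0.1.100
mail    IN      A       10.0.1.100
"""


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified name (no trailing dot)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into one line."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        line = line.replace("(", " ").replace(")", " ")
        buf = f"{buf} {line}" if buf else line
        if depth == 0:
            yield buf
            buf = ""


def parse_zone(text, origin):
    """Return (default_ttl, records); each record is a dict owner/ttl/type/rdata."""
    default_ttl, last_owner, records = None, origin, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):          # $TTL and other directives
            if tokens[0] == "$TTL":
                default_ttl = int(tokens[1])
            continue
        if line[0].isspace():
            owner = last_owner                  # blank owner: inherit previous
        else:
            owner = qualify(tokens.pop(0), origin)
            last_owner = owner
        ttl = default_ttl
        if tokens[0].isdigit():                 # optional per-record TTL
            ttl = int(tokens.pop(0))
        if tokens[0].upper() == "IN":           # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": tokens})
    return default_ttl, records


def check_mail_zone(records, origin, lan_ip):
    """Return the problems an internal (split-DNS) mail zone should not have."""
    problems, a_records = [], {}
    for r in records:
        if r["type"] == "A":
            a_records.setdefault(r["owner"], set()).add(r["rdata"][0])
    soa = [r for r in records if r["type"] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa)}")
    else:
        mname, serial = qualify(soa[0]["rdata"][0], origin), soa[0]["rdata"][2]
        if not serial.isdigit():
            problems.append(f"SOA serial {serial!r} is not numeric")
        if mname not in a_records:
            problems.append(f"SOA primary {mname} has no A record in the zone")
    if not any(r["type"] == "MX" and r["owner"] == origin for r in records):
        problems.append(f"no MX record for {origin}")
    for r in records:                           # NS/MX targets must be the LAN host
        if r["type"] in ("NS", "MX"):
            target = qualify(r["rdata"][-1], origin)
            if lan_ip not in a_records.get(target, set()):
                problems.append(f"{r['type']} target {target} does not resolve to {lan_ip}")
    for owner, ips in a_records.items():       # the internal view must stay private
        for ip in ips:
            try:
                if not ipaddress.ip_address(ip).is_private:
                    problems.append(f"{owner} -> {ip} is a public address in the internal zone")
            except ValueError:
                problems.append(f"{owner} -> {ip!r} is not an IP address")
    return problems


if __name__ == "__main__":
    ttl, recs = parse_zone(ZONE_TEXT, ORIGIN)
    for rec in recs:
        print(f"{rec['owner']:<20} {rec['ttl']:>7} {rec['type']:<4} {' '.join(rec['rdata'])}")
    print("problems:", check_mail_zone(recs, ORIGIN, LAN_IP) or "none")
```

Running it prints each record with its resolved owner, which shows the two owner-less lines landing under mydomain.se, and reports no problems for the post's zone; swapping the A records for a public address makes the LAN-address and private-address checks fire.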
Finally, I finish off this long section (thank you for reading) by restarting bind:
Code:
sudo /etc/init.d/bind9 restart
Then I ran the following diagnostics, which hopefully mean more to you than to me:
dig mydomain.se mx
Code:
; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mydomain.se. IN MX
;; ANSWER SECTION:
mydomain.se. 604800 IN MX 10 mail.mydomain.se.
;; AUTHORITY SECTION:
mydomain.se. 604800 IN NS mail.mydomain.se.
;; ADDITIONAL SECTION:
mail.mydomain.se. 604800 IN A 10.0.1.100
;; Query time: 2 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun 8 19:56:37 2010
;; MSG SIZE rcvd: 85
dig mydomain.se any
Code:
; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53740
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;mydomain.se. IN ANY
;; ANSWER SECTION:
mydomain.se. 604800 IN SOA mail.mydomain.se. admin.mydomain.se. 20100603 604800 86400 2419200 604800
mydomain.se. 604800 IN NS mail.mydomain.se.
mydomain.se. 604800 IN MX 10 mail.mydomain.se.
mydomain.se. 604800 IN A 10.0.1.100
;; ADDITIONAL SECTION:
mail.mydomain.se. 604800 IN A 10.0.1.100
;; Query time: 1 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun 8 19:57:21 2010
;; MSG SIZE rcvd: 143
host `hostname`
Code:
mail.mydomain.se has address 10.0.1.100
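What the dig output above actually proves is worth spelling out: the "aa" flag means the local BIND answered from its own zone rather than forwarding the query, "SERVER: 10.0.1.100" means the answer came from the server's own resolver, and the ADDITIONAL section shows the MX target resolving to the LAN address. The following added example (not from the post or the Zimbra wiki) parses that output and checks each of those points, so a run that accidentally forwards to the ISP or returns the public address is flagged instead of looking superficially fine. DIG_OUTPUT is a constructed copy of the post's own "dig mydomain.se mx" result; the domain, resolver and LAN address passed to check_split_dns() are the post's values.

```python
"""Interpret 'dig' output from a split-DNS check.

Added example, not code from the post or the Zimbra project. DIG_OUTPUT is a
constructed copy of the post's own 'dig mydomain.se mx' result.
"""
import re

DIG_OUTPUT = """\
; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.se.                   IN      MX

;; ANSWER SECTION:
mydomain.se.            604800  IN      MX      10 mail.mydomain.se.

;; AUTHORITY SECTION:
mydomain.se.            604800  IN      NS      mail.mydomain.se.

;; ADDITIONAL SECTION:
mail.mydomain.se.       604800  IN      A       10.0.1.100

;; Query time: 2 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun  8 19:56:37 2010
;; MSG SIZE  rcvd: 85
"""


def parse_dig(text):
    """Return status, header flags, answering server and the records per section."""
    result = {"status": None, "flags": set(), "server": None, "sections": {}}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = line.split("flags:", 1)[1].split(";", 1)[0]
            result["flags"] = set(flags.split())
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split("SERVER:", 1)[1].split("#", 1)[0].strip()
        elif line.endswith("SECTION:"):
            section = line.strip(";: ").split()[0]      # QUESTION / ANSWER / ...
            result["sections"][section] = []
        elif section and line and not line.startswith(";"):
            owner, ttl, _rclass, rtype, *rdata = line.split()
            result["sections"][section].append(
                {"owner": owner.rstrip("."), "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return result


def check_split_dns(parsed, domain, local_ns, lan_ip):
    """List what the dig output fails to prove about the split-DNS setup."""
    problems = []
    if parsed["status"] != "NOERROR":
        problems.append(f"query failed with status {parsed['status']}")
    if parsed["server"] != local_ns:
        problems.append(f"answer came from {parsed['server']}, not the local resolver {local_ns}")
    if "aa" not in parsed["flags"]:
        problems.append("answer is not authoritative (no 'aa' flag): the local BIND "
                        "forwarded the query instead of serving its own zone")
    mx = [r for r in parsed["sections"].get("ANSWER", [])
          if r["type"] == "MX" and r["owner"] == domain]
    if not mx:
        problems.append(f"no MX record for {domain} in the answer")
        return problems
    addrs = {r["owner"]: r["rdata"][0]
             for r in parsed["sections"].get("ADDITIONAL", []) if r["type"] == "A"}
    for r in mx:
        target = r["rdata"][-1].rstrip(".")
        if addrs.get(target) != lan_ip:
            problems.append(f"MX target {target} resolves to {addrs.get(target)} "
                            f"rather than the LAN address {lan_ip}")
    return problems


if __name__ == "__main__":
    parsed = parse_dig(DIG_OUTPUT)
    print("flags:", sorted(parsed["flags"]), "server:", parsed["server"])
    print("problems:", check_split_dns(parsed, "mydomain.se", "10.0.1.100", "10.0.1.100") or "none")
```

The same parser works on the "dig mydomain.se any" output; the useful habit is to run the query once from inside the LAN and once through an external resolver and compare the two: the internal answer should carry the LAN address and the "aa" flag, the external one the public address.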
I know that I've probably covered many basic things, which are not Zimbra specific. Nonetheless, I hope that my systematic approach will help others in the community and also let me learn whether I am doing things correctly.
-------------------------------------------------
3. Zimbra Install & Configuration
Coming as soon as I've hammered out the issues in sections 1 and 2 above!