Training on Zimbra at Dodla Dairy by GBB

Table of Contents

1 Zimbra

1.1 Server administration

1.1.1 Installing Zimbra

To understand Zimbra installation refer:

There is also older article on Zimbra installation at:

The older article also has information on:

  1. Relaying mails through other MTA
  2. Stopping and starting zimbra
  3. Changing Zimbra http port

1.1.2 Purpose of various Zimbra components

Various components that make up Zimbra installation are Core, LDAP, Logger, MTA, etc. Components and description are available at

Almost all components are required. Not installing anything mentioned as optional also breaks various things.

1.1.3 Web based admin portal

A web based administration portal is available by default at https://<zimbra-fqdn>:7071/ Only admin user can login on this portal to manage the server.

Web portal has following menu options

It is used for monitoring server status
Server Status
Shows status of various services (Running, Stopped, etc.)
There are many statistics related to email sent/received and also related to anti-virus/anti-spam plugins
Mail Queues (IMP)
There is option of looking at and managing mail queues. We can re-queue deferred emails, remove deferred email from queue, hold emails in active queue, etc. using this option.


This allows management of accounts, aliases, distribution lists and resources. For information on resources refer
This is the main configuration menu option for Zimbra web based admin management interface.
Class of Service
Class of service defines which features, themes, settings, etc. will be available to a user. Class of service is quite similar to roles for assigning permissions used in other tools/software.


Email domains that are managed by this Zimbra server and their settings
Servers that are part of Zimbra setup. A single server setup is enough for requirements.
Global settings
Smart host, blocked extension types etc. settings
Zimlets and Admin extensions
Extensions for users (Eg Chat, Emoticons) and administration (Eg View Mail)
For domain certificate management
Tools and Migration
Various tools including migration tools for migrating from other email servers (Eg Lotus) to Zimbra


1.1.4 SSH as root or zimbra user

Many times administration cannot be done graphically. In such cases SSH to Zimbra server is required. SSH can be done using clients such as putty, if using Windows. SSH can be done as root user. After login get access to Zimbra user shell using:

su - zimbra

Both root shell and zimbra shell are important. A few operations require root access (esp. once not related to Zimbra such as server reboot). Zimbra shell access is required for many zimbra command line options such as restarting entire set of zimbra services

zmcontrol restart

or checking status of all zimbra services

zmcontrol status

In many cases GUI uses similar API/commands to obtain information and display. Very often command-line is more accurate, more detailed and has many features which are not available in graphical administration. Hence, comfort with command-line for advanced operations and automation is necessary.

1.2 Securing access to Zimbra

1.2.1 SSH and 7071 accessible only for internal users

  1. Use firewalld and configure fail2ban. Note that fail2ban depends on firewalld, so disabling firewalld is not an option.


  2. Ideally, only key based access should be allowed. This removes any scope of successful bruteforce dictionary attack on public SSH servers.

1.2.2 Configure recognized SSL certificates

1.2.3 Zimbra policyd configuration

For newer versions of Zimbra policyd can be configured as described at

Refer for understanding older version configuration and also on how to use policyd for desired policy outcomes.

1.2.4 Sender Policy

Ensure that emails are sent from same username / email ID with which login was done


1.2.5 Configure logwatch

It makes sense to configure logwatch using

yum -y install logwatch

Additionally, logwatch should be configured to use sendmail which is part of Zimbra using:

1.3 Email related concepts

1.3.1 DNS is must /etc/hosts wont do

  • Emails work based on DNS records. Even in a lab environment for working with email servers we need DNS. We cannot setup test environments based on /etc/hosts etc. the way it is possible for other services (Eg Web)
  • DNS is required and used both for sending and receiving emails. While sending DNS is queried for MX records of destination email server. Similarly while receiving our DNS would be queried for our MX records to determine email servers for the domain
  • Try
    dig -t MX
    dig -t A

    Note that MX records are used and not A records

1.3.3 Email ports and SMTP protocol example

Email services use following ports described at

Thus, emails are often exchanged between two email servers without encryption or authentication using SMTP protocol.

Note that anyone can send email from any ID with any headers (Eg Date/Time) as desired. Learn to use view source or show original to see email headers.


1.3.4 SPAM is not exact science

  • IP and domain reputation
    On IP and domain reputation note that:
    1. We cannot do much about ISP IP reputation
    2. Broadband providers who provide broadband to home users are likely to have bad reputation compared to ISPs provided leased lines to offices.
    3. Domain reputation requires domain to old, recognized, not compromised recently, etc.

    To some extent IP reputation can be solved by using Smarthost. For this we can buy SMTP gateway services from various email providers, eg netcore. We can always setup our own SMTP gateway at a better reputation IP at AWS or Azure.

  • Email content based learning and training
    There are special email addresses in Zimbra
    • SPAM
    • HAM
    • Quarantine

    Each user can participate in training Zimbra to improve Zimbra filtering

1.4 Troubleshooting

Example issues can be seen at

Older articles are available at

For other issues use below suggested methods.

1.4.1 Look at log file

Look at Zimbra logs at two locations

  • /var/log/maillog file
  • /opt/zimbra/log folder
  • /var/log/zimbra.log file

for understanding reason for particular failure

1.4.2 Restart zimbra service or zimbra server

If there is no proper error message or log then restarting zimbra service:

zmcontrol restart  #As zimbra user

or entire zimbra server as root user might help.

1.4.3 Take latest backup and restore older working copy

As a final resort if logs are not helpful and server restart is also not solving the problem, then restoring an older working copy from backup might resolve the problem. This should be done as a last resort only. This is not part of regular day-to-day troubleshooting steps.

1.7 High availability

1.7.1 Commercial edition HA at application level

There is high availability feature available in paid professional and standard editions. Refer to understand difference between Zimbra editions.

In our experience Open Source Edition (OSE) is sufficient for most of the requirements. Hence, we are not getting into details of commercial edition HA for now.

Also refer:

1.7.2 Zimbra live-sync or custom scripts for community edition

1.7.3 Hypervisor level HA

This can be using vSphere HA or Hyper-V HA

1.7.4 OS level fault tolerance (DRBD, RAID, LACP, clustering, etc.)

Various OS clustering and fault-tolerant techniques

2 Windows 10 hardening and performance improvement

Very good resource on Windows 10 hardening is available at

2.1 Dont spend time hardening system if it is already compromised

If system is already compromised, dont try to harden it. The best option is to take data (not application) backup and format the system. All infected partitions including D: might have to be formatted to clean the infection.

2.2 WSUS Offline update

Any new Windows installation is vulnerable as many latest patches are developed after Windows installation was prepared. These patches are released after Windows installation was prepared and are not part of installation DVD. To get these packages systems are often connected to Internet to get these updates. This has two issues:

  1. System is vulnerable while patches are getting downloaded and installed.
  2. If the number of systems in large then considerable Internet bandwidth is getting used in re-downloading same patches for different systems.

A utility for updating windows offline is available at This utility can help in preparing a offline update DVD. Using such offline update DVD, systems can be patched before they are connected to Internet.

2.3 Gold images hardened and unhardened

At various stages of hardening such as initial unhardened system can be imaged for future reference or restoring purposes. If during hardening system breaks, we can revert to previous stable image and continue hardening using different techniques.

In case of VMs the image can be created as snapshot or templates. In case of physical systems consider using free edition of

If there is expertise in Linux then live boot using system rescue CD, followed by imaging disk using Linux dd command can also be considered. Refer

If there is need to clone from one Gold system to many others refer

2.4 Install antivirus

Windows 10 comes with Windows Defender anti-virus. If some other anti-virus is desired then even that can be considered. It is useful to have anti-virus as it can scan files obtained from media (USB, CD/DVD, etc.) or downloaded from Internet. It is also possible to receive files using protocols such as Windows File Sharing, SMTP (Email attachments), etc.

2.5 Create a standard user account

In Linux it is rare to login directly as root on workstations. Most work is done using normal user account. Privilege escalation is used when administrative access is required for thing such as:

  • Modifying critical system settings, files, partitions, etc.
  • Starting important network service on ports < 1024
  • Installing software or drivers to be available to all users
  • Update date/time or ntp settings
  • Join or leave AD domain

The same is recommended for Windows. All work should be done from standard non-administrator user. Login as administrator only when required.

2.6 Install experimental software on test machine or on VMs

It is unwise to install unknown software or software which is required for one-time use directly on important end-user machine. Such software should be installed on test machine or on VMs. After work is done test machine can be restored to original image or VM can be restored to previous snapshot.

Many remote access software such as anydesk or teamviewer can also be run from inside the VM. This way only VM is accessible from reverse anydesk or teamviewer and not the real admin station.

2.7 Turn UAC to the max

It is irritating to get notifications for approval initially but they are helpful in maintaining a secure system. Go to Control Panel -> All Control Panel Items -> User Accounts -> Change User Account Control Settings and move slider up to make system more secure.

2.8 Choose network as public instead of work/home unless necessary

Using network as work/home is useful only when file sharing, joining domain, etc. are desired. If these are not desired, then choosing public for a network gives it most secure defaults.

2.9 Additional steps from hardening link

Additional steps from the reference hardening link such as:

Use only Bare Essential Network protocols
Disable IPv6, File and printer sharing, Microsoft LLDP Protocol Driver, etc.
Disable IPV6 Totally
If IPv6 is not supported by ISP and not used within home/office internally, then disabling it makes system more secure from 6to4 tunneling.
Disable unused Networking Devices
Disable unused networking devices such as remote desktop redirection bus and kernel debug network adapter
Disable IGMP
Disable group protocols unless multicast protocols and support are required.
Disable port 1900 UPnP
It is not advisable to have UPnP so that all firewall rules are manual
Disable SMB v1 protocol
Disable old vulnerable protocols
Disabling Listening Ports
Look at netstat -abn output and disable services which are not required. As such firewall should provide protection against unauthorized connection to these services, but there is no point having service, if it is not required at all.
Network firewall
Apart from host level firewall, considering having a network firewall (hardware or software - such as pfsense).
Windows Advanced Firewall, turn on outbound blocking and logging
Most firewalls are configured to block only incoming connections while allowing all outgoing traffic. This is definitely bad.

However, use this with caution. Many systems such as anti-virus, OS, anti-spam, etc. talk to central servers for updates, signatures, patches. Disabling outgoing access by default might break many of these software.

Many more
Many more such useful advise from the reference link.

3 File sharing

3.1 FTP or FTPS

FTP protocol was not designed to traverse firewalls. By default FTP used one port 21 for control and other port 20 for data. Further, ftp assumes both server and client to be on same network without any NAT in between as data transfer requires server to connect to client on port 20 and not other way round.

Thus, passive FTP was invented to solve this issues. However, in this case server sends a port number from a range of port numbers to client for connecting. This port range is typically in insecure 1024-65535 range. For ftp server to work this port range has to be allowed in firewall. This is an issue as any unprivileged process can listen on these ports and act as backdoor for server.

Hence, ideally both FTP and FTPS (FTP over SSL) should be avoided and more secure and more modern protocols discussed later should be preferred.


3.2 SFTP

Any Linux machine with SSH should provide SFTP subsystem support. If the goal of file sharing server is to give individuals private data storage space on server without any sharing between users then SFTP is a easy to setup choice. Setting up a Linux server with Linux users makes it a file sharing utility.

To secure it further consider editing /etc/ssh/sshdconfig using:

Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

then add sftp only users to 'sftponly' group. These users will only be able to connect over sftp and chrooted to home folder. They will not be able to access anything outside home folder.

Note that this breaks rsync as users home folder is not a fully functional chroot environment with /dev/null, /dev/zero, /etc/passwd, etc. required files.

Note that this requires doing

  1. chown root:root /home/user1
  2. chmod 755 /home/user1
  3. mkdir /home/user1/files
  4. chown user1:user1 /home/user1/files
  5. chmod 700 /home/user1/files

so that sftp chroot directory is owned by root user while accessible by user. At the same time there is a directory which can be read/written only by the user.

Ideally only key based access should be allowed. Do not use password based access.

Demo user sftp


3.3 Samba or NFS

Other way of sharing files is by a more involved Samba or NFS setup. Samba plays well with Windows clients and supports authentication. It also allows many users to access same set of shared files/folders for read/write. Even printer sharing is allowed.

NFS is easier to configure and allows access based on client IP. We cannot configure authentication for NFS. It is easier to use NFS in Linux environments.


4 LAN and WAN monitoring and performance improvement

4.1 LAN monitoring

For LAN monitoring consider using:

It can be used for monitoring uptime, service status.
It can be used for monitoring CPU, bandwidth used for each port. This works for both hosts and network devices using SNMP.
It can also monitor traps sent by network devices such as port up/down information, configuration change, admin login, etc.


Once we have details of current status and usage, we can optimize by mechanisms such as upgrading switch, upgrading firmware, configuring or using port or link-aggregation, etc.

4.2 WAN monitoring

For WAN if we can setup firewall and monitor WAN usage based on parameters such as source IP, source user, destination domain, domain category, application traffic - http, dns, etc. This is easier to do using commercial sonicwall analyzer, fortilyzer, etc. But if required pfsense with ntop can also provide reasonably good information. Once it is learned which protocols or users or applications are using undesired amount of bandwidth, we can either block them or rate limit their usage.

5 Cpanel administration, sample website hosting and management.

Cpanel setup information is available at The setup process is basically downloading a perl setup script which automates most of the setup process. After setup is complete web login can be done on https://<ip>:2087/

On login it is realized that license is compulsory for using CPanel. Related message on web portal is:

Trial License:
This copy of cPanel & WHM is for trial use and will expire at the end of the trial period. Upgrade to a paid copy of cPanel & WHM to use the software after that period.

Due to forced requirement of commercial licensing, we are not looking into it in-depth as part of open-source initiatives for now.

Date: 2019-02-10 Sun

Author: Saurabh Barjatiya

Org version 7.9.3f with Emacs version 24

Validate XHTML 1.0