after the hard disk filled up, clamav would no longer start:
LibClamAV Error: Can't load /opt/zimbra/data/clamav/db//main.cvd: Can't verify database integrity
ERROR: Can't verify database integrity
To fix the problem, rename the signature files to force clamav to download them again
cd /opt/zimbra/data/clamav/db
mv main.cvd main.cvd.bak
mv main.cld main.cld.bak
mv daily.cvd daily.cvd.bak
mv daily.cld daily.cld.bak
then
zmclamdctl start
check that everything is OK
zmcontrol status
fail2ban on Ubuntu 18.04
sudo apt-get install fail2ban
then create a file /etc/fail2ban/jail.local
and enable some of the jails that are already provided:
[apache-badbots]
enabled = true
[apache-auth]
enabled = true
[apache-noscript]
enabled = true
[apache-botsearch]
enabled = true
[sshd]
enabled = false
sudo fail2ban-client status
on ZIMBRA, create a dedicated filter:
/etc/fail2ban/filter.d/zimbra-submission.conf
[Definition]
# Failed SASL logins on the submission and smtps services
failregex = postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
            postfix\/smtps\/smtpd\[\d+\]: warning: .*\[<HOST>\]: SASL \w+ authentication failed: authentication failure$
ignoreregex =
and another one, zimbra.conf
[Definition]
failregex = \[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$
            \[ip=<HOST>;\] security - cmd=Auth; .* error=authentication failed for .*, invalid password;$
            ;oip=<HOST>;.* security - cmd=Auth; .* protocol=soap; error=authentication failed for .* invalid password;$
            \[oip=<HOST>;.* SoapEngine - handler exception: authentication failed for .*, account not found$
            WARN .*;ip=<HOST>;ua=ZimbraWebClient .* security - cmd=AdminAuth; .* error=authentication failed for .*;$
            NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: Recipient address rejected:
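An offline check of these filters, added here as an example and not part of the original notes: it runs three of the failregex lines over constructed log lines and shows that the same pattern without the bracket escapes matches nothing. The `HOST` stand-in (IPv4 only), the sample lines and the function name are assumptions made for the example.

```python
import re

# Assumption: IPv4-only stand-in for fail2ban's <HOST> tag; the real tag also
# accepts IPv6 addresses and hostnames.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Three of the failregex lines, brackets escaped and wildcards written as ".*".
FAILREGEX = [
    r"postfix\/submission\/smtpd\[\d+\]: warning: .*\[<HOST>\]: "
    r"SASL \w+ authentication failed: authentication failure$",
    r"\[ip=<HOST>;\] account - authentication failed for .* \(no such account\)$",
    r"NOQUEUE: reject: RCPT from .*\[<HOST>\]: 550 5.1.1 .*: "
    r"Recipient address rejected:",
]

# First pattern with the escapes dropped: "[\d+]" is now a character class.
UNESCAPED = [
    r"postfix\/submission\/smtpd[\d+]: warning: .*[<HOST>]: "
    r"SASL \w+ authentication failed: authentication failure$",
]

# Constructed log lines using documentation addresses, not real server output.
SAMPLE_LOG = [
    "Oct  3 10:15:02 mail postfix/submission/smtpd[12345]: warning: "
    "unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "2020-10-03 10:16:40,512 INFO  [ip=198.51.100.23;] account - "
    "authentication failed for bob@example.com (no such account)",
    "Oct  3 10:17:11 mail postfix/smtpd[12399]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.7]: 550 5.1.1 <x@example.com>: Recipient address rejected: "
    "User unknown",
    "Oct  3 10:18:00 mail postfix/submission/smtpd[12401]: connect from "
    "unknown[192.0.2.50]",
]


def failures_per_host(lines, patterns):
    """Count matching lines per source address, the figure maxretry is compared to."""
    compiled = [re.compile(p.replace("<HOST>", HOST)) for p in patterns]
    counts = {}
    for line in lines:
        match = next((m for m in (rx.search(line) for rx in compiled) if m), None)
        if match:
            host = match.groupdict().get("host", "?")
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    print("escaped:  ", failures_per_host(SAMPLE_LOG, FAILREGEX))
    print("unescaped:", failures_per_host(SAMPLE_LOG, UNESCAPED))
```

On the server itself, `fail2ban-regex <logfile> <filter file>` runs the real filter against the real log.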
then in jail.conf
[zimbra-account]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-account]
         sendmail[name=zimbra-account, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/mailbox.log
bantime = 600
maxretry = 5
[zimbra-audit]
enabled = true
filter = zimbra
action = iptables-allports[name=zimbra-audit]
         sendmail[name=Zimbra-audit, dest=loic@lobass.fr]
logpath = /opt/zimbra/log/audit.log
bantime = 600
maxretry = 5
[zimbra-recipient]
enabled = true
filter = zimbra-submission
action = iptables-allports[name=zimbra-recipient]
         sendmail[name=Zimbra-recipient, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
jail for postfix since postfix performs Zimbra mail transfer
[postfix]
enabled = true
filter = postfix
action = iptables-multiport[name=postfix, port=smtp, protocol=tcp]
         sendmail-buffered[name=Postfix, dest=loic@lobass.fr]
logpath = /var/log/zimbra.log
bantime = 172800
maxretry = 5
I modified the file /etc/fail2ban/action.d/sendmail.conf
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n
            Regards,\n
            Fail2Ban" | /opt/zimbra/postfix/sbin/sendmail -f <sender> <dest>
And it works:
fail2ban-client status zimbra-recipient
Status for the jail: zimbra-recipient
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 5
|  `- File list: /var/log/zimbra.log
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 212.70.149.69
This is caused by the SSL certificate, which is out of order:
zimbra@zimbra:~$ /opt/zimbra/bin/zmcertmgr viewdeployedcrt
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
issuer= /O=CA/OU=Zimbra Collaboration Server/CN=zimbra.xxx
SubjectAltName=zimbra.xxx
- mailboxd: /opt/zimbra/mailboxd/etc/mailboxd.pem
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
issuer= /O=CA/OU=Zimbra Collaboration Server/CN=zimbra.xxx
SubjectAltName=zimbra.xxx
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
issuer= /O=CA/OU=Zimbra Collaboration Server/CN=zimbra.xxx
SubjectAltName=zimbra.xxx
- proxy: /opt/zimbra/conf/nginx.crt
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
issuer= /O=CA/OU=Zimbra Collaboration Server/CN=zimbra.xxx
SubjectAltName=zimbra.xxx
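To catch this before the services break, the listing above can be parsed and each notAfter date compared with the current time. This is an added example, not part of the original notes; the function names are hypothetical and the parser assumes the "- service: path" layout shown above, which other zmcertmgr versions may not use.

```python
import re
from datetime import datetime, timezone

# Listing in the layout shown above, shortened to two services (values copied
# from the page; assumption: other zmcertmgr versions may print it differently).
SAMPLE = """\
- ldap: /opt/zimbra/conf/slapd.crt
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
- mta: /opt/zimbra/conf/smtpd.crt
notBefore=Nov 24 21:41:40 2016 GMT
notAfter=Nov 24 21:41:40 2017 GMT
subject= /OU=Zimbra Collaboration Server/CN=zimbra.xxx
"""

HEADER = re.compile(r"^-\s*(?P<service>\w+):\s*(?P<path>\S+)\s*$")
FIELD = re.compile(r"^(?P<key>notBefore|notAfter)=(?P<value>.+?)\s*$")


def parse_deployed(text):
    """Return {service: {"path", "notBefore", "notAfter"}} from the listing."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            current = certs.setdefault(m["service"], {"path": m["path"]})
        elif current is not None and (m := FIELD.match(line)):
            stamp = datetime.strptime(m["value"], "%b %d %H:%M:%S %Y GMT")
            current[m["key"]] = stamp.replace(tzinfo=timezone.utc)
    return certs


def days_left(certs, now):
    """Days until notAfter per service; a negative value means already expired."""
    return {svc: (c["notAfter"] - now).days
            for svc, c in certs.items() if "notAfter" in c}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for svc, left in sorted(days_left(parse_deployed(SAMPLE), now).items()):
        print(f"{svc}: {'EXPIRED' if left < 0 else 'ok'} ({left} days)")
```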
here is the procedure to regenerate it:
https://wiki.zimbra....rtificate_Tools
https://wiki.zimbra....-_Single-Server
Single-Node Self-Signed Certificate
Begin by generating a new Certificate Authority (CA).
/opt/zimbra/bin/zmcertmgr createca -new
Then generate a certificate signed by the CA that expires in 1825 days.
/opt/zimbra/bin/zmcertmgr createcrt -new -days 1825
Next deploy the certificate.
/opt/zimbra/bin/zmcertmgr deploycrt self
Next deploy the CA.
/opt/zimbra/bin/zmcertmgr deployca
From ZCS 8.5 onwards, this attribute is now in LDAP: zimbraMtaLmtpHostLookup
zmprov ms mtaserver.com zimbraMtaLmtpHostLookup native
If you are using a single server, always be aware of the Global Config as well:
zmprov mcf zimbraMtaLmtpHostLookup native
Once this is done, you'll need to restart the mta:
zmmtactl restart
links to download ZIMBRA
14.04 :
https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.UBUNTU14_64.20170531151956.tgz
16.04 :
https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.UBUNTU16_64.20170531151956.tgz
18.04:
https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.UBUNTU18_64.20190918004220.tgz
su - zimbra
zmproxyctl stop
zmmailboxdctl stop
To test:
letsencrypt-auto renew
as root:
./letsencrypt-auto certonly --standalone -d jupiter.lobass.fr
Append the X3 chain to chain.pem:
vi /etc/letsencrypt/live/jupiter.lobass.fr/chain.pem
cp /etc/letsencrypt/live/jupiter.lobass.fr/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*
su - zimbra
[zimbra@jupiter ~]$ cd /opt/zimbra/ssl/letsencrypt/
[zimbra@jupiter letsencrypt]$ /opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem
Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK
cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
cp: overwrite `/opt/zimbra/ssl/zimbra/commercial/commercial.key'? y
Then deploy the certificate:
/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem
zmcontrol restart
install this plugin:
https://addons.mozilla.org/fr/thunderbird/addon/cardbook/
then declare the remote account
to install them together
Test of the chat solution: OK, it works, but Trial version only
installation without any problem:
./install.sh all
Uninstallation likewise:
./install.sh -u all
instant messaging