Zimbra Email Management

Table of Contents

  1. Introduction to Email Systems
  2. What is Zimbra?
  3. Understanding Email Basics
  4. Zimbra Installation and Setup
  5. Basic Zimbra Administration
  6. User Management
  7. Domain Management
  8. Email Security Concepts
  9. DKIM Configuration
  10. Email Queue Management
  11. PolicyD and Rate Limiting
  12. Common Troubleshooting
  13. Performance Monitoring
  14. Backup and Recovery
  15. Advanced Configuration

Introduction to Email Systems

What is Email?

Email (Electronic Mail) is a method of exchanging digital messages between people using electronic devices. Think of it like traditional postal mail, but instead of physical letters, we send digital messages through the internet.

How Email Works - Simple Explanation

Imagine you want to send a letter to your friend:

  1. Traditional Mail: You write a letter → Put it in an envelope → Post it → Postman delivers it → Friend receives it
  2. Email: You type a message → Click send → Email server processes it → Friend's email server receives it → Friend sees it in their inbox

Key Components of Email System

  • Email Client: The application you use to read/write emails (like Gmail app, Outlook)
  • Email Server: The computer that handles sending and receiving emails
  • SMTP: The protocol (set of rules) for sending emails
  • IMAP/POP3: Protocols for receiving emails
  • DNS: Like a phone book that helps find email servers

What is Zimbra?

Overview

Zimbra is an open-source email and collaboration platform. Think of it as a complete office suite that includes:

  • Email service
  • Calendar
  • Contacts
  • File sharing
  • Instant messaging
  • Video conferencing

Why Choose Zimbra?

Advantages:

  • Cost-effective: Open source means no licence fees
  • Feature-rich: Includes email, calendar, contacts in one platform
  • Customisable: You can modify it according to your needs
  • Scalable: Works for small businesses to large enterprises
  • Web-based: Access from anywhere with internet

Use Cases:

  • Small to medium businesses
  • Educational institutions
  • Government organisations
  • Service providers offering email hosting

Understanding Email Basics

Email Addresses Structure

An email address has two parts separated by the @ symbol:

username@domain.com
   ↑         ↑
 Local     Domain
 Part       Part

Example: john.doe@company.com

  • john.doe = username (local part)
  • company.com = domain name

Email Protocols Explained

SMTP (Simple Mail Transfer Protocol)

  • Purpose: Sending emails
  • Port: 25, 587, or 465
  • Analogy: Like a postman who picks up and delivers letters

IMAP (Internet Message Access Protocol)

  • Purpose: Receiving emails (keeps emails on server)
  • Port: 143 or 993 (secure)
  • Analogy: Like keeping letters in a post office box that you can access from anywhere

POP3 (Post Office Protocol 3)

  • Purpose: Receiving emails (downloads to device)
  • Port: 110 or 995 (secure)
  • Analogy: Like collecting letters from the post office and taking them home

DNS Records for Email

MX Record (Mail Exchange)

  • Points to the email server for your domain
  • Example: company.com MX 10 mail.company.com

A Record

  • Points domain to IP address
  • Example: mail.company.com A 192.168.1.100

Zimbra Installation and Setup

System Requirements

Minimum Requirements:

  • RAM: 8 GB (16 GB recommended)
  • Storage: 100 GB (SSD preferred)
  • CPU: 2 cores (4 cores recommended)
  • Operating System: Ubuntu 18.04+ or CentOS 7+

Pre-installation Checklist

  1. Domain Setup: Ensure you own a domain (e.g., company.com)
  2. DNS Configuration: Set up MX and A records
  3. Server Access: SSH access to your server
  4. Static IP: Your server should have a fixed IP address

Installation Steps (Ubuntu)

Step 1: Update System

sudo apt update && sudo apt upgrade -y
sudo reboot

Step 2: Set Hostname

sudo hostnamectl set-hostname mail.company.com
echo "192.168.1.100 mail.company.com" | sudo tee -a /etc/hosts

Step 3: Download Zimbra

cd /tmp
wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_3869.UBUNTU18_64.20190918004220.tgz
tar -xzf zcs-8.8.15_GA_3869.UBUNTU18_64.20190918004220.tgz

Step 4: Install Dependencies

sudo apt install -y dnsmasq-base libaio1 libstdc++6 perl-modules

Step 5: Run Installation

cd zcs-*
sudo ./install.sh

Installation Configuration

During installation, you'll be asked several questions:

  1. Select packages: Choose all (default)
  2. Domain name: Enter your domain (e.g., company.com)
  3. Admin password: Create a strong password
  4. LDAP password: Create another strong password
  5. Timezone: Select your timezone

Basic Zimbra Administration

Accessing Admin Console

  1. Open web browser
  2. Go to: https://mail.company.com:7071
  3. Login with: admin@company.com and your admin password

Admin Console Overview

The admin console has several sections:

Home

  • Dashboard showing system status
  • Recent activities
  • Alerts and warnings

Manage

  • Accounts: Create and manage user accounts
  • Distribution Lists: Manage email groups
  • Resources: Meeting rooms, equipment

Configure

  • Global Settings: System-wide configurations
  • Domains: Domain management
  • Class of Service: User permission templates

Monitor

  • Server Status: Check if services are running
  • Statistics: Email traffic, storage usage
  • Message Queue: Pending emails

Basic Service Management

Checking Service Status

su - zimbra
zmcontrol status

Starting/Stopping Services

# Stop all services
zmcontrol stop

# Start all services
zmcontrol start

# Restart specific service
zmmailboxdctl restart

Common Zimbra Services

  • mailboxd: Main mail service
  • ldap: Directory service for user accounts
  • mta: Mail transfer agent (Postfix)
  • antispam: Spam filtering service
  • antivirus: Virus scanning service

User Management

Creating User Accounts

Via Admin Console

  1. Go to Manage → Accounts
  2. Click New
  3. Fill in details:
    • Account name: user@company.com
    • First/Last name: User's full name
    • Password: Initial password
  4. Click Finish

Via Command Line

su - zimbra
zmprov createAccount john.doe@company.com "TempPassword123" \
displayName "John Doe" \
givenName "John" \
sn "Doe"

Account Attributes

Basic Attributes

  • Display Name: How name appears in emails
  • Email Aliases: Alternative email addresses
  • Account Status: Active, Maintenance, Locked, Closed

Quota Management

# Set mailbox quota to 2GB
zmprov modifyAccount john.doe@company.com zimbraMailQuota 2147483648

# Check quota usage
zmprov getAccount john.doe@company.com zimbraMailQuota zimbraMailQuotaUsed

Bulk User Creation

Create a CSV file with user details:

email,password,firstName,lastName,displayName
john.doe@company.com,Pass123,John,Doe,John Doe
jane.smith@company.com,Pass456,Jane,Smith,Jane Smith

Script to create users:

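#!/bin/bash
# Create one account per CSV row (run as root).
# tail -n +2 skips the header line of users.csv.
tail -n +2 users.csv | while IFS=, read -r email password firstName lastName displayName; do
  # printf %q shell-quotes every field, so quotes or $ in the CSV cannot
  # break out of the command string passed to su (zimbra's shell is bash)
  cmd=$(printf 'zmprov createAccount %q %q givenName %q sn %q displayName %q' \
    "$email" "$password" "$firstName" "$lastName" "$displayName")
  # </dev/null keeps su from swallowing the remaining CSV rows
  su - zimbra -c "$cmd" < /dev/null
done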

Distribution Lists

Distribution lists allow sending emails to multiple users at once.

Creating Distribution List

su - zimbra
zmprov createDistributionList all-staff@company.com

# Add members
zmprov addDistributionListMember all-staff@company.com john.doe@company.com
zmprov addDistributionListMember all-staff@company.com jane.smith@company.com

Domain Management

Adding New Domain

Prerequisites

  1. Own the domain
  2. DNS records properly configured
  3. MX record pointing to your Zimbra server

Via Admin Console

  1. Go to Configure → Domains
  2. Click New
  3. Enter domain name: newdomain.com
  4. Configure settings as needed
  5. Click Finish

Via Command Line

su - zimbra
zmprov createDomain newdomain.com

Domain Settings

Authentication

  • Internal: Users authenticate against Zimbra's LDAP
  • External: Authenticate against external system (Active Directory)

Global Address List

Controls which addresses are visible in the company directory.

Virtual Hosting

Zimbra supports multiple domains on one server:

  • company1.com
  • company2.org
  • school.edu

Each domain can have separate:

  • User accounts
  • Policies
  • Themes
  • Features

Email Security Concepts

Authentication Methods

SPF (Sender Policy Framework)

Prevents email spoofing by specifying which servers can send email for your domain.

DNS Record Example:

company.com TXT "v=spf1 mx ip4:192.168.1.100 ~all"

Explanation:

  • v=spf1: SPF version 1
  • mx: Mail servers listed in MX records can send
  • ip4:192.168.1.100: This IP address can send
  • ~all: Soft fail for other sources

DMARC (Domain-based Message Authentication, Reporting and Conformance)

Builds on SPF and DKIM to prevent email spoofing.

DNS Record Example:

_dmarc.company.com TXT "v=DMARC1; p=quarantine; ruf=mailto:dmarc@company.com"

SSL/TLS Configuration

Generating SSL Certificate

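# For a CA-issued certificate such as Let's Encrypt (free certificate).
# zmcertmgr reads the private key from /opt/zimbra/ssl/zimbra/commercial/commercial.key
su - zimbra
cp /path/to/private-key /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr verifycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.key /path/to/certificate /path/to/ca-chain
/opt/zimbra/bin/zmcertmgr deploycrt comm /path/to/certificate /path/to/ca-chain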

Forcing HTTPS

zmprov modifyConfig zimbraMailMode https
zmprov modifyConfig zimbraAdminConsolePort 7071
zmprov modifyConfig zimbraAdminConsoleScheme https

DKIM Configuration

What is DKIM?

DKIM (DomainKeys Identified Mail) is like a digital signature for emails. It proves that an email actually came from your domain and wasn't modified during transmission.

How DKIM Works

  1. Your server creates a digital signature for outgoing emails
  2. The signature is added to the email header
  3. Receiving server checks the signature against your DNS record
  4. If it matches, the email is considered authentic

Enabling DKIM in Zimbra

Step 1: Enable DKIM

su - zimbra
zmprov modifyDomain company.com zimbraDKIMEnabled TRUE

Step 2: Generate DKIM Key

/opt/zimbra/libexec/zmdkimkeyutil -a -d company.com

Step 3: Get Public Key for DNS

/opt/zimbra/libexec/zmdkimkeyutil -q -d company.com

This will output something like:

20161101._domainkey.company.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."

Step 4: Add DNS Record

Add the TXT record to your DNS:

  • Name: 20161101._domainkey.company.com
  • Type: TXT
  • Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

Step 5: Test DKIM

# Send a test email and check headers
echo "Test email" | mail -s "DKIM Test" test@gmail.com
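
To go with Step 5 and the SPF and DMARC records earlier in this guide, the following added example (not part of the original guide or of Zimbra) lints the two TXT records and checks a received test message: it derives the DNS name the DKIM signature points at, compares it with the record printed by zmdkimkeyutil -q, and reads the receiver's verdict. Function names are hypothetical and the message headers are constructed.

```shell
#!/bin/sh
# Added example: offline checks for the SPF, DMARC and DKIM settings in this guide.
# Function names are hypothetical; MSG is a constructed test message.

# tag_value LIST TAG: value of TAG in a "k=v; k=v" list (DMARC record, DKIM-Signature)
tag_value() {
    printf '%s\n' "$1" | awk -v want="$2" '{
        n = split($0, parts, ";")
        for (i = 1; i <= n; i++) {
            p = parts[i]; gsub(/[ \t]/, "", p)        # drop padding and folding
            eq = index(p, "=")
            if (eq && tolower(substr(p, 1, eq - 1)) == want) { print substr(p, eq + 1); exit }
        }
    }'
}

# spf_all RECORD: result the record assigns to senders it does not list
spf_all() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            t = tolower($i)
            if (t == "-all") r = "fail"
            else if (t == "~all") r = "softfail"
            else if (t == "?all") r = "neutral"
            else if (t == "all" || t == "+all") r = "pass"
        }
    } END { print (r == "" ? "missing" : r) }'
}

# header_value MESSAGE NAME: first NAME header with folded lines joined
header_value() {
    printf '%s\n' "$1" | awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z'):" '
        { sub(/\r$/, "") }
        /^$/ { exit }                                    # end of the header block
        /^[ \t]/ { if (on) val = val " " $0; next }      # folded continuation line
        on { exit }                                      # next header starts: done
        index(tolower($0), name) == 1 { on = 1; val = substr($0, length(name) + 1) }
        END { if (on) print val }'
}

# dkim_dns_name MESSAGE: DNS name a verifier looks up for the signing key
dkim_dns_name() {
    sig=$(header_value "$1" DKIM-Signature)
    s=$(tag_value "$sig" s); d=$(tag_value "$sig" d)
    [ -n "$s" ] && [ -n "$d" ] || return 1
    printf '%s._domainkey.%s\n' "$s" "$d"
}

# receiver_verdict MESSAGE METHOD: result (pass, fail, none, ...) the receiving
# server recorded for METHOD (dkim, spf, dmarc) in Authentication-Results
receiver_verdict() {
    header_value "$1" Authentication-Results | tr ';' '\n' | awk -v m="$2=" '
        { sub(/^[ \t]+/, "") }
        index(tolower($0), m) == 1 { split(substr($0, length(m) + 1), w, /[ \t]/); print w[1]; exit }'
}

# lint_mail_auth SPF DMARC MESSAGE PUBLISHED: one finding per line, silent when clean
lint_mail_auth() {
    q=$(spf_all "$1")
    [ "$q" = fail ] || echo "SPF: unlisted senders get '$q' rather than a hard fail (-all)"
    case "$(tag_value "$2" p)" in
        quarantine|reject) ;;
        *) echo "DMARC: p= is missing or none, so failing mail is still delivered" ;;
    esac
    [ -n "$(tag_value "$2" rua)" ] || echo "DMARC: no rua= tag, so no aggregate reports arrive"
    name=$(dkim_dns_name "$3") || { echo "DKIM: message has no DKIM-Signature"; return 0; }
    case "$4" in
        "$name"|"$name".*|"$name"\ *) ;;
        *) echo "DKIM: signature points at $name, which is not the published record" ;;
    esac
    [ "$(receiver_verdict "$3" dkim)" = pass ] || echo "DKIM: receiver did not record dkim=pass"
}

# Records as shown in this guide (public key elided there too)
SPF='v=spf1 mx ip4:192.168.1.100 ~all'
DMARC='v=DMARC1; p=quarantine; ruf=mailto:dmarc@company.com'
PUBLISHED='20161101._domainkey.company.com. IN TXT "v=DKIM1; k=rsa; p=..."'
# Constructed: headers of the Step 5 test message as the recipient sees them
MSG='Authentication-Results: mx.example.net;
       dkim=pass header.i=@company.com header.s=20161101;
       spf=pass smtp.mailfrom=admin@company.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=company.com;
       s=20161101; h=from:to:subject:date; bh=CONSTRUCTED; b=CONSTRUCTED
From: admin@company.com
Subject: DKIM Test

Test email'

lint_mail_auth "$SPF" "$DMARC" "$MSG" "$PUBLISHED"
```

In practice, pass the real TXT strings (for example from dig +short TXT) and the raw source of the message that arrived in the test mailbox.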

Managing DKIM Keys

View Current Keys

/opt/zimbra/libexec/zmdkimkeyutil -q -d company.com

Rotate Keys (for security)

# Generate new key
/opt/zimbra/libexec/zmdkimkeyutil -a -d company.com

# After updating DNS, remove old key
/opt/zimbra/libexec/zmdkimkeyutil -r -d company.com -s old_selector

Email Queue Management

Understanding Email Queues

Email queues are like waiting lines for emails. When an email can't be delivered immediately, it waits in a queue for another attempt.

Common Queue Types

Active Queue

Emails currently being processed or attempted for delivery.

Deferred Queue

Emails that failed delivery and are waiting to be retried.

Hold Queue

Emails manually held by administrator.

Checking Queue Status

View Queue Summary

su - zimbra
postqueue -p

Count Messages in Queue

postqueue -p | tail -1

View Specific Message

postcat -vq [message-id]

Managing Queue

Flush Queue (retry all)

postqueue -f

Delete Specific Message

postsuper -d [message-id]

Delete All Messages

postsuper -d ALL

Hold Messages

postsuper -h [message-id]

Release Held Messages

postsuper -H [message-id]

Queue Monitoring Script

Create a script to monitor queue size:

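#!/bin/bash
# queue_monitor.sh

# The last line of postqueue -p reads "-- N Kbytes in M Requests."; field 5 is M
QUEUE_SIZE=$(postqueue -p | tail -1 | awk '{print $5}')
# An empty queue prints "Mail queue is empty", which has no field 5
QUEUE_SIZE=${QUEUE_SIZE:-0}
THRESHOLD=100

if [ "$QUEUE_SIZE" -gt "$THRESHOLD" ]; then
  echo "WARNING: Queue size is $QUEUE_SIZE messages"
  # Send alert email or notification
fi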

Common Queue Issues

Large Queue Buildup

Causes:

  • Destination server down
  • Network connectivity issues
  • Rate limiting by receiving server
  • Authentication problems

Solutions:

  • Check network connectivity
  • Review error messages in mail logs
  • Adjust retry intervals
  • Check authentication settings
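
A queue total does not show who is filling the queue or why deliveries fail. As an added example (not part of the original guide), the functions below group postqueue -p output by envelope sender and by the error messages this guide lists under Email Delivery Issues; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: break a Postfix queue listing down by sender and by failure reason.
# Function names are hypothetical; SAMPLE_QUEUE is constructed.

# queue_by_sender: reads postqueue -p output on stdin, prints "COUNT SENDER",
# busiest sender first.
queue_by_sender() {
    awk '
        # An entry starts with its queue ID (flagged * if active, ! if held), then
        # size, arrival time (4 fields) and envelope sender. NF >= 7 skips the
        # "Mail queue is empty" line, which also starts with a word.
        /^[0-9A-Za-z]+[*!]?[ \t]/ && NF >= 7 { count[$7]++ }
        END { for (s in count) print count[s], s }' | sort -k1,1nr -k2,2
}

# senders_over LIMIT: senders holding more than LIMIT queued messages.
senders_over() {
    queue_by_sender | awk -v limit="$1" '$1 > limit { print $2 }'
}

# queue_reasons: counts the parenthesised deferral reasons, grouped under the
# error messages named in this guide.
queue_reasons() {
    awk '
        /^[ \t]*\(/ {
            l = tolower($0)
            if (l ~ /timed out/) r = "Connection timed out"
            else if (l ~ /relay access denied/) r = "Relay access denied"
            else if (l ~ /mailbox full|quota/) r = "Mailbox full"
            else if (l ~ /greylist/) r = "Greylisted"
            else r = "Other"
            n[r]++
        }
        END { for (r in n) print n[r], r }' | sort -k1,1nr -k2
}

# Constructed listing in the layout postqueue -p prints.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4F1A2B3C4D*     2310 Mon Dec  1 10:00:01  jane.smith@company.com
                                         partner@example.org

5A6B7C8D9E      1822 Mon Dec  1 10:00:07  john.doe@company.com
(connect to mx.example.net[198.51.100.7]:25: Connection timed out)
                                         a@example.net

6B7C8D9E0F      1822 Mon Dec  1 10:00:07  john.doe@company.com
(connect to mx.example.net[198.51.100.7]:25: Connection timed out)
                                         b@example.net

7C8D9E0F1A      1822 Mon Dec  1 10:00:08  john.doe@company.com
(host mx.example.org[203.0.113.9] said: 450 4.7.1 Greylisted, try again later)
                                         c@example.org

8D9E0F1A2B!     3104 Mon Dec  1 10:02:44  MAILER-DAEMON
                                         jane.smith@company.com

-- 11 Kbytes in 5 Requests.'

printf '%s\n' "$SAMPLE_QUEUE" | queue_by_sender
printf '%s\n' "$SAMPLE_QUEUE" | queue_reasons
```

On a live server, run it as the zimbra user with `postqueue -p | senders_over 50` and choose the limit from your normal traffic.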

PolicyD and Rate Limiting

What is PolicyD?

PolicyD is a policy daemon that helps control email flow. Think of it as a traffic controller that decides whether to allow, reject, or delay emails based on predefined rules.

Common Use Cases

  • Rate limiting: Prevent users from sending too many emails
  • Quota enforcement: Block users who exceed their limits
  • Greylisting: Temporary rejection of emails to reduce spam
  • Blacklisting: Block specific senders or domains

Configuring Basic Rate Limiting

Install PolicyD

su - zimbra
zmprov modifyConfig zimbraMtaSmtpdMilters "inet:localhost:8464"
zmprov modifyConfig zimbraMtaSmtpdEndOfDataMilters "inet:localhost:8464"

Set Rate Limits per User

# Limit user to 100 emails per hour
zmprov modifyAccount user@company.com zimbraMtaMaxMessageSize 10485760
zmprov modifyAccount user@company.com zimbraFeatureMAPIConnectorEnabled FALSE

Advanced PolicyD Configuration

Create Rate Limit Policy

Create file /opt/zimbra/conf/policyd.conf:

# Rate limiting configuration
quota_config = [
{
'name': 'sender_rate',
'quota': 100, # emails per hour
'period': 3600, # seconds
'key': 'sender'
}
]

Monitor Rate Limiting

# Check current rates
grep "rate limit" /opt/zimbra/log/mailbox.log

# View PolicyD logs
tail -f /var/log/policyd.log

Greylisting Setup

Greylisting temporarily rejects emails from unknown senders; legitimate servers will retry.

Enable Greylisting

# Configure greylisting
zmprov modifyConfig zimbraMtaSmtpdRecipientRestrictions \
"permit_sasl_authenticated permit_mynetworks \
check_policy_service inet:127.0.0.1:60000 \
reject_unauth_destination"

Whitelist/Blacklist Management

Add to Whitelist

zmprov modifyConfig +zimbraMtaMyNetworks "192.168.1.0/24"

Block Specific Domain

echo "example-spam.com REJECT Blocked domain" >> /opt/zimbra/conf/postfix_reject_sender
postmap /opt/zimbra/conf/postfix_reject_sender
zmmtactl restart

Common Troubleshooting

Network Service Not Available

This is one of the most common issues new administrators face.

Symptoms

  • Cannot access webmail interface
  • Users can't send/receive emails
  • Admin console not accessible
  • Connection timeouts

Step-by-Step Troubleshooting

Step 1: Check Service Status

su - zimbra
zmcontrol status

Look for any services showing as "Stopped" or "Not running".

Step 2: Check Network Connectivity

# Test if server is reachable
ping mail.company.com

# Check if ports are open
telnet mail.company.com 25 # SMTP
telnet mail.company.com 80 # HTTP
telnet mail.company.com 443 # HTTPS
telnet mail.company.com 993 # IMAPS

Step 3: Check Firewall

# Ubuntu/Debian
sudo ufw status

# CentOS/RHEL
sudo firewall-cmd --list-all

# If firewall is blocking, allow Zimbra ports
sudo ufw allow 25,80,443,993,995,587,465,7071/tcp

Step 4: Check DNS Resolution

# Check if domain resolves correctly
nslookup mail.company.com

# Check MX record
nslookup -type=mx company.com

Step 5: Review Log Files

# Main Zimbra log
tail -f /opt/zimbra/log/zimbra.log

# Mailbox log
tail -f /opt/zimbra/log/mailbox.log

# System logs
tail -f /var/log/messages
tail -f /var/log/syslog

Common Solutions

Restart Services

su - zimbra
zmcontrol restart

Fix Hostname Issues

# Check current hostname
hostname
hostname -f

# Fix if incorrect
sudo hostnamectl set-hostname mail.company.com
echo "your-ip mail.company.com" | sudo tee -a /etc/hosts

Email Delivery Issues

Symptoms

  • Emails stuck in queue
  • Bounced emails
  • Delayed delivery
  • "Could not deliver" errors

Troubleshooting Steps

Check Queue

su - zimbra
postqueue -p

Check Mail Logs

tail -f /opt/zimbra/log/mailbox.log | grep "delivery"

Common Error Messages and Solutions

"Connection timed out"

  • Check network connectivity
  • Verify receiving server is operational
  • Check if your IP is blacklisted

"Relay access denied"

  • Authentication issue
  • Check SMTP authentication settings
  • Verify user credentials

"Mailbox full"

  • User has exceeded quota
  • Increase quota or ask user to delete emails

"Greylisted"

  • Temporary rejection, will retry
  • Normal behaviour if greylisting is enabled

Authentication Problems

User Can't Login

# Check if account exists
su - zimbra
zmprov getAccount user@company.com

# Check account status
zmprov getAccount user@company.com zimbraAccountStatus

# Reset password
zmprov setPassword user@company.com newpassword123

Test Authentication

# Test SMTP authentication
telnet localhost 25
EHLO test
AUTH LOGIN
# Enter base64 encoded username and password

Performance Issues

High Memory Usage

# Check memory usage
free -h
top

# Restart memory-intensive services
su - zimbra
zmmailboxdctl restart

High CPU Usage

# Identify process causing high CPU
top
htop

# Check for stuck processes
ps aux | grep java

Disk Space Issues

# Check disk usage
df -h

# Find large files
find /opt/zimbra -size +100M -exec ls -lh {} \;

# Clean old logs
find /opt/zimbra/log -name "*.log.*" -mtime +30 -delete

SSL Certificate Issues

Certificate Expired

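# Check certificate expiry
su - zimbra
/opt/zimbra/bin/zmcertmgr viewdeployedcrt

# Renew Let's Encrypt certificate
certbot renew
# deploycrt comm takes the certificate and the CA chain; zmcertmgr reads the private key
# from /opt/zimbra/ssl/zimbra/commercial/commercial.key, so copy privkey.pem there first
cp /etc/letsencrypt/live/mail.company.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.company.com/cert.pem /etc/letsencrypt/live/mail.company.com/chain.pem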

Performance Monitoring

Key Metrics to Monitor

System Resources

  • CPU Usage: Should typically be below 80%
  • Memory Usage: Monitor for memory leaks
  • Disk Space: Ensure adequate free space
  • Disk I/O: High I/O can slow email processing

Email Metrics

  • Messages per hour: Track email volume
  • Queue size: Monitor for backlogs
  • Delivery time: How fast emails are processed
  • Bounce rate: Percentage of failed deliveries

Monitoring Tools

Built-in Zimbra Statistics

su - zimbra
zmprov getServer `hostname` zimbraSmtpHostname
zmstat-allprocs

System Monitoring

# CPU and memory
htop

# Disk usage
iostat -x 1

# Network
nethogs
iftop

Setting Up Monitoring Scripts

Email Queue Monitor

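#!/bin/bash
# /opt/zimbra/bin/queue_monitor.sh

# The last line of postqueue -p reads "-- N Kbytes in M Requests."; field 5 is M
QUEUE_COUNT=$(postqueue -p | tail -1 | awk '{print $5}')
# An empty queue prints "Mail queue is empty", which has no field 5
QUEUE_COUNT=${QUEUE_COUNT:-0}
THRESHOLD=100

if [ "$QUEUE_COUNT" -gt "$THRESHOLD" ]; then
  echo "$(date): Queue size $QUEUE_COUNT exceeds threshold" >> /var/log/queue_alerts.log
  # Send alert email
  echo "High queue count: $QUEUE_COUNT" | mail -s "Queue Alert" admin@company.com
fi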

Service Status Monitor

#!/bin/bash
# /opt/zimbra/bin/service_monitor.sh

su - zimbra -c "zmcontrol status" | grep -i stopped
if [ $? -eq 0 ]; then
echo "$(date): Some Zimbra services are stopped" >> /var/log/service_alerts.log
# Attempt restart
su - zimbra -c "zmcontrol restart"
fi

Setup Cron Jobs

# Add to root's crontab
crontab -e

# Check queue every 5 minutes
*/5 * * * * /opt/zimbra/bin/queue_monitor.sh

# Check services every minute
* * * * * /opt/zimbra/bin/service_monitor.sh

Backup and Recovery

Why Backup is Critical

Email data is often business-critical. Consider these scenarios:

  • Hardware failure
  • Accidental deletion
  • Corruption
  • Natural disasters
  • Cyber attacks

Types of Backups

Full Backup

Complete copy of all email data, accounts, and configurations.

Incremental Backup

Only backs up changes since last backup.

Differential Backup

Backs up all changes since last full backup.

Zimbra Backup Methods

Built-in Backup (zmbackup)

su - zimbra

# Full backup
zmbackup -f -a all --exclude-blobs

# Backup specific account
zmbackup -f -a user@company.com

# Backup to specific location
zmbackup -f -a all --target /backup/zimbra/

Real-time Backup (HSM - Hierarchical Storage Management)

# Enable HSM
zmprov modifyConfig zimbraHsmPolicy "message:0,document:0"

Backup Strategy

Daily Backup Script

#!/bin/bash
# /opt/zimbra/bin/daily_backup.sh

# Stop at the first failed step so a failed backup is never logged as successful
set -euo pipefail

DATE=$(date +%Y%m%d)
BACKUP_DIR="/backup/zimbra/$DATE"

# Create backup directory
mkdir -p "$BACKUP_DIR"

# Perform backup
su - zimbra -c "zmbackup -f -a all --target $BACKUP_DIR"

# Compress backup
tar -czf "$BACKUP_DIR.tar.gz" -C /backup/zimbra "$DATE"

# Remove uncompressed backup
rm -rf "$BACKUP_DIR"

# Keep only last 7 days of backups
find /backup/zimbra -name "*.tar.gz" -mtime +7 -delete

# Log backup completion
echo "$(date): Backup completed successfully" >> /var/log/zimbra_backup.log

Recovery Procedures

Restore Single Account

su - zimbra

# Restore account from backup
zmrestore -a user@company.com -t 20231201

# Restore to different account
zmrestore -a user@company.com -t 20231201 -ra restored.user@company.com

Restore Entire Server

# Stop Zimbra services
su - zimbra
zmcontrol stop

# Restore data
zmrestore -sys -t 20231201

# Start services
zmcontrol start

Disaster Recovery Planning

Key Components

  1. Regular backups: Automated daily backups
  2. Offsite storage: Store backups in different location
  3. Recovery testing: Regularly test restore procedures
  4. Documentation: Step-by-step recovery procedures
  5. Spare hardware: Quick replacement capability

Advanced Configuration

High Availability Setup

Multi-Server Architecture

For high availability, consider:

  • Load balancer: Distributes user connections
  • Multiple mailbox servers: Handles user data
  • Shared storage: NFS or SAN for common data
  • Database replication: MySQL/MariaDB clustering

Basic Load Balancer Configuration

# Install HAProxy
sudo apt install haproxy

# Configure /etc/haproxy/haproxy.cfg
backend zimbra_web
balance roundrobin
server zimbra1 192.168.1.101:80 check
server zimbra2 192.168.1.102:80 check

backend zimbra_smtp
balance roundrobin
server zimbra1 192.168.1.101:25 check
server zimbra2 192.168.1.102:25 check

Custom Themes

Creating Custom Theme

# Create theme directory
mkdir -p /opt/zimbra/jetty/webapps/zimbra/skins/mytheme

# Copy default skin files
cp -r /opt/zimbra/jetty/webapps/zimbra/skins/harmony/* \
/opt/zimbra/jetty/webapps/zimbra/skins/mytheme/

# Modify CSS files
vim /opt/zimbra/jetty/webapps/zimbra/skins/mytheme/skin.css

Apply Theme to Domain

su - zimbra
zmprov modifyDomain company.com zimbraSkinLogoURL "/skins/mytheme/logo.png"
zmprov modifyDomain company.com zimbraSkinBackgroundColor "#f0f0f0"

Integration with External Systems

Active Directory Integration

# Configure LDAP authentication
zmprov modifyDomain company.com zimbraAuthMech ad
zmprov modifyDomain company.com zimbraAuthLdapURL "ldap://ad.company.com:389"
zmprov modifyDomain company.com zimbraAuthLdapBindDn "CN=zimbra,CN=Users,DC=company,DC=com"

LDAP Sync Setup

# Create LDAP sync configuration
zmprov createDataSource company.com ldapsync ldap \
zimbraDataSourceHost ad.company.com \
zimbraDataSourcePort 389 \
zimbraDataSourceBindDn "CN=zimbra,CN=Users,DC=company,DC=com" \
zimbraDataSourceBindPassword "password"

Custom Postfix Configuration

Anti-spam Configuration

# Enable SpamAssassin
zmprov modifyConfig zimbraSpamKillPercent 75
zmprov modifyConfig zimbraSpamTagPercent 50

# Custom spam rules
echo "GTUBE /^Subject:.*\*\*\*\*\*SPAM\*\*\*\*\*/" >> /opt/zimbra/conf/postfix_header_checks
postmap /opt/zimbra/conf/postfix_header_checks

Content Filtering

# Block executables
echo "/\.(exe|scr|bat|com|pif)$/ REJECT Executable files not allowed" \
>> /opt/zimbra/conf/postfix_mime_checks
postmap /opt/zimbra/conf/postfix_mime_checks

Performance Tuning

JVM Tuning

# Increase memory allocation
zmprov modifyServer `hostname` zimbraMailboxdJavaOptions \
"-Xmx8g -Xms4g -XX:NewRatio=2 -XX:+UseG1GC"

Database Optimisation

# Tune MySQL for Zimbra
echo "innodb_buffer_pool_size = 4G" >> /opt/zimbra/conf/my.cnf
echo "innodb_log_file_size = 512M" >> /opt/zimbra/conf/my.cnf

Security Hardening

Disable Unnecessary Services

# Disable spell checking service if not needed
zmprov modifyConfig zimbraSpellEnabled FALSE

# Disable briefcase if not used
zmprov modifyConfig zimbraFeatureBriefcasesEnabled FALSE

IP Restrictions

# Set the admin console login URL (this does not restrict who can reach it)
zmprov modifyConfig zimbraAdminConsoleLoginURL \
"https://admin.company.com:7071"

# Limit admin access to specific IPs with firewall rules
iptables -A INPUT -p tcp --dport 7071 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7071 -j DROP

Enable Audit Logging

# Enable detailed logging
zmprov modifyConfig zimbraLogLevel info
zmprov modifyConfig zimbraAuditLogLevel info

# Monitor authentication attempts
tail -f /opt/zimbra/log/audit.log | grep -i "auth"

Mobile Device Management

ActiveSync Configuration

# Enable ActiveSync for domain
zmprov modifyDomain company.com zimbraFeatureMobileSyncEnabled TRUE

# Set device policies
zmprov modifyDomain company.com zimbraMobilePolicyPasswordRequired TRUE
zmprov modifyDomain company.com zimbraMobilePolicyMinPasswordLength 6

Device Quarantine

# List devices requiring approval
zmprov getAllMobileDevices | grep -i "pending"

# Approve specific device
zmprov modifyMobileDevice user@company.com deviceid status approved

# Block compromised device
zmprov modifyMobileDevice user@company.com deviceid status blocked

Troubleshooting Advanced Issues

Memory Leaks and Java Issues

Identifying Memory Leaks

# Monitor Java memory usage
su - zimbra
jstat -gc $(pgrep -f mailboxd) 5s

# Generate heap dump if memory issues persist
jmap -dump:format=b,file=/tmp/heap.dump $(pgrep -f mailboxd)

Garbage Collection Tuning

# Enable GC logging
zmprov modifyServer `hostname` zimbraMailboxdJavaOptions \
"-Xloggc:/opt/zimbra/log/gc.log -XX:+PrintGCDetails -XX:+UseG1GC"

Database Corruption Issues

Check Database Integrity

su - zimbra
mysql -e "CHECK TABLE zimbra.mail_item;"
mysql -e "REPAIR TABLE zimbra.mail_item;"

Rebuild Corrupted Indexes

# Reindex specific mailbox
zmprov reIndexMailbox user@company.com

# Full reindex (use with caution)
zmreindex start

Split-Brain Scenarios in Clusters

Detecting Split-Brain

# Check cluster status
zmcontrol -v status

# Check LDAP replication
ldapsearch -x -H ldap://server1:389 -D "cn=config" -w password \
-b "cn=accesslog" "(objectclass=auditWriteObject)"

SSL/TLS Certificate Chain Issues

Verify Certificate Chain

# Check certificate chain
openssl s_client -connect mail.company.com:443 -showcerts

# Verify certificate matches private key
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5

Fix Chain Issues

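# Rebuild the CA chain (intermediate first, then root); the server certificate stays separate
cat intermediate.crt root.crt > ca_chain.pem
# deploycrt comm takes the certificate and the CA chain; the private key is read
# from /opt/zimbra/ssl/zimbra/commercial/commercial.key
/opt/zimbra/bin/zmcertmgr deploycrt comm certificate.crt ca_chain.pem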

Best Practices and Maintenance

Daily Maintenance Tasks

System Health Check Script

#!/bin/bash
# /opt/zimbra/bin/health_check.sh

# Write the report to a private temp file; a fixed name in /tmp can be
# pre-created or symlinked by any local user
REPORT=$(mktemp /tmp/health_report.XXXXXX)
trap 'rm -f "$REPORT"' EXIT

{
  echo "=== Daily Zimbra Health Check ==="
  echo "Date: $(date)"
  echo ""

  # Service status
  echo "Service Status:"
  su - zimbra -c "zmcontrol status"
  echo ""

  # Queue status
  echo "Mail Queue:"
  postqueue -p | tail -1
  echo ""

  # Disk usage
  echo "Disk Usage:"
  df -h /opt/zimbra
  echo ""

  # Memory usage
  echo "Memory Usage:"
  free -h
} > "$REPORT"

# Email the report
mail -s "Daily Zimbra Health Report" admin@company.com < "$REPORT"

Weekly Maintenance Tasks

Log Rotation and Cleanup

#!/bin/bash
# /opt/zimbra/bin/weekly_cleanup.sh

# Rotate logs older than 7 days
find /opt/zimbra/log -name "*.log.*" -mtime +7 -exec gzip {} \;

# Clean old compressed logs (older than 30 days)
find /opt/zimbra/log -name "*.log.*.gz" -mtime +30 -delete

# Clean temporary files
find /tmp -name "*zimbra*" -mtime +1 -delete

# Optimise database tables
su - zimbra -c "mysql -e 'OPTIMIZE TABLE zimbra.mail_item;'"

Monthly Maintenance Tasks

Security Updates

# Update system packages
sudo apt update && sudo apt upgrade -y

# Check for Zimbra updates
wget -O - https://files.zimbra.com/downloads/latest-version

Performance Review

# Generate performance report
zmstat-chart -h mail.company.com -s $(date -d '30 days ago' +%Y-%m-%d) \
-e $(date +%Y-%m-%d) --output /tmp/performance_report.html

Security Best Practices

Regular Security Audits

# Check for failed login attempts
grep "authentication failed" /opt/zimbra/log/mailbox.log | tail -20

# Review admin console access
grep "AdminConsole" /opt/zimbra/log/zmaccesslog.log | tail -10

# Check for unusual email patterns
grep "from=<>" /opt/zimbra/log/mailbox.log | wc -l
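
Raw grep output does not separate a user mistyping a password from one address working through many accounts. As an added example (not part of the original guide), covering both this audit step and the tail -f audit.log monitoring under Enable Audit Logging, the functions below count failures and distinct accounts per client address. Function names are hypothetical, the log lines are constructed, and the oip= and account= fields are an assumed layout to compare against your own logs.

```shell
#!/bin/sh
# Added example: summarise failed logins per source address.
# Function names are hypothetical. SAMPLE_AUDIT is constructed; the oip= (client
# address) and account= fields are an assumed layout, so compare them with your
# own /opt/zimbra/log/audit.log before relying on this.

# auth_failures_by_ip: log on stdin -> "FAILURES DISTINCT_ACCOUNTS IP", worst first.
auth_failures_by_ip() {
    awk '
        # value that follows key, up to the next semicolon; empty if key is absent
        function field(line, key,    i, rest) {
            i = index(line, key)
            if (i == 0) return ""
            rest = substr(line, i + length(key))
            sub(/;.*/, "", rest)
            return rest
        }
        /authentication failed/ {
            ip = field($0, "oip=")
            acct = tolower(field($0, "account="))
            if (ip == "") next
            fails[ip]++
            if (!((ip, acct) in seen)) { seen[ip, acct] = 1; accounts[ip]++ }
        }
        END { for (ip in fails) print fails[ip], accounts[ip], ip }' | sort -k1,1nr -k3,3
}

# classify_sources FAIL_LIMIT ACCOUNT_LIMIT: label addresses worth a closer look.
#   password-spray: failures spread over at least ACCOUNT_LIMIT accounts
#   brute-force:    at least FAIL_LIMIT failures concentrated on fewer accounts
classify_sources() {
    auth_failures_by_ip | awk -v f="$1" -v a="$2" '
        $2 >= a { print $3, "password-spray"; next }
        $1 >= f { print $3, "brute-force" }'
}

# Constructed sample: one address hammering one account, one address trying three
# accounts once each, and one user who mistypes a password and then logs in.
SAMPLE_AUDIT='2023-12-01 10:15:01,102 WARN  [qtp-42] [name=john.doe@company.com;oip=203.0.113.5;] security - cmd=Auth; account=john.doe@company.com; protocol=soap; error=authentication failed for [john.doe@company.com], invalid password;
2023-12-01 10:15:02,310 WARN  [qtp-42] [name=john.doe@company.com;oip=203.0.113.5;] security - cmd=Auth; account=john.doe@company.com; protocol=soap; error=authentication failed for [john.doe@company.com], invalid password;
2023-12-01 10:15:03,518 WARN  [qtp-43] [name=john.doe@company.com;oip=203.0.113.5;] security - cmd=Auth; account=john.doe@company.com; protocol=soap; error=authentication failed for [john.doe@company.com], invalid password;
2023-12-01 10:15:04,726 WARN  [qtp-43] [name=john.doe@company.com;oip=203.0.113.5;] security - cmd=Auth; account=john.doe@company.com; protocol=soap; error=authentication failed for [john.doe@company.com], invalid password;
2023-12-01 10:17:11,004 WARN  [qtp-44] [name=john.doe@company.com;oip=198.51.100.23;] security - cmd=Auth; account=john.doe@company.com; protocol=soap; error=authentication failed for [john.doe@company.com], invalid password;
2023-12-01 10:17:41,250 WARN  [qtp-44] [name=jane.smith@company.com;oip=198.51.100.23;] security - cmd=Auth; account=jane.smith@company.com; protocol=soap; error=authentication failed for [jane.smith@company.com], invalid password;
2023-12-01 10:18:12,872 WARN  [qtp-45] [name=admin@company.com;oip=198.51.100.23;] security - cmd=Auth; account=admin@company.com; protocol=soap; error=authentication failed for [admin@company.com], invalid password;
2023-12-01 10:20:05,133 WARN  [qtp-46] [name=jane.smith@company.com;oip=192.168.1.50;] security - cmd=Auth; account=jane.smith@company.com; protocol=soap; error=authentication failed for [jane.smith@company.com], invalid password;
2023-12-01 10:20:12,410 INFO  [qtp-46] [name=jane.smith@company.com;oip=192.168.1.50;] security - cmd=Auth; account=jane.smith@company.com; protocol=soap;'

printf '%s\n' "$SAMPLE_AUDIT" | classify_sources 4 3
```

Feed it a real log with `classify_sources 20 5 < /opt/zimbra/log/audit.log`, choosing limits that sit above your users' normal failure rate.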

Password Policy Enforcement

# Set strong password policy
zmprov modifyConfig zimbraPasswordMinLength 8
zmprov modifyConfig zimbraPasswordMinUpperCaseChars 1
zmprov modifyConfig zimbraPasswordMinLowerCaseChars 1
zmprov modifyConfig zimbraPasswordMinNumericChars 1
zmprov modifyConfig zimbraPasswordMinPunctuationChars 1

Capacity Planning

Storage Growth Monitoring

#!/bin/bash
# Monitor mailbox growth trends

for user in $(zmprov getAllAccounts | grep @company.com); do
quota_used=$(zmprov getAccount $user zimbraMailQuotaUsed 2>/dev/null | grep zimbraMailQuotaUsed | awk '{print $2}')
quota_limit=$(zmprov getAccount $user zimbraMailQuota 2>/dev/null | grep zimbraMailQuota | awk '{print $2}')

if [ ! -z "$quota_used" ] && [ ! -z "$quota_limit" ] && [ "$quota_limit" != "0" ]; then
usage_percent=$((quota_used * 100 / quota_limit))
if [ $usage_percent -gt 80 ]; then
echo "$user is using $usage_percent% of quota"
fi
fi
done

User Growth Planning

# Track user growth
user_count=$(zmprov getAllAccounts | grep @company.com | wc -l)
echo "$(date): $user_count active users" >> /var/log/user_growth.log

Conclusion

This comprehensive guide has covered Zimbra email administration from basic concepts to advanced configurations. Here are the key takeaways:

For Beginners

  • Start with understanding basic email concepts
  • Focus on proper installation and basic administration
  • Practice user and domain management
  • Learn to read log files for troubleshooting

For Intermediate Administrators

  • Master queue management and security configurations
  • Implement proper backup strategies
  • Set up monitoring and alerting
  • Understand performance tuning basics

For Advanced Users

  • Design high-availability solutions
  • Integrate with existing infrastructure
  • Implement custom security policies
  • Develop automation scripts

Essential Commands Quick Reference

# Service management
zmcontrol status|start|stop|restart

# User management
zmprov createAccount user@domain.com password
zmprov setPassword user@domain.com newpassword

# Queue management
postqueue -p # View queue
postqueue -f # Flush queue

# View logs
tail -f /opt/zimbra/log/mailbox.log

# Backup
zmbackup -f -a all

# Check disk usage
du -sh /opt/zimbra/store

Continued Learning

To become proficient with Zimbra:

  1. Practice regularly: Set up a test environment
  2. Read documentation: Stay updated with official Zimbra docs
  3. Join communities: Participate in Zimbra forums and groups
  4. Monitor industry trends: Keep up with email security developments
  5. Automate repetitive tasks: Write scripts for common operations

Final Tips

  • Always backup before making changes
  • Test configurations in a lab environment first
  • Document your customisations
  • Monitor logs regularly
  • Keep security as a top priority
  • Plan for growth and scalability

Remember, becoming an expert in Zimbra administration takes time and practice. Start with the basics, build your confidence, and gradually move to more advanced topics. The email infrastructure you manage is often critical to business operations, so always prioritise stability and security in your implementations.

Good luck with your Zimbra journey!