
Mail Ops Documentation


DOCUMENTATION – Mail Ops

Installation Mail Server


Contents

Installation Bind9 (DNS Server)
Installation Zimbra
Install SSL Let's Encrypt Zimbra
Install and configuration Shorewall
Management User and Contact Group On Zimbra
  Create Account on Zimbra (Via Command)
  Create Account on Zimbra (Via Webmail)
  Create Admin Account on Zimbra (Via Webmail)
  Create a Contact Group in Zimbra
Setting Timezone
Changing Mailbox Quota Account on Zimbra
Working in Briefcase
  Creating Briefcase folders
  Uploading Files
  Sharing your Briefcase
See The Postfix Queues [Mail Queue]
  First Way [CLI]
  Second Way (Via Zimbra Admin)
Antivirus Zimbra
Migration Plan MailOps
MailOps Flow

Documentation

Installation Bind9 (DNS Server)


Update and upgrade Linux (Ubuntu 20.04)
apt update && apt upgrade

Setting Server IP Address


vi /etc/netplan/50-cloud-init.yaml
network:
    version: 2
    ethernets:
        eth0:
            accept-ra: false
            addresses:
            - 2400:6180:0000:00D0:0000:0000:12F9:A001/64
            - 188.166.239.101/20
            - 10.15.0.9/16
            match:
                macaddress: c2:c9:3d:b2:ee:31
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.2
                - 67.207.67.3
                search: []
            routes:
            -   to: ::/0
                via: 2400:6180:0000:00D0:0000:0000:0000:0001
            -   to: 0.0.0.0/0
                via: 188.166.224.1
            set-name: eth0
        eth1:
            addresses:
            - 10.130.10.155/16
            match:
                macaddress: be:ca:79:e1:d6:c0
            mtu: 1500
            nameservers:
                addresses:
                - 67.207.67.2
                - 67.207.67.3
                search: []
            set-name: eth1

Install bind9 package


apt install bind9 -y

Move to bind directory


cd /etc/bind

Edit the zone file
vi named.conf.default-zones
zone "cls-indo.com" {
    type master;
    file "/etc/bind/cls-indo-forward";
    allow-update { none; };
};

zone "239.166.188.in-addr.arpa" {
    type master;
    file "/etc/bind/cls-indo-reverse";
    allow-update { none; };
};

Edit the file named.conf.options, change it to be like this


vi named.conf.options
. . .
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    allow-query { any; };
. . .
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
};

Open the file named.conf, change it to be like this


vi named.conf
include "/etc/bind/named.conf.options";
//include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Create reverse and forward files by copying the following files


cp db.local cls-indo-forward
cp db.127 cls-indo-reverse

Change the forward file to be like this


vi cls-indo-forward
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     cls-indo.com. root.cls-indo.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      cls-indo.com.
@       IN      MX      200 smtp.cls-indo.com.
@       IN      A       188.166.239.101
smtp    IN      A       188.166.239.101

Then edit the reverse file to be like this
vi cls-indo-reverse
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     cls-indo.com. root.cls-indo.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      cls-indo.com.
101     IN      PTR     smtp.cls-indo.com.

Restart service bind9


systemctl restart bind9

Then edit the resolv.conf file to force it to use the domain that was created
vi /etc/resolv.conf
search cls-indo.com
nameserver 188.166.239.101
nameserver 8.8.8.8

Installation Zimbra
Edit hostname
hostnamectl set-hostname smtp.cls-indo.com
su -

Edit file hosts, add domain and ip address of the server


vi /etc/hosts
188.166.239.101 smtp.cls-indo.com smtp

The next step in installing Zimbra on Ubuntu is downloading Zimbra Collaboration. You can get
the download link from https://www.zimbra.com/downloads/
wget https://files.zimbra.com/downloads/8.8.15_GA/zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954.tgz

Extract the zimbra file that was downloaded


tar -xvf zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954.tgz

If it has been successfully extracted, then move to the zimbra folder


cd zcs-8.8.15_GA_4179.UBUNTU20_64.20211118033954

Run the installer script. When Zimbra gives a notification of the Software License agreement,
select “Y” and do the same on Zimbra’s package repository Installation.
./install.sh --platform-override

If there is an error like the one below:

Run the following command


apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 9BE6ED79

Then run ./install.sh again. In the package installation, select “Y” for each package
./install.sh --platform-override
Installed packages:
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-dnscache
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
zimbra-memcached
zimbra-proxy
zimbra-drive
zimbra-imapd

Access Zimbra Dashboard


https://smtp.cls-indo.com

Access Zimbra Dashboard Admin
https://smtp.cls-indo.com:7071

Install SSL Let's Encrypt Zimbra


Install Certbot
apt install certbot

SSL Request to Let's Encrypt


certbot certonly --standalone -d smtp.cls-indo.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/smtp.cls-indo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/smtp.cls-indo.com/privkey.pem
Your cert will expire on 2022-07-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate


Donating to EFF: https://eff.org/donate-le

*Note: renew the SSL certificate every 90 days. To renew the certificate, run:
certbot renew

Copy the SSL private key to the Zimbra SSL folder
cp \
/etc/letsencrypt/live/smtp.cls-indo.com/privkey.pem \
/opt/zimbra/ssl/zimbra/commercial/commercial.key

Change ownership of the commercial.key file to user zimbra


chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key

Create the Let's Encrypt CA chain file, chain.pem


wget -O /tmp/ISRG-X1.pem https://letsencrypt.org/certs/isrgrootx1.pem
wget -O /tmp/R3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
cat /tmp/R3.pem > /etc/letsencrypt/live/smtp.cls-indo.com/chain.pem
cat /tmp/ISRG-X1.pem >> /etc/letsencrypt/live/smtp.cls-indo.com/chain.pem

Change ownership of the folder to user zimbra


chown -R zimbra:zimbra /etc/letsencrypt

Let's Encrypt SSL Verification


su - zimbra
/opt/zimbra/bin/zmcertmgr verifycrt comm \
/opt/zimbra/ssl/zimbra/commercial/commercial.key \
/etc/letsencrypt/live/smtp.cls-indo.com/cert.pem \
/etc/letsencrypt/live/smtp.cls-indo.com/chain.pem
** Verifying '/etc/letsencrypt/live/smtp.cls-indo.com/cert.pem' against
'/opt/zimbra/ssl/zimbra/commercial/commercial.key'
Certificate '/etc/letsencrypt/live/smtp.cls-indo.com/cert.pem' and private
key '/opt/zimbra/ssl/zimbra/commercial/commercial.key' match.
** Verifying '/etc/letsencrypt/live/smtp.cls-indo.com/cert.pem' against
'/etc/letsencrypt/live/smtp.cls-indo.com/chain.pem'
Valid certificate chain: /etc/letsencrypt/live/smtp.cls-indo.com/cert.pem:
OK

Deploy SSL Let’s Encrypt


/opt/zimbra/bin/zmcertmgr deploycrt comm \
/etc/letsencrypt/live/smtp.cls-indo.com/cert.pem \
/etc/letsencrypt/live/smtp.cls-indo.com/chain.pem

Restart Zimbra
zmcontrol restart

Access Zimbra in a web browser

Install and configuration Shorewall


Install shorewall ipv4
apt install shorewall

Change directory
cd /etc/shorewall/

Edit the interfaces file, then enter the interface used


vim interfaces
#ZONE INTERFACE OPTIONS
net eth0
loc eth1

Open the policy file, give the desired policy


vim policy
#SOURCE DEST POLICY LOGLEVEL LIMIT
fw all ACCEPT info
net all DROP info
loc all ACCEPT info
all all REJECT info

Open the rules file, accept ports that are allowed in and out
vim rules
#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT net fw tcp 22
ACCEPT net fw tcp 25
ACCEPT net fw tcp 80
ACCEPT net fw tcp 443
ACCEPT net fw tcp 143
ACCEPT net fw tcp 993
ACCEPT net fw tcp 995
ACCEPT net fw tcp 465
ACCEPT net fw tcp 587
ACCEPT net fw tcp 953
ACCEPT net fw tcp 7071
ACCEPT net fw tcp 8443

Open the zones file, enter the type and zone


vim zones
#ZONE TYPE OPTIONS
fw firewall
net ipv4
loc ipv4

Restart shorewall
systemctl restart shorewall
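
The rules above accept SSH (22), port 953 and the Zimbra admin console (7071) from the whole net zone. The following check is an added example, not part of the original document: it lists management ports that a rules file opens to the bare net zone. The function name and the choice of which ports count as management ports (MGMT_PORTS) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit a Shorewall rules file for management ports that are
# accepted from the whole "net" zone (no source address restriction).

# Constructed sample input: the rules listed in this document.
SAMPLE_RULES='#ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
ACCEPT net fw tcp 22
ACCEPT net fw tcp 25
ACCEPT net fw tcp 80
ACCEPT net fw tcp 443
ACCEPT net fw tcp 143
ACCEPT net fw tcp 993
ACCEPT net fw tcp 995
ACCEPT net fw tcp 465
ACCEPT net fw tcp 587
ACCEPT net fw tcp 953
ACCEPT net fw tcp 7071
ACCEPT net fw tcp 8443'

# Assumption of this example: which ports count as management interfaces.
# 22 = SSH, 953 = BIND rndc control channel, 7071 = Zimbra admin console.
MGMT_PORTS="22 953 7071"

# exposed_mgmt_ports: read a rules file on stdin and print, one per line, each
# management port that an ACCEPT rule opens with SOURCE exactly "net".
# A restricted source such as "net:203.0.113.10" is not reported.
# Port ranges (e.g. 7000:7100) are not expanded.
exposed_mgmt_ports() {
    awk -v mgmt="$MGMT_PORTS" '
        BEGIN { n = split(mgmt, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        /^[ \t]*#/ || NF < 5 { next }           # skip comments and short lines
        $1 ~ /^ACCEPT/ && $2 == "net" {
            np = split($5, port, ",")            # DPORT may be a comma list
            for (i = 1; i <= np; i++) if (port[i] in want) print port[i]
        }' | sort -n | uniq
}

# Demo on the embedded sample. On a server:
#   exposed_mgmt_ports < /etc/shorewall/rules
printf '%s\n' "$SAMPLE_RULES" | exposed_mgmt_ports
```

Each port it reports can be limited to known administrator addresses by writing the rule's SOURCE as net:ADDRESS instead of net.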

Management User and Contact Group On Zimbra


Create Account on Zimbra (Via Command)
Create an e-mail account
su - zimbra
zmprov ca admin.legal@cls-indo.com clsindo1234!

Change/reset email account password


zmprov sp admin.legal@cls-indo.com NEW_PASSWORD

Delete the contents of a specific user's mailbox


zmmailbox -z -m admin.legal@cls-indo.com emptyFolder /Inbox

Create Account on Zimbra (Via Webmail)
Login to Zimbra Admin https://smtp.cls-indo.com:7071

Click Manage

Click the Settings Button at the top right, then click New

Enter username and email name

Enter the email password, then click Next

Enter the required additional information, when finished click Finish

Create Admin Account on Zimbra (Via Webmail)
Login to Zimbra Admin https://smtp.cls-indo.com:7071

Click Manage

Click the Settings Button at the top right, then click New

Enter the username admin

Check Global Administrator, then click Next

Enter the required additional information, when finished click Finish

Create a Contact Group in Zimbra
Login to webmail Zimbra https://smtp.cls-indo.com/

Click Contacts, then click the down arrow. Then click Contact Group

Enter the name of the contact group and enter the names of the contacts that will be members
of the group. When finished, click Save

Setting Timezone
See timezone list
timedatectl list-timezones

Set the timezone to Asia/Jakarta


timedatectl set-timezone Asia/Jakarta

Changing Mailbox Quota Account on Zimbra


Change via CLI
Switch to the zimbra user
su - zimbra

Change the account quota using the following command (example: 1GB)
zmprov ma user@cls-indo.com zimbraMailQuota 1073741824

Information:
In the CLI the unit is bytes
1 GB = 1024 MB = 1048576 KB = 1073741824 bytes
2 GB = 2147483648 bytes
3 GB = 3221225472 bytes
4 GB = 4294967296 bytes
5 GB = 5368709120 bytes
6 GB = 6442450944 bytes
7 GB = 7516192768 bytes
8 GB = 8589934592 bytes
9 GB = 9663676416 bytes
10 GB = 10737418240 bytes
To check whether the settings have been set or not, use the following command:
zmprov ga user@cls-indo.com | grep zimbraMailQuota

Change via Zimbra Admin web


Open the Zimbra admin URL: https://smtp.cls-indo.com:7071
Click Manage

Right Click on user@cls-indo.com, Select Edit

Select Advanced, then enter the mailbox size (in MB) in Account quota (MB). When finished,
click Save in the upper right corner

Information:
Account quota (MB): 0 -> Unlimited
1 GB = 1024 MB
2 GB = 2048 MB
3 GB = 3072 MB
4 GB = 4096 MB
5 GB = 5120 MB
6 GB = 6144 MB
7 GB = 7168 MB
8 GB = 8192 MB
9 GB = 9216 MB
10 GB = 10240 MB
Click Save in the upper right corner

Working in Briefcase
Creating Briefcase folders
Click the Briefcase tab.

Right-click Briefcase, select New Folder

Type a name for the new Briefcase folder. Then click OK. The new briefcase displays in the
Overview pane.

This name must be unique within the hierarchy of your mailbox folders. Briefcase folders
cannot have the same name as any top-level folder in your Zimbra mail, calendar, or address
book. For example, if you have a calendar named Holidays, you cannot name a top-level
Briefcase Holidays. Holidays could be a name of a briefcase within another briefcase.
Select the folder hierarchy. You can create a new top-level briefcase, or you can place it under
an existing briefcase.

Uploading Files
Uploading a file transfers a file from your personal computer to your email account. This
makes the file available any time you log in to your account. Your account quota determines
how many files can be uploaded to your Briefcase.
Open Briefcase and on the toolbar click Upload File.

In the Upload New File to Briefcase dialog click Choose Files to find the files to upload. You
can select multiple files to upload at once if the files are in the same directory. To add other
files, click Add and browse to the file.

When you upload a file with the same name as an existing file, an Information dialog displays
a warning. If you click No, the file is not uploaded. When all files are uploaded, click OK. The
files are displayed in the briefcase.

Sharing your Briefcase


Right-click on the folder you want to share, select Share Folder

Select who to share with and the role, then click OK

Internal Users or Groups


For internal users or groups, you specify the type of access permissions to give the Grantee:
• Viewer. The Grantee can read the contents of the folder but cannot make changes to
the content.
• Manager. The Grantee has permission to view and edit the contents of a folder, create
new sub folders, present items on your behalf, and delete items from the folder.
• Admin. The Grantee has full permission to view and edit the content of a shared folder,
create new sub folders, present on your behalf, delete items from the shared folder,
and share the folder with others.
Note: None is an option to temporarily disable access to a mail folder without revoking the
share privileges. The Grantee still has the mail folder in his mailbox but cannot view or manage
activities on the grantor's mail folder.
External Guests
You can share with external guests, who must use a password to view the folder content. External
guests cannot make changes to your folder. You create the password.
Public URL
Anyone who knows the URL to the folder can view the folder content. The public cannot make
any changes to the folder. When you select to share with Public, the URL that displays in
the Share Properties dialog is made accessible to the public.

See The Postfix Queues [Mail Queue]
First Way [CLI]
As zimbra using sudo - show a summary of queue count - ~/libexec/zmqstat:
sudo ~/libexec/zmqstat
deferred=3
incoming=0
active=0
hold=0
corrupt=0

As zimbra - /opt/zimbra/common/sbin/postqueue -p
/opt/zimbra/common/sbin/postqueue -p
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
992C64BB81C 42244 Wed May 25 08:28:01 warehouse@cls-indo.com
(host mx6.telkomsel.co.id[202.3.219.124] said: 450 Service temporarily
unavailable; Client Host [188.166.239.101] blocked using Trend Micro Email
Reputation Service. Please see http://www.mail-abuse.com/cgi-
bin/lookup?ip_address=188.166.239.101 (in reply to RCPT TO command))
BillCo_jabotabek@telkomsel.co.id
CES@telkomsel.co.id
(lost connection with mx6.telkomsel.co.id[202.3.219.124] while sending RCPT
TO)
gabriella_m_h@telkomsel.co.id
. . .
-- 1079 Kbytes in 3 Requests.

As zimbra - mailq
mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
992C64BB81C 42244 Wed May 25 08:28:01 warehouse@cls-indo.com
(host mx6.telkomsel.co.id[202.3.219.124] said: 450 Service temporarily
unavailable; Client Host [188.166.239.101] blocked using Trend Micro Email
Reputation Service. Please see http://www.mail-abuse.com/cgi-
bin/lookup?ip_address=188.166.239.101 (in reply to RCPT TO command))
BillCo_jabotabek@telkomsel.co.id
CES@telkomsel.co.id
(lost connection with mx6.telkomsel.co.id[202.3.219.124] while sending RCPT
TO)
gabriella_m_h@telkomsel.co.id
. . .
-- 1079 Kbytes in 3 Requests.
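
The queue listing above shows mail deferred because the receiving host rejected the server's IP address on a reputation list. The following summariser is an added example, not part of the original document: it reads postqueue -p output and prints, per queued message, the queue ID, sender, recipient count and the blocklist named in a "blocked using ..." reason. The function name and the sample addresses are constructed for this example, and it assumes short hexadecimal queue IDs.

```shell
#!/usr/bin/env bash
# Added example: summarise `postqueue -p` output per queued message.

# Constructed sample, modelled on the output above (documentation addresses).
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
992C64BB81C    42244 Wed May 25 08:28:01  warehouse@example.com
(host mx.example.net[192.0.2.25] said: 450 Service temporarily unavailable; Client Host [203.0.113.10] blocked using Trend Micro Email Reputation Service. Please see the lookup page (in reply to RCPT TO command))
                                         billing@example.net
                                         support@example.net
(lost connection with mx.example.net[192.0.2.25] while sending RCPT TO)
                                         sales@example.net

A1B2C3D4E5F*    1200 Wed May 25 09:00:00  hr@example.com
                                         partner@example.org

-- 43 Kbytes in 2 Requests.'

# queue_summary: read `postqueue -p` output on stdin and print one
# tab-separated line per message: queue ID, sender, recipient count, and the
# blocklist named in a "blocked using ..." deferral reason ("-" if none).
queue_summary() {
    awk '
        function emit() {
            if (id != "")
                printf "%s\t%s\t%d\t%s\n", id, sender, rcpts, (bl == "" ? "-" : bl)
            id = ""; rcpts = 0; bl = ""
        }
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        inreason || line ~ /^\(/ {               # deferral reason, may wrap
            reason = reason " " line
            inreason = (line !~ /\)$/)           # still open until a line ends in ")"
            if (!inreason) {
                if (match(reason, /blocked using [^.;]+/))
                    bl = substr(reason, RSTART + 14, RLENGTH - 14)
                reason = ""
            }
            next
        }
        line == "" || /^-Queue ID-/ || /^-- / { next }   # blank, header, trailer
        /^[0-9A-F]+[*!]?[ \t]/ {                 # new entry, short hex queue ID
            emit(); id = $1; sub(/[*!]$/, "", id); sender = $NF; next
        }
        { rcpts++ }                               # anything else is a recipient
        END { emit() }'
}

# Demo on the embedded sample. On the server, as zimbra:
#   /opt/zimbra/common/sbin/postqueue -p | queue_summary
printf '%s\n' "$SAMPLE_QUEUE" | queue_summary
```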

Second Way (Via Zimbra Admin)
Click Monitor

Click Mail Queues

Antivirus Zimbra
ClamAV is powerful antivirus software that can scan your email and your server for malicious
files. It works like an antivirus program on your computer, but ClamAV scans your server.
Specifically, ClamAV looks for malicious email attachments and malicious server files.

Basic features of ClamAV:
1. ClamAV is designed to scan files quickly.
2. Real time protection (Linux only). The ClamOnAcc client for the ClamD scanning
daemon provides on-access scanning on modern versions of Linux. This includes an
optional capability to block file access until a file has been scanned (on-access
prevention).
3. ClamAV detects millions of viruses, worms, trojans, and other malware, including
Microsoft Office macro viruses, mobile malware, and other threats.
4. ClamAV’s bytecode signature runtime, powered by either LLVM or our custom
bytecode interpreter, allows the ClamAV signature writers to create and distribute
very complex detection routines and remotely enhance the scanner’s functionality.
5. Signed signature databases ensure that ClamAV will only execute trusted signature
definitions.
6. ClamAV scans within archives and compressed files but also protects against archive
bombs
To enable antivirus service in Zimbra:
zmprov -l ms smtp.cls-indo.com +zimbraServiceEnabled antivirus

To configure virus definition update frequency:


zmprov mcf zimbraVirusDefinitionsUpdateFrequency 2h

Migration Plan MailOps


No. Migration Plan
1. Remove the TXT record on public DNS:
   cls-indo.com. 3600 IN TXT v=spf1 +a +mx +ip4:202.157.186.2 +a:mail.cls-indo.com +a:cls-indo.com +ip4:103.82.240.51 +ip4:103.82.240.174 +include:zoho.com ~all
2. Edit the MX record:
   mail.cls-indo.com from 0 to 300
3. Add a DMARC record:
   v=DMARC1;p=quarantine;pct=5;rua=mailto:postmaster@cls-indo.com
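
The DMARC record in the plan sets p=quarantine with pct=5, which asks receivers to apply the quarantine policy to 5% of the mail that fails DMARC. The following checker is an added example, not part of the original document: it parses a DMARC record and reports the policy, the percentage and whether aggregate reports (rua) are requested. The function names dmarc_tag and dmarc_check are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: parse a DMARC TXT record and report how much of the policy
# is actually enforced.

# The record from step 3 of the migration plan.
PLAN_RECORD='v=DMARC1;p=quarantine;pct=5;rua=mailto:postmaster@cls-indo.com'

# dmarc_tag RECORD TAG: print the value of TAG, or nothing if it is absent.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -v tag="$2" '
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == tag) { print v; exit } }'
}

# dmarc_check RECORD: print
#   policy=<p> pct=<n> enforcement=<monitor-only|partial|full> reports=<yes|no>
# or print "invalid: <reason>" and return 1 if the record is malformed.
dmarc_check() {
    local rec="$1" p pct rua level
    case $(printf '%s' "$rec" | tr -d ' \t') in
        v=DMARC1|v=DMARC1\;*) ;;                 # v must be the first tag
        *) echo "invalid: record must start with v=DMARC1"; return 1 ;;
    esac
    p=$(dmarc_tag "$rec" p)
    pct=$(dmarc_tag "$rec" pct); pct=${pct:-100} # pct defaults to 100
    rua=$(dmarc_tag "$rec" rua)
    case $p in
        none|quarantine|reject) ;;
        *) echo "invalid: p must be none, quarantine or reject"; return 1 ;;
    esac
    case $pct in
        ''|*[!0-9]*) echo "invalid: pct must be an integer 0-100"; return 1 ;;
    esac
    [ "$pct" -le 100 ] || { echo "invalid: pct must be an integer 0-100"; return 1; }
    if [ "$p" = none ]; then level=monitor-only   # nothing is quarantined or rejected
    elif [ "$pct" -lt 100 ]; then level=partial   # policy applies to pct% of failing mail
    else level=full; fi
    echo "policy=$p pct=$pct enforcement=$level reports=$([ -n "$rua" ] && echo yes || echo no)"
}

# Demo on the record from the plan.
dmarc_check "$PLAN_RECORD"
```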

MailOps Flow
