SOLVED Zimbra 8.6 HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Do a quick search under the usual jetty folders:

find /opt/zimbra/jetty/ -type f -name '*jsp' -mtime -30

If you find files like:

/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp

you have actually been hacked.

Unlike the previous “zmcat” and “dblaunchs” attacks, which actually exploit the vuln and load some sh*t, this looks like a bad, childish attack. It seems that they delete some files under the jetty dir; I don’t know why.
The attack vector is the same, but there are no strange processes and there is no persistence.


Installing a Comodo SSL on Zimbra using CLI

1. Get the bundle from Comodo in crt format, or sometimes as a zip file.

2. Place the bundle on your Zimbra mailbox server. You should receive, or download, the following files:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
my_domain_com.crt

or, since Comodo was acquired by Sectigo, the updated zip might appear as below:


Enable DNSBL or RBL on Zimbra

DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to fight spam emails. It is a blacklist of source IP addresses that have a reputation of sending spam emails. Most email systems can be configured to check these lists and block or flag emails that were sent from domains/IPs listed there. The ‘Blackhole List’ is sometimes called ‘blacklist’ by email admins.

In this tutorial, we’ll see how we can configure RBL with Zimbra using both GUI and CLI.

Method 1 – GUI:

Log in to the Zimbra admin console – https://mail.example.com:7071, and then go to Configure.

Then, go to Global Settings.


Zimbra troubleshooting incoming mail problems

Problem

If you’re having trouble receiving mail from outside, you need to find out where the message is failing. When sending your test message, check the Log Files, especially /var/log/zimbra.log, on your MTA server. It’s often helpful to tail the logfile as you send the message:

tail -f /var/log/zimbra.log

If you see nothing logged (no connection, nothing), then the problem is likely either DNS or your firewall.

Resolution

Firewall
To troubleshoot your firewall, it helps to have an account on a system outside of your network. For mail to flow inbound, servers on the internet need to connect to your MTA on port 25.

DNS issues
The mail domain that your user accounts are created under must have an MX record. To test this:

host -t mx domain

The IP address returned should be the IP (public or private) of your MTA. If it’s the public address, make sure that the Firewall is forwarding port 25 to the MTA.


Fix: Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.Cannot determine services – exiting

My Zimbra 8.6 was throwing the following error after my Let’s Encrypt SSL certificate expired:

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.Cannot determine services - exiting

The Fix:

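To fix the problem, modify the following parameters as the zimbra user. They turn off STARTTLS for Zimbra’s connections to LDAP, which is why the certificate verification error no longer stops startup: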

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

Then restart Zimbra using:

zmcontrol restart

Hopefully it will restart.


Zimbra Let’s Encrypt SSL Renew – Zimbra 8.6

Let’s Begin:
This works if you already have an expired Let’s Encrypt SSL certificate, assuming you have already deployed SSL on your Zimbra system. However, if you have ended up here and would like to know how to set up Let’s Encrypt on your system, you may read my other article here:

https://tweenpath.net/installing-encrypt-zimbra-server/

Log in as the zimbra user, then stop the proxy and mailbox services for the renewal process.

su zimbra
zmproxyctl stop
zmmailboxdctl stop

Then return to the root user and renew the Let’s Encrypt certificate:

exit

Let’s Encrypt renew: change directory to the Zimbra Let’s Encrypt SSL folder


Zimbra – deleting all email in queue by sender

As root user execute:

/opt/zimbra/postfix/sbin/postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } / sender@mail\.com/ { print $1 }' | tr -d '*' | /opt/zimbra/postfix/sbin/postsuper -d -
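
An added example (not from the original post): a dry-run helper that lists the queue IDs a deletion by sender would target, matching the envelope sender field exactly. The `/ sender@mail\.com/` pattern also matches indented recipient lines, and `tr -d '*'` leaves the `!` hold marker in place. The function names and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list queue IDs whose envelope sender is exactly "$1".
# Reads `postqueue -p` output on stdin; prints one queue ID per line.
queue_ids_by_sender() {
    tail -n +2 |                       # drop the column header line
    awk -v sender="$1" '
        BEGIN { RS = "" }              # paragraph mode: one queue entry per record
        $7 == sender {                 # field 7 is the envelope sender
            id = $1
            gsub(/[*!]/, "", id)       # strip active (*) and hold (!) markers
            print id
        }'
}

# Constructed sample in the postqueue -p layout (not real queue data).
sample_queue() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
4F1A2B3C4D*    2048 Mon Mar  3 10:15:02  sender@mail.com
                                         alice@example.org

5A6B7C8D9E     1024 Mon Mar  3 10:16:40  bob@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         sender@mail.com

6C7D8E9F0A!    4096 Mon Mar  3 10:17:11  sender@mail.com
                                         carol@example.net

-- 7 Kbytes in 3 Requests.
EOF
}

# Dry run: review the IDs first, then pipe them to `postsuper -d -`.
sample_queue | queue_ids_by_sender 'sender@mail.com'
```

On a live server, feed it `/opt/zimbra/postfix/sbin/postqueue -p` instead of the sample and check the printed IDs before piping them to `postsuper -d -`.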

To Delete ALL Messages From Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL

Another way to do this:

mailq | awk '{print $1}' | postsuper -d -

To Delete ALL Messages From The Deferred Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL deferred

To Delete ALL Messages From The Hold Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL hold

There’s a nice Zimbra wiki page with details on cleaning up mail queues.

https://wiki.zimbra.com/wiki/Managing-The-Postfix-Queues


Installing Let’s Encrypt on a Zimbra Server

Let’s Encrypt must be installed on one Linux machine to obtain the proper SSL Certificate, CA Intermediate, and Private Key. It is not required that it be on the same Zimbra Server, but it could save time and help to obtain the renewals, etc.

The first step is to stop the jetty or nginx service at the Zimbra level:

zmproxyctl stop
zmmailboxdctl stop

The second step is to install git on the server (apt-get install git / yum install git), and then do a git clone of the project in the folder we want.

Note: On RedHat/CentOS 6 you will need to enable the EPEL repository before installing.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Let’s now run Let’s Encrypt in auto mode and use the certonly option, because for now the project can’t automatically install the cert on Zimbra servers.

root@zimbra86:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone

If you need multiple hostnames on the same certificate (a multi-SAN SSL certificate), run this instead, where each -d is one of your domains:

root@zimbra86:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone -d xmpp.example.com -d conference.example.com



Zimbra send http traffic to https or keeping both in mix

The HTTP proxy supports the following protocol modes: HTTP only, HTTPS only, both HTTP and HTTPS, mixed HTTP and HTTPS, or HTTPS redirect from HTTP. Redirect is a popular configuration. This configuration must be made on the proxy servers.

HTTPS redirect from HTTP

zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect

HTTP and HTTPS (support both)

zmprov ms proxy.server.name zimbraReverseProxyMailMode both

HTTPS only

zmprov ms proxy.server.name zimbraReverseProxyMailMode https

HTTP only

zmprov ms proxy.server.name zimbraReverseProxyMailMode http

“mixed” will cause only authentication to be sent over HTTPS

zmprov ms proxy.server.name zimbraReverseProxyMailMode mixed

Src:
https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached#Protocol_Requirements_Including_HTTPS_Redirect
