ZImbra troubleshooting incoming mail problems


If you’re having trouble receiving mail from outside, you need to find out where the message is failing. When sending your test message, check the Log Files, especially /var/log/zimbra.log, on your MTA server. It’s often helpful to tail the logfile as you send the message:

tail -f /var/log/zimbra.log

If you see nothing logged (no connection, nothing) then the problem likely either DNS or your firewall.


To troubleshoot your firewall, it helps to have an account on a system outside of your network. For mail to flow inbound, servers on the internet need to connect to your MTA on port 25.

DNS issues
The mail domain that your user accounts are created under must have an MX record. To test this:

host -t mx domain

The IP address returned should be the IP (public or private) of your MTA. If it’s the public address, make sure that the Firewall is forwarding port 25 to the MTA. Continue reading “ZImbra troubleshooting incoming mail problems” »


Fix: Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.Cannot determine services – exiting

My ZImbra 8.6 was throwing the following error once after my letsencrypt SSL got expired:

Unable to start TLS: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed when connecting to ldap master.Cannot determine services - exiting

The Fix:

In order to fix the problem you need to modify the following parameters as Zimbra user:

zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0

Then restart zimbra by using

zmcontrol restart

Hope it’ll restarted


Zimbra Letsencrypt SSL Renew – Zimbra 8.6

Let’s Begin:
This works if you already have an expired letsencrypt ssl certificate and assuming you have already deployed SSL in you zimbra system. However, if you come up here already, and would like to know how to setup letsencrypt on your system you may read my other article here:


Log on Zimbra user then stop proxy and mail box service for renew proccess.

su zimbra
zmproxyctl stop
zmmailboxdctl stop

Then return root user and renew Letsencrypt certificate


letsencrypt renew: Change directory to Zimbra Letsecnrpyt SSL folder Continue reading “Zimbra Letsencrypt SSL Renew – Zimbra 8.6” »


Zimbra – deleting all email in queue by sender

As root user execute:

/opt/zimbra/postfix/sbin/postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } / sender@mail\.com/ { print $1 }' | tr -d '*' | /opt/zimbra/postfix/sbin/postsuper -d -

To Delete ALL Messages From Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL


/opt/zimbra/common/sbin/postsupe -d ALL

Another way to do this:

mailq | awk '{print $1}' | postsuper -d -

To Delete ALL Messages From The Deferred Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL deferred

To Delete ALL Messages From The Hold Queue

/opt/zimbra/postfix/sbin/postsuper -d ALL hold

There’s a nice Zimbra wiki page with detailed on cleaning up mail queues.



Installing Let’s Encrypt on a Zimbra Server

Let’s Encrypt must be installed on one Linux machine to obtain the proper SSL Certificate, CA Intermediate, and Private Key. It is not required that it be on the same Zimbra Server, but it could save time and help to obtain the renewals, etc.

First Step is to stop the jetty or nginx service at Zimbra level

zmproxyctl stop
zmmailboxdctl stop

Second step is to Install git on the Server (apt-get install git/yum install git), and then do a git clone of the project on the folder we wantNote: On RedHat/CentOS 6 you will need to enable the EPEL repository before install.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

Let’s now run Let’s Encrypt in auto mode and use the certonly option, because for now the project can’t automatically install the cert on Zimbra servers.

root@zimbra86:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone

If you need to have multiple hostnames on the same SSL, so a Multi-SAN, SSL, please run instead, where -d are your domains:

root@zimbra86:~/tmp/letsencrypt# ./letsencrypt-auto certonly --standalone -d xmpp.example.com -d conference.example.com

Continue reading “Installing Let’s Encrypt on a Zimbra Server” »


Zimbra send http traffic to https or keeping both in mix

HTTP proxy can support protocol modes for HTTP or HTTPS only, both HTTP and HTTPS, mixed HTTP and HTTPS or HTTPS redirect from HTTP. Redirect is a popular configuration. This configuration must be made to the proxy servers.

HTTPS redirect from HTTP

zmprov ms proxy.server.name zimbraReverseProxyMailMode redirect

HTTP and HTTPS (support both)

zmprov ms proxy.server.name zimbraReverseProxyMailMode both

HTTPS only

zmprov ms proxy.server.name zimbraReverseProxyMailMode https

HTTP only

zmprov ms proxy.server.name zimbraReverseProxyMailMode http

“mixed” will cause only authentication to be sent over HTTPS

zmprov ms proxy.server.name zimbraReverseProxyMailMode mixed



Increase mail attachment in Zimbra 8.8

Postfix configuration (zimbraMtaMaxMessageSize and message_size_limit)

You can examine the current value of this parameter like this:

# su - zimbra
$ postconf message_size_limit
message_size_limit = 10240000

This configuration parameter is stored in the zimbra ldap directory, and propagated to postconf’s message_size_limit by zmmtaconfig, which is invoked by the zimbra postfix command. The following commands will set the message_size_limit to 2MB (adjust this value to suit your needs):

# su - zimbra
$ zmprov modifyConfig zimbraMtaMaxMessageSize 2048000
$ postfix reload

You can then confirm the changes with this command:

$ postconf | grep message_size_limit

IMAP Continue reading “Increase mail attachment in Zimbra 8.8” »


Zimbra Exporting all mail addresses

Exporting all addresses (mailboxes, aliases and distribution lists) is a vital tool if you have a backup MX and only want it to accept email for valid recipients. One reason for that is to stop spammers who simply use a dictionary of common names to generate recipient email addresses which would flood a backup MX with undeliverable email. Some anti-spam providers (e.g. Postini) have automatic provisioning processes for making this possible.

A naive process of extracting mailboxes looks like this:

/opt/zimbra/bin/zmaccts | grep 'active' | egrep -v '^\W+' | awk '{print $1}'

Unfortunately, this doesn’t give distribution lists and aliases, so a more sophisticated approach is necessary, for which there is no specific tool and requires using the ldap tool thus: Continue reading “Zimbra Exporting all mail addresses” »


Best Practices on Email Protection: SPF, DKIM and DMARC

Once we installed Zimbra Collaboration, we need to be aware of some additional configurations that will allow us to send emails to other Email systems with an improve Security, such Gmail, Hotmail, Yahoo!, etc. This Wiki article will show the different Email Protection resources that exists, depends of the volume of sent email, will be better to implement only one, or two, or maybe all of them, depends.

Sender Policy Framework (SPF) is an email validation system, designed to prevent unwanted emails using a spoofing system. To check this common security problem, SPF going to verify the source IP of the email and compare it with a DNS TXT record with a SPF content. 

Where needs to be configured?
SPF needs to be configured in the Public DNS Continue reading “Best Practices on Email Protection: SPF, DKIM and DMARC” »