Good day to all!
After returning to my previous place of work, I had to clean up my own two-year-old mistakes, multiplied (literally multiplied) by the mistakes of Razdolbay Outsourcing LLC (the company's name, as you rightly guess, has been changed). One of those mistakes was the Exim mail server: not only did spam pour out of it by the bucketful, but the crookedly configured antispam set up by the outsourcer's visiting admin "lost" the letters people actually needed, and as a nice bonus the IMAP side also periodically lost needed letters. Frankly, the best solution was rm -rf /. That is what I did, and then I deployed Zimbra. Now I want to tell how I did it so that it worked (above all within the company's own logic) and became the second everyday work tool, whereas before e-mail had lived separately, in the hands of a few people.
So off we went to fight spam, sabotage, sloppiness, reluctance to work, user stupidity and a whole lot more!
1. Installing and beating spam
I won't describe the installation: there is nothing special about installing Debian 5, nor in the Zimbra installation script. The difficulty is elsewhere. Zimbra is very sensitive to the hostname, so if you have more than one interface, be sure to bring /etc/hosts on the machine where you install it into this form:
# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
aaa.aaa.aaa.aaa zimbra.mydomain.ru zimbra
xxx.xxx.xxx.xxx zimbra.mydomain.ru zimbra
that is, one entry each for the gray (private) and white (public) IP. Of course, you could configure DNS properly, but putting the DNS servers (of which there are as many as three) in order is a matter for a future period, so let's leave it for now. Keep this in mind if you have similar problems. Zimbra is smart, though: whatever it doesn't like, you'll hear about right away.
I beat spam without straining at all: I simply moved the mail to the VDS where the website runs and turned on greylisting. They have wider channels, so let the spam hit that server on the side. Fortunately the VDS runs sendmail, so I did it as I described in the wiki, pre-configuring it as the secondary system.
In short: the MX records point to the host mail.mydomain.ru, which runs sendmail with greylisting. There we accept mail for addresses of the form user@mydomain.ru and forward it to addresses of the form user@zimbra.mydomain.ru. The Zimbra server, in turn, sends through the relay and rewrites user@zimbra.mydomain.ru to user@mydomain.ru at sending time. I don't know Postfix deeply, so I suspect you can't pull off such tricks with it.
Besides beating spam there is another real plus: a very serious reduction in load on the Zimbra server, which is several times less efficient than sendmail. In other words, sendmail + milter-greylist doesn't even notice 20,000 spam messages a day, 95% of which get cut off, whereas for Zimbra that would already be pointless load. I warn you right away: Zimbra is VERY hungry for resources, so it makes sense to think this over.
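As an added illustration (not the author's configuration and not milter-greylist's code), here is a model of the decision the front MX makes when greylisting: a new (client IP, sender, recipient) triplet gets a temporary 4xx rejection, a real MTA retries after a few minutes and is then accepted and auto-whitelisted, while a fire-and-forget spam source never comes back. The delay, retry window and whitelist lifetime are this example's assumptions.

```python
from dataclasses import dataclass, field

# Policy parameters assumed for this example (milter-greylist has its own defaults).
GREYLIST_DELAY = 300         # seconds a new triplet must wait before acceptance
GREYLIST_WINDOW = 6 * 3600   # a retry later than this starts the triplet over
AUTOWHITE = 30 * 24 * 3600   # a triplet that passed stays trusted this long

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # triplet -> first_seen
    trusted: dict = field(default_factory=dict)   # triplet -> expiry

    def decide(self, client_ip, sender, recipient, now):
        """Return 'accept' or 'tempfail' (SMTP 451) for one delivery attempt."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        expiry = self.trusted.get(triplet)
        if expiry is not None and now < expiry:
            self.trusted[triplet] = now + AUTOWHITE   # refresh the auto-whitelist
            return "accept"
        first = self.pending.get(triplet)
        if first is None or now - first > GREYLIST_WINDOW:
            self.pending[triplet] = now                # first contact: ask it to retry
            return "tempfail"
        if now - first < GREYLIST_DELAY:
            return "tempfail"                          # retried too early
        del self.pending[triplet]                      # patient sender: let it in
        self.trusted[triplet] = now + AUTOWHITE
        return "accept"

def simulate(attempts):
    """Run a list of (time, ip, sender, recipient) attempts through one greylist."""
    gl = Greylist()
    return [gl.decide(ip, s, r, t) for (t, ip, s, r) in attempts]

# Constructed attempt log: a real MTA retries after a few minutes; a typical
# spam cannon fires once at a fresh address and never comes back.
ATTEMPTS = [
    (0,    "203.0.113.5",  "partner@example.net", "sales@mydomain.ru"),
    (60,   "203.0.113.5",  "partner@example.net", "sales@mydomain.ru"),  # too early
    (900,  "203.0.113.5",  "partner@example.net", "sales@mydomain.ru"),  # legit retry
    (0,    "198.51.100.9", "x@spam.example",      "dir@mydomain.ru"),    # one shot
    (3600, "203.0.113.5",  "partner@example.net", "sales@mydomain.ru"),  # trusted now
]

if __name__ == "__main__":
    for attempt, verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(attempt[0], attempt[1], attempt[2], "->", verdict)
```

Only the triplet that retried after the delay is ever accepted; the one-shot spam attempt stays at a 4xx and costs the Zimbra box nothing.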
2. Organizing the infrastructure
Then came the most interesting part of the work: working with the users. It was very hard for me to explain to managers the new "routing" of mail, how a mail alias differs from a mailbox, why I can arrange for a letter sent to sales@mydomain.ru to reach all the managers and the sales director, and why none of them can remove it. My advice: don't waste time on that. Just do it. It's not for them to sort out anyway; your job is that they get their mail, and how it gets to them is not their concern. Just follow these principles when building the infrastructure:
- No shared IMAP mailboxes. One user, one mailbox. Everything else is aliases.
- Minimize the installation of mail clients. The average company employee doesn't need a mail client; everything goes through the web interface.
- The signature carries the "personal" mailbox; the business card carries the department's mailbox (which in turn is an alias).
- It's a good idea to set up a mail collector on the primary server: bluntly and cynically copy all incoming mail (or not all), because sometimes that makes sense, and this kind of infrastructure is more than convenient for it.
Creating users is a fair amount of tedium; you can write scripts and import, or do it some other way. In my case there were 40 entries at the first stage, spread over another month, so I decided not to bother. But if you're going to implement this, keep in mind that Zimbra has a built-in means of import.
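As an added example (not the author's script and not Zimbra's own tooling, though the zmprov verbs ca, cdl and adlm are real), this Python turns a constructed user list into a batch file for zmprov -f, encoding the principles above: one mailbox per person, and department addresses as distribution lists rather than second mailboxes. The CSV layout, the placeholder password and setting zimbraPasswordMustChange on new accounts are this example's assumptions.

```python
import csv
import io

# Constructed sample user list; the column layout is this example's assumption.
USERS_CSV = """\
login,first,last,departments
i.ivanov,Ivan,Ivanov,sales
p.petrov,Petr,Petrov,sales;dir
s.sidorova,Svetlana,Sidorova,dir
"""

def validate(csv_text, domain):
    """Refuse input that would break the 'one user, one mailbox' rule."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["login"].strip().lower()
        if not login or login in seen:
            raise ValueError(f"duplicate or empty mailbox {login}@{domain}")
        seen.add(login)
    return True

def zmprov_batch(csv_text, domain, initial_password):
    """Produce lines for 'zmprov -f batch.txt' from the user list.

    ca   = createAccount, cdl = createDistributionList,
    adlm = addDistributionListMember. A department address (sales@, dir@)
    becomes a list whose membership only the admin controls.
    """
    validate(csv_text, domain)
    accounts, members = [], {}          # list address -> ordered member accounts
    for row in csv.DictReader(io.StringIO(csv_text)):
        acct = f"{row['login'].strip().lower()}@{domain}"
        # Force a password change at first login so the placeholder never lives on.
        accounts.append(f"ca {acct} {initial_password} givenName {row['first']} "
                        f"sn {row['last']} zimbraPasswordMustChange TRUE")
        for dept in filter(None, row["departments"].split(";")):
            members.setdefault(f"{dept.strip()}@{domain}", []).append(acct)
    lines = list(accounts)
    for dl, accts in members.items():
        lines.append(f"cdl {dl}")
        lines.extend(f"adlm {dl} {a}" for a in accts)
    return lines

if __name__ == "__main__":
    print("\n".join(zmprov_batch(USERS_CSV, "mydomain.ru", "CHANGE-ME-PLACEHOLDER")))
```

Feed the printed lines to zmprov -f on the Zimbra server as the zimbra user; the batch file contains initial passwords, so protect it and delete it after the import.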
3. Rolling it out
Here the first surprise awaited me. I thought I had written a normal instruction, laying out inside and out what to do. But after reading it, people came back with questions like "Thank you, but what should we do?". Fortunately I quickly realized this wouldn't work and rewrote it. Remember: the user needs a shortcut on the desktop. One in five knows what the address bar is and what it's for; the other four, at best, type zimbra.mynetwork.local into the Yandex search box. But the very idea of issuing an instruction was right: those who got through its third version never asked questions again.
I quote the text:
(The quoted instruction did not survive extraction; only the example values it used remain: the hosts entry 192.168.xxx.yyy zimbra.mynetwork.local, the public name zimbra.mydomain.ru, and the sample addresses dir@mydomain.ru, i.ivanov@mydomain.ru, sales@mydomain.ru and i.ivanov@zimbra.mydomain.ru.)
Briefly, about the "local mailbox". In fact, no, it isn't local, but I just as brazenly and cynically firewalled all third-party SMTP except the sendmail server, even though in the domain's DNS I have MX records pointing at zimbra.mydomain.ru. It is simply the optimal solution in terms of creating problems for a would-be spammer with minimal effort on my part.
That could be the end of the post, but I want to highlight two more points separately.
4. The human factor
All employees split into two unequal groups: allies and saboteurs. Those who "don't care", you understand, differ little from the saboteurs; it is because of them that something doesn't work. Since the introduction of a web-based ERP system, imposed administratively, had failed miserably at this enterprise, it was clear that I couldn't push anything through by force; that would be the first step toward failure. And I don't recommend it to anyone else either: it will stop working as quickly as possible.
Among the first saboteurs was the head of sales. He said: "Just make me one mailbox, like it was!" I tried to explain the advantages of my approach, but he didn't understand me (despite having a technical education), so I said: "Let's agree: you'll have working mail, but you'll do what I say; if it stops working, I'll do what you say. Deal? My concern is that the mail reaches your eagles; what happens with it after that is your business." He waved his hand, and after a week all the questions went away by themselves. Moral: don't try to convince a "kettle" (a clueless user).
The next step was the fight against mail.ru-ism. Don't think I have something against mail.ru; I even have a mailbox there that I use, but that is personal mail. It is very stupid when a manager gives out an address like svetik_k0783@mail.ru (any coincidence is coincidental!) in business correspondence, and besides, that really is personal mail. Under the corporate standard I am obliged to be able to get at an employee's mail in an emergency (for example, he goes to hospital for a couple of months and his mailbox holds the correspondence needed to close a contract worth a couple of million rubles). Now about the fight itself: I have a transparent squid which, as is well known, does not transparently proxy HTTPS, and some employees have Google mail. I closed HTTPS through NAT and did not open the Google subnets, while their authentication is strictly HTTPS. Those who had Google mailboxes started making noise themselves; I explained that Google uses secure authentication, which doesn't work well through a proxy, and that I will open the proxy for you only on a letter signed by the director stating a good reason why you need Google mail when local mail works normally. And to those with mail.ru I said that mail.ru will also switch 100% to secure authentication, so if your business correspondence doesn't open one fine morning, you were warned. Objections like "But all my clients are on mail.ru" were very sluggish, because I repeated right away that I didn't close it to you, it works while it works, but when it falls off, you were warned long before the hour.
Sloppiness was fought with a cunning trick. What is sloppiness? The banal "I forgot to check my mail for a couple of days". Why should a storekeeper, say, watch his mail? More on that below. As in any enterprise, there is a file server on which, "over the years", space ran out. I cut all the "private" folders, leaving only the department folders, and made a large file storage, but warned: don't put confidential documents here, everyone has access. And I showed how to send files in Zimbra and taught them: you sent a file to Vasya, so call him and say, "Vasya, I sent you the file in Zimbra, check your mail!" Over time you will have to call less and less. People liked it, because the only alternative for private file transfer was a home-grown messenger the outsourcing company had implemented; it used a direct computer-to-computer connection, so you could transfer something only if the person was at his workplace. So I suggested: here you can send and not worry, it will arrive in any case.
As a result, after a month everything was running normally and people really began to use it. The global address book became a very weighty argument "for", Zimbra's simple and friendly interface was no less helpful, and for employees who travel on business it solved the whole problem outright.
And lastly ...
5. Well, where's the flash drive ...
Before the crisis there was a character who, even during my first stint, made me hack away at flash drives. His title was "information security specialist". And I liked that topic, because the number of viruses dropped by an order of magnitude and I have no particular desire to open them back up. And in Zimbra you can upload documents to the Briefcase. So I told everyone: flash drives? You won't get them. There is a Briefcase in Zimbra: you upload the document and work with it at home if you really need to. The question, as with mail.ru, went away by itself, and I come out ahead: I see what is happening in my domain and who is sharing what with whom. Of course, if a lot of files need to go back and forth, I meet my colleagues halfway, but believe me, that is not so frequent, and I also have a solution for Ubuntu for those purposes, but that is perhaps for next time.
In conclusion, I'd like to say that if you haven't introduced Zimbra yet and have a need for something like this, don't hesitate: go for it. Three months of normal operation, and it even survived one update. I didn't play with it on any virtual machines; everything worked right away in production, which suggests that if you have experience administering Linux and mail servers, it will all work out almost immediately. And even if it comes as a discovery to you that an SMTP server and an IMAP server are, as in the famous joke about the history of the CPSU, "two completely different people!", no big deal, you'll succeed!
Update 1: At the request of readers, and at the suggestion of habrauser mister_fog, I'm adding a couple of links on the topic. I think they won't be superfluous for those who, like some commenters, have "now decided to switch to Zimbra".
Materials tagged with Zimbra on ossportal.ru
Switch to open source software. Replace Exchange in 10 days
Update 2: Because of the abundance of comments on the zimbra.mynetwork.local vs zimbra.mydomain.ru topic, I'd ask you not to invent spherical horses in a vacuum in the form of claiming this is a problem for users. I state with full responsibility that there is no problem at all, and my users think the same, otherwise I would have known about it long ago. For the user it just means updating a bookmark in the browser. For me it is a problem only until I get around to fighting the DNS. When I do, I'll make zimbra.mydomain.ru resolve to the "gray" address when the person is inside the LAN. And to make the transition easier for those who go to the old address, I'll put up a web server with a single page carrying an automatic JS redirect that throws the user to the new address after 2 minutes; before that he'll read what needs updating. Moreover, I'll add a JS button on the same page for adding the new address to bookmarks.