Zimbra Collaboration Suite secure upgrade
It so happened that system administrators are always suspicious of everything new. Literally, everything from new server platforms to software updates is perceived with caution, exactly until the first practical experience of using and positive feedback from colleagues from other enterprises appears. It is understandable, because when you literally head for the operation of the enterprise and the preservation of important information, with time you cease to trust even yourself, not to mention the contractors, subordinates or ordinary users.
Distrust of software updates is due to the mass of unpleasant cases when installing fresh patches led to a drop in performance, changes in the user interface, failure of the information system or, which is especially unpleasant, loss of data. However, it is impossible to completely abandon the updates, in this case, the infrastructure of your enterprise may be subject to attack by cybercriminals. Suffice it to recall the sensational case of the WannaCry virus, when data stored on millions of computers that were not updated to the latest version of Windows, turned out to be encrypted. This incident not only cost the workplace not one hundred system administrators, but also clearly showed the need to develop a new software update policy for the enterprise, which would allow to combine the security and speed of their installation. Let us look at how to upgrade the Zimbra Collabration Suite Open-Source Edition on the eve of the release of the Zimbra 8.8.15 LTS release in order to ensure the safety of all critical data.
')
One of the main features of the Zimbra Collaboration Suite is that almost all of its links can be duplicated. In particular, in addition to the main LDAP-Master server, you can add duplicate LDAP replica, to which, if necessary, you can transfer the functions of the main LDAP server. You can also duplicate proxy servers and servers with MTA. This duplication allows, if necessary, to remove individual parts of the infrastructure from the infrastructure at the time of the update and, due to this, reliably protect themselves not only from prolonged downtime, but also from data loss in case of an unsuccessful update.
Unlike other parts of the infrastructure, duplication of mail storages in the Zimbra Collaboration Suite is not supported. Even if there are several mail storages in your infrastructure, each mailbox data can reside on any one mail server. That is why one of the main rules of data integrity during updating is timely backup of information on mail storages. The fresher your backup, the more data will be saved in the event of a contingency. However, there is a caveat here, which is that the free edition of the Zimbra Collaboration Suite does not have a built-in backup mechanism and you have to use the built-in GNU / Linux tools to create backups. However, if Zimbra has several mail storages in your infrastructure, and the mail archive size is large enough, then each such backup can last for a very long time, and also create a serious load on the local network and on the servers themselves. In addition, during prolonged copying, the risks of various force majeure rise sharply. Also, if you perform such a backup without stopping the service, there is a risk that a number of files may be copied incorrectly, which will lead to the loss of some data.
That is why in the event that you need to back up large amounts of information from mail storages, it is better to use incremental backups, which allows you to avoid a complete copy of all information, and back up only those files that appeared or changed after removing the previous full backup. This significantly speeds up the process of removing backups, and also allows you to quickly start installing updates. Incremental backups in Zimbra Open-Source Edition can be achieved using the Zextras Backup modular extension included in the Zextras Suite.
Another powerful tool, Zextras PowerStore, allows a system administrator to deduplicate data on mail storage. This means that all the same attachments and duplicate emails on the mail server will be replaced with one source file, and all repetitions will turn into transparent symbolic links. Due to this, it is possible to achieve not only a significant saving of hard disk space, but also a significant reduction in the size of the backup, which allows you to reduce the time of a full backup and, consequently, carry it out more often.
But the main feature that Zextras PowerStore can provide for a secure upgrade is the transfer of mailboxes between mail servers in Zimbra multiserver infrastructures. Thanks to this feature, the system administrator is able to do exactly the same thing with mail storages that we did with MTA and LDAP servers for their safe update. For example, if there are four mail storages in the Zimbra infrastructure, you can try to distribute mailboxes from one of them to the other three, and when the first mail store is empty, you can update it without any concerns for data integrity. If the system administrator in the infrastructure has spare mail storage, he can use it as a temporary storage for mailboxes transferred from the updated mail storage.
DoMoveMailbox allows the console to do this transfer. In order to use it in order to transfer all accounts from the mail storage, you must first obtain their full list. In order to achieve this, we will execute the command zmprov sa zimbraMailHost = mailbox.example.com> accounts.txt on the mail server. After its execution, we will get the accounts.txt file with a list of all mailboxes on our mail storage. After that, you can immediately use it to transfer accounts to another mail storage. It will look, for example, like this:
The command is executed two times in order to copy all data for the first time without transferring the account itself, and a second time, because data is transferred incrementally, copy all data that appeared after the first transfer, and then transfer the accounts themselves. We draw your attention to the fact that account transfer is accompanied by a small period of inaccessibility of the mailbox, and it will be reasonable to notify users about this. In addition, after the end of the execution of the second command, the corresponding notification is sent to the mail administrator. Thanks to him, the administrator can quickly begin to update the mail storage.
If the software update on the mail storage is done by the SaaS provider, it will be much more sensible to transfer data not by accounts, but by the domains that are located on it. For these purposes, it is enough to modify the input command a little:
After the transfer of accounts and their data from the mail storage is done, the data on the source server no longer represent any significance and you can start updating the mail server without any concerns for their safety.
For those who seek to minimize downtime when transferring mailboxes, a completely different scenario using the zxsuite powerstore doMailboxMove command is ideal , the essence of which is that mailboxes are transferred immediately to updated servers without the need for intermediate servers. In other words, we add a new mail storage to the Zimbra infrastructure, which has already been updated to the latest version, and then we simply transfer accounts from an un-upgraded server to the already familiar scenario and repeat the procedure until all the servers in the infrastructure have been updated.
This method allows you to transfer accounts once and thereby reduce the time during which mailboxes will remain inaccessible. In addition, for its implementation will require only one additional mail server. However, its use should be wary of those administrators who deploy mail storages on different configuration servers. The fact is that the transfer of a large number of accounts to a weaker server can adversely affect the availability and responsiveness of the service, which can be quite critical for large enterprises and SaaS providers.
Thus, thanks to Zextras Backup and Zextras PowerStore, the Zimbra system administrator is able to update all the Zimbra infrastructure nodes without any risk to the information stored on them.
Distrust of software updates is due to the mass of unpleasant cases when installing fresh patches led to a drop in performance, changes in the user interface, failure of the information system or, which is especially unpleasant, loss of data. However, it is impossible to completely abandon the updates, in this case, the infrastructure of your enterprise may be subject to attack by cybercriminals. Suffice it to recall the sensational case of the WannaCry virus, when data stored on millions of computers that were not updated to the latest version of Windows, turned out to be encrypted. This incident not only cost the workplace not one hundred system administrators, but also clearly showed the need to develop a new software update policy for the enterprise, which would allow to combine the security and speed of their installation. Let us look at how to upgrade the Zimbra Collabration Suite Open-Source Edition on the eve of the release of the Zimbra 8.8.15 LTS release in order to ensure the safety of all critical data.
')
One of the main features of the Zimbra Collaboration Suite is that almost all of its links can be duplicated. In particular, in addition to the main LDAP-Master server, you can add duplicate LDAP replica, to which, if necessary, you can transfer the functions of the main LDAP server. You can also duplicate proxy servers and servers with MTA. This duplication allows, if necessary, to remove individual parts of the infrastructure from the infrastructure at the time of the update and, due to this, reliably protect themselves not only from prolonged downtime, but also from data loss in case of an unsuccessful update.
Unlike other parts of the infrastructure, duplication of mail storages in the Zimbra Collaboration Suite is not supported. Even if there are several mail storages in your infrastructure, each mailbox data can reside on any one mail server. That is why one of the main rules of data integrity during updating is timely backup of information on mail storages. The fresher your backup, the more data will be saved in the event of a contingency. However, there is a caveat here, which is that the free edition of the Zimbra Collaboration Suite does not have a built-in backup mechanism and you have to use the built-in GNU / Linux tools to create backups. However, if Zimbra has several mail storages in your infrastructure, and the mail archive size is large enough, then each such backup can last for a very long time, and also create a serious load on the local network and on the servers themselves. In addition, during prolonged copying, the risks of various force majeure rise sharply. Also, if you perform such a backup without stopping the service, there is a risk that a number of files may be copied incorrectly, which will lead to the loss of some data.
That is why in the event that you need to back up large amounts of information from mail storages, it is better to use incremental backups, which allows you to avoid a complete copy of all information, and back up only those files that appeared or changed after removing the previous full backup. This significantly speeds up the process of removing backups, and also allows you to quickly start installing updates. Incremental backups in Zimbra Open-Source Edition can be achieved using the Zextras Backup modular extension included in the Zextras Suite.
Another powerful tool, Zextras PowerStore, allows a system administrator to deduplicate data on mail storage. This means that all the same attachments and duplicate emails on the mail server will be replaced with one source file, and all repetitions will turn into transparent symbolic links. Due to this, it is possible to achieve not only a significant saving of hard disk space, but also a significant reduction in the size of the backup, which allows you to reduce the time of a full backup and, consequently, carry it out more often.
But the main feature that Zextras PowerStore can provide for a secure upgrade is the transfer of mailboxes between mail servers in Zimbra multiserver infrastructures. Thanks to this feature, the system administrator is able to do exactly the same thing with mail storages that we did with MTA and LDAP servers for their safe update. For example, if there are four mail storages in the Zimbra infrastructure, you can try to distribute mailboxes from one of them to the other three, and when the first mail store is empty, you can update it without any concerns for data integrity. If the system administrator in the infrastructure has spare mail storage, he can use it as a temporary storage for mailboxes transferred from the updated mail storage.
DoMoveMailbox allows the console to do this transfer. In order to use it in order to transfer all accounts from the mail storage, you must first obtain their full list. In order to achieve this, we will execute the command zmprov sa zimbraMailHost = mailbox.example.com> accounts.txt on the mail server. After its execution, we will get the accounts.txt file with a list of all mailboxes on our mail storage. After that, you can immediately use it to transfer accounts to another mail storage. It will look, for example, like this:
zxsuite powerstore doMailboxMove reserve_mailbox.example.com input_file accounts.txt stages data
zxsuite powerstore doMailboxMove reserve_mailbox.example.com input_file account.txt data, account notifications admin@example.com
The command is executed two times in order to copy all data for the first time without transferring the account itself, and a second time, because data is transferred incrementally, copy all data that appeared after the first transfer, and then transfer the accounts themselves. We draw your attention to the fact that account transfer is accompanied by a small period of inaccessibility of the mailbox, and it will be reasonable to notify users about this. In addition, after the end of the execution of the second command, the corresponding notification is sent to the mail administrator. Thanks to him, the administrator can quickly begin to update the mail storage.
If the software update on the mail storage is done by the SaaS provider, it will be much more sensible to transfer data not by accounts, but by the domains that are located on it. For these purposes, it is enough to modify the input command a little:
zxsuite powerstore doMailboxMove reserve_mailbox.saas.com domains client1.ru, client2.ru, client3.ru stages data
zxsuite powerstore doMailboxMove secureserver.saas.com domains client1.ru, client2.ru, client3.ru stages data, account notifications admin@saas.com
After the transfer of accounts and their data from the mail storage is done, the data on the source server no longer represent any significance and you can start updating the mail server without any concerns for their safety.
For those who seek to minimize downtime when transferring mailboxes, a completely different scenario using the zxsuite powerstore doMailboxMove command is ideal , the essence of which is that mailboxes are transferred immediately to updated servers without the need for intermediate servers. In other words, we add a new mail storage to the Zimbra infrastructure, which has already been updated to the latest version, and then we simply transfer accounts from an un-upgraded server to the already familiar scenario and repeat the procedure until all the servers in the infrastructure have been updated.
This method allows you to transfer accounts once and thereby reduce the time during which mailboxes will remain inaccessible. In addition, for its implementation will require only one additional mail server. However, its use should be wary of those administrators who deploy mail storages on different configuration servers. The fact is that the transfer of a large number of accounts to a weaker server can adversely affect the availability and responsiveness of the service, which can be quite critical for large enterprises and SaaS providers.
Thus, thanks to Zextras Backup and Zextras PowerStore, the Zimbra system administrator is able to update all the Zimbra infrastructure nodes without any risk to the information stored on them.
Source: https://habr.com/ru/post/460089/
All Articles