gmane.mail.zimbra.hied.admin

license renewal deja vu

David N. Blank-Edelman — 2013-04-24T03:02:16

Hi-

I have this recollection that last year someone posted on this list that they were having trouble getting their license renewed. Guess I get to be that person this year. I've tried mailing our sales rep (who I haven't heard from since last year's renewal, perhaps telling in itself), sending in a query using the general sales contact form, and calling sales (rolled to voicemail, didn't leave a message).

Any tips for a good way to find the person at Zimbra/VMware who can take our money? Thanks!

     -- dNb

Zimbra 6 to 8 upgrade path.

Nathan — 2013-02-14T21:09:44

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Zimbra-hied-admins.

I'm in the process of trying to plan out a zimbra 6.0.10 to zimbra 8
upgrade. I realize that updating directly to 8 from 6 is not
supported, which is only half of my problem.

I have two hurdles to overcome, one being supported OS, the next being
the zimbra version.


I wanted to run an idea i've had regarding a possible upgrade path
past some other zimbra experts.

Here's the state we're currently in:

Zimbra 6.0.10 multi-server install, spanning 9 blades. All of which
are due for renewal.
Running on RHEL5.

Zimbra 8 does not list rhel5 as a supported OS.

Because we're planning on replacing our blades with the same upgrade,
I thought i might try to work an OS upgrade, migration to new
hardware, and a zimbra upgrade all into 1.

My plan follows:

Build new machines to host zimbra. On RHEL6. Virtualize as much as
possible. We'd like to move to a 100% virtualized zimbra environment.
Which is a point i'd like others to weigh in on as well. What sort of
success have others had virtualizing all components of Zimbra?

Install Zimbra 6.0.10 on the new systems, and join them to our
existing multi-server install. Retire our smtp and proxy blades at
this point, as the new virtualized proxy and smtp machines should be
taking over.

Migrate accounts from our three old store blades, to the new store
VM's using zimbra's built-in migration functions.

Retire the old store blades as the new virtual store servers are
handling all of the load.

All that's left to deal with at this point are the ldap servers. We
have two zimbra ldap blades, i'll need to replicate ldap, and then
promote one of the new virtual ldap servers to master i suppose. Then
retire the old ldap servers.

At this point, we should have a fully virtual zimbra 6.0.10
multi-server install, with all of our users on the new systems. At
this point, i'd step through the zimbra upgrade process. Upgrade
6.0.10 to 7.2.x, and then from 7.2.x to 8.x.

Does this sound like a sane upgrade path? Is there something simpler
i'm overlooking?

Thanks!
- -- 
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE (#110-011-426)
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlEdUpgACgkQsZqG4IN3sumMSwCfePMpr2BwaKu5nyoFV6jl9SHo
JQ8An07hOAJIgYV0y+5lqwNyZrP9ZXSf
=s6Hf
-----END PGP SIGNATURE-----

How does a university mail server stay on the good side of hotmail?

Richard Loken — 2013-02-08T16:53:49

Good morning all,

I am having relationship issues with Hotmail.

My esteemed employer uses Moodle to manage distance delivery of an ever
increasing number of courses and each additional course means Moodle sends
increasing volumes of mail to remote students.  In addition, we have had
incidents with spammers hijacking our servers and spamming the universe
until we find them and shut them down.

This increasing volume of mail combined with fallout from spam attacks
has led to our being blacklisted by Hotmail and subsequently having our
traffic throttled so that there could be thousands of messages queued up
to Hotmail with delayed delivery.  A conversation with Hotmail led to them
providing a list of email described as spam by their users and the list
included mostly mail from legitimate academic email addresses - they were
reporting academic traffic rather than the spam that started this problem.
I don't entirely disagree with the hotmail users, some of the mail sent out
could be better described as unsolicited advertising than course related
communication.

What measures can we take here that will reduce our problems with big
email providers like (and especially like) Hotmail?

Account abuse management

Stephen Opal — 2013-02-05T15:01:29

Hello all,

Our Zimbra infrastructure is deployed across twelve clusters of varying sizes hosting subscribers (we call them Members). Many of these clusters are dedicated to one Member. The rest are shared clusters hosting dozens of Members. Over the last three years, We have worked toward detecting and responding to account theft and service abuse within our ZCS subscription platform. I'd like to have a conversation regarding our solutions and those you may have employed.

Let me outline some of the tools we use and some I have developed.

- Cisco Ironport

All inbound e-mail traffic goes through our Ironport Cluster and is directed to the proper cluster for delivery. Some Members also have their MTA set to the Ironport which is reducing our Postfix log visibility for other tools.

- Preference Change Management (custom)

We monitor every mailbox.log for 'Create' and 'Modify' requests. When a save is performed in an account, the process examines the IP of origin and the identities and signatures for that account. These values are compared to a set of regular expressions which match historical abuse values. If a match is found, the account is immediately locked and an email notification is sent to our team and to the Member's tech team.

This service has provided high confidence account securing services, sometimes before any SPAM can be sent out. Obviously, it can not be perfect since mail can be sent before any preference changes are made. However, by carefully managing our black-list there is high confidence when it acts. We have had less than ten false positives over our entire service during its two and a half year period of service.

- Outbound Sender Volume Monitoring (custom)

Tracking the Postfix maillog files on our hosts, we are able to observe pulses of mail. When a hosted account sends mail, a record of the event retained. By counting the number of postings within a window of time, we can get a total volume and a count of distinct destination addresses. When thresholds are reached, notifications with account attribute dumps are sent out to our team for further investigation. Since this is very nebulous, human interpretation and investigation is usually needed.

- SASL Authentication Tracking (custom)

Some of our MTA hosts are configured to allow SASL auth to Postfix. We track these authentications and associate the session mail postings by IP and destinations. With this, we can monitor pulses of volume and sources. Currently we automatically secure accounts posting with 30 auths and over 500 messages within 10 minutes. An account is locked if it has authenticated from three or more countries outside the US/CAN within 20 minutes. Since the data is stored in MySQL, we can generate activity reports with account attributed volume and IP sources for visual inspection to find activity under these thresholds that require a human response.

- Discussion

What we have found is while moving the MTA service off from the Zimbra MTA hosts, we are losing our visibility into the SASL authentication tracking. SASL auth can be found in zimbra.log, but we no longer can determine the senders mail volume when the From header field is spoofed. I would prefer not to lose this visibility, but I have no control over this move, so I am looking for strategic options and am willing to accept a mind-set change.

How do you manage breached account detection and response? Have you found commercial or open-sourced products that help capture and respond to abuse?

--
Stephen Opal <sno-8f4Pc2RrbJmHXe+LvDLADg< at >public.gmane.org>
Systems Programmer/Analyst, Merit Network, Inc.
734-527-5763

Spam

Partridge, Richard — 2012-11-08T18:10:17

Hi,

Recent events have led us to explore zimbra's capabilities to rate limit the number of emails that users can send over a period of time.  Looks like policyD is the way to go.

Have you implemented rate limiting in zimbra?  If so, how has your experience been?

Rich

HSM dry run or message age script?

David N. Blank-Edelman — 2012-10-31T00:29:22

Hi-
  We are at a point where we are considering turning on HSM on our poor server to take some space pressure of it until we upgrade to a larger storage setup. I've poked around in the docs a bit and haven't found an indication that there might be a dry-run mode that could tell us just how much data will be sloughed off to secondary storage when it runs for real. Am I just missing it?

If not, does anyone have a script that can take a value you would use for zimbraHsmAge and offer up an approximation of just much data would be moved?

Thanks!
        -- dNb

Zimbra 8.0 LDAP highlights

Quanah Gibson-Mount — 2012-09-05T18:42:48

Hi folks,

I wanted to note some highlights of changes in Zimbra 8.0 in relation to 
LDAP, prompted in part by the recent discussion on this list about ldap 
performance, as some of the solutions to issues in 7.x do not apply to 8.x 
installations.

The first major change for 8.x to cover is that the java interface for 
connecting to LDAP has been replaced.  In 7.x and previous we use JNDI.  In 
8.x, we have switched to using the UnboundID SDK.  One of the significant 
differences between JNDI and the UnboundID SDK is that connection pools 
with startTLS are supported.  This means that making the following changes 
to localconfig are no longer necessary to improve performance:

ldap_common_require_tls = 0
ldap_starttls_required = false
zimbra_require_interprocess_security = 0

Another significant difference between JNDI and the UnboundID SDK is that 
the UnboundID SDK can actually count to 30 seconds, whereas JNDI would 
randomly consider the span of time from 0 seconds to 1 second to be 30 full 
seconds, causing read timeouts when configured to use a 30 second timeout. 
This timer is controlled by the ldap_read_timeout localconfig key.  It can 
now be used reliably with the UnboundID SDK.


There have also been some major changes to the LDAP server.  The old 
Berkeley DB database backend has been replaced in 8.x with the new MDB 
database backend.  MDB is a new database written by Howard Chu, who is also 
the primary OpenLDAP developer.  You can read more about MDB here if you 
are curious: <http://highlandsun.com/hyc/mdb/>

The main implication of changing to MDB is that database configuration is 
substantially less complex than with BDB.  You can compare the tuning wikis 
here:

<https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning> (7.x and 
previous tuning wiki)
<https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_8.0> (8.x and 
later tuning wiki)

Also a quick comparison of the full tuning key wikis:

<https://wiki.zimbra.com/wiki/OpenLDAP_Tuning_Keys> (7.x and previous 
tuning keys)
<https://wiki.zimbra.com/wiki/OpenLDAP_Tuning_Keys_8.0> (8.x and later 
tuning keys)


Finally, what is likely the largest change for LDAP in ZCS 8.x, is the 
added support for multi-master replication.  If this feature interests you, 
you can check out the wiki on configuring it at 
<https://wiki.zimbra.com/wiki/LDAP_Multi_Master_Replication>

Regards,
Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration

multiple Mail.app instances fighting

David Blank-Edelman — 2012-08-28T20:15:03

Hi-
  Just curious if other people have seen this behavior: we've noticed with a few users that leave their work and home machines on that their two OSX Mail.app instances "fight" over zimbra. This manifests as the two instances basically doing repeated IMAP authentications to our server again and again (so e.g. we had one user whose lines in auth.log were 87% of that logs contents).  Apparently you can see in the activity window tons of "Checking capabilities" when this happens. 

We're running a bit of an ancient version of Zimbra here (hope to upgrade after we get past the beginning of the year maelstrom), so perhaps this isn't as much of a problem with later versions. It is mostly a nuisance (the users can work fine) that fills logs, but beyond that not a real problem.

Is this just us, or have you seen it too and found a way to deal with it?

      -- dNb

migrating from Exchange

Karen Mitchell — 2012-08-22T17:27:31

Hello fellow Zimbra admins. We at PSU are centralizing some of our mail servers to a Zimbra instance from various other mail servers. We have had good success with imapsync for IMAP mail, but have been having trouble with the Exchange migration tool provided by Zimbra. Does anyone have any suggestions or advice for large scale migration of calendar and mail data from Exchange to Zimbra? Thank you in advance.

Zimbra child account support with ZCS 8

Vijay Kumar — 2012-05-17T12:44:29

Hello All,

Greetings !!

We are working with Zimbra Technical Support on zimbra_inbox zero zimlet 
issue with accounts that have child accounts, As per Technical Support, 
child accounts have been deprecated and will be removed in ZCS 8.

Has any one else heard about this news ? We are one of the heavy users 
for this feature investigating replacement option. One of the suggestion 
from Zimbra is to use Shared folders rather than child accounts, This 
option is not practically feasible at our environment due to the number 
of folders each child account has.

Your comments & feedback are appreciated.

Thanks

Best Regards,

Esnatech?

Amos — 2011-11-09T20:21:43

I happened to stumble upon Esnatech, and was just wondering if anybody
here had heard of them, and have explored whether their local PBX
could be tied into Zimbra.  http://www.esnatech.com/landing/zimbra.htm

As it happens, our Exchange team is in the midst of setting up Lync,
and once that's integrated with our Nortel and Avaya phones, I'd
expect that the few staff on our Zimbra instance will be forced to
migrate to Exchange.

In fact, I fear our little Zimbra experiment may not have much of a
future.  Rumor as it that system will negotiate Exchange Labs accounts
for all students, and that was the biggest reason why we got Zimbra.
At least if we were to do that I would hope they would go with Google
Apps because most of our students are using gmail, but I doubt that
will be a consideration when this big contract is signed.

Zimbra and CAS - Issuing multiple tickets and browser gets an error

Matt Mencel — 2011-10-26T14:33:57

I asked this on the cas-users mailing list but thought I'd ask it here as well as it may be a Zimbra only issue.  For those of you using CAS, have you ever seen this behavior?  We use Zimbra Proxy in case that matters.  We just turned CAS on in our production Zimbra environment in the last week, so this is pretty new to us.


A user attempts to browse to the Zimbra web UI, logs in through CAS, and gets an error in their browser saying "too many redirects".  In the CAS logs (Catalina.out) we see that CAS at times is issuing multiple service tickets...and it seems to coincide with the user receiving the "too many redirects" error.  Below is an example, and in this case there were at least 8 tickets issued...just showing a few here.

2011-10-25 20:39:09,427 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: BLAH]>
2011-10-25 20:39:09,474 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-273941-JcWRA6oSq0m1QthmSTIA-cas] for service [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>
2011-10-25 20:39:11,183 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-273942-dDZQvmp9GjBV1cW9fJmB-cas] for service [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>
2011-10-25 20:39:12,732 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-273943-jQ4lWCvFwz1toe7V1bII-cas] for service [https://zimbra.wiu.edu/zimbra/public/preauth.jsp] for user [JA-BLAH]>


Anyone seen this before or know what may be causing it?

Thanks,
Matt

CAS'ifying Zimbra

Steve Elliott — 2011-10-10T19:53:11

Hi, 

We can get CAS to work just fine on our Zimbra test system. Our issue is we have a fair amount of accounts on our system/domain that only respond to a local password as they are not attached to a person. 

We have a person trying to come up with creative ways to allow one of these accounts owners to bypass the CAS aspect and get to the normal Zimbra login screen. 

Wanted to see if anyone out there might have dealt with this issue before and their solution. 

Thanks, 
Steve

Non Zimbra question and I hope that is ok if this type of thing is not abused.

Steve Elliott — 2011-08-22T14:46:30

Situation: We have staff/faculty on our campus that don't realize that you give out your email login data, including password to phishing emails. So we get compromised accounts. 
We are in the works of putting an external MTA (barracuda system) that our Zimbra email will be filtered through if it leaves campus. Of course this may hit some good emails with the bad ones. Though I routinely check to see if we have a rogue account they usually have 2-4 hours of uninterrupted time, especially during the night hours where they can spam their hearts out. 

Question: What solutions do you use to help in those situations?

Messaging Systems Administrator Opening - Purdue University

Brian F Berndt — 2011-08-17T20:07:56

In case you know anyone looking for work in Indiana or if someone
on this list is looking for a position at Purdue University, I
wanted to share this with the group.

Thanks,
Brian

---------------
Brian Berndt
Messaging Systems Administrator
ITaP / ITSO / Mailhub


================================================
Messaging Systems Administrator - West Lafayette
- IT Systems and Operations-1101128
================================================

Job Description
The successful candidate will design and administer the messaging
infrastructure environment including hardware and software infrastructure
components. Install and configure operating systems, monitor systems
activities & applications and fine tune system parameters and configuration
to optimize performance and ensure security of systems, create and maintain
user accounts, install and configure applications, identify and apply
appropriate software upgrades and patches. Develop and maintain operating
procedures which support the messaging infrastructure ?environment and
effective use of resources.

Qualifications
Required:
*   Bachelor's degree in Computer Science, Information Systems or other
    related field.
*   Two years of IT experience including systems administrator experience  
    in either a UNIX/Linux based system and/or a Windows based system in  
    a LAN networked/distributed computing environment.
*   Consideration will be given to an equivalent combination of related  
    education and required work experience.‎
*   Experience with large-scale TCP/IP protocol-based applications.
*   Experience with SMTP, DNS as well as Windows and/or LINUX based  
    enterprise messaging systems.
*   Extensive knowledge of computer operations.
*   Strong written and verbal communication and customer service skills.
*   Ability to learn and use programming languages.
*   Ability to be self-motivated and work without supervision on daily  
    tasks and projects.
*   Ability to work productively as part of a team to complete larger  
    projects.

Preferred:
*   Three or more years of IT experience.
*   Knowledge of C, shell scripting, Perl, and other programming languages;
    knowledge of Exchange Server, Windows Server and RedHat Linux.
*   Experience with handheld email support.

Additional Information:
*   A Background Check will be required for employment in this position.
*   FLSA: Exempt (Not Eligible For Overtime)
*   Retirement Eligibility: Fidelity Contribution Waiting Period.
*   Purdue University is an equal opportunity/equal access/affirmative  
    action employer.


Apply online to this position.
[http://purdue.taleo.net/careersection/wl/jobdetail.ftl?lang=en&job=126823]

Thank you.

**Disclaimer: Taleo shall not be liable for the content or any errors or omissions in the information provided in the section "A friend sent you a message". Conclusions drawn from such information are the responsibility of the user.

7.1.2

Hurstel Howard — 2011-08-16T15:56:34

Hello, 

I was just wondering if anyone out there has went to 7.1.2 yet. We are still on 6.0x and not completely sure about jump to 7.1.x yet. 

Hurstel 




Hurstel Howard 
Senior Systems Administrator 
Aurora University 
630-844-4889 
hhoward-XavatJqqCCo3uPMLIKxrzw< at >public.gmane.org

Balancing accounts between servers

Doug Curtis — 2011-05-05T13:33:13

We are working on balancing our accounts between our eight mailstores. We have primary and HSM storage on the machines. I am working on a script that would determine the sizes of each store on each server and then move accounts based on their sizes to each of the stores. 

While working on the script, I was thinking that maybe someone else has already written a script to do this. Does anyone have such a script that they'd be willing to share? 

Thanks, 

Doug