zimbra – outlook certificate error

http://www.zimbra.com/forums/administrators/26641-outlook-users-getting-certificate-warning.html

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2044455

I have tested this with open source Zimbra 8.0.2 on CentOS 6.4, using Windows XP with Outlook Express and Windows 7 with Outlook 2007 as clients.

zimbra server hostname = desktop51.bipinpatel.com
zimbra server ip = 192.168.0.51

On the Zimbra server, run this command as root to convert the Zimbra CA certificate to DER form:

openssl x509 -in /opt/zimbra/ssl/zimbra/ca/ca.pem -outform DER -out ca.der

Now install this ca.der certificate in Windows.

On the Outlook system, double-click the ca.der file.
Click Install Certificate.
Click Next in the Welcome screen.
In the Certificate Store screen, click Place all certificates in the following store and click Browse.
Click Trusted Root Certificate Authorities and click OK.
Click Next, then Finish.
If a pop-up appears, click Yes and wait for the "The import was successful" message.

Now, on the Windows side, the Zimbra server hostname must resolve.

If you use the IP address as the incoming/outgoing server in Outlook it will not work; you must use the Zimbra server hostname, because that is the name the server certificate was issued for.

If the Zimbra hostname does not resolve in Windows, add the Zimbra server hostname to the Windows hosts file:

c:\windows\system32\drivers\etc\hosts

192.168.0.51    desktop51.bipinpatel.com    desktop51
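To see why connecting by IP keeps producing the warning even after the CA is trusted, here is an added shell example (not from the post) that builds a throwaway CA and a server certificate for the post's hostname, converts the CA to DER with the same openssl command as above, and then verifies the server certificate against the CA once with the hostname and once with the IP address. The CA name, key sizes and temporary paths are constructed for the demo; `-verify_hostname` is a standard `openssl verify` option.

```shell
#!/bin/sh
# Constructed demo: trust chain verifies, but only when the name presented
# matches the certificate's subjectAltName. Nothing here is Zimbra's own code.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="desktop51.bipinpatel.com"   # hostname used in the post
IP="192.168.0.51"                 # IP used in the post

make_certs() {
  # Throwaway CA (self-signed), standing in for /opt/zimbra/ssl/zimbra/ca/ca.pem
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Zimbra CA" -days 365 >/dev/null 2>&1
  # Server key + CSR, then a CA-signed cert carrying DNS:$HOST as its SAN
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$HOST" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.pem" -days 365 -extfile "$WORK/san.ext" >/dev/null 2>&1
  # DER conversion exactly as the post does it for import into Windows
  openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.der"
}

# der_subject -> subject line read back from the DER file (proves the conversion is lossless)
der_subject() {
  openssl x509 -inform DER -in "$WORK/ca.der" -noout -subject
}

# verify_as NAME -> "ok" if server.pem chains to the CA *and* NAME matches its SAN, else "fail"
verify_as() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_certs
der_subject
echo "by hostname: $(verify_as "$HOST")"   # ok
echo "by IP:       $(verify_as "$IP")"     # fail: DNS:desktop51... never matches 192.168.0.51
```

The second check fails for the same reason Outlook warns when configured with the IP: the trust chain is fine, but name matching is part of certificate validation, so the client must connect using the name in the certificate (which is why the hosts-file entry above is needed when DNS does not resolve it).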

Posted in Uncategorized

add domain or mail id to blacklist in zimbra

su - zimbra

vim /opt/zimbra/conf/amavisd.conf.in

Go to approximately line 279, press i, and add the domain or mail address to the blacklist with a score of 70:

    # soft-blacklisting (positive score)
    'sender@example.net'                     =>  3.0,
    '.example.net'                           =>  1.0,
    'abc@xyz.com'                            => 70.0,

   },
  ],  # end of site-wide tables
});

In the example above, abc@xyz.com was the address tested for blacklisting.

Press the ESC key, then type :wq! and press Enter.

Restart amavisd so the new score takes effect:

zmamavisdctl stop && zmamavisdctl start

postfix-recipient-restriction in zimbra

http://wiki.zimbra.com/wiki/RestrictPostfixRecipients

Here xyz.com is my domain.

[root@desktop51 ~]# su - zimbra
[zimbra@desktop51 ~]$ cd postfix/conf/

[zimbra@desktop51 conf]$ cat r_sender_list
xyz.com    OK

[zimbra@desktop51 conf]$ cat r_recipient_list
guest@xyz.com    recipient_list

[zimbra@desktop51 conf]$ postmap r_sender_list
[zimbra@desktop51 conf]$ postmap r_recipient_list

[zimbra@desktop51 conf]$ postconf -e "smtpd_restriction_classes=sender_list,recipient_list"

[zimbra@desktop51 conf]$ postconf -e "recipient_list=check_sender_access hash:/opt/zimbra/postfix/conf/r_sender_list, reject"

[zimbra@desktop51 conf]$ cat /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
check_recipient_access hash:/opt/zimbra/postfix/conf/r_recipient_list

[zimbra@desktop51 conf]$ postfix reload


postfix-sender-restriction

http://wiki.zimbra.com/wiki/Ajcody-MTA-Postfix-Topics#For_ESMTP_Auth_is_LOGIN_-_Example

http://wiki.zimbra.com/wiki/Restrict_sending_to_certain_domains

Here xyz.com is my domain.

[root@desktop51 ~]# su - zimbra

[zimbra@desktop51 ~]$ cd postfix/conf/

[zimbra@desktop51 conf]$ cat s_sender_list
guest@xyz.com    sender_list

[zimbra@desktop51 conf]$ postmap  s_sender_list

[zimbra@desktop51 conf]$ cat s_recipient_list
xyz.com    OK

[zimbra@desktop51 conf]$ postmap  s_recipient_list

[zimbra@desktop51 conf]$ postconf  -d | grep smtpd_restriction_classes
smtpd_restriction_classes =

[zimbra@desktop51 conf]$ postconf -e "smtpd_restriction_classes=sender_list"

[zimbra@desktop51 conf]$ postconf -e "sender_list = check_recipient_access hash:/opt/zimbra/postfix/conf/s_recipient_list, reject"

Add this line to the file:
[zimbra@desktop51 conf]$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
check_sender_access hash:/opt/zimbra/postfix/conf/s_sender_list

postfix reload
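Both posts above (the recipient restriction and the sender restriction) use the same Postfix mechanism: an access lookup on one address triggers a restriction class, and inside that class a second lookup on the other address decides between OK and the trailing reject. Here is an added shell script, not Postfix code and not from the posts, that emulates that two-stage decision over the four map files exactly as the posts list them, so the effect of each configuration can be checked on sample sender/recipient pairs before touching a live MTA. The emulation looks up the full address first and then its domain, which is the part of the access(5) lookup order that matters for these maps; the sample addresses are constructed.

```shell
#!/bin/sh
# Constructed emulation of the two restriction-class setups; not Postfix itself.
set -e
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# Map contents copied from the two posts (key<TAB>value, as postmap reads them)
printf 'xyz.com\tOK\n'                    > "$D/r_sender_list"     # recipient-restriction post
printf 'guest@xyz.com\trecipient_list\n'  > "$D/r_recipient_list"
printf 'guest@xyz.com\tsender_list\n'     > "$D/s_sender_list"     # sender-restriction post
printf 'xyz.com\tOK\n'                    > "$D/s_recipient_list"

# lookup MAP ADDRESS -> value for the full address, else for its domain, else nothing
lookup() {
  map=$1; addr=$2; dom=${addr#*@}
  awk -v a="$addr" -v d="$dom" '$1==a {print $2; exit} $1==d {print $2; exit}' "$map"
}

# decide TRIGGER_MAP TRIGGER_ADDR ACCESS_MAP ACCESS_ADDR
#   Emulates "check_X_access hash:TRIGGER_MAP" whose value names a class defined as
#   "check_Y_access hash:ACCESS_MAP, reject". Prints OK, REJECT, or DUNNO (address not
#   in the trigger map: Postfix would go on to the remaining restrictions).
decide() {
  case "$(lookup "$1" "$2")" in
    recipient_list|sender_list)
      if [ "$(lookup "$3" "$4")" = OK ]; then echo OK; else echo REJECT; fi ;;
    *) echo DUNNO ;;
  esac
}

# recipient_rule SENDER RECIPIENT: only xyz.com senders may write to guest@xyz.com
recipient_rule() { decide "$D/r_recipient_list" "$2" "$D/r_sender_list" "$1"; }
# sender_rule SENDER RECIPIENT: guest@xyz.com may only write to xyz.com recipients
sender_rule()    { decide "$D/s_sender_list" "$1" "$D/s_recipient_list" "$2"; }

echo "recipient rule, alice@xyz.com -> guest@xyz.com:    $(recipient_rule alice@xyz.com guest@xyz.com)"     # OK
echo "recipient rule, bob@outside.org -> guest@xyz.com:  $(recipient_rule bob@outside.org guest@xyz.com)"   # REJECT
echo "recipient rule, bob@outside.org -> other@xyz.com:  $(recipient_rule bob@outside.org other@xyz.com)"   # DUNNO
echo "sender rule, guest@xyz.com -> carol@xyz.com:       $(sender_rule guest@xyz.com carol@xyz.com)"        # OK
echo "sender rule, guest@xyz.com -> dave@gmail.com:      $(sender_rule guest@xyz.com dave@gmail.com)"       # REJECT
echo "sender rule, alice@xyz.com -> dave@gmail.com:      $(sender_rule alice@xyz.com dave@gmail.com)"       # DUNNO
```

On the real server the equivalent single-lookup check is `postmap -q "guest@xyz.com" hash:/opt/zimbra/postfix/conf/r_recipient_list`, which prints the map value (or nothing) and is the quickest way to confirm that postmap picked up an edited list; note that DUNNO here only means the class was not triggered, so whether such mail is accepted depends on the rest of Zimbra's smtpd restrictions.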

Nsupdate for DDNS update record

DDNS update with Nsupdate utility

Adding records

> update add www1.example.com 86400 a 172.16.1.1
> update add www.example.com 600 cname www1.example.com.
> send

> update add 1.1.16.172.in-addr.arpa 86400 ptr www1.example.com.
> send

Multiple updates

> update delete www.example.com cname
> update delete www1.example.com a
> update delete www2.example.com a
> update delete www3.example.com a
> send

Deleting a record

> update delete www.example.com cname
> send

With TSIG key

nsupdate -v -k /etc/bind/admin-updater.key

The first option, "-v", tells nsupdate to talk to the DNS server over TCP instead of UDP.

The second option, "-k", specifies the file containing the TSIG key used to sign the update.

Example

# nsupdate
> server ns.mydns.com
> update delete oldhost.example.com. A
> update add newhost.example.com. 86400 A 192.168.254.117
> send
> quit

Example 2

# nsupdate -k /path/to/file-is-rndc.key
> server server1.example.com
> zone my.example.com
> update add host1.my.example.com. 3600 A 10.20.30.40
> zone 30.20.10.in-addr.arpa.
> update add 40.30.20.10.in-addr.arpa. 7200 PTR host1.my.example.com.
> send
> quit

http://dag.wieers.com/howto/bits/bind-ddns.php

http://grayingmatter.consorti.com/2009/03/nsupdate-by-key-from-rhel.html

http://honglus.blogspot.in/2012/02/nsupdatethe-command-line-tool-to-manage.html

nsupdate, the command line tool to manage BIND DNS records
nsupdate submits Dynamic DNS Update requests, as defined in RFC 2136, to a name server; it is provided by the "bind-utils" package.
Authentication for DNS updates
Transaction signatures (TSIG) can be used to authenticate Dynamic DNS updates. The only supported algorithm for TSIG is HMAC-MD5.
The TSIG public key is stored in a KEY record in a zone served by the name server; the TSIG private key is used by nsupdate to authenticate itself.

$mkdir  /var/named/keys; cd /var/named/keys

$dnssec-keygen -a HMAC-MD5 -b 256 -n USER  server1-ddns-key

Kserver1-ddns-key.+157+00575.key

Kserver1-ddns-key.+157+00575.private

# Since HMAC-MD5 is a symmetric (shared-secret) MAC algorithm, the "key string" in the private key file and the public key file are identical, so the public key file can be deleted.

$ rm Kserver1-ddns-key.+157+00575.key

$ cat Kserver1-ddns-key.+157+00575.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=

# Create a BIND configuration file to be included from /etc/named.conf (optional: the statements can be placed in /etc/named.conf directly)

$cat keys.conf

# The key name is arbitrary, but it must be the same name given on the dnssec-keygen command line
key server1-ddns-key {
    algorithm HMAC-MD5;
    secret "x3NLKprWMvSMaPx75At6zA+DiWb2SvzpFzPFowc7SBU=";
};

$cat /etc/named.conf

include "/var/named/keys/keys.conf";

# zone example.com allows this key to perform updates
zone "example.com" IN {
    type master;
    file "example.zone";
    allow-update { key server1-ddns-key; };
};

The journal file for dynamic update
All changes made to a zone using dynamic update are stored in the zone's journal file.
The name of the journal file is formed by appending the extension .jnl to the name of the corresponding zone file.
The updated entries are saved in the .jnl file and are merged into the zone file under the following conditions:
1. Every 15 minutes
2. When an "rndc freeze zone" command is issued
3. On service restart
However, the updated record in memory becomes effective immediately, without waiting to be merged into the zone file.
In order for the named process to write the journal file, the zone directory /var/named/ must be writable by the named user or group:
$chown root:named /var/named; chmod g+rw /var/named
nsupdate sample commands

$nsupdate -k Kserver1-ddns-key.+157+00575.private

> server localhost

> zone example.com

> update add www1.example.com 86400 A 172.16.1.11

> send

Suspend dynamic DNS update

# Sometimes it is necessary to update the zone file manually; follow this order when editing the zone file by hand

$rndc freeze example.com

$vi example.com.zone

$rndc thaw example.com

# If your zone exists in multiple views, you may get this error:

$rndc freeze example.com

rndc: 'freeze' failed: not found

# You have to specify the class name (IN) and the view name in full:

$rndc freeze example.com IN myview-name

nsupdate By Key From RHEL
We have a DNS zone here at DJ that’s used for allowing nsupdates, typically in the case of applications with an HA capability between VLANS out on the WAN (when migrating the production IP is not an option).

While we have used ACLs for the allow-update stanza in bind’s named.conf, I wanted to make the push towards key based authentication. The following how to is what I did to make that work.

First, generate the key. This will create two files, containing the same key, due to backwards compatibility issues with the library used to create the key. The options to pass to the "dnssec-keygen" tool (part of the bind RPM) are simple. The "-r /dev/urandom" bit below uses the pseudo-random driver to generate the key; something perfectly sufficient for this case IMHO. The name you use for the key is not important. Though it looks like an FQDN, it can be "fuzzydice" if you want it to be. The convention in all things BIND seems to be "something.yourdomain.com".

# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST -r /dev/urandom some.meaningful.name.com
Ksome.meaningful.name.com.+157+01885
# ls *meaningful*
Ksome.meaningful.name.com.+157+01885.key Ksome.meaningful.name.com.+157+01885.private
#

I prefer to copy the key string from the ".private" key file as it doesn't have any spaces in the key string. Its contents would look like this.

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==

The next step is to allow this key's use by named. You will need to edit "named.conf" in at least one place, possibly two.

First, update your "allow-update" line in the zone entry. For example see below.

zone "ha.yourdomain.com" in {
    type master;
    file "db.ha.yourdomain.com";
    forwarders {};
    allow-update { key some.meaningful.name.com; };
};

You can mix ACLs, hosts, and keys on the same "allow-update".

allow-update { key some.meaningful.name.com; 192.168.1.1; my_trusted_acl; };

Secondly, you need to include the key for named to pick up. This is typically done in one of two ways: directly in the "named.conf" file or in an included file. RHEL's named.conf, out of the box, should have the following line.

include "/etc/key.conf";

Ideally, this is where you put the key to avoid a messy "named.conf" but you could put the key directly in. Either way, your entry should look something like this.

key some.meaningful.name.com. {
    algorithm hmac-md5;
    secret "sKTsCBcE9PbjY8nG9izhfbASk5O1xI9L+O7R/tC3go+HVsneIOZuoEy9DH0dTILbjodRj9QZT6RPT3MwUHg8aw==";
};

Don’t forget to reload named.

# rndc reload

Now that was the hard part. The easy part is to actually use the key. The "nsupdate" tool is well documented in RHEL's man page, so I'll just show an example case. What isn't so well documented is that you need BOTH ".key" and ".private" files even though you only refer to one on the command line. Keep both of those files in the same directory.

# nsupdate -k Ksome.meaningful.name.com.+157+01885.private
> server 192.168.254.2
> update delete virtualhost.ha.yourdomain.com. CNAME
> update add virtualhost.ha.yourdomain.com. 300 CNAME virtualhost.otherdc.yourdomain.com.
> send
> quit
#

You can script this action by putting the nsupdate commands in a “conf” file that is passed to “nsupdate” as an option.
Posted by Jason Consorti at 7:10 AM
Labels: linux, nsupdate, technology
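The two quoted write-ups above leave two pieces to the reader: the TSIG secret and key stanza (the honglus post) and scripting nsupdate from a command file instead of typing at the prompt (the last line of the Consorti post). Here is an added shell script, not from either post, that covers both: it generates a random base64 secret of the same form as the "Key:" line in a .private file, emits the matching named.conf key stanza, and builds an nsupdate batch file that adds an A record together with its PTR, deriving the in-addr.arpa owner name and reverse zone from the IP. The host names, addresses and key name are constructed; the example uses hmac-sha256, which current BIND and nsupdate accept alongside hmac-md5, and nsupdate's in-file "key" command so that no key file needs to sit beside the batch.

```shell
#!/bin/sh
# Constructed example; none of these names or addresses come from the posts.
set -e

# reverse_name IPV4 -> PTR owner name, e.g. 172.16.1.11 -> 11.1.16.172.in-addr.arpa.
reverse_name() {
  echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# reverse_zone IPV4 -> the /24 reverse zone that holds that PTR (assumes a /24 delegation)
reverse_zone() {
  echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa.\n", $3, $2, $1 }'
}

# new_secret -> 256-bit random secret, base64-encoded, same shape as "Key:" in a .private file
new_secret() {
  openssl rand -base64 32
}

# key_stanza NAME ALGORITHM SECRET -> the named.conf "key" block (as in keys.conf / key.conf above)
key_stanza() {
  printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# update_batch SERVER FWDZONE HOST IP TTL KEYNAME SECRET -> nsupdate commands on stdout
#   Replace-then-add for both the A and the PTR so re-running is idempotent.
update_batch() {
  server=$1; zone=$2; host=$3; ip=$4; ttl=$5; keyname=$6; secret=$7
  cat <<EOF
server $server
key hmac-sha256:$keyname $secret
zone $zone
update delete $host. A
update add $host. $ttl A $ip
send
zone $(reverse_zone "$ip")
update delete $(reverse_name "$ip") PTR
update add $(reverse_name "$ip") $ttl PTR $host.
send
quit
EOF
}

# Demo run: print the stanza for the name server and the batch for nsupdate
SECRET=$(new_secret)
key_stanza server1-ddns-key hmac-sha256 "$SECRET"
update_batch ns.example.com example.com www1.example.com 172.16.1.11 86400 server1-ddns-key "$SECRET"
```

To use it, redirect the batch to a file and pass that file as nsupdate's argument (`update_batch ... > add-host.nsupdate && nsupdate -v add-host.nsupdate`); nsupdate reads its commands from a file named on the command line, which is the scripting approach the Consorti post alludes to. The batch contains the secret in clear, so keep it with the same permissions as the .private file, and keep the key name identical in the stanza, the zone's allow-update and the batch, since a mismatch is rejected as BADKEY.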
