How to Set Up Zimbra Open-Source Mail Server on Ubuntu 18.04

Setting up your own email server on Linux from scratch is a long and tedious process, a pain in the butt if you are not an advanced user. This tutorial will be showing you how to use Zimbra to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.

What is Zimbra?

Zimbra is an open-source email, calendaring, and collaboration software suite developed by Synacor, Inc. It comes with a shell script that automatically installs and configures all necessary mail server components on your Linux server, thus eliminating manual installation and configuration. With Zimbra, you can easily create unlimited mailboxes and unlimited mail domains in a web-based admin panel. Email accounts can be managed in MariaDB or OpenLDAP. The following is a list of open-source software that will be automatically installed and configured by Zimbra.

  • Postfix SMTP server
  • Nginx web server to serve the admin console and webmail. It will also be used as an IMAP/POP3 proxy.
  • Jetty: web application server that runs Zimbra software.
  • OpenLDAP stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication.
  • MariaDB database
  • OpenDKIM: for DKIM signing and verification
  • Amavisd-new: an interface between MTA and content scanner.
  • SpamAssassin for anti-spam
  • ClamAV: anti-virus scanner
  • Lucene: open-source full-featured text and search engine
  • Apache JSieve: email message filter
  • LibreOffice: High fidelity document preview
  • Aspell: an open-source spell checker used on the Zimbra Web Client
  • memcached: open-source object caching system.
  • unbound: lightweight and fast DNS resolver.

Zimbra also ships with some of its own developed software:

  • zimbra-drive: cloud storage.
  • zimbra-chat: text chat.
  • zimbra-talk: group messaging and video conferencing with screen sharing and file sharing functionality.
  • mailboxd: Its own developed IMAP/POP3 server.

There are two editions of Zimbra:

  • Free open-source edition.
  • Commercially supported Network Edition with a 60-day free trial.

Some well-known Zimbra users include: Mozilla, Skype, O’Reilly Media, Stanford University, and Comcast. We will be using the open-source edition (OSE) in this article.

Server Requirements

  • A clean fresh Ubuntu 18.04 OS.
  • At least 2 CPU cores and 3GB RAM. If you use a single-core CPU, Zimbra will be running very slowly. And you need a server with at least 3GB of RAM, because after the installation, your server will use more than 2GB of RAM.

Step 1: Choose the Right Hosting Provider and Buy a Domain Name

Zimbra must be installed on a clean fresh server.

This tutorial is done on a $9/month Kamatera VPS (virtual private server) with 1 CPU and 3GB RAM. They offer a 30-day free trial.

Kamatera is a very good option to run a mail server because

  • They don’t block port 25, so you can send unlimited emails (transactional email and newsletters) without spending money on SMTP relay service. Kamatera doesn’t have any SMTP limits. You can send a million emails per day.
  • The IP address isn’t on any email blacklist. (At least this is true in my case. I chose the Dallas data center.) You definitely don’t want to be listed on the dreaded Microsoft Outlook IP blacklist or the spamrats blacklist. Some blacklists block an entire IP range and you have no way to delist your IP address from this kind of blacklist.
  • You can edit PTR record to improve email deliverability.
  • They allow you to send newsletters to your email subscribers with no hourly limits or daily limits, whatsoever.
  • You can order multiple IP addresses for a single server. This is very useful for folks who need to send a large volume of emails. You can spread email traffic on multiple IP addresses to achieve better email deliverability.

Other VPS providers like DigitalOcean block port 25. DigitalOcean would not unblock port 25, so you will need to set up SMTP relay to bypass blocking, which can cost you additional money. If you use Vultr VPS, then port 25 is blocked by default. They can unblock it if you open a support ticket, but they may block it again at any time if they decide your email sending activity is not allowed. Vultr actually may re-block it if you use their servers to send newsletters.

Go to Kamatera website to create an account, then create your server in your account dashboard.

I recommend following the tutorial linked below to properly set up your Linux VPS server on Kamatera.

Once you created a server, Kamatera will send you an email with the server SSH login details. To log into your server, you use an SSH client. If you are using Linux or macOS on your computer, then simply open up a terminal window and run the following command to log into your server. Replace 12.34.56.78 with your server’s IP address.

ssh root@12.34.56.78

You will be asked to enter the password.

It’s highly recommended that you use Ubuntu LTS like Ubuntu 18.04. Installing a piece of complex server software like Zimbra on a non-LTS Ubuntu is discouraged as you will probably encounter problems when upgrading your OS every 9 months. It is far better for your mail server to stay stable for 2 or 5 years.

You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

Step 2: Creating DNS MX Record

The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to [email protected], then Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then queries the A record of mail.linuxbabe.com to get the IP address, thus the email can be delivered.

You need to go to your DNS hosting service (usually your domain registrar) to create DNS records. In your DNS manager, create an MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.

Note: The hostname for the MX record cannot be an alias to another name. Also, it’s highly recommended that you use hostnames, rather than bare IP addresses, for the MX record.

Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. It’s recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails. After creating the MX record, you also need to create an A record for mail.your-domain.com, so that it can be resolved to an IP address. If your server uses an IPv6 address, be sure to add an AAAA record.

Hint: If you use Cloudflare DNS service, you should not enable the CDN feature when creating A record for mail.your-domain.com. Cloudflare does not support SMTP proxy.

Step 3: Configuring Hostname

Log into your server via SSH, then run the following command to update existing software packages.

sudo apt update

sudo apt upgrade -y

I strongly recommend creating a sudo user for managing your server rather than using the default root user. Run the following command to create a user. Replace username with your preferred username.

adduser username

Then add the user to the sudo group.

adduser username sudo

Switch to the new user.

su - username

Next, set a fully qualified domain name (FQDN) for your server with the following command.

sudo hostnamectl set-hostname mail.your-domain.com

We also need to update /etc/hosts file with a command-line text editor like Nano.

sudo nano /etc/hosts

Edit it like below. Use arrow keys to move the cursor in the file. You must put your mail server hostname after localhost.

127.0.0.1       localhost.localdomain localhost mail.your-domain.com

Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To close the file, press Ctrl+X.)

To see the changes, re-login and then run the following command to see your hostname.

hostname -f

Step 4: Install Zimbra Mail Server on Ubuntu 18.04

Zimbra 9 still provides an open-source edition. However, it doesn’t provide the binary. Only the source code is available. Fortunately, there’s a third-party Zimbra solution provider named Zextras that offers Zimbra binary download.

You can go to Zextras website, and fill out a form to get the Zimbra 9 binary download link. If you don’t want to fill out the form, run the following command on your server to download Zimbra 9 installer.

wget download.zextras.com/zcs-9.0.0_OSE_UBUNTU18_latest-zextras.tgz

Extract the archived file.

tar xvf zcs-9.*.tgz

Then change to the newly-created directory.

cd zcs-9*/

Before running the installer script, install the netstat utility.

sudo apt install net-tools

Next, run the Bash script with sudo privilege.

sudo bash install.sh

The mail server setup wizard will appear. First, you need to agree with the terms of the software license agreement.

Then type y to confirm that you want to use Zimbra’s package repository.

Next, it will ask you to select the packages you want to install. You can install them by pressing y. (Y is capitalized, which means it’s the default answer when you press Enter.) Note that the zimbra-imapd package is currently in beta and it’s not recommended to install it. I simply press Enter to use the default answers.

Confirm the packages you selected by pressing y.

Now installation begins.

It might tell you that you need to change the hostname. Answer y and enter your mail server hostname (mail.your-domain.com).

It might also tell you that you need to change the domain name. This tutorial assumes that you want an email address like [email protected]. In that case, type Y and then enter your-domain.com here, without the sub-domain.

If it tells you that none of the MX records resolve to this host, then you need to create DNS A record for mail.your-domain.com.

If there’s a port conflict detected for zimbra-dnscache (port 53), then you need to open another SSH session and run the following command to stop the systemd-resolved service.

sudo systemctl stop systemd-resolved

and continue the installation.

Then the main menu displays. It tells you that the admin password is not set, so you need to press 7, then press 4 to set the admin password.

Once you set a password for the admin account, press r to go back to the main menu, then press the following keys.

  • Press a to apply the configuration.
  • Press y to save the configuration to a file.
  • Press Enter to use the default file name.
  • Press y to continue.

Wait for the installation process to finish. At the end of the installation, you have the option to notify Zimbra of your installation.

Once the configuration is complete, press Enter to exit from the setup wizard. Now you can visit the web-based admin panel at https://mail.your-domain.com. Because it’s using a self-signed TLS certificate, you need to add a security exception in your web browser. You will learn how to install a valid Let’s Encrypt TLS certificate in step 7.

Step 5: Configure Systemd-Resolved

Systemd-resolved is the default DNS resolver manager on Ubuntu. We need to change its configuration to make it work with Zimbra. It should start after the Zimbra service at system boot time.

The service configuration file for systemd-resolved is /lib/systemd/system/systemd-resolved.service. To override the default systemd service configuration, we create a separate directory.

sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d/

Then create a file under this directory.

sudo nano /etc/systemd/system/systemd-resolved.service.d/custom.conf

Add the following lines to the file. They make systemd-resolved start after Zimbra has started, and delay its start by 60 seconds.

[Unit]
After=zimbra.service
Before=

[Service]
ExecStartPre=/bin/sleep 60

Save and close the file. Then reload systemd for the changes to take effect.

sudo systemctl daemon-reload

Step 6: Testing Unbound DNS Resolver

The unbound DNS resolver is installed by Zimbra. However, it might not be able to work out of the box. Restart your server.

sudo shutdown -r now

Then log in to your server again over SSH and run the following command to test if DNS resolution is working.

dig A linuxbabe.com

If you see the SERVFAIL error, it means Unbound isn’t running properly.

To fix it, switch to the zimbra user.

sudo su - zimbra

And check which upstream DNS resolver Unbound is using.

zmprov getServer `zmhostname` | grep DNSMasterIP

A correct setup should show you that 8.8.8.8 is the upstream DNS resolver.

zimbraDNSMasterIP: 8.8.8.8

If 127.0.0.53 is the upstream resolver, you have a problem. Remove it with:

zmprov ms `zmhostname` -zimbraDNSMasterIP 127.0.0.53

Then add 8.8.8.8 as the upstream resolver.

zmprov ms `zmhostname` +zimbraDNSMasterIP 8.8.8.8

Now exit from the zimbra user.

exit

Wait a few moments and run the following command again to test.

dig A linuxbabe.com

The SERVFAIL error should be gone, which means it’s working correctly now.

If you run the following command to show which DNS resolver your server is using,

cat /etc/resolv.conf

and it tells you that

/etc/resolv.conf: No such file or directory

Check if the systemd-resolved.service is running.

sudo systemctl status systemd-resolved

Run the following command to make sure it will be automatically started at boot time.

sudo systemctl enable --now systemd-resolved

Step 7: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, run the following command to install the latest Let’s Encrypt (certbot) client from the Snap store.

sudo snap install certbot --classic

Zimbra has already configured TLS settings in Nginx, so we can use the standalone plugin to obtain a certificate over TCP port 80. Run the following command, replacing the email address and the hostname with your actual data.

sudo /snap/bin/certbot certonly --standalone --agree-tos --staple-ocsp --email [email protected] -d mail.your-domain.com --preferred-chain 'ISRG Root X1'

  • certonly: obtain the certificate, but don’t install it automatically.
  • --standalone: uses the standalone plugin to obtain certificate.
  • --preferred-chain 'ISRG Root X1': Use the ISRG Root X1 certificate chain, because the default DST root CA certificate expired on September 31, 2021.

When it asks you if you want to receive communications from EFF, you can choose No.

If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/mail.your-domain.com/ directory.

Failure to Obtain TLS Certificate

If certbot failed to obtain TLS certificate, maybe it’s because your DNS records are not propagated to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io, enter your mail server’s hostname (mail.your-domain.com) to check DNS propagation.

Installing the Certificate in Zimbra

After obtaining a TLS certificate, let’s configure Zimbra to use it. Grant permission to the zimbra user so it can read the Let’s Encrypt files.

sudo apt install acl

sudo setfacl -R -m u:zimbra:rwx /etc/letsencrypt/

Switch to the zimbra user.

sudo su - zimbra

Copy the private key.

cp /etc/letsencrypt/live/mail.your-domain.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

Download Let’s Encrypt Root CA certificate.

wget -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt

Create a certificate chain. The following command will put the root CA certificate (isrgrootx1.pem) under the intermediate CA certificate (chain.pem). You should not reverse the order, or it won’t work.

cat /etc/letsencrypt/live/mail.your-domain.com/chain.pem /tmp/isrgrootx1.pem > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

Deploy the certificate.

/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.your-domain.com/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt

View the deployed cert.

/opt/zimbra/bin/zmcertmgr viewdeployedcrt

Restart Zimbra.

zmcontrol restart

Run the following command as the zimbra user to check if all Zimbra services are running.

zmcontrol status

If all is working, every service should be listed as Running.

Troubleshooting

Wrong Hostname

If the zmcontrol status command shows the localhost.localdomain hostname, then you need to change the hostname to mail.your-domain.com.

/opt/zimbra/libexec/zmsetservername -n mail.your-domain.com

Then delete localhost.localdomain.

zmloggerhostmap -d localhost.localdomain localhost.localdomain

OpenLDAP Failure

If OpenLDAP fails to restart, and it says that

Unable to start TLS: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed when connecting to ldap master.

Then you can disable TLS on OpenLDAP with the following two commands. Some folks might be wondering if it’s safe to disable TLS on OpenLDAP. It is safe because the LDAP connection is only established on the mail server itself. There’s no LDAP connection to be established from another host.

zmlocalconfig -e ldap_starttls_required=false

zmlocalconfig -e ldap_starttls_supported=0

Then restart Zimbra services.

zmcontrol restart

Hint: If you have successfully deployed the Let’s Encrypt TLS certificate in Zimbra as instructed earlier, then your OpenLDAP server should have no problem in starting TLS.
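
The safety argument for disabling TLS rests on port 389 being unreachable from other hosts. As an added example (not part of the original tutorial), this shell function reads `ss -ltn` output and lists every non-loopback address a given port is bound to; the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# exposed_listeners PORT: read `ss -ltn` output on stdin and print every
# local address listening on PORT that is not a loopback address.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }             # also skips the header line
        {
            n = split($4, parts, ":")       # Local Address:Port, IPv6 has extra colons
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)           # drop an interface suffix such as %lo
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print addr
        }'
}

# Constructed sample in the layout `ss -ltn` prints (documentation addresses).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:7025      0.0.0.0:*
LISTEN  0       1024    203.0.113.10:389    0.0.0.0:*
LISTEN  0       128     0.0.0.0:25          0.0.0.0:*
LISTEN  0       128     [::1]:389           [::]:*
EOF
}

# On the mail server: ss -ltn | exposed_listeners 389
# Any address printed accepts connections from other hosts unless a firewall
# blocks the port, so check the firewall rules for 389 before disabling TLS.
```
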

Amavis Failure

If Amavis is not running, then restart it with:

zmamavisdctl restart

If the restart failed, you should check the Zimbra log file (/var/log/zimbra.log). For example, I have the following error message in this file.

Ignoring stale PID file /opt/zimbra/log/amavisd.pid, older than system uptime 0 0:01:00
Pid_file already exists for running process (3340)

So I need to delete the stale PID file.

rm /opt/zimbra/log/amavisd.pid

Then restart Amavis.

zmamavisdctl restart

Reduce CPU & RAM Usage

Avoid using the zmcontrol restart command whenever you can, because it will generate many report emails to the admin account. Every email will invoke ClamAV for virus-scanning. ClamAV is a resource hog. If you need to start/stop an individual Zimbra service, use the specific tools to complete the task.

  • zmopendkimctl: OpenDKIM.
  • zmamavisdctl: Amavis
  • zmantispamctl: Anti-Spam
  • zmdnscachectl: Unbound DNS resolver.
  • zmantivirusctl: Anti-Virus
  • zmmtactl: Postfix SMTP server
  • zmspellctl: Spell checking
  • zmzimletctl: Zimlet webapp
  • zmmailboxdctl: mailboxd
  • zmstatctl: stats
  • zmconfigdctl: zmconfigd
  • zmmemcachedctl: memcached
  • zmloggerctl: logger

To reduce the CPU and RAM usage by Amavis and ClamAV, run the following two commands as the zimbra user.

zmprov ms `zmhostname` zimbraAmavisMaxServers 1
zmprov ms `zmhostname` zimbraClamAVMaxThreads 1

This will make Amavis and ClamAV use only one thread to process emails. (The default is 10.) If you have a 4-core CPU and 16 GB RAM, you can increase the number of threads to make email processing faster.

Step 9: Sending Test Email

Now you can visit the Zimbra web client again. Your web browser won’t warn you anymore because Nginx is now using a valid TLS certificate.

Log into Zimbra web client with the admin account ([email protected]) and you can test email sending and receiving.

Zimbra has a built-in calendar.

You can log into the admin console, which is accessible from the dropdown menu in the upper-right corner. Or you can access it via https://mail.your-domain.com:7071/zimbraAdmin/.

Click the Add Account link to add new email addresses.

Step 10: Checking If Port 25 (outbound) is blocked

Your ISP or hosting provider won’t block incoming connection to port 25 of your server, which means you can receive emails from other mail servers. However, many ISP/hosting providers block outgoing connection to port 25 of other mail servers, which means you can’t send emails.

Hint: If you use Kamatera VPS, then the outbound port 25 is open by default.

If your email didn’t arrive at your other email address such as Gmail, then run the following command on your mail server to check if port 25 (outbound) is blocked.

telnet gmail-smtp-in.l.google.com 25

If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)

Trying 74.125.68.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y22si1641751pll.208 - gsmtp

If port 25 (outbound) is blocked, you would see something like:

Trying 2607:f8b0:400e:c06::1a...
Trying 74.125.195.27...
telnet: Unable to connect to remote host: Connection timed out

In this case, your Postfix can’t send emails to other SMTP servers. Ask your ISP/hosting provider to open it for you. If they refuse your request, you need to set up SMTP relay to bypass port 25 blocking.

Still Can’t Send Email?

If port 25 (outbound) is not blocked, but you still can’t send emails from your own mail server to your other email address like Gmail, then you should check the mail log (/var/log/mail.log).

sudo tail -n 30 /var/log/mail.log

For example, some folks might see the error message.

host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1 [2a0d:7c40:3000:b8b::2] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information

This means your mail server is using IPv6 to send the email, but you didn’t set up IPv6 records. You should go to your DNS manager, set AAAA record for mail.your-domain.com, then you should set PTR record for your IPv6 address, which is discussed in step 9.

Step 11: Login From Mail Clients

Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.

  • In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
  • In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.

Step 12: Improving Email Deliverability

To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.

PTR record

A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.

To check the PTR record for an IP address, run this command:

dig -x IP-address +short

or

host IP-address

The PTR record isn’t managed by your domain registrar. It’s managed by the organization that gives you an IP address. Because you get your IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in the control panel of your hosting provider, or ask your ISP. Its value should be your mail server’s hostname: mail.your-domain.com. If your server uses an IPv6 address, be sure to add a PTR record for your IPv6 address as well.

To edit the reverse DNS record for your Kamatera VPS, log into the Kamatera client area, then open a support ticket and tell them to add a PTR record for your server IP address that points the IP address to mail.your-domain.com. It’s not convenient, you might think, but this is to keep spammers away from the platform, so legitimate email senders like us will have a great IP reputation.

SPF Record

SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.

v=spf1 mx ~all

Explanation:

  • TXT indicates this is a TXT record.
  • Enter @ in the name field to represent the main domain name.
  • v=spf1 indicates this is a SPF record and the version is SPF1.
  • mx means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
  • ~all indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as forged.

To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux mail server like below:

dig your-domain.com txt

The txt option tells dig that we only want to query TXT records.

DKIM Record

DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.

Run the following command to generate DKIM keys on your Zimbra mail server.

/opt/zimbra/libexec/zmdkimkeyutil -a -d your-domain.com

The DKIM public key is in the parentheses. My DKIM selector is F9421034-2BCF-11EC-80AF-728BCB6E6C77. The DKIM sub-domain is F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey.linuxbabe.com. Yours might be different.

Then in your DNS manager, create a TXT record, enter F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey in the name field. (Your DKIM sub-domain might be different.) Copy everything in the parentheses and paste it into the value field. Delete all double quotes and line breaks.

Note that your DKIM record may need some time to propagate to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ to check if your DKIM record is valid.
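
Copying the key by hand is error-prone because the value is split across several quoted strings, and stray whitespace inside the key makes the record invalid. As an added example (not part of the original tutorial), these shell functions take saved zmdkimkeyutil output and print the record name and the one-line TXT value; the sample output, selector and key are constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial.

# dkim_record_name: read zmdkimkeyutil output on stdin and print the value
# for the DNS name field (selector._domainkey).
dkim_record_name() {
    awk '$2 == "IN" && $3 == "TXT" { print $1; exit }'
}

# dkim_txt_value: read zmdkimkeyutil output on stdin and print the TXT value
# as a single line. Only the text inside the quoted strings is kept, so the
# quotes, the line breaks and the indentation between chunks all disappear.
dkim_txt_value() {
    tr -d '\r' | tr '\n' ' ' |
    sed -e 's/^[^(]*(//' -e 's/)[^)]*$//' |   # keep what is between ( and )
    awk '{
        value = ""
        while (match($0, /"[^"]*"/)) {
            value = value substr($0, RSTART + 1, RLENGTH - 2)
            $0 = substr($0, RSTART + RLENGTH)
        }
        print value
    }'
}

# dkim_value_ok VALUE: succeed only if VALUE looks like a flattened RSA DKIM
# record, that is, no leftover quotes or whitespace inside the base64 key.
dkim_value_ok() {
    printf '%s\n' "$1" | grep -Eq '^v=DKIM1; k=rsa; p=[A-Za-z0-9+/]+={0,2}$'
}

# Constructed sample in the shape the tool prints (not a real key).
sample_zmdkimkeyutil_output() {
    cat <<'EOF'
DKIM Data added to LDAP for domain your-domain.com with selector 0A1B2C3D-EXAMPLE
Public signature to enter into DNS:
0A1B2C3D-EXAMPLE._domainkey IN TXT ( "v=DKIM1; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed"
      "SampleKeyMaterialNotARealKeyIDAQAB" )  ; ----- DKIM key 0A1B2C3D-EXAMPLE for your-domain.com
EOF
}

# Typical use, with the tool output saved to a file named dkim.txt:
#   dkim_record_name < dkim.txt     -> name field
#   dkim_txt_value  < dkim.txt      -> value field
```
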

DMARC Record

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC can help receiving email servers to identify legitimate emails and prevent your domain name from being used by email spoofing.

To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. (You should create the [email protected] email address.)

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

The above DMARC record is a safe starting point. If you want to read the full explanation of DMARC, please check the following article. Note that this is optional.

Step 13: Testing Email Score and Placement

After creating the PTR, SPF and DKIM records, go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR, SPF and DKIM records are valid.

Mail-tester.com can only show you a sender score. There’s another service called GlockApps that allows you to check whether your email landed in the recipient’s inbox or spam folder, or was rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, YahooMail, iCloud mail, etc.

What if Your Emails Are Still Being Marked as Spam?

I have more tips for you in this article: How to stop your emails being marked as spam. Although it will take some time and effort, your emails will eventually be placed in inbox after applying these tips.

What if Your Email is Rejected by Microsoft Mailbox?

Microsoft seems to be using an internal blacklist that blocks many legitimate IP addresses. If your emails are rejected by Outlook or Hotmail, you need to submit the sender information form. After that, your email will be accepted by Outlook/Hotmail.

Troubleshooting

First, please use a VPS with at least 4GB RAM. Running Zimbra on a 2GB RAM VPS will cause the database, SpamAssassin, or ClamAV to be killed because of out-of-memory problem. If you really want to use a 2GB RAM VPS, you are going to lose incoming emails and have other undesirable outcomes.

As a rule of thumb, you should always check the mail log /var/log/mail.log when there’s email delivery problem.

HTTP ERROR 502

If the Zimbra web interface isn’t accessible, such as a 502 gateway error, it’s likely that your server needs more RAM.

You can also try to restart all Zimbra services to fix this issue.

Run the following command as the zimbra user to check if all Zimbra services are running.

zmcontrol status

If you enabled the firewall, you should open the following ports in the firewall.

HTTP port:  80
HTTPS port: 443
SMTP port:  25
Submission port: 587
SMTPS port: 465 (For Microsoft Outlook mail client)
IMAP port:  143 and 993

If you would like to use the UFW firewall, check my guide here: Getting started with UFW firewall on Debian and Ubuntu.

How to Renew TLS Certificate

Let’s Encrypt issued TLS certificate is valid for 90 days only and it’s important that you set up a Cron job to automatically renew the certificate. You can run the following command to renew certificate.

sudo certbot renew

You can use the --dry-run option to test the renewal process, instead of doing a real renewal.

sudo /snap/bin/certbot renew --dry-run

Create Cron Job

If the dry run is successful, you can create Cron job to automatically renew certificate. Simply open root user’s crontab file.

sudo crontab -e

Then add the following line at the bottom of the file.

@daily /snap/bin/certbot renew --quiet

Save and close the file.
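
The cron job only refreshes the files under /etc/letsencrypt; Zimbra keeps serving the copy deployed in Step 7 until the deployment is repeated. As an added example (not part of the original tutorial), this certbot deploy hook repeats those steps after each successful renewal, checking the new key, certificate and chain before it touches the live files. The ROOT_CA path is an assumed location for a saved copy of isrgrootx1.pem.

```shell
#!/bin/sh
# Added example, not from the original tutorial: certbot deploy hook that
# repeats the Step 7 deployment after a successful renewal. Runs as root.
set -eu

ZIMBRA_SSL_DIR="${ZIMBRA_SSL_DIR:-/opt/zimbra/ssl/zimbra/commercial}"
# Assumption: a copy of isrgrootx1.pem is kept at this (hypothetical) path.
ROOT_CA="${ROOT_CA:-/etc/letsencrypt/isrgrootx1.pem}"

# Print how many PEM certificates a file contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_chain INTERMEDIATE ROOT OUT
# Writes the intermediate certificate(s) first and the root last, the order
# Step 7 requires. Refuses empty inputs and a ROOT file that does not hold
# exactly one certificate, and leaves OUT untouched on failure.
build_chain() {
    bc_inter=$1; bc_root=$2; bc_out=$3
    [ -s "$bc_inter" ] || { echo "missing intermediate: $bc_inter" >&2; return 1; }
    [ -s "$bc_root" ] || { echo "missing root CA: $bc_root" >&2; return 1; }
    [ "$(count_certs "$bc_inter")" -ge 1 ] || { echo "no certificate in $bc_inter" >&2; return 1; }
    [ "$(count_certs "$bc_root")" -eq 1 ] || { echo "expected one certificate in $bc_root" >&2; return 1; }
    bc_tmp="$bc_out.tmp.$$"
    cat "$bc_inter" "$bc_root" > "$bc_tmp"
    mv "$bc_tmp" "$bc_out"
}

# deploy_to_zimbra LIVE_DIR
# Stages the renewed files, lets zmcertmgr verify them as the zimbra user,
# and only then replaces the key and chain Zimbra uses and deploys.
deploy_to_zimbra() {
    dz_live=$1
    dz_stage=$(mktemp -d)
    trap 'rm -rf "$dz_stage"' EXIT
    # Root copies the key, so the zimbra user never needs to read the new
    # privkey file under /etc/letsencrypt itself.
    install -m 0600 "$dz_live/privkey.pem" "$dz_stage/commercial.key"
    install -m 0644 "$dz_live/cert.pem" "$dz_stage/cert.pem"
    build_chain "$dz_live/chain.pem" "$ROOT_CA" "$dz_stage/commercial_ca.crt"
    chown -R zimbra:zimbra "$dz_stage"
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr verifycrt comm '$dz_stage/commercial.key' '$dz_stage/cert.pem' '$dz_stage/commercial_ca.crt'"
    install -o zimbra -g zimbra -m 0640 "$dz_stage/commercial.key" "$ZIMBRA_SSL_DIR/commercial.key"
    install -o zimbra -g zimbra -m 0644 "$dz_stage/commercial_ca.crt" "$ZIMBRA_SSL_DIR/commercial_ca.crt"
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm '$dz_stage/cert.pem' '$ZIMBRA_SSL_DIR/commercial_ca.crt'"
    su - zimbra -c "zmcontrol restart"
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks;
# without it the script only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_zimbra "$RENEWED_LINEAGE"
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, the script is run by certbot after each successful renewal.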

Setting Up Backup Mail Server

Your primary mail server could be down sometimes. If you host your mail server in a data center, then the downtime is very minimal, so you shouldn’t be worried about losing inbound emails. If you host your mail server at home, the downtime can’t be predicted so it’s a good practice for you to run a backup mail server in a data center to prevent losing inbound emails. The backup mail server needs just 512MB RAM to run. Please check the full detail in the following article.

Setting Up SMTP for your Website

If your website and mail server are running on two different VPS (virtual private server), you can set up SMTP relay between your website and mail server, so that your website can send emails through your mail server. See the following article.

Wrapping Up

That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 18.04 with Zimbra. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


16 Responses to “How to Set Up Zimbra Open-Source Mail Server on Ubuntu 18.04”

  • IMRON HS
    2 years ago
    zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.gie.co.id/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    ERROR: open input '/etc/letsencrypt/live/mail.gie.co.id/cert.pem' failed: Permission denied
    

    Permission denied,
    any solution Xiao Guoan (Admin) ?
    Thank you

    • IMRON HS
      2 years ago

      Using this command right?

      sudo chown nodeuser -R /etc/letsencrypt
      
    • Xiao Guoan (Admin)
      2 years ago
      sudo apt install acl
      
      sudo setfacl -R -m u:zimbra:rwx /etc/letsencrypt/
      
  • I was able to make this work by switching to the zimbra user first before applying the command.
    However another issue arose. The deployment command yields the following:

    zimbra@mail:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.the-domain.org/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    ERROR: Can't read file '/opt/zimbra/ssl/zimbra/commercial/commercial.key'

    I ran the acl installation too, without success.

    • Xiao Guoan (Admin)
      2 years ago

      I just updated step 7 to deploy Let’s Encrypt certificate in Zimbra, please check it out.

  • Bilal Inamdar
    2 years ago

    There are two issues with the article.
    Create a certificate chain & deploy the certificate have permission issue.
    Create cronjob – sudo /snap/bin/crontab -e no such file or folder.

    Do fix the above.

    Other than that awesome article !

    • Xiao Guoan (Admin)
      2 years ago

      I just updated step 7 to deploy Let’s Encrypt certificate in Zimbra, please check it out.

      Cron command should be:

      sudo crontab -e
  • Torleif
    2 years ago

    Hi. Thank you!
    Will this guide work on Debian?

  • Hi made that tip:

    Troubleshooting

    Wrong Hostname

    If the zmcontrol status command shows the localhost.localdomain hostname, then you need to change the hostname to mail.your-domain.com.

    /opt/zimbra/libexec/zmsetservername -n mail.your-domain.com

    Then delete localhost.localdomain.

    zmloggerhostmap -d localhost.localdomain localhost.localdomain

    —–

    But have that error with command ‘zmcontrol restart’

    stopping proxy…nginx: [emerg] host not found in upstream “localhost.localdomain:8080” in /opt/zimbra/conf/nginx/includes/nginx.conf.web:27

    And I Can’t go to example: mail.tone.com
    Help ???

  • Jhonatas Garagnani
    2 years ago

    Hello, I need your help, please. I installed the version on Ubuntu 18.04 and it does not work; it returns error 502. I also tested the version for Ubuntu 20.04 and I have that error 502 too. My server has 8 GB RAM and a 2 TB disk.

  • Cesar RB
    1 year ago

    Based on this guide how to get maximum space for emails with 2TB ssd, on my first attempt only 100GB and server down. I lost a lot of emails. I need to use all my ssd drive

  • zimbra@zimbra:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/zimbra.xxx.ru/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
    ** Verifying ‘/etc/letsencrypt/live/zimbra.xxx.ru/cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
    139954265224512:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
    ERROR: Certificate ‘/etc/letsencrypt/live/zimbra.xxx.ru/cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.

    I got this error 2 times on a clean install of Ubuntu 20.04. How can I resolve it?

  • Sussan Morris
    9 months ago

    I get this : and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.

  • I’ve built a Zimbra mail server. I can’t send an email to Google as below. How to solve it?
    —————————————————————————————————-
    This is the mail system at host mail.test.kr.

    I’m sorry to have to inform you that your message could not
    be delivered to one or more recipients. It’s attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    : host gmail-smtp-in.l.google.com[142.251.170.26] said:
    550-5.7.1 [1.1.1.1] The IP you’re using to send mail is not
    authorized to 550-5.7.1 send email directly to our servers. Please use the
    SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550
    5.7.1 https://support.google.com/mail/?p=NotAuthorizedError
    v63-20020a638942000000b0050f83a9e61fsi11627026pgd.278 – gsmtp (in reply to
    end of DATA command)
