Setup a Zimbra collaboration suite on Ubuntu Xenial

With this tutorial you learn how to install the latest version of Zimbra on an Ubuntu Xenial server.


Zimbra Overview

The Zimbra Collaboration Suite is designed to provide an end-to-end mail solution that is scalable and highly reliable.

Messaging architecture is built with open technology and well-known standards. The application is composed of a mail server application and a client interface.

Installing Zimbra

1 . Connect to your server using SSH:

ssh root@SERVER_IP

2 . Update your system to the latest version:

apt-get update && apt-get upgrade

3 . Edit your /etc/hosts file so it looks like the following example:     zimbra       localhost

4 . Download and extract the latest version of Zimbra

tar xfz zcs-8.8.9_GA_2055.UBUNTU16_64.20180703080917.tgz

5 . Enter the Zimbra directory:

cd zcs-*

6 . Run the setup tool:


7 . Confirm that you agree to the software license, by typing y:

Do you agree with the terms of the software license agreement? [N]y

8 . Confirm that you want to use the repository of Zimbra, by pressing on Enter:

Use Zimbra's package repository [Y]

9 . Zimbra will ask you which packages to install. You can keep the default values and confirm that the system will be modified, by typing y:

The system will be modified.  Continue? [N] Y

The required packages will be downloaded and installed. This may take a while.

10 . Set the domain from to

DNS ERROR resolving MX for
It is suggested that the domain name have an MX record configured in DNS
Change domain name? [Yes] Y
Create domain: []
        MX: (
Checking for port conflicts

11 . Press 7, then 4 to set the admin password, enter the new password and confirm by pressing Enter:

Store configuration

   1) Status:                                  Enabled
   2) Create Admin User:                       yes
   3) Admin user to create:          
** 4) Admin Password                           UNSET
   5) Anti-virus quarantine user:    
   6) Enable automated spam training:          yes
   7) Spam training user:            
   8) Non-spam(Ham) training user:   
   9) SMTP host:                     
  10) Web server HTTP port:                    8080
  11) Web server HTTPS port:                   8443
  12) Web server mode:                         https
  13) IMAP server port:                        7143
  14) IMAP server SSL port:                    7993
  15) POP server port:                         7110
  16) POP server SSL port:                     7995
  17) Use spell check server:                  yes
  18) Spell server URL:              
  19) Enable version update checks:            TRUE
  20) Enable version update notifications:     TRUE
  21) Version update notification email:
  22) Version update source email:   
  23) Install mailstore (service webapp):      yes
  24) Install UI (zimbra,zimbraAdmin webapps): yes

Select, or 'r' for previous menu [r] 4

Password for (min 6 characters): [KyYxqndxmw] Pa$$w0rd

12 . Press r to go back to the main menu, then press 5 to enter the DNS configuration and 2to set the DNS resolver to or your preferred DNS server:

5) zimbra-dnscache:                         Enabled
******* +Master DNS IP address(es):            UNSET
     +Enable DNS lookups over TCP:          yes
     +Enable DNS lookups over UDP:          yes
     +Only allow TCP to communicate with Master DNS: no

6) zimbra-snmp:                             Enabled
7) zimbra-store:                            Enabled
8) zimbra-spell:                            Enabled
9) zimbra-proxy:                            Enabled
10) Default Class of Service Configuration:
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items  (? - help) 5

DNS Cache configuration

1) Status:                                  Enabled
** 2) Master DNS IP address(es):               UNSET
3) Enable DNS lookups over TCP:             yes
4) Enable DNS lookups over UDP:             yes
5) Only allow TCP to communicate with Master DNS: no

Select, or 'r' for previous menu [r] 2

IP Address(es) of Master DNS Server(s), space separated:

13 . Press Enter to confirm your modification.

14 . Press r to go back to the main menu, then press a to apply the configuration. When asked if you want to save the configuration, press Enter, confirm the file name by pressing on Enter and type yes when asked if you want the system to be modified:

*** CONFIGURATION COMPLETE - press 'a' to apply
Select from menu, or press 'a' to apply config (? - help) a
Save configuration data to a file? [Yes]
Save config in file: [/opt/zimbra/config.4007]
Saving config in /opt/zimbra/config.4007...done.
The system will be modified - continue? [No] yes
Operations logged to /tmp/zmsetup.20180719-122146.log

The configuration of Zimbra will start.

Please note that this will take a while.

15 . You will be asked if you want to report your installation to Zimbra, you can type no if you don’t want to do this:

Notify Zimbra of your installation? [Yes] no
Notification skipped

16 . Once a message appears, the installation is complete. Press Enter to exit the setup tool.

17 . You can now login to the admin console at https://YOUR_SERVER_IP:7071/zimbraAdmin/. Use the user admin@domin.tld and the password that you have set during the installation to login:

ZimbraAdmin Login

18 . Once you are logged you can click on Get Started to begin with the configuration of the Zimbra server:

ZimbraAdmin Configuration

19 . The user interface of your Zimbra is available at https://YOUR_SERVER_IP. Use your complete email address and its password to login:

Zimbra Webmail

You can now check your emails, manage your contacts and your calendar.

Requesting a Let's Encrypt certificate for Zimbra

By default Zimbra uses a self-sgined certificate which can cause warnings in a web browser. To get rid of these warnings, a Let’s Encrypt certificate can be requested.

1 . Connect to your server as root via SSH and install git :

apt-get install git

2 . Switch into the Zimbra user:

su zimbra

3 . Stop the following services:

zmproxyctl stop
zmmailboxdctl stop

4 . Exit from the Zimbra user:


5 . Clone and enter the Lets Encrypt Repository:

git clone
cd letsencrypt

6 . Lauch the following command to use the certonly feature of Let’s Encrypt, as the certificate can’t be integrated into Zimbra automatically:

 ./letsencrypt-auto certonly --standalone

Fill in the required information when asked. If you need a certificate for multiple domain names, specify them with the -d-flag:

./letsencrypt-auto certonly --standalone -d -d

7 . The certificate has been issued once the following message appears:

- Congratulations! Your certificate and chain have been saved at:
  Your key file has been saved at:

You can find the following files in the directory /etc/letsencrypt/live/

  • cert.pem is the certificate

  • chain.pem is the chain

  • fullchain.pem is the concatenation of cert.pem + chain.pem

  • privkey.pem is the private key

Lets Encrypt creates the chain.pem file without the root CA. Copy the IdenTrust root Certificate and merge it after the chain.pem:

Your chain.pem should look like:


In short: chain.pem has to be concatened with the root CA. First the chain and the end of the file the root CA. The order is important.

8 . Copy the Let’s Encrypt folder with all files /etc/letsencrypt/live/ into /opt/zimbra/ssl/letsencrypt:

mkdir /opt/zimbra/ssl/letsencrypt
cp /etc/letsencrypt/live/* /opt/zimbra/ssl/letsencrypt/
chown zimbra:zimbra /opt/zimbra/ssl/letsencrypt/*

9 . Change into the Zimbra user:

su zimbra

10 . Verify the certificate:

cd /opt/zimbra/ssl/letsencrypt/
/opt/zimbra/bin/zmcertmgr verifycrt comm privkey.pem cert.pem chain.pem

If everything is working fine, the following message will appear:

** Verifying 'cert.pem' against 'privkey.pem'
Certificate 'cert.pem' and private key 'privkey.pem' match.
** Verifying 'cert.pem' against 'chain.pem'
Valid certificate chain: cert.pem: OK

11 . Backup the existing certificate:

cp -a /opt/zimbra/ssl/zimbra /opt/zimbra/ssl/zimbra.$(date "+%Y%m%d")

12 . Copy the private key into Zimbra’s SSL path:

cp /opt/zimbra/ssl/letsencrypt/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key

13 . Finally deploy the SSL certificate:

/opt/zimbra/bin/zmcertmgr deploycrt comm cert.pem chain.pem

Note: This may take a little while

14 . Restart the Zimbra services:

zmcontrol restart

15 . Go to https://YOUR_SERVER_IP and you will notice that the connection is now signed by a valid certificate:

Zimbra Login with valid SSL

Reconfiguring Zimbra in case your internal IP address has changed

Zimbra is configured to use the internal IP of your server for handling your mails.

In case you have reconfigured the internal IP of the server or if it has changed because you have archived the server and restarted it later, you have to re-authorize the new IP in Zimbra.

1 . Connect to your server and and su into the Zimbra user:

su zimbra

2 . Run ifconfig to detect your internal IP Address.

3 . Run the following command to check if the IP matches:

postconf mynetworks

This command will return a line like the following:

mynetworks =

4 . Run a second check from Zimbras LDAP:

zmprov getServer | grep zimbraMtaMyNetworks

5 . If the result of the two commands does not provide the actual IP address of your server, you can update it with the following command:

zmprov modifyServer zimbraMtaMyNetworks ' YOUR_SERVER_IP/31'

6 . Reload the postfix configuration and restart Zimbra to take the modification into effect:

postfix reload
zmcontrol stop
zmcontrol start

Discover the Cloud That Makes Sense