How to Set Up Zimbra Open-Source Mail Server on Ubuntu 18.04
Setting up your own email server on Linux from scratch is a long and tedious process, a pain in the butt if you are not an advanced user. This tutorial will be showing you how to use Zimbra to quickly set up a full-featured mail server on Ubuntu 18.04, saving you lots of time and headaches.
What is Zimbra?
Zimbra is an open-source email, calendaring, and collaboration software suite developed by Synacor, Inc. It comes with a shell script that automatically installs and configures all necessary mail server components on your Linux server, thus eliminating manual installation and configuration. With Zimbra, you can easily create unlimited mailboxes and unlimited mail domains in a web-based admin panel. Email accounts can be managed in MariaDB or OpenLDAP. The following is a list of open-source software that will be automatically installed and configured by Zimbra.
- Postfix SMTP server
- Nginx web server to serve the admin console and webmail. It will also be used as an IMAP/POP3 proxy.
- Jetty: web application server that runs Zimbra software.
- OpenLDAP stores Zimbra system configuration, the Zimbra Global Address List, and provides user authentication.
- MariaDB database
- OpenDKIM: for DKIM signing and verification
- Amavisd-new: an interface between MTA and content scanner.
- SpamAssassin for anti-spam
- ClamAV: anti-virus scanner
- Lucene: open-source full-featured text and search engine
- Apache JSieve: email message filter
- LibreOffice: High fidelity document preview
- Aspell: an open-source spell checker used on the Zimbra Web Client
- memcached: open-source object caching system.
- unbound: lightweight and fast DNS resolver.
Zimbra also ships with some of its own developed software:
- zimbra-drive: cloud storage.
- zimbra-chat: text chat.
- zimbra-talk: group messaging and video conferencing with screen sharing and file sharing functionality.
- mailboxd: Its own developed IMAP/POP3 server.
There are two editions of Zimbra:
- Free open-source edition.
- Commercially supported Network Edition with 60-day free trial.
Some well-known Zimbra users include: Mozilla, Skype, O’Reilly Media, Stanford University, and Comcast. We will be using the open-source edition (OSE) in this article.
Server Requirements
- A clean fresh Ubuntu 18.04 OS.
- At least 2 CPU cores and 3GB RAM. If you use a single-core CPU, Zimbra will be running very slowly. And you need a server with at least 3GB of RAM, because after the installation, your server will use more than 2GB of RAM.
Step 1: Choose the Right Hosting Provider and Buy a Domain Name
Zimbra must be installed on a clean fresh server.
This tutorial is done on a $9/month Kamatera VPS (virtual private server) with 1 CPU and 3GB RAM. They offer a 30-day free trial.
Kamatera is a very good option to run a mail server because
- They don’t block port 25, so you can send unlimited emails (transactional email and newsletters) without spending money on SMTP relay service. Kamatera doesn’t have any SMTP limits. You can send a million emails per day.
- The IP address isn’t on any email blacklist. (At least this is true in my case. I chose the Dallas data center.) You definitely don’t want to be listed on the dreaded Microsoft Outlook IP blacklist or the spamrats blacklist. Some blacklists block an entire IP range and you have no way to delist your IP address from this kind of blacklist.
- You can edit PTR record to improve email deliverability.
- They allow you to send newsletters to your email subscribers with no hourly limits or daily limits, whatsoever.
- You can order multiple IP addresses for a single server. This is very useful for folks who need to send a large volume of emails. You can spread email traffic on multiple IP addresses to achieve better email deliverability.
Other VPS providers like DigitalOcean block port 25. DigitalOcean would not unblock port 25, so you will need to set up SMTP relay to bypass blocking, which can cost you additional money. If you use Vultr VPS, then port 25 is blocked by default. They can unblock it if you open a support ticket, but they may block it again at any time if they decide your email sending activity is not allowed. Vultr actually may re-block it if you use their servers to send newsletters.
Go to Kamatera website to create an account, then create your server in your account dashboard.
I recommend following the tutorial linked below to properly set up your Linux VPS server on Kamatera.
Once you have created a server, Kamatera will send you an email with the server SSH login details. To log into your server, you use an SSH client. If you are using Linux or macOS on your computer, then simply open up a terminal window and run the following command to log into your server. Replace 12.34.56.78 with your server’s IP address.
ssh root@12.34.56.78
You will be asked to enter the password.
You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.
Step 2: Creating DNS MX Record
The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is mail.linuxbabe.com. If someone with a Gmail account sends an email to [email protected], then Gmail server will query the MX record of linuxbabe.com. When it finds out that mail.linuxbabe.com is responsible for accepting email, it then queries the A record of mail.linuxbabe.com to get the IP address, thus the email can be delivered.
You need to go to your DNS hosting service (usually your domain registrar) to create DNS records. In your DNS manager, create a MX record for your domain name. Enter @ in the Name field to represent the main domain name, then enter mail.your-domain.com in the Value field.
Note: The hostname for MX record can not be an alias to another name. Also, it’s highly recommended that you use hostnames, rather than bare IP addresses for MX record.
Your DNS manager may require you to enter a preference value (aka priority value). It can be any number between 0 and 65,356. A small number has higher priority than a big number. It’s recommended that you set the value to 0, so this mail server will have the highest priority for receiving emails. After creating MX record, you also need to create an A record for mail.your-domain.com, so that it can be resolved to an IP address. If your server uses IPv6 address, be sure to add AAAA record.
Hint: If you use Cloudflare DNS service, you should not enable the CDN feature when creating A record for mail.your-domain.com. Cloudflare does not support SMTP proxy.
Step 3: Configuring Hostname
Log into your server via SSH, then run the following command to update existing software packages.
sudo apt update
sudo apt upgrade -y
I strongly recommend creating a sudo user for managing your server rather than using the default root user. Run the following command to create a user. Replace username with your preferred username.
adduser username
Then add the user to the sudo group.
adduser username sudo
Switch to the new user.
su - username
Next, set a fully qualified domain name (FQDN) for your server with the following command.
sudo hostnamectl set-hostname mail.your-domain.com
We also need to update /etc/hosts file with a command-line text editor like Nano.
sudo nano /etc/hosts
Edit it like below. Use arrow keys to move the cursor in the file. You must put your mail server hostname after localhost.
127.0.0.1 localhost.localdomain localhost mail.your-domain.com
Save and close the file. (To save a file in Nano text editor, press Ctrl+O, then press Enter to confirm. To close the file, press Ctrl+X.)
To see the changes, re-login and then run the following command to see your hostname.
hostname -f
Step 4: Install Zimbra Mail Server on Ubuntu 18.04
Zimbra 9 still provides an open-source edition. However, it doesn’t provide the binary. Only the source code is available. Fortunately, there’s a third-party Zimbra solution provider named Zextras that offers Zimbra binary download.
You can go to Zextras website, and fill out a form to get the Zimbra 9 binary download link. If you don’t want to fill out the form, run the following command on your server to download Zimbra 9 installer.
wget download.zextras.com/zcs-9.0.0_OSE_UBUNTU18_latest-zextras.tgz
Extract the archived file.
tar xvf zcs-9.*.tgz
Then change to the newly-created directory.
cd zcs-9*/
Before running the installer script, install the netstat utility.
sudo apt install net-tools
Next, run the Bash script with sudo privilege.
sudo bash install.sh
The mail server setup wizard will appear. First, you need to agree with the terms of the software license agreement.
Then type y to confirm that you want to use Zimbra’s package repository.
Next, it will ask you to select the packages you want to install. You can install them by pressing y. (Y is capitalized, which means it’s the default answer when you press Enter.) Note that the zimbra-imapd package is currently in beta and it’s not recommended to install it. I simply press Enter to use the default answers.
Confirm the packages you selected by pressing y.
Now installation begins.
It might tell you that you need to change the hostname. Answer y and enter your mail server hostname (mail.your-domain.com).
It might also tell you that you need to change the domain name. This tutorial assumes that you want an email address like [email protected]. In that case, type Y and then enter your-domain.com here, without sub-domain.
If it tells you that none of the MX records resolve to this host, then you need to create DNS A record for mail.your-domain.com.
If there’s a port conflict detected for zimbra-dnscache (port 53), then you need to open another SSH session and run the following command to stop the systemd-resolved service.
sudo systemctl stop systemd-resolved
and continue the installation.
Then the main menu displays. It tells you that the admin password is not set, so you need to press 7, then press 4 to set the admin password.
Once you set a password for the admin account, press r to go back to the main menu, then press the following keys.
- Press a to apply the configuration.
- Press y to save the configuration to a file.
- Press Enter to use the default file name.
- Press y to continue.
Wait for the installation process to finish. At the end of the installation, you have the option to notify Zimbra of your installation.
Once the configuration is complete, press Enter to exit from the setup wizard. Now you can visit the web-based admin panel at https://mail.your-domain.com. Because it’s using a self-signed TLS certificate, you need to add a security exception in your web browser. You will learn how to install a valid Let’s Encrypt TLS certificate in step 7.
Step 5: Configure Systemd-Resolved
Systemd-resolved is the default DNS resolver manager on Ubuntu. We need to change its configuration to make it work with Zimbra. It should start after the Zimbra service at system boot time.
The service configuration file for systemd-resolved is /lib/systemd/system/systemd-resolved.service. To override the default systemd service configuration, we create a separate directory.
sudo mkdir -p /etc/systemd/system/systemd-resolved.service.d/
Then create a file under this directory.
sudo nano /etc/systemd/system/systemd-resolved.service.d/custom.conf
Add the following lines in the file, which will make systemd-resolved start after Zimbra is started, and we make it sleep 60 seconds before it will be started.
[Unit]
After=zimbra.service
Before=
[Service]
ExecStartPre=/bin/sleep 60
Save and close the file. Then reload systemd for the changes to take effect.
sudo systemctl daemon-reload
Step 6: Testing Unbound DNS Resolver
The unbound DNS resolver is installed by Zimbra. However, it might not be able to work out of the box. Restart your server.
sudo shutdown -r now
Then log in to your server again over SSH and run the following command to test if DNS resolution is working.
dig A linuxbabe.com
If you see the SERVFAIL error, it means Unbound isn’t running properly.
To fix it, switch to the zimbra user.
sudo su - zimbra
And check which upstream DNS resolver Unbound is using.
zmprov getServer `zmhostname` | grep DNSMasterIP
A correct setup should show you that 8.8.8.8 is the upstream DNS resolver.
zimbraDNSMasterIP: 8.8.8.8
If 127.0.0.53 is the upstream resolver, you have a problem. Remove it with:
zmprov ms `zmhostname` -zimbraDNSMasterIP 127.0.0.53
Then add 8.8.8.8 as the upstream resolver.
zmprov ms `zmhostname` +zimbraDNSMasterIP 8.8.8.8
Now exit from the zimbra user.
exit
Wait a few moments and run the following command again to test.
dig A linuxbabe.com
You should see the following output, which means it’s working correctly now.
If you run the following command to show which DNS resolver your server is using,
cat /etc/resolv.conf
and it tells you that
/etc/resolv.conf: No such file or directory
Check if the systemd-resolved.service is running.
sudo systemctl status systemd-resolved
Run the following command to make sure it will be automatically started at boot time.
sudo systemctl enable --now systemd-resolved
Step 7: Installing Let’s Encrypt TLS Certificate
Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.
Obtaining the Certificate
First, run the following command to install the latest Let’s Encrypt (certbot) client from the Snap store.
sudo snap install certbot --classic
Since Zimbra has already configured TLS settings in Nginx, we can use the standalone plugin to obtain a certificate over TCP port 80. Run the following command. Replace the email address and mail.your-domain.com with your actual data.
sudo /snap/bin/certbot certonly --standalone --agree-tos --staple-ocsp --email [email protected] -d mail.your-domain.com --preferred-chain 'ISRG Root X1'
- certonly: obtain the certificate, but don’t install it automatically.
- --standalone: uses the standalone plugin to obtain certificate.
- --preferred-chain 'ISRG Root X1': use the ISRG Root X1 certificate chain, because the default DST root CA certificate expired on September 31, 2021.
When it asks you if you want to receive communications from EFF, you can choose No.
If everything went well, you will see the following text indicating that you have successfully obtained a TLS certificate. Your certificate and chain have been saved at /etc/letsencrypt/live/mail.your-domain.com/ directory.
Failure to Obtain TLS Certificate
If certbot failed to obtain TLS certificate, maybe it’s because your DNS records are not propagated to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://dnsmap.io, enter your mail server’s hostname (mail.your-domain.com) to check DNS propagation.
Installing the Certificate in Zimbra
After obtaining a TLS certificate, let’s configure Zimbra to use it. Grant permission to the zimbra user so it can read the Let’s Encrypt files.
sudo apt install acl
sudo setfacl -R -m u:zimbra:rwx /etc/letsencrypt/
Switch to the zimbra user.
sudo su - zimbra
Copy the private key.
cp /etc/letsencrypt/live/mail.your-domain.com/privkey.pem /opt/zimbra/ssl/zimbra/commercial/commercial.key
Download Let’s Encrypt Root CA certificate.
wget -O /tmp/isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem.txt
Create a certificate chain. The following command will put the root CA certificate (isrgrootx1.pem) under the intermediate CA certificate (chain.pem). You should not reverse the order, or it won’t work.
cat /etc/letsencrypt/live/mail.your-domain.com/chain.pem /tmp/isrgrootx1.pem > /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
Deploy the certificate.
/opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/mail.your-domain.com/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
View the deployed cert.
/opt/zimbra/bin/zmcertmgr viewdeployedcrt
Restart Zimbra.
zmcontrol restart
Run the following command as the zimbra user to check if all Zimbra services are running.
zmcontrol status
If all is working, it should display
Troubleshooting
Wrong Hostname
If the zmcontrol status command shows the localhost.localdomain hostname, then you need to change the hostname to mail.your-domain.com.
/opt/zimbra/libexec/zmsetservername -n mail.your-domain.com
Then delete localhost.localdomain.
zmloggerhostmap -d localhost.localdomain localhost.localdomain
OpenLDAP Failure
If OpenLDAP fails to restart, and it says that
Unable to start TLS: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed when connecting to ldap master.
Then you can disable TLS on OpenLDAP with the following two commands. Some folks might be wondering if it’s safe to disable TLS on OpenLDAP. It is safe because the LDAP connection is only established on the mail server itself. There’s no LDAP connection to be established from another host.
zmlocalconfig -e ldap_starttls_required=false
zmlocalconfig -e ldap_starttls_supported=0
Then restart Zimbra services.
zmcontrol restart
Hint: If you have successfully deployed Let’s Encrypt TLS certificate in Zimbra as instructed earlier, then your OpenLDAP server should have no problem in starting TLS.
Amavis Failure
If Amavis is not running, then restart it with:
zmamavisdctl restart
If the restart failed, you should check the Zimbra log file (/var/log/zimbra.log). For example, I have the following error message in this file.
Ignoring stale PID file /opt/zimbra/log/amavisd.pid, older than system uptime 0 0:01:00
Pid_file already exists for running process (3340)
So I need to delete the stale PID file.
rm /opt/zimbra/log/amavisd.pid
Then restart Amavis.
zmamavisdctl restart
Reduce CPU & RAM Usage
Avoid using the zmcontrol restart command whenever you can, because it will generate many report emails to the admin account. Every email will invoke ClamAV for virus-scanning. ClamAV is a resource hog. If you need to start/stop an individual Zimbra service, use the specific tools to complete the task.
- zmopendkimctl: OpenDKIM
- zmamavisdctl: Amavis
- zmantispamctl: Anti-Spam
- zmdnscachectl: Unbound DNS resolver
- zmantivirusctl: Anti-Virus
- zmmtactl: Postfix SMTP server
- zmspellctl: Spell checking
- zmzimletctl: Zimlet webapp
- zmmailboxdctl: mailboxd
- zmstatctl: stats
- zmconfigdctl: zmconfigd
- zmmemcachedctl: memcached
- zmloggerctl: logger
To reduce the CPU and RAM usage by Amavis and ClamAV, run the following two commands as the zimbra user.
zmprov ms `zmhostname` zimbraAmavisMaxServers 1
zmprov ms `zmhostname` zimbraClamAVMaxThreads 1
This will make Amavis and ClamAV use only one thread to process emails. (Default is 10.) If you have a 4-core CPU and 16 GB RAM, you can increase the number of threads to make email processing faster.
Step 9: Sending Test Email
Now you can visit the Zimbra web client again. Your web browser won’t warn you anymore because Nginx is now using a valid TLS certificate.
Log into Zimbra web client with the admin account ([email protected]) and you can test email sending and receiving.
Zimbra has a built-in calendar.
You can log into the admin console, which is accessible from the dropdown menu in the upper-right corner. Or you can access it via https://mail.your-domain.com:7071/zimbraAdmin/.
Click the Add Account link to add new email addresses.
Step 10: Checking If Port 25 (outbound) is blocked
Your ISP or hosting provider won’t block incoming connection to port 25 of your server, which means you can receive emails from other mail servers. However, many ISP/hosting providers block outgoing connection to port 25 of other mail servers, which means you can’t send emails.
Hint: If you use Kamatera VPS, then the outbound port 25 is open by default.
If your email didn’t arrive at your other email address such as Gmail, then run the following command on your mail server to check if port 25 (outbound) is blocked.
telnet gmail-smtp-in.l.google.com 25
If it’s not blocked, you would see messages like below, which indicates a connection is successfully established. (Hint: Type in quit and press Enter to close the connection.)
Trying 74.125.68.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP y22si1641751pll.208 - gsmtp
If port 25 (outbound) is blocked, you would see something like:
Trying 2607:f8b0:400e:c06::1a...
Trying 74.125.195.27...
telnet: Unable to connect to remote host: Connection timed out
In this case, your Postfix can’t send emails to other SMTP servers. Ask your ISP/hosting provider to open it for you. If they refuse your request, you need to set up SMTP relay to bypass port 25 blocking.
Still Can’t Send Email?
If port 25 (outbound) is not blocked, but you still can’t send emails from your own mail server to your other email address like Gmail, then you should check the mail log (/var/log/mail.log).
sudo tail -n 30 /var/log/mail.log
For example, some folks might see the error message.
host gmail-smtp-in.l.google.com[2404:6800:4003:c03::1b] said: 550-5.7.1 [2a0d:7c40:3000:b8b::2] Our system has detected that 550-5.7.1 this message does not meet IPv6 sending guidelines regarding PTR 550-5.7.1 records and authentication. Please review 550-5.7.1 https://support.google.com/mail/?p=IPv6AuthError for more information
This means your mail server is using IPv6 to send the email, but you didn’t set up IPv6 records. You should go to your DNS manager, set AAAA record for mail.your-domain.com, then you should set PTR record for your IPv6 address, which is discussed in step 9.
Step 11: Login From Mail Clients
Fire up your desktop email client such as Mozilla Thunderbird and add a mail account.
- In the incoming server section, select IMAP protocol, enter mail.your-domain.com as the server name, choose port 143 and STARTTLS. Choose normal password as the authentication method.
- In the outgoing section, select SMTP protocol, enter mail.your-domain.com as the server name, choose port 587 and STARTTLS. Choose normal password as the authentication method.
Step 12: Improving Email Deliverability
To prevent your emails from being flagged as spam, you should set PTR, SPF, DKIM and DMARC records.
PTR record
A pointer record, or PTR record, maps an IP address to a FQDN (fully qualified domain name). It’s the counterpart to the A record and is used for reverse DNS lookup, which can help with blocking spammers. Many SMTP servers reject emails if no PTR record is found for the sending server.
To check the PTR record for an IP address, run this command:
dig -x IP-address +short
or
host IP-address
PTR record isn’t managed by your domain registrar. It’s managed by the organization that gives you an IP address. Because you get your IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in the control panel of your hosting provider, or ask your ISP. Its value should be your mail server’s hostname: mail.your-domain.com. If your server uses IPv6 address, be sure to add a PTR record for your IPv6 address as well.
To edit the reverse DNS record for your Kamatera VPS, log into the Kamatera client area, then open a support ticket and tell them to add PTR record for your server IP address to point the IP address to mail.your-domain.com. It’s not convenient, you might think, but this is to keep spammers away from the platform, so legitimate email senders like us will have a great IP reputation.
SPF Record
SPF (Sender Policy Framework) record specifies which hosts or IP address are allowed to send emails on behalf of a domain. You should allow only your own email server or your ISP’s server to send emails for your domain. In your DNS management interface, create a new TXT record like below.
Explanation:
- TXT indicates this is a TXT record.
- Enter @ in the name field to represent the main domain name.
- v=spf1 indicates this is a SPF record and the version is SPF1.
- mx means all hosts listed in the MX records are allowed to send emails for your domain and all other hosts are disallowed.
- ~all indicates that emails from your domain should only come from hosts specified in the SPF record. Emails that are from other hosts will be flagged as forged.
To check if your SPF record is propagated to the public Internet, you can use the dig utility on your Linux mail server like below:
dig your-domain.com txt
The txt option tells dig that we only want to query TXT records.
DKIM Record
DKIM (DomainKeys Identified Mail) uses a private key to digitally sign emails sent from your domain. Receiving SMTP servers verify the signature by using the public key, which is published in the DNS DKIM record.
Run the following command to generate DKIM keys on your Zimbra mail server.
/opt/zimbra/libexec/zmdkimkeyutil -a -d your-domain.com
The DKIM public key is in the parentheses. My DKIM selector is F9421034-2BCF-11EC-80AF-728BCB6E6C77. The DKIM sub-domain is F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey.linuxbabe.com. Yours might be different.
Then in your DNS manager, create a TXT record, enter F9421034-2BCF-11EC-80AF-728BCB6E6C77._domainkey in the name field. (Your DKIM sub-domain might be different.) Copy everything in the parentheses and paste it into the value field. Delete all double quotes and line breaks.
Note that your DKIM record may need some time to propagate to the Internet. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ to check if your DKIM record is valid.
DMARC Record
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC can help receiving email servers to identify legitimate emails and prevent your domain name from being used by email spoofing.
To create a DMARC record, go to your DNS manager and add a TXT record. In the name field, enter _dmarc. In the value field, enter the following. (You should create the [email protected] email address.)
v=DMARC1; p=none; pct=100; rua=mailto:[email protected]
The above DMARC record is a safe starting point. If you want to read the full explanation of DMARC, please check the following article. Note that this is optional.
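A quick way to sanity-check the three TXT values before and after publishing them, as an added example that is not part of the original article. It goes beyond the single records shown above by classifying any SPF all-qualifier and any DMARC policy; the function names are made up for this example and lint_live assumes dig is installed.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical.

# Turn the parenthesised, quoted, multi-line TXT value printed by the DKIM key
# tool into the single-line value for the DNS manager (quotes and line breaks
# deleted, as the DKIM section instructs).
dkim_value_from_zone() {
    printf '%s' "$1" | tr '\n\t' '  ' |
        sed -e 's/^[^(]*(//' -e 's/)[^)]*$//' \
            -e 's/"[[:space:]]*"//g' -e 's/"//g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# dig prints TXT data as quoted chunks; join them back into one string.
unquote_txt() {
    sed -e 's/"[[:space:]]*"//g' -e 's/"//g'
}

# Print how an SPF record treats hosts it does not list.
# Succeeds only for -all (fail) and ~all (softfail).
spf_verdict() (
    set -f    # no globbing, so "?all" stays literal during word splitting
    case $1 in
        v=spf1 | "v=spf1 "*) ;;
        *) echo invalid; exit 1 ;;
    esac
    verdict=no-all
    for term in $1; do
        case $term in
            -all)       verdict=fail ;;
            "~all")     verdict=softfail ;;
            "?all")     verdict=neutral ;;
            +all | all) verdict=pass-all ;;   # authorises every host
        esac
    done
    echo "$verdict"
    [ "$verdict" = fail ] || [ "$verdict" = softfail ]
)

# Print the DMARC policy (none, quarantine or reject); fail on anything else.
# p=none only requests reports: receivers take no action on failing mail.
dmarc_policy() (
    case $1 in
        "v=DMARC1;"* | "v=DMARC1 ;"*) ;;
        *) echo invalid; exit 1 ;;
    esac
    policy=$(printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*p[[:space:]]*=[[:space:]]*\([a-z]*\)[[:space:]]*$/\1/p' |
        head -n 1)
    case $policy in
        none | quarantine | reject) echo "$policy" ;;
        *) echo invalid; exit 1 ;;
    esac
)

# Check that the p= tag of a DKIM record is clean base64: a leftover quote,
# space or line break from the copy-paste step makes the key unusable.
dkim_key_ok() (
    key=$(printf '%s\n' "$1" | tr ';' '\n' |
        sed -n -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*p=//p' | head -n 1)
    [ -n "$key" ] || { echo "empty or missing p= tag"; exit 1; }
    case $key in
        *[!A-Za-z0-9+/=]*) echo "p= contains non-base64 characters"; exit 1 ;;
    esac
    echo ok
)

# Live check (needs network access and dig). $1 = domain, $2 = DKIM selector.
lint_live() {
    echo "SPF:   $(spf_verdict "$(dig +short TXT "$1" | grep 'v=spf1' | unquote_txt)")"
    echo "DMARC: $(dmarc_policy "$(dig +short TXT "_dmarc.$1" | unquote_txt)")"
    echo "DKIM:  $(dkim_key_ok "$(dig +short TXT "$2._domainkey.$1" | unquote_txt)")"
}
```

After sourcing the file, lint_live your-domain.com followed by your DKIM selector queries the published records; the other functions take a record string directly, so a value can be checked before it is pasted into the DNS manager.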
Step 13: Testing Email Score and Placement
After creating PTR, SPF, DKIM record, go to https://www.mail-tester.com. You will see a unique email address. Send an email from your domain to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR record, SPF and DKIM record is valid.
Mail-tester.com can only show you a sender score. There’s another service called GlockApps that allows you to check if your email landed in the recipient’s inbox or spam folder, or was rejected outright. It supports many popular email providers like Gmail, Outlook, Hotmail, YahooMail, iCloud mail, etc.
What if Your Emails Are Still Being Marked as Spam?
I have more tips for you in this article: How to stop your emails being marked as spam. Although it will take some time and effort, your emails will eventually be placed in inbox after applying these tips.
What if Your Email is Rejected by Microsoft Mailbox?
Microsoft seems to be using an internal blacklist that blocks many legitimate IP addresses. If your emails are rejected by Outlook or Hotmail, you need to submit the sender information form. After that, your email will be accepted by Outlook/Hotmail.
Troubleshooting
First, please use a VPS with at least 4GB RAM. Running Zimbra on a 2GB RAM VPS will cause the database, SpamAssassin, or ClamAV to be killed because of out-of-memory problem. If you really want to use a 2GB RAM VPS, you are going to lose incoming emails and have other undesirable outcomes.
As a rule of thumb, you should always check the mail log /var/log/mail.log when there’s email delivery problem.
HTTP ERROR 502
If the Zimbra web interface isn’t accessible, such as a 502 gateway error, it’s likely that your server needs more RAM.
You can also try to restart all Zimbra services to fix this issue.
Run the following command as the zimbra user to check if all Zimbra services are running.
zmcontrol status
If you enabled the firewall, you should open the following ports in the firewall.
HTTP port: 80
HTTPS port: 443
SMTP port: 25
Submission port: 587
SMTPS port: 465 (For Microsoft Outlook mail client)
IMAP port: 143 and 993
If you would like to use the UFW firewall, check my guide here: Getting started with UFW firewall on Debian and Ubuntu.
How to Renew TLS Certificate
Let’s Encrypt issued TLS certificate is valid for 90 days only and it’s important that you set up a Cron job to automatically renew the certificate. You can run the following command to renew certificate.
sudo certbot renew
You can use the --dry-run option to test the renewal process, instead of doing a real renewal.
sudo /snap/bin/certbot renew --dry-run
Create Cron Job
If the dry run is successful, you can create Cron job to automatically renew certificate. Simply open root user’s crontab file.
sudo crontab -e
Then add the following line at the bottom of the file.
@daily /snap/bin/certbot renew --quiet
Save and close the file.
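Renewal only replaces the files under /etc/letsencrypt/live/; Zimbra keeps serving the copy deployed in step 7 until those steps are repeated. The following certbot deploy hook redoes them after each successful renewal. It is an added example, not part of the original article; the hook path, the persistent ROOT_CA location and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: certbot deploy hook that
# repeats the "Installing the Certificate in Zimbra" steps after a renewal.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/zimbra.sh
# (owned by root, executable).

ZIMBRA_SSL_DIR="${ZIMBRA_SSL_DIR:-/opt/zimbra/ssl/zimbra/commercial}"
# Step 7 downloads the ISRG root to /tmp, which does not survive a reboot.
# This persistent location is an assumption; copy the file there once.
ROOT_CA="${ROOT_CA:-/opt/zimbra/ssl/isrgrootx1.pem}"

# Copy the renewed private key and rebuild the CA bundle where zmcertmgr
# expects them. $1 = certbot lineage directory (/etc/letsencrypt/live/<host>).
stage_for_zimbra() {
    lineage=$1
    for f in "$lineage/privkey.pem" "$lineage/cert.pem" \
             "$lineage/chain.pem" "$ROOT_CA"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    key="$ZIMBRA_SSL_DIR/commercial.key"
    bundle="$ZIMBRA_SSL_DIR/commercial_ca.crt"
    # Write to temporary names first so a failed run never leaves a
    # half-written key or bundle in place. umask keeps the key owner-only.
    ( umask 077; cp "$lineage/privkey.pem" "$key.new" ) || return 1
    # Intermediate first, root second, as in step 7; the reverse order fails.
    cat "$lineage/chain.pem" "$ROOT_CA" > "$bundle.new" || return 1
    # certbot runs hooks as root; hand the files to the zimbra user.
    if [ "$(id -u)" -eq 0 ] && id zimbra >/dev/null 2>&1; then
        chown zimbra:zimbra "$key.new" "$bundle.new" || return 1
    fi
    mv "$key.new" "$key" && mv "$bundle.new" "$bundle"
}

# Same two commands as step 7, run as the zimbra user. Reading cert.pem
# relies on the ACL granted on /etc/letsencrypt/ in step 7.
deploy_to_zimbra() {
    lineage=$1
    su - zimbra -c "/opt/zimbra/bin/zmcertmgr deploycrt comm '$lineage/cert.pem' '$ZIMBRA_SSL_DIR/commercial_ca.crt'" &&
        su - zimbra -c "zmcontrol restart"
}

# certbot sets RENEWED_LINEAGE only when it runs deploy hooks, so sourcing
# or running this file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage_for_zimbra "$RENEWED_LINEAGE" && deploy_to_zimbra "$RENEWED_LINEAGE"
fi
```

Scripts in the deploy hook directory run only when a certificate was actually renewed, so the @daily cron line stays as it is.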
Setting Up Backup Mail Server
Your primary mail server could be down sometimes. If you host your mail server in a data center, then the downtime is very minimal, so you shouldn’t be worried about losing inbound emails. If you host your mail server at home, the downtime can’t be predicted so it’s a good practice for you to run a backup mail server in a data center to prevent losing inbound emails. The backup mail server needs just 512MB RAM to run. Please check the full detail in the following article.
Setting Up SMTP for your Website
If your website and mail server are running on two different VPS (virtual private server), you can set up SMTP relay between your website and mail server, so that your website can send emails through your mail server. See the following article.
Wrapping Up
That’s it! I hope this tutorial helped you set up a mail server on Ubuntu 18.04 with Zimbra. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
Permission denied,
any solution Xiao Guoan (Admin) ?
Thank you
Using this command right?
I was able to make this work by switching to the zimbra user first before applying the command.
However another issue arose. The deployment command yields the following:
I run the acl installation also without success.
I just updated step 7 to deploy Let’s Encrypt certificate in Zimbra, please check it out.
There are two issues with the article.
Create a certificate chain & deploy the certificate have permission issue.
Create cronjob – sudo /snap/bin/crontab -e no such file or folder.
Do fix the above.
Other than that awesome article !
I just updated step 7 to deploy Let’s Encrypt certificate in Zimbra, please check it out.
Cron command should be:
Hi. Thank you!
Will this guide work on Debian?
Hi made that tip:
Troubleshooting
Wrong Hostname
If the zmcontrol status command shows the localhost.localdomain hostname, then you need to change the hostname to mail.your-domain.com.
/opt/zimbra/libexec/zmsetservername -n mail.your-domain.com
Then delete localhost.localdomain.
zmloggerhostmap -d localhost.localdomain localhost.localdomain
—–
But I have that error with the command ‘zmcontrol restart’
stopping proxy…nginx: [emerg] host not found in upstream “localhost.localdomain:8080” in /opt/zimbra/conf/nginx/includes/nginx.conf.web:27
And I Can’t go to example: mail.tone.com
Help ???
Hello, I need your help, please. I installed the version for Ubuntu 18.04 and it does not work, it returns error 502, and I tested the version for Ubuntu 20.04 and I have the same error 502. My server has 8 GB RAM and a 2 TB disk.
Based on this guide how to get maximum space for emails with 2TB ssd, on my first attempt only 100GB and server down. I lost a lot of emails. I need to use all my ssd drive
zimbra@zimbra:~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /etc/letsencrypt/live/zimbra.xxx.ru/cert.pem /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
** Verifying ‘/etc/letsencrypt/live/zimbra.xxx.ru/cert.pem’ against ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’
139954265224512:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:474:
ERROR: Certificate ‘/etc/letsencrypt/live/zimbra.xxx.ru/cert.pem’ and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.
I got this error 2 times on a clean install of Ubuntu 20.04. How can I resolve it?
Have you been able to resolve this?
I get this : and private key ‘/opt/zimbra/ssl/zimbra/commercial/commercial.key’ do not match.
I’ve built a Zimbra mail server. I can’t send an email to Google as below. How to solve it?
—————————————————————————————————-
This is the mail system at host mail.test.kr.
I’m sorry to have to inform you that your message could not
be delivered to one or more recipients. It’s attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
: host gmail-smtp-in.l.google.com[142.251.170.26] said:
550-5.7.1 [1.1.1.1] The IP you’re using to send mail is not
authorized to 550-5.7.1 send email directly to our servers. Please use the
SMTP relay at your 550-5.7.1 service provider instead. Learn more at 550
5.7.1 https://support.google.com/mail/?p=NotAuthorizedError
v63-20020a638942000000b0050f83a9e61fsi11627026pgd.278 – gsmtp (in reply to
end of DATA command)