In AWS VPC, create an Internet Gateway (igw-xxx) and attach it to your VPC.
In AWS VPC, create one subnet, INTERNET (10.20.0.0/24).
Configure the route table for the INTERNET subnet like this:

| Destination | Target |
|---|---|
| 10.20.0.0/16 | local |
| 0.0.0.0/0 | igw-xxx |
In AWS EC2, launch the CentOS 7 ZCS instance.
Attach one interface, eth0, to the ZCS instance.

| Subnet | Interface | Address |
|---|---|---|
| INTERNET | eth0 | 10.20.0.15 |

Allocate a new Elastic IP address and associate it with the eth0 interface.
The ZCS instance will use 10.20.0.1 as its default gateway.
You should now be able to log in to the ZCS instance with your SSH key:

```
ssh -i key.pem centos@elastic-ip-address
```
Install some utilities
```
yum install net-tools
yum install mlocate
sh /etc/cron.daily/mlocate
yum install dos2unix
yum install sysstat
yum install lsof
yum install tcpdump
yum install nmap-ncat
yum install bind-utils
yum install tree
```
Modify the following files
```
vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "zcs-host.domain";
supersede domain-name "domain";
------------------------------ cut here ------------------------------

vi /etc/hostname
------------------------------ cut here ------------------------------
zcs-host.domain
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
::1         localhost localhost.domain
127.0.0.1   localhost localhost.domain
10.20.0.15  zcs-host.domain zcs-host
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network
------------------------------ cut here ------------------------------
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes
------------------------------ cut here ------------------------------

vi /etc/cloud/cloud.cfg
------------------------------ cut here ------------------------------
preserve_hostname: true
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network-scripts/ifcfg-eth0
------------------------------ cut here ------------------------------
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
USERCTL="yes"
PEERDNS="yes"
IPV6INIT="no"
PERSISTENT_DHCLIENT="1"
------------------------------ cut here ------------------------------

vi /etc/resolv.conf
------------------------------ cut here ------------------------------
search domain
nameserver 10.20.0.2
------------------------------ cut here ------------------------------

vi /etc/sysctl.conf
------------------------------ cut here ------------------------------
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.secure_redirects=0
vm.swappiness=10
vm.vfs_cache_pressure=50
------------------------------ cut here ------------------------------
```
Add a swap file

```
dd if=/dev/zero of=/swapfile count=1024 bs=1MiB
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
free -h
------------------------------ cut here ------------------------------
              total        used        free      shared  buff/cache   available
Mem:           991M         74M         67M         12M        848M        738M
Swap:          1.0G          0B        1.0G
------------------------------ cut here ------------------------------

vi /etc/fstab
------------------------------ cut here ------------------------------
/swapfile none swap sw 0 0
------------------------------ cut here ------------------------------
```
Install development tools and other utilities
```
yum groupinstall 'Development Tools'
yum install wget
mkdir /root/src
cd /root/src
wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz
tar zxf rpl-1.4.1.tar.gz
cd rpl-1.4.1
./configure
make
make install
cd /root/src
wget http://utenti.gufi.org/~gmarco/files/distfiles/xtail-2.1.tar.gz
tar zxf xtail-2.1.tar.gz
cd xtail-2.1
./configure
make
make install
```
Adjust sshd
```
vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------
service sshd restart
```
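A check worth running after the sshd edit, added here as an example and not part of the original guide: sshd honours the first occurrence of a directive, so a hardened line appended below a stock `PermitRootLogin yes` is silently ignored. The function names, the constructed sample file and the `MISMATCH` output format are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config against the
# values set above. sshd honours the FIRST occurrence of each directive, so a
# hardened line appended below an earlier "PermitRootLogin yes" is silently
# ignored. Only top-level directives are checked (Match blocks are not modelled).

# effective_value FILE DIRECTIVE: print the first uncommented value for DIRECTIVE
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Directive=value pairs taken from the sshd_config edit above.
SSHD_EXPECTED="ClientAliveInterval=900 IgnoreRhosts=yes LoginGraceTime=30 \
MaxAuthTries=3 PasswordAuthentication=yes PermitEmptyPasswords=no \
PermitRootLogin=no PubkeyAuthentication=yes"

# audit_sshd_config FILE: print one line per mismatch, return 1 if any was found
audit_sshd_config() {
    rc=0
    for pair in $SSHD_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: effective=${got:-unset} expected=$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (hypothetical, not from a real host): the hardened lines
# were appended after a stock "PermitRootLogin yes", which therefore still wins.
sample_sshd_config() {
    cat <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
EOF
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` after the restart; a non-zero exit means at least one directive is shadowed by an earlier line or missing.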
Adjust syslog
```
vi /etc/rsyslog.conf
------------------------------ cut here ------------------------------
*.* /var/log/all.log
------------------------------ cut here ------------------------------
touch /var/log/all.log
chmod 600 /var/log/all.log
systemctl restart rsyslog.service

vi /etc/logrotate.d/syslog
------------------------------ cut here ------------------------------
/var/log/all.log
------------------------------ cut here ------------------------------
```
Enable NTP
```
yum install ntp
vi /etc/ntp.conf
------------------------------ cut here ------------------------------
restrict 10.20.1.9 mask 255.255.255.255 nomodify notrap
------------------------------ cut here ------------------------------
systemctl is-enabled ntpd.service
systemctl enable ntpd.service
systemctl restart ntpd.service
```
Make SELinux permissive
```
vi /etc/sysconfig/selinux
------------------------------ cut here ------------------------------
SELINUX=permissive
------------------------------ cut here ------------------------------
restorecon -RFv /etc
```
Disable postfix
```
systemctl stop postfix.service
systemctl disable postfix.service
```
Update CentOS
```
yum update
```
Install Zimbra Collaboration Server Open Source Edition 8.7.11
```
cd /root
wget https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
tar zxf zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
cd zcs-8.7.11_GA_1854.RHEL7_64.20170531151956
systemctl stop httpd.service
./install.sh -u
./install.sh
su - zimbra
zmcontrol restart
zmcontrol status
------------------------------ cut here ------------------------------
Host zcs-host.domain
        amavis                  Running
        antispam                Running
        antivirus               Running
        dnscache                Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running
------------------------------ cut here ------------------------------
zmupdateauthkeys
su - root
/opt/zimbra/libexec/zmsyslogsetup
su - zimbra
zmcontrol restart
```
Install Z-Push 2.3.7
```
yum install php-process
yum install php-cli php-soap php
yum install perl-JSON perl-Crypt-OpenSSL-RSA perl-libwww-perl bc
yum install php-mbstring
cd /root
wget http://download.z-push.org/final/2.3/z-push-2.3.7.tar.gz
tar zxf z-push-2.3.7.tar.gz
mv z-push-2.3.7 /var/www/html/z-push-2.3.7
ln -s /var/www/html/z-push-2.3.7 /var/www/html/z-push
mkdir /var/lib/z-push /var/log/z-push
chmod 755 /var/lib/z-push /var/log/z-push
chown apache:apache /var/lib/z-push /var/log/z-push

vi /etc/httpd/conf.d/z-push.conf
------------------------------ cut here ------------------------------
Alias /Microsoft-Server-ActiveSync /var/www/html/z-push/index.php
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
------------------------------ cut here ------------------------------
```
Download zimbra66.tgz and zpzb-install.sh from the Zimbra Backend project.
```
mv zimbra66.tgz zpzb-install.sh /var/www/html/z-push/backend
chmod 755 /var/www/html/z-push/backend/zpzb-install.sh
cd /var/www/html/z-push/backend
./zpzb-install.sh 66
ln -s /var/www/html/z-push/backend/zimbra66 /var/www/html/z-push/backend/zimbra
chown -R root:root /var/www/html
systemctl is-enabled httpd.service
systemctl enable httpd.service
systemctl restart httpd.service

vi /var/www/html/z-push/config.php
------------------------------ cut here ------------------------------
define('USE_FULLEMAIL_FOR_LOGIN', true);
define('PROVISIONING', false);
define('LOOSE_PROVISIONING', true);
define('BACKEND_PROVIDER', 'BackendZimbra');
------------------------------ cut here ------------------------------

vi /var/www/html/z-push/backend/zimbra/config.php
------------------------------ cut here ------------------------------
define('ZIMBRA_URL', 'https://zcs-host.domain');
define('ZIMBRA_DISABLE_URL_OVERRIDE', true);
------------------------------ cut here ------------------------------

vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
------------------------------ cut here ------------------------------
#set $mailhostport ${web.http.uport}; # replace this with *the* mailhost port
set $mailhostport 80; # replace this with *the* mailhost port
#proxy_pass ${web.upstream.target};
proxy_pass http://zcs-host.domain;
------------------------------ cut here ------------------------------

su - zimbra
zmproxyctl restart
su - root
chown -R root:root /var/www/.
/var/www/html/z-push/z-push-admin.php -a list
su - zimbra
zmcontrol restart
```
Adjust Zimbra configuration
```
su - zimbra
zmprov md domain zimbraPublicServiceProtocol https
zmprov generateDomainPreAuthKey domain
zmprov gd domain zimbraPreAuthKey
zmprov mcf zimbraMtaMaxMessageSize 204857600
zmprov ms zcs-host.domain zimbraMtaLmtpHostLookup native
zmmtactl restart
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

vi /opt/zimbra/conf/postfix_reject_sender
------------------------------ cut here ------------------------------
domain REJECT
------------------------------ cut here ------------------------------
postmap /opt/zimbra/conf/postfix_reject_sender

vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
------------------------------ cut here ------------------------------
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks, reject_sender_login_mismatch permit_sasl_authenticated permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
------------------------------ cut here ------------------------------
zmmtactl stop
zmmtactl start

zmprov ms zcs-host.domain +zimbraServiceEnabled cbpolicyd
zmprov ms zcs-host.domain zimbraCBPolicydGreylistingEnabled TRUE
zmprov ms zcs-host.domain zimbraFileUploadMaxSize 44040192
zmprov ms zcs-host.domain zimbraMailContentMaxSize 44040192
zmprov mcf zimbraMtaMaxMessageSize 44040192
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true

vi /opt/zimbra/data/spamassassin/localrules/local.cf
------------------------------ cut here ------------------------------
rewrite_header Subject *****SPAM*****
------------------------------ cut here ------------------------------

zmprov ms zcs-host.domain +zimbraMtaRestriction reject_unknown_reverse_client_hostname
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov ms zcs-host.domain -zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction 'check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre'
zmprov mcf +zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov mcf -zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org"
cd /opt/zimbra/conf
wget https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre/raw/master/fqrdns.pcre
zmprov mcf +zimbraMtaRestriction 'check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre'
zmprov mcf zimbraAmavisLogLevel 2
rpl '# $bad_header_quarantine_method = undef;' '$bad_header_quarantine_method = undef;' /opt/zimbra/conf/amavisd.conf*
zmamavisdctl restart

vi /var/www/html/index.html
------------------------------ cut here ------------------------------
<html>
<head>
<meta http-equiv="Refresh" content="0; URL=https://zcs-host.domain">
</head>
<body>
</body>
</html>
------------------------------ cut here ------------------------------

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=XX/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=zcs-host.domain"
```
Get your SSL certificate (for example from GoDaddy) and deploy it together with the CA bundle:

```
/opt/zimbra/bin/zmcertmgr deploycrt comm abe8bda51fd18943.crt gd_bundle-g2-g1.crt
service zimbra restart
systemctl restart httpd.service
```
Optionally install the Wazuh agent (if you have a Wazuh manager)

```
cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1
EOF
yum install wazuh-agent
yum install openscap-scanner

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
<wodle name="open-scap">
  <disabled>no</disabled>
------------------------------ cut here ------------------------------

/var/ossec/bin/agent-auth -m wazuh_manager_ip_address
rpl MANAGER_IP wazuh_manager_ip_address /var/ossec/etc/ossec.conf
systemctl enable wazuh-agent.service
systemctl restart wazuh-agent.service
```