In AWS VPC, create an Internet Gateway (igw-xxx) and attach it to your VPC.

In AWS VPC, create 1 subnet INTERNET (10.20.0.0/24).

Configure the route table for the INTERNET subnet like this:

Destination Target
10.20.0.0/16 local
0.0.0.0/0 igw-xxx

In AWS EC2, launch the CentOS 7 ZCS instance.

Attach 1 interface eth0 to the ZCS instance.

Subnet Interface Address
INTERNET eth0 10.20.0.15

Allocate a new Elastic IP address and associate it with the eth0 interface.

The ZCS instance will use 10.20.0.1 for its default gateway.

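You should be able to log in to the ZCS instance using your ssh key, provided the instance's security group allows inbound SSH (TCP 22). Limit that rule to the addresses you administer from rather than 0.0.0.0/0, because the Elastic IP makes the host reachable from the Internet.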

ssh -i key.pem centos@elastic-ip-address

Install some utilities

yum install net-tools

yum install mlocate
sh /etc/cron.daily/mlocate

yum install dos2unix
yum install sysstat
yum install lsof
yum install tcpdump
yum install nmap-ncat
yum install bind-utils
yum install tree

Modify the following files

vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "zcs-host.domain";
supersede domain-name "domain";
------------------------------ cut here ------------------------------

vi /etc/hostname
------------------------------ cut here ------------------------------
zcs-host.domain
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
::1         localhost localhost.domain
127.0.0.1   localhost localhost.domain
10.20.0.15  zcs-host.domain zcs-host
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network
------------------------------ cut here ------------------------------
NETWORKING=yes
NETWORKING_IPV6=no
NOZEROCONF=yes
------------------------------ cut here ------------------------------

vi /etc/cloud/cloud.cfg
------------------------------ cut here ------------------------------
preserve_hostname: true
------------------------------ cut here ------------------------------

vi /etc/sysconfig/network-scripts/ifcfg-eth0
------------------------------ cut here ------------------------------
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
USERCTL="yes"
PEERDNS="yes"
IPV6INIT="no"
PERSISTENT_DHCLIENT="1"
------------------------------ cut here ------------------------------

vi /etc/resolv.conf
------------------------------ cut here ------------------------------
search domain
nameserver 10.20.0.2
------------------------------ cut here ------------------------------

vi /etc/sysctl.conf
------------------------------ cut here ------------------------------
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.secure_redirects=0
vm.swappiness=10
vm.vfs_cache_pressure=50
------------------------------ cut here ------------------------------

Add swap file

dd if=/dev/zero of=/swapfile count=1024 bs=1MiB
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile

free -h
------------------------------ cut here ------------------------------
              total        used        free      shared  buff/cache   available
Mem:           991M         74M         67M         12M        848M        738M
Swap:          1.0G          0B        1.0G
------------------------------ cut here ------------------------------

vi /etc/fstab
------------------------------ cut here ------------------------------
/swapfile none swap sw 0 0
------------------------------ cut here ------------------------------

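Install development tools and other utilities

Note: the rpl and xtail tarballs below are fetched over plain HTTP and then built and installed as root, with no integrity check. Compare each archive against a checksum or signature obtained from a trusted source before running ./configure.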

yum groupinstall 'Development Tools'
yum install wget

mkdir /root/src
cd /root/src
wget http://downloads.laffeycomputer.com/current_builds/rpl-1.4.1.tar.gz
tar zxf rpl-1.4.1.tar.gz
cd rpl-1.4.1
./configure
make
make install

cd /root/src
wget http://utenti.gufi.org/~gmarco/files/distfiles/xtail-2.1.tar.gz
tar zxf xtail-2.1.tar.gz
cd xtail-2.1
./configure
make
make install

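Adjust sshd

Note: the settings below keep PasswordAuthentication enabled on a host that has a public Elastic IP, which leaves it open to password guessing. The login shown earlier uses a key, so set PasswordAuthentication to no unless password logins are really needed. Run sshd -t before restarting the service so that a syntax error in the file does not lock you out.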

vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------

service sshd restart

Adjust syslog

vi /etc/rsyslog.conf
------------------------------ cut here ------------------------------
*.*                                                /var/log/all.log
------------------------------ cut here ------------------------------

touch /var/log/all.log
chmod 600 /var/log/all.log

systemctl restart rsyslog.service

vi /etc/logrotate.d/syslog
------------------------------ cut here ------------------------------
/var/log/all.log
------------------------------ cut here ------------------------------

Enable NTP

yum install ntp

vi /etc/ntp.conf
------------------------------ cut here ------------------------------
restrict 10.20.1.9 mask 255.255.255.255 nomodify notrap
------------------------------ cut here ------------------------------

systemctl is-enabled ntpd.service
systemctl enable ntpd.service
systemctl restart ntpd.service

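Make SELinux permissive

Note: in permissive mode SELinux only logs policy violations and no longer blocks them, so the mail and web services on this host lose that containment layer. The value written to the file takes effect at the next boot.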

vi /etc/sysconfig/selinux
------------------------------ cut here ------------------------------
SELINUX=permissive
------------------------------ cut here ------------------------------

restorecon -RFv /etc

Disable postfix

systemctl stop postfix.service
systemctl disable postfix.service

Update CentOS

yum update

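Install Zimbra Collaboration Server Open Source Edition 8.7.11

Note: this build carries a 2017 timestamp in its file name. Check whether the release still receives security fixes before exposing it to the Internet, and verify the downloaded archive against a checksum published by Zimbra. "./install.sh -u" removes any existing ZCS installation before the fresh install that follows.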

cd /root
wget https://files.zimbra.com/downloads/8.7.11_GA/zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
tar zxf zcs-8.7.11_GA_1854.RHEL7_64.20170531151956.tgz
cd zcs-8.7.11_GA_1854.RHEL7_64.20170531151956
systemctl stop httpd.service
./install.sh -u
./install.sh

su - zimbra

zmcontrol restart

zmcontrol status
------------------------------ cut here ------------------------------
Host zcs-host.domain
        amavis                  Running
        antispam                Running
        antivirus               Running
        dnscache                Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        opendkim                Running
        proxy                   Running
        service webapp          Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zimbra webapp           Running
        zimbraAdmin webapp      Running
        zimlet webapp           Running
        zmconfigd               Running
------------------------------ cut here ------------------------------

zmupdateauthkeys

su - root

/opt/zimbra/libexec/zmsyslogsetup

su - zimbra

zmcontrol restart

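Install Z-Push 2.3.7

Note: the Z-Push archive is downloaded over plain HTTP, so check it against a checksum from a trusted source before unpacking it under the web root. The config.php values further down set PROVISIONING to false, which should mean that Z-Push does not require devices to accept a security policy; confirm that this matches your mobile-device policy.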

yum install php-process
yum install php-cli php-soap php
yum install perl-JSON perl-Crypt-OpenSSL-RSA perl-libwww-perl bc
yum install php-mbstring

cd /root
wget http://download.z-push.org/final/2.3/z-push-2.3.7.tar.gz
tar zxf z-push-2.3.7.tar.gz
mv z-push-2.3.7 /var/www/html/z-push-2.3.7
ln -s /var/www/html/z-push-2.3.7 /var/www/html/z-push

mkdir /var/lib/z-push /var/log/z-push
chmod 755 /var/lib/z-push /var/log/z-push
chown apache:apache /var/lib/z-push /var/log/z-push

vi /etc/httpd/conf.d/z-push.conf
------------------------------ cut here ------------------------------
Alias /Microsoft-Server-ActiveSync /var/www/html/z-push/index.php
php_flag magic_quotes_gpc off
php_flag register_globals off
php_flag magic_quotes_runtime off
php_flag short_open_tag on
------------------------------ cut here ------------------------------

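Download zimbra66.tgz and zpzb-install.sh from the Zimbra Backend project. The install script is run as root below, so get both files from the project's official download location and read the script before executing it.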

mv zimbra66.tgz zpzb-install.sh /var/www/html/z-push/backend
chmod 755 /var/www/html/z-push/backend/zpzb-install.sh
cd /var/www/html/z-push/backend
./zpzb-install.sh 66

ln -s /var/www/html/z-push/backend/zimbra66 /var/www/html/z-push/backend/zimbra

chown -R root:root /var/www/html

systemctl is-enabled httpd.service
systemctl enable httpd.service
systemctl restart httpd.service

vi /var/www/html/z-push/config.php
------------------------------ cut here ------------------------------
define('USE_FULLEMAIL_FOR_LOGIN', true);
define('PROVISIONING', false);
define('LOOSE_PROVISIONING', true);
define('BACKEND_PROVIDER', 'BackendZimbra');
------------------------------ cut here ------------------------------

vi /var/www/html/z-push/backend/zimbra/config.php
------------------------------ cut here ------------------------------
define('ZIMBRA_URL', 'https://zcs-host.domain');
define('ZIMBRA_DISABLE_URL_OVERRIDE', true);
------------------------------ cut here ------------------------------

vi /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
------------------------------ cut here ------------------------------
        #set $mailhostport ${web.http.uport};   # replace this with *the* mailhost port
        set $mailhostport 80;   # replace this with *the* mailhost port
        #proxy_pass          ${web.upstream.target};
        proxy_pass          http://zcs-host.domain;
------------------------------ cut here ------------------------------

su - zimbra

zmproxyctl restart

su - root

chown -R root:root /var/www/.

/var/www/html/z-push/z-push-admin.php -a list

su - zimbra

zmcontrol restart

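Adjust Zimbra configuration

Note: "zmprov generateDomainPreAuthKey" creates a domain-wide secret; whoever holds the preauth key can obtain a session for any account in the domain without a password. Generate it only if something actually uses preauth, and treat the output of "zmprov gd domain zimbraPreAuthKey" as a credential (keep it out of logs, tickets and shared terminals).

When reading the commands below: zimbraMtaMaxMessageSize is set twice and the later value (44040192) is the one that remains; multi.uribl.com is added and then removed again, so it ends up unused; and the fqrdns.pcre file is referenced by a restriction before the wget that fetches it. Download that file first and review it, since it is pulled from the master branch of a third-party repository.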

su - zimbra

zmprov md domain zimbraPublicServiceProtocol https

zmprov generateDomainPreAuthKey domain

zmprov gd domain zimbraPreAuthKey

zmprov mcf zimbraMtaMaxMessageSize 204857600

zmprov ms zcs-host.domain zimbraMtaLmtpHostLookup native
zmmtactl restart

zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

vi /opt/zimbra/conf/postfix_reject_sender
------------------------------ cut here ------------------------------
domain REJECT
------------------------------ cut here ------------------------------

postmap /opt/zimbra/conf/postfix_reject_sender

vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
------------------------------ cut here ------------------------------
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks, reject_sender_login_mismatch
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
------------------------------ cut here ------------------------------

zmmtactl stop
zmmtactl start

zmprov ms zcs-host.domain +zimbraServiceEnabled cbpolicyd

zmprov ms zcs-host.domain zimbraCBPolicydGreylistingEnabled TRUE
zmprov ms zcs-host.domain zimbraFileUploadMaxSize 44040192
zmprov ms zcs-host.domain zimbraMailContentMaxSize 44040192
zmprov mcf zimbraMtaMaxMessageSize 44040192

zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true

vi /opt/zimbra/data/spamassassin/localrules/local.cf
------------------------------ cut here ------------------------------
rewrite_header Subject *****SPAM*****
------------------------------ cut here ------------------------------

zmprov ms zcs-host.domain +zimbraMtaRestriction reject_unknown_reverse_client_hostname
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_non_fqdn_sender"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov ms zcs-host.domain -zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov ms zcs-host.domain +zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org"
zmprov ms zcs-host.domain +zimbraMtaRestriction 'check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre'

zmprov mcf +zimbraMtaRestriction "reject_invalid_helo_hostname"
zmprov mcf +zimbraMtaRestriction "reject_non_fqdn_sender"

zmprov mcf +zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client psbl.surriel.com"
zmprov mcf +zimbraMtaRestriction "reject_rbl_client b.barracudacentral.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client dbl.spamhaus.org"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov mcf -zimbraMtaRestriction "reject_rhsbl_client multi.uribl.com"
zmprov mcf +zimbraMtaRestriction "reject_rhsbl_client multi.surbl.org"

cd /opt/zimbra/conf
wget https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre/raw/master/fqrdns.pcre

zmprov mcf +zimbraMtaRestriction 'check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre'

zmprov mcf zimbraAmavisLogLevel 2

rpl '# $bad_header_quarantine_method = undef;' '$bad_header_quarantine_method = undef;' /opt/zimbra/conf/amavisd.conf*

zmamavisdctl restart

vi /var/www/html/index.html
------------------------------ cut here ------------------------------
<html>
<head>
<meta http-equiv="Refresh"
  content="0; URL=https://zcs-host.domain">
</head>
<body>
</body>
</html>
------------------------------ cut here ------------------------------

/opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=XX/ST=XXX/L=XXX/O=XXX/OU=XXX/CN=zcs-host.domain"

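Submit the CSR to a certificate authority (e.g. GoDaddy) and get your signed SSL certificate and the CA bundle. The file names in the deploy command below are examples; use the files you received. The private key created by createcsr stays on the server and is never sent to the CA.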

/opt/zimbra/bin/zmcertmgr deploycrt comm abe8bda51fd18943.crt gd_bundle-g2-g1.crt

service zimbra restart
systemctl restart httpd.service

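Optionally install the Wazuh agent (if you have a Wazuh manager)

Note: the agent-auth command below enrolls the agent without a password. If your manager enforces password-protected enrollment, the agent has to be given that password as well; and if it does not, restrict who can reach the manager's enrollment port.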

cat > /etc/yum.repos.d/wazuh.repo <<\EOF
[wazuh_repo]
gpgcheck=1
gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH
enabled=1
name=CentOS-$releasever - Wazuh
baseurl=https://packages.wazuh.com/yum/el/$releasever/$basearch
protect=1
EOF

yum install wazuh-agent
yum install openscap-scanner

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
  <wodle name="open-scap">
    <disabled>no</disabled>
------------------------------ cut here ------------------------------

/var/ossec/bin/agent-auth -m wazuh_manager_ip_address

rpl MANAGER_IP wazuh_manager_ip_address /var/ossec/etc/ossec.conf

systemctl enable wazuh-agent.service
systemctl restart wazuh-agent.service