Zimbra Collaboration Suite Secure Update

    It so happened that system administrators are always distrustful of everything new. Literally everything, from new server platforms to software updates, is perceived with caution, exactly until the first practical experience of use and positive feedback from colleagues from other enterprises appear. It is understandable, because when you are literally the head responsible for the performance of the enterprise and the safety of important information, over time you cease to trust even yourself, not to mention contractors, subordinates or ordinary users.

    The distrust of software updates is caused by a lot of unpleasant cases when installing fresh patches led to a drop in performance, changes in the user interface, a failure of the information system, or, which is especially unpleasant, data loss. However, updates cannot be completely abandoned, in which case the infrastructure of your enterprise may be attacked by cybercriminals. It’s enough to recall the sensational case of the WannaCry virus, when data stored on millions of computers not updated to the latest version of Windows turned out to be encrypted. This incident not only cost the workplace of more than one hundred system administrators, but also clearly showed the need to develop a new policy for updating software products in the enterprise, which would allow combining security and speed of their installation. Let's look at how the Zimbra Collabration Suite Open-Source Edition can be updated on the eve of the Zimbra 8.8.15 LTS release to ensure that all critical data is guaranteed to be secure.


    One of the main features of Zimbra Collaboration Suite is that almost all of its links can be duplicated. In particular, in addition to the main LDAP-Master server, you can add duplicate LDAP-replica, to which, if necessary, you can transfer the functions of the main LDAP server. You can also duplicate proxy servers and servers with MTA. Such duplication allows, if necessary, to remove individual links of the infrastructure from the infrastructure during the upgrade and, thanks to this, reliably protect itself not only from long downtime, but also from data loss in the event of an unsuccessful upgrade.

    Unlike other links in the infrastructure, duplication of mail repositories in Zimbra Collaboration Suite is not supported. Even if there are several mail storages in your infrastructure, the data of each mailbox can be located on any one mail server. That is why one of the main rules of data safety during updating is the timely backup of information on mail storages. The fresher your backup, the more data will be saved in case of an emergency. However, there is a nuance here that the free edition of Zimbra Collaboration Suite does not have a built-in backup mechanism and you will have to use the built-in GNU / Linux tools to create backups. However, if your Zimbra infrastructure has multiple mail storages, Since the size of the mail archive is large enough, each such backup can take a very long time, and also create a serious load on the local network and on the servers themselves. In addition, during prolonged copying, the risks of various force majeure events increase sharply. Also, if you perform such a backup without stopping the service, there is a risk that some files may not be copied correctly, which will lead to the loss of some data.

    That is why in case you need to back up large amounts of information from mail storages, it is better to use incremental backup, which avoids the complete copying of all information, and back up only those files that appeared or underwent changes after the previous full backup was taken. This greatly speeds up the process of removing backups, and also allows you to quickly start installing updates. Incremental backups in Zimbra Open-Source Edition can be achieved using the Zextras Backup modular extension, part of the Zextras Suite.

    Another powerful tool Zextras PowerStore allows the system administrator to deduplicate data on the mail storage. This means that all the same attachments and duplicate emails on the mail server will be replaced with one source file, and all repetitions will turn into transparent symbolic links. Due to this, it is possible to achieve not only significant savings in hard disk space, but also a significant reduction in the size of the backup, which allows to reduce the time of a full backup and, accordingly, to carry out it much more often.

    But the main opportunity that Zextras PowerStore can provide for secure updates is the transfer of mailboxes between mail servers in Zimbra multiserver infrastructures. Thanks to this feature, the system administrator gets the opportunity to do exactly the same thing with mail storages as we did with the MTA and LDAP servers to securely update them. For example, if there are four mail storages in the Zimbra infrastructure, you can try to distribute the mailboxes from one of them to the other three, and when the first mail store is empty, you can update it without any fear for data safety. If the system administrator has a spare mail store in the infrastructure, he can use it as a temporary storage for mailboxes,

    To perform such a transfer allows the console command DoMoveMailbox . In order to use it in order to transfer all accounts from the mail store, you must first get their full list. In order to achieve this, on the mail server, execute the command zmprov sa zimbraMailHost = mailbox.example.com> accounts.txt . After its execution, we will receive the accounts.txt file with a list of all mailboxes on our mail store. After that, you can immediately use it to transfer accounts to another mail store. It will look, for example, like this:

    zxsuite powerstore doMailboxMove reserve_mailbox.example.com input_file
    accounts.txt stages data, account notifications admin@example.com

    The command is executed twice in order to copy all the data for the first time without transferring the account itself, and the second time, since the data is transferred incrementally, copy all the data that appeared after the first transfer, and then transfer the accounts themselves. We draw your attention to the fact that the transfer of the account is accompanied by a short period of inaccessibility of the mailbox, and it will be reasonable to warn users about this. In addition, after the completion of the second command, the administrator receives an appropriate notification in the mail. Thanks to him, the administrator can quickly start updating the mail store.

    If the software update on the mail storage is carried out by the SaaS provider, it will be much more reasonable to transfer the data not to accounts, but to the domains that are located on it. For these purposes, it is enough to modify the input command a little:

    zxsuite powerstore doMailboxMove secureserver.saas.com domains client1.ru, client2.ru
    , client3.ru stages data, account notifications admin @ saas .com

    After the transfer of accounts and their data from the mail storage is completed, the data on the source server ceases to be of any significance, and you can start updating the mail server without any concerns about their safety.

    For those who want to minimize downtime when moving mailboxes, a completely different scenario for using the zxsuite powerstore doMailboxMove command is ideal, the essence of which is that mailboxes are transferred immediately to the updated servers, without the need for intermediate servers. In other words, we add a new mail storage to the Zimbra infrastructure, which has already been updated to the latest version, and then simply transfer accounts from an unrenewed server to it in a familiar scenario and repeat the procedure until all servers in the infrastructure are updated.

    This method allows you to transfer accounts once and thereby reduce the time during which mailboxes will remain unavailable. In addition, its implementation will require only one additional mail server. However, it should be used with caution to those administrators who deploy mail storages on servers with different configurations. The fact is that the transfer of a large number of accounts to a weaker server can negatively affect the availability and responsiveness of the service, which can be quite critical for large enterprises and SaaS providers.

    Thus, thanks to Zextras Backup and Zextras PowerStore, the Zimbra system administrator gets the opportunity to update all nodes of the Zimbra infrastructure without any risk to the information stored on them.

    For all questions related to the Zextras Suite, you can contact the representative of Zextras Katerina Triandafilidi by e-mail katerina@zextras.com

    Also popular now: