This is my experience with a Zimbra server that could not upload files from webmail. Some of the guidelines were obtained from the Zimbra Forums, Lorenzo Milesi's blog and my own instinct 🙂
Previously, the Zimbra webmail got stuck after the user logged in, and the solution was written here: https://imanudin.net/2019/05/27/solved-zimbra-webmail-stuck-after-login/. But some visitors of this blog were still having problems after performing the solution from that article. So I tried to examine the problem more deeply and looked for a solution in the Zimbra forum and elsewhere.
And this is what I did:
– Remove authorized_keys and update SSH Key
su - zimbra
rm /opt/zimbra/.ssh/authorized_keys
zmsshkeygen
zmupdateauthkeys
– Stop Zimbra service
zmcontrol stop
Stop the Zimbra service to ensure that no service is running as the zimbra user. If services are still running as the zimbra user afterwards, they should be treated as suspicious
– Check crontab
When I checked the Zimbra crontab, I found these lines
*/30 * * * * /opt/zimbra/log/zmswatcher
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
Sometimes I also find a cbstat entry. This file is not part of cbpolicyd. You can find cbstat in /opt/zimbra/cbpolicyd/bin/. Do not remove the line from the crontab before stopping the script; please follow the instructions below
– Check the PID files and remove their access permissions
You will find the PID files in the /tmp folder. In my case, I found zmcheckexpiredcerts.pid and cbstat.pid. Change the permissions of the PID files and of the scripts. Perform the commands below as ROOT
cd /tmp/
chmod a-rwx zmcheckexpiredcerts.pid cbstat.pid
chmod a-rwx /opt/zimbra/log/zmswatcher
chmod a-rwx /opt/zimbra/lib/zmcheckexpiredcerts
– Check the running scripts and kill them
ps ax | grep -i zmswatch
ps ax | grep -i zmcheckexpiredcerts
ps ax | grep -i cbstat
You will find the scripts running like this; kill their PIDs
16873 ? Sl 0:17 /opt/zimbra/log/zmswatch
16533 ? S 0:00 /opt/zimbra/cbpolicyd/bin/cbstat
kill -9 16873 16533
– Check for files that have been infected by the uploaded malware
grep -R '(request.getParameter.' /opt/zimbra/mailboxd
grep -R '(request.getParameter.' /opt/zimbra/jetty
grep -R "if.*equals(" /opt/zimbra/mailboxd
grep -R "if.*equals(" /opt/zimbra/jetty
You will get infected files like this:
Delete the infected files found by the grep commands. You can check more deeply for strange lines between if and equals, such as
if ( "XXXXxx8I9_Q6ATeWB5DuB_v_OT4EKtyD7tmCXxxxx" .equals
grep -R "XXXXxx8I9_Q6ATeWB5DuB_v_OT4EKtyD7tmCXxxxx" /opt/zimbra/mailboxd
Sometimes the strange lines infect the login.jsp file. Please back it up first before you delete it, or replace login.jsp with a copy from another Zimbra server that runs the same version
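The crontab review and the search for suspicious if ... .equals( lines described above, as an added shell example that is not part of the original article. It assumes an allowlist of directories in which Zimbra keeps its own cron scripts and a heuristic of a literal token of 20 or more characters being compared with .equals(; both are my own choices, not something the article or Zimbra define. The sample crontab and JSP files are constructed, and the token in the sample is the article's own placeholder, not a real indicator.

```shell
#!/bin/sh
# Added example (not code from the original article): two of the checks described
# above, the crontab review and the grep for suspicious "if ... .equals(" lines,
# written as reusable functions and run against constructed sample data so the
# script can be tried offline. The allowlist of crontab directories and the
# "long literal token" heuristic are assumptions; tune them to your installation.

# Directories in which Zimbra ships its own scheduled scripts (assumption).
ALLOWED_CRON_DIRS='/opt/zimbra/bin/ /opt/zimbra/libexec/ /opt/zimbra/common/bin/'

# Read crontab text on stdin and print the command path of every entry whose
# executable is not under an allowed directory. Comments, blank lines and the
# ZIMBRASTART/ZIMBRAEND markers are skipped. Only the five-field form is handled
# (assumption: Zimbra's crontab does not use @daily-style shortcuts).
flag_crontab_entries() {
  while IFS= read -r line; do
    case "$line" in
      ''|\#*) continue ;;
    esac
    # field 6 of a five-field crontab line is the command; its first word is the path
    cmd=$(printf '%s\n' "$line" | awk '{print $6}')
    ok=0
    for d in $ALLOWED_CRON_DIRS; do
      case "$cmd" in
        "$d"*) ok=1 ;;
      esac
    done
    if [ "$ok" -eq 0 ]; then
      printf '%s\n' "$cmd"
    fi
  done
  return 0
}

# List files under $1 in which a long alphanumeric literal (20+ characters) is
# compared with .equals( -- a narrower form of the article's grep "if.*equals(",
# which also matches ordinary short comparisons such as "admin".equals(...).
find_token_compare() {
  grep -RlE '"[A-Za-z0-9_-]{20,}"[[:space:]]*\.equals\(' "$1" 2>/dev/null | sort
  return 0
}

# Build a constructed sample tree: one ordinary JSP and one carrying the kind of
# line the article shows (the token is the article's placeholder, not a real
# indicator). Prints the directory path so the caller can scan and remove it.
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/clean.jsp" <<'EOF'
<%
  String user = request.getParameter("username");
  if ("admin".equals(request.getParameter("role"))) { /* ordinary short literal */ }
%>
EOF
  cat > "$d/suspect.jsp" <<'EOF'
<%
  if ("XXXXxx8I9_Q6ATeWB5DuB_v_OT4EKtyD7tmCXxxxx".equals(request.getParameter("p"))) {
    /* body intentionally left empty in this constructed sample */
  }
%>
EOF
  printf '%s\n' "$d"
}

# Constructed crontab text modelled on the entries quoted in the article plus one
# legitimate-looking Zimbra entry under /opt/zimbra/libexec.
SAMPLE_CRONTAB='*/30 * * * * /opt/zimbra/log/zmswatcher
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
0 2 * * * /opt/zimbra/libexec/zmlogprocess
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART'

# Stand-alone run: show what each check flags on the sample data.
echo "== crontab entries outside the allowed directories =="
printf '%s\n' "$SAMPLE_CRONTAB" | flag_crontab_entries
sample=$(make_sample_tree)
echo "== files comparing a long literal token with .equals( =="
find_token_compare "$sample"
rm -rf "$sample"
```

On a real server, feed the output of crontab -l -u zimbra into flag_crontab_entries and point find_token_compare at /opt/zimbra/mailboxd and /opt/zimbra/jetty; anything flagged still needs a manual look, since the allowlist and the token length are heuristics.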
– Make sure there are no processes running as the zimbra user.
Run this command to check
top U zimbra
– Remove Script
Once all infected files have been deleted, you can delete the scripts that were running before
rm /opt/zimbra/log/zmswatch
rm /opt/zimbra/cbpolicyd/bin/cbstat
rm /opt/zimbra/lib/zmcheckexpiredcerts
– Recreate crontab using this guidance: https://wiki.zimbra.com/wiki/Step_to_rebuilt_crontab_file_of_zimbra_user
– Change the permissions of the upload folder
chown zimbra.zimbra /opt/zimbra/data/tmp
chown zimbra.zimbra /opt/zimbra/data/tmp/upload
chmod 777 /opt/zimbra/data/tmp
chmod 750 /opt/zimbra/data/tmp/upload
– Download and install Zimbra patch (if any)
The permanent solution is to migrate your Zimbra server to a new one. You can follow the guidelines from Zimbra here: https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server
If you need professional services, do not hesitate to contact me 🙂
Good luck 🙂
I think this can only be temporary… the permissions will surely revert again. It seems that once a Zimbra server has been hacked it is hard to clean, mas… because the hacker's script has already messed up our files
Correct,
The permanent solution is indeed to upgrade. But I tried this method yesterday and it has worked up to now, while the migration from the old server to the new one is also in progress
I am using ZCS 8.7.10 multi-server and succeeded with the steps above, but after a few hours it relapsed again, mas… hehehehehe. Is the solution really to upgrade or patch? Is it only necessary to clean the mailbox server, mas?
Is there another way to back up without using Zextras, since our Zextras has already expired… thanks mas Imanuddin for the article
Hi mas Fendi,
For Zimbra version 8.7.10 there is indeed no patch. So it will probably relapse again even after being cleaned. The recommendation is to upgrade to the latest version as soon as possible
The safest and easiest way, if you already use virtualization, is to simply restore a clean image, then check the crontab and clean it up, and after that close ports 7071, 80 and 443. That is what I do and it has been safe until now… to access those ports I use a VPN
zmbackup command not found when performing a full backup for the server rebuild
Zimbra version: Release 8.6.0_GA_1153.RHEL7_64_20141215151110 RHEL7_64 FOSS edition, Patch 8.6.0_P14.
Hello Sadik,
You can ignore the warning. The zmbackup command is only available in Zimbra NE
I have tried the steps above; it has been almost 2 weeks and, alhamdulillah, everything is normal. I re-created the crontab as in the link: https://wiki.zimbra.com/wiki/Step_to_rebuild_crontab_file_of_zimbra_user
In the crontab there is only:
*/60 * * * * /opt/zimbra/libexec/zmmysqlstatus
# ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART
Will that be a problem? Since trying the steps above I have not restarted the server yet, I have only stopped the Zimbra service.
Thank you
For information, I am using Zimbra version: Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P14.
I used step A in the link: https://wiki.zimbra.com/wiki/Step_to_rebuild_crontab_file_of_zimbra_user
Hi mas,
It is certain that the crontab is wrong. The zmmysqlstatus file can be deleted
Hi Iman,
How to increase briefcase upload size?
Hi Joseph Vimalan,
You can increase this value: zimbraFileUploadMaxSize