Zimbra

Solved: Zimbra Error Uploading File

This is my experience with a Zimbra server whose users could not upload files from webmail. Some of the guidelines were obtained from the Zimbra Forums, Lorenzo Milesi's blog, and my instinct 🙂

Previously, the Zimbra webmail got stuck after user login, and the solution was written up here: https://imanudin.net/2019/05/27/solved-zimbra-webmail-stuck-after-login/. But some visitors to this blog still had problems after applying the solution from that article. So I tried to examine the problem more deeply and looked for a solution on the Zimbra forum and elsewhere.

This is what I did:

– Remove authorized_keys and update SSH Key

su - zimbra
rm /opt/zimbra/.ssh/authorized_keys
zmsshkeygen
zmupdateauthkeys

– Stop Zimbra service

zmcontrol stop

Stopping the Zimbra service ensures that no service is running as the zimbra user. If anything is still running as the zimbra user after that, it should be treated as suspect.

– Check crontab

When I checked the Zimbra crontab, I found these lines:

*/30 * * * * /opt/zimbra/log/zmswatcher
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts

Sometimes I also find a cbstat service. The file is not part of cbpolicyd. You can find cbstat in /opt/zimbra/cbpolicyd/bin/. You cannot remove the line from the crontab before stopping the script, so follow the next steps below.

– Check the PID files and remove their access permissions

You will find PID files in the /tmp folder. In my case, I found zmcheckexpiredcerts.pid and cbstat.pid. Change the permissions of the PID files. Run the commands below as root:


cd /tmp/
chmod a-rwx zmcheckexpiredcerts.pid cbstat.pid
chmod a-rwx /opt/zimbra/log/zmswatcher
chmod a-rwx /opt/zimbra/lib/zmcheckexpiredcerts

– Check the running script and kill

ps ax | grep -i zmswatch
ps ax | grep -i zmcheckexpiredcerts
ps ax | grep -i cbstat

You will find running scripts like these; kill their PIDs:

16873 ?        Sl     0:17 /opt/zimbra/log/zmswatch
16533 ?        S      0:00 /opt/zimbra/cbpolicyd/bin/cbstat


kill -9 16873 16533

– Check for files that have been infected to upload malware

grep -R '(request.getParameter.' /opt/zimbra/mailboxd
grep -R '(request.getParameter.' /opt/zimbra/jetty
grep -R "if.*equals(" /opt/zimbra/mailboxd
grep -R "if.*equals(" /opt/zimbra/jetty

You will get an infected file like this:

Delete the infected files identified by the grep commands. You can check deeper by looking for strange strings between if and equals:

if  ( "XXXXxx8I9_Q6ATeWB5DuB_v_OT4EKtyD7tmCXxxxx" .equals


grep -R "XXXXxx8I9_Q6ATeWB5DuB_v_OT4EKtyD7tmCXxxxx" /opt/zimbra/mailboxd

Sometimes the strange lines infect the login.jsp file. Please back it up before you delete it, or replace login.jsp with the file from another Zimbra server running the same version.
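
The `if.*equals(` and `request.getParameter` greps above also match ordinary JSP code, so the sketch below (an added example, not part of the original post) narrows them to the shape of the sample line: a long quoted token compared with `.equals` in a JSP file that also reads request parameters. The 24-character threshold, the function names, and the quarantine directory are assumptions; adjust them for your server.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Threshold and paths are assumptions.
MIN_TOKEN_LEN="${MIN_TOKEN_LEN:-24}"   # assumed minimum length of a "strange" literal

# ERE: a quoted run of token characters, optional whitespace, then .equals
token_gate_re() {
    printf '"[A-Za-z0-9_-]{%s,}"[[:space:]]*[.]equals' "$MIN_TOKEN_LEN"
}

# Print path:line:text for each JSP line that compares a long literal with .equals
find_token_gates() {
    grep -R -n -E --include='*.jsp' -e "$(token_gate_re)" -- "$1" 2>/dev/null
}

# Print only the JSP files that contain a token gate AND read request parameters.
suspect_files() {
    local f
    grep -R -l -E --include='*.jsp' -e "$(token_gate_re)" -- "$1" 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -F -e 'request.getParameter' -- "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Keep evidence: record the SHA-256, copy the file aside, then strip all
# permissions from the original (same chmod the post applies to the scripts).
quarantine() {
    local file="$1" dest="$2"
    mkdir -p -- "$dest" || return 1
    sha256sum -- "$file" >> "$dest/SHA256SUMS" || return 1
    cp -p -- "$file" "$dest/$(basename -- "$file").$(date +%s)" || return 1
    chmod a-rwx -- "$file"
}

# Stand-alone use: ./scan.sh /opt/zimbra/jetty   (review hits before quarantining)
if [ "$#" -gt 0 ]; then
    find_token_gates "$1"
fi
```

A hit is a lead for manual review, not proof of infection; compare the file against a clean install of the same Zimbra version before removing it.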

– Make sure there are no processes running as the zimbra user.

Run this command to check:

top -U zimbra

– Remove the scripts

Once all infected files have been deleted, you can delete the scripts that were running before:

rm /opt/zimbra/log/zmswatch
rm /opt/zimbra/cbpolicyd/bin/cbstat
rm /opt/zimbra/lib/zmcheckexpiredcerts

– Recreate crontab using this guidance: https://wiki.zimbra.com/wiki/Step_to_rebuilt_crontab_file_of_zimbra_user

– Change the permissions of the upload folder

chown zimbra:zimbra /opt/zimbra/data/tmp
chown zimbra:zimbra /opt/zimbra/data/tmp/upload
chmod 777 /opt/zimbra/data/tmp
chmod 750 /opt/zimbra/data/tmp/upload

– Download and install Zimbra patch (if any)

The permanent solution is to migrate your Zimbra server to a new one. You can follow the guidelines made by Zimbra here: https://wiki.zimbra.com/wiki/Steps_To_Rebuild_ZCS_Server

If you need professional services, do not hesitate to contact me 🙂

Good luck 🙂

10 comments

  1. It seems this only works temporarily… the permissions will surely revert again. It seems that once a Zimbra server has been hacked, it is hard to clean up… because the hacker's script has already torn through our files.

    1. Right,
      The permanent solution is indeed to upgrade. However, I tried this method recently and it has worked until now, while the migration from the old server to the new server is also in progress.

      1. I am using ZCS 8.7.10 multiserver and succeeded with the method above, but after a few hours it came back again… hehehehehe. So the solution really has to be an upgrade or a patch? Does it only need to be cleaned on the mailbox server?
        Is there another way to back up without using Zextras? Our Zextras has expired… Thanks, Imanuddin, for the article.

        1. Hi Fendi,
          For Zimbra version 8.7.10 there is indeed no patch. So it will likely come back even after it has been cleaned. The recommendation is to upgrade to the latest version immediately.

  2. The safest and easiest way, if you already use virtualization, is to just restore from an image that is still clean, then check the crontab and clean it, and after that close ports 7071, 80, and 443. That is what I did, and it has been safe until now… access to those ports goes through a VPN.

  3. zmbackup command not found when performing a full backup for server rebuild

    Zimbra version :- Release 8.6.0_GA_1153.RHEL7_64_20141215151110 RHEL7_64 FOSS edition, Patch 8.6.0_P14.

  4. I have tried the steps above, and for almost 2 weeks now, alhamdulillah, everything has been normal. I re-created the crontab as in this link: https://wiki.zimbra.com/wiki/Step_to_rebuild_crontab_file_of_zimbra_user
    The crontab only contains:
    */60 * * * * /opt/zimbra/libexec/zmmysqlstatus

    # ZIMBRAEND -- DO NOT EDIT ANYTHING BETWEEN THIS LINE AND ZIMBRASTART

    Will that not be a problem? From when I tried the steps above until now I have not restarted the server; I have only stopped the Zimbra service.

    Thank you
