ZI-ACCESS - Installation and Administration Guide

Installation or update

ZI-LicenseSystem must already be installed on the system before any other ZI-* zimlet is installed. See: ZI-LicenseSystem - Installation or update

To update the zimlet to a newer version, follow the installation steps and answer Y when the installer asks whether you want to update.

Download the latest version of the zimlet package from https://www.intalio.pl/en/zi-access-downloads and unpack it in /tmp (as root), for example:

cd /tmp
wget https://www.intalio.pl/sites/default/files/modules-files/zi-access-1.9-zimbra9.tar__0.gz
tar xvzf zi-access-1.9-zimbra9.tar__0.gz

Be sure to download the zimlet built for your Zimbra release, e.g. 8.8.15 or 9.0.0.

Run the installation script (as root):

cd ./ZI-Access-1.9-Zimbra9/
perl ./ZI-Installer --install-deps

At the beginning, the required Perl packages will be installed if they are not already available in the system.

Answer Y and wait until the package manager finishes its work.

Type Y and press Enter.

When the deployment process is done, you will be asked to provide the login and password that you can find in the license documents you received from us.

Choose the license number (usually you will see only one option), press Enter, verify that the details are correct and proceed by answering Y.

Your license will be downloaded and activated. In the last step you will be asked to restart the mailbox service. You can skip it (answer: N) and restart the mailboxd service manually later, but until then the zimlet will not work properly.

If you are going to install another zimlet right after this one, it is not necessary to restart the mailbox at this point; you can do it only once, after installing the last one.

After the mailboxd restart, the zimlet should be installed. To check it, log in to the Administration Console of your ZCS server and navigate to Tools and Migration > ZI-LicenseSystem, where you can find details about granted licenses, or to Tools and Migration > ZI-Access, where you can configure your zimlet.

reCAPTCHA (only in v2.x)

To use the reCaptcha feature, you have to manually copy the whole content of the helpers/reCaptcha_patch.html file into the /opt/zimbra/jetty/webapps/zimbra/public/login.jsp file, right before the

</body>
</html>

tags at the end of it.

After any Zimbra patch installation or Zimbra upgrade, /opt/zimbra/jetty/webapps/zimbra/public/login.jsp may be overwritten, so you have to check that the proper reCaptcha script is still in there after you finish updating your Zimbra.
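
One way to automate that check after each Zimbra patch or upgrade, as an added example that is not part of the vendor's package: the function succeeds only when every non-blank line of the patch file appears, in order, in login.jsp before the closing </body> tag. The function name and the make_sample helper with its placeholder file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): confirm login.jsp still carries the
# reCAPTCHA patch after a Zimbra patch or upgrade.

# recaptcha_patch_present PATCH JSP
# Succeeds only if every non-blank line of PATCH occurs in JSP, in order
# (leading/trailing whitespace ignored), before the closing </body> tag.
recaptcha_patch_present() {
    awk -v patch="$1" '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        BEGIN {
            # Load the expected lines; an unreadable or empty patch leaves n at 0.
            while ((getline line < patch) > 0) {
                line = trim(line)
                if (line != "") want[++n] = line
            }
        }
        {
            cur = trim($0)
            # </body> reached before the whole patch was seen: missing or misplaced.
            if (cur ~ /<\/body>/ && found < n) early = 1
            if (found < n && cur == want[found + 1]) found++
        }
        END { exit !(n > 0 && found == n && !early) }
    ' "$2"
}

# Constructed stand-ins for the two files, so the example runs offline.
make_sample() {   # $1 = directory, $2 = "patched" or "stock"
    printf '%s\n' '<!-- constructed placeholder patch -->' \
                  '<script>/* placeholder */</script>' > "$1/patch.html"
    {
        printf '%s\n' '<html>' '<body>' '<form>login</form>'
        if [ "$2" = patched ]; then sed 's/^/    /' "$1/patch.html"; fi
        printf '%s\n' '</body>' '</html>'
    } > "$1/login.jsp"
}

# On a real server, run from the unpacked installer directory (paths from this guide):
#   recaptcha_patch_present helpers/reCaptcha_patch.html \
#       /opt/zimbra/jetty/webapps/zimbra/public/login.jsp || echo "re-apply the patch"
```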

 

Zimlet configuration

Overview

To configure the ZI-Access zimlet, open the Administration Console > Tools and Migration > ZI-Access.

ZI-Access consists of the following display panes:

Configuration

The fields on the Configuration Panel have the following meaning:

After filling out the form, switch Module activation to YES and then click Save (in the top right corner).

If you use External Authentication (LDAP or Active Directory), you have to turn off Fallback to Local on your domains:

zmprov md contoso.com zimbraAuthFallbackToLocal FALSE

and use the Fallback checkbox in the ZI-Access settings if you want to.

reCAPTCHA

Soon

 

Necessary Zimbra configuration

Originating IP

In a multi-server environment, or any environment running a proxy, a mailbox server may only log the IP of the connecting proxy instead of the real client IP.

For example:

2022-09-06 15:21:29,972 INFO  [qtp192881625-932://localhost:8080/service/soap/BatchRequest] [name=admin@foss9lab.int.intalio.pl;oip=172.17.0.147;ua=zclient/9.0.0_GA_4373;soapId=7e375894;] account - Authentication successful for user: admin@foss9lab.int.intalio.pl

In such a case ZI-Access will not work.

To solve this, you have to define the Trusted IPs of your internal nginx proxies, so that the mailstores will instead capture the data on the originating IP from the HTTP traffic. By default, zimbraMailTrustedIP is empty:

zmprov gcf zimbraMailTrustedIP

By adding your nginx proxy addresses (as seen by the mailstores) to this attribute, it should then log appropriately. For example, if there are two nginx proxies 10.11.12.1 and 10.11.12.2:

zmprov mcf +zimbraMailTrustedIP 10.11.12.1 +zimbraMailTrustedIP 10.11.12.2

Note also that if you are running nginx on the same node as the mailstore, you will need to add both 127.0.0.1 and the real address of that node:

zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP 10.11.12.13

Then restart mailboxd:

zmmailboxdctl restart

Then check /opt/zimbra/log/mailbox.log to confirm that "oip=" now shows the real client IP address:

2022-09-06 15:56:50,653 INFO  [qtp192881625-128://localhost:8080/service/soap/BatchRequest] [name=admin@foss9lab.int.intalio.pl;oip=172.17.0.140;ua=zclient/9.0.0_GA_4373;soapId=6fbb7960;] account - Authentication successful for user: admin@foss9lab.int.intalio.pl
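
The log check described above can be scripted. This added example (not part of ZI-Access or Zimbra) scans authentication lines and reports every oip= value that equals one of your proxy addresses; the function names and the sample log, modelled on the lines in this guide with made-up accounts, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): flag mailbox.log authentication lines
# whose oip= is still a proxy address instead of the client address.

# proxy_oip_report LOG PROXY_IP...
# Prints "PROXY-OIP <ip> <account>" per offending line plus a summary line;
# returns 1 if any oip= equals a listed proxy. LOG may be "-" for stdin.
proxy_oip_report() {
    log=$1; shift
    awk -v proxies="$*" '
        BEGIN { n = split(proxies, p, " "); for (i = 1; i <= n; i++) is_proxy[p[i]] = 1 }
        /Authentication successful for user:/ {
            # oip= sits in the bracketed context block, terminated by ";"
            if (!match($0, /[;[]oip=[^;]*;/)) { missing++; next }
            oip = substr($0, RSTART + 5, RLENGTH - 6)
            checked++
            if (oip in is_proxy) { bad++; print "PROXY-OIP", oip, $NF }
        }
        END {
            printf "checked=%d proxy_oip=%d no_oip=%d\n", checked, bad, missing
            exit (bad > 0)
        }
    ' "$log"
}

# Constructed sample modelled on the log lines in this guide (accounts are made up).
sample_log() {
    cat <<'EOF'
2022-09-06 15:21:29,972 INFO  [qtp1-932://localhost:8080/service/soap/BatchRequest] [name=admin@example.test;oip=172.17.0.147;ua=zclient/9.0.0_GA_4373;soapId=7e375894;] account - Authentication successful for user: admin@example.test
2022-09-06 15:56:50,653 INFO  [qtp1-128://localhost:8080/service/soap/BatchRequest] [name=admin@example.test;oip=172.17.0.140;ua=zclient/9.0.0_GA_4373;soapId=6fbb7960;] account - Authentication successful for user: admin@example.test
2022-09-06 15:57:02,101 INFO  [qtp1-130://localhost:8080/service/soap/AuthRequest] [oip=172.17.0.147;ua=ZimbraWebClient;soapId=6fbb7961;] account - Authentication successful for user: user1@example.test
EOF
}

# Demo on the sample, treating 172.17.0.147 as the proxy address.
# On a mailstore: proxy_oip_report /opt/zimbra/log/mailbox.log 10.11.12.1 10.11.12.2
sample_log | proxy_oip_report - 172.17.0.147 || echo "some logins still show a proxy as oip"
```

An oip= that still equals a proxy address after the restart means that proxy, as seen by the mailstore, is missing from zimbraMailTrustedIP.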

 

Release Notes


ZI-Access 2.5