Updated: Installing Zimbra 7.0 (ZCS) on an EC2 instance

Zimbra can be installed on an Amazon AWS EC2 instance. However there are a few hoops you'll have to jump through to get it functioning properly. Namely, resizing an AMI image and configuring DNS correctly.

Setup your Amazon AWS Account

If you don't already have an Amazon Web Services account then sign up and provide your credit/debit card details

Once you're account is up and running there are a few things you'll need to do prior to installing the Zimbra Collaboration Suite on an EC2 instance.

Amazon Web Services Security Group Setup.

Before creating your instance, you'll need to configure a security group with the appropiate port requirements for Zimbra to function.

Give your security group a name (e.g. Zimbra ZCS), and configure the following required ports:

22 SSH (it's best to close this port after you complete the installation)

110 POP3 proxy port
143 IMAP proxy port
389 LDAP
993 IMAP SSL proxy port
995 POP3 SSL proxy port
7071 Zimbra Admin Console Port
7110 Zimbra Default POP3
7995 Zimbra Default POP3S
7143 Zimbra Default IMAP
7993 Zimbra Default IMAPS

The source for all ports is (N.B. You may not require all the above ports to be open. Choose the ones relevent for your use.)

Once you've created your security group it's time to setup your instance.

Amazon Web Services Instance Creation and Configuration.

For this installation I decided to use an Ubuntu ami image listed on alestic. (credit to Canonical for these ami's)

The image you use depends on which cloud region you want to set your instance up in.

Ubuntu 10.04 LTS 64bit Lucid EBS boot:

Cloud Region ami ID
US East 1 ami-63be790a
US West 1 ami-97c694d2
EU West 1 ami-5c417128
AP Southeast 1 ami-4af18918
AP Northeast 1 ami-34d36635

'ubuntu' is the account name used to access all the above images upon logging in.

(http://alestic.com/index.html will have the latest ami IDs.)

Because the default EBS storage size of all the above images is set to 8-15GB, you'll have to use the AWS EC2 AMI API and a command line interface to resize your instances EBS volume.

(If you're not sure on how to do this on windows, Steve Evans at SerkTools has a great tutorial. You'll also need to download the Amazon EC2 API Tools).

Once you have the command line setup, use the following command to create your custom instance. Amend the AMI ID and Region to reflect those of your choice. Next, override the default EBS volume size, specifying 100 GB (you can specify any size in GB suitable for your requirements) for the root disk device (/dev/sda1):

ec2-run-instances -t m1.large -g "Zimbra ZCS" -k yourkeypair
-b "/dev/sda1=:100:false" ami-3202f25b --region ap-southeast-1

If we check the EBS volume mapped to the new instance in the aws console, you’ll see that it is 100GB, but when you ssh to the instance and check the root file system size you’ll notice that it is only showing 8 GB:

$ df -h /
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              7.9G  723M   6.8G  10% /

There’s one step left. We need to resize the file system so that it fills up the entire 100 GB EBS volume. It'll take approx. 2-3 minutes to run:

$ sudo resize2fs /dev/sda1
resize2fs 1.41.11 (14-Mar-2010)
Filesystem at /dev/sda1 is mounted on /; on-line resizing required
old desc_blocks = 1, new_desc_blocks = 7
Performing an on-line resize of /dev/sda1 to 26214400 (4k) blocks.
The filesystem on /dev/sda1 is now 26214400 blocks long.

Finally we can check to make sure we're running a on a bigger filesystem:

$ df -h /
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              99G  735M   93G   1% /

Note: The output reflects “99” instead of “100” because of slight differences in how df and EBS calculate “GB” (e.g., 1024 MB vs 1000 MB).

Preparing Your Instance for the Zimbra ZCS Insallation

Log into your instance via SSH, and run the following commands to install bind:

$sudo su
$apt-get update
$apt-get install bind9

Now that we have Bind installed it's time to configure your DNS settings.

Depending on your instance, check /etc/default/bind9 to see the root directory path for your bind installation. If not other path is specified, then it's most likely /etc/bind/

Proper DNS configuration is PARAMOUNT! If you don't have your DNS working properly, don't even bother trying to install Zimbra, because trying to fix DNS post installation may result in an install that can do everything except send mail--even from a Zimbra user to themselves! So I'll say it again:

If you can't resolve your instances (mailserver's) own private IP address (NOT the public Elastic IP) using nslookup, fix it BEFORE you install Zimbra!

Now you have to configure the following files, which are in the directory /etc/bind. If the query-source address line is not present, add it. Note that the forwarders line is already there, it just needs to be uncommented, and in the case of the forwarders, the ip addresses of your favoured ISP's DNS servers need to be added. Note also that the syntax needs to be EXACTLY as shown below--leave out one semicolon or bracket and the whole thing will fail:

$sudo nano /etc/bind/named.conf.options

Your named.conf.options will look like the following:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

Edit it to look like this:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

the ip addresses on this file are public ip addresses of the DNS you use in the outside world (I opted to use Google's DNS servers & The line "query-source address * port 53" is to allow your machine to hit the DNS if oddball DNS ports are blocked. You can comment it if you don't need it.

Check /etc/resolv.conf :

$sudo nano /etc/resolv.conf

Edit the file so it looks like the following:

nameserver xxx.xxx.xxx.xxx
domain yourdomain.com

The IP address here should be your instances private ip address (e.g. 10.x.x.x). (update: if present, make sure to remove the search ec2.internal line. otherwise your server will cease to route incoming mail.)
Once you've fixed these two files and restarted bind

$sudo /etc/init.d/bind9 restart

you should be able to resolve names in the outside world. Try something like "ping google.com" and if you get an answer, you're on the way.

Now it's time to get the internal zone working. Append the following lines to /etc/bind/named.conf.local

zone "mydomain.com"  {
                type master;
                file "/etc/bind/db.mydomain.com";


zone "xxx.xxx.xxx.in-addr.arpa" {
                type master;
                file "/etc/bind/db.xxx.xxx.xxx";

Note that you need to type the full pathname to your db.* file. Also, be sure you don't miss a semicolon ";" in any of these lines that have them because a missing semicolon breaks the file. (db.xxx.xxx.xxx would be from your internal IP address, e.g. db.

The zone xxx.xxx.xxx.in-addr.arpa represents the reverse zone. You must insert your instances private IP address in the inverse order. Es.(192.168.1.x -> zone "1.168.192.in-addr.arpa")

Now create your file /etc/bind/db.mydomain.com

; BIND data file for mydomain.com
$TTL    604800
@       IN      SOA     mail.mydomain.com. admin.mydomain.com. (
                         070725         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       xxx.xxx.xxx.xxx
mail    IN      A       xxx.xxx.xxx.xxx

The ip address here is again your instances internal private  ip address; the string "admin.mydomain.com" is replaced with the email address you are using for administration, only with a "." instead of the "@" in the address. Be careful to increment the serial number one higher every time you modify this file or the changes won't stick. Many users use the date they edit the file for the serial number, but as long as you start low and only get higher it really doesn't matter.

Now create your file /etc/bind/db.xxx.xxx.xxx (where xxx.xxx.xxx represents your internal IP address).

@               IN      SOA     mail.mydomanin.com. admin.mydomain.com. (
                               1       ; Serial
                               8H      ; Refresh
                               2H      ; Retry
                               4W      ; Expire
                               1D)     ; Minimum TTL
                        NS      mail.mydomain.com.
x                       PTR     localhost.

Where "x" indicates the host id.

Now you may need to reboot your instance (restarting bind9 alone doesn't always work) and try to resolve your mail server.

nslookup mydomain.com

Hosts Table & Hostname

Before you get to the install you also need to modify your /etc/hosts  and/etc/hostname files:

Edit your /etc/hosts file to look like the following: localhost.localdomain localhost
xxx.xxx.xxx.xxx  mail.yourdomain.com mail

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

xxx.xxx.xxx.xxx represents your instance internal private ip address.

Now edit your /etc/hostname file to the the following:


Reboot your instance.

Now you're ready to install Zimbra.

Installing Zimbra

Make sure you run all the following commands as root. Create a directory to download the Zimbra installer to, and download the Ubuntu 10.04 LTS 64bit installer (the Zimbra downloads page will list the latest installer):

$sudo su
$mkdir zimbra
$cd zimbra
$wget http://files2.zimbra.com/downloads/7.1.2_GA/zcs-7.1.2_GA_3268.UBUNTU10_64.20110804130819.tgz

Next untar the download and run the installer from the newly created directory:

$tar xzvf zcs-7.1.2_GA_3268.UBUNTU10_64.20110804130819.tgz
$cd zcs-7.1.2_GA_3268.UBUNTU10_64.20110804130819

The installation may not work the first time, but it'll give you a list of missing dependencies. Write down all the package names it indicates are missing. Your list may be slightly different than mine, but whatever's missing, install them. Just separate each package name with a space like this:

apt-get install libperl5.10 sysstat sqlite3

Now re-run your Zimbra install and accept all the defaults except:

When it asks you for your domain, it's going to have your fully-qualified domain name (hostname.mydomain.com) rather than just the domain, and probably complain about not having an MX record. Change the hostname to just mydomain.com and it'll find the names through nslookup, and it'll be happy. The rest of the install should proceed without errors, except that toward the end it's going to ask you to "Address unconfigured items", this is the admin password, which is in menu item 3. (See step 8 of the Zimbra 7.0 Installation Guide for details on setting the admin password.)

Finally, when the install is done and it has given you the last "press Enter to finish" you are almost done. I recommend at this point that you convert your webmail to use https rather than http. This is a question of security, but it is also discretionary. If you choose to do this, then at the command prompt, type:

$sudo su
$su zimbra
$zmtlsctl redirect
$zmmailboxdctl stop
$zmmailboxdctl start

Then run the following command to ensure that all your Zimbra services are in a running state:

$zmcontrol status

You should see the following result:

Host mail.yourdomain.com
        antispam                Running
        antivirus               Running
        imapproxy               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        memcached               Running
        mta                     Running
        snmp                    Running
        spell                   Running
        stats                   Running
        zmconfigd               Running

If your installation is successful, you can go to https://xxx.xxx.xxx.xxx:7071 (your public Elastic IP address) to get the administrative console, or https://xxx.xxx.xxx.xxx to log in as a user.

Alternatively, you can go to http://mail.yourdomain.com if you've already setup your DNS records with your provider. (note: going to http://mail.yourdomain.com will auto redirect you to the secure https://mail.yourdomain.com site. You'll receive a certificate error. Just accept this to continue.)

Congratulations--one shiny new Zimbra installation on an Amazon EC2 instance.

Important note regarding EC2 private IP address persistence

By default, EC2 images don't have a persistent ip address, and each time an AMI is launched/rebooted it will probably have a new private ip and hostname.

You'll have to update the following files to reflect the private IP address change:

Edit /etc/bind/db.mydomain.com to reflect the new IP address, and make sure you increment the serial no. to a higher value.

Edit /etc/hosts to reflect the new private IP address.

Edit the /etc/resolv.conf to reflect the new private IP address.

Now restart the bind service:

$sudo /etc/init.d/bind9 restart

Restart the Zimbra server and your new private IP should be functional:

$su zimbra
$zmcontrol stop
$zmcontrol start

Important Update:

It seems that the resolv.conf file may be overwritten even during normal operation of your Zimbra server. This in effect disables the ability of the server to route mail. The following amendments will prevent this from happening.

Edit the /etc/dhclient.conf file (create one if it doesn't exist) to look like the following:

supersede  domain-name "yourdomain.com" ;
prepend domain-name-servers xxx.xxx.xxx.xxx ;my internal EC2 IP address

Where xxx.xxx.xxx.xxx represents your EC2's internal IP address (e.g. 10.x.x.x)

Next, run the following command to force the changes (if need be).

$ dhclient -r ; dhclient

After doing this, check your /etc/resolv.conf file to ensure the changes have indeed been made.

The resolv.conf settings should now remain permanent, and persist during normal daily operation of your Zimbra server.

Further Considerations

If you intend to utilize the above installation in production. You'll have to consider a few extra details:

By default Amazon AWS enforce default limits on the amount of email that can be sent from EC2 accounts. If you wish to send larger amounts of email from EC2, you can apply to have these limits removed from your account by filling out this form.

For the server to function without issue with most email clients you will need to install a verified SSL certificate.

You may also want to consider the type of the instance and size of EBS volume you configure, depending on the number of users you intend to support.

Thanks and Credit to the following sources for helping me put this tutorial together:

Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki http://bit.ly/gcS7VU
Zimbra Collaboration Suite - Quick Start Installtion Guide: http://bit.ly/hLx2H8
Split DNS - Zimbra :: Wiki http://bit.ly/ghI4vB
Amazon EC2 AMI Tools Reference: http://bit.ly/f4S6lZ
Alestic.com http://bit.ly/hKVQau
Setting Up EC2 Command Line Tools on Windows | SerkTools http://bit.ly/fhneQ5

Also, many thanks to the Zimbra forums!

comments powered by Disqus