zinstaller-10.1

#!/bin/bash

UVER=$(lsb_release -d)
if (echo $UVER) | grep -q "Ubuntu 22"; then
   echo $UVER is supported
else
   echo $UVER is not supported
   exit
fi

# Argbash - see https://argbash.io for more info
die() {
	local _ret="${2:-1}"
	test "${_PRINT_HELP:-no}" = yes && print_help >&2
	echo "$1" >&2
	exit "${_ret}"
}

u=`id -un`
if [ x$u != "xroot" ]; then
    echo "Error: must be run as root user"
    exit 1
fi

print_help() {
    printf '%s\n'
    printf '%s\n' "Install and configure Zimbra 10.1 ..."
    printf 'Usage: %s [-l|--license <arg>] [-p|--password <arg>] [-t|--timezone <arg>] [-le|--letsencypt <arg>] [-h|--help] <domain>\n' "$(basename $0)"
    printf '\t%s\n' "<domain>: Domain to install Zimbra for"
    printf '\t%s\n' "-l, --license: License file to use (mandatory key required)"
    printf '\t%s\n' "-p, --password: Admin password to use (no default)"
    printf '\t%s\n' "-n, --hostname: Hostname to use for the server (default: mail)"
    printf '\t%s\n' "-t, --timezone: Timezone to set the server to user (optional) (default: 'Singapore')"
    printf '\t%s\n' "-e, --letsencypt: Use Let's Encrypt for providing TLS certificates (optional y/n) (default: 'n')"
    printf '\t%s\n' "-a, --apache: Add support for spell check and convertd (optional y/n) (default: 'n')"
    printf '\t%s\n' "-h, --help: Prints help"
    printf '%s\n'
    printf '%s\n' "Usage: $(basename $0) [-l license-key] [-p mypassword] [-t 'TimeZone'] [-n Server-Name] [-a n] [-le y] Domain-Name"
    printf '%s\n' "Example: $(basename $0) -l xxx-alpha-numeric-xxx -p alRTFGmn1 -n zmail -t 'Europe/London' -a n -le y myorg.co.uk"
    exit 1
}

parse_commandline() {
    _positionals_count=0
    while test $# -gt 0; do
        _key="$1"
        case "$_key" in
            -l|--license)
                test $# -lt 2 && die "Missing value for the mandatory argument '$_key'." 1
                _arg_license="$2"
                shift
                ;;
            --license=*)
                _arg_license="${_key##--license=}"
                ;;
            -l*)
                _arg_license="${_key##-l}"
                ;;
            -p|--password)
                test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
                _arg_password="$2"
                shift
                ;;
            --password=*)
                _arg_password="${_key##--password=}"
                ;;
            -p*)
                _arg_password="${_key##-p}"
                ;;
            -n|--hostname)
                test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
                _arg_hostname="$2"
                shift
                ;;
            --hostname=*)
                _arg_hostname="${_key##--hostname=}"
                ;;
            -n*)
                _arg_hostname="${_key##-n}"
                ;;
            -t|--timezone)
                test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
                _arg_timezone="$2"
                shift
                ;;
            --timezone=*)
                _arg_timezone="${_key##--timezone=}"
                ;;
            -t*)
                _arg_timezone="${_key##-t}"
                ;;
            -a|--apache)
                test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
                _arg_apache="$2"
                shift
                ;;
            --apache=*)
                _arg_apache="${_key##--apache=}"
                ;;
            -a*)
                _arg_apache="${_key##-a}"
                ;;
            -e|--letsencrypt)
                test $# -lt 2 && die "Missing value for the optional argument '$_key'." 1
                _arg_letsencrypt="$2"
                shift
                ;;
            --letsencrypt=*)
                _arg_letsencrypt="${_key##--letsencrypt=}"
                ;;
            -e*)
                _arg_letsencrypt="${_key##-e=}"
                ;;
            -h|--help)
                print_help
                exit 0
                ;;
            -h*)
                print_help
                exit 0
                ;;
            *)
                _last_positional="$1"
                _positionals+=("$_last_positional")
                _positionals_count=$((_positionals_count + 1))
                ;;
        esac
        shift
    done
}

handle_passed_args_count() {
	local _required_args_string="'domain'"
	test "${_positionals_count}" -ge 1 || _PRINT_HELP=yes die "FATAL ERROR: Not enough positional arguments - we require exactly 1 (namely: $_required_args_string), but got only ${_positionals_count}." 1
	test "${_positionals_count}" -le 1 || _PRINT_HELP=yes die "FATAL ERROR: There were spurious positional arguments --- we expect exactly 1 (namely: $_required_args_string), but got ${_positionals_count} (the last one was: '${_last_positional}')." 1
}

assign_positional_args() {
	local _positional_name _shift_for=$1
	_positional_names="_arg_domain"

	shift "$_shift_for"
	for _positional_name in ${_positional_names}
	do
		test $# -gt 0 || break
		eval "$_positional_name=\${1}" || die "Error during argument parsing, possibly an Argbash bug." 1
		shift
	done
}

parse_commandline "$@"
handle_passed_args_count
assign_positional_args 1 "${_positionals[@]}"

if [ -z "$_arg_license" ]
then
    printf '%s\n' "License Key is missing ... Please check and re-run $(basename $0).\n"
    print_help
fi

MYIP=$(hostname -I | cut -f1 -d" " | tr -d '[:space:]')
LICENSE="$_arg_license"
DOMAIN="$_arg_domain"
HOSTONLY="${_arg_hostname:="mail"}"
HOSTNAME="${_arg_hostname:-"mail"}"."$DOMAIN"
TIMEZONE="${_arg_timezone:-"Asia/Kolkata"}"
LETSENCRYPT="${_arg_letsencrypt:-"n"}"
APACHE="${_arg_apache:-"n"}"
MYPASSWORD="${_arg_password:-$(openssl rand -base64 9)}"
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m' # No Color
SYSTEMMEMORY=$(($(grep MemAvailable /proc/meminfo | awk '{print $2}')/1024/1024))

# Only-Office repo is added by the installer 
#rm -f /etc/apt/sources.list.d/zimbra-onlyoffice.list
#cat > /etc/apt/sources.list.d/zimbra-onlyoffice.list << EOF
#deb     [arch=amd64] https://repo.zimbra.com/apt/onlyoffice-1010 focal zimbra
#EOF

echo "Updating system and installing some essential packages ..."
#What are the other essential packages?
DEBIAN_FRONTEND=noninteractive apt-get update -qq -y < /dev/null > /dev/null
DEBIAN_FRONTEND=noninteractive apt-get upgrade -qq -y < /dev/null > /dev/null
DEBIAN_FRONTEND=noninteractive apt-get install -qq -y apt-utils< /dev/null > /dev/null
DEBIAN_FRONTEND=noninteractive apt-get install -qq -y netcat-openbsd sudo libidn11 libpcre3 libgmp10 libexpat1 libstdc++6 libperl5.30 libaio1 resolvconf unzip pax sysstat sqlite3< /dev/null > /dev/null
DEBIAN_FRONTEND=noninteractive apt-get install -qq -y dnsmasq lsb-release net-tools netfilter-persistent dnsutils iptables sed wget rsyslog ldapscripts< /dev/null > /dev/null

#Make sure to enable PAM
cat /etc/ssh/sshd_config | grep -v -i usepam > /tmp/sshd_config
echo "UsePAM yes" >>/tmp/sshd_config
mv /tmp/sshd_config /etc/ssh/sshd_config
systemctl restart sshd

echo "Disabling some of the non-essential services for Zimbra ..."
systemctl stop postfix
systemctl disable postfix
systemctl mask postfix

systemctl stop iptables
systemctl disable iptables
systemctl mask iptables

systemctl stop httpd
systemctl disable httpd
systemctl mask httpd

systemctl stop exim
systemctl disable exim
systemctl mask exim

systemctl stop named
systemctl disable named
systemctl mask named

systemctl stop apache2
systemctl disable apache2
systemctl mask apache2

systemctl stop sendmail
systemctl disable sendmail
systemctl mask sendmail

systemctl stop mysqld
systemctl disable mysqld
systemctl mask mysqld

systemctl stop mariadb
systemctl disable mariadb
systemctl mask mariadb

systemctl stop systemd-resolved
systemctl disable systemd-resolved
systemctl mask systemd-resolved

systemctl stop ufw
systemctl disable ufw
systemctl mask ufw

systemctl enable rsyslog
systemctl restart rsyslog

#Install a DNS Server
echo "Configuring dnsmasq ..."
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.old
#create the conf file
printf 'server=8.8.8.8\nserver=8.8.4.4\nserver=9.9.9.9\nserver=149.112.112.112\nserver=1.1.1.1\nserver=1.0.0.1\nlisten-address=127.0.0.1\ndomain='$DOMAIN'\nmx-host='$DOMAIN','$HOSTNAME',0\naddress=/'$HOSTNAME'/'$MYIP'\n' | tee -a /etc/dnsmasq.conf >/dev/null
mv /etc/resolv.conf {,.old}
echo "nameserver 127.0.0.1" > /etc/resolv.conf
# restart dns services
systemctl enable dnsmasq.service > /dev/null 2>&1 && systemctl restart dnsmasq.service
echo -e "${GREEN}... Done.${NC}"

# Check DNS
echo "Checking DNS ..."
name=`host license.zimbra.com`
if [[ "$name" == *"not found"* ]]; then
    echo -e "${RED}DNS resolution failed! Check your resolve.conf file.${NC}"
    exit 1
else
    echo -e "${GREEN}... Done.${NC}"
fi

# Update firewall
echo "Enabling firewall for Zimbra ports ..."
echo "Ports 22/25/143/80/443/465/587/995/993/9071 will be opened to the internet."
echo "Please check your iptables for more info."

#flushing iptables while having INPUT=DROP policy will terminate ssh connection
iptables -P INPUT ACCEPT

iptables --flush
#block null packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
#block syn flood
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

#accept all traffic on your loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Allow Established and Related Incoming Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

#Allow ports
iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 587  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9071  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25  -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

#enable ping
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Set policy defaults
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP

#IPv6 closed for now
/usr/sbin/ip6tables -P OUTPUT ACCEPT
/usr/sbin/ip6tables -P FORWARD ACCEPT
/usr/sbin/ip6tables -P INPUT DROP

netfilter-persistent save

#Check Firewall
response=$(curl --write-out '%{http_code}' --silent --output /dev/null https://license.zimbra.com/actuator/health)
if [[ "$response" == "200" ]]; then
    echo "Zimbra License server reachable ..."
    echo -e "${GREEN}... Done.${NC}"
else
    echo -e "${RED} Issue with firewall ... Please check!${NC}"
    exit 1
fi

# Reset the hosts file
echo "Rewriting the /etc/hosts file ..."
mv /etc/hosts /etc/hosts.old
printf '127.0.0.1\tlocalhost.localdomain\tlocalhost\n127.0.1.1\tubuntu\n'$MYIP'\t'$HOSTNAME'\t'$HOSTONLY'\t' | tee -a /etc/hosts >/dev/null 2>&1
echo -e "${GREEN}... Done.${NC}"
echo "Setting hostname ($HOSTNAME) and timezone ($TIMEZONE) ..."
hostnamectl set-hostname $HOSTNAME >/dev/null 2>&1
timedatectl set-timezone $TIMEZONE >/dev/null 2>&1
echo -e "${GREEN}... Done.${NC}"
apt-get -qq update < /dev/null > /dev/null

#other updates
echo "Updating locale ..."
DEBIAN_FRONTEND=noninteractive apt-get install -qq -y locales < /dev/null > /dev/null
locale-gen "en_US.UTF-8" > /dev/null
update-locale LC_ALL="en_US.UTF-8"

# Get Ubuntu Version
version=$(lsb_release -d | awk -F" " '{print $3}' | cut -c 1-5)

if [ "$LETSENCRYPT" != "${LETSENCRYPT#[Yy]}" ] ;then # this grammar (the #[] operator) means that the variable $answer where any Y or y in 1st position will be dropped if they exist.
   if [ $(dig +short type257 $(hostname --d) | grep "letsencrypt.org" | grep "issue" | wc -l) -ge 1 ]; then   
      echo "Installing certbot"
      apt-get install -y -qq python3 python3-venv libaugeas0 python3-venv > /dev/null
      python3 -m venv /opt/certbot/
      /opt/certbot/bin/pip install --upgrade pip
      /opt/certbot/bin/pip install certbot
      ln -s /opt/certbot/bin/certbot /usr/local/sbin/certbot
      /usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone --preferred-chain  "ISRG Root X2" --agree-tos --register-unsafely-without-email
      cat >> /usr/local/sbin/letsencrypt-zimbra << EOF
#!/bin/bash
MAILTO=""
/usr/local/sbin/certbot certonly -d $(hostname --fqdn) --standalone -n --preferred-chain  "ISRG Root X2" --agree-tos --register-unsafely-without-email

cp "/etc/letsencrypt/live/$(hostname --fqdn)/privkey.pem" /opt/zimbra/ssl/zimbra/commercial/commercial.key
chown zimbra:zimbra /opt/zimbra/ssl/zimbra/commercial/commercial.key
wget -O /tmp/ISRG-X2.pem https://letsencrypt.org/certs/isrg-root-x2.pem
rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
cp "/etc/letsencrypt/live/$(hostname --fqdn)/chain.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
cat /tmp/ISRG-X2.pem >> "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
chown zimbra:zimbra /etc/letsencrypt -R
cd /tmp
su - zimbra -c '/opt/zimbra/bin/zmcertmgr deploycrt comm "/etc/letsencrypt/live/$(hostname --fqdn)/cert.pem" "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"'
rm -f "/etc/letsencrypt/live/$(hostname --fqdn)/chainZimbra.pem"
EOF
      chmod +rx /usr/local/sbin/letsencrypt-zimbra
   else 
      echo "CAA record for your domain cannot be found, you should add it first, example for bind:"
      echo "@			CAA     0 issue \"letsencrypt.org\""
      exit 1
   fi
fi

#Preparing the config files to inject
if [ ! -d "/tmp/zcs" ]; then
    mkdir /tmp/zcs
else
    rm -rf /tmp/zcs/*    #Dangerous Command
fi

#Download binaries
echo "Downloading Zimbra 10 for Ubuntu $version ..."
wget -P /tmp/ https://files.zimbra.com/downloads/10.1.0_GA/zcs-NETWORK-10.1.0_GA_4655.UBUNTU22_64.20240819064312.tgz > /dev/null 2>&1

echo "Extracting the files ..."
cd /tmp/zcs && tar xzf /tmp/zcs-NETWORK-10.1.0_GA_4655.UBUNTU22_64.20240819064312.tgz

echo "Creating the auto-install input files ..."
> /tmp/zcs/zconfig
cat <<EOF >/tmp/zcs/zconfig
AVDOMAIN="$DOMAIN"
AVUSER="super-admin@$DOMAIN"
CREATEADMIN="super-admin@$DOMAIN"
CREATEADMINPASS="$MYPASSWORD"
CREATEDOMAIN="$DOMAIN"
DOCREATEADMIN="yes"
DOCREATEDOMAIN="yes"
DOTRAINSA="yes"
ENABLEDEFAULTBACKUP="yes"
EXPANDMENU="no"
HOSTNAME="$HOSTNAME"
HTTPPORT="8080"
HTTPPROXY="TRUE"
HTTPPROXYPORT="80"
HTTPSPORT="8443"
HTTPSPROXYPORT="443"
IMAPPORT="7143"
IMAPPROXYPORT="143"
IMAPSSLPORT="7993"
IMAPSSLPROXYPORT="993"
INSTALL_WEBAPPS="service zimlet zimbra zimbraAdmin"
JAVAHOME="/opt/zimbra/common/lib/jvm/java"
LDAPBESSEARCHSET="set"
LDAPAMAVISPASS="$MYPASSWORD"
LDAPPOSTPASS="$MYPASSWORD"
LDAPROOTPASS="$MYPASSWORD"
LDAPADMINPASS="$MYPASSWORD"
LDAPREPPASS="$MYPASSWORD"
LDAPBESSEARCHSET="set"
LDAPDEFAULTSLOADED="1"
LDAPHOST="$HOSTNAME"
LDAPPORT="389"
LDAPREPLICATIONTYPE="master"
LDAPSERVERID="2"
LICENSEACTIVATIONOPTION="1"
LICENSEACTIVATIONOPTIONMSG="Activate license after installation"
LICENSEKEY="$LICENSE"
MAILBOXDMEMORY="1920"
MAILPROXY="TRUE"
MODE="https"
MYSQLMEMORYPERCENT="30"
ONLYOFFICEHOSTNAME="$HOSTNAME"
ONLYOFFICESTANDALONE="no"
POPPORT="7110"
POPPROXYPORT="110"
POPSSLPORT="7995"
POPSSLPROXYPORT="995"
PROXYMODE="https"
REMOVE="no"
RUNARCHIVING="no"
RUNAV="yes"
RUNCBPOLICYD="no"
RUNDKIM="yes"
RUNSA="yes"
RUNVMHA="no"
SERVICEWEBAPP="yes"
SMTPDEST="super-admin@$DOMAIN"
SMTPHOST="$HOSTNAME"
SMTPNOTIFY="yes"
SMTPSOURCE="super-admin@$DOMAIN"
SNMPNOTIFY="yes"
SNMPTRAPHOST="$HOSTNAME"
SPELLURL="http://$HOSTNAME:7780/aspell.php"
STARTSERVERS="yes"
STRICTSERVERNAMEENABLED="TRUE"
SYSTEMMEMORY="$SYSTEMMEMORY"
TRAINSAHAM="ham.account@$DOMAIN"
TRAINSASPAM="spam.account@$DOMAIN"
UIWEBAPPS="yes"
UPGRADE="yes"
USEKBSHORTCUTS="TRUE"
USESPELL="yes"
VERSIONUPDATECHECKS="TRUE"
VIRUSQUARANTINE="virus-quarantine.account@$DOMAIN"
ZIMBRA_REQ_SECURITY="yes"
ldap_bes_searcher_password="$MYPASSWORD"
ldap_dit_base_dn_config="cn=zimbra"
ldap_nginx_password="$MYPASSWORD"
mailboxd_directory="/opt/zimbra/mailboxd"
mailboxd_keystore="/opt/zimbra/mailboxd/etc/keystore"
mailboxd_keystore_password="$MYPASSWORD"
mailboxd_server="jetty"
mailboxd_truststore="/opt/zimbra/common/lib/jvm/java/lib/security/cacerts"
mailboxd_truststore_password="changeit"
postfix_mail_owner="postfix"
postfix_setgid_group="postdrop"
ssl_default_digest="sha256"
zimbraDNSMasterIP="8.8.4.4"
zimbraDNSTCPUpstream="no"
zimbraDNSUseTCP="yes"
zimbraDNSUseUDP="yes"
zimbraDefaultDomainName="$DOMAIN"
zimbraFeatureBriefcasesEnabled="Enabled"
zimbraFeatureTasksEnabled="Enabled"
zimbraIPMode="ipv4"
zimbraMailProxy="FALSE"
zimbraMtaMyNetworks="127.0.0.0/8 $MYIP/32 [::1]/128 [fe80::]/64"
zimbraPrefTimeZoneId="$TIMEZONE"
zimbraReverseProxyLookupTarget="TRUE"
zimbraVersionCheckInterval="1d"
zimbraVersionCheckNotificationEmail="super-admin@$DOMAIN"
zimbraVersionCheckNotificationEmailFrom="super-admin@$DOMAIN"
zimbraVersionCheckSendNotifications="TRUE"
zimbraWebProxy="TRUE"
zimbra_ldap_userdn="uid=zimbra,cn=admins,cn=zimbra"
zimbra_require_interprocess_security="1"
zimbra_server_hostname="$HOSTNAME"
EOF

if [[ "$APACHE" == "y" ]]; then
    echo 'INSTALL_PACKAGES="zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-store zimbra-apache zimbra-spell zimbra-convertd zimbra-memcached zimbra-proxy zimbra-archiving zimbra-onlyoffice zimbra-license-daemon"' >>/tmp/zcs/zconfig
else 
    echo 'INSTALL_PACKAGES="zimbra-core zimbra-ldap zimbra-logger zimbra-mta zimbra-store zimbra-convertd zimbra-memcached zimbra-proxy zimbra-archiving zimbra-onlyoffice zimbra-license-daemon"' >>/tmp/zcs/zconfig
fi

> /tmp/zcs/zkeys
cat <<EOF >/tmp/zcs/zkeys
y
y
y
y
y
n
n
y
y
$APACHE
$APACHE
y
y
y
y
y
y
EOF

D=`date +%s`
echo -e "${GREEN}... Done.${NC}"
echo "Installing the Zimbra binaries ..."
echo -e "For more details you can open a new terminal and run ${GREEN}tail -f /tmp/install.log.*${NC}"
cd /tmp/zcs/zcs-* && ./install.sh -l $LICENSE -s < /tmp/zcs/zkeys >> /tmp/zcs/install-$D.log 2>&1
echo -e "${GREEN}... Done.${NC}"

echo "Setting up your Zimbra configuration, this can take up to 20 minutes or slightly more."
echo -e "For more details you can open a new terminal and run ${GREEN}tail -f /tmp/zmsetup.log${NC}."
/opt/zimbra/libexec/zmsetup.pl -c /tmp/zcs/zconfig >> /tmp/zcs/install-$D.log 2>&1
echo "Allow mailbox service to start ..."
for i in {15..0}; do echo -ne "${RED}$i${NC}\033[0K\r"; sleep 1; done; echo
echo "Activating license ..."
su - zimbra -c "zmlicense -a $LICENSE"
echo -e "${GREEN}... Done.${NC}"

if [ "$LETSENCRYPT" != "${LETSENCRYPT#[Yy]}" ] ;then # this grammar (the #[] operator) means that the variable $answer where any Y or y in 1st position will be dropped if they exist.
    echo "Deploying Let's Encrypt on Zimbra"
    ln -s /usr/local/sbin/letsencrypt-zimbra /etc/cron.daily/letsencrypt-zimbra
    ip=$(dig +short @8.8.4.4 $(hostname))   # Ensure local IP resolution does not happen
    if [ -n "$ip" ]; then
        /etc/cron.daily/letsencrypt-zimbra
    else
        echo -e "${RED}Could not resolve hostname ...${NC}." 
        echo -e "${RED}Correct your nameserver entries and run the command ${GREEN}/etc/cron.daily/letsencrypt-zimbra${NC}."
	fi
fi

echo "Deploying additional Zimlets"
DEBIAN_FRONTEND=noninteractive apt-get install -qq -y zimbra-zimlet-user-sessions-management zimbra-zimlet-slack zimbra-zimlet-zoom zimbra-zimlet-dropbox zimbra-zimlet-google-drive zimbra-zimlet-onedrive zimbra-zimlet-jitsi zimbra-zimlet-video-call-preferences zimbra-zimlet-nextcloud zimbra-zimlet-voice-message zimbra-zimlet-sideloader zimbra-zimlet-org-chart zimbra-zimlet-privacy-protector zimbra-zimlet-custom-fonts zimbra-zimlet-download-email zimbra-zimlet-import-export-ics < /dev/null > /dev/null

if [[ $(hostname --fqdn) == *"barrydegraaff"* ]] || [[ $(hostname --fqdn) == *"zimbra.tech"* ]]; then
    DEBIAN_FRONTEND=noninteractive apt-get install -qq -y zimbra-zimlet-sideloader< /dev/null > /dev/null
fi

echo "Setting optimal security settings"
rm -Rf /tmp/provfile

cat >> /tmp/provfile << EOF
mcf zimbraPublicServiceProtocol https
mcf zimbraPublicServicePort 443
mcf zimbraPublicServiceHostname $HOSTNAME
mcf zimbraReverseProxySSLProtocols TLSv1.2
mcf +zimbraReverseProxySSLProtocols TLSv1.3
mcf zimbraReverseProxySSLCiphers ""
mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
mcf +zimbraResponseHeader "Referrer-Policy: no-referrer"
mcf zimbraMailKeepOutWebCrawlers TRUE
mcf zimbraSmtpSendAddMailer FALSE

mcf zimbraSSLDHParam /etc/ffdhe4096.pem

mcf zimbraMtaSmtpdTlsCiphers medium
mcf zimbraMtaSmtpdTlsMandatoryCiphers  medium
mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
mcf zimbraMtaTlsSecurityLevel may

ms $HOSTNAME zimbraPop3CleartextLoginEnabled FALSE
ms $HOSTNAME zimbraImapCleartextLoginEnabled FALSE

mcf zimbraLastLogonTimestampFrequency 1s
mc default zimbraPrefShortEmailAddress FALSE
mc default zimbraFeatureTwoFactorAuthAvailable TRUE
mc default zimbraFeatureTrustedDevicesEnabled FALSE

mcf +zimbraMailTrustedIP 127.0.0.1
mcf +zimbraMailTrustedIP $MYIP
mcf +zimbraGalLdapAttrMap manager=manager
mcf zimbraBackupReportEmailSender super-admin@$DOMAIN zimbraBackupReportEmailRecipients super-admin@$DOMAIN

ms $HOSTNAME zimbraFileUploadMaxSize 80000000
ms $HOSTNAME zimbraMailContentMaxSize 80000000
mcf zimbraMtaMaxMessageSize 80000000
mcf zimbraFileUploadMaxSize 80000000
mcf zimbraMailContentMaxSize 80000000
EOF

su - zimbra -c '/opt/zimbra/bin/postconf -e fast_flush_domains=""'
su - zimbra -c '/opt/zimbra/bin/postconf -e smtpd_etrn_restrictions=reject'
su - zimbra -c '/opt/zimbra/bin/postconf -e disable_vrfy_command=yes'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_medium_cipherlist=$(/opt/zimbra/common/bin/openssl ciphers)'
su - zimbra -c '/opt/zimbra/bin/postconf -e tls_preempt_cipherlist=no'

su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsprotocolmin="3.3"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_common_tlsciphersuite="HIGH"'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_supported=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_require_interprocess_security=1'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e ldap_starttls_required=true'

su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e alias_login_enabled=false'
su - zimbra -c '/opt/zimbra/bin/zmlocalconfig -e zimbra_same_site_cookie="Strict"'

su - zimbra -c '/opt/zimbra/bin/zmprov < /tmp/provfile'

#https://wiki.zimbra.com/wiki/Enabling_Admin_Console_Proxy
su - zimbra -c "/opt/zimbra/libexec/zmproxyconfig -e -w -C -H $HOSTNAME"

# Update Authkeys and Syslog
su - zimbra -c '/opt/zimbra/bin/zmupdateauthkeys'
/opt/zimbra/libexec/zmsyslogsetup

su - zimbra -c '/opt/zimbra/bin/zmzimletctl undeploy com_zimbra_clientuploader'
rm -Rf /opt/zimbra/lib/ext/com_zimbra_clientuploader

su - zimbra -c '/opt/zimbra/bin/zmcontrol restart'

echo
echo -e "${GREEN}Login to the admin console and activate your license before trying any other feature!${NC}"
echo "Zimbra installation details:"
echo
echo "  - Webmail Login:  https://${HOSTNAME}"
echo "  - Admin Console:  https://${HOSTNAME}:9071"
echo "  - Admin Username: super-admin"
echo "  - Admin Password: ${MYPASSWORD}"
echo ""