https://wiki.archlinux.org/api.php?action=feedcontributions&user=Templis&feedformat=atom
ArchWiki - User contributions [en], 2024-03-28T16:52:34Z, User contributions, MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=User_talk:DJ_L&diff=366810
User talk:DJ L, 2015-03-23T09:48:15Z, author Templis
<p>Templis: /* OpenChange Server */</p>
<hr />
<div>== <s> Samba 4 stubs </s> ==<br />
Hi, I've noticed you've created [[Samba4 Client Configuration]]: do you intend to move there [[Samba#Client configuration]]? Also about [[Samba4 DHCP with Dynamic DNS]], are you sure you can't add that information to one of our already existing articles on [[Samba]]? -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 13:01, 10 December 2013 (UTC)<br />
<br />
:I suppose the DHCP section could be added to the existing Samba 4 page, but much of it can be reused outside of Samba too. I should change the title after it is ready to go. As to the Client configuration, this is about SSO on Linux hosts and is more akin to [[Active_Directory_Integration]]. I'll get with the original author of that page once the needed configurations are in place to discuss a merge. Thanks for the heads up. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]]) 02:00, 11 December 2013 (UTC)<br />
<br />
::About the DHCP article, how much of it can be used in general? Maybe you just want to link to our already existing articles on DHCP, DNS... and improve them instead of duplicating content? See [[:Category:Networking]] and subcategories too.<br />
::About the client config article, isn't it easier to contribute to [[Active Directory Integration]] from the beginning instead?<br />
::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:02, 11 December 2013 (UTC)<br />
<br />
:::Not sure, I'll delete the links. If you can delete the stub pages for me I'd appreciate it. I'll sandbox it locally and see where I'm at when ready to proceed (still having some issues with the DHCP).<br />
:::I've not been here long, policy is probably simply make the edit, but what is acceptable in the community? I presume that I should contact the original author with proposed text via the talk feature, and wait for a response. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]]) 16:17, 15 December 2013 (UTC)<br />
<br />
::::All right, the stubs are deleted. Yes, the policy is "simply make the edit": as long as you properly justify your edits using the Summary (just below the text editing area) you'll be fine. You don't need to contact the previous contributors of an article, just do the edits and keep watching the talk page: if they've got something to say, they'll show up there :) I recommend that you directly edit the existing articles because this will avoid creating duplicated content, which is so hard to maintain, especially in the long run. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 12:03, 17 December 2013 (UTC)<br />
<br />
==OpenChange Server==<br />
I have another question: is it possible to add more than one e-mail address per user in SOGo? [[User:templis|templis]] ([[User talk:templis|talk]])<br />
: Excellent. I'm glad to see others using and contributing! As to your question about multiple email addresses, absolutely it is possible. Just add a new ProxyAddresses entry. The all capped SMTP is the primary (translates to the "from" address), and little smtp are the alternates (for which you can receive mail, but not send as). [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
:: Capped SMTP won't work for me. I have to add another user, log in as this user and delegate my primary user, but little smtp works to receive mails. My only problem now is: if I add little smtp I receive the same e-mail twice. [[User:templis|templis]] ([[User talk:templis|talk]])<br />
::: I haven't seen this behavior. Do you have the same email address listed twice for the user (both SMTP and smtp)? It need only be in one, but if that was the issue, then there is a problem with my LDAP user lookup tables for Postfix. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
:::: I think I've found the failure but don't have a solution for this. I think it's in SOGo and the duplicate e-mails are because of IMAP and X400. But I can't test this, because I can't remove the IMAP from the SOGo app... [[User:templis|templis]] ([[User talk:templis|talk]])<br />
<br />
Are you sure about your last commit?<br />
Because I have samba 4.2.0 and openchange-server 2.2-6 running... After the last sysupdate my only problem is that my samba passwords are expired. But with smbpasswd -a Administrator and ldap, everything runs perfectly. [[User:templis|templis]] ([[User talk:templis|talk]])</div>
https://wiki.archlinux.org/index.php?title=User:Templis&diff=362251
User:Templis, 2015-02-21T21:31:43Z, author Templis
<p>Templis: </p>
<hr />
<div>== Short description of my interests ==<br />
I'm generally interested in computer security.<br />
<br />
== good security links to follow up ==<br />
<br />
Hardening SSH:<br />
https://stribika.github.io/2015/01/04/secure-secure-shell.html<br />
<br />
Hardening SSL in NGINX (there are also guides for Apache and lighttpd):<br />
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html<br />
<br />
good book on encrypting a lot of services, which every admin should know:<br />
https://bettercrypto.org/<br />
<br />
== Languages: ==<br />
<br />
*'''Deutsch'''<br />
*'''English'''</div>
https://wiki.archlinux.org/index.php?title=User_talk:Templis&diff=362183
User talk:Templis, 2015-02-21T17:25:32Z, author Templis
<p>Templis: /* OpenChange Sieve Configuration */</p>
<hr />
<div>== OpenChange Sieve Configuration ==<br />
Thanks for adding Sieve and NGinX configs! Can you see any reason not to add the sieve config directly to the lmtp.conf the first time it is created rather than editing it later? Maybe just assume sieve will be installed. If you want it optional, which I don't think is necessary (but with the addition of NGinX the page is not rigid now anyway - and that is a good thing), you could add a note (comment) in the file to comment out the next line and the last section? OT: I'd like to see your results when using the AS plugin with NGinX too. I haven't added it yet because it is a real drain on Apache. I mean, it works well enough, but some tuning in httpd is definitely necessary else SOGo's web UI is a complete slug when AS is enabled. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
::I just didn't want to edit your configs, because my feelings are like: "You know what to do and I only hack some workarounds". I generally think it's a good idea to merge sieve into the lmtp config, because without sieve SOGo wasn't able to save settings and aborted the save with: "This service is temporarily not available" (or something like this).<br />
::On the OT point: I'll try ActiveSync this week and will give you feedback.<br />
::: Exchange won't work because ocsmanager needs /usr/sbin/paster to start. But I don't have paster. Even Google doesn't know anything about paster...<br />
::ActiveSync didn't work and needs more config work.</div>
https://wiki.archlinux.org/index.php?title=OpenChange_server&diff=361148
OpenChange server, 2015-02-14T19:45:26Z, author Templis
<p>Templis: /* NGinX httpd */ Making servername, ssl key+cert file bold to follow up wiki site markup</p>
<hr />
<div>[[Category:Mail Server]]<br />
{{Related articles start}}<br />
{{Related|Samba}}<br />
{{Related|Samba/Tips and tricks}}<br />
{{Related|Samba/Troubleshooting}}<br />
{{Related|Samba/Advanced file sharing with KDE4}}<br />
{{Related|Samba Domain Controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related|Samba 4 Active Directory Domain Controller}}<br />
{{Related articles end}}<br />
<br />
This article explains how to set up a mail server using OpenChange server, following on from the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] article. Postfix is used for the MTA, Dovecot for the IMAP/POP server, and SOGo for the backend, with all users stored in Samba's Active Directory (normal Exchange attributes are used throughout).<br />
<br />
== Installation ==<br />
<br />
=== Prerequisites ===<br />
<br />
Install the needed prerequisite packages:<br />
<br />
# pacman -S apache postgresql postfix dovecot mariadb<br />
<br />
Install {{AUR|openchange-server}}, {{AUR|sope}}, {{AUR|sogo}}, {{AUR|sogo-openchange}}, and {{AUR|mysql-python-embedded}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
=== MySQL/MariaDB ===<br />
<br />
Enable MySQL/MariaDB with the following commands and enter mysql as the root user:<br />
<br />
# systemctl enable mysqld.service<br />
# systemctl start mysqld.service<br />
# mysql -u root<br />
<br />
At the mysql prompt, enter the following commands (replace '''OpenchangePW''' with a secure password):<br />
<br />
CREATE DATABASE openchange;<br />
CREATE USER 'openchange'@'localhost' IDENTIFIED BY ''''OpenchangePW'''';<br />
GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchange'@'localhost' WITH GRANT OPTION;<br />
FLUSH PRIVILEGES;<br />
<br />
=== Initial OpenChange configuration ===<br />
<br />
==== Samba ====<br />
<br />
Make a backup copy of your existing samba configuration:<br />
<br />
# cp /etc/samba/smb.conf{,.bak}<br />
<br />
Append the following lines to the "[global]" section of the {{ic|/etc/samba/smb.conf}} file. Be sure to replace '''OpenchangePW''':<br />
<br />
...<br />
# Begin OpenChange Server Configuration<br />
dcerpc endpoint servers = +epmapper, +mapiproxy, +dnsserver<br />
dcerpc_mapiproxy:server = true<br />
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr<br />
mapistore:namedproperties = mysql<br />
namedproperties:mysql_user = openchange<br />
namedproperties:mysql_pass = '''OpenchangePW'''<br />
namedproperties:mysql_host = localhost<br />
namedproperties:mysql_db = openchange<br />
mapistore:indexing_backend = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
mapiproxy:openchangedb = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
# End OpenChange Server Configuration<br />
...<br />
<br />
==== OpenChange ====<br />
<br />
Next, provision the database and create the openchange DB. Once again, replace '''OpenchangePW''':<br />
<br />
# openchange_provision --standalone<br />
# openchange_provision --openchangedb --openchangedb-uri mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
<br />
Enable mail for the first user (we will use administrator):<br />
<br />
# openchange_newuser --create Administrator<br />
<br />
Restart {{ic|samba}}.<br />
<br />
At this point, you should verify that all samba services are working as expected. Use the tests in the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] guide in addition to testing RPC from a Windows client (simply connect with RSAT tools or something similar). If all is well, then continue. If not, restore the backup of the {{ic|smb.conf}} until you can track down the problem.<br />
<br />
Finally, verify that you can edit user properties. For this, we will use ldbedit, which lets you directly modify user attributes. The relevant attributes are mail and proxyAddresses. The proxyAddresses attribute labeled SMTP (as opposed to smtp) is the default mail address. If using internal and external domains, you will need to set SMTP to the external address, as this will be the SMTP from address and envelope sender in outgoing messages. Replace ''vim'' in the following command with your preferred editor:<br />
<br />
# LDB_MODULES_PATH="/usr/lib/samba/ldb" ldbedit -e ''vim'' -H /var/lib/samba/private/sam.ldb '(samaccountname=administrator)'<br />
<br />
If you first followed the [[Samba_4_Active_Directory_Domain_Controller| Samba 4 Active Directory Domain Controller]] article, you should see text similar to the following in the editor window (substituting '''internal'''.'''domain'''.'''tld''' with your domain's values):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: SMTP:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...}}<br />
It is important to change both the '''mail''' attribute (this is what we will use for group expansion), and the primary '''SMTP''' address. Change it to the following (again, substitute appropriate values for '''internal'''.'''domain'''.'''tld''' and '''domain'''.'''tld'''):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: smtp:postmaster@'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: smtp:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: SMTP:administrator@'''domain'''.'''tld'''<br />
...}}<br />
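As an added example (not part of the ArchWiki article or of OpenChange's own tooling), the following Python script parses ldbedit-style output like the listing above and checks the conventions the article relies on: exactly one SMTP: primary, a mail attribute that matches it, and no address listed both as primary and as alternate (the double-lookup case that produces duplicate deliveries). The sample entry, its domains and the helper names are constructed placeholders.

```python
"""Sanity-check the mail/proxyAddresses attributes of an AD user entry.

Added example: parses ldbedit-style LDIF text and verifies the SMTP/smtp
conventions described above. Base64 ("::") values are not decoded, since
ldbedit shows these particular attributes in plain text.
"""

# Constructed sample resembling the ldbedit output above; the domains are
# placeholders, not real hosts.
SAMPLE_ENTRY = """\
dn: CN=Administrator,CN=Users,DC=internal,DC=domain,DC=tld
sAMAccountName: Administrator
mail: Administrator@domain.tld
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator
proxyAddresses: smtp:postmaster@internal.domain.tld
proxyAddresses: smtp:postmaster@domain.tld
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator
proxyAddresses: smtp:Administrator@internal.domain.tld
proxyAddresses: SMTP:administrator@domain.tld
"""


def parse_entry(text):
    """Return a dict attribute -> list of values for one LDIF-style entry.

    Attribute names are case-insensitive in LDAP, so they are lower-cased;
    values keep their case because the SMTP/smtp prefix is significant.
    Continuation lines (leading space) are folded onto the previous value.
    """
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        attrs.setdefault(key, []).append(value.strip())
        last_key = key
    return attrs


def split_proxy_addresses(values):
    """Split proxyAddresses into (primary SMTP, alternate smtp, other) lists."""
    primary, alternates, other = [], [], []
    for value in values:
        prefix, _, address = value.partition(":")
        if prefix == "SMTP":
            primary.append(address)
        elif prefix == "smtp":
            alternates.append(address)
        else:
            other.append(value)  # =EX: and X400: entries are left untouched
    return primary, alternates, other


def check_mail_attributes(text):
    """Return a list of problems; an empty list means the entry is consistent."""
    attrs = parse_entry(text)
    problems = []
    primary, alternates, _ = split_proxy_addresses(attrs.get("proxyaddresses", []))
    mail = attrs.get("mail", [])

    if len(primary) != 1:
        problems.append(f"expected exactly one SMTP: primary, found {len(primary)}")
    if len(mail) != 1:
        problems.append(f"expected exactly one mail attribute, found {len(mail)}")

    # Mail addresses compare case-insensitively; the article's own listing
    # uses Administrator@... and administrator@... for the same mailbox.
    if primary and mail and primary[0].lower() != mail[0].lower():
        problems.append(f"mail ({mail[0]}) differs from primary SMTP ({primary[0]})")

    # The same address as both SMTP: and smtp: makes two lookup rows match one
    # mailbox, which is the usual cause of a message being delivered twice.
    alt_set = {a.lower() for a in alternates}
    for p in primary:
        if p.lower() in alt_set:
            problems.append(f"{p} is listed both as SMTP (primary) and smtp (alternate)")

    seen = set()
    for a in alternates:
        if a.lower() in seen:
            problems.append(f"alternate {a} is listed more than once")
        seen.add(a.lower())
    return problems


if __name__ == "__main__":
    issues = check_mail_attributes(SAMPLE_ENTRY)
    print("OK" if not issues else "\n".join(issues))
```

Feed it the output of the ldbedit command above (saved to a file) to confirm the entry before restarting samba and Postfix.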
<br />
=== Initial SOGo configuration ===<br />
<br />
==== Apache httpd ====<br />
<br />
Add SOGo to the Apache configuration by appending the following lines at the end of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
...<br />
# Include SOGo configuration<br />
include conf/extra/SOGo.conf<br />
<br />
Create the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
<nowiki>Alias /SOGo.woa/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
Alias /SOGo/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
<br />
<Directory /usr/lib/GNUstep/SOGo/><br />
AllowOverride None<br />
<br />
<IfVersion < 2.4><br />
Order deny,allow<br />
Allow from all<br />
</IfVersion><br />
<IfVersion >= 2.4><br />
Require all granted<br />
</IfVersion><br />
<br />
# Explicitly allow caching of static content to avoid browser specific behavior.<br />
# A resource's URL MUST change in order to have the client load the new version.<br />
<IfModule expires_module><br />
ExpiresActive On<br />
ExpiresDefault "access plus 1 year"<br />
</IfModule><br />
</Directory><br />
<br />
## Uncomment the following to enable proxy-side authentication, you will then<br />
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and<br />
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section<br />
## below.<br />
#<Location /SOGo><br />
# AuthType XXX<br />
# Require valid-user<br />
# SetEnv proxy-nokeepalive 1<br />
# Allow from all<br />
#</Location><br />
<br />
ProxyRequests Off<br />
SetEnv proxy-nokeepalive 1<br />
ProxyPreserveHost On<br />
<br />
# When using CAS, you should uncomment this and install cas-proxy-validate.py<br />
# in /usr/lib/cgi-bin to reduce server overloading<br />
#<br />
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py<br />
# <Proxy http://localhost/app/cas-proxy-validate.py><br />
# Order deny,allow<br />
# Allow from your-cas-host-addr<br />
# </Proxy><br />
<br />
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0<br />
<br />
# Enable to use Microsoft ActiveSync support<br />
# Note that you MUST have many sogod workers to use ActiveSync.<br />
# See the SOGo Installation and Configuration guide for more details.<br />
#<br />
#ProxyPass /Microsoft-Server-ActiveSync \<br />
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \<br />
# retry=60 connectiontimeout=5 timeout=360<br />
<br />
<Proxy http://127.0.0.1:20000/SOGo><br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
RequestHeader set "x-webobjects-server-url" "https://</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
<br />
## When using proxy-side authentication, you need to uncomment and<br />
## adjust the following line:<br />
# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"<br />
<br />
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"<br />
<br />
AddDefaultCharset UTF-8<br />
<br />
Order allow,deny<br />
Allow from all<br />
</Proxy><br />
<br />
# For Apple autoconfiguration<br />
<IfModule rewrite_module><br />
RewriteEngine On<br />
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]<br />
</IfModule></nowiki><br />
<br />
Create the state directory:<br />
<br />
# mkdir /var/run/sogo<br />
# chown sogo:sogo /var/run/sogo<br />
<br />
Then enable and start the {{ic|sogo}} and {{ic|httpd}} services.<br />
<br />
Open a browser and go to http://server.internal.domain.tld/SOGo/ but do not try to log in just yet; just verify that you can connect and get the login screen.<br />
<br />
<br />
==== NGinX httpd ====<br />
<br />
I've added this to my /etc/nginx/nginx.conf<br />
<br />
server {<br />
listen 443;<br />
root /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
server_name '''sogo.domain.tld'''<br />
server_tokens off;<br />
client_max_body_size 100M;<br />
index index.php index.html index.htm;<br />
autoindex off;<br />
ssl on;<br />
ssl_certificate '''/path/to/your/certfile'''; #eg. /etc/ssl/certs/keyfile.crt<br />
ssl_certificate_key '''/path/to/your/keyfile'''; #eg /etc/ssl/private/keyfile.key<br />
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
ssl_session_cache shared:SSL:10m;<br />
#optional ssl_stapling on;<br />
#optional ssl_stapling_verify on;<br />
#optional ssl_trusted_certificate /etc/ssl/private/cacert-stapeling.pem; <br />
#optional resolver 8.8.4.4 8.8.8.8 valid=300s;<br />
#optional resolver_timeout 10s;<br />
ssl_prefer_server_ciphers on;<br />
#optional ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />
#optional add_header Strict-Transport-Security max-age=63072000;<br />
#optional add_header X-Frame-Options DENY;<br />
#optional add_header X-Content-Type-Options nosniff;<br />
location = / {<br />
rewrite ^ https://$server_name/SOGo;<br />
allow all;<br />
}<br />
location = /principals/ {<br />
rewrite ^ https://$server_name/SOGo/dav;<br />
allow all;<br />
}<br />
location ^~/SOGo {<br />
proxy_pass http://127.0.0.1:20000;<br />
proxy_redirect http://127.0.0.1:20000 default;<br />
# forward user's IP address<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $host;<br />
proxy_set_header x-webobjects-server-protocol HTTP/1.0;<br />
proxy_set_header x-webobjects-remote-host 127.0.0.1;<br />
proxy_set_header x-webobjects-server-name $server_name;<br />
proxy_set_header x-webobjects-server-url $scheme://$host;<br />
proxy_connect_timeout 90;<br />
proxy_send_timeout 90;<br />
proxy_read_timeout 90;<br />
proxy_buffer_size 4k;<br />
proxy_buffers 4 32k;<br />
proxy_busy_buffers_size 64k;<br />
proxy_temp_file_write_size 64k;<br />
client_max_body_size 50m;<br />
client_body_buffer_size 128k;<br />
break;<br />
}<br />
location /SOGo.woa/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
location /SOGo/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*UI)/Resources/(.*\.(jpg|png|gif|css|js))$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
}<br />
<br />
==== PostgreSQL ====<br />
<br />
Initialize the default database and start PostgreSQL (be sure to replace '''en_US.UTF-8''' with the correct locale for your installation):<br />
<br />
# mkdir -p /var/lib/postgres/data<br />
# chown -R postgres:postgres /var/lib/postgres<br />
# su - postgres -c "initdb --locale '''en_US.UTF-8''' -D '/var/lib/postgres/data'"<br />
Then start and enable the {{ic|postgresql}} service.<br />
<br />
Create the sogo user and the sogo DB for PostgreSQL (do not select a strong password for the sogo user, just use "sogo" for simplicity. This is temporary and we will change it later):<br />
<br />
# su - postgres<br />
$ createuser --no-superuser --no-createdb --no-createrole --encrypted --pwprompt sogo<br />
$ createdb -O sogo sogo<br />
<br />
Edit the access configuration for the openchange DB:<br />
<br />
# cp /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
# sed \<br />
's/D$/D\n\n#Configuration for OpenChange/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# sed \<br />
's/ange$/ange\nhost\topenchange\topenchange\t127.0.0.1\/32\t\tmd5/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# chown postgres:postgres /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
<br />
Restart the {{ic|postgresql}} service.<br />
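The two {{ic|sed}} commands above splice the new rule in directly below the column header, so that it comes before the default {{ic|trust}} rules: pg_hba.conf is evaluated first-match, so a rule appended at the end of the file would never be reached for 127.0.0.1. As an added example, not from the wiki page, the following shell functions perform the same insertion idempotently on a constructed sample of a stock pg_hba.conf and emulate the first-match lookup so the effect can be checked; the sample contents and the function names are assumptions.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): idempotent pg_hba.conf editing
# plus a first-match emulation, run against a constructed sample file.

# Write a constructed sample of a stock pg_hba.conf (initdb default: trust).
make_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
EOF
}

# pg_hba_first_match FILE DB USER ADDRESS
# Prints the METHOD of the first "host" rule that applies, mimicking the
# server's first-match semantics. Simplified: the ADDRESS column is compared
# as an exact string, no CIDR arithmetic.
pg_hba_first_match() {
    awk -v db="$2" -v u="$3" -v a="$4" '
        /^[[:space:]]*#/ || NF < 5 { next }
        $1 == "host" && ($2 == db || $2 == "all") &&
        ($3 == u || $3 == "all") && $4 == a { print $5; exit }
    ' "$1"
}

# add_pg_hba_entry FILE DB USER ADDRESS METHOD
# Inserts the rule directly below the column header, ahead of the default
# "all all" rules, and does nothing if an identical DB/USER/ADDRESS rule is
# already present, so re-running the provisioning steps cannot duplicate it.
add_pg_hba_entry() {
    file=$1 db=$2 user=$3 addr=$4 method=$5
    if awk -v db="$db" -v u="$user" -v a="$addr" \
        '$1 == "host" && $2 == db && $3 == u && $4 == a { f = 1 } END { exit !f }' "$file"
    then
        return 0    # identical rule already present
    fi
    tmp=$(mktemp) || return 1
    awk -v db="$db" -v u="$user" -v a="$addr" -v m="$method" '
        { print }
        !done && /^#[[:space:]]*TYPE[[:space:]]+DATABASE/ {
            print ""
            print "# Configuration for " db
            printf "host\t%s\t%s\t%s\t\t%s\n", db, u, a, m
            done = 1
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Demo: the default trust rule wins until the md5 rule is inserted above it.
f=$(mktemp)
make_sample_pg_hba "$f"
printf 'before: %s\n' "$(pg_hba_first_match "$f" openchange openchange 127.0.0.1/32)"
add_pg_hba_entry "$f" openchange openchange 127.0.0.1/32 md5
add_pg_hba_entry "$f" openchange openchange 127.0.0.1/32 md5   # second call is a no-op
printf 'after:  %s\n' "$(pg_hba_first_match "$f" openchange openchange 127.0.0.1/32)"
rm -f "$f"
```
<br />
Note that on this sample the {{ic|sogo}} role is still covered only by the default {{ic|trust}} rule for 127.0.0.1, which the emulation makes visible.<br />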
<br />
==== SOGo ====<br />
<br />
Configure SOGo defaults with the following commands (be certain to replace '''REGION/LOCALITY''', '''SAMBAADMINPASSWORD''', and dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values):<br />
<br />
# su - sogo -s /bin/bash<br />
$ defaults write sogod SOGoTimeZone "'''REGION/LOCALITY'''"<br />
$ defaults write sogod OCSFolderInfoURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"<br />
$ defaults write sogod SOGoProfileURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"<br />
$ defaults write sogod OCSSessionsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"<br />
$ defaults write sogod OCSEMailAlarmsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_alarm_folder"<br />
$ defaults write sogod SOGoUserSources '({CNFieldName = displayName; IDFieldName = cn; UIDFieldName = sAMAccountName; IMAPHostFieldName =; baseDN = "cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindDN = "cn=Administrator,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindPassword = "'''SAMBAADMINPASSWORD'''"; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = "localhost"; id = public; isAddressBook = YES; port = 389;})'<br />
$ defaults write sogod WONoDetach NO<br />
$ defaults write sogod WOLogFile /var/log/sogo/sogo.log<br />
$ defaults write sogod WOPidFile /var/run/sogo/sogo.pid<br />
$ exit<br />
<br />
Next, edit the SOGo Apache configuration file, {{ic|/etc/httpd/conf/extra/SOGo.conf}}, and comment out the following lines for testing (until your SSL certs are in place and the configuration is complete):<br />
<br />
{{bc|<br />
## adjust the following to your configuration<br />
# RequestHeader set "x-webobjects-server-port" "443"<br />
# RequestHeader set "x-webobjects-server-name" "yourhostname"<br />
# RequestHeader set "x-webobjects-server-url" "<nowiki>https://yourhostname</nowiki>"<br />
}}<br />
<br />
Give the root user the GNUStep configuration for the sogo user:<br />
<br />
# ln -s /etc/sogo/GNUStep /root/GNUStep<br />
<br />
=== Initial Postfix configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a minimal Postfix configuration (replace '''server'''.'''internal'''.'''domain.tld''' with a valid internal FQDN):<br />
<br />
# postconf -e myhostname='''server'''.'''internal'''.'''domain.tld'''<br />
# postconf -e mydestination=localhost<br />
<br />
If this server will be accessible from the internet, set the HELO/EHLO values to match the FQDN as seen from the internet (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
# postconf -e smtp_helo_name='''mail'''.'''domain'''.'''tld'''<br />
# postconf -e smtpd_banner='$smtp_helo_name ESMTP $mail_name'<br />
<br />
Enable and start {{ic|postfix}}.<br />
<br />
==== Virtual user configuration ====<br />
<br />
Create a vmail user and set up Postfix to use it:<br />
<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
# chmod 750 /home/vmail<br />
# postconf -e virtual_minimum_uid=5000<br />
# postconf -e virtual_uid_maps=static:5000<br />
# postconf -e virtual_gid_maps=static:5000<br />
# postconf -e virtual_mailbox_base=/home/vmail<br />
# postfix reload<br />
<br />
==== LDAP configuration ====<br />
<br />
Next we need to tell Postfix how to look up users. To do this, create an unprivileged user for LDAP lookups (select a suitably strong password; 63 mixed-case alphanumeric characters is fine):<br />
<br />
# samba-tool user create ldap --description="Unprivileged user for LDAP lookups"<br />
<br />
Now, create a LDAP alias and group maps for Postfix pasting the following lines in the file {{ic|/etc/postfix/ldap-alias.cf}} as root (replace dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values and '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''' with a random password of your choosing):<br />
<br />
# Directory settings<br />
server_host = 127.0.0.1<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = sub<br />
version = 3<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
result_attribute = samaccountname<br />
result_format = %s@'''internal'''.'''domain'''.'''tld'''<br />
<br />
Create the group map:<br />
<br />
# sed -e '/^query/d' \<br />
-e '/^result/d' \<br />
/etc/postfix/ldap-alias.cf > /etc/postfix/ldap-group.cf<br />
<br />
Append the following lines to the newly created {{ic|/etc/postfix/ldap-group.cf}} (in the #Filter section):<br />
<br />
query_filter = (&(objectclass=group)(mail=%s))<br />
special_result_attribute = member<br />
leaf_result_attribute = mail<br />
<br />
Set the permissions:<br />
<br />
# chmod 0600 /etc/postfix/ldap-{alias,group}.cf<br />
<br />
Next, test the lookup maps for users (groups have not yet been created; substitute '''internal'''.'''domain'''.'''tld'''):<br />
<br />
# postmap -q administrator@'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
# postmap -q administrator@'''internal'''.'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
<br />
You should receive the following output for both commands:<br />
<br />
Administrator@internal.domain.tld<br />
<br />
Append any other hosted domains to the first command below, add the maps, and then reload the Postfix configuration (again replacing domain values):<br />
<br />
# postconf -e virtual_mailbox_domains="'''domain'''.'''tld''', '''internal'''.'''domain'''.'''tld'''"<br />
# postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-group.cf"<br />
# postfix reload<br />
<br />
At this point, Dovecot will need to be configured before completing the Postfix configuration, as Dovecot SASL and LMTP will be used for authentication and delivery (respectively).<br />
<br />
=== Dovecot configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a very basic dovecot configuration:<br />
<br />
# cp /etc/dovecot/dovecot.conf{.sample,}<br />
# chown root:root /etc/dovecot/dovecot.conf<br />
<br />
Then create the file {{ic|/etc/dovecot/conf.d/local.conf}} with this content:<br />
<br />
auth_mechanisms = plain login<br />
disable_plaintext_auth = no<br />
ssl = no<br />
auth_username_format = %n<br />
mail_location = /home/vmail/%Lu/Maildir<br />
<br />
Enable and start {{ic|dovecot}}.<br />
<br />
==== LDAP configuration ====<br />
<br />
Add the LDAP lookup configuration {{ic|/etc/dovecot/conf.d/ldap.conf}}:<br />
<br />
passdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-passdb.conf<br />
}<br />
userdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-userdb.conf<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/ldap.conf<br />
# chown root:root /etc/dovecot/conf.d/ldap.conf<br />
<br />
Create the LDAP user and password configuration files (replace dc='''internal''',dc='''domain''',dc='''tld''' and '''INTERNAL''' with appropriate values):<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-passdb.conf}}<br />
hosts = localhost<br />
auth_bind = yes<br />
auth_bind_userdn = '''INTERNAL'''\%u<br />
ldap_version = 3<br />
base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = subtree<br />
deref = never<br />
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-userdb.conf}}<br />
hosts = localhost<br />
dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
dnpass = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
ldap_version = 3<br />
# The base must be cn=Users for OpenChange ATM...future<br />
base = cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
user_attrs = =uid=5000,=gid=5000,=home=/home/vmail/%Lu,=mail=maildir:/home/vmail/%Lu/Maildir/<br />
user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
# Attributes and filter to get a list of all users<br />
iterate_attrs = sAMAccountName=user<br />
iterate_filter = (objectClass=person)<br />
<br />
Set permissions:<br />
# chown root:root /etc/dovecot/dovecot-ldap-{pass,user}db.conf<br />
# chmod 0600 /etc/dovecot/dovecot-ldap-userdb.conf<br />
# chmod 0644 /etc/dovecot/dovecot-ldap-passdb.conf<br />
<br />
Create the SASL configuration {{ic|/etc/dovecot/conf.d/sasl.conf}}:<br />
<br />
service auth {<br />
unix_listener /var/spool/postfix/private/auth {<br />
mode = 0660<br />
user = postfix<br />
group = postfix<br />
}<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/sasl.conf<br />
# chown root:root /etc/dovecot/conf.d/sasl.conf<br />
<br />
Reload Dovecot for the configuration to take effect:<br />
<br />
# dovecot reload<br />
<br />
==== Testing Dovecot authentication ====<br />
<br />
Open a ''telnet'' session and test (commands you enter are in bold, replace ''xxxxxxxx'' with your real password):<br />
<br />
'''telnet localhost 143'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br />
'''a LOGIN Administrator xxxxxxxx'''<br />
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in<br />
'''a LOGOUT'''<br />
* BYE Logging out<br />
. OK Logout completed.<br />
Connection closed by foreign host.<br />
<br />
If you have received anything other than OK, go back and double check your configuration before continuing.<br />
<br />
==== LMTP configuration ====<br />
<br />
Create the LMTP configuration file {{ic|/etc/dovecot/conf.d/lmtp.conf}}:<br />
<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@'''domain'''.'''tld'''<br />
}<br />
<br />
# chmod 0644 /etc/dovecot/conf.d/lmtp.conf<br />
# dovecot reload<br />
<br />
==== TLS configuration ====<br />
<br />
Put your certificate files into place and create the TLS configuration file {{ic|/etc/dovecot/conf.d/tls.conf}} (adjust paths and names as necessary). The key file should be owned by root with 0400 permissions. Any intermediate certificates should be concatenated after the public cert:<br />
<br />
ssl = yes<br />
ssl_cert = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.pem<br />
ssl_key = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key<br />
<br />
# chmod 644 /etc/dovecot/conf.d/tls.conf<br />
<br />
Remove the earlier explicitly defined values from {{ic|local.conf}} and reload Dovecot:<br />
<br />
# sed -e '/^ssl/d' -e '/disable_plaintext/s/no/yes/' \<br />
-i /etc/dovecot/conf.d/local.conf<br />
# dovecot reload<br />
<br />
==== Sieve Configuration ====<br />
<br />
Edit {{ic|/etc/dovecot/dovecot.conf}} and set the protocols line:<br />
protocols = imap lmtp sieve<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/local.conf}} and add:<br />
plugin {<br />
sieve_before = /home/vmail/sieve/spam-global.sieve<br />
sieve=/home/vmail/%Lu/dovecot.sieve<br />
sieve_dir=/home/vmail/%Lu/sieve<br />
}<br />
Create the directory, change its owner and add the default rule:<br />
# mkdir /home/vmail/sieve/<br />
# touch /home/vmail/sieve/spam-global.sieve<br />
# chown -R vmail:vmail /home/vmail/sieve<br />
<br />
Edit {{ic|/home/vmail/sieve/spam-global.sieve}} and add these lines:<br />
require "fileinto";<br />
if header :contains "X-Spam-Flag" "YES" {<br />
fileinto "Spam";<br />
}<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/lmtp.conf}} so that the file looks like this (additions in bold):<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@domain.tld<br />
'''mail_plugins = sieve'''<br />
}<br />
<br />
'''plugin {'''<br />
'''sieve_before = /home/vmail/sieve/spam-global.sieve'''<br />
'''sieve = /home/vmail/%Lu/dovecot.sieve'''<br />
'''sieve_dir = /home/vmail/%Lu/sieve'''<br />
'''}'''<br />
<br />
=== Postfix final configuration ===<br />
<br />
==== SASL configuration ====<br />
<br />
Modify the default smtpd instance:<br />
<br />
# postconf -e smtpd_sasl_type=dovecot<br />
# postconf -e smtpd_sasl_path=private/auth<br />
# postconf -e smtpd_sasl_auth_enable=yes<br />
# postconf -e smtpd_relay_restrictions="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"<br />
<br />
==== LMTP configuration ====<br />
<br />
Use dovecot LMTP for delivery:<br />
<br />
# postconf -e virtual_transport=lmtp:unix:private/dovecot-lmtp<br />
<br />
==== TLS configuration ====<br />
<br />
If you intend to use STARTTLS (as you should), enable the mail submission port and restrict it to authenticated clients. Edit the following lines in {{ic|/etc/postfix/master.cf}} (replace '''internal.domain.tld'''):<br />
<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_sasl_type=dovecot<br />
-o smtpd_sasl_path=private/auth<br />
-o smtpd_sasl_security_options=noanonymous<br />
-o smtpd_client_restrictions=permit_sasl_authenticated,reject<br />
-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf<br />
-o smtpd_sender_restrictions=reject_sender_login_mismatch<br />
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br />
<br />
Add your certificates. If you intend to chroot postfix (not discussed in this guide, see here), these need to be placed in the postfix configuration directory as opposed to the default /etc/ssl/private directory. Additionally, any intermediate certs should be concatenated with the public cert being first in the chain and the key file should be owned by root with 0400 permission mode:<br />
<br />
# postconf -e smtpd_tls_key_file=/etc/postfix/ssl/'''mail.domain.tld.key'''<br />
# postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/'''mail.domain.tld.pem'''<br />
<br />
Create a map to verify addresses to authenticated users {{ic|/etc/postfix/ldap-sender.cf}}:<br />
<br />
# Directory settings<br />
server_host = localhost<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
version = 3<br />
scope = sub<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
leaf_result_attribute = proxyAddresses<br />
result_attribute = sAMAccountName<br />
<br />
Set permissions:<br />
# chown root:root /etc/postfix/ldap-sender.cf<br />
# chmod 0640 /etc/postfix/ldap-sender.cf<br />
<br />
If you would like to enable TLS on the default SMTP port, you should make it optional. If you make it required, you will not be able to receive mail from many hosts on the internet.<br />
<br />
# postconf -e smtpd_tls_security_level=may<br />
<br />
Reload postfix to apply the configuration changes:<br />
<br />
# postfix reload<br />
<br />
==== Testing the Postfix SASL configuration ====<br />
<br />
Begin by getting a base64 encoded version of your username and password (replace '''xxxxxxxx''' with your real password):<br />
<br />
$ echo -ne '\000Administrator\000'''xxxxxxxx'''' | openssl base64<br />
<br />
You should receive output similar to the following:<br />
<br />
AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=<br />
<br />
Now, open a ''telnet'' session and test (commands you enter are in bold, replace '''host.domain.tld''' with your real external FQDN and '''AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=''' with the result of the previous command):<br />
<br />
$ '''telnet localhost 25'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 host.domain.tld ESMTP Postfix<br />
'''ehlo host.domain.tld'''<br />
250-mail.lucasit.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH PLAIN LOGIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
'''AUTH PLAIN AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg='''<br />
235 2.7.0 Authentication successful<br />
'''quit'''<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
<br />
If you have gotten anything other than a 235 message, something is wrong and you should troubleshoot now rather than later.<br />
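As an added example, not from the wiki page, the following shell functions build the same PLAIN token that the echo/openssl one-liner above produces, and decode it again, which makes plain why the submission service insists on TLS: the token is base64, not encryption. Function names are assumptions, and coreutils {{ic|base64}} is assumed to be available.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): build and take apart the SASL PLAIN
# initial response used in the "AUTH PLAIN ..." test above.
# Wire format (RFC 4616): [authzid] NUL authcid NUL passwd, then base64.

# sasl_plain_token AUTHCID PASSWD [AUTHZID]  -> base64 token on stdout
sasl_plain_token() {
    authcid=$1 passwd=$2 authzid=${3:-}
    printf '%s\000%s\000%s' "$authzid" "$authcid" "$passwd" | base64 | tr -d '\n'
}

# sasl_plain_fields TOKEN -> three lines: authzid, authcid, passwd
# The token is only an encoding: anyone who can read the "AUTH PLAIN" line of
# an unencrypted port 25 session recovers the password this way, which is why
# the submission service above enforces smtpd_tls_security_level=encrypt.
sasl_plain_fields() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n'
}

# Accessors for the decoded fields (line 1 is the authzid, usually empty).
sasl_plain_authcid() { sasl_plain_fields "$1" | sed -n '2p'; }
sasl_plain_passwd()  { sasl_plain_fields "$1" | sed -n '3p'; }

# Demo with the page's placeholder credentials (Administrator / xxxxxxxx).
token=$(sasl_plain_token Administrator xxxxxxxx)
printf 'AUTH PLAIN %s\n' "$token"      # the line typed into the telnet session
printf 'decodes to user=%s pass=%s\n' \
    "$(sasl_plain_authcid "$token")" "$(sasl_plain_passwd "$token")"
```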
<br />
At this point, you have a fully functional mail server, though you will probably want to lock it down a bit tighter (which is not covered in this article). You could easily stop now and use any mail client you wish; however, you would miss out on the fun of Outlook, RPC/HTTPS, calendar, the GAL, and contacts. This additional functionality is provided by SOGo and OpenChange...<br />
<br />
=== SOGo final configuration ===<br />
<br />
==== PostgreSQL ====<br />
<br />
Select a strong password (63 random alphanumeric characters is good) for the sogo user and change it now:<br />
<br />
# su - postgres<br />
$ psql<br />
ALTER USER sogo WITH PASSWORD 'ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT';<br />
\q<br />
<br />
==== SOGo ====<br />
<br />
Create a suitable SOGo configuration file in {{ic|/etc/sogo/sogo.conf}} (replace items in bold with appropriate values):<br />
<br />
{<br />
/* Database Configuration */<br />
SOGoProfileURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_user_profile";<br />
OCSFolderInfoURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_folder_info";<br />
OCSSessionsFolderURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_sessions_folder";<br />
<br />
/* Mail */<br />
SOGoDraftsFolderName = Drafts;<br />
SOGoSentFolderName = Sent;<br />
SOGoTrashFolderName = Trash;<br />
SOGoIMAPServer = localhost;<br />
SOGoSieveServer = sieve://127.0.0.1:4190;<br />
SOGoSMTPServer = 127.0.0.1;<br />
SOGoMailDomain = '''internal'''.'''domain'''.'''tld''';<br />
SOGoMailingMechanism = smtp;<br />
SOGoForceExternalLoginWithEmail = NO;<br />
SOGoMailSpoolPath = /var/spool/sogo;<br />
NGImap4ConnectionStringSeparator = "/";<br />
<br />
/* Notifications */<br />
SOGoAppointmentSendEMailNotifications = NO;<br />
SOGoACLsSendEMailNotifications = NO;<br />
SOGoFoldersSendEMailNotifications = NO;<br />
<br />
/* Authentication */<br />
SOGoPasswordChangeEnabled = YES;<br />
<br />
/* User Authentication */<br />
SOGoUserSources = (<br />
{<br />
type = ldap;<br />
CNFieldName = cn;<br />
IDFieldName = cn;<br />
UIDFieldName = sAMAccountName;<br />
baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindFields = (sAMAccountName);<br />
bindPassword = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''';<br />
canAuthenticate = YES;<br />
displayName = "Active Directory";<br />
hostname = ldap://127.0.0.1:389;<br />
id = directory;<br />
isAddressBook = YES;<br />
}<br />
);<br />
<br />
/* Web Interface */<br />
SOGoPageTitle = SOGo;<br />
SOGoVacationEnabled = YES;<br />
SOGoForwardEnabled = YES;<br />
SOGoSieveScriptsEnabled = YES;<br />
SOGoMailAuxiliaryUserAccountsEnabled = YES;<br />
SOGoTrustProxyAuthentication = NO;<br />
<br />
/* General */<br />
SOGoLanguage = '''English''';<br />
SOGoTimeZone = '''America/Chicago''';<br />
SOGoCalendarDefaultRoles = (<br />
PublicDAndTViewer,<br />
ConfidentialDAndTViewer<br />
);<br />
SOGoSuperUsernames = (administrator);<br />
SxVMemLimit = 384;<br />
//WOPidFile = "/var/run/sogo/sogo.pid";<br />
SOGoMemcachedHost = "/var/run/memcached.sock";<br />
<br />
/* Debug */<br />
//SOGoDebugRequests = YES;<br />
//SoDebugBaseURL = YES;<br />
//ImapDebugEnabled = YES;<br />
//LDAPDebugEnabled = YES;<br />
//PGDebugEnabled = YES;<br />
//MySQL4DebugEnabled = YES;<br />
//SOGoUIxDebugEnabled = YES;<br />
//WODontZipResponse = YES;<br />
//WOLogFile = /var/log/sogo/sogo.log;<br />
<br />
}<br />
<br />
Then issue the following commands:<br />
# chown sogo:sogo /etc/sogo/sogo.conf<br />
# chmod 0600 /etc/sogo/sogo.conf<br />
# rm /etc/sogo/GNUstep/Defaults/sogod.plist<br />
# mkdir /var/spool/sogo<br />
# chown sogo:sogo /var/spool/sogo<br />
# chmod 700 /var/spool/sogo<br />
<br />
Now restart the {{ic|sogo}} service and try it out by visiting http://'''server.internal.domain.tld'''/SOGo/ .<br />
<br />
==== Apache ====<br />
<br />
If all is well with SOGo without SSL, go ahead and enable SSL in httpd (modify paths and filenames as necessary):<br />
<br />
# sed -e '/httpd-ssl.conf/s/#//' \<br />
-e '/modules\/mod_ssl.so/s/#//' \<br />
-e '/mod_socache_shmcb/s/#//' \<br />
-i /etc/httpd/conf/httpd.conf<br />
# sed -e '/^SSLCertificateFile/s@/etc/httpd/conf/server.crt@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.pem@' \<br />
-e '/^SSLCertificateKeyFile/s@/etc/httpd/conf/server.key@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.key@' \<br />
-i /etc/httpd/conf/extra/httpd-ssl.conf<br />
<br />
Now go ahead and edit the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file and uncomment the following lines, editing them to suit your site:<br />
<br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "'''mail'''.'''domain'''.'''tld'''"<br />
RequestHeader set "x-webobjects-server-url" "<nowiki>https://</nowiki>'''mail'''.'''domain'''.'''tld'''"<br />
<br />
Restart {{ic|httpd}} service for the changes to take effect.<br />
<br />
Visit the regular http page; it should redirect you to the https site.<br />
<br />
=== OpenChange final configuration ===<br />
{{Out of date|Recent versions of Samba have left OCSManager/MAPIProxy in an unusable state. Fortunately, with SOGo-2.2, the new ActiveSync code should eliminate the need for OCSManager with Outlook 2013+.}}<br />
<br />
==== OCSManager ====<br />
<br />
OCSManager is a Python Paste servlet that listens specifically for autodiscover, EWS, and RPCProxy requests.<br />
Create a backup copy of the {{ic|/etc/ocsmanager/ocsmanager.ini}} file:<br />
<br />
# mv /etc/ocsmanager/ocsmanager.ini{,.bak}<br />
<br />
Set up OCSManager with the {{ic|/etc/ocsmanager/ocsmanager.ini}} file (replace the items in italic type with appropriate values):<br />
<br />
#<br />
# ocsmanager - Pylons configuration<br />
#<br />
# The %(here)s variable will be replaced with the parent directory of this file<br />
#<br />
[DEFAULT]<br />
debug = true<br />
email_to = ''postmaster@domain.tld''<br />
smtp_server = localhost<br />
error_email_from = ''postmaster@domain.tld''<br />
<br />
[main]<br />
auth = ldap<br />
mapistore_root = /var/lib/samba/private<br />
mapistore_data = /var/lib/samba/private/mapistore<br />
debug = yes<br />
<br />
[auth:ldap]<br />
host = ldap://''server.domain.tld''<br />
port = 389<br />
bind_dn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
bind_pw = ''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''<br />
basedn = ''CN=ldap,CN=Users,DC=internal,DC=domain,DC=tld''<br />
#filter = (cn=%s)<br />
#attrs = userPassword, x-isActive<br />
<br />
[server:main]<br />
use = egg:Paste#http<br />
host = ''server.internal.domain.tld''<br />
port = 5000<br />
protocol_version = HTTP/1.1<br />
<br />
[app:main]<br />
use = egg:ocsmanager<br />
full_stack = true<br />
static_files = true<br />
cache_dir = %(here)s/data<br />
beaker.session.key = ocsmanager<br />
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f<br />
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}<br />
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler<br />
SAMBA_HOST = ''server.internal.domain.tld''<br />
<br />
[rpcproxy:ldap]<br />
host = ''server.internal.domain.tld''<br />
port = 389<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
<br />
# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*<br />
# Debug mode will enable the interactive debugging tool, allowing ANYONE to<br />
# execute malicious code after an exception is raised.<br />
set debug = false<br />
<br />
# Logging configuration<br />
[loggers]<br />
keys = root<br />
<br />
[handlers]<br />
keys = console<br />
<br />
[formatters]<br />
keys = generic<br />
<br />
[logger_root]<br />
level = INFO<br />
handlers = console<br />
<br />
[handler_console]<br />
class = StreamHandler<br />
args = (sys.stderr,)<br />
level = NOTSET<br />
formatter = generic<br />
<br />
[formatter_generic]<br />
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s<br />
<br />
Then start and enable the {{ic|ocsmanager}} service.<br />
<br />
==== Adding OpenChange MAPIProxy and OCSManager to Apache ====<br />
<br />
This is the part that glues it all together. Add the following to the end of {{ic|/etc/httpd/conf/httpd.conf}} file (or virtual host configuration file):<br />
<br />
LoadModule wsgi_module modules/mod_wsgi.so<br />
include conf/extra/rpcproxy.conf<br />
include conf/extra/ocsmanager-apache.conf<br />
<br />
Now just restart {{ic|httpd}} and {{ic|samba}}. If you have made it this far, and your DNS is configured correctly, you should be able to configure an Outlook client with only an email address, username, and password. For Outlook (or other MAPI clients that support RPC/HTTPS), you need to open only port 443 at the edge. Obviously, you still need to consider additional configuration for Postfix (spam and virus filtering, more restrictive use of SMTPD and SMTP, open ports 25 and 587) if you intend to receive mail from the internet. You will probably also want to move the various HTTPD pieces into virtual hosts, provide redirection on 80 for secure services, etc., but those exercises are covered in great detail elsewhere.</div>Templishttps://wiki.archlinux.org/index.php?title=OpenChange_server&diff=361147OpenChange server2015-02-14T19:41:57Z<p>Templis: /* Dovecot configuration */ Adding sieve for correctly working SoGo config</p>
<hr />
<div>[[Category:Mail Server]]<br />
{{Related articles start}}<br />
{{Related|Samba}}<br />
{{Related|Samba/Tips and tricks}}<br />
{{Related|Samba/Troubleshooting}}<br />
{{Related|Samba/Advanced file sharing with KDE4}}<br />
{{Related|Samba Domain Controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related|Samba 4 Active Directory Domain Controller}}<br />
{{Related articles end}}<br />
<br />
This article explains how to set up a mail server using OpenChange server, following on from the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] article. Postfix is used for the MTA, Dovecot for the IMAP/POP server, and SOGo for the backend, with all users stored in Samba's Active Directory (normal Exchange attributes are used throughout).<br />
<br />
== Installation ==<br />
<br />
=== Prerequisites ===<br />
<br />
Install the needed prerequisite packages:<br />
<br />
# pacman -S apache postgresql postfix dovecot mariadb<br />
<br />
Install {{AUR|openchange-server}}, {{AUR|sope}}, {{AUR|sogo}}, {{AUR|sogo-openchange}}, and {{AUR|mysql-python-embedded}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
=== MySQL/MariaDB ===<br />
<br />
Enable and start MySQL/MariaDB with the following commands, then connect to mysql as the root user:<br />
<br />
# systemctl enable mysqld.service<br />
# systemctl start mysqld.service<br />
# mysql -u root<br />
<br />
At the mysql prompt, enter the following commands (replace '''OpenchangePW''' with a secure password):<br />
<br />
CREATE DATABASE openchange;<br />
CREATE USER 'openchange'@'localhost' IDENTIFIED BY ''''OpenchangePW'''';<br />
GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchange'@'localhost' WITH GRANT OPTION;<br />
FLUSH PRIVILEGES;<br />
<br />
=== Initial OpenChange configuration ===<br />
<br />
==== Samba ====<br />
<br />
Make a backup copy of your existing samba configuration:<br />
<br />
# cp /etc/samba/smb.conf{,.bak}<br />
<br />
Append the following lines to the "[global]" section of the {{ic|/etc/samba/smb.conf}} file. Be sure to replace '''OpenchangePW''':<br />
<br />
...<br />
# Begin OpenChange Server Configuration<br />
dcerpc endpoint servers = +epmapper, +mapiproxy, +dnsserver<br />
dcerpc_mapiproxy:server = true<br />
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr<br />
mapistore:namedproperties = mysql<br />
namedproperties:mysql_user = openchange<br />
namedproperties:mysql_pass = '''OpenchangePW'''<br />
namedproperties:mysql_host = localhost<br />
namedproperties:mysql_db = openchange<br />
mapistore:indexing_backend = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
mapiproxy:openchangedb = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
# End OpenChange Server Configuration<br />
...<br />
<br />
==== OpenChange ====<br />
<br />
Next, provision OpenChange in standalone mode and create the openchange DB. Once again, replace '''OpenchangePW''':<br />
<br />
# openchange_provision --standalone<br />
# openchange_provision --openchangedb --openchangedb-uri mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
<br />
Enable mail for the first user (we will use administrator):<br />
<br />
# openchange_newuser --create Administrator<br />
<br />
Restart {{ic|samba}}.<br />
<br />
At this point, you should verify that all samba services are working as expected. Use the tests in the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] guide in addition to testing RPC from a Windows client (simply connect with RSAT tools or something similar). If all is well, then continue. If not, restore the backup of {{ic|smb.conf}} until you can track down the problem.<br />
<br />
Finally, verify that you can edit user properties. For this, we will use ldbedit, which lets you modify user attributes directly. The relevant attributes are mail and proxyAddresses. The proxyAddresses entry labeled SMTP (as opposed to smtp) is the default mail address. If using internal and external domains, you will need to set SMTP to the external address, as this will be the SMTP From address and envelope sender in outgoing messages. Replace ''vim'' in the following command with your preferred editor:<br />
<br />
# LDB_MODULES_PATH="/usr/lib/samba/ldb" ldbedit -e ''vim'' -H /var/lib/samba/private/sam.ldb '(samaccountname=administrator)'<br />
<br />
If you first followed the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] article, you should see text similar to the following in the editor window (substituting '''internal'''.'''domain'''.'''tld''' with your domain's values):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: SMTP:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...}}<br />
It is important to change both the '''mail''' attribute (this is what we will use for group expansion), and the primary '''SMTP''' address. Change it to the following (again, substitute appropriate values for '''internal'''.'''domain'''.'''tld''' and '''domain'''.'''tld'''):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: smtp:postmaster@'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: smtp:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: SMTP:administrator@'''domain'''.'''tld'''<br />
...}}<br />
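The two rules above (exactly one upper-case {{ic|SMTP:}} entry, and {{ic|mail}} equal to it) can be checked mechanically against ldbedit/ldbsearch output. The following script is an added example, not part of this article; the ldbsearch invocation in its comment and the sample entries are assumptions constructed for the example.<br />
<br />
```bash
# Added example (not from the wiki article): verify an AD mail user's
# mail/proxyAddresses invariant. Exchange-style recipients carry exactly one
# primary address, tagged with upper-case "SMTP:", and the article requires the
# "mail" attribute (used for group expansion) to match it. Input is LDIF as
# printed by ldbedit or ldbsearch, for example (assumed invocation):
#
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(samaccountname=administrator)' mail proxyAddresses | check_primary_smtp domain.tld

# check_primary_smtp [expected-domain] < ldif
# Exit 0 when the entry is consistent, 1 otherwise; prints a one-line verdict.
check_primary_smtp() {
    awk -v want="${1:-}" '
        # LDIF folds long values; a continuation line starts with one space
        /^ / { cur = cur substr($0, 2); next }
        { if (cur != "") handle(cur); cur = $0 }
        END {
            if (cur != "") handle(cur)
            if (nmail != 1) fail("expected one mail attribute, found " (nmail + 0))
            if (nprimary != 1) fail("expected exactly one primary SMTP: address, found " (nprimary + 0))
            if (tolower(mail) != tolower(primary)) fail("mail=" mail " differs from primary SMTP:" primary)
            if (want != "") {
                dom = substr(primary, index(primary, "@") + 1)
                if (tolower(dom) != tolower(want)) fail("primary address is in " dom ", expected " want)
            }
            print "OK: primary SMTP:" primary " matches mail, " (nsecondary + 0) " secondary smtp: alias(es)"
        }
        function fail(msg) { print "FAIL: " msg; exit 1 }
        function handle(line,    i, name, value, tag) {
            i = index(line, ": ")
            if (i == 0) return
            name = tolower(substr(line, 1, i - 1))   # attribute names are case-insensitive
            value = substr(line, i + 2)
            if (name == "mail") { mail = value; nmail++ }
            else if (name == "proxyaddresses") {
                tag = substr(value, 1, 5)
                # only the all-upper-case tag marks the primary (envelope-from) address
                if (tag == "SMTP:") { primary = substr(value, 6); nprimary++ }
                else if (tolower(tag) == "smtp:") nsecondary++
            }
        }
    '
}

# Constructed sample: the corrected entry from the article (with one folded line).
sample_consistent() {
    cat <<'EOF'
dn: CN=Administrator,CN=Users,DC=internal,DC=domain,DC=tld
mail: Administrator@domain.tld
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Re
 cipients/cn=Administrator
proxyAddresses: smtp:postmaster@internal.domain.tld
proxyAddresses: smtp:postmaster@domain.tld
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator
proxyAddresses: smtp:Administrator@internal.domain.tld
proxyAddresses: SMTP:administrator@domain.tld
EOF
}

# Constructed sample: mail was changed but the primary SMTP: address was not.
sample_half_edited() {
    cat <<'EOF'
dn: CN=Administrator,CN=Users,DC=internal,DC=domain,DC=tld
mail: Administrator@domain.tld
proxyAddresses: smtp:postmaster@internal.domain.tld
proxyAddresses: SMTP:Administrator@internal.domain.tld
EOF
}

echo "== consistent entry =="
sample_consistent | check_primary_smtp domain.tld || true
echo "== half-edited entry =="
sample_half_edited | check_primary_smtp domain.tld || true
```
<br />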
<br />
=== Initial SOGo configuration ===<br />
<br />
==== Apache httpd ====<br />
<br />
Add SOGo to the Apache configuration by appending the following lines at the end of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
...<br />
# Include SOGo configuration<br />
include conf/extra/SOGo.conf<br />
<br />
Create the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
<nowiki>Alias /SOGo.woa/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
Alias /SOGo/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
<br />
<Directory /usr/lib/GNUstep/SOGo/><br />
AllowOverride None<br />
<br />
<IfVersion < 2.4><br />
Order deny,allow<br />
Allow from all<br />
</IfVersion><br />
<IfVersion >= 2.4><br />
Require all granted<br />
</IfVersion><br />
<br />
# Explicitly allow caching of static content to avoid browser specific behavior.<br />
# A resource's URL MUST change in order to have the client load the new version.<br />
<IfModule expires_module><br />
ExpiresActive On<br />
ExpiresDefault "access plus 1 year"<br />
</IfModule><br />
</Directory><br />
<br />
## Uncomment the following to enable proxy-side authentication, you will then<br />
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and<br />
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section<br />
## below.<br />
#<Location /SOGo><br />
# AuthType XXX<br />
# Require valid-user<br />
# SetEnv proxy-nokeepalive 1<br />
# Allow from all<br />
#</Location><br />
<br />
ProxyRequests Off<br />
SetEnv proxy-nokeepalive 1<br />
ProxyPreserveHost On<br />
<br />
# When using CAS, you should uncomment this and install cas-proxy-validate.py<br />
# in /usr/lib/cgi-bin to reduce server overloading<br />
#<br />
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py<br />
# <Proxy http://localhost/app/cas-proxy-validate.py><br />
# Order deny,allow<br />
# Allow from your-cas-host-addr<br />
# </Proxy><br />
<br />
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0<br />
<br />
# Enable to use Microsoft ActiveSync support<br />
# Note that you MUST have many sogod workers to use ActiveSync.<br />
# See the SOGo Installation and Configuration guide for more details.<br />
#<br />
#ProxyPass /Microsoft-Server-ActiveSync \<br />
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \<br />
# retry=60 connectiontimeout=5 timeout=360<br />
<br />
<Proxy http://127.0.0.1:20000/SOGo><br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
RequestHeader set "x-webobjects-server-url" "https://</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
<br />
## When using proxy-side authentication, you need to uncomment and<br />
## adjust the following line:<br />
# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"<br />
<br />
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"<br />
<br />
AddDefaultCharset UTF-8<br />
<br />
Order allow,deny<br />
Allow from all<br />
</Proxy><br />
<br />
# For Apple autoconfiguration<br />
<IfModule rewrite_module><br />
RewriteEngine On<br />
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]<br />
</IfModule></nowiki><br />
<br />
Create the state directory and start services:<br />
<br />
# mkdir /var/run/sogo<br />
# chown sogo:sogo /var/run/sogo<br />
<br />
Then enable and start the {{ic|sogo}} and {{ic|httpd}} services.<br />
<br />
Open a browser and go to http://server.internal.domain.tld/SOGo/ but do not try to log in just yet; just verify that you can connect and get the login screen.<br />
<br />
<br />
==== NGinX httpd ====<br />
<br />
I've added this to my {{ic|/etc/nginx/nginx.conf}}:<br />
<br />
server {<br />
# "ssl on;" was removed in nginx 1.25; "listen ... ssl" is the equivalent form<br />
listen 443 ssl;<br />
root /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
server_name sogo.domain.tld;<br />
server_tokens off;<br />
client_max_body_size 100M;<br />
index index.php index.html index.htm;<br />
autoindex off;<br />
ssl_certificate /path/to/your/certfile; #eg. /etc/ssl/certs/keyfile.crt<br />
ssl_certificate_key /path/to/your/keyfile; #eg /etc/ssl/private/keyfile.key<br />
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';<br />
# TLSv1 and TLSv1.1 are deprecated; drop them once your clients no longer need them<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
ssl_session_cache shared:SSL:10m;<br />
#optional ssl_stapling on;<br />
#optional ssl_stapling_verify on;<br />
#optional ssl_trusted_certificate /etc/ssl/private/cacert-stapeling.pem;<br />
#optional resolver 8.8.4.4 8.8.8.8 valid=300s;<br />
#optional resolver_timeout 10s;<br />
ssl_prefer_server_ciphers on;<br />
#optional ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />
#optional add_header Strict-Transport-Security max-age=63072000;<br />
#optional add_header X-Frame-Options DENY;<br />
#optional add_header X-Content-Type-Options nosniff;<br />
location = / {<br />
rewrite ^ https://$server_name/SOGo;<br />
allow all;<br />
}<br />
location = /principals/ {<br />
rewrite ^ https://$server_name/SOGo/dav;<br />
allow all;<br />
}<br />
location ^~ /SOGo {<br />
proxy_pass http://127.0.0.1:20000;<br />
proxy_redirect http://127.0.0.1:20000 default;<br />
# forward user's IP address<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $host;<br />
proxy_set_header x-webobjects-server-protocol HTTP/1.0;<br />
proxy_set_header x-webobjects-remote-host 127.0.0.1;<br />
proxy_set_header x-webobjects-server-name $server_name;<br />
proxy_set_header x-webobjects-server-url $scheme://$host;<br />
proxy_connect_timeout 90;<br />
proxy_send_timeout 90;<br />
proxy_read_timeout 90;<br />
proxy_buffer_size 4k;<br />
proxy_buffers 4 32k;<br />
proxy_busy_buffers_size 64k;<br />
proxy_temp_file_write_size 64k;<br />
client_max_body_size 50m;<br />
client_body_buffer_size 128k;<br />
break;<br />
}<br />
location /SOGo.woa/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
location /SOGo/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
# regex locations need the "~" modifier; without it nginx treats "^/SOGo/..." as a literal prefix<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
# the alias uses $1 and $2, so the product name and the resource path must be captured<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*UI)/Resources/(.*\.(jpg|png|gif|css|js))$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
}<br />
<br />
<br />
==== PostgreSQL ====<br />
<br />
Initialize the default database cluster and start PostgreSQL (be sure to replace '''en_US.UTF-8''' with the correct locale for your installation):<br />
<br />
# mkdir -p /var/lib/postgres/data<br />
# chown -R postgres:postgres /var/lib/postgres<br />
# su - postgres -c "initdb --locale '''en_US.UTF-8''' -D '/var/lib/postgres/data'"<br />
<br />
Then enable and start the {{ic|postgresql}} service.<br />
<br />
Create the sogo user and the sogo DB for PostgreSQL (do not select a strong password for the sogo user, just use "sogo" for simplicity. This is temporary and we will change it later):<br />
<br />
# su - postgres<br />
$ createuser --no-superuser --no-createdb --no-createrole --encrypted --pwprompt sogo<br />
$ createdb -O sogo sogo<br />
<br />
Edit the access configuration for the openchange DB:<br />
<br />
# cp /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
# sed \<br />
's/D$/D\n\n#Configuration for OpenChange/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# sed \<br />
's/ange$/ange\nhost\topenchange\topenchange\t127.0.0.1\/32\t\tmd5/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# chown postgres:postgres /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
<br />
Restart the {{ic|postgresql}} service.<br />
<br />
==== SOGo ====<br />
<br />
Configure SOGo defaults with the following commands (be certain to replace '''REGION/LOCALITY''', '''SAMBAADMINPASSWORD''', and dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values):<br />
<br />
# su - sogo -s /bin/bash<br />
$ defaults write sogod SOGoTimeZone "'''REGION/LOCALITY'''"<br />
$ defaults write sogod OCSFolderInfoURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"<br />
$ defaults write sogod SOGoProfileURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"<br />
$ defaults write sogod OCSSessionsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"<br />
$ defaults write sogod OCSEMailAlarmsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_alarm_folder"<br />
$ defaults write sogod SOGoUserSources '({CNFieldName = displayName; IDFieldName = cn; UIDFieldName = sAMAccountName; IMAPHostFieldName =; baseDN = "cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindDN = "cn=Administrator,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindPassword = "'''SAMBAADMINPASSWORD'''"; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = "localhost"; id = public; isAddressBook = YES; port = 389;})'<br />
$ defaults write sogod WONoDetach NO<br />
$ defaults write sogod WOLogFile /var/log/sogo/sogo.log<br />
$ defaults write sogod WOPidFile /var/run/sogo/sogo.pid<br />
$ exit<br />
<br />
Next, edit the Apache SOGo configuration file, {{ic|/etc/httpd/conf/extra/SOGo.conf}}, and comment out the following lines for testing (until your SSL certificates are in place and the configuration is complete):<br />
<br />
{{bc|<br />
## adjust the following to your configuration<br />
# RequestHeader set "x-webobjects-server-port" "443"<br />
# RequestHeader set "x-webobjects-server-name" "yourhostname"<br />
# RequestHeader set "x-webobjects-server-url" "<nowiki>https://yourhostname</nowiki>"<br />
}}<br />
<br />
Give the root user the GNUStep configuration for the sogo user:<br />
<br />
# ln -s /etc/sogo/GNUStep /root/GNUStep<br />
<br />
=== Initial Postfix configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a minimal Postfix configuration (replace '''server'''.'''internal'''.'''domain.tld''' with a valid internal FQDN):<br />
<br />
# postconf -e myhostname='''server'''.'''internal'''.'''domain.tld'''<br />
# postconf -e mydestination=localhost<br />
<br />
If this server will be accessible from the internet, set the HELO/EHLO values to match the FQDN as seen from the internet (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
# postconf -e smtp_helo_name='''mail'''.'''domain'''.'''tld'''<br />
# postconf -e smtpd_banner='$smtp_helo_name ESMTP $mail_name'<br />
<br />
Enable and start {{ic|postfix}}.<br />
<br />
==== Virtual user configuration ====<br />
<br />
Create a vmail user and set up Postfix to use it:<br />
<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
# chmod 750 /home/vmail<br />
# postconf -e virtual_minimum_uid=5000<br />
# postconf -e virtual_uid_maps=static:5000<br />
# postconf -e virtual_gid_maps=static:5000<br />
# postconf -e virtual_mailbox_base=/home/vmail<br />
# postfix reload<br />
<br />
==== LDAP configuration ====<br />
<br />
Next we need to tell Postfix how to look up users. To do this, you will need to create an unprivileged user for LDAP lookups (select a suitably strong password; 63 random mixed-case alphanumeric characters should be good):<br />
<br />
# samba-tool user create ldap --description="Unprivileged user for LDAP lookups"<br />
<br />
Now, create LDAP alias and group maps for Postfix by pasting the following lines into the file {{ic|/etc/postfix/ldap-alias.cf}} as root (replace dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values and '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''' with a random password of your choosing):<br />
<br />
# Directory settings<br />
server_host = 127.0.0.1<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = sub<br />
version = 3<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
result_attribute = samaccountname<br />
result_format = %s@'''internal'''.'''domain'''.'''tld'''<br />
<br />
Create the group map:<br />
<br />
# sed -e '/^query/d' \<br />
-e '/^result/d' \<br />
/etc/postfix/ldap-alias.cf > /etc/postfix/ldap-group.cf<br />
<br />
Append the following lines to the newly created {{ic|/etc/postfix/ldap-group.cf}} (in the #Filter section):<br />
<br />
query_filter = (&(objectclass=group)(mail=%s))<br />
special_result_attribute = member<br />
leaf_result_attribute = mail<br />
<br />
Set the permissions:<br />
<br />
# chmod 0600 /etc/postfix/ldap-{alias,group}.cf<br />
<br />
Next, test the lookup maps for users (groups have not yet been created), substituting '''internal'''.'''domain'''.'''tld''':<br />
<br />
# postmap -q administrator@'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
# postmap -q administrator@'''internal'''.'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
<br />
You should receive the following output for both commands:<br />
<br />
Administrator@internal.domain.tld<br />
<br />
Append any other hosted domains to the first command below, add the maps, and then reload the Postfix configuration (again replacing domain values):<br />
<br />
# postconf -e virtual_mailbox_domains="'''domain'''.'''tld''', '''internal'''.'''domain'''.'''tld'''"<br />
# postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-group.cf"<br />
# postfix reload<br />
<br />
At this point, Dovecot will need to be configured before completing the Postfix configuration, as Dovecot SASL and LMTP will be used for authentication and delivery (respectively).<br />
<br />
=== Dovecot configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a very basic dovecot configuration:<br />
<br />
# cp /etc/dovecot/dovecot.conf{.sample,}<br />
# chown root:root /etc/dovecot/dovecot.conf<br />
<br />
Then create the file {{ic|/etc/dovecot/conf.d/local.conf}} with this content:<br />
<br />
auth_mechanisms = plain login<br />
disable_plaintext_auth = no<br />
ssl = no<br />
auth_username_format = %n<br />
mail_location = /home/vmail/%Lu/Maildir<br />
<br />
Enable and start {{ic|dovecot}}.<br />
<br />
==== LDAP configuration ====<br />
<br />
Add the LDAP lookup configuration in {{ic|/etc/dovecot/conf.d/ldap.conf}}:<br />
<br />
passdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-passdb.conf<br />
}<br />
userdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-userdb.conf<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/ldap.conf<br />
# chown root:root /etc/dovecot/conf.d/ldap.conf<br />
<br />
Create the LDAP user and password configuration files (replace dc='''internal''',dc='''domain''',dc='''tld''' and '''INTERNAL''' with appropriate values):<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-passdb.conf}}<br />
hosts = localhost<br />
auth_bind = yes<br />
auth_bind_userdn = '''INTERNAL'''\%u<br />
ldap_version = 3<br />
base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = subtree<br />
deref = never<br />
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-userdb.conf}}<br />
hosts = localhost<br />
dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
dnpass = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
ldap_version = 3<br />
# The base must be cn=Users for OpenChange at the moment<br />
base = cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
user_attrs = =uid=5000,=gid=5000,=home=/home/vmail/%Lu,=mail=maildir:/home/vmail/%Lu/Maildir/<br />
user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
# Attributes and filter to get a list of all users<br />
iterate_attrs = sAMAccountName=user<br />
iterate_filter = (objectClass=person)<br />
<br />
Set permissions:<br />
# chown root:root /etc/dovecot/dovecot-ldap-{pass,user}db.conf<br />
# chmod 0600 /etc/dovecot/dovecot-ldap-userdb.conf<br />
# chmod 0644 /etc/dovecot/dovecot-ldap-passdb.conf<br />
<br />
Create the SASL configuration {{ic|/etc/dovecot/conf.d/sasl.conf}}:<br />
<br />
service auth {<br />
unix_listener /var/spool/postfix/private/auth {<br />
mode = 0660<br />
user = postfix<br />
group = postfix<br />
}<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/sasl.conf<br />
# chown root:root /etc/dovecot/conf.d/sasl.conf<br />
<br />
Reload Dovecot for the configuration to take effect:<br />
<br />
# dovecot reload<br />
<br />
==== Testing Dovecot authentication ====<br />
<br />
Open a ''telnet'' session and test (commands you enter are in bold, replace ''xxxxxxxx'' with your real password):<br />
<br />
'''telnet localhost 143'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br />
'''a LOGIN Administrator xxxxxxxx'''<br />
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in<br />
'''a LOGOUT'''<br />
* BYE Logging out<br />
. OK Logout completed.<br />
Connection closed by foreign host.<br />
<br />
If you have received anything other than OK, go back and double check your configuration before continuing.<br />
<br />
==== LMTP configuration ====<br />
<br />
Create the LMTP configuration file {{ic|/etc/dovecot/conf.d/lmtp.conf}}:<br />
<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@'''domain'''.'''tld'''<br />
}<br />
<br />
# chmod 0644 /etc/dovecot/conf.d/lmtp.conf<br />
# dovecot reload<br />
<br />
==== TLS configuration ====<br />
<br />
Put your certificate files into place and create the TLS configuration file {{ic|/etc/dovecot/conf.d/tls.conf}} (adjust paths and names as necessary). The key file should be owned by root with 0400 permissions. Any intermediate certificates should be concatenated after the public certificate:<br />
<br />
ssl = yes<br />
ssl_cert = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.pem<br />
ssl_key = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key<br />
<br />
# chmod 644 /etc/dovecot/conf.d/tls.conf<br />
<br />
Remove the earlier explicitly defined values from {{ic|local.conf}} and reload Dovecot:<br />
<br />
# sed -e '/^ssl/d' -e '/disable_plaintext/s/no/yes/' \<br />
-i /etc/dovecot/conf.d/local.conf<br />
# dovecot reload<br />
<br />
==== Sieve configuration ====<br />
<br />
Edit {{ic|/etc/dovecot/dovecot.conf}} and set the protocols line:<br />
<br />
protocols = imap lmtp sieve<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/local.conf}} and add:<br />
<br />
plugin {<br />
sieve_before = /home/vmail/sieve/spam-global.sieve<br />
sieve = /home/vmail/%Lu/dovecot.sieve<br />
sieve_dir = /home/vmail/%Lu/sieve<br />
}<br />
<br />
Create the directory, change its owner, and add the default rule:<br />
<br />
# mkdir /home/vmail/sieve/<br />
# touch /home/vmail/sieve/spam-global.sieve<br />
# chown -R vmail:vmail /home/vmail/sieve<br />
<br />
Edit {{ic|/home/vmail/sieve/spam-global.sieve}} and add these lines:<br />
<br />
require "fileinto";<br />
if header :contains "X-Spam-Flag" "YES" {<br />
fileinto "Spam";<br />
}<br />
<br />
Edit {{ic|/etc/dovecot/conf.d/lmtp.conf}} so that the file looks like this (added lines in bold):<br />
<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@domain.tld<br />
'''mail_plugins = sieve'''<br />
}<br />
<br />
'''plugin {'''<br />
'''sieve_before = /home/vmail/sieve/spam-global.sieve'''<br />
'''sieve = /home/vmail/%Lu/dovecot.sieve'''<br />
'''sieve_dir = /home/vmail/%Lu/sieve'''<br />
'''}'''<br />
<br />
=== Postfix final configuration ===<br />
<br />
==== SASL configuration ====<br />
<br />
Modify the default smtpd instance:<br />
<br />
# postconf -e smtpd_sasl_type=dovecot<br />
# postconf -e smtpd_sasl_path=private/auth<br />
# postconf -e smtpd_sasl_auth_enable=yes<br />
# postconf -e smtpd_relay_restrictions="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"<br />
<br />
==== LMTP configuration ====<br />
<br />
Use dovecot LMTP for delivery:<br />
<br />
# postconf -e virtual_transport=lmtp:unix:private/dovecot-lmtp<br />
<br />
==== TLS configuration ====<br />
<br />
If you intend to use STARTTLS (as you should), enable the mail submission port and restrict it to authenticated clients. Edit the following lines in {{ic|/etc/postfix/master.cf}} (replace '''internal.domain.tld'''):<br />
<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_sasl_type=dovecot<br />
-o smtpd_sasl_path=private/auth<br />
-o smtpd_sasl_security_options=noanonymous<br />
-o smtpd_client_restrictions=permit_sasl_authenticated,reject<br />
-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf<br />
-o smtpd_sender_restrictions=reject_sender_login_mismatch<br />
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br />
<br />
Add your certificates. If you intend to chroot postfix (not discussed in this guide, see here), these need to be placed in the postfix configuration directory as opposed to the default /etc/ssl/private directory. Additionally, any intermediate certs should be concatenated with the public cert being first in the chain and the key file should be owned by root with 0400 permission mode:<br />
<br />
# postconf -e smtpd_tls_key_file=/etc/postfix/ssl/'''mail.domain.tld.key'''<br />
# postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/'''mail.domain.tld.pem'''<br />
<br />
Create a map to verify addresses to authenticated users {{ic|/etc/postfix/ldap-sender.cf}}:<br />
<br />
# Directory settings<br />
server_host = localhost<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
version = 3<br />
scope = sub<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
leaf_result_attribute = proxyAddresses<br />
result_attribute = sAMAccountName<br />
<br />
Set permissions:<br />
# chown root:root /etc/postfix/ldap-sender.cf<br />
# chmod 0640 /etc/postfix/ldap-sender.cf<br />
<br />
If you would like to enable TLS on the default SMTP port, you should make it optional. If you make it required, you will not be able to receive mail from many hosts on the internet.<br />
<br />
# postconf -e smtpd_tls_security_level=may<br />
<br />
Reload postfix to apply the configuration changes:<br />
<br />
# postfix reload<br />
<br />
==== Testing the Postfix SASL configuration ====<br />
<br />
Begin by getting a base64 encoded version of your username and password (replace '''xxxxxxxx''' with your real password):<br />
<br />
$ echo -ne '\000Administrator\000'''xxxxxxxx'''' | openssl base64<br />
<br />
You should receive output similar to the following:<br />
<br />
AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=<br />
<br />
Now, open a ''telnet'' session and test (commands you enter are in bold, replace '''host.domain.tld''' with your real external FQDN and '''AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=''' with the result of the previous command):<br />
<br />
$ '''telnet localhost 25'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 host.domain.tld ESMTP Postfix<br />
'''ehlo host.domain.tld'''<br />
250-mail.lucasit.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH PLAIN LOGIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
'''AUTH PLAIN AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg='''<br />
235 2.7.0 Authentication successful<br />
'''quit'''<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
<br />
If you have gotten anything other than a 235 message, something is wrong and you should troubleshoot now rather than later.<br />
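The credential string pasted after {{ic|AUTH PLAIN}} above is the RFC 4616 PLAIN message (empty authorization identity, NUL, username, NUL, password) in base64. The following script is an added example, not part of this article: it builds that token the same way, shows how to read the username back out of one, and replays the EHLO/AUTH/QUIT exchange without an interactive telnet session. The helper names and the use of {{ic|nc}} are assumptions for the example.<br />
<br />
```bash
# Added example (not from the wiki article): SASL PLAIN token handling for the
# Postfix AUTH test. Helper names and the nc-based dialogue are assumptions.

# base64 helpers: coreutils base64 when present, otherwise openssl as the article uses
b64enc() { if command -v base64 >/dev/null 2>&1; then base64 | tr -d '\n'; else openssl base64 -A; fi; }
b64dec() { if command -v base64 >/dev/null 2>&1; then base64 -d; else openssl base64 -A -d; fi; }

# sasl_plain_token USER PASS
# RFC 4616 PLAIN is "authzid NUL authcid NUL passwd"; the article leaves the
# authorization identity empty, so the message starts with a NUL byte.
# printf is used instead of "echo -ne": echo's escape handling is not portable,
# and %s passes the password through as data without interpreting it.
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | b64enc
}

# sasl_plain_authcid TOKEN
# Prints the authentication identity (second NUL-separated field) of a token,
# so a credential found in a client config or a capture can be attributed to a
# user without printing its password.
sasl_plain_authcid() {
    printf '%s' "$1" | b64dec | tr '\000' '\n' | sed -n '2p'
}

# smtp_auth_check HOST PORT TOKEN [EHLO-NAME]
# Sends the article's EHLO / AUTH PLAIN / QUIT sequence and succeeds only on a
# "235 ..." reply; the full transcript is echoed for inspection. Needs network
# access and nc, so the test below does not exercise it. This mirrors the
# cleartext port-25 test in the article; on the submission port
# (smtpd_tls_security_level=encrypt) AUTH is only offered after STARTTLS, so
# use "openssl s_client -starttls smtp" there instead.
smtp_auth_check() {
    host=$1; port=$2; token=$3; me=${4:-localhost}
    reply=$(
        {
            sleep 1; printf 'EHLO %s\r\n' "$me"
            sleep 1; printf 'AUTH PLAIN %s\r\n' "$token"
            sleep 1; printf 'QUIT\r\n'
        } | nc -w 5 "$host" "$port"
    )
    printf '%s\n' "$reply"
    printf '%s\n' "$reply" | grep -q '^235 '
}

# Demo with the article's placeholder password. For a real password prefer
# "read -r -s" over a command-line argument so it does not land in shell history.
tok=$(sasl_plain_token Administrator xxxxxxxx)
printf 'token: %s  (authenticates as %s)\n' "$tok" "$(sasl_plain_authcid "$tok")"
# smtp_auth_check localhost 25 "$tok" host.domain.tld
```
<br />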
<br />
At this point, you have a fully functional mail server, though you will probably want to lock it down a bit tighter (which is not covered in this article). You could easily stop now and use any mail client you wish; however, you would miss out on the fun of Outlook, RPC/HTTPS, calendar, the GAL, and contacts. This additional functionality is provided by SOGo and OpenChange...<br />
<br />
=== SOGo final configuration ===<br />
<br />
==== PostgreSQL ====<br />
<br />
Select a strong password (63 random alphanumeric characters is good) for the sogo user and change it now:<br />
<br />
# su - postgres<br />
$ psql<br />
ALTER USER sogo WITH PASSWORD 'ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT';<br />
\q<br />
<br />
==== SOGo ====<br />
<br />
Create a suitable SOGo configuration file in {{ic|/etc/sogo/sogo.conf}} (replace items in bold with appropriate values):<br />
<br />
{<br />
/* Database Configuration */<br />
SOGoProfileURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_user_profile";<br />
OCSFolderInfoURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_folder_info";<br />
OCSSessionsFolderURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_sessions_folder";<br />
<br />
/* Mail */<br />
SOGoDraftsFolderName = Drafts;<br />
SOGoSentFolderName = Sent;<br />
SOGoTrashFolderName = Trash;<br />
SOGoIMAPServer = localhost;<br />
SOGoSieveServer = sieve://127.0.0.1:4190;<br />
SOGoSMTPServer = 127.0.0.1;<br />
SOGoMailDomain = '''internal'''.'''domain'''.'''tld''';<br />
SOGoMailingMechanism = smtp;<br />
SOGoForceExternalLoginWithEmail = NO;<br />
SOGoMailSpoolPath = /var/spool/sogo;<br />
NGImap4ConnectionStringSeparator = "/";<br />
<br />
/* Notifications */<br />
SOGoAppointmentSendEMailNotifications = NO;<br />
SOGoACLsSendEMailNotifications = NO;<br />
SOGoFoldersSendEMailNotifications = NO;<br />
<br />
/* Authentication */<br />
SOGoPasswordChangeEnabled = YES;<br />
<br />
/* User Authentication */<br />
SOGoUserSources = (<br />
{<br />
type = ldap;<br />
CNFieldName = cn;<br />
IDFieldName = cn;<br />
UIDFieldName = sAMAccountName;<br />
baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindFields = (sAMAccountName);<br />
bindPassword = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''';<br />
canAuthenticate = YES;<br />
displayName = "Active Directory";<br />
hostname = ldap://127.0.0.1:389;<br />
id = directory;<br />
isAddressBook = YES;<br />
}<br />
);<br />
<br />
/* Web Interface */<br />
SOGoPageTitle = SOGo;<br />
SOGoVacationEnabled = YES;<br />
SOGoForwardEnabled = YES;<br />
SOGoSieveScriptsEnabled = YES;<br />
SOGoMailAuxiliaryUserAccountsEnabled = YES;<br />
SOGoTrustProxyAuthentication = NO;<br />
<br />
/* General */<br />
SOGoLanguage = '''English''';<br />
SOGoTimeZone = '''America/Chicago''';<br />
SOGoCalendarDefaultRoles = (<br />
PublicDAndTViewer,<br />
ConfidentialDAndTViewer<br />
);<br />
SOGoSuperUsernames = (administrator);<br />
SxVMemLimit = 384;<br />
//WOPidFile = "/var/run/sogo/sogo.pid";<br />
SOGoMemcachedHost = "/var/run/memcached.sock";<br />
<br />
/* Debug */<br />
//SOGoDebugRequests = YES;<br />
//SoDebugBaseURL = YES;<br />
//ImapDebugEnabled = YES;<br />
//LDAPDebugEnabled = YES;<br />
//PGDebugEnabled = YES;<br />
//MySQL4DebugEnabled = YES;<br />
//SOGoUIxDebugEnabled = YES;<br />
//WODontZipResponse = YES;<br />
//WOLogFile = /var/log/sogo/sogo.log;<br />
<br />
}<br />
<br />
Then issue the following commands:<br />
# chown sogo:sogo /etc/sogo/sogo.conf<br />
# chmod 0600 /etc/sogo/sogo.conf<br />
# rm /etc/sogo/GNUstep/Defaults/sogod.plist<br />
# mkdir /var/spool/sogo<br />
# chown sogo:sogo /var/spool/sogo<br />
# chmod 700 /var/spool/sogo<br />
<br />
Now restart the {{ic|sogo}} service and try it out by visiting http://'''server.internal.domain.tld'''/SOGo/ .<br />
<br />
==== Apache ====<br />
<br />
If all is well with SOGo without SSL, go ahead and enable SSL in httpd (modify paths and filenames as necessary):<br />
<br />
# sed -e '/httpd-ssl.conf/s/#//' \<br />
-e '/modules\/mod_ssl.so/s/#//' \<br />
-e '/mod_socache_shmcb/s/#//' \<br />
-i /etc/httpd/conf/httpd.conf<br />
# sed -e '/^SSLCertificateFile/s@/etc/httpd/conf/server.crt@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.pem@' \<br />
-e '/^SSLCertificateKeyFile/s@/etc/httpd/conf/server.key@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.key@' \<br />
-i /etc/httpd/conf/extra/httpd-ssl.conf<br />
<br />
Now go ahead and edit the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file and uncomment the following lines, edit to suit your site:<br />
<br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "'''mail'''.'''domain'''.'''tld'''"<br />
RequestHeader set "x-webobjects-server-url" "<nowiki>https://</nowiki>'''mail'''.'''domain'''.'''tld'''"<br />
<br />
Restart {{ic|httpd}} service for the changes to take effect.<br />
<br />
Go ahead and go to the regular http page and it should redirect you to the https site.<br />
<br />
=== OpenChange final configuration ===<br />
{{Out of date|Recent versions of Samba have left OCSManager/MAPIProxy in an unusable state. Fortunately, with SOGo-2.2, the new ActiveSync code should eliminate the need for OCSManager with Outlook 2013+.}}<br />
<br />
==== OCSManager ====<br />
<br />
OCSManager is a Python Paste servlet that listens specifically for Autodiscover, EWS, and RPCProxy requests.<br />
Create a backup copy of the {{ic|/etc/ocsmanager/ocsmanager.ini}} file:<br />
<br />
# mv /etc/ocsmanager/ocsmanager.ini{,.bak}<br />
<br />
Set up OCSManager with the {{ic|/etc/ocsmanager/ocsmanager.ini}} file (replace the items in italic type with appropriate values):<br />
<br />
#<br />
# ocsmanager - Pylons configuration<br />
#<br />
# The %(here)s variable will be replaced with the parent directory of this file<br />
#<br />
[DEFAULT]<br />
debug = true<br />
email_to = ''postmaster@domain.tld''<br />
smtp_server = localhost<br />
error_email_from = ''postmaster@domain.tld''<br />
<br />
[main]<br />
auth = ldap<br />
mapistore_root = /var/lib/samba/private<br />
mapistore_data = /var/lib/samba/private/mapistore<br />
debug = yes<br />
<br />
[auth:ldap]<br />
host = ldap://''server.domain.tld''<br />
port = 389<br />
bind_dn = ''CN=ldap,CN=Users,DC=internal,DC=domain,DC=tld''<br />
bind_pw = ''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
#filter = (cn=%s)<br />
#attrs = userPassword, x-isActive<br />
<br />
[server:main]<br />
use = egg:Paste#http<br />
host = ''server.internal.domain.tld''<br />
port = 5000<br />
protocol_version = HTTP/1.1<br />
<br />
[app:main]<br />
use = egg:ocsmanager<br />
full_stack = true<br />
static_files = true<br />
cache_dir = %(here)s/data<br />
beaker.session.key = ocsmanager<br />
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f<br />
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}<br />
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler<br />
SAMBA_HOST = ''server.internal.domain.tld''<br />
<br />
[rpcproxy:ldap]<br />
host = ''server.internal.domain.tld''<br />
port = 389<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
<br />
# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*<br />
# Debug mode will enable the interactive debugging tool, allowing ANYONE to<br />
# execute malicious code after an exception is raised.<br />
set debug = false<br />
<br />
# Logging configuration<br />
[loggers]<br />
keys = root<br />
<br />
[handlers]<br />
keys = console<br />
<br />
[formatters]<br />
keys = generic<br />
<br />
[logger_root]<br />
level = INFO<br />
handlers = console<br />
<br />
[handler_console]<br />
class = StreamHandler<br />
args = (sys.stderr,)<br />
level = NOTSET<br />
formatter = generic<br />
<br />
[formatter_generic]<br />
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s<br />
<br />
Then start and enable {{ic|ocsmanager}} service.<br />
<br />
==== Adding OpenChange MAPIProxy and OCSManager to Apache ====<br />
<br />
This is the part that glues it all together. Add the following to the end of {{ic|/etc/httpd/conf/httpd.conf}} file (or virtual host configuration file):<br />
<br />
LoadModule wsgi_module modules/mod_wsgi.so<br />
include conf/extra/rpcproxy.conf<br />
include conf/extra/ocsmanager-apache.conf<br />
<br />
Now just restart {{ic|httpd}} and {{ic|samba}}. If you have made it this far, and your DNS is configured correctly, you should be able to configure an Outlook client with only an email address, username, and password. For Outlook (or other MAPI clients that support RPC/HTTPS), you need to open only port 443 at the edge. Obviously, you still need to consider additional configuration for Postfix (spam and virus filtering, more restrictive use of SMTPD and SMTP, open ports 25 and 587) if you intend to receive mail from the internet. You will probably also want to move the various HTTPD pieces into virtual hosts, provide redirection on 80 for secure services, etc., but those exercises are covered in great detail elsewhere.</div>Templishttps://wiki.archlinux.org/index.php?title=OpenChange_server&diff=361146OpenChange server2015-02-14T19:21:43Z<p>Templis: /* Initial SOGo configuration */ Add nginx config for subdomaining</p>
<hr />
<div>[[Category:Mail Server]]<br />
{{Related articles start}}<br />
{{Related|Samba}}<br />
{{Related|Samba/Tips and tricks}}<br />
{{Related|Samba/Troubleshooting}}<br />
{{Related|Samba/Advanced file sharing with KDE4}}<br />
{{Related|Samba Domain Controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related|Samba 4 Active Directory Domain Controller}}<br />
{{Related articles end}}<br />
<br />
This article explains how to set up a mail server using OpenChange server, following on from the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] article. Postfix is used for the MTA, Dovecot for the IMAP/POP server, and SOGo for the backend, with all users stored in Samba's Active Directory (the normal Exchange attributes are used throughout).<br />
<br />
== Installation ==<br />
<br />
=== Prerequisites ===<br />
<br />
Install the needed prerequisite packages:<br />
<br />
# pacman -S apache postgresql postfix dovecot mariadb<br />
<br />
Install {{AUR|openchange-server}}, {{AUR|sope}}, {{AUR|sogo}}, {{AUR|sogo-openchange}}, and {{AUR|mysql-python-embedded}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
=== MySQL/MariaDB ===<br />
<br />
Enable MySQL/MariaDB with the following commands and enter mysql as the root user:<br />
<br />
# systemctl enable mysqld.service<br />
# systemctl start mysqld.service<br />
# mysql -u root<br />
<br />
At the mysql prompt, enter the following commands (replace '''OpenchangePW''' with a secure password):<br />
<br />
CREATE DATABASE openchange;<br />
CREATE USER 'openchange'@'localhost' IDENTIFIED BY ''''OpenchangePW'''';<br />
GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchange'@'localhost' WITH GRANT OPTION;<br />
FLUSH PRIVILEGES;<br />
<br />
=== Initial OpenChange configuration ===<br />
<br />
==== Samba ====<br />
<br />
Make a backup copy of your existing Samba configuration:<br />
<br />
# cp /etc/samba/smb.conf{,.bak}<br />
<br />
Append the following lines to "[global]" section of the {{ic|/etc/samba/smb.conf}} file. Be sure to replace '''OpenchangePW''':<br />
<br />
...<br />
# Begin OpenChange Server Configuration<br />
dcerpc endpoint servers = +epmapper, +mapiproxy, +dnsserver<br />
dcerpc_mapiproxy:server = true<br />
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr<br />
mapistore:namedproperties = mysql<br />
namedproperties:mysql_user = openchange<br />
namedproperties:mysql_pass = '''OpenchangePW'''<br />
namedproperties:mysql_host = localhost<br />
namedproperties:mysql_db = openchange<br />
mapistore:indexing_backend = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
mapiproxy:openchangedb = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
# End OpenChange Server Configuration<br />
...<br />
<br />
==== OpenChange ====<br />
<br />
Next, provision the database and create the openchange DB. Once again, replace '''OpenchangePW''':<br />
<br />
# openchange_provision --standalone<br />
# openchange_provision --openchangedb --openchangedb-uri mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
<br />
Enable mail for the first user (we will use administrator):<br />
<br />
# openchange_newuser --create Administrator<br />
<br />
Restart {{ic|samba}}.<br />
<br />
At this point, you should verify that all Samba services are working as expected. Use the tests in the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] guide in addition to testing RPC from a Windows client (simply connect with the RSAT tools or something similar). If all is well, then continue. If not, restore the backup of {{ic|smb.conf}} until you can track down the problem.<br />
<br />
Finally, verify that you can edit user properties. For this, we will use ldbedit, which lets you directly modify user attributes. The relevant attributes are mail and proxyAddresses. The proxyAddresses value labeled SMTP (as opposed to smtp) is the default mail address. If using internal and external domains, you will need to set SMTP to the external address, as this will be the SMTP From address and envelope sender in outgoing messages. Replace ''vim'' in the following command with your preferred editor:<br />
<br />
# LDB_MODULES_PATH="/usr/lib/samba/ldb" ldbedit -e ''vim'' -H /var/lib/samba/private/sam.ldb '(samaccountname=administrator)'<br />
<br />
If you first followed the [[Samba_4_Active_Directory_Domain_Controller| Samba 4 Active Directory Domain Controller]] article, you should see text similar to the following in the editor window (substituting '''internal'''.'''domain'''.'''tld''' with your domain's values):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: SMTP:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
...}}<br />
It is important to change both the '''mail''' attribute (this is what we will use for group expansion), and the primary '''SMTP''' address. Change it to the following (again, substitute appropriate values for '''internal'''.'''domain'''.'''tld''' and '''domain'''.'''tld'''):<br />
<br />
{{bc|1=...<br />
mail: Administrator@'''domain'''.'''tld'''<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: smtp:postmaster@'''domain'''.'''tld'''<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: smtp:Administrator@'''internal'''.'''domain'''.'''tld'''<br />
proxyAddresses: SMTP:administrator@'''domain'''.'''tld'''<br />
...}}<br />
<br />
=== Initial SOGo configuration ===<br />
<br />
==== Apache httpd ====<br />
<br />
Add SOGo to the Apache configuration appending the following lines at the end of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
...<br />
# Include SOGo configuration<br />
include conf/extra/SOGo.conf<br />
<br />
Create the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
<nowiki>Alias /SOGo.woa/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
Alias /SOGo/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
<br />
<Directory /usr/lib/GNUstep/SOGo/><br />
AllowOverride None<br />
<br />
<IfVersion < 2.4><br />
Order deny,allow<br />
Allow from all<br />
</IfVersion><br />
<IfVersion >= 2.4><br />
Require all granted<br />
</IfVersion><br />
<br />
# Explicitly allow caching of static content to avoid browser specific behavior.<br />
# A resource's URL MUST change in order to have the client load the new version.<br />
<IfModule expires_module><br />
ExpiresActive On<br />
ExpiresDefault "access plus 1 year"<br />
</IfModule><br />
</Directory><br />
<br />
## Uncomment the following to enable proxy-side authentication, you will then<br />
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and<br />
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section<br />
## below.<br />
#<Location /SOGo><br />
# AuthType XXX<br />
# Require valid-user<br />
# SetEnv proxy-nokeepalive 1<br />
# Allow from all<br />
#</Location><br />
<br />
ProxyRequests Off<br />
SetEnv proxy-nokeepalive 1<br />
ProxyPreserveHost On<br />
<br />
# When using CAS, you should uncomment this and install cas-proxy-validate.py<br />
# in /usr/lib/cgi-bin to reduce server overloading<br />
#<br />
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py<br />
# <Proxy http://localhost/app/cas-proxy-validate.py><br />
# Order deny,allow<br />
# Allow from your-cas-host-addr<br />
# </Proxy><br />
<br />
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0<br />
<br />
# Enable to use Microsoft ActiveSync support<br />
# Note that you MUST have many sogod workers to use ActiveSync.<br />
# See the SOGo Installation and Configuration guide for more details.<br />
#<br />
#ProxyPass /Microsoft-Server-ActiveSync \<br />
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \<br />
# retry=60 connectiontimeout=5 timeout=360<br />
<br />
<Proxy http://127.0.0.1:20000/SOGo><br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
RequestHeader set "x-webobjects-server-url" "https://</nowiki>'''mail'''.'''domain'''.'''tld'''<nowiki>"<br />
<br />
## When using proxy-side autentication, you need to uncomment and<br />
## adjust the following line:<br />
# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"<br />
<br />
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"<br />
<br />
AddDefaultCharset UTF-8<br />
<br />
Order allow,deny<br />
Allow from all<br />
</Proxy><br />
<br />
# For Apple autoconfiguration<br />
<IfModule rewrite_module><br />
RewriteEngine On<br />
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]<br />
</IfModule></nowiki><br />
<br />
Create the state directory and start services:<br />
<br />
# mkdir /var/run/sogo<br />
# chown sogo:sogo /var/run/sogo<br />
<br />
Then enable and start the {{ic|sogo}} and {{ic|httpd}} services.<br />
<br />
Open a browser and go to http://server.internal.domain.tld/SOGo/ but do not try to log in just yet; just verify that you can connect and get the login screen.<br />
<br />
<br />
==== NGinX httpd ====<br />
<br />
I've added this to my {{ic|/etc/nginx/nginx.conf}}:<br />
<br />
server {<br />
listen 443;<br />
root /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
server_name sogo.domain.tld;<br />
server_tokens off;<br />
client_max_body_size 100M;<br />
index index.php index.html index.htm;<br />
autoindex off;<br />
ssl on;<br />
ssl_certificate /path/to/your/certfile; #eg. /etc/ssl/certs/keyfile.crt<br />
ssl_certificate_key /path/to/your/keyfile; #eg /etc/ssl/private/keyfile.key<br />
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
ssl_session_cache shared:SSL:10m;<br />
#optional ssl_stapling on;<br />
#optional ssl_stapling_verify on;<br />
#optional ssl_trusted_certificate /etc/ssl/private/cacert-stapeling.pem; <br />
#optional resolver 8.8.4.4 8.8.8.8 valid=300s;<br />
#optional resolver_timeout 10s;<br />
ssl_prefer_server_ciphers on;<br />
#optional ssl_dhparam /etc/ssl/certs/dhparam.pem;<br />
#optional add_header Strict-Transport-Security max-age=63072000;<br />
#optional add_header X-Frame-Options DENY;<br />
#optional add_header X-Content-Type-Options nosniff;<br />
location = / {<br />
rewrite ^ https://$server_name/SOGo;<br />
allow all;<br />
}<br />
location = /principals/ {<br />
rewrite ^ https://$server_name/SOGo/dav;<br />
allow all;<br />
}<br />
location ^~/SOGo {<br />
proxy_pass http://127.0.0.1:20000;<br />
proxy_redirect http://127.0.0.1:20000 default;<br />
# forward user's IP address<br />
proxy_set_header X-Real-IP $remote_addr;<br />
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<br />
proxy_set_header Host $host;<br />
proxy_set_header x-webobjects-server-protocol HTTP/1.0;<br />
proxy_set_header x-webobjects-remote-host 127.0.0.1;<br />
proxy_set_header x-webobjects-server-name $server_name;<br />
proxy_set_header x-webobjects-server-url $scheme://$host;<br />
proxy_connect_timeout 90;<br />
proxy_send_timeout 90;<br />
proxy_read_timeout 90;<br />
proxy_buffer_size 4k;<br />
proxy_buffers 4 32k;<br />
proxy_busy_buffers_size 64k;<br />
proxy_temp_file_write_size 64k;<br />
client_max_body_size 50m;<br />
client_body_buffer_size 128k;<br />
break;<br />
}<br />
location /SOGo.woa/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
location /SOGo/WebServerResources/ {<br />
alias /usr/lib/GNUstep/SOGo/WebServerResources/;<br />
allow all;<br />
}<br />
# regex locations need the "~" modifier, and alias can only use $1/$2 if the pattern captures them<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
location ~ ^/SOGo/so/ControlPanel/Products/([^/]*UI)/Resources/(.*\.(jpg|png|gif|css|js))$ {<br />
alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;<br />
}<br />
}<br />
<br />
<br />
==== PostgreSQL ====<br />
<br />
Initialize the default database and start PostgreSQL (be sure to replace '''en_US.UTF-8''' with the correct locale for your installation):<br />
<br />
# mkdir -p /var/lib/postgres/data<br />
# chown -R postgres:postgres /var/lib/postgres<br />
# su - postgres -c "initdb --locale '''en_US.UTF-8''' -D '/var/lib/postgres/data'"<br />
Then start and enable the {{ic|postgresql}} service.<br />
<br />
Create the sogo user and the sogo DB for PostgreSQL (do not select a strong password for the sogo user, just use "sogo" for simplicity. This is temporary and we will change it later):<br />
<br />
# su - postgres<br />
$ createuser --no-superuser --no-createdb --no-createrole --encrypted --pwprompt sogo<br />
$ createdb -O sogo sogo<br />
<br />
Edit the access configuration for the openchange DB:<br />
<br />
# cp /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
# sed \<br />
's/D$/D\n\n#Configuration for OpenChange/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# sed \<br />
's/ange$/ange\nhost\topenchange\topenchange\t127.0.0.1\/32\t\tmd5/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# chown postgres:postgres /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
<br />
Restart the {{ic|postgresql}} service.<br />
<br />
==== SOGo ====<br />
<br />
Configure SOGo defaults with the following commands (be certain to replace '''REGION/LOCALITY''', '''SAMBAADMINPASSWORD''', and dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values):<br />
<br />
# su - sogo -s /bin/bash<br />
$ defaults write sogod SOGoTimeZone "'''REGION/LOCALITY'''"<br />
$ defaults write sogod OCSFolderInfoURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"<br />
$ defaults write sogod SOGoProfileURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"<br />
$ defaults write sogod OCSSessionsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"<br />
$ defaults write sogod OCSEMailAlarmsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_alarm_folder"<br />
$ defaults write sogod SOGoUserSources '({CNFieldName = displayName; IDFieldName = cn; UIDFieldName = sAMAccountName; IMAPHostFieldName =; baseDN = "cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindDN = "cn=Administrator,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''"; bindPassword = "'''SAMBAADMINPASSWORD'''"; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = "localhost"; id = public; isAddressBook = YES; port = 389;})'<br />
$ defaults write sogod WONoDetach NO<br />
$ defaults write sogod WOLogFile /var/log/sogo/sogo.log<br />
$ defaults write sogod WOPidFile /var/run/sogo/sogo.pid<br />
$ exit<br />
<br />
Next, edit the sogo configuration file, {{ic|/etc/httpd/conf/extra/SOGo.conf}}, and comment out the following lines for testing (until your SSL certs are in place and configuration is complete):<br />
<br />
{{bc|<br />
## adjust the following to your configuration<br />
# RequestHeader set "x-webobjects-server-port" "443"<br />
# RequestHeader set "x-webobjects-server-name" "yourhostname"<br />
# RequestHeader set "x-webobjects-server-url" "<nowiki>https://yourhostname</nowiki>"<br />
}}<br />
<br />
Give the root user the GNUstep configuration for the sogo user (the directory is {{ic|/etc/sogo/GNUstep}}, the same one {{ic|sogod.plist}} lives in):<br />
<br />
# ln -s /etc/sogo/GNUstep /root/GNUstep<br />
<br />
=== Initial Postfix configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a minimal Postfix configuration (replace '''server'''.'''internal'''.'''domain.tld''' with a valid internal FQDN):<br />
<br />
# postconf -e myhostname='''server'''.'''internal'''.'''domain.tld'''<br />
# postconf -e mydestination=localhost<br />
<br />
If this server will be accessible from the internet, set the HELO/EHLO values to match the FQDN as seen from the internet (replace '''mail'''.'''domain'''.'''tld'''):<br />
<br />
# postconf -e smtp_helo_name='''mail'''.'''domain'''.'''tld'''<br />
# postconf -e smtpd_banner='$smtp_helo_name ESMTP $mail_name'<br />
<br />
Enable and start {{ic|postfix}}.<br />
<br />
==== Virtual user configuration ====<br />
<br />
Create a vmail user and set up Postfix to use it:<br />
<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
# chmod 750 /home/vmail<br />
# postconf -e virtual_minimum_uid=5000<br />
# postconf -e virtual_uid_maps=static:5000<br />
# postconf -e virtual_gid_maps=static:5000<br />
# postconf -e virtual_mailbox_base=/home/vmail<br />
# postfix reload<br />
<br />
==== LDAP configuration ====<br />
<br />
Next we need to tell Postfix how to look up users. To do this, you will need to create an unprivileged user for LDAP lookups (select a suitably strong password; 63 mixed-case alphanumeric characters should be good):<br />
<br />
# samba-tool user create ldap --description="Unprivileged user for LDAP lookups"<br />
<br />
Now, create the LDAP alias and group maps for Postfix by pasting the following lines into the file {{ic|/etc/postfix/ldap-alias.cf}} as root (replace dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values and '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''' with a random password of your choosing):<br />
<br />
# Directory settings<br />
server_host = 127.0.0.1<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = sub<br />
version = 3<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
result_attribute = samaccountname<br />
result_format = %s@'''internal'''.'''domain'''.'''tld'''<br />
<br />
Create the group map:<br />
<br />
# sed -e '/^query/d' \<br />
-e '/^result/d' \<br />
/etc/postfix/ldap-alias.cf > /etc/postfix/ldap-group.cf<br />
<br />
Append the following lines to the newly created {{ic|/etc/postfix/ldap-group.cf}} (in the #Filter section):<br />
<br />
query_filter = (&(objectclass=group)(mail=%s))<br />
special_result_attribute = member<br />
leaf_result_attribute = mail<br />
<br />
Set the permissions:<br />
<br />
# chmod 0600 /etc/postfix/ldap-{alias,group}.cf<br />
<br />
Next, test the lookup maps for users (groups have not yet been created; substitute '''internal'''.'''domain'''.'''tld'''):<br />
<br />
# postmap -q administrator@'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
# postmap -q administrator@'''internal'''.'''domain'''.'''tld''' ldap:/etc/postfix/ldap-alias.cf<br />
<br />
You should receive the following output for both commands:<br />
<br />
Administrator@internal.domain.tld<br />
<br />
Append any other hosted domains to the first command below, add the maps, and then reload the Postfix configuration (again replacing domain values):<br />
<br />
# postconf -e virtual_mailbox_domains="'''domain'''.'''tld''', '''internal'''.'''domain'''.'''tld'''"<br />
# postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-group.cf"<br />
# postfix reload<br />
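The two maps above resolve recipients through the directory entries edited earlier with ldbedit. The following added example (not code from the article or from Postfix) models those lookups offline against a constructed copy of the entries and also checks the mail/primary-SMTP rule from the OpenChange section; INTERNAL_DOMAIN, the DNs and the jdoe/staff entries are constructed values:<br />

```python
"""Offline model of the Postfix LDAP lookups configured above, run against a
constructed in-memory copy of the AD entries. Example code for this section,
not part of the ArchWiki article or of Postfix."""
from __future__ import annotations

# Assumption: the internal domain used by result_format in ldap-alias.cf.
INTERNAL_DOMAIN = "internal.domain.tld"

ADMIN_DN = "CN=Administrator,CN=Users,DC=internal,DC=domain,DC=tld"
JDOE_DN = "CN=jdoe,CN=Users,DC=internal,DC=domain,DC=tld"
STAFF_DN = "CN=staff,CN=Users,DC=internal,DC=domain,DC=tld"

# Constructed entries in the shape ldbedit showed; AD matches proxyAddresses
# case-insensitively, and exactly one value per user carries the upper-case
# "SMTP:" primary address.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    ADMIN_DN: {
        "objectclass": ["person"],
        "samaccountname": ["Administrator"],
        "mail": ["Administrator@domain.tld"],
        "proxyAddresses": [
            "smtp:postmaster@internal.domain.tld",
            "smtp:postmaster@domain.tld",
            "smtp:Administrator@internal.domain.tld",
            "SMTP:administrator@domain.tld",
        ],
    },
    JDOE_DN: {
        "objectclass": ["person"],
        "samaccountname": ["jdoe"],
        "mail": ["jdoe@domain.tld"],
        "proxyAddresses": ["SMTP:jdoe@domain.tld", "smtp:jdoe@internal.domain.tld"],
    },
    STAFF_DN: {
        "objectclass": ["group"],
        "mail": ["staff@domain.tld"],
        "member": [ADMIN_DN, JDOE_DN],
    },
}


def check_primary_smtp(entry: dict[str, list[str]]) -> list[str]:
    """Report violations of the rule from the OpenChange section: exactly one
    upper-case SMTP: primary address, and the mail attribute (which the group
    map expands) must match it."""
    primaries = [a[5:] for a in entry.get("proxyAddresses", []) if a.startswith("SMTP:")]
    problems = []
    if len(primaries) != 1:
        problems.append(f"expected one SMTP: primary address, found {len(primaries)}")
    mail = entry.get("mail", [""])[0]
    if primaries and mail.lower() != primaries[0].lower():
        problems.append(f"mail {mail!r} does not match primary SMTP address {primaries[0]!r}")
    return problems


def alias_lookup(address: str) -> str | None:
    """ldap-alias.cf: query_filter (&(objectclass=person)(proxyAddresses=smtp:%s)),
    result_attribute samaccountname, result_format %s@internal.domain.tld."""
    needle = f"smtp:{address}".lower()
    for entry in DIRECTORY.values():
        if "person" not in entry["objectclass"]:
            continue
        if any(a.lower() == needle for a in entry.get("proxyAddresses", [])):
            return f"{entry['samaccountname'][0]}@{INTERNAL_DOMAIN}"
    return None


def group_lookup(address: str, _seen: frozenset[str] = frozenset()) -> list[str]:
    """ldap-group.cf: query_filter (&(objectclass=group)(mail=%s)); every DN in the
    special_result_attribute member is fetched and its leaf_result_attribute mail
    returned. Nested groups are expanded recursively, with a loop guard."""
    results: list[str] = []
    for dn, entry in DIRECTORY.items():
        if "group" not in entry["objectclass"] or dn in _seen:
            continue
        if not any(m.lower() == address.lower() for m in entry.get("mail", [])):
            continue
        for member_dn in entry.get("member", []):
            member = DIRECTORY.get(member_dn)
            if member is None:
                continue
            if "group" in member["objectclass"]:
                results.extend(group_lookup(member["mail"][0], _seen | {dn}))
            else:
                results.extend(member.get("mail", []))
    return results


def resolve(address: str, depth: int = 0) -> list[str]:
    """Emulate virtual_alias_maps = ldap-alias.cf, ldap-group.cf: the first map that
    answers wins, and Postfix re-resolves each result until it stops changing, so
    a group's member mail values end up as internal mailbox addresses."""
    if depth > 10:  # Postfix also caps alias recursion
        return [address]
    hit = alias_lookup(address)
    if hit is not None:
        return [hit] if hit.lower() == address.lower() else resolve(hit, depth + 1)
    members = group_lookup(address)
    if not members:
        return [address]  # no map entry: left unchanged (virtual_mailbox_* decides)
    out: list[str] = []
    for m in members:
        out.extend(resolve(m, depth + 1))
    return sorted(set(out), key=str.lower)


if __name__ == "__main__":
    for addr in ("administrator@domain.tld", "administrator@internal.domain.tld", "staff@domain.tld"):
        print(addr, "->", resolve(addr))
    print("Administrator entry problems:", check_primary_smtp(DIRECTORY[ADMIN_DN]))
```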
<br />
At this point, Dovecot will need to be configured before completing the Postfix configuration, as Dovecot SASL and LMTP will be used for authentication and delivery (respectively).<br />
<br />
=== Dovecot configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a very basic dovecot configuration:<br />
<br />
# cp /etc/dovecot/dovecot.conf{.sample,}<br />
# chown root:root /etc/dovecot/dovecot.conf<br />
<br />
Then create the file {{ic|/etc/dovecot/conf.d/local.conf}} with this content:<br />
<br />
auth_mechanisms = plain login<br />
disable_plaintext_auth = no<br />
ssl = no<br />
auth_username_format = %n<br />
mail_location = /home/vmail/%Lu/Maildir<br />
<br />
Enable and start {{ic|dovecot}}.<br />
<br />
==== LDAP configuration ====<br />
<br />
Add the LDAP lookup configuration {{ic|/etc/dovecot/conf.d/ldap.conf}}:<br />
<br />
passdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-passdb.conf<br />
}<br />
userdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-userdb.conf<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/ldap.conf<br />
# chown root:root /etc/dovecot/conf.d/ldap.conf<br />
<br />
Create the LDAP user and password configuration files (replace dc='''internal''',dc='''domain''',dc='''tld''' and '''INTERNAL''' with appropriate values):<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-passdb.conf}}<br />
hosts = localhost<br />
auth_bind = yes<br />
auth_bind_userdn = '''INTERNAL'''\%u<br />
ldap_version = 3<br />
base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = subtree<br />
deref = never<br />
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-userdb.conf}}<br />
hosts = localhost<br />
dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
dnpass = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
ldap_version = 3<br />
# The base must be cn=Users for OpenChange ATM...future<br />
base = cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
user_attrs = =uid=5000,=gid=5000,=home=/home/vmail/%Lu,=mail=maildir:/home/vmail/%Lu/Maildir/<br />
user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
# Attributes and filter to get a list of all users<br />
iterate_attrs = sAMAccountName=user<br />
iterate_filter = (objectClass=person)<br />
<br />
Set permissions:<br />
# chown root:root /etc/dovecot/dovecot-ldap-{pass,user}db.conf<br />
# chmod 0600 /etc/dovecot/dovecot-ldap-userdb.conf<br />
# chmod 0644 /etc/dovecot/dovecot-ldap-passdb.conf<br />
<br />
Create the SASL configuration {{ic|/etc/dovecot/conf.d/sasl.conf}}:<br />
<br />
service auth {<br />
unix_listener /var/spool/postfix/private/auth {<br />
mode = 0660<br />
user = postfix<br />
group = postfix<br />
}<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/sasl.conf<br />
# chown root:root /etc/dovecot/conf.d/sasl.conf<br />
<br />
Reload Dovecot for the configuration to take effect:<br />
<br />
# dovecot reload<br />
<br />
==== Testing Dovecot authentication ====<br />
<br />
Open a ''telnet'' session and test (commands you enter are in bold, replace ''xxxxxxxx'' with your real password):<br />
<br />
'''telnet localhost 143'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br />
'''a LOGIN Administrator xxxxxxxx'''<br />
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in<br />
'''a LOGOUT'''<br />
* BYE Logging out<br />
. OK Logout completed.<br />
Connection closed by foreign host.<br />
<br />
If you have received anything other than OK, go back and double check your configuration before continuing.<br />
<br />
==== LMTP configuration ====<br />
<br />
Create the LMTP configuration file {{ic|/etc/dovecot/conf.d/lmtp.conf}}:<br />
<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@'''domain'''.'''tld'''<br />
}<br />
<br />
# chmod 0644 /etc/dovecot/conf.d/lmtp.conf<br />
# dovecot reload<br />
<br />
==== TLS configuration ====<br />
<br />
Put your certificate files into place and create the TLS configuration file {{ic|/etc/dovecot/conf.d/tls.conf}} (adjust paths and names as necessary). The key file should be owned by root with 0400 permissions. Any intermediate certificates should be concatenated after the public certificate:<br />
<br />
ssl = yes<br />
ssl_cert = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.pem<br />
ssl_key = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key<br />
<br />
# chmod 644 /etc/dovecot/conf.d/tls.conf<br />
<br />
Remove the earlier explicitly defined values from {{ic|local.conf}} and reload Dovecot:<br />
<br />
# sed -e '/^ssl/d' -e '/disable_plaintext/s/no/yes/' \<br />
-i /etc/dovecot/conf.d/local.conf<br />
# dovecot reload<br />
<br />
=== Postfix final configuration ===<br />
<br />
==== SASL configuration ====<br />
<br />
Modify the default smtpd instance:<br />
<br />
# postconf -e smtpd_sasl_type=dovecot<br />
# postconf -e smtpd_sasl_path=private/auth<br />
# postconf -e smtpd_sasl_auth_enable=yes<br />
# postconf -e smtpd_relay_restrictions="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"<br />
<br />
==== LMTP configuration ====<br />
<br />
Use dovecot LMTP for delivery:<br />
<br />
# postconf -e virtual_transport=lmtp:unix:private/dovecot-lmtp<br />
<br />
==== TLS configuration ====<br />
<br />
If you intend to use STARTTLS (as you should), enable the mail submission port and restrict it to authenticated clients. Edit the following lines in {{ic|/etc/postfix/master.cf}} (replace '''internal.domain.tld'''):<br />
<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_sasl_type=dovecot<br />
-o smtpd_sasl_path=private/auth<br />
-o smtpd_sasl_security_options=noanonymous<br />
-o smtpd_client_restrictions=permit_sasl_authenticated,reject<br />
-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf<br />
-o smtpd_sender_restrictions=reject_sender_login_mismatch<br />
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br />
<br />
Add your certificates. If you intend to chroot Postfix (not discussed in this guide, see here), these need to be placed in the Postfix configuration directory rather than the default /etc/ssl/private directory. Additionally, any intermediate certificates should be concatenated with the public certificate first in the chain, and the key file should be owned by root with permission mode 0400:<br />
<br />
# postconf -e smtpd_tls_key_file=/etc/postfix/ssl/'''mail.domain.tld.key'''<br />
# postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/'''mail.domain.tld.pem'''<br />
<br />
Create a map to verify addresses to authenticated users {{ic|/etc/postfix/ldap-sender.cf}}:<br />
<br />
# Directory settings<br />
server_host = localhost<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
version = 3<br />
scope = sub<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
leaf_result_attribute = proxyAddresses<br />
result_attribute = sAMAccountName<br />
<br />
Set permissions:<br />
# chown root:root /etc/postfix/ldap-sender.cf<br />
# chmod 0640 /etc/postfix/ldap-sender.cf<br />
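As an added illustration (not the article's or Postfix's own code), the following Python models what this map does once {{ic|reject_sender_login_mismatch}} is active on the submission port: the sender address is escaped and substituted for {{ic|%s}}, the owning accounts are looked up by {{ic|proxyAddresses}}, and the SASL login name is compared against them. The directory entries are constructed sample data that follow the {{ic|SMTP:}}/{{ic|smtp:}} layout used in the ldbedit step of this article; case-insensitive matching of {{ic|proxyAddresses}} and of login names is an assumption of the model.<br />

```python
"""Offline model of smtpd_sender_login_maps (ldap-sender.cf) combined with
reject_sender_login_mismatch. Added example, not the article's or Postfix's
own code; the directory below is constructed sample data."""

# Constructed sample directory: sAMAccountName -> proxyAddresses values.
# 'SMTP:' (upper case) marks the primary address, 'smtp:' entries are aliases,
# mirroring the ldbedit layout used elsewhere in this article.
SAMPLE_DIRECTORY = {
    "Administrator": [
        "SMTP:administrator@domain.tld",
        "smtp:Administrator@internal.domain.tld",
        "smtp:postmaster@domain.tld",
        "smtp:postmaster@internal.domain.tld",
    ],
    "jdoe": ["SMTP:jdoe@domain.tld"],
}

# RFC 4515 (formerly RFC 2254) escaping for values placed in a search filter.
# Postfix's ldap_table applies this to %s; it is reproduced here so that a
# MAIL FROM such as '*)(cn=*' cannot change the meaning of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape one value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_query_filter(sender):
    """The query_filter from ldap-sender.cf with %s substituted."""
    return f"(&(objectclass=person)(proxyAddresses=smtp:{escape_filter_value(sender)}))"


def lookup_sender_owners(sender, directory=SAMPLE_DIRECTORY):
    """Return the sAMAccountNames whose proxyAddresses contain 'smtp:<sender>'.
    AD compares proxyAddresses case-insensitively, so the lower-case 'smtp:'
    in the filter also matches the primary 'SMTP:' entry; this model assumes
    the same and compares with casefold()."""
    wanted = f"smtp:{sender}".casefold()
    return [
        account
        for account, addresses in directory.items()
        if any(addr.casefold() == wanted for addr in addresses)
    ]


def sender_login_mismatch(sasl_login, mail_from, directory=SAMPLE_DIRECTORY):
    """True when reject_sender_login_mismatch would reject the MAIL FROM:
    - the address has an owner but the client is not logged in as one, or
    - the client is logged in but its login name owns no such address.
    sasl_login is None for a client that did not authenticate.
    Login names are compared case-insensitively here (an assumption)."""
    owners = [owner.casefold() for owner in lookup_sender_owners(mail_from, directory)]
    if sasl_login is None:
        return bool(owners)
    return sasl_login.casefold() not in owners


if __name__ == "__main__":
    print(build_query_filter("administrator@domain.tld"))
    print(lookup_sender_owners("postmaster@domain.tld"))
    # An authenticated 'jdoe' trying to send as the administrator is rejected.
    print(sender_login_mismatch("jdoe", "administrator@domain.tld"))
```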
<br />
If you would like to enable TLS on the default SMTP port, you should make it optional. If you make it required, you will not be able to receive mail from many hosts on the internet.<br />
<br />
# postconf -e smtpd_tls_security_level=may<br />
<br />
Reload postfix to apply the configuration changes:<br />
<br />
# postfix reload<br />
<br />
==== Testing the Postfix SASL configuration ====<br />
<br />
Begin by getting a base64 encoded version of your username and password (replace '''xxxxxxxx''' with your real password):<br />
<br />
$ echo -ne '\000Administrator\000'''xxxxxxxx'''' | openssl base64<br />
<br />
You should receive output similar to the following:<br />
<br />
AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=<br />
<br />
Now, open a ''telnet'' session and test (commands you enter are in bold, replace '''host.domain.tld''' with your real external FQDN and '''AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=''' with the result of the previous command):<br />
<br />
$ '''telnet localhost 25'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 host.domain.tld ESMTP Postfix<br />
'''ehlo host.domain.tld'''<br />
250-mail.lucasit.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH PLAIN LOGIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
'''AUTH PLAIN AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg='''<br />
235 2.7.0 Authentication successful<br />
'''quit'''<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
<br />
If you have gotten anything other than a 235 message, something is wrong and you should troubleshoot now rather than later.<br />
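The two telnet sessions above (the Dovecot IMAP LOGIN test and the Postfix AUTH PLAIN test) can also be scripted so they are easy to re-run after every configuration change. The following Python is an added example, not part of the article: host, port and credentials are placeholders, and the sample EHLO lines are constructed from the transcript above with the host name replaced.<br />

```python
"""Scripted re-run of the Dovecot IMAP and Postfix SASL login tests.
Added example (not the article's code); hosts and credentials are placeholders."""
import base64
import imaplib
import smtplib

# Constructed sample: the EHLO reply from the transcript above, with the
# server's host name replaced by a placeholder.
SAMPLE_EHLO = [
    "250-mail.domain.tld",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-VRFY",
    "250-ETRN",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]


def sasl_plain_initial_response(username, password, authzid=""):
    """base64(authzid NUL authcid NUL password): the SASL PLAIN initial
    response (RFC 4616). Equivalent to the 'echo -ne ... | openssl base64'
    step above, which uses an empty authorization identity."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_ehlo(lines):
    """Parse a multi-line EHLO reply into {KEYWORD: [parameters]}.
    '250-' lines continue the reply and '250 ' (space) ends it; the first
    line carries the server name and is skipped. Raises ValueError on any
    line that is not a 250 reply."""
    caps = {}
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index > 0:
            keyword, _, params = line[4:].partition(" ")
            caps[keyword.upper()] = params.split()
        if line[3] == " ":
            break
    return caps


def check_imap_login(host, port, username, password):
    """Mirror the IMAP test: LOGIN then LOGOUT; True on 'OK ... Logged in'.
    With disable_plaintext_auth=yes Dovecot only accepts LOGIN without TLS
    from localhost, so run this on the server itself or use IMAP4_SSL."""
    conn = imaplib.IMAP4(host, port)
    try:
        conn.login(username, password)  # raises IMAP4.error on a NO reply
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        conn.logout()


def check_smtp_auth(host, port, username, password, tls_context=None):
    """Mirror the SMTP test: EHLO, STARTTLS when offered, EHLO again, then
    AUTH PLAIN with the initial response. Returns (capabilities, ok) where
    ok means the server answered 235. Pass an ssl.SSLContext that trusts
    your CA as tls_context; the default verifies against the system store."""
    smtp = smtplib.SMTP(host, port)
    try:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=tls_context)
            smtp.ehlo()  # the capability list can change after TLS
        response = sasl_plain_initial_response(username, password)
        code, _ = smtp.docmd("AUTH", "PLAIN " + response)
        return dict(smtp.esmtp_features), code == 235
    finally:
        smtp.quit()


if __name__ == "__main__":
    print(sasl_plain_initial_response("Administrator", "xxxxxxxx"))
    print(parse_ehlo(SAMPLE_EHLO))
```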
<br />
At this point, you have a fully functional mail server, though you will probably want to lock it down a bit tighter (which is not covered in this article). You could easily stop now and use any mail client you wish; however, you would miss out on the fun of Outlook, RPC/HTTPS, calendar, the GAL, and contacts. This additional functionality is provided by SOGo and OpenChange...<br />
<br />
=== SOGo final configuration ===<br />
<br />
==== PostgreSQL ====<br />
<br />
Select a strong password (63 random alphanumeric characters is good) for the sogo user and change it now:<br />
<br />
# su - postgres<br />
$ psql<br />
ALTER USER sogo WITH PASSWORD 'ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT';<br />
\q<br />
<br />
==== SOGo ====<br />
<br />
Create a suitable SOGo configuration file in {{ic|/etc/sogo/sogo.conf}} (replace items in bold with appropriate values):<br />
<br />
{<br />
/* Database Configuration */<br />
SOGoProfileURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_user_profile";<br />
OCSFolderInfoURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_folder_info";<br />
OCSSessionsFolderURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_sessions_folder";<br />
<br />
/* Mail */<br />
SOGoDraftsFolderName = Drafts;<br />
SOGoSentFolderName = Sent;<br />
SOGoTrashFolderName = Trash;<br />
SOGoIMAPServer = localhost;<br />
SOGoSieveServer = sieve://127.0.0.1:4190;<br />
SOGoSMTPServer = 127.0.0.1;<br />
SOGoMailDomain = '''internal'''.'''domain'''.'''tld''';<br />
SOGoMailingMechanism = smtp;<br />
SOGoForceExternalLoginWithEmail = NO;<br />
SOGoMailSpoolPath = /var/spool/sogo;<br />
NGImap4ConnectionStringSeparator = "/";<br />
<br />
/* Notifications */<br />
SOGoAppointmentSendEMailNotifications = NO;<br />
SOGoACLsSendEMailNotifications = NO;<br />
SOGoFoldersSendEMailNotifications = NO;<br />
<br />
/* Authentication */<br />
SOGoPasswordChangeEnabled = YES;<br />
<br />
/* User Authentication */<br />
SOGoUserSources = (<br />
{<br />
type = ldap;<br />
CNFieldName = cn;<br />
IDFieldName = cn;<br />
UIDFieldName = sAMAccountName;<br />
baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindFields = (sAMAccountName);<br />
bindPassword = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''';<br />
canAuthenticate = YES;<br />
displayName = "Active Directory";<br />
hostname = ldap://127.0.0.1:389;<br />
id = directory;<br />
isAddressBook = YES;<br />
}<br />
);<br />
<br />
/* Web Interface */<br />
SOGoPageTitle = SOGo;<br />
SOGoVacationEnabled = YES;<br />
SOGoForwardEnabled = YES;<br />
SOGoSieveScriptsEnabled = YES;<br />
SOGoMailAuxiliaryUserAccountsEnabled = YES;<br />
SOGoTrustProxyAuthentication = NO;<br />
<br />
/* General */<br />
SOGoLanguage = '''English''';<br />
SOGoTimeZone = '''America/Chicago''';<br />
SOGoCalendarDefaultRoles = (<br />
PublicDAndTViewer,<br />
ConfidentialDAndTViewer<br />
);<br />
SOGoSuperUsernames = (administrator);<br />
SxVMemLimit = 384;<br />
//WOPidFile = "/var/run/sogo/sogo.pid";<br />
SOGoMemcachedHost = "/var/run/memcached.sock";<br />
<br />
/* Debug */<br />
//SOGoDebugRequests = YES;<br />
//SoDebugBaseURL = YES;<br />
//ImapDebugEnabled = YES;<br />
//LDAPDebugEnabled = YES;<br />
//PGDebugEnabled = YES;<br />
//MySQL4DebugEnabled = YES;<br />
//SOGoUIxDebugEnabled = YES;<br />
//WODontZipResponse = YES;<br />
//WOLogFile = /var/log/sogo/sogo.log;<br />
<br />
}<br />
<br />
Then issue the following commands:<br />
# chown sogo:sogo /etc/sogo/sogo.conf<br />
# chmod 0600 /etc/sogo/sogo.conf<br />
# rm /etc/sogo/GNUstep/Defaults/sogod.plist<br />
# mkdir /var/spool/sogo<br />
# chown sogo:sogo /var/spool/sogo<br />
# chmod 700 /var/spool/sogo<br />
<br />
Now restart the {{ic|sogo}} service and try it out by visiting http://'''server.internal.domain.tld'''/SOGo/ .<br />
<br />
==== Apache ====<br />
<br />
If all is well with SOGo without SSL, go ahead and enable SSL in httpd (modify paths and filenames as necessary):<br />
<br />
# sed -e '/httpd-ssl.conf/s/#//' \<br />
-e '/modules\/mod_ssl.so/s/#//' \<br />
-e '/mod_socache_shmcb/s/#//' \<br />
-i /etc/httpd/conf/httpd.conf<br />
# sed -e '/^SSLCertificateFile/s@/etc/httpd/conf/server.crt@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.pem@' \<br />
-e '/^SSLCertificateKeyFile/s@/etc/httpd/conf/server.key@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.key@' \<br />
-i /etc/httpd/conf/extra/httpd-ssl.conf<br />
<br />
Now go ahead and edit the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file, uncomment the following lines and edit them to suit your site:<br />
<br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "'''mail'''.'''domain'''.'''tld'''"<br />
RequestHeader set "x-webobjects-server-url" "<nowiki>https://</nowiki>'''mail'''.'''domain'''.'''tld'''"<br />
<br />
Restart {{ic|httpd}} service for the changes to take effect.<br />
<br />
Go ahead and go to the regular http page and it should redirect you to the https site.<br />
<br />
=== OpenChange final configuration ===<br />
{{Out of date|Recent versions of Samba have left OCSManager/MAPIProxy in an unusable state. Fortunately, with SOGo-2.2, the new ActiveSync code should eliminate the need for OCSManager with Outlook 2013+.}}<br />
<br />
==== OCSManager ====<br />
<br />
OCSManager is a Python Paste servlet that listens specifically for autodiscover, EWS, and RPCProxy requests.<br />
Create a backup copy of the {{ic|/etc/ocsmanager/ocsmanager.ini}} file:<br />
<br />
# mv /etc/ocsmanager/ocsmanager.ini{,.bak}<br />
<br />
Set up OCSManager with the {{ic|/etc/ocsmanager/ocsmanager.ini}} file (replace the items in italic type with appropriate values):<br />
<br />
#<br />
# ocsmanager - Pylons configuration<br />
#<br />
# The %(here)s variable will be replaced with the parent directory of this file<br />
#<br />
[DEFAULT]<br />
debug = true<br />
email_to = ''postmaster@domain.tld''<br />
smtp_server = localhost<br />
error_email_from = ''postmaster@domain.tld''<br />
<br />
[main]<br />
auth = ldap<br />
mapistore_root = /var/lib/samba/private<br />
mapistore_data = /var/lib/samba/private/mapistore<br />
debug = yes<br />
<br />
[auth:ldap]<br />
host = ldap://''server.domain.tld''<br />
port = 389<br />
bind_dn = ''CN=ldap,CN=Users,DC=internal,DC=domain,DC=tld''<br />
bind_pw = ''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
#filter = (cn=%s)<br />
#attrs = userPassword, x-isActive<br />
<br />
[server:main]<br />
use = egg:Paste#http<br />
host = ''server.internal.domain.tld''<br />
port = 5000<br />
protocol_version = HTTP/1.1<br />
<br />
[app:main]<br />
use = egg:ocsmanager<br />
full_stack = true<br />
static_files = true<br />
cache_dir = %(here)s/data<br />
beaker.session.key = ocsmanager<br />
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f<br />
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}<br />
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler<br />
SAMBA_HOST = ''server.internal.domain.tld''<br />
<br />
[rpcproxy:ldap]<br />
host = ''server.internal.domain.tld''<br />
port = 389<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
<br />
# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*<br />
# Debug mode will enable the interactive debugging tool, allowing ANYONE to<br />
# execute malicious code after an exception is raised.<br />
set debug = false<br />
<br />
# Logging configuration<br />
[loggers]<br />
keys = root<br />
<br />
[handlers]<br />
keys = console<br />
<br />
[formatters]<br />
keys = generic<br />
<br />
[logger_root]<br />
level = INFO<br />
handlers = console<br />
<br />
[handler_console]<br />
class = StreamHandler<br />
args = (sys.stderr,)<br />
level = NOTSET<br />
formatter = generic<br />
<br />
[formatter_generic]<br />
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s<br />
<br />
Then start and enable {{ic|ocsmanager}} service.<br />
<br />
==== Adding OpenChange MAPIProxy and OCSManager to Apache ====<br />
<br />
This is the part that glues it all together. Add the following to the end of {{ic|/etc/httpd/conf/httpd.conf}} file (or virtual host configuration file):<br />
<br />
LoadModule wsgi_module modules/mod_wsgi.so<br />
include conf/extra/rpcproxy.conf<br />
include conf/extra/ocsmanager-apache.conf<br />
<br />
Now just restart {{ic|httpd}} and {{ic|samba}}. If you have made it this far, and your DNS is configured correctly, you should be able to configure an Outlook client with only an email address, username, and password. For Outlook (or other MAPI clients that support RPC/HTTPS), you need to open only port 443 at the edge. Obviously, you still need to consider additional configuration for Postfix (spam and virus filtering, more restrictive use of SMTPD and SMTP, opening ports 25 and 587) if you intend to receive mail from the internet. You will probably also want to move the various HTTPD pieces into virtual hosts, provide redirection on 80 for secure services, etc., but those exercises are covered in great detail elsewhere.</div>Templishttps://wiki.archlinux.org/index.php?title=User_talk:DJ_L&diff=361144User talk:DJ L2015-02-14T19:09:06Z<p>Templis: /* OpenChange Server */</p>
<hr />
<div>==Samba 4 stubs==<br />
::::All right, the stubs are deleted. Yes, the policy is "simply make the edit": as long as you properly justify your edits using the Summary (just below the text editing area) you'll be fine. You don't need to contact the previous contributors of an article, just do the edits and keep watching the talk page: if they've got something to say, they'll show up there :) I recommend you to directly edit the existing articles because this will avoid creating duplicated content, which is so hard to maintain especially in the long run. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 12:03, 17 December 2013 (UTC)<br />
<br />
==OpenChange Server==<br />
Hi, thank you for maintaining the [[OpenChange Server]] article. I've followed up till [[OpenChange Server#Testing Dovecot authentication]] and run into an error: "a NO [AUTHENTICATIONFAILED] Authentication failed." I think it's about auth_bind_userdn = INTERNAL\%u. What does INTERNAL stand for? Is this the INTERNAL.SERVER.TLD? Can you please give a more detailed example regarding your example hosts?<br />
: Yes, this would be the NetBIOS (short) domain name (from the Samba article). I expect that INTERNAL.SERVER.TLD\%u should work as well (though I didn't bother to test). Perhaps I should use the term "NetBIOS" instead of "INTERNAL" to better separate the namespace. Do you think it would have read better if it had been written like that? [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
<br />
::Ah, thank you, now it works! Eventually change this line to: Create the LDAP user and password configuration files (replace dc=internal,dc=domain,dc=tld and INTERNAL (your NetBIOS name) with appropriate values):<br />
::Or even I was too mentally lazy for that :)<br />
::I've found a failure in your Dovecot Test: '''LOGIN Administrator xxxxxxxx''' must be '''a LOGIN Administrator xxxxxxxx'''<br />
<br />
::: Cool! Thanks for fixing that. Everything working well for you? [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
:::: There was an error with Dovecot and sieve. I'll go change this today. I have another question: is it possible to add more than one e-mail address per user in SOGo?</div>Templishttps://wiki.archlinux.org/index.php?title=OpenChange_server&diff=360850OpenChange server2015-02-13T21:18:07Z<p>Templis: in Testing Dovecot authentication '''. LOGIN Administrator xxxxxxxx''' changed to '''a LOGIN Administrator xxxxxxxx''' and '''. LOGOUT''' to '''a LOGOUT''' now tests works</p>
<hr />
<div>[[Category:Mail Server]]<br />
{{Related articles start}}<br />
{{Related|Samba}}<br />
{{Related|Samba/Tips and tricks}}<br />
{{Related|Samba/Troubleshooting}}<br />
{{Related|Samba/Advanced file sharing with KDE4}}<br />
{{Related|Samba Domain Controller}}<br />
{{Related|Active Directory Integration}}<br />
{{Related|Samba 4 Active Directory Domain Controller}}<br />
{{Related articles end}}<br />
<br />
This article explains how to set up a mail server using OpenChange server, following on from the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] article. Postfix is used for the MTA, Dovecot for the IMAP/POP server, and SOGo for the backend, with all users stored in Samba's Active Directory (normal Exchange attributes are used throughout).<br />
<br />
== Installation ==<br />
<br />
=== Prerequisites ===<br />
<br />
Install the needed prerequisite packages:<br />
<br />
# pacman -S apache postgresql postfix dovecot mariadb<br />
<br />
Install {{AUR|openchange-server}}, {{AUR|sope}}, {{AUR|sogo}}, {{AUR|sogo-openchange}}, and {{AUR|mysql-python-embedded}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
=== MySQL/MariaDB ===<br />
<br />
Enable MySQL/MariaDB with the following commands and enter mysql as the root user:<br />
<br />
# systemctl enable mysqld.service<br />
# systemctl start mysqld.service<br />
# mysql -u root<br />
<br />
At the mysql prompt, enter the following commands (replace '''OpenchangePW''' with a secure password):<br />
<br />
CREATE DATABASE openchange;<br />
CREATE USER 'openchange'@'localhost' IDENTIFIED BY ''''OpenchangePW'''';<br />
GRANT ALL PRIVILEGES ON `openchange`.* TO 'openchange'@'localhost' WITH GRANT OPTION;<br />
FLUSH PRIVILEGES;<br />
<br />
=== Initial OpenChange configuration ===<br />
<br />
==== Samba ====<br />
<br />
Make a backup copy of your existing samba configuration<br />
<br />
# cp /etc/samba/smb.conf{,.bak}<br />
<br />
Append the following lines to "[global]" section of the {{ic|/etc/samba/smb.conf}} file. Be sure to replace '''OpenchangePW''':<br />
<br />
...<br />
# Begin OpenChange Server Configuration<br />
dcerpc endpoint servers = +epmapper, +mapiproxy, +dnsserver<br />
dcerpc_mapiproxy:server = true<br />
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr<br />
mapistore:namedproperties = mysql<br />
namedproperties:mysql_user = openchange<br />
namedproperties:mysql_pass = '''OpenchangePW'''<br />
namedproperties:mysql_host = localhost<br />
namedproperties:mysql_db = openchange<br />
mapistore:indexing_backend = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
mapiproxy:openchangedb = mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
# End OpenChange Server Configuration<br />
...<br />
<br />
==== OpenChange ====<br />
<br />
Next, provision the database and create the openchange DB. Once again, replace '''OpenchangePW''':<br />
<br />
# openchange_provision --standalone<br />
# openchange_provision --openchangedb --openchangedb-uri mysql://openchange:'''OpenchangePW'''@localhost/openchange<br />
<br />
Enable mail for the first user (we will use administrator):<br />
<br />
# openchange_newuser --create Administrator<br />
<br />
Restart {{ic|samba}}.<br />
<br />
At this point, you should verify that all samba services are working as expected. Use the tests in the [[Samba_4_Active_Directory_Domain_Controller|Samba 4 Active Directory Domain Controller]] guide in addition to testing RPC from a Windows client (simply connect with RSAT tools or something similar). If all is well, then continue. If not, restore the backup of {{ic|smb.conf}} until you can track down the problem.<br />
<br />
Finally, verify that you can edit user properties. For this, we will use ldbedit, which lets you directly modify user attributes. The relevant attributes are mail and proxyAddresses. The proxyAddresses entry labeled SMTP (as opposed to smtp) is the default mail address. If using separate internal and external domains, you will need to set SMTP to the external address, as this will be the SMTP From address and envelope sender in outgoing messages. Replace ''vim'' in the following command with your preferred editor:<br />
<br />
# LDB_MODULES_PATH="/usr/lib/samba/ldb" ldbedit -e ''vim'' -H /var/lib/samba/private/sam.ldb '(samaccountname=administrator)'<br />
<br />
If you first followed the [[Samba_4_Active_Directory_Domain_Controller| Samba 4 Active Directory Domain Controller]] article, you should see text similar to the following in the editor window (substituting ''internal.domain.tld'' with your domain's values):<br />
<br />
{{bc|1=...<br />
mail: Administrator@internal.domain.tld<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@internal.domain.tld<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: SMTP:Administrator@internal.domain.tld<br />
...}}<br />
It is important to change both the ''mail'' attribute (this is what we will use for group expansion), and the primary ''SMTP'' address. Change it to the following (again, substitute appropriate values for ''internal''.''domain''.''tld''):<br />
<br />
{{bc|1=...<br />
mail: Administrator@domain.tld<br />
...<br />
proxyAddresses: =EX:/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=Administrator<br />
proxyAddresses: smtp:postmaster@internal.domain.tld<br />
proxyAddresses: smtp:postmaster@domain.tld<br />
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=Administrator<br />
proxyAddresses: smtp:Administrator@internal.domain.tld<br />
proxyAddresses: SMTP:administrator@domain.tld<br />
...}}<br />
<br />
=== Initial SOGo configuration ===<br />
<br />
==== Apache httpd ====<br />
<br />
Add SOGo to the Apache configuration appending the following lines at the end of {{ic|/etc/httpd/conf/httpd.conf}}:<br />
<br />
...<br />
# Include SOGo configuration<br />
include conf/extra/SOGo.conf<br />
<br />
Create the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file:<br />
<br />
Alias /SOGo.woa/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
Alias /SOGo/WebServerResources/ \<br />
/usr/lib/GNUstep/SOGo/WebServerResources/<br />
<br />
<Directory /usr/lib/GNUstep/SOGo/><br />
AllowOverride None<br />
<br />
<IfVersion < 2.4><br />
Order deny,allow<br />
Allow from all<br />
</IfVersion><br />
<IfVersion >= 2.4><br />
Require all granted<br />
</IfVersion><br />
<br />
# Explicitly allow caching of static content to avoid browser specific behavior.<br />
# A resource's URL MUST change in order to have the client load the new version.<br />
<IfModule expires_module><br />
ExpiresActive On<br />
ExpiresDefault "access plus 1 year"<br />
</IfModule><br />
</Directory><br />
<br />
## Uncomment the following to enable proxy-side authentication, you will then<br />
## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and<br />
## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section<br />
## below.<br />
#<Location /SOGo><br />
# AuthType XXX<br />
# Require valid-user<br />
# SetEnv proxy-nokeepalive 1<br />
# Allow from all<br />
#</Location><br />
<br />
ProxyRequests Off<br />
SetEnv proxy-nokeepalive 1<br />
ProxyPreserveHost On<br />
<br />
# When using CAS, you should uncomment this and install cas-proxy-validate.py<br />
# in /usr/lib/cgi-bin to reduce server overloading<br />
#<br />
# ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py<br />
# <Proxy http://localhost/app/cas-proxy-validate.py><br />
# Order deny,allow<br />
# Allow from your-cas-host-addr<br />
# </Proxy><br />
<br />
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0<br />
<br />
# Enable to use Microsoft ActiveSync support<br />
# Note that you MUST have many sogod workers to use ActiveSync.<br />
# See the SOGo Installation and Configuration guide for more details.<br />
#<br />
#ProxyPass /Microsoft-Server-ActiveSync \<br />
# http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \<br />
# retry=60 connectiontimeout=5 timeout=360<br />
<br />
<Proxy http://127.0.0.1:20000/SOGo><br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "mail.lucasit.com"<br />
RequestHeader set "x-webobjects-server-url" "https://mail.lucasit.com"<br />
<br />
## When using proxy-side autentication, you need to uncomment and<br />
## adjust the following line:<br />
# RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"<br />
<br />
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"<br />
<br />
AddDefaultCharset UTF-8<br />
<br />
Order allow,deny<br />
Allow from all<br />
</Proxy><br />
<br />
# For Apple autoconfiguration<br />
<IfModule rewrite_module><br />
RewriteEngine On<br />
RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]<br />
</IfModule><br />
<br />
Create the state directory and start services:<br />
<br />
# mkdir /var/run/sogo<br />
# chown sogo:sogo /var/run/sogo<br />
<br />
Then enable and start the {{ic|sogo}} and {{ic|httpd}} services.<br />
<br />
Open a browser and go to http://server.internal.domain.tld/SOGo/ but do not try to login just yet, just verify that you can connect and get the login screen.<br />
<br />
==== PostgreSQL ====<br />
<br />
Initialize the default database and start PostgreSQL (be sure to replace ''en_US.UTF-8'' with the correct locale for your installation):<br />
<br />
# mkdir -p /var/lib/postgres/data<br />
# chown -R postgres:postgres /var/lib/postgres<br />
# su - postgres -c "initdb --locale ''en_US.UTF-8'' -D '/var/lib/postgres/data'"<br />
Then start and enable {{ic|postgresql}} service.<br />
<br />
Create the sogo user and the sogo DB for PostgreSQL (do not select a strong password for the sogo user, just use "sogo" for simplicity. This is temporary and we will change it later):<br />
<br />
# su - postgres<br />
$ createuser --no-superuser --no-createdb --no-createrole --encrypted --pwprompt sogo<br />
$ createdb -O sogo sogo<br />
<br />
Edit the access configuration for the openchange DB:<br />
<br />
# cp /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
# sed \<br />
's/D$/D\n\n#Configuration for OpenChange/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# sed \<br />
's/ange$/ange\nhost\topenchange\topenchange\t127.0.0.1\/32\t\tmd5/' \<br />
-i /var/lib/postgres/data/pg_hba.conf<br />
# chown postgres:postgres /var/lib/postgres/data/pg_hba.conf{,.bak}<br />
<br />
Restart the {{ic|postgresql}} service.<br />
<br />
==== SOGo ====<br />
<br />
Configure SOGo defaults with the following commands (be certain to replace REGION/LOCALITY, SAMBAADMINPASSWORD, and dc=internal,dc=domain,dc=tld with appropriate values):<br />
<br />
# su - sogo -s /bin/bash<br />
$ defaults write sogod SOGoTimeZone "REGION/LOCALITY"<br />
$ defaults write sogod OCSFolderInfoURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info"<br />
$ defaults write sogod SOGoProfileURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile"<br />
$ defaults write sogod OCSSessionsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder"<br />
$ defaults write sogod OCSEMailAlarmsFolderURL "postgresql://sogo:sogo@localhost:5432/sogo/sogo_alarm_folder"<br />
$ defaults write sogod SOGoUserSources '({CNFieldName = displayName; IDFieldName = cn; UIDFieldName = sAMAccountName; IMAPHostFieldName =; baseDN = "cn=Users,dc=internal,dc=domain,dc=tld"; bindDN = "cn=Administrator,cn=Users,dc=internal,dc=domain,dc=tld"; bindPassword = "SAMBAADMINPASSWORD"; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = "localhost"; id = public; isAddressBook = YES; port = 389;})'<br />
$ defaults write sogod WONoDetach NO<br />
$ defaults write sogod WOLogFile /var/log/sogo/sogo.log<br />
$ defaults write sogod WOPidFile /var/run/sogo/sogo.pid<br />
$ exit<br />
<br />
Next, edit the SOGo Apache configuration file, {{ic|/etc/httpd/conf/extra/SOGo.conf}}, and comment out the following lines for testing (until your SSL certificates are in place and the configuration is complete):<br />
<br />
{{bc|<br />
## adjust the following to your configuration<br />
# RequestHeader set "x-webobjects-server-port" "443"<br />
# RequestHeader set "x-webobjects-server-name" "yourhostname"<br />
# RequestHeader set "x-webobjects-server-url" "https://yourhostname"<br />
}}<br />
<br />
Give the root user the GNUStep configuration for the sogo user:<br />
<br />
# ln -s /etc/sogo/GNUStep /root/GNUStep<br />
<br />
=== Initial Postfix configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a minimal Postfix configuration (replace ''server.internal.domain.tld'' with a valid internal FQDN):<br />
<br />
# postconf -e myhostname=''server.internal.domain.tld''<br />
# postconf -e mydestination=localhost<br />
<br />
If this server will be accessible from the internet, set the HELO/EHLO values to match the FQDN as seen from the internet (replace ''mail.domain.tld''):<br />
<br />
# postconf -e smtp_helo_name=''mail.domain.tld''<br />
# postconf -e smtpd_banner='$smtp_helo_name ESMTP $mail_name'<br />
<br />
Enable and start {{ic|postfix}}.<br />
<br />
==== Virtual user configuration ====<br />
<br />
Create a vmail user and set up Postfix to use it:<br />
<br />
# groupadd -g 5000 vmail<br />
# useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail<br />
# chmod 750 /home/vmail<br />
# postconf -e virtual_minimum_uid=5000<br />
# postconf -e virtual_uid_maps=static:5000<br />
# postconf -e virtual_gid_maps=static:5000<br />
# postconf -e virtual_mailbox_base=/home/vmail<br />
# postfix reload<br />
<br />
==== LDAP configuration ====<br />
<br />
Next we need to tell Postfix how to look up users. To do this, you will need to create an unprivileged user to use for LDAP lookups (select a suitably strong password; 63 mixed-case alphanumeric characters should be good):<br />
<br />
# samba-tool user create ldap --description="Unprivileged user for LDAP lookups"<br />
<br />
Now, create the LDAP alias map for Postfix (the group map is derived from it below) by pasting the following lines into the file {{ic|/etc/postfix/ldap-alias.cf}} as root (replace ''internal'', ''domain'' and ''tld'' with appropriate values):<br />
<br />
# Directory settings<br />
server_host = 127.0.0.1<br />
search_base = dc=''internal'',dc=''domain'',dc=''tld''<br />
scope = sub<br />
version = 3<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=users,dc=''internal'',dc=''domain'',dc=''tld''<br />
bind_pw = ''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
result_attribute = samaccountname<br />
result_format = %s@''internal''.''domain''.''tld''<br />
<br />
Create the group map:<br />
<br />
# sed -e '/^query/d' \<br />
-e '/^result/d' \<br />
-e '/format/d' \<br />
/etc/postfix/ldap-alias.cf > /etc/postfix/ldap-group.cf<br />
# echo "query_filter = (&(objectclass=group)(mail=%s))" >> /etc/postfix/ldap-group.cf<br />
# echo "special_result_attribute = member" >> /etc/postfix/ldap-group.cf<br />
# echo "leaf_result_attribute = mail" >> /etc/postfix/ldap-group.cf<br />
<br />
Set the right permissions:<br />
<br />
# chmod 0600 /etc/postfix/ldap-{alias,group}.cf<br />
<br />
Next, test the lookup map for users (groups have not yet been created), substituting ''internal''.''domain''.''tld'':<br />
<br />
# postmap -q administrator@''domain''.''tld'' ldap:/etc/postfix/ldap-alias.cf<br />
# postmap -q administrator@''internal''.''domain''.''tld'' ldap:/etc/postfix/ldap-alias.cf<br />
<br />
You should receive the following output for both commands:<br />
<br />
Administrator@internal.domain.tld<br />
<br />
Append any other hosted domains to the first command below, add the maps, and then reload the Postfix configuration:<br />
<br />
# postconf -e virtual_mailbox_domains="''domain''.''tld'', ''internal''.''domain''.''tld''"<br />
# postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-group.cf"<br />
# postfix reload<br />
<br />
At this point, Dovecot will need to be configured before completing the Postfix configuration, as Dovecot SASL and LMTP will be used for authentication and delivery (respectively).<br />
<br />
=== Dovecot configuration ===<br />
<br />
==== Basic configuration ====<br />
<br />
Create a very basic dovecot configuration:<br />
<br />
# cp /etc/dovecot/dovecot.conf{.sample,}<br />
# chown root:root /etc/dovecot/dovecot.conf<br />
<br />
Then create the file {{ic|/etc/dovecot/conf.d/local.conf}} with this content:<br />
<br />
auth_mechanisms = plain login<br />
disable_plaintext_auth = no<br />
ssl = no<br />
auth_username_format = %n<br />
mail_location = /home/vmail/%Lu/Maildir<br />
<br />
Enable and start {{ic|dovecot}}.<br />
<br />
==== LDAP configuration ====<br />
<br />
Add the LDAP lookup configuration {{ic|/etc/dovecot/conf.d/ldap.conf}}:<br />
<br />
passdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-passdb.conf<br />
}<br />
userdb ldap {<br />
driver = ldap<br />
args = /etc/dovecot/dovecot-ldap-userdb.conf<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/ldap.conf<br />
# chown root:root /etc/dovecot/conf.d/ldap.conf<br />
<br />
Create the LDAP user and password configuration files (replace dc='''internal''',dc='''domain''',dc='''tld''' and '''INTERNAL''' (the NetBIOS short domain name) with appropriate values):<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-passdb.conf}}<br />
hosts = localhost<br />
auth_bind = yes<br />
auth_bind_userdn = '''INTERNAL'''\%u<br />
ldap_version = 3<br />
base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
scope = subtree<br />
deref = never<br />
pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
{{ic|/etc/dovecot/dovecot-ldap-userdb.conf}}<br />
hosts = localhost<br />
dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
dnpass = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
ldap_version = 3<br />
# The base must be cn=Users for OpenChange ATM...future<br />
base = cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
user_attrs = =uid=5000,=gid=5000,=home=/home/vmail/%Lu,=mail=maildir:/home/vmail/%Lu/Maildir/<br />
user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))<br />
<br />
# Attributes and filter to get a list of all users<br />
iterate_attrs = sAMAccountName=user<br />
iterate_filter = (objectClass=person)<br />
<br />
Set permissions:<br />
# chown root:root /etc/dovecot/dovecot-ldap-{pass,user}db.conf<br />
# chmod 0600 /etc/dovecot/dovecot-ldap-userdb.conf<br />
# chmod 0644 /etc/dovecot/dovecot-ldap-passdb.conf<br />
<br />
Create the SASL configuration {{ic|/etc/dovecot/conf.d/sasl.conf}}:<br />
<br />
service auth {<br />
unix_listener /var/spool/postfix/private/auth {<br />
mode = 0660<br />
user = postfix<br />
group = postfix<br />
}<br />
}<br />
<br />
Set permissions:<br />
# chmod 0644 /etc/dovecot/conf.d/sasl.conf<br />
# chown root:root /etc/dovecot/conf.d/sasl.conf<br />
<br />
Reload Dovecot for the configuration to take effect:<br />
<br />
# dovecot reload<br />
<br />
==== Testing Dovecot authentication ====<br />
<br />
Open a ''telnet'' session and test (commands you enter are in bold, replace ''xxxxxxxx'' with your real password):<br />
<br />
'''telnet localhost 143'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.<br />
'''a LOGIN Administrator xxxxxxxx'''<br />
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in<br />
'''a LOGOUT'''<br />
* BYE Logging out<br />
. OK Logout completed.<br />
Connection closed by foreign host.<br />
<br />
If you have received anything other than OK, go back and double check your configuration before continuing.<br />
<br />
==== LMTP configuration ====<br />
<br />
Create the LMTP configuration file {{ic|/etc/dovecot/conf.d/lmtp.conf}}:<br />
<br />
mail_location = /home/vmail/%Lu/Maildir<br />
service lmtp {<br />
unix_listener /var/spool/postfix/private/dovecot-lmtp {<br />
mode = 0600<br />
user = postfix<br />
group = postfix<br />
}<br />
user = vmail<br />
}<br />
<br />
protocol lmtp {<br />
postmaster_address = postmaster@'''domain'''.'''tld'''<br />
}<br />
<br />
# chmod 0644 /etc/dovecot/conf.d/lmtp.conf<br />
# dovecot reload<br />
<br />
==== TLS configuration ====<br />
<br />
Put your certificate files into place and create the TLS configuration file {{ic|/etc/dovecot/conf.d/tls.conf}} (adjust paths and names as necessary). The key file should be owned by root with 0400 permissions. Any intermediate certificates should be concatenated after the public cert:<br />
<br />
ssl = yes<br />
ssl_cert = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.pem<br />
ssl_key = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key<br />
<br />
# chmod 644 /etc/dovecot/conf.d/tls.conf<br />
<br />
Remove the earlier explicitly defined values from {{ic|local.conf}} and reload Dovecot:<br />
<br />
# sed -e '/^ssl/d' -e '/disable_plaintext/s/no/yes/' \<br />
-i /etc/dovecot/conf.d/local.conf<br />
# dovecot reload<br />
<br />
=== Postfix final configuration ===<br />
<br />
==== SASL configuration ====<br />
<br />
Modify the default smtpd instance:<br />
<br />
# postconf -e smtpd_sasl_type=dovecot<br />
# postconf -e smtpd_sasl_path=private/auth<br />
# postconf -e smtpd_sasl_auth_enable=yes<br />
# postconf -e smtpd_relay_restrictions="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"<br />
<br />
==== LMTP configuration ====<br />
<br />
Use dovecot LMTP for delivery:<br />
<br />
# postconf -e virtual_transport=lmtp:unix:private/dovecot-lmtp<br />
<br />
==== TLS configuration ====<br />
<br />
If you intend to use STARTTLS (as you should), enable the mail submission port and restrict it to authenticated clients. Edit the following lines in {{ic|/etc/postfix/master.cf}} (replace '''internal.domain.tld'''):<br />
<br />
submission inet n - n - - smtpd<br />
-o syslog_name=postfix/submission<br />
-o smtpd_tls_security_level=encrypt<br />
-o smtpd_sasl_auth_enable=yes<br />
-o smtpd_sasl_type=dovecot<br />
-o smtpd_sasl_path=private/auth<br />
-o smtpd_sasl_security_options=noanonymous<br />
-o smtpd_client_restrictions=permit_sasl_authenticated,reject<br />
-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf<br />
-o smtpd_sender_restrictions=reject_sender_login_mismatch<br />
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject<br />
<br />
Add your certificates. If you intend to chroot Postfix (not discussed in this guide, see here), these need to be placed in the Postfix configuration directory rather than the default /etc/ssl/private directory. Additionally, any intermediate certs should be concatenated with the public cert first in the chain, and the key file should be owned by root with 0400 permissions:<br />
<br />
# postconf -e smtpd_tls_key_file=/etc/postfix/ssl/'''mail.domain.tld.key'''<br />
# postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/'''mail.domain.tld.pem'''<br />
<br />
Create a map to verify addresses to authenticated users {{ic|/etc/postfix/ldap-sender.cf}}:<br />
<br />
# Directory settings<br />
server_host = localhost<br />
search_base = dc='''internal''',dc='''domain''',dc='''tld'''<br />
version = 3<br />
scope = sub<br />
<br />
# User Binding<br />
bind = yes<br />
bind_dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''<br />
bind_pw = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7'''<br />
<br />
# Filter<br />
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))<br />
leaf_result_attribute = proxyAddresses<br />
result_attribute = sAMAccountName<br />
<br />
Set permissions:<br />
# chown root:root /etc/postfix/ldap-sender.cf<br />
# chmod 0640 /etc/postfix/ldap-sender.cf<br />
<br />
If you would like to enable TLS on the default SMTP port, you should make it optional. If you make it required, you will not be able to receive mail from many hosts on the internet.<br />
<br />
# postconf -e smtpd_tls_security_level=may<br />
<br />
Reload postfix to apply the configuration changes:<br />
<br />
# postfix reload<br />
<br />
==== Testing the Postfix SASL configuration ====<br />
<br />
Begin by getting a base64 encoded version of your username and password (replace '''xxxxxxxx''' with your real password):<br />
<br />
$ echo -ne '\000Administrator\000'''xxxxxxxx'''' | openssl base64<br />
<br />
You should receive output similar to the following:<br />
<br />
AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=<br />
<br />
Now, open a ''telnet'' session and test (commands you enter are in bold, replace '''host.domain.tld''' with your real external FQDN and '''AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg=''' with the result of the previous command):<br />
<br />
$ '''telnet localhost 25'''<br />
Trying 127.0.0.1...<br />
Connected to localhost.<br />
Escape character is '^]'.<br />
220 host.domain.tld ESMTP Postfix<br />
'''ehlo host.domain.tld'''<br />
250-mail.lucasit.com<br />
250-PIPELINING<br />
250-SIZE 10240000<br />
250-VRFY<br />
250-ETRN<br />
250-STARTTLS<br />
250-AUTH PLAIN LOGIN<br />
250-ENHANCEDSTATUSCODES<br />
250-8BITMIME<br />
250 DSN<br />
'''AUTH PLAIN AEFkbWluaXN0cmF0b3IAeHh4eHh4eHg='''<br />
235 2.7.0 Authentication successful<br />
'''quit'''<br />
221 2.0.0 Bye<br />
Connection closed by foreign host.<br />
<br />
If you have gotten anything other than a 235 message, something is wrong and you should troubleshoot now rather than later.<br />
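The encoding and reply check from the test above, as an added shell example that is not part of the article: sasl_plain_token builds the RFC 4616 "\0authcid\0password" string the page encodes with echo -ne, smtp_auth_result classifies a captured reply (235, 535, or an EHLO banner that never offered AUTH), and smtp_auth_probe runs the same exchange over STARTTLS on the submission port instead of in the clear on port 25. The EHLO name probe.invalid, the host and port arguments, and the sample transcript are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the wiki article: build the AUTH PLAIN initial
# response and check the server's answer. Needs openssl (or coreutils base64)
# for the encoding and openssl s_client for the live probe.

# b64encode: base64 stdin, preferring the openssl invocation the page uses
b64encode() {
    if command -v openssl >/dev/null 2>&1; then openssl base64; else base64; fi
}

# sasl_plain_token AUTHCID PASSWORD
# Prints base64("\0" authcid "\0" password): the PLAIN initial response of
# RFC 4616 with an empty authorization identity, i.e. what the page builds
# with "echo -ne '\000Administrator\000xxxxxxxx' | openssl base64".
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | b64encode | tr -d '\n'
}

# smtp_auth_result < TRANSCRIPT
# Reads server reply lines from stdin and prints one word:
#   ok       a 235 reply: authentication succeeded
#   denied   a 535 reply: wrong credentials, or the mechanism was refused
#   no-auth  EHLO never advertised AUTH (smtpd_sasl_auth_enable not in
#            effect on this port, or AUTH hidden until after STARTTLS)
#   unknown  anything else (503/530 sequencing errors, truncated session)
smtp_auth_result() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^235 '; then
        echo ok
    elif printf '%s\n' "$transcript" | grep -q '^535 '; then
        echo denied
    elif ! printf '%s\n' "$transcript" | grep -q '^250[ -]AUTH '; then
        echo no-auth
    else
        echo unknown
    fi
}

# Constructed transcript modelled on the page's telnet session; it was not
# captured from a real server.
sample_success_transcript() {
    cat <<'EOF'
220 host.domain.tld ESMTP Postfix
250-host.domain.tld
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
235 2.7.0 Authentication successful
221 2.0.0 Bye
EOF
}

# smtp_auth_probe HOST PORT AUTHCID PASSWORD
# Live variant of the page's test, but over STARTTLS on the submission port
# (587, as configured in master.cf above) so the password never crosses the
# wire in the clear. s_client performs the initial EHLO and STARTTLS itself;
# the EHLO below is the one required after the TLS handshake.
# Prints the smtp_auth_result word. Not exercised by the offline test.
smtp_auth_probe() {
    token=$(sasl_plain_token "$3" "$4")
    {
        printf 'EHLO probe.invalid\r\n'; sleep 1
        printf 'AUTH PLAIN %s\r\n' "$token"; sleep 1
        printf 'QUIT\r\n'
    } | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null |
        smtp_auth_result
}
```

On the server, `smtp_auth_probe localhost 587 Administrator xxxxxxxx` should print `ok`; `denied` with the same configuration points at the ldap-sender.cf or Dovecot passdb lookup rather than at Postfix.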
<br />
At this point, you have a fully functional mail server, though you will probably want to lock it down a bit tighter (which is not covered in this article). You could easily stop now and use any mail client you wish; however, you would miss out on the fun of Outlook, RPC/HTTPS, calendar, the GAL, and contacts. This additional functionality is provided by SOGo and OpenChange.<br />
<br />
=== SOGo final configuration ===<br />
<br />
==== PostgreSQL ====<br />
<br />
Select a strong password (63 random alphanumeric characters is good) for the sogo user and change it now:<br />
<br />
# su - postgres<br />
$ psql<br />
ALTER USER sogo WITH PASSWORD 'ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT';<br />
\q<br />
<br />
==== SOGo ====<br />
<br />
Create a suitable SOGo configuration file in {{ic|/etc/sogo/sogo.conf}} (replace items in bold with appropriate values):<br />
<br />
{<br />
/* Database Configuration */<br />
SOGoProfileURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_user_profile";<br />
OCSFolderInfoURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_folder_info";<br />
OCSSessionsFolderURL = "postgresql://sogo:'''ZpRTOZuQiaKBma4YhvozRJwXCbLqhnRiurhvidB9A8vbjxEoNNjbAwHSbpBTobT'''@localhost:5432/sogo/sogo_sessions_folder";<br />
<br />
/* Mail */<br />
SOGoDraftsFolderName = Drafts;<br />
SOGoSentFolderName = Sent;<br />
SOGoTrashFolderName = Trash;<br />
SOGoIMAPServer = localhost;<br />
SOGoSieveServer = sieve://127.0.0.1:4190;<br />
SOGoSMTPServer = 127.0.0.1;<br />
SOGoMailDomain = '''internal'''.'''domain'''.'''tld''';<br />
SOGoMailingMechanism = smtp;<br />
SOGoForceExternalLoginWithEmail = NO;<br />
SOGoMailSpoolPath = /var/spool/sogo;<br />
NGImap4ConnectionStringSeparator = "/";<br />
<br />
/* Notifications */<br />
SOGoAppointmentSendEMailNotifications = NO;<br />
SOGoACLsSendEMailNotifications = NO;<br />
SOGoFoldersSendEMailNotifications = NO;<br />
<br />
/* Authentication */<br />
SOGoPasswordChangeEnabled = YES;<br />
<br />
/* User Authentication */<br />
SOGoUserSources = (<br />
{<br />
type = ldap;<br />
CNFieldName = cn;<br />
IDFieldName = cn;<br />
UIDFieldName = sAMAccountName;<br />
baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";<br />
bindFields = (sAMAccountName);<br />
bindPassword = '''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''';<br />
canAuthenticate = YES;<br />
displayName = "Active Directory";<br />
hostname = ldap://127.0.0.1:389;<br />
id = directory;<br />
isAddressBook = YES;<br />
}<br />
);<br />
<br />
/* Web Interface */<br />
SOGoPageTitle = SOGo;<br />
SOGoVacationEnabled = YES;<br />
SOGoForwardEnabled = YES;<br />
SOGoSieveScriptsEnabled = YES;<br />
SOGoMailAuxiliaryUserAccountsEnabled = YES;<br />
SOGoTrustProxyAuthentication = NO;<br />
<br />
/* General */<br />
SOGoLanguage = '''English''';<br />
SOGoTimeZone = '''America/Chicago''';<br />
SOGoCalendarDefaultRoles = (<br />
PublicDAndTViewer,<br />
ConfidentialDAndTViewer<br />
);<br />
SOGoSuperUsernames = (administrator);<br />
SxVMemLimit = 384;<br />
//WOPidFile = "/var/run/sogo/sogo.pid";<br />
SOGoMemcachedHost = "/var/run/memcached.sock";<br />
<br />
/* Debug */<br />
//SOGoDebugRequests = YES;<br />
//SoDebugBaseURL = YES;<br />
//ImapDebugEnabled = YES;<br />
//LDAPDebugEnabled = YES;<br />
//PGDebugEnabled = YES;<br />
//MySQL4DebugEnabled = YES;<br />
//SOGoUIxDebugEnabled = YES;<br />
//WODontZipResponse = YES;<br />
//WOLogFile = /var/log/sogo/sogo.log;<br />
<br />
}<br />
<br />
Then issue the following commands:<br />
# chown sogo:sogo /etc/sogo/sogo.conf<br />
# chmod 0600 /etc/sogo/sogo.conf<br />
# rm /etc/sogo/GNUstep/Defaults/sogod.plist<br />
# mkdir /var/spool/sogo<br />
# chown sogo:sogo /var/spool/sogo<br />
# chmod 700 /var/spool/sogo<br />
<br />
Now restart {{ic|sogo}} service and try it out by visiting http://'''server.internal.domain.tld'''/SOGo/ .<br />
<br />
==== Apache ====<br />
<br />
If all is well with SOGo without SSL, go ahead and enable SSL in httpd (modify paths and filenames as necessary):<br />
<br />
# sed -e '/httpd-ssl.conf/s/#//' \<br />
-e '/modules\/mod_ssl.so/s/#//' \<br />
-e '/mod_socache_shmcb/s/#//' \<br />
-i /etc/httpd/conf/httpd.conf<br />
# sed -e '/^SSLCertificateFile/s@/etc/httpd/conf/server.crt@/etc/httpd/ssl/''mail''.''domain''.''tld''.pem@' \<br />
-e '/^SSLCertificateKeyFile/s@/etc/httpd/conf/server.key@/etc/httpd/ssl/''mail''.''domain''.''tld''.key@' \<br />
-i /etc/httpd/conf/extra/httpd-ssl.conf<br />
<br />
Now edit the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file and uncomment the following lines, editing them to suit your site:<br />
<br />
## adjust the following to your configuration<br />
RequestHeader set "x-webobjects-server-port" "443"<br />
RequestHeader set "x-webobjects-server-name" "mail.domain.tld"<br />
RequestHeader set "x-webobjects-server-url" "https://mail.domain.tld"<br />
<br />
Restart {{ic|httpd}} service for the changes to take effect.<br />
<br />
Visit the regular http page; it should redirect you to the https site.<br />
<br />
=== OpenChange final configuration ===<br />
{{Out of date|Recent versions of Samba have left OCSManager/MAPIProxy in an unusable state. Fortunately, with SOGo-2.2, the new ActiveSync code should eliminate the need for OCSManager with Outlook 2013+.}}<br />
<br />
==== OCSManager ====<br />
<br />
OCSManager is a Python Paste servlet that listens specifically for autodiscover, EWS, and RPCProxy requests.<br />
Create a backup copy of the {{ic|/etc/ocsmanager/ocsmanager.ini}} file:<br />
<br />
# mv /etc/ocsmanager/ocsmanager.ini{,.bak}<br />
<br />
Set up OCSManager with the {{ic|/etc/ocsmanager/ocsmanager.ini}} file (replace the items in italic type with appropriate values):<br />
<br />
#<br />
# ocsmanager - Pylons configuration<br />
#<br />
# The %(here)s variable will be replaced with the parent directory of this file<br />
#<br />
[DEFAULT]<br />
debug = true<br />
email_to = ''postmaster@domain.tld''<br />
smtp_server = localhost<br />
error_email_from = ''postmaster@domain.tld''<br />
<br />
[main]<br />
auth = ldap<br />
mapistore_root = /var/lib/samba/private<br />
mapistore_data = /var/lib/samba/private/mapistore<br />
debug = yes<br />
<br />
[auth:ldap]<br />
host = ldap://''server.domain.tld''<br />
port = 389<br />
bind_dn = ''CN=ldap,CN=Users,DC=internal,DC=domain,DC=tld''<br />
bind_pw = ''axhnTc2LGdnUKQ80cWjWzZBR79SkgAQ1uLxv94M8EDosDoPBqD4bEEvJ1XvpwI7''<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
#filter = (cn=%s)<br />
#attrs = userPassword, x-isActive<br />
<br />
[server:main]<br />
use = egg:Paste#http<br />
host = ''server.internal.domain.tld''<br />
port = 5000<br />
protocol_version = HTTP/1.1<br />
<br />
[app:main]<br />
use = egg:ocsmanager<br />
full_stack = true<br />
static_files = true<br />
cache_dir = %(here)s/data<br />
beaker.session.key = ocsmanager<br />
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f<br />
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}<br />
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler<br />
SAMBA_HOST = ''server.internal.domain.tld''<br />
<br />
[rpcproxy:ldap]<br />
host = ''server.internal.domain.tld''<br />
port = 389<br />
basedn = ''CN=Users,DC=internal,DC=domain,DC=tld''<br />
<br />
# WARNING: *THE LINE BELOW MUST BE UNCOMMENTED ON A PRODUCTION ENVIRONMENT*<br />
# Debug mode will enable the interactive debugging tool, allowing ANYONE to<br />
# execute malicious code after an exception is raised.<br />
set debug = false<br />
<br />
# Logging configuration<br />
[loggers]<br />
keys = root<br />
<br />
[handlers]<br />
keys = console<br />
<br />
[formatters]<br />
keys = generic<br />
<br />
[logger_root]<br />
level = INFO<br />
handlers = console<br />
<br />
[handler_console]<br />
class = StreamHandler<br />
args = (sys.stderr,)<br />
level = NOTSET<br />
formatter = generic<br />
<br />
[formatter_generic]<br />
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s<br />
<br />
Then start and enable {{ic|ocsmanager}} service.<br />
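The guide sets a mode on every other credential-bearing file but none on {{ic|/etc/ocsmanager/ocsmanager.ini}}, which now holds the same bind_pw as the Postfix and Dovecot maps. The audit below is an added example, not part of the article: it walks the files this guide fills with a directory bind secret (the Postfix ldap-*.cf maps, Dovecot's dovecot-ldap-userdb.conf, sogo.conf and ocsmanager.ini) and reports any that are readable by "other", while files without a secret (such as the 0644 passdb file) are skipped. It assumes GNU stat; the paths and key names are the ones used in this guide.

```shell
#!/bin/sh
# Added example, not from the wiki article: audit the configuration files
# this guide fills with a directory bind password and report any that are
# readable by "other". Assumes GNU coreutils stat (as shipped on Arch Linux).

# Keys under which this guide stores the LDAP bind secret:
#   bind_pw       Postfix ldap-*.cf, OCSManager ocsmanager.ini
#   dnpass        Dovecot dovecot-ldap-userdb.conf
#   bindPassword  SOGo sogo.conf
SECRET_KEY_RE='^[[:space:]]*(bind_pw|dnpass|bindPassword)[[:space:]]*='

# Paths exactly as used in this guide. ocsmanager.ini is included because
# the guide never sets a mode on it.
GUIDE_SECRET_FILES='/etc/postfix/ldap-alias.cf
/etc/postfix/ldap-group.cf
/etc/postfix/ldap-sender.cf
/etc/dovecot/dovecot-ldap-userdb.conf
/etc/sogo/sogo.conf
/etc/ocsmanager/ocsmanager.ini'

# holds_secret FILE: succeeds when FILE sets one of the secret keys above
holds_secret() {
    grep -Eq "$SECRET_KEY_RE" "$1"
}

# other_readable FILE: succeeds when the "other" read bit is set.
# stat -c %a prints e.g. 640 with no leading zero, so the last decimal
# digit is the "other" permission triplet.
other_readable() {
    mode=$(stat -c '%a' "$1")
    [ $(( (mode % 10) & 4 )) -ne 0 ]
}

# audit_secret_file FILE
# Prints one line, "ok FILE", "skip FILE" (no secret inside) or
# "WARN FILE: reason", and returns 1 when a warning was printed.
audit_secret_file() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "WARN $f: missing"
        return 1
    fi
    if ! holds_secret "$f"; then
        echo "skip $f"
        return 0
    fi
    if other_readable "$f"; then
        echo "WARN $f: bind secret readable by other (mode $(stat -c '%a' "$f"))"
        return 1
    fi
    echo "ok $f"
}

# audit_guide_files: run the audit over the guide's file list; returns 1 if
# any file produced a warning. Call this on the server once the steps above
# are done.
audit_guide_files() {
    rc=0
    for f in $GUIDE_SECRET_FILES; do
        audit_secret_file "$f" || rc=1
    done
    return $rc
}
```

A file that a service account must read (Postfix's maps, for example) can stay group-readable for that account's group; the audit only objects to the "other" bit.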
<br />
==== Adding OpenChange MAPIProxy and OCSManager to Apache ====<br />
<br />
This is the part that glues it all together. Add the following to the end of {{ic|/etc/httpd/conf/httpd.conf}} file (or virtual host configuration file):<br />
<br />
LoadModule wsgi_module modules/mod_wsgi.so<br />
include conf/extra/rpcproxy.conf<br />
include conf/extra/ocsmanager-apache.conf<br />
<br />
Now just restart {{ic|httpd}} and {{ic|samba}}. If you have made it this far, and your DNS is configured correctly, you should be able to configure an Outlook client with only an email address, username, and password. For Outlook (or other MAPI clients that support RPC/HTTPS), you need to open only port 443 at the edge. Obviously, you still need to consider additional configuration for Postfix (spam and virus filtering, more restrictive use of SMTPD and SMTP, open ports 25 and 587) if you intend to receive mail from the internet. You will probably also want to move the various HTTPD pieces into virtual hosts, provide redirection on 80 for secure services, etc., but those exercises are covered in great detail elsewhere.</div>Templishttps://wiki.archlinux.org/index.php?title=User_talk:DJ_L&diff=359937User talk:DJ L2015-02-07T13:25:51Z<p>Templis: </p>
<hr />
<div>==Samba 4 stubs==<br />
Hi, I've noticed you've created [[Samba4 Client Configuration]]: do you intend to move there [[Samba#Client configuration]]? Also about [[Samba4 DHCP with Dynamic DNS]], are you sure you can't add that information to one of our already existing articles on [[Samba]]? -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 13:01, 10 December 2013 (UTC)<br />
<br />
:I suppose the DHCP section could be added to the existing Samba 4 page, but much of it can be reused outside of Samba too. I should change the title after it is ready to go. As to the Client configuration, this is about SSO on Linux hosts and is more akin to [[Active_Directory_Integration]]. I'll get with the original author of that page once the needed configurations are in place to discuss a merge. Thanks for the heads up. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]]) 02:00, 11 December 2013 (UTC)<br />
<br />
::About the DHCP article, how much of it can be used in general? Maybe you just want to link to our already existing articles on DHCP, DNS... and improve them instead of duplicating content? See [[:Category:Networking]] and subcategories too.<br />
::About the client config article, isn't it easier to contribute to [[Active Directory Integration]] from the beginning instead?<br />
::-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 05:02, 11 December 2013 (UTC)<br />
<br />
:::Not sure, I'll delete the links. If you can delete the stub pages for me I'd appreciate it. I'll sandbox it locally and see where I'm at when ready to proceed (still having some issues with the DHCP).<br />
:::I've not been here long, policy is probably simply make the edit, but what is acceptable in the community? I presume that I should contact the original author with proposed text via talk feature, and wait for a response. [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]]) 16:17, 15 December 2013 (UTC)<br />
<br />
::::All right, the stubs are deleted. Yes, the policy is "simply make the edit": as long as you properly justify your edits using the Summary (just below the text editing area) you'll be fine. You don't need to contact the previous contributors of an article, just do the edits and keep watching the talk page: if they've got something to say, they'll show up there :) I recommend you to directly edit the existing articles because this will avoid creating duplicated content, which is so hard to maintain especially in the long run. -- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 12:03, 17 December 2013 (UTC)<br />
<br />
==OpenChange Server==<br />
Hi, thank you for maintaining the [[OpenChange Server]] article. I've followed it up to [[OpenChange Server#Testing Dovecot authentication]] and run into an error: "a NO [AUTHENTICATIONFAILED] Authentication failed." I think it's about auth_bind_userdn = INTERNAL\%u. What does INTERNAL stand for? Is this the INTERNAL.SERVER.TLD? Can you please give a more detailed example regarding your example hosts?<br />
: Yes, this would be the NetBIOS (short) domain name (from the Samba article). I expect that INTERNAL.SERVER.TLD\%u should work as well (though I didn't bother to test). Perhaps I should use the term "NetBIOS" instead of "INTERNAL" to better separate the namespace. Do you think it would have read better if it had been written like that? [[User:DJ L|DJ L]] ([[User talk:DJ L|talk]])<br />
<br />
::Ah, thank you, now it works! Eventually change this line to: Create the LDAP user and password configuration files (replace dc=internal,dc=domain,dc=tld and INTERNAL (your NetBIOS name) with appropriate values):<br />
::Or even I was too mentally lazy for that :)<br />
::I've found a failure in your Dovecot Test: '''LOGIN Administrator xxxxxxxx''' must be '''a LOGIN Administrator xxxxxxxx'''</div>Templis