This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation.
Latest revision as of 09:37, 16 April 2014
I'm going to show an ideal setup of a separate mailserver and Group-Office server.
On both servers we'll install a minimal Debian 6 on a Proxmox virtual environment. You don't need Proxmox but it's an easy and powerful way to virtualize your machines.
==Proxmox notes==
After installing Debian 6 on Proxmox the timezone is set to UTC. You can change the timezone by running:

<pre>dpkg-reconfigure tzdata</pre>

The locale is also not configured:

<pre>dpkg-reconfigure locales</pre>

<pre>export LANG=en_US.UTF8
export LC_ALL=en_US.UTF8</pre>

Then I installed ntp to make sure the time is kept correct:

<pre>apt-get install ntp</pre>

I also had to add:

<pre>myhostname = mx1.example.com</pre>

to /etc/postfix/main.cf because in Proxmox I just called the machine "mx1". Changing the hostname afterwards caused problems with Proxmox.

Of course you should also apply all the latest system updates:

<pre>apt-get update && apt-get dist-upgrade</pre>

===Adding a VPS with an IP on a different subnet than the host===
I spent some time figuring this one out. To have a guest machine with an IP address on another subnet you need to change this line in /etc/vz/vz.conf:

<pre>NEIGHBOUR_DEVS=detect</pre>

into:

<pre>NEIGHBOUR_DEVS=all</pre>
==Secure access==
First we'll secure the remote access on both servers.

Install fail2ban. This is a program that monitors various log files and blocks users who make more than 3 failed login attempts:

<pre>apt-get install fail2ban</pre>

On the Group-Office mailserver it's recommended to enable the sasl, dovecot and postfix filters.

Install sudo to allow normal users to execute root commands:

<pre>apt-get install sudo</pre>

Then add a personal user:

<pre>adduser <username>
adduser <username> sudo</pre>

Generate an SSH keypair for your username on your own machine. We don't cover this here.

Add the public key to:

<pre>/home/<username>/.ssh/authorized_keys</pre>

Set the right permissions:

<pre>chmod 700 /home/<username>/.ssh/
chmod 600 /home/<username>/.ssh/authorized_keys</pre>

Now test the SSH login with your keypair and make sure it works, because we're going to disable every other login method. Make sure this user can use sudo too.

When this works, disable root login through SSH and disable login with normal passwords. Change /etc/ssh/sshd_config:

<pre>PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no</pre>

By default sudo -s doesn't work with SSH agent forwarding. This can be fixed by adding:

<pre>Defaults env_keep=SSH_AUTH_SOCK</pre>

to /etc/sudoers with the visudo command.
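The script below is an added example and not part of the original howto. It applies the three sshd_config directives above to a file passed as an argument (so you can rehearse on a copy before editing /etc/ssh/sshd_config), then verifies them the way sshd reads them: the first uncommented occurrence of a directive wins, so a hardened line appended after an earlier "PasswordAuthentication yes" would not take effect. It also checks the chmod 700 / chmod 600 permissions on the key files. The sshd_config it runs on at the bottom is a constructed sample, not a real Debian file.

```shell
#!/bin/sh
# Added example, not from the original howto: apply and verify the SSH hardening
# described above on a config file passed as an argument.

# set_sshd_option FILE KEY VALUE
# Rewrite every existing "KEY ..." line (commented or not) to "KEY VALUE";
# append the directive if FILE does not mention KEY at all.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
        sed -i -E "s/^[#[:space:]]*$key[[:space:]].*/$key $value/" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE: the three directives from the howto.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# sshd_effective FILE KEY: value of the first uncommented KEY line.
# sshd uses the first occurrence of a directive and ignores later ones.
sshd_effective() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_sshd_config FILE: succeed only if all three settings are effective.
check_sshd_config() {
    [ "$(sshd_effective "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_effective "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication)" = no ]
}

# check_key_perms HOMEDIR: verify the chmod 700 / chmod 600 from the howto.
check_key_perms() {
    [ "$(stat -c %a "$1/.ssh")" = 700 ] &&
    [ "$(stat -c %a "$1/.ssh/authorized_keys")" = 600 ]
}

# Demo on a constructed sample: a commented default and a password login left on.
demo=$(mktemp)
printf '#PermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n' > "$demo"
harden_sshd_config "$demo"
if check_sshd_config "$demo"; then echo "hardened sample config:"; cat "$demo"; fi
rm -f "$demo"
# On the real server: harden_sshd_config /etc/ssh/sshd_config, then run
# "sshd -t" to syntax-check it and "/etc/init.d/ssh restart" to apply it,
# keeping your existing session open until a fresh key login succeeds.
```

Run it as root only after the key login from the howto has been tested; the check functions are also handy in a cron job that alerts when someone turns password logins back on.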
==Add Group-Office repository==
You can do that easily by executing the following command in the terminal:

<pre>echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ fourzero main" | tee -a /etc/apt/sources.list</pre>

To authenticate the packages you need to import the public key by running the following commands:

<pre>gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -</pre>

Update APT:

<pre>apt-get update</pre>
==Install the mailserver==
<pre>apt-get install groupoffice-mailserver</pre>

==Install the webserver==
If you want multiple Group-Office installations:

<pre>apt-get install groupoffice-servermanager</pre>

Allow the groupoffice MySQL user to create new databases:

<pre>REVOKE ALL PRIVILEGES ON *.* FROM 'groupoffice-com'@'localhost';
GRANT ALL PRIVILEGES ON *.* TO 'groupoffice-com'@'localhost' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;</pre>

For a single install:

<pre>apt-get install groupoffice-com</pre>

Now create a global config file for all Group-Office installations with the information to connect to the mailserver. This is used for setting vacation messages, changing passwords and adding mailboxes.

/etc/groupoffice/globalconfig.inc.php
<pre>
<?php
$config['serverclient_server_url']="https://mx1.example.com/groupoffice/";
$config['serverclient_username']="admin";
$config['serverclient_password']="secret";
$config['serverclient_mbroot']="";
$config['serverclient_use_ssl']="0";
$config['serverclient_novalidate_cert']="0";
$config['serverclient_type']="imap";
$config['serverclient_host']="imap.imfoss.nl";
$config['serverclient_port']="143";
$config['serverclient_smtp_host']="smtp.interconnect.nl";
$config['serverclient_smtp_port']="25";
$config['serverclient_smtp_encryption']="";
$config['serverclient_smtp_username']="";
$config['serverclient_smtp_password']="";
?>
</pre>
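Because globalconfig.inc.php carries the mailserver admin password in clear text, it should be readable only by root and the web server process. The functions below are an added example, not part of the howto or of the Group-Office packages: they install the file with mode 0640, owned by root and the web server group (www-data on Debian, assumed here), and check afterwards that the file is not world-readable and that certificate validation is still enabled (serverclient_novalidate_cert set to "0", as in the file above). The config it runs on is a constructed copy of the page's example.

```shell
#!/bin/sh
# Added example, not from the original howto: install the global config
# with restrictive permissions and check it afterwards.

# install_private_config SRC DEST [GROUP]
# Copy SRC to DEST with mode 0640. Ownership is only changed when running
# as root; the web server group is www-data on Debian (assumed default).
install_private_config() {
    src=$1; dest=$2; group=${3:-www-data}
    install -m 0640 "$src" "$dest" || return 1
    if [ "$(id -u)" = 0 ]; then chown "root:$group" "$dest"; fi
}

# config_value FILE KEY: the quoted value assigned to $config['KEY'], empty if absent.
config_value() {
    grep -F "\$config['$2']=" "$1" | head -n 1 | sed 's/^[^"]*"\([^"]*\)".*/\1/'
}

# check_private_config FILE: fail if "others" may read the file, or if
# certificate validation of the mailserver has been switched off.
check_private_config() {
    mode=$(stat -c %a "$1") || return 1
    [ "${mode#??}" = 0 ] || { echo "$1: mode $mode is readable by everyone"; return 1; }
    [ "$(config_value "$1" serverclient_novalidate_cert)" = 0 ] ||
        { echo "$1: serverclient_novalidate_cert is not 0"; return 1; }
}

# Demo on a constructed sample in a temporary directory (no system files touched).
demo=$(mktemp -d)
cat > "$demo/globalconfig.inc.php" <<'EOF'
<?php
$config['serverclient_server_url']="https://mx1.example.com/groupoffice/";
$config['serverclient_username']="admin";
$config['serverclient_password']="secret";
$config['serverclient_novalidate_cert']="0";
?>
EOF
install_private_config "$demo/globalconfig.inc.php" "$demo/installed.php" "$(id -gn)"
check_private_config "$demo/installed.php" && echo "ok: $(stat -c %a "$demo/installed.php")"
rm -rf "$demo"
# Real use: install_private_config ./globalconfig.inc.php /etc/groupoffice/globalconfig.inc.php
```

The mode check looks only at the "others" digit, so 0640 and 0600 both pass while the 0644 that a plain cp or editor usually produces fails.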
===Install professional version===
Find the right loaders at http://www.ioncube.com/loaders.php

Download them to the server with the "wget" command. Unpack the archive in /usr/local/ioncube:

<pre>cd /usr/local/ioncube
wget the/url/to/ioncube_loader.....tar.gz
tar zxf ioncube_loaders.....tar.gz</pre>

Create the file /etc/php5/conf.d/ioncube.ini and put this line in it:

<pre>zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.x.so</pre>

Put the licenses from the Intermesh Software Shop in /usr/share/groupoffice and then run:

<pre>apt-get install groupoffice-pro</pre>

Now restart the webserver:

<pre>/etc/init.d/apache2 restart</pre>
===Install imapproxy===
Webmail systems make lots of IMAP connections. It's wise to use [http://imapproxy.org/ imapproxy] to cache connections to the IMAP server.

Install imapproxy on the webserver and configure it to proxy the IMAP server. Accounts will be configured with "localhost" as the hostname and imapproxy will route this to the real IMAP server.

Run:

<pre>apt-get install imapproxy ca-certificates</pre>

/etc/imapproxy.conf looks like this (don't forget to add "tls_ca_path /etc/ssl/certs/"):

<pre>
## imapproxy.conf
##
## This is the global configuration file for imapproxy.
## Lines beginning with a '#' sign are treated as comments and will be
## ignored. Each line to be processed must be a space delimited
## keyword/value pair.
##

#
## server_hostname
##
## This setting controls which imap server we proxy our connections to.
#
server_hostname imap.example.com


#
## connect_retries
##
## This setting controls how many times we retry connecting to our server.
## The delay between retries is configurable with 'connect_delay'
#
connect_retries 10
connect_delay 5

#
## cache_size
##
## This setting determines how many in-core imap connection structures
## will be allocated. As such, it determines not only how many cached
## connections will be allowed, but really the total number of simultaneous
## connections, cached and active.
#
cache_size 3072


#
## listen_port
##
## This setting specifies which port the proxy server will bind to and
## accept incoming connections from.
#
listen_port 143


#
## listen_address
##
## This setting specifies which address the proxy server will bind to and
## accept incoming connections to. If undefined, bind to all.
## Must be a dotted decimal IP address.
#
#listen_address 127.0.0.1


tls_ca_path /etc/ssl/certs/

</pre>
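In the file above listen_address is still commented out, and as its own comment says, an undefined listen_address means imapproxy binds port 143 on all interfaces, even though the Group-Office accounts only ever talk to "localhost". The check below is an added example, not part of the howto or of imapproxy: it reads the effective value of a directive (the first uncommented occurrence, the same way the space-delimited keyword/value format is described above) and fails unless the proxy is bound to a loopback address, server_hostname is set, and the tls_ca_path the howto insists on is present. The config it runs on is a constructed copy of the page's settings.

```shell
#!/bin/sh
# Added example, not from the original howto: sanity-check /etc/imapproxy.conf
# before starting the proxy on the webserver.

# imapproxy_value FILE KEY: value of the first uncommented "KEY value" line,
# empty if the directive is absent or only present as a comment.
imapproxy_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# check_imapproxy_conf FILE: require a loopback binding, a backend hostname and
# a CA path; print every finding and return 1 if there was any.
check_imapproxy_conf() {
    ok=0
    addr=$(imapproxy_value "$1" listen_address)
    case "$addr" in
        127.0.0.1|::1) ;;
        "") echo "listen_address unset: proxy accepts connections on all interfaces"; ok=1 ;;
        *)  echo "listen_address $addr is not a loopback address"; ok=1 ;;
    esac
    [ -n "$(imapproxy_value "$1" server_hostname)" ] ||
        { echo "server_hostname unset: nothing to proxy to"; ok=1; }
    [ -n "$(imapproxy_value "$1" tls_ca_path)" ] ||
        { echo "tls_ca_path unset: add tls_ca_path /etc/ssl/certs/"; ok=1; }
    return $ok
}

# Demo: the page's configuration as shipped, listen_address still commented out.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server_hostname imap.example.com
connect_retries 10
connect_delay 5
cache_size 3072
listen_port 143
#listen_address 127.0.0.1
tls_ca_path /etc/ssl/certs/
EOF
check_imapproxy_conf "$demo" || echo "fix: uncomment 'listen_address 127.0.0.1' in $demo"
rm -f "$demo"
# Real use: check_imapproxy_conf /etc/imapproxy.conf && /etc/init.d/imapproxy restart
```

Run it against the real file before every restart; the same directive reader can be reused to confirm that listen_port is still 143 after a package upgrade replaces the config.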
===Install phpmyadmin===
phpMyAdmin is very useful in many cases. We just install it by running:

<pre>apt-get install phpmyadmin</pre>

We want to restrict access so it can only be reached from the office. Edit /etc/apache2/conf.d/phpmyadmin.conf and add:

<pre>
Order Deny,Allow
Deny from all
Allow from ip.to.office
</pre>

to the section:

<pre>
<Directory /usr/share/phpmyadmin>
..
</Directory>
</pre>
==Enabling SSL==
This is for a self-signed certificate. You probably want to purchase a real one.

<pre>mkdir /etc/apache2/ssl && /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem</pre>

Edit /etc/apache2/sites-enabled/000-default:

<pre>SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem</pre>

Change the VirtualHost port from *:80 to *:443.

Enable the Apache SSL module:

<pre>a2enmod ssl</pre>

Restart Apache:

<pre>/etc/init.d/apache2 restart</pre>
==Configuration script==

Here's an example script that does most of the above automatically:

<pre>
#!/bin/bash

dpkg-reconfigure tzdata

dpkg-reconfigure locales

export LANG=en_US.UTF8

apt-get install ntp fail2ban sudo vim

echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ fourzero main" | tee -a /etc/apt/sources.list

gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -

apt-get update && apt-get dist-upgrade

apt-get install groupoffice-mailserver groupoffice-servermanager

# The loader archive unpacks into an "ioncube" directory, so extract it from /usr/local
cd /usr/local

wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
tar zxf ioncube_loaders_lin_x86.tar.gz
rm ioncube_loaders_lin_x86.tar.gz

echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so" > /etc/php5/conf.d/ioncube.ini

apt-get install groupoffice-pro
</pre>
==Other useful software==

===netdiag===
The package "netdiag" provides a command [http://www.slctech.org/~mackay/NETWATCH/netwatch.html netwatch] which shows the bandwidth usage per IP address. Extremely useful to find out who's the problem when you're using too much bandwidth.