Group-Office on separate mail- and webserver howto

From Group-Office Groupware and CRM Documentation
Jump to: navigation, search

I'm going to show an ideal setup of a separate mailserver and Group-Office server.

On both servers we'll install a minimal Debian 6 on a Proxmox virtual environment. You don't need Proxmox but it's an easy and powerful way to virtualize your machines.

Proxmox notes

After installing Debian 6 on Proxmox the timezone is set to UTC. You can change the timezone by running:

dpkg-reconfigure tzdata

The locale is also not configured:

dpkg-reconfigure locales
export LANG=en_US.UTF8
export LC_ALL=en_US.UTF8

Then I installed ntp to make sure the time is updated correctly:

apt-get install ntp

I also had to add:


to /etc/postfix/ because in proxmox I just called the machine "mx1". Changing the hostname afterwards caused problems with proxmox.

Of course you should also apply all latest system updates:

apt-get update && apt-get dist-upgrade

Adding VPS with IP on different subnet then the host

I spent some time in figuring this one out. But to have a guest machine that has an IP address on another subnet you need to change this line in /etc/vz/vz.conf:




Secure access

First we'll secure the remote access on both servers:

Install fail2ban. This is a program that will monitor various log files and blocks users who make more then 3 failed login attempts.

apt-get install fail2ban

On the Group-Office mailserver it's recommended to enable sasl, dovecot and postfix filters.

Install sudo to allow normal users to execute root commands:

apt-get install sudo

Then add a personal user:

adduser <username>
adduser <username> sudo

Generate an ssh keypair for your username on your own machine. We don't cover this here.

Add the public key to:


Set the right permissions:

chmod 700 /home/<username>/.ssh/
chmod 600 /home/<username>/.ssh/authorized_keys

Now test the SSH login with your keypair and make sure it works because we're going to disable any other login method. Make sure this user can use sudo too.

When this works disable root login through SSH and disable login with normal passwords:

Change /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

By default when you use sudo -s it doesn't work with ssh agent forwarding. This can be fixed by adding:

Defaults    env_keep=SSH_AUTH_SOCK

to /etc/sudoers with the visudo command.

Add Group-Office repository

You can do that easily by executing the following command in the terminal:

echo -e "\n## Group-Office repository\ndeb fourzero main" | tee -a /etc/apt/sources.list

To authenticate the packages you need to import the public key by running the following commands:

gpg --keyserver hkp:// --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -

Update APT:

apt-get update

Install the mailserver

apt-get install groupoffice-mailserver

Install the webserver

If you want multiple Group-Office installations:

apt-get install groupoffice-servermanager

Allow the groupoffice MySQL user to create new databases:

REVOKE ALL PRIVILEGES ON * . * FROM 'groupoffice-com'@'localhost';

For a single install:

apt-get install groupoffice-com

Now create a global config file for all Group-Office installations with the information to connect to the mailserver. This is for setting vacation messages, changin passwords and adding mailboxes.



Install professional version

Find the right loaders at

Download them to the server with the "wget" command. Unpack the archive in /usr/local/ioncube:

cd /usr/local/ioncube
wget the/url/to/ioncube_loader.....tar.gz
tar zxf ioncube_loaders.....tar.gz

Create the file /etc/php5/conf.d/ioncube.ini and put this line in it:


Put the licenses from the Intermesh Software Shop in /usr/share/groupoffice and then run:

apt-get install groupoffice-pro

Now restart the webserver:

/etc/init.d/apache2 restart

Install imapproxy

Webmail systems make lots of imap connections. It's wise to use imapproxy to cache connections to the IMAP server.

Install imapproxy on the webserver and configure it to proxy the imapserver. Accounts will be configures with "localhost" as the hostname and imapproxy will route this to the real IMAP server.


apt-get install imapproxy ca-certificates

/etc/imapproxy.conf looks like this (Don't forget to add "tls_ca_path /etc/ssl/certs/"):

## imapproxy.conf
## This is the global configuration file for imapproxy.
## Lines beginning with a '#' sign are treated as comments and will be
## ignored.  Each line to be processed must be a space delimited
## keyword/value pair.  

## server_hostname
## This setting controls which imap server we proxy our connections to.

## connect_retries
## This setting controls how many times we retry connecting to our server.
## The delay between retries is configurable with 'connect_delay'
connect_retries 10
connect_delay 5

## cache_size
## This setting determines how many in-core imap connection structures
## will be allocated.  As such, it determines not only how many cached
## connections will be allowed, but really the total number of simultaneous
## connections, cached and active.
cache_size 3072

## listen_port
## This setting specifies which port the proxy server will bind to and
## accept incoming connections from.
listen_port 143

## listen_address
## This setting specifies which address the proxy server will bind to and
## accept incoming connections to.  If undefined, bind to all.
## Must be a dotted decimal IP address.

tls_ca_path /etc/ssl/certs/

Install phpmyadmin

PhpMyAdmin is very useful in many cases. We just install it by running

apt-get install phpmyadmin

We want to restrict access so it can only be accessed from the office. Edit /etc/apache2/conf.d/phpmyadmin.conf and add

Order Deny,Allow
Deny from all
Allow from

To the section:

<Directory /usr/share/phpmyadmin>

Enabling SSL

This is for a self-signed certificate. You probably want to purchase a real one.

mkdir /etc/apache2/ssl && /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Edit /etc/apache2/sites-enabled/000-default:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

Change the VirtualHost port from *:80 to *:443.

Enable the apache SSL module:

a2enmod ssl

Restart Apache:

/etc/init.d/apache2 restart

Configuration script

Here's an example script that does most of the above automatically:


dpkg-reconfigure tzdata

dpkg-reconfigure locales

export LANG=en_US.UTF8

apt-get install ntp fail2ban sudo vim

echo -e "\n## Group-Office repository\ndeb threesix main" | tee -a /etc/apt/sources.list

gpg --keyserver hkp:// --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -

apt-get update && apt-get dist-upgrade

apt-get install groupoffice-mailserver groupoffice-servermanager

cd /usr/local

tar zxf

echo "zend_extension=/usr/local/ioncube/" > /etc/php5/conf.d/ioncube.ini

apt-get install groupoffice-pro

Other useful software


The package "netdiag" provides a command netwatch which will show the bandwidth usage per IP address. Extremely useful to find out who's the problem when you're using too much bandwidth.