|This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation.|
Group-Office on separate mail- and webserver howto
I'm going to show an ideal setup of a separate mailserver and Group-Office server.
On both servers we'll install a minimal Debian 6 on a Proxmox virtual environment. You don't need Proxmox but it's an easy and powerful way to virtualize your machines.
- 1 Proxmox notes
- 2 Secure access
- 3 Add Group-Office repository
- 4 Install the mailserver
- 5 Install the webserver
- 6 Enabling SSL
- 7 Configuration script
- 8 Other useful software
After installing Debian 6 on Proxmox the timezone is set to UTC. You can change the timezone by running:
The locale is also not configured:
export LANG=en_US.UTF8 export LC_ALL=en_US.UTF8
Then I installed ntp to make sure the time is updated correctly:
apt-get install ntp
I also had to add:
to /etc/postfix/main.cf because in proxmox I just called the machine "mx1". Changing the hostname afterwards caused problems with proxmox.
Of course you should also apply all latest system updates:
apt-get update && apt-get dist-upgrade
Adding VPS with IP on different subnet then the host
I spent some time in figuring this one out. But to have a guest machine that has an IP address on another subnet you need to change this line in /etc/vz/vz.conf:
First we'll secure the remote access on both servers:
Install fail2ban. This is a program that will monitor various log files and blocks users who make more then 3 failed login attempts.
apt-get install fail2ban
On the Group-Office mailserver it's recommended to enable sasl, dovecot and postfix filters.
Install sudo to allow normal users to execute root commands:
apt-get install sudo
Then add a personal user:
adduser <username> adduser <username> sudo
Generate an ssh keypair for your username on your own machine. We don't cover this here.
Add the public key to:
Set the right permissions:
chmod 700 /home/<username>/.ssh/ chmod 600 /home/<username>/.ssh/authorized_keys
Now test the SSH login with your keypair and make sure it works because we're going to disable any other login method. Make sure this user can use sudo too.
When this works disable root login through SSH and disable login with normal passwords:
PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication no
By default when you use sudo -s it doesn't work with ssh agent forwarding. This can be fixed by adding:
to /etc/sudoers with the visudo command.
Add Group-Office repository
You can do that easily by executing the following command in the terminal:
echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ fourzero main" | tee -a /etc/apt/sources.list
To authenticate the packages you need to import the public key by running the following commands:
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44 gpg --export --armor 01F1AE44 | apt-key add -
Install the mailserver
apt-get install groupoffice-mailserver
Install the webserver
If you want multiple Group-Office installations:
apt-get install groupoffice-servermanager
Allow the groupoffice MySQL user to create new databases:
REVOKE ALL PRIVILEGES ON * . * FROM 'groupoffice-com'@'localhost'; GRANT ALL PRIVILEGES ON * . * TO 'groupoffice-com'@'localhost' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;
For a single install:
apt-get install groupoffice-com
Now create a global config file for all Group-Office installations with the information to connect to the mailserver. This is for setting vacation messages, changin passwords and adding mailboxes.
<?php $config['serverclient_server_url']="https://mx1.example.com/groupoffice/"; $config['serverclient_username']="admin"; $config['serverclient_password']="secret"; $config['serverclient_mbroot']=""; $config['serverclient_use_ssl']="0"; $config['serverclient_novalidate_cert']="0"; $config['serverclient_type']="imap"; $config['serverclient_host']="imap.imfoss.nl"; $config['serverclient_port']="143"; $config['serverclient_smtp_host']="smtp.interconnect.nl"; $config['serverclient_smtp_port']="25"; $config['serverclient_smtp_encryption']=""; $config['serverclient_smtp_username']=""; $config['serverclient_smtp_password']=""; ?>
Install professional version
Find the right loaders at http://www.ioncube.com/loaders.php
Download them to the server with the "wget" command. Unpack the archive in /usr/local/ioncube:
cd /usr/local/ioncube wget the/url/to/ioncube_loader.....tar.gz tar zxf ioncube_loaders.....tar.gz
Create the file /etc/php5/conf.d/ioncube.ini and put this line in it:
Put the licenses from the Intermesh Software Shop in /usr/share/groupoffice and then run:
apt-get install groupoffice-pro
Now restart the webserver:
Webmail systems make lots of imap connections. It's wise to use imapproxy to cache connections to the IMAP server.
Install imapproxy on the webserver and configure it to proxy the imapserver. Accounts will be configures with "localhost" as the hostname and imapproxy will route this to the real IMAP server.
apt-get install imapproxy ca-certificates
/etc/imapproxy.conf looks like this (Don't forget to add "tls_ca_path /etc/ssl/certs/"):
## imapproxy.conf ## ## This is the global configuration file for imapproxy. ## Lines beginning with a '#' sign are treated as comments and will be ## ignored. Each line to be processed must be a space delimited ## keyword/value pair. ## # ## server_hostname ## ## This setting controls which imap server we proxy our connections to. # server_hostname imap.example.com # ## connect_retries ## ## This setting controls how many times we retry connecting to our server. ## The delay between retries is configurable with 'connect_delay' # connect_retries 10 connect_delay 5 # ## cache_size ## ## This setting determines how many in-core imap connection structures ## will be allocated. As such, it determines not only how many cached ## connections will be allowed, but really the total number of simultaneous ## connections, cached and active. # cache_size 3072 # ## listen_port ## ## This setting specifies which port the proxy server will bind to and ## accept incoming connections from. # listen_port 143 # ## listen_address ## ## This setting specifies which address the proxy server will bind to and ## accept incoming connections to. If undefined, bind to all. ## Must be a dotted decimal IP address. # #listen_address 127.0.0.1 tls_ca_path /etc/ssl/certs/
PhpMyAdmin is very useful in many cases. We just install it by running
apt-get install phpmyadmin
We want to restrict access so it can only be accessed from the office. Edit /etc/apache2/conf.d/phpmyadmin.conf and add
Order Deny,Allow Deny from all Allow from ip.to.office
To the section:
<Directory /usr/share/phpmyadmin> .. </Directory>
This is for a self-signed certificate. You probably want to purchase a real one.
mkdir /etc/apache2/ssl && /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem
Change the VirtualHost port from *:80 to *:443.
Enable the apache SSL module:
Here's an example script that does most of the above automatically:
#!/bin/bash dpkg-reconfigure tzdata dpkg-reconfigure locales export LANG=en_US.UTF8 apt-get install ntp fail2ban sudo vim echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threesix main" | tee -a /etc/apt/sources.list gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44 gpg --export --armor 01F1AE44 | apt-key add - apt-get update && apt-get dist-upgrade apt-get install groupoffice-mailserver groupoffice-servermanager cd /usr/local wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz tar zxf http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz rm http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so" > /etc/php5/conf.d/ioncube.ini apt-get install groupoffice-pro
Other useful software
The package "netdiag" provides a command netwatch which will show the bandwidth usage per IP address. Extremely useful to find out who's the problem when you're using too much bandwidth.