Developers Club geek daily blog

Kolab Groupware (Part 2 — Installation)

If you don't yet know what Kolab is, you may want to read the first article, where I gave a detailed overview of this quite capable and completely free e-mail server with a nice web interface.
This time we will install it.

Kolab Groupware (Part 1 — the Overview)
Kolab Groupware (Part 2 — Installation)

Installing the packages


Packages exist for all popular distributions: Red Hat Enterprise Linux, CentOS, Fedora and Debian; there are also experimental packages for OpenSUSE and Ubuntu, and on Arch Linux Kolab can be built from the AUR.
I will be installing on CentOS 7, but you don't have to follow me exactly: on other distributions the installation differs very little.

So, let's get started.

Add the repositories
yum -y update
yum -y install wget epel-release 
cd /etc/yum.repos.d
wget http://obs.kolabsys.com/repositories/Kolab:/3.4/CentOS_7/Kolab:3.4.repo
wget http://obs.kolabsys.com/repositories/Kolab:/3.4:/Updates/CentOS_7/Kolab:3.4:Updates.repo

Import the package signing keys
gpg --keyserver pgp.mit.edu --recv-key 0x446D5A45
gpg --export --armor devel@lists.kolab.org > devel.asc
rpm --import devel.asc
rm devel.asc

Now the packages themselves
yum -y install kolab


Installing Kolab


First of all, the hostname must be set to the full FQDN, for example:
echo "mail.example.org" > /etc/hostname

Besides that, the dirsrv setup requires that your machine's name resolve to its IP address, so don't forget to add the corresponding record in DNS and/or in the /etc/hosts file.

It is also worth knowing now that if you want to install Kolab with Active Directory instead of the standard 389 Directory Server (dirsrv from here on), you need to edit /etc/kolab/kolab.conf before the installation and adjust the parameters responsible for LDAP.
The installation then has to be started with the --with-ad parameter.

Also, on CentOS systems the dirsrv user has to be created before the installation; for some reason it is not created when the packages are installed, whereas on Debian everything is in order. (The setup script later asks for an unprivileged local account with no shell, so a system account such as useradd -r -s /sbin/nologin dirsrv fits that prompt as well.)
adduser dirsrv

OK, now everything is ready; let's start the installation:
setup-kolab

The whole installation comes down to answering the questions that the interactive script asks you
Listing
Please supply a password for the LDAP administrator user 'admin', used to login
to the graphical console of 389 Directory server.

Administrator password [sQnPqqaKInB2ObB]: 

Please supply a password for the LDAP Directory Manager user, which is the
administrator user you will be using to at least initially log in to the Web
Admin, and that Kolab uses to perform administrative tasks.

Directory Manager password [ohLY9kxxinHGOGE]: 

Please choose the system user and group the service should use to run under.
These should be existing, unprivileged, local system POSIX accounts with no
shell.

User [dirsrv]: 
Group [dirsrv]: 

This setup procedure plans to set up Kolab Groupware for the following domain
name space. This domain name is obtained from the reverse DNS entry on your
network interface. Please confirm this is the appropriate domain name space.

example.org [Y/n]: y

The standard root dn we composed for you follows. Please confirm this is the root
dn you wish to use.

dc=example,dc=org [Y/n]: y

Setup is now going to set up the 389 Directory Server. This may take a little
while (during which period there is no output and no progress indication).

Shutting down dirsrv: 
    mail...                                                [  OK  ]
Starting dirsrv: 
    mail...                                                [  OK  ]

Please supply a Cyrus Administrator password. This password is used by Kolab to
execute administrative tasks in Cyrus IMAP. You may also need the password
yourself to troubleshoot Cyrus IMAP and/or perform other administrative tasks
against Cyrus IMAP directly.

Cyrus Administrator password [0DIMW-CLUKmsNEU]: 

Please supply a Kolab Service account password. This account is used by various
services such as Postfix, and Roundcube, as anonymous binds to the LDAP server
will not be allowed.

Kolab Service password [dDGgUZAue2Y-LTW]: 
Shutting down postfix:                                     [FAILED]
Starting postfix:                                          [  OK  ]
Shutting down amavisd: The amavisd daemon is apparently not running, no PID file /var/run/amavisd/amavisd.pid
                                                           [FAILED]

Starting amavisd:                                          [  OK  ]

Stopping clamd.amavisd:                                    [FAILED]
Starting clamd.amavisd: LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
                                                           [  OK  ]
Stopping wallaced:                                         [FAILED]
Starting wallaced:                                         [  OK  ]
Stopping mysqld:                                           [  OK  ]
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h mail.example.org password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

                                                           [  OK  ]
Starting mysqld:                                           [  OK  ]
What MySQL server are we setting up?
 - 1: Existing MySQL server (with root password already set).
 - 2: New MySQL server (needs to be initialized).
Choice: 2

Please supply a root password for MySQL. This password will be the administrative
user for this MySQL server, and it should be kept a secret. After this setup
process has completed, Kolab is going to discard and forget about this password,
but you will need it for administrative tasks in MySQL.

MySQL root password [lhBkALCvQpocaiT]: 

Please supply a password for the MySQL user 'kolab'. This password will be used
by Kolab services, such as the Web Administration Panel.

MySQL kolab password [47rxdTc-vIk3WJ8]: 

Please supply the timezone PHP should be using. You have to use a Continent or
Country / City locality name like 'Europe/Berlin', but not just 'CEST'.

Timezone ID [UTC]: Europe/Moscow

Please supply a password for the MySQL user 'roundcube'. This password will be
used by the Roundcube webmail interface.

MySQL roundcube password [o_yUViK4oRy7SX2]: 
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
Stopping kolab-saslauthd:                                  [FAILED]
Starting kolab-saslauthd:                                  [  OK  ]
Shutting down cyrus-imapd:                                 [FAILED]
Starting cyrus-imapd:                                      [  OK  ]
Stopping kolabd:                                           [FAILED]
Starting kolabd:                                           [  OK  ]



After the installation you already have a fully working Kolab; for a test run this is quite enough, but before release into production you need to work on the configuration a bit more :)

Editing the config


The config lives in /etc/kolab/kolab.conf
There is plenty to tweak here; some useful options:

Locale


The default locale; for Russian specify ru_RU
default_locale = en_US

Generating uids and mailbox names


This sets the rule by which the primary mailbox address is generated
primary_mail = %(surname)s@%(domain)s

And these are the rules by which secondary (alias) addresses are generated; as you can see, they can be more flexible than the rule for the primary one
secondary_mail = { 
    0: {
    "{0}.{1}@{2}": "format('%(givenname)s'[0:1].capitalize(), '%(surname)s', '%(domain)s')"
    },  
    1: {
    "{0}@{1}": "format('%(uid)s', '%(domain)s')"
    },  
    2: {
    "{0}@{1}": "format('%(givenname)s.%(surname)s', '%(domain)s')"
    }   
    } 
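To see what these rules actually produce, here is an added example (mine, not pykolab's own code) that applies the primary_mail template and the three secondary_mail rules above to a constructed user. The templates use Python %(attr)s substitution against the user's LDAP attributes, and each secondary rule is a format string whose arguments are built from the same attributes. The example also drops an alias that duplicates the primary address; that check is my addition, not something the page says Kolab does.

```python
# Added example (not Kolab's own code): evaluate the primary_mail and
# secondary_mail rules shown above for one constructed user.

PRIMARY_MAIL = "%(surname)s@%(domain)s"

# Each entry: (format string, function building its positional arguments).
# These mirror the three rules in the secondary_mail block above.
SECONDARY_RULES = [
    ("{0}.{1}@{2}", lambda a: (a["givenname"][0:1].capitalize(), a["surname"], a["domain"])),
    ("{0}@{1}",     lambda a: (a["uid"], a["domain"])),
    ("{0}@{1}",     lambda a: ("%(givenname)s.%(surname)s" % a, a["domain"])),
]


def primary_mail(attrs):
    """Apply the primary_mail template (Python %-substitution) to the attributes."""
    return PRIMARY_MAIL % attrs


def secondary_mail(attrs):
    """Apply every secondary rule; skip aliases equal to the primary or repeated.

    The de-duplication is an added check for this example, not Kolab behaviour.
    """
    primary = primary_mail(attrs)
    seen, result = {primary}, []
    for fmt, build_args in SECONDARY_RULES:
        addr = fmt.format(*build_args(attrs))
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


# Constructed sample user (not real data).
SAMPLE_USER = {"givenname": "Ivan", "surname": "petrov", "uid": "ipetrov", "domain": "example.org"}

if __name__ == "__main__":
    print("primary:  ", primary_mail(SAMPLE_USER))
    print("secondary:", secondary_mail(SAMPLE_USER))
```

Running it for the sample user gives petrov@example.org as the primary address and I.petrov@example.org, ipetrov@example.org and Ivan.petrov@example.org as aliases; if the uid were "petrov", the second rule would collide with the primary and is dropped.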

By default Kolab does not allow changing the primary e-mail address and uid through the admin panel, i.e. they always have to be generated from these rules.
Personally I don't like this scheme: I prefer to specify the username and e-mail address by hand, or at least to be able to edit them. Here is how to do it:

Disable the mailbox name check
daemon_rcpt_policy = False

Go to the Kolab admin panel, open Settings and, for the Kolab User type, change the value of the uid and mail attributes from "Generated (read-only)" to "Generated".
Now we can edit the uid and e-mail address of our users manually.

Mail storage


Continuing through the config: this is where the folders that are created by default for a new user are specified
autocreate_folders = { 
    'Archive': {
    'quota': 0,
    },  
    'Calendar': {
    'annotations': {
    '/private/vendor/kolab/folder-type': "event.default",
    '/shared/vendor/kolab/folder-type': "event",
    }, 
...

If you wish, different folders can be put on different storage, for example so that all folders live on fast storage and the archive folder on slow storage.
For this you need to tell cyrus in its config where to find these storage partitions.
echo "partition-default: /var/spool/imap" >> /etc/imapd.conf
echo "partition-archive: /var/spool/imap-archive" >> /etc/imapd.conf

And add the partition parameter to the Archive folder, roughly like this:
...
    'Archive': {
    'quota': 0,
    'partition': 'archive'
    },  
...


Multi-domain configuration


Out of the box Kolab does not fully support multiple domains. More precisely, the admin panel has everything needed for it, but all the other services, such as postfix, cyrus-imap, amavis and roundcube, are by default configured to support only one domain.
If you nevertheless need several domains, the official wiki has a very detailed guide on how to configure this whole zoo to work with multiple domains.
Note that after the described steps your mail logins will change from a plain username to username@example.org.
If you don't need this feature, simply skip this point.

SSL setup


Let's secure our server: obtain a certificate for your domain if you haven't done so already.
You will also need the certificate authority's certificate (in the case of StartSSL, sub.class1.server.ca.pem)

Install mod_ssl for apache
yum -y install mod_ssl


Now copy our key and certificates to the following paths:
/etc/pki/tls/private/mail.example.org.key
/etc/pki/tls/certs/mail.example.org.crt
/etc/pki/tls/certs/sub.class1.server.ca.pem

# Build the chains for our certificates

cat /etc/pki/tls/certs/mail.example.org.crt /etc/pki/tls/private/mail.example.org.key /etc/pki/tls/certs/sub.class1.server.ca.pem > /etc/pki/tls/private/mail.example.org.bundle.pem
cat /etc/pki/tls/certs/mail.example.org.crt /etc/pki/tls/certs/sub.class1.server.ca.pem > /etc/pki/tls/certs/mail.example.org.bundle.pem
cat /etc/pki/tls/certs/sub.class1.server.ca.pem > /etc/pki/tls/certs/mail.example.org.ca-chain.pem

# Set the permissions
chown -R root:mail /etc/pki/tls/private
chmod 600 /etc/pki/tls/private/mail.example.org.key
chmod 750 /etc/pki/tls/private
chmod 640 /etc/pki/tls/private/*

# Add the CA certificate to the system store
cat /etc/pki/tls/certs/sub.class1.server.ca.pem >> /etc/pki/tls/certs/ca-bundle.crt

# Configure the certificates in apache
sed -i -e '/SSLCertificateFile \/etc\/pki/c\SSLCertificateFile /etc/pki/tls/certs/mail.example.org.crt' /etc/httpd/conf.d/ssl.conf
sed -i -e '/SSLCertificateKeyFile \/etc\/pki/c\SSLCertificateKeyFile /etc/pki/tls/private/mail.example.org.key' /etc/httpd/conf.d/ssl.conf
sed -i -e '/SSLCertificateChainFile \/etc\/pki/c\SSLCertificateChainFile /etc/pki/tls/certs/mail.example.org.ca-chain.pem' /etc/httpd/conf.d/ssl.conf

# Configure a redirect to HTTPS by default
cat >> /etc/httpd/conf/httpd.conf << EOF

<VirtualHost _default_:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}\$1 [R=301,L]
</VirtualHost>
EOF

# Configure the certificates in cyrus-imap
sed -r -i \
    -e 's|^tls_server_cert:.*|tls_server_cert: /etc/pki/tls/certs/mail.example.org.crt|g' \
    -e 's|^tls_server_key:.*|tls_server_key: /etc/pki/tls/private/mail.example.org.key|g' \
    -e 's|^tls_server_ca_file:.*|tls_server_ca_file: /etc/pki/tls/certs/mail.example.org.ca-chain.pem|g' \
    /etc/imapd.conf

# Configure the certificates in Postfix
postconf -e smtpd_tls_key_file=/etc/pki/tls/private/mail.example.org.key
postconf -e smtpd_tls_cert_file=/etc/pki/tls/certs/mail.example.org.crt
postconf -e smtpd_tls_CAfile=/etc/pki/tls/certs/mail.example.org.ca-chain.pem

# Point kolab-cli at the new API URL
sed -r -i \
      -e '/api_url/d' \
      -e "s#\[kolab_wap\]#[kolab_wap]\napi_url = https://$(hostname -f)/kolab-webadmin/api#g" \
      /etc/kolab/kolab.conf

# Configure Roundcube
sed -i -e 's/http:/https:/' /etc/roundcubemail/libkolab.inc.php
sed -i -e 's/http:/https:/' /etc/roundcubemail/kolab_files.inc.php
sed -i -e '/^?>/d' /etc/roundcubemail/config.inc.php

# Tell iRony about the new URLs for the DAV protocols
cat >> /etc/roundcubemail/config.inc.php << EOF
# caldav/webdav
\$config['calendar_caldav_url']             = "https://%h/iRony/calendars/%u/%i";
\$config['kolab_addressbook_carddav_url']   = 'https://%h/iRony/addressbooks/%u/%i';
EOF

# Force Roundcube to work over HTTPS
cat >> /etc/roundcubemail/config.inc.php << EOF
# Force https redirect for http requests
\$config['force_https'] = true;
EOF

With that, the SSL setup can be considered complete.

DKIM and SPF


So that Gmail and other mail servers don't put our mail into spam, it is recommended to configure SPF and DKIM records for our server.
As the server-side component for DKIM I suggest OpenDKIM; there is already an excellent article on Habr about setting it up.

Delivering spam with Amavis


By default amavis simply deletes all spam. Personally I consider this not quite right: spam should be delivered into each user's personal spam folder.

The thing is that in cyrus-imap you cannot write a global sieve script the way you can in, for example, dovecot, but it does allow delivering mail straight into the required folder by means of a special delimiter in the e-mail address.

Let's configure amavis
# disable adding ***spam*** to the message subject
sed -i '/^[^#]*$sa_spam_subject_tag/s/^/#/' /etc/amavisd/amavisd.conf
# enable the spam+ prefix (recipient delimiter) for mail delivery
sed -i '/^# $recipient_delimiter/s/^# //' /etc/amavisd/amavisd.conf
# allow spam to be delivered
sed -i 's/^\($final_spam_destiny.*= \).*/\1D_PASS;/' /etc/amavisd/amavisd.conf

One more point: for mail to be delivered straight into the Spam folder, the user "anyone" must have the p (post) right on that folder, i.e. the right to put messages into it; otherwise everything will end up in INBOX.
By the way, the same applies to Shared Folders: if you want to receive mail in them, you have to set similar permissions on them.

Unfortunately I have not found a built-in way in cyrus-imap to define default rights for the user "anyone".
But I do have a solution: add this line to crontab, and every 4 hours kolab will make cyrus-imap give each user in your domain "anyone p" on the Spam folder (note that the schedule as written, 0 4 * * *, fires once a day at 04:00).
0 4 * * *  kolab sam user/%/Spam@example.org anyone p

If anyone knows a better solution, I'd be glad to hear your recommendations.

Protection against brute force with Fail2ban


Fail2ban is a service that watches the logs of other services for too-frequent failed login attempts.
For example, if login attempts with a wrong password from one IP repeat too often, that IP gets banned for some minutes.

Install Fail2ban from the official repositories
yum -y install fail2ban


Create the filters for Fail2ban
cat > /etc/fail2ban/filter.d/kolab-cyrus.conf << EOF
[Definition]
failregex = (imaps|pop3s)\[[0-9]*\]: badlogin: \[<HOST>\] (plain|PLAIN|login|plaintext) .*
ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/kolab-postfix.conf << EOF
[Definition]
failregex = postfix\/submission\/smtpd\[[0-9]*\]: warning: unknown\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed: authentication failure
ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/kolab-roundcube.conf << EOF
[Definition]
failregex = <.*> Failed login for .* from <HOST> in session .*
ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/kolab-irony.conf << EOF
[Definition]
failregex = <.*> Failed login for .* from <HOST> in session .*
ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/kolab-chwala.conf << EOF
[Definition]
failregex = <.*> Failed login for .* from <HOST> in session .*
ignoreregex =
EOF

cat > /etc/fail2ban/filter.d/kolab-syncroton.conf << EOF
[Definition]
failregex = <.*> Failed login for .* from <HOST> in session .*
ignoreregex =
EOF

Now set up the Fail2ban jails that use these filters
cat >> /etc/fail2ban/jail.conf << EOF

[kolab-cyrus]
enabled = true
filter  = kolab-cyrus
action  = iptables-multiport[name=cyrus-imap,port="143,993,110,995,4190"]
logpath = /var/log/maillog
maxretry = 5

[kolab-postfix]
enabled = true
filter  = kolab-postfix
action  = iptables-multiport[name=kolab-postfix,port="25,587"]
logpath = /var/log/maillog
maxretry = 5

[kolab-roundcube]
enabled = true
filter  = kolab-roundcube
action  = iptables-multiport[name=kolab-roundcube,port="http,https"]
logpath = /var/log/roundcubemail/userlogins
maxretry = 5

[kolab-irony]
enabled = true
filter  = kolab-irony
action  = iptables-multiport[name=kolab-irony,port="http,https"]
logpath = /var/log/iRony/userlogins
maxretry = 5

[kolab-chwala]
enabled = true
filter  = kolab-chwala
action  = iptables-multiport[name=kolab-chwala,port="http,https"]
logpath = /var/log/chwala/userlogins
maxretry = 5

[kolab-syncroton]
enabled = true
filter  = kolab-syncroton
action  = iptables-multiport[name=kolab-syncroton,port="http,https"]
logpath = /var/log/kolab-syncroton/userlogins
maxretry = 5
EOF
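The filters and jails above are plain regexes over the mail and webmail logs, and it is worth checking them before enabling a jail: a pattern that never matches silently gives no protection, and one that over-matches bans legitimate clients. The following Python script is an added example (not fail2ban's or Kolab's code): it runs three of the failregex lines above, copied verbatim, against constructed log lines and applies the jail's maxretry threshold per source address. The <HOST> placeholder is replaced with a simplified pattern (an assumption; fail2ban's real one is broader), and the log lines are constructed for the example, not captured from a server.

```python
# Added example (not fail2ban's or Kolab's own code): run the failregex
# patterns from the filter files above over constructed log lines, then
# apply the jails' maxretry threshold per source host.
import re
from collections import Counter

# fail2ban substitutes <HOST> with its own, broader host pattern; this
# simplified stand-in (an assumption for the example) accepts IPv4
# addresses and hostnames.
HOST_RE = r"(?P<host>[\w\-.]+)"

# failregex lines copied verbatim from the filter files above.
FAILREGEX = {
    "kolab-cyrus": r"(imaps|pop3s)\[[0-9]*\]: badlogin: \[<HOST>\] (plain|PLAIN|login|plaintext) .*",
    "kolab-postfix": r"postfix\/submission\/smtpd\[[0-9]*\]: warning: unknown\[<HOST>\]: SASL (PLAIN|LOGIN) authentication failed: authentication failure",
    "kolab-roundcube": r"<.*> Failed login for .* from <HOST> in session .*",
}
COMPILED = {name: re.compile(rx.replace("<HOST>", HOST_RE)) for name, rx in FAILREGEX.items()}


def match_host(filter_name, line):
    """Return the source host if the line matches the filter's failregex, else None."""
    m = COMPILED[filter_name].search(line)
    return m.group("host") if m else None


def hosts_to_ban(filter_name, lines, maxretry=5):
    """Count failures per host as a jail would; hosts at or above maxretry get banned."""
    hits = Counter(h for h in (match_host(filter_name, line) for line in lines) if h)
    return sorted(h for h, n in hits.items() if n >= maxretry)


# Constructed sample log lines (not captured from a real server).
MAILLOG = [
    f"Jun 10 12:00:0{i} mail imaps[123{i}]: badlogin: [192.0.2.10] plain "
    "[SASL(-13): authentication failure: checkpass failed]"
    for i in range(5)
] + [
    "Jun 10 12:00:09 mail imaps[1240]: badlogin: [192.0.2.11] plain [SASL(-13): authentication failure: checkpass failed]",
    "Jun 10 12:00:10 mail imaps[1241]: login: [192.0.2.12] alice@example.org plain User logged in",
    "Jun 10 12:00:11 mail postfix/submission/smtpd[2345]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure",
]

USERLOGINS = [
    "[10-Jun-2015 12:00:03 +0300]: <s1k2l3m4> Failed login for bob@example.org from 203.0.113.5 in session s1k2l3m4 (error: 401)",
    "[10-Jun-2015 12:01:00 +0300]: <n5o6p7q8> Successful login for alice@example.org (ID: 3) from 203.0.113.9 in session n5o6p7q8",
]

if __name__ == "__main__":
    for name, lines in (("kolab-cyrus", MAILLOG), ("kolab-postfix", MAILLOG), ("kolab-roundcube", USERLOGINS)):
        matched = [h for h in (match_host(name, line) for line in lines) if h]
        print(name, "matched hosts:", matched, "would ban:", hosts_to_ban(name, lines))
```

With these lines only 192.0.2.10 reaches the cyrus jail's maxretry of 5; the successful login and the single failure from 192.0.2.11 produce no ban. On the real server, fail2ban-regex /var/log/maillog /etc/fail2ban/filter.d/kolab-cyrus.conf performs the same check with fail2ban's own matcher.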


Configuring Roundcube



Default theme


As I already wrote in the previous article, if you don't like the default Chameleon theme, you can easily replace it with Larry
sed -i "s/\$config\['skin'\] = '.*';/\$config\['skin'\] = 'larry';/g" /etc/roundcubemail/config.inc.php


The zipdownload plugin


Some users complain that there is no way to download all the attachments of a message at once.
Well, there is: the zipdownload plugin for Roundcube

Clone the roundcube repository and copy the plugin into the plugins folder of our Roundcube
git clone https://github.com/roundcube/roundcubemail/ --depth 1 /tmp/roundcube
mv /tmp/roundcube/plugins/zipdownload/ /usr/share/roundcubemail/plugins/
rm -rf /tmp/roundcube/

Now all that remains is to activate it by adding it to the $config['plugins'] array in /etc/roundcubemail/config.inc.php
sed -i "/'contextmenu',/a \            'zipdownload'," /etc/roundcubemail/config.inc.php

One more point: the php_zlib module in the versions shipped with the distributions has a bug: if a message contains files with Cyrillic names, their names turn into mojibake when packed into the zip file.
To fix this, we build a fresh php_zlib:
yum -y install php-devel zlib-devel pcre-devel gcc
pecl install zip


Kolab ActiveSync Server


A couple of words about synchronization: the kolab-syncroton service (a fork of z-push) has 2 modes of operation by default: folder-mode and flat-mode.

In folder-mode, all the folders you tick in the synchronization settings in Roundcube are transferred as they are.
In flat-mode, all these folders are merged into one for mail, one for contacts, one for calendar, and so on.

Apple and Windows devices work in folder-mode by default, but for Android, given its weak support for folder-mode (so the developers say), flat-mode is enabled by default.
If you wish you can experiment, and if your device does support folder-mode after all, you can add its name to the $ext_devices array in the file /usr/share/kolab-syncroton/lib/kolab_sync_data.php

Conclusion


With that, the installation can be considered finished; reboot once more and check that all the services start automatically at system boot.

The e-mail client is available at: mail.example.org/webmail
The admin panel: mail.example.org/kolab-webadmin

You can also configure an automatic redirect from mail.example.org to mail.example.org/webmail
sed -i -e 's/<Directory \/>/<Directory \/>\n    RedirectMatch \^\/$ \/webmail\//g' /etc/httpd/conf/httpd.conf

Official site of the project: kolab.org

Docker image


As a bonus I attach to the article a Docker image of Kolab in which everything described above, plus nginx, is configured automatically: GitHub, DockerHub

This article is a translation of the original post at habrahabr.ru/post/260527/