This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation.

Difference between revisions of "Group-Office on separate mail- and webserver howto"

From Group-Office Groupware and CRM Documentation
Jump to: navigation, search
(Proxmox notes)
(Enabling SSL)
Line 188: Line 188:
  
 
<pre>/etc/init.d/apache2 restart</pre>
 
<pre>/etc/init.d/apache2 restart</pre>
 +
 +
==Configuration script==
 +
 +
Here's an example script that does most of the above automatically:
 +
 +
<pre>dpkg-reconfigure tzdata
 +
 +
dpkg-reconfigure locales
 +
 +
export LANG=en_US.UTF8
 +
 +
apt-get install ntp fail2ban sudo vim
 +
 +
echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threesix main" | tee -a /etc/apt/sources.list
 +
 +
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
 +
gpg --export --armor 01F1AE44 | apt-key add -
 +
 +
 +
apt-get update && apt-get dist-upgrade
 +
 +
apt-get install groupoffice-mailserver groupoffice-servermanager
 +
 +
 +
cd /usr/local
 +
 +
wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
 +
tar zxf http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
 +
rm http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
 +
 +
echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.x.so" > /etc/php5/conf.d/ioncube.ini
 +
 +
apt-get install groupoffice-pro
 +
</pre>
 +
#!/bin/bash

Revision as of 18:19, 27 December 2010

I'm going to show an ideal setup of a separate mailserver and Group-Office server.

On both servers we'll install a minimal Debian 6 on a Proxmox virtual environment. You don't need Proxmox but it's an easy and powerful way to virtualize your machines.

Proxmox notes

After installing Debian 6 on Proxmox the timezone is set to UTC. You can change the timezone by running:

dpkg-reconfigure tzdata

The locale is also not configured:

dpkg-reconfigure locales
export LANG=en_US.UTF8
export LC_ALL=en_US.UTF8

Then I installed ntp to make sure the time is updated correctly:

apt-get install ntp

I also had to add:

myhostname: mx1.example.com

to /etc/postfix/main.cf because in proxmox I just called the machine "mx1". Changing the hostname afterwards caused problems with proxmox.

Of course you should also apply all latest system updates:

apt-get update && apt-get dist-upgrade


Adding VPS with IP on different subnet then the host

I spent some time in figuring this one out. But to have a guest machine that has an IP address on another subnet you need to change this line in /etc/vz/vz/conf:

NEIGHBOUR_DEVS=detect

into:

NEIGHBOUR_DEVS=all

Secure access

First we'll secure the remote access on both servers:

Install fail2ban. This is a program that will monitor various log files and blocks users who make more then 3 failed login attempts.

apt-get install fail2ban

Install sudo to allow normal users to execute root commands:

apt-get install sudo

Then add a personal user:

adduser <username>
adduser <username> sudo

Generate an ssh keypair for your username on your own machine. We don't cover this here.

Add the public key to:

/home/<username>/.ssh/authorized_keys

Set the right permissions:

chmod 700 /home/<username>/.ssh/
chmod 600 /home/<username>/.ssh/authorized_keys

Now test the SSH login with your keypair and make sure it works because we're going to disable any other login method. Make sure this user can use sudo too.

When this works disable root login through SSH and disable login with normal passwords:

Change /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no

By default when you use sudo -s it doesn't work with ssh agent forwarding. This can be fixed by adding:

Defaults    env_keep=SSH_AUTH_SOCK

to /etc/sudoers with the visudo command.

Add Group-Office repository

You can do that easily by executing the following command in the terminal:

echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threesix main" | tee -a /etc/apt/sources.list

To authenticate the packages you need to import the public key by running the following commands:

gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -

Update APT:

apt-get update

Install the mailserver

apt-get install groupoffice-mailserver

Install the webserver

If you want multiple Group-Office installations:

apt-get install groupoffice-servermanager

Allow the groupoffice MySQL user to create new databases:

REVOKE ALL PRIVILEGES ON * . * FROM 'groupoffice-com'@'localhost';
GRANT ALL PRIVILEGES ON * . * TO 'groupoffice-com'@'localhost' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;


For a single install:

apt-get install groupoffice-com

Now create a global config file for all Group-Office installations with the information to connect to the mailserver. This is for setting vacation messages, changin passwords and adding mailboxes.

/etc/groupoffice/globalconfig.inc.php

<?php
$config['serverclient_server_url']="https://mx1.example.com/groupoffice/";
$config['serverclient_username']="admin";
$config['serverclient_password']="secret";
$config['serverclient_mbroot']="";
$config['serverclient_use_ssl']="0";
$config['serverclient_novalidate_cert']="0";
$config['serverclient_type']="imap";
$config['serverclient_host']="imap.imfoss.nl";
$config['serverclient_port']="143";
$config['serverclient_smtp_host']="smtp.interconnect.nl";
$config['serverclient_smtp_port']="25";
$config['serverclient_smtp_encryption']="";
$config['serverclient_smtp_username']="";
$config['serverclient_smtp_password']="";
?>

Install professional version

Find the right loaders at http://www.ioncube.com/loaders.php

Download them to the server with the "wget" command. Unpack the archive in /usr/local/ioncube:

cd /usr/local/ioncube
wget the/url/to/ioncube_loader.....tar.gz
tar zxf ioncube_loaders.....tar.gz

Create the file /etc/php5/conf.d/ioncube.ini and put this line in it:

zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.x.so

Put the licenses from the Intermesh Software Shop in /usr/share/groupoffice and then run:

apt-get install groupoffice-pro

Now restart the webserver:

/etc/init.d/apache2 restart

Enabling SSL

This is for a self-signed certificate. You probably want to purchase a real one.

mkdir /etc/apache2/ssl && /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem

Edit /etc/apache2/sites-enabled/000-default:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem

Change the VirtualHost port from *:80 to *:443.

Enable the apache SSL module:

a2enmod ssl

Restart Apache:

/etc/init.d/apache2 restart

Configuration script

Here's an example script that does most of the above automatically:

dpkg-reconfigure tzdata

dpkg-reconfigure locales

export LANG=en_US.UTF8

apt-get install ntp fail2ban sudo vim

echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threesix main" | tee -a /etc/apt/sources.list

gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44
gpg --export --armor 01F1AE44 | apt-key add -


apt-get update && apt-get dist-upgrade

apt-get install groupoffice-mailserver groupoffice-servermanager


cd /usr/local

wget http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
tar zxf http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz
rm http://downloads2.ioncube.com/loader_downloads/ioncube_loaders_lin_x86.tar.gz

echo "zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.x.so" > /etc/php5/conf.d/ioncube.ini

apt-get install groupoffice-pro
  1. !/bin/bash