This manual is deprecated. Please visit https://groupoffice.readthedocs.io for the latest documentation. |
Group-Office on separate mail- and webserver howto
I'm going to show an ideal setup of a separate mailserver and Group-Office server.
On both servers we'll install a minimal Debian 6 on a Proxmox virtual environment. You don't need Proxmox but it's an easy and powerful way to virtualize your machines.
Contents
Proxmox notes
After installing Debian 6 on Proxmox the timezone is set to UTC. You can change the timezone by running:
dpkg-reconfigure tzdata
The locale is also not configured:
dpkg-reconfigure locales
export LANG=en_US.UTF8
Then I installed ntp to make sure the time is updated correctly:
apt-get install ntp
I also had to add:
myhostname: mx1.example.com
to /etc/postfix/main.cf because in proxmox I just called the machine "mx1". Changing the hostname afterwards caused problems with proxmox.
Of course you should also apply all latest system updates:
apt-get update && apt-get dist-upgrade
Secure access
First we'll secure the remote access on both servers:
Install fail2ban. This is a program that will monitor various log files and blocks users who make more then 3 failed login attempts.
apt-get install fail2ban
Install sudo to allow normal users to execute root commands:
apt-get install sudo
Then add a personal user:
adduser <username> adduser <username> sudo
Generate an ssh keypair for your username on your own machine. We don't cover this here.
Add the public key to:
/home/<username>/.ssh/authorized_keys
Set the right permissions:
chmod 700 /home/<username>/.ssh/ chmod 600 /home/<username>/.ssh/authorized_keys
Now test the SSH login with your keypair and make sure it works because we're going to disable any other login method. Make sure this user can use sudo too.
When this works disable root login through SSH and disable login with normal passwords:
Change /etc/ssh/sshd_config:
PermitRootLogin no PasswordAuthentication no ChallengeResponseAuthentication no
Add Group-Office repository
You can do that easily by executing the following command in the terminal:
echo -e "\n## Group-Office repository\ndeb http://repos.groupoffice.eu/ threesix main" | tee -a /etc/apt/sources.list
To authenticate the packages you need to import the public key by running the following commands:
gpg --keyserver hkp://keyserver.ubuntu.com:11371 --recv-keys 01F1AE44 gpg --export --armor 01F1AE44 | apt-key add -
Update APT:
apt-get update
Install the mailserver
apt-get install groupoffice-mailserver
Install the webserver
If you want multiple Group-Office installations:
apt-get install groupoffice-servermanager
For a single install:
apt-get install groupoffice-com
Now create a global config file for all Group-Office installations with the information to connect to the mailserver. This is for setting vacation messages, changin passwords and adding mailboxes.
/etc/groupoffice/globalconfig.inc.php
<?php $config['serverclient_server_url']="https://mx1.example.com/groupoffice/"; $config['serverclient_username']="admin"; $config['serverclient_password']="secret"; $config['serverclient_mbroot']=""; $config['serverclient_use_ssl']="0"; $config['serverclient_novalidate_cert']="0"; $config['serverclient_type']="imap"; $config['serverclient_host']="imap.imfoss.nl"; $config['serverclient_port']="143"; $config['serverclient_smtp_host']="smtp.interconnect.nl"; $config['serverclient_smtp_port']="25"; $config['serverclient_smtp_encryption']=""; $config['serverclient_smtp_username']=""; $config['serverclient_smtp_password']=""; ?>
Install professional version
Find the right loaders at http://www.ioncube.com/loaders.php
Download them to the server withg the "wget" command. Unpack the archive in /usr/local/ioncube. Add
zend_extension=/usr/local/ioncube/ioncube_loader_lin_5.3.so
to /etc/php5/apache2/php.ini and /etc/php5/cli/php.ini
Put the licenses from the Intermesh Software Shop in /usr/share/groupoffice and then run:
apt-get install groupoffice-pro
Now restart the webserver:
/etc/init.d/apache2 restart
Enabling SSL
This is for a self-signed certificate. You probably want to purchase a real one.
mkdir /etc/apache2/ssl && /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Edit /etc/apache2/sites-enabled/000-default:
SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem
Change the VirtualHost port from *:80 to *:443.