CentOS-7 Zarafa
Download Zarafa
https://download.zarafa.com/community/final/7.2/7.2.1-51838/
1 Overview
2 Base Configuration
2.1 fail2ban
2.2 Install Zarafa
2.3 Install/Update Zarafa WebApp
2.4 Install Zarafa WebApp Password Change Plugin
2.5 Install Zarafa Webapp Mobile Device Admin
2.6 Configure Webserver
2.7 Configure MariaDB
2.8 Configure Zarafa Server
2.9 Configure SASL SMTP AUTH
2.10 Secure Postfix
2.11 Secure Postfix and Webmail with fail2ban
2.12 Secure Postfix and Webmail with spamassassin
3 Users Handling
3.1 Create Aliases
3.2 Create New User
3.3 Modify User
3.4 User Details
3.5 Bug Fixing
Overview
These are my notes for installing Zarafa on a hosted VM on the internet.
They are not finished yet, but they are a good start.
I hope this will help others to get started with this great groupware.
Base Configuration
yum makecache
yum upgrade
reboot
fail2ban
yum remove iptables-services
yum install fail2ban fail2ban-firewalld firewalld
systemctl restart firewalld
firewall-cmd --permanent --add-service=ssh
systemctl restart firewalld
firewall-cmd --list-all
/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 3600
findtime = 300
maxretry = 3
destemail = admin@bitbull.ch
sender = admin@bitbull.ch
mta = sendmail
loglevel = WARNING
banaction = firewallcmd-new

[sshd]
enabled = true
systemctl enable fail2ban firewalld
systemctl restart fail2ban firewalld
test fail2ban
fail2ban-client status sshd
iptables-save | grep f2b
Install Zarafa
Zarafa Server Software
yum -y install zarafa zarafa-webaccess zarafa-search httpd mariadb-server
Postfix with SASL Support
yum -y install postfix cyrus-sasl cyrus-sasl-plain
Z-Push deps
yum -y install php-cli php-soap php-process
/etc/updatedb.conf #add this to PRUNEPATHS
/var/lib/zarafa/attachments
Install/Update Zarafa WebApp
mkdir /root/dl
cd /root/dl
mkdir old
mv * old/
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-browsercompatibility-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-lang-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-spell-de-ch-1.0-4.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-delayeddelivery-1.0-27.1.noarch.rpm
# wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-files-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-spell-1.0-21.1.noarch.rpm
yum update *.rpm
yum install *.rpm
Install Zarafa WebApp Password Change Plugin
cd /usr/share/zarafa-webapp/plugins
wget https://github.com/silentsakky/zarafa-webapp-passwd/raw/master/builds/passwd-1.2.zip
unzip passwd-1.2.zip
rm -f passwd-1.2.zip
/usr/share/zarafa-webapp/plugins/passwd/config.php
define('PLUGIN_PASSWD_USER_DEFAULT_ENABLE', true);
Install Zarafa Webapp Mobile Device Admin
Centos-6:
yum install https://download.zarafa.com/community/final/WebApp/plugins/MDM%201.0/rhel-6/zarafa-webapp-plugins-mdm-1.0.1453470163.f6c94a8-34.2.noarch.rpm
yum install https://download.zarafa.com/community/final/WebApp/plugins/MDM%201.0/fedora-22/zarafa-webapp-plugins-mdm-1.0.1453470163.f6c94a8-34.2.noarch.rpm
/etc/zarafa/webapp/config-mdm.php
define('PLUGIN_MDM_USER_DEFAULT_ENABLE_MDM', true);
Configure Webserver
rm -f /etc/httpd/conf.d/welcome.conf
echo GO AWAY > /var/www/html/index.html
/etc/php.ini
cgi.fix_pathinfo=0
date.timezone = Europe/Zurich
/etc/httpd/conf/httpd.conf
ServerAdmin admin@bitbull.ch
ServerName elvis.bitbull.ch
# line 151
AllowOverride All
systemctl enable httpd
systemctl restart httpd
You will probably see this in the apache logs after apache has died:
AH00060: seg fault or similar nasty error detected in the parent process
This is caused by the php-mapi module. I have not traced it down to the cause, but others have, so I am waiting for an update :-)
crontab -e -u root
# php-mapi bug, causes apache reload to crash, waiting for upstream
*/15 * * * * /usr/bin/pgrep httpd >/dev/null || /usr/bin/systemctl restart httpd
/etc/logrotate.d/httpd
/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        #/bin/systemctl restart httpd.service > /dev/null 2>/dev/null || true
        # some modules can cause apache to crash by reload, avoid that by logrotate
        /bin/systemctl restart httpd.service > /dev/null 2>/dev/null || true
    endscript
}
Configure MariaDB
/etc/my.cnf [ No need to configure this; it creates problems when restarting mysql ]
# add the following within the [mysqld] section
character-set-server=utf8
mysql -V
systemctl start mariadb
systemctl enable mariadb
/etc/init.d/mysql start
/etc/init.d/mysql restart
/root/.my.cnf
[client]
host=localhost
user=root
password=your_password
[root@elvis ~]# mysql -u root
MariaDB [(none)]> create database zarafa;
MariaDB [(none)]> grant all privileges on zarafa.* to zarafa@'localhost' identified by '123456';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit
wget -O - https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh > /usr/local/sbin/tuning-primer.sh
chmod 700 /usr/local/sbin/tuning-primer.sh
# run after 1 week of mysqld uptime
Configure Zarafa Server
/etc/zarafa/server.cfg
system_email_address = admin@bitbull.ch
mysql_user = zarafa
mysql_password = 123456
/etc/zarafa/search.cfg
limit_results = 200
index_attachments = yes
index_attachment_max_size = 2M
index_attachment_parser_max_cputime = 60
Configure SASL SMTP AUTH
/etc/sysconfig/saslauthd
MECH=rimap
FLAGS="-O 127.0.0.1"
/etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
allow_plaintext: true
# log_level: 3
/etc/postfix/master.cf
submission inet n - n - - smtpd
/etc/postfix/main.cf
# SASL for clients that are not aware of RFC2554
broken_sasl_auth_clients = yes
# incoming SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# smtpd_tls_auth_only = no
smtpd_sasl_path = smtpd
firewall-cmd --permanent --add-port=587/tcp
service firewalld restart
/etc/zarafa/server.cfg
# disabled_features = imap pop3
disabled_features = pop3
/etc/zarafa/gateway.cfg
server_hostname = elvis.bitbull.ch
pop3_enable = no
pop3s_enable = no
imap_enable = yes
imaps_enable = no
NOTE
Do not open firewalld for port 143; IMAP is only needed locally for rimap with saslauthd.
By default we use ActiveSync over HTTPS; all other access is prohibited.
systemctl enable postfix saslauthd
systemctl restart postfix saslauthd
Install Z-Push
mkdir /root/dl
cd /root/dl
wget http://download.z-push.org/final/2.2/z-push-2.2.7.tar.gz
wget http://download.z-push.org/final/2.2/z-push-2.2.7.txt
tar zxvf z-push-*.tar.gz -C /usr/share/
ln -s /usr/share/z-push-2.2.7 /usr/share/z-push
rm -fr /var/lib/z-push/state /var/log/z-push
mkdir -p /var/lib/z-push/state /var/log/z-push
chmod 755 -R /var/lib/z-push /var/log/z-push
chown apache:apache /var/lib/z-push /var/log/z-push
# Create user accounts
zarafa-admin -c u1 -p 123 -e u1@worldcm.net -f "user1"
zarafa-admin -c u2 -p 123 -e u2@worldcm.net -f "user2"
# ADMIN account
zarafa-admin -c admin -p 123456 -e admin@worldcm.net -f "Admin" -a 1
## Delete user
zarafa-admin -d u2
# systemctl start zarafa-server
# systemctl start zarafa-dagent
# systemctl start zarafa-gateway
# systemctl start zarafa-spooler
systemctl enable zarafa-server
systemctl enable zarafa-dagent
systemctl enable zarafa-gateway
systemctl enable zarafa-spooler
/usr/share/z-push/config.php
define('TIMEZONE', 'Europe/Zurich');
define('LOGAUTHFAIL', true);
/etc/httpd/conf.d/z-push.conf
Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
<Directory /usr/share/z-push/>
    Options -Indexes +FollowSymLinks
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    php_flag register_globals off
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on
    php_value memory_limit 128M
</Directory>
ln -s /usr/share/z-push/z-push-admin.php /usr/local/sbin/z-push-admin
ln -s /usr/share/z-push/z-push-top.php /usr/local/sbin/z-push-top
chown root.apache /etc/zarafa/php-mapi.cfg
Install Password Change Plugin
cd /root/dl
wget -O passwd.tar.gz https://community.zarafa.com/mod/community_plugins/download.php?release_guid=158
tar vxfz passwd.tar.gz
mv passwd /usr/share/zarafa-webaccess/plugins/
/usr/share/zarafa-webaccess/plugins/passwd/dialogs/pwdchange.php
$passwd_cmd = "/usr/bin/zarafa-passwd -u %s -o %s -p %s";
Secure Postfix
This is my entire Postfix config; pick out the parts you want.
/etc/postfix/main.cf
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/bin/zarafa-dagent "$USER"
mailbox_size_limit = 1073741824
message_size_limit = 10485760
mydomain = bitbull.ch
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost, credo-systems.ch
myhostname = elvis.bitbull.ch
mynetworks = 127.0.0.0/8
myorigin = $mydomain
smtpd_banner = $myhostname ESMTP
alias_maps = hash:/etc/aliases
# MX backup
maximal_queue_lifetime = 30d
# consult spamassassin
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_mx_backup,
    permit_sasl_authenticated,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_unlisted_sender,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit
disable_vrfy_command = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
# mailbackup configuration
relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/relay_transport
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
/etc/postfix/relay_domains
euphoria.com        anything
wicked-networks.com anything
/etc/postfix/relay_transport
euphoria.com        relay:mail1.euphoria.com
wicked-networks.com relay:mx1.wicked-networks.com
postmap /etc/postfix/relay_domains
postmap /etc/postfix/relay_transport
Get Spam Statistics
curl http://www.joreybump.com/dnsblcount/dnsblcount > /usr/local/sbin/dnsblcount
yum -y install postfix-perl-scripts
chmod 700 /usr/local/sbin/dnsblcount
crontab -e -u root
1 4 * * * /usr/local/sbin/dnsblcount /var/log/maillog
2 4 * * * /usr/sbin/pflogsumm /var/log/maillog
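To show what the dnsblcount statistics are built from, here is an added example (written for these notes, not the dnsblcount script itself) that counts Postfix RBL rejections per list and per client over constructed maillog lines; this is the data you need when deciding which reject_rbl_client entries in smtpd_recipient_restrictions are still worth keeping.

```python
import re
from collections import Counter

# Constructed /var/log/maillog lines in Postfix's reject format (sample data, not real logs).
SAMPLE_MAILLOG = [
    "Jan 11 04:00:01 elvis postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using sbl.spamhaus.org; "
    "from=<a@example.net> to=<mike@bitbull.ch> proto=ESMTP helo=<mail.example.net>",
    "Jan 11 04:00:07 elvis postfix/smtpd[2001]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using cbl.abuseat.org; "
    "from=<b@example.net> to=<mike@bitbull.ch> proto=ESMTP helo=<mail.example.net>",
    "Jan 11 04:02:13 elvis postfix/smtpd[2004]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.77]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.77] blocked using sbl.spamhaus.org; "
    "from=<c@example.org> to=<root@bitbull.ch> proto=ESMTP helo=<host.example.org>",
    "Jan 11 04:05:42 elvis postfix/smtpd[2009]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: "
    "554 5.7.1 Service unavailable; Client host [192.0.2.33] blocked using dnsbl-1.uceprotect.net; "
    "from=<d@example.com> to=<mike@bitbull.ch> proto=SMTP helo=<pc>",
    # Rejected by the HELO restrictions, not by an RBL: must not be counted
    "Jan 11 04:06:01 elvis postfix/smtpd[2010]: NOQUEUE: reject: RCPT from unknown[192.0.2.33]: "
    "504 5.5.2 <pc>: Helo command rejected: need fully-qualified hostname; "
    "from=<d@example.com> to=<mike@bitbull.ch> proto=SMTP helo=<pc>",
]

# Client IP is the bracketed address after "RCPT from <name>"; the RBL name follows
# "blocked using" and ends at the next semicolon.
RBL_REJECT = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: .*blocked using (?P<rbl>[^;\s]+);")

def dnsbl_counts(lines):
    """Return (rejects per RBL, RBL rejects per client IP) for the given maillog lines."""
    per_rbl, per_ip = Counter(), Counter()
    for line in lines:
        m = RBL_REJECT.search(line)
        if m:
            per_rbl[m.group("rbl")] += 1
            per_ip[m.group("ip")] += 1
    return per_rbl, per_ip

def report(lines):
    """Summary with the most-hit list first, in the spirit of a minimal dnsblcount."""
    per_rbl, per_ip = dnsbl_counts(lines)
    out = ["%6d  %s" % (n, rbl) for rbl, n in per_rbl.most_common()]
    out.append("%6d  total RBL rejects from %d clients" % (sum(per_rbl.values()), len(per_ip)))
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE_MAILLOG))
```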
enable and start services
for SRV in postfix saslauthd mariadb httpd zarafa-server zarafa-dagent zarafa-gateway zarafa-ical zarafa-monitor zarafa-search zarafa-spooler
do
    echo $SRV:
    systemctl enable $SRV
    sleep 2
    systemctl restart $SRV
done
Secure Postfix and Webmail with fail2ban
Here we secure SASL SMTP AUTH, Zarafa WebAccess and WebApp against failed logins; this helps protect passwords from brute-force scans.
/etc/fail2ban/jail.local
# add at end of file
[postfix-sasl]
enabled = true
port = 25,587

[zarafa-webmail]
port = http,https
logpath = %(apache_error_log)s
enabled = true
/etc/fail2ban/filter.d/zarafa-webmail.conf
# Fail2Ban filter for zarafa webaccess and webauth
#
# Author: Chris Ruettimann <chris@bitbull.ch>
[Definition]
_daemon = zarafa-webmail
failregex = \[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] .*user(|:) .* authentication failure at MAPI, referer: .*
ignoreregex =
systemctl restart fail2ban
systemctl enable fail2ban
fail2ban-client status
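To check that the zarafa-webmail failregex catches the WebAccess/WebApp login failures and nothing else before enabling the jail, here is an added example (not part of the original notes) that expands fail2ban's <HOST> placeholder, applies the regex to constructed Apache error-log lines and counts hits per client against the maxretry = 3 from jail.local above; it approximates fail2ban's matching and does not model its separate timestamp handling.

```python
import re

# fail2ban expands <HOST> to this named group (optional IPv4-mapped IPv6 prefix).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex exactly as in /etc/fail2ban/filter.d/zarafa-webmail.conf above.
FAILREGEX = (r"\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] "
             r".*user(|:) .* authentication failure at MAPI, referer: .*")

# Constructed Apache error-log lines (sample data, not real log output).
SAMPLE_LOG = [
    "[Mon Jan 11 10:15:32.100000 2016] [:error] [pid 2345] [client 203.0.113.7:51234] "
    "user: mike authentication failure at MAPI, referer: https://elvis.bitbull.ch/webapp/",
    "[Mon Jan 11 10:15:40.200000 2016] [:error] [pid 2346] [client 203.0.113.7:51240] "
    "user: mike authentication failure at MAPI, referer: https://elvis.bitbull.ch/webapp/",
    "[Mon Jan 11 10:15:48.300000 2016] [:error] [pid 2347] [client 203.0.113.7:51251] "
    "user: admin authentication failure at MAPI, referer: https://elvis.bitbull.ch/webapp/",
    # WebAccess variant without the colon after "user"
    "[Mon Jan 11 10:16:10.400000 2016] [:error] [pid 2350] [client 198.51.100.20:40001] "
    "user chris authentication failure at MAPI, referer: https://elvis.bitbull.ch/webaccess/",
    # Unrelated PHP error from the same client: must not count as a login failure
    "[Mon Jan 11 10:16:11.500000 2016] [:error] [pid 2351] [client 198.51.100.20:40002] "
    "PHP Warning: Undefined index: foo in /usr/share/zarafa-webapp/index.php on line 10",
]

def compile_failregex(pattern=FAILREGEX):
    """Expand the <HOST> placeholder the way fail2ban does and compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))

def failed_logins(lines, pattern=FAILREGEX):
    """Return {client_ip: number of lines matching the failregex}."""
    rx = compile_failregex(pattern)
    hits = {}
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits

def would_ban(hits, maxretry=3):
    """Clients at or above maxretry (3 in the jail.local above) within one findtime window."""
    return sorted(host for host, n in hits.items() if n >= maxretry)

if __name__ == "__main__":
    hits = failed_logins(SAMPLE_LOG)
    print(hits)             # {'203.0.113.7': 3, '198.51.100.20': 1}
    print(would_ban(hits))  # ['203.0.113.7']
```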
Secure Postfix and Webmail with spamassassin
yum install spamassassin
/etc/mail/spamassassin/local.cf
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
report_safe 1
use_bayes 1
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
ok_locales all
groupadd spamd
useradd -g spamd -M -s /bin/false -d /var/lib/spamassassin spamd
chown spamd:spamd /var/lib/spamassassin
/etc/sysconfig/spamassassin
SPAMDOPTIONS="-d -c -m5 -H -u spamd -g spamd"
/etc/postfix/master.cf
# modify line 11
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
# add @ EOF
spamassassin unix -     n       n       -       -       pipe
  flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
cd /usr/share/zarafa-webapp/plugins
wget "https://community.zarafa.com/mod/community_plugins/download.php?release_guid=21796" -O 20130921_spamtrain_plugin.tar.gz
tar vxfz 20130921_spamtrain_plugin.tar.gz
rm -f 20130921_spamtrain_plugin.tar.gz
/usr/share/zarafa-webapp/plugins/spamtrain/config.php
define('PLUGIN_SPAMTRAIN_TRAIN_SPAM_CMD', '/usr/bin/sa-learn --spam --username %u');
define('PLUGIN_SPAMTRAIN_TRAIN_HAM_CMD', '/usr/bin/sa-learn --ham --username %u');
define('PLUGIN_SPAMTRAIN_USER_DEFAULT_ENABLE', true);
mkdir -p /usr/share/httpd/.spamassassin
chown apache.apache /usr/share/httpd/.spamassassin
sa-update --nogpg
Remove the blacklists that spamassassin already queries from main.cf to avoid double checks; this lists the ones that appear in both places:
grep rbl /etc/postfix/main.cf | awk '{print $2}' | sed 's/,//g' | while read f; do fgrep -lirs $f /var/lib/spamassassin/ && echo $f; done
systemctl restart spamassassin
systemctl enable spamassassin
systemctl restart postfix
Users Handling
Create Aliases
Since we have no virtual domain configuration in Postfix, this is a simple way to create a mail alias for a user.
/etc/aliases
root: mike
mike.meyers: mike
newaliases
service postfix restart
Create New User
useradd -s /bin/false -b /tmp -M -g nobody mike
zarafa-admin -c mike -p myS3cret -e mike@bitbull.ch -f "Mike Meyers"
Modify User
zarafa-admin -d tom # delete user
zarafa-admin -u chris -p s3cret. # change password
zarafa-admin -u chris -a y # create admin
User Details
zarafa-admin --details tom # show user details
z-push-admin -a list # list all z-push users
z-push-admin -a lastsync # show sync state of devices
z-push-admin -a wipe -u chris # wipe all devices for user chris
z-push-admin -a remove -u chris # remove all state data for user chris's devices
z-push-top # top activity monitor for z-push
zarafa-stats --top # top activity monitor for zarafa
Bug Fixing
zarafa-server starts before mariadb is up
# grep -A2 -B1 sleep\ 30 /etc/init.d/zarafa-server
start)
    /usr/bin/sleep 30
    start
    ;;
tail -f /var/log/zarafa/server.log
# systemctl enable mariadb.service
# systemctl enable zarafa-server.service
#systemctl status zarafa-server.service
Centos 6
/etc/init.d/postfix restart
/etc/init.d/httpd2 restart
/etc/init.d/mysqld restart
/etc/init.d/zarafa-dagent restart
/etc/init.d/zarafa-gateway restart
/etc/init.d/zarafa-ical restart
/etc/init.d/zarafa-indexer restart || /etc/init.d/zarafa-search restart
/etc/init.d/zarafa-monitor restart
/etc/init.d/zarafa-server restart
/etc/init.d/zarafa-spooler restart
service zarafa-server restart
service zarafa-dagent restart
service zarafa-gateway restart
service zarafa-spooler restart
chkconfig zarafa-server on
chkconfig zarafa-dagent on
chkconfig zarafa-gateway on
chkconfig zarafa-spooler on
service zarafa-server start
service zarafa-dagent start
service zarafa-gateway start
service zarafa-spooler start
zarafa-licensed
ftp://www.timburgess.net/zarafa/
ftp://www.timburgess.net/zarafa/zarafa-licensed-7.1.4-41394.i686.rpm
ftp://www.timburgess.net/zarafa/zarafa-licensed-7.1.4-41394.x86_64.rpm
# rpm -Uvh --nodeps zarafa-licensed-7.1.4-41394.x86_64.rpm
Your webmail is usually set up at http://yourserver/webaccess. It might be easier to redirect so people do not have to type webaccess. You can do this with the following steps:
# rm /etc/httpd/conf.d/welcome.conf
and modify the following line in /etc/httpd/conf/httpd.conf:
DocumentRoot "/usr/share/zarafa-webaccess"
Don't forget to launch apache:
# service httpd start
# chkconfig httpd on
If you use a SELinux setup, you might want to let apache create new sockets:
# setsebool httpd_can_network_connect=1
The Zarafa server URL in the WebAccess/WebApp config can also contain the port:
define('MAPI_SERVER', 'http://ip-of-zarafa-server:236/zarafa');
Remove packages with yum
# su -c 'yum clean all && rpm --rebuilddb'
# su -c 'package-cleanup --problems'
Then run:
# su -c 'yum erase zarafa*'
Edit #1: try running the following command:
# su -c 'yum --setopt=tsflags=noscripts remove zarafa*'
If that doesn't work, try this:
# su -c 'rpm -e --noscripts zarafa*'