
CentOS-7 Zarafa

Download Zarafa

https://download.zarafa.com/community/final/7.2/7.2.1-51838/

Overview

These are my notes on installing Zarafa on a hosted VM on the internet.

It is not finished yet, but it is a good start.

I hope this will help others get started with this great groupware.

Base Configuration

yum makecache
yum upgrade
reboot

fail2ban

yum remove iptables-services
yum install fail2ban fail2ban-firewalld firewalld
systemctl restart firewalld
firewall-cmd --permanent --add-service=ssh
systemctl restart firewalld
firewall-cmd --list-all

[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 3600
findtime  = 300
maxretry = 3
destemail = admin@bitbull.ch
sender = admin@bitbull.ch
mta = sendmail
loglevel = WARNING
banaction = firewallcmd-new

[sshd]
enabled = true

systemctl enable fail2ban firewalld
systemctl restart fail2ban firewalld

fail2ban-client status sshd
iptables-save | grep f2b

Install Zarafa

yum -y install zarafa zarafa-webaccess zarafa-search httpd mariadb-server 

yum -y install postfix cyrus-sasl cyrus-sasl-plain 

yum -y install php-cli php-soap php-process

/var/lib/zarafa/attachments

Install/Update Zarafa WebApp

mkdir /root/dl
cd /root/dl
mkdir old
mv * old/
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-browsercompatibility-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-lang-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-spell-de-ch-1.0-4.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-delayeddelivery-1.0-27.1.noarch.rpm
# wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-files-2.1.1-468.1.noarch.rpm
wget https://download.zarafa.com/community/final/WebApp/2.1.1/rhel-7/zarafa-webapp-plugins-spell-1.0-21.1.noarch.rpm
yum update *.rpm
yum install *.rpm

Install Zarafa WebApp Password Change Plugin

cd /usr/share/zarafa-webapp/plugins
wget https://github.com/silentsakky/zarafa-webapp-passwd/raw/master/builds/passwd-1.2.zip
unzip passwd-1.2.zip
rm -f passwd-1.2.zip

define('PLUGIN_PASSWD_USER_DEFAULT_ENABLE', true);

Install Zarafa Webapp Mobile Device Admin

yum install https://download.zarafa.com/community/beta/WebApp/plugins/MDM%20beta2/rhel-7/zarafa-webapp-plugins-mdm-1.0.1453470163.f6c94a8-34.1.noarch.rpm

Centos-6: 

yum install https://download.zarafa.com/community/final/WebApp/plugins/MDM%201.0/rhel-6/zarafa-webapp-plugins-mdm-1.0.1453470163.f6c94a8-34.2.noarch.rpm

yum install https://download.zarafa.com/community/final/WebApp/plugins/MDM%201.0/fedora-22/zarafa-webapp-plugins-mdm-1.0.1453470163.f6c94a8-34.2.noarch.rpm 

define('PLUGIN_MDM_USER_DEFAULT_ENABLE_MDM', true);

Configure Webserver

rm -f /etc/httpd/conf.d/welcome.conf
echo GO AWAY > /var/www/html/index.html

cgi.fix_pathinfo=0
date.timezone = Europe/Zurich

ServerAdmin admin@bitbull.ch
ServerName elvis.bitbull.ch
# line 151
AllowOverride All

systemctl enable httpd
systemctl restart httpd

You will probably see this in the Apache logs when Apache has died:

AH00060: seg fault or similar nasty error detected in the parent process

This is caused by the mapi PHP module. I have not tracked down the reason, but others have it too, so I am waiting for an update :-)

# php-mapi bug, causes apache reload to crash, waiting for upstream
*/15 * * * * /usr/bin/pgrep httpd >/dev/null || /usr/bin/systemctl restart httpd

/var/log/httpd/*log {
    missingok
    notifempty
    sharedscripts
    delaycompress
    postrotate
        #/bin/systemctl restart httpd.service > /dev/null 2>/dev/null || true
        # some modules can cause apache to crash by reload, avoid that by logrotate
        /bin/systemctl restart httpd.service > /dev/null 2>/dev/null || true
    endscript
}

Configure MariaDB

# add the following within the [mysqld] section
character-set-server=utf8

mysql -V

systemctl start mariadb
systemctl enable mariadb

/etc/init.d/mysql start

/etc/init.d/mysql restart

[client]
host=localhost
user=root
password=your_password

[root@elvis ~]# mysql -u root
MariaDB [(none)]> create database zarafa;
MariaDB [(none)]> grant all privileges on zarafa.* to zarafa@'localhost' identified by '123456';
MariaDB [(none)]> flush privileges;
MariaDB [(none)]> exit

wget -O - https://launchpad.net/mysql-tuning-primer/trunk/1.6-r1/+download/tuning-primer.sh > /usr/local/sbin/tuning-primer.sh
chmod 700 /usr/local/sbin/tuning-primer.sh
# run after 1 week of mysqld uptime

Configure Zarafa Server

system_email_address    = admin@bitbull.ch
mysql_user = zarafa
mysql_password = 123456

limit_results           =       200
index_attachments       = yes
index_attachment_max_size = 2M
index_attachment_parser_max_cputime = 60

Configure SASL SMTP AUTH

MECH=rimap
FLAGS="-O 127.0.0.1"

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
allow_plaintext: true
# log_level: 3

submission inet n       -       n       -       -       smtpd

# SASL for clients that are not aware of RFC2554
broken_sasl_auth_clients = yes
# incoming SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# smtpd_tls_auth_only = no
smtpd_sasl_path = smtpd

firewall-cmd --permanent --add-port=587/tcp
service firewalld restart

# disabled_features = imap pop3
disabled_features = pop3

server_hostname = elvis.bitbull.ch
pop3_enable     =       no
pop3s_enable    =       no
imap_enable     =       yes
imaps_enable    =       no

Do not open firewalld for port 143, as it is only needed for rimap with saslauthd.

By default we use active sync over https, other access is prohibited.

systemctl enable postfix saslauthd
systemctl restart postfix saslauthd
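An added example, not part of the original notes: a Python check that merges the main.cf SASL settings above with the master.cf listeners used on this page (the submission line above, and the smtp line with the -o overrides from the SpamAssassin section) and reports which listener offers AUTH without requiring TLS. With mech_list PLAIN LOGIN the password is only base64-encoded on the wire. The function names and the embedded config strings are assumptions made for this example.

```python
# Constructed inputs, assembled from the settings shown on this page.
MAIN_CF = """\
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# smtpd_tls_auth_only = no
smtpd_sasl_path = smtpd
"""
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin -o smtpd_tls_security_level=none -o smtpd_sasl_auth_enable=no
submission inet n       -       n       -       -       smtpd
"""

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_params(text):
    """main.cf as a dict; a later definition of a parameter overrides an earlier one."""
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in logical_lines(text))}

def smtpd_services(text):
    """Yield (service name, {-o overrides}) for every inet smtpd listener in master.cf."""
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            args = fields[8:]
            yield fields[0], dict(a.split("=", 1) for prev, a in zip(args, args[1:]) if prev == "-o")

def cleartext_auth_listeners(main_cf, master_cf):
    """Listeners whose effective settings announce AUTH but do not force TLS first."""
    base = main_params(main_cf)
    exposed = []
    for service, overrides in smtpd_services(master_cf):
        eff = {**base, **overrides}          # master.cf -o wins over main.cf
        tls_forced = (eff.get("smtpd_tls_auth_only") == "yes"
                      or eff.get("smtpd_tls_security_level") == "encrypt")
        if eff.get("smtpd_sasl_auth_enable") == "yes" and not tls_forced:
            exposed.append(service)
    return exposed
```

Setting smtpd_tls_auth_only = yes in main.cf, or -o smtpd_tls_security_level=encrypt on the submission line, clears the finding; both need a certificate configured through smtpd_tls_cert_file and smtpd_tls_key_file.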

mkdir /root/dl
cd /root/dl

wget http://download.z-push.org/final/2.2/z-push-2.2.7.tar.gz
wget http://download.z-push.org/final/2.2/z-push-2.2.7.txt
tar zxvf z-push-*.tar.gz -C /usr/share/
ln -s /usr/share/z-push-2.2.7 /usr/share/z-push
rm -fr /var/lib/z-push/state /var/log/z-push
mkdir -p /var/lib/z-push/state /var/log/z-push
chmod 755 -R /var/lib/z-push /var/log/z-push
chown apache:apache /var/lib/z-push /var/log/z-push

# Create user account
zarafa-admin -c u1 -p 123 -e u1@worldcm.net -f "user1"
zarafa-admin -c u2 -p 123 -e u2@worldcm.net -f "user2"
# Admin account
zarafa-admin -c admin -p 123456 -e admin@worldcm.net -f "Admin" -a 1
## Delete user
zarafa-admin -d u2
# systemctl start zarafa-server
# systemctl start zarafa-dagent
# systemctl start zarafa-gateway
# systemctl start zarafa-spooler
systemctl enable zarafa-server
systemctl enable zarafa-dagent
systemctl enable zarafa-gateway
systemctl enable zarafa-spooler

define('TIMEZONE', 'Europe/Zurich');
define('LOGAUTHFAIL', true);

Alias /Microsoft-Server-ActiveSync /usr/share/z-push/index.php
<Directory /usr/share/z-push/>
    Options -Indexes +FollowSymLinks
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
    php_flag register_globals off
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on
    php_value memory_limit 128M
</Directory>

ln -s /usr/share/z-push/z-push-admin.php /usr/local/sbin/z-push-admin
ln -s /usr/share/z-push/z-push-top.php /usr/local/sbin/z-push-top
chown root.apache /etc/zarafa/php-mapi.cfg

cd /root/dl
wget -O passwd.tar.gz "https://community.zarafa.com/mod/community_plugins/download.php?release_guid=158"
tar vxfz passwd.tar.gz
mv passwd /usr/share/zarafa-webaccess/plugins/

$passwd_cmd = "/usr/bin/zarafa-passwd -u %s -o %s -p %s";

Secure Postfix

This is my entire Postfix config; pick out the parts you want.

home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/bin/zarafa-dagent "$USER"
mailbox_size_limit = 1073741824
message_size_limit = 10485760
mydomain = bitbull.ch
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost, credo-systems.ch
myhostname = elvis.bitbull.ch
mynetworks = 127.0.0.0/8
myorigin = $mydomain
smtpd_banner = $myhostname ESMTP
alias_maps = hash:/etc/aliases

# MX backup
maximal_queue_lifetime = 30d

# consult spamassassin

smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_mx_backup,
    permit_sasl_authenticated,
    reject_sender_login_mismatch,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_unlisted_sender,
    check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_rbl_client dnsbl-1.uceprotect.net,
    reject_rbl_client dnsbl-2.uceprotect.net,
    reject_rbl_client dnsbl-3.uceprotect.net,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client combined.rbl.msrbl.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

disable_vrfy_command = yes
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20

# mailbackup configuration
relay_domains = hash:/etc/postfix/relay_domains
transport_maps = hash:/etc/postfix/relay_transport

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd

euphoria.com anything
wicked-networks.com anything

euphoria.com relay:mail1.euphoria.com
wicked-networks.com relay:mx1.wicked-networks.com

postmap /etc/postfix/relay_domains
postmap /etc/postfix/relay_transport

curl http://www.joreybump.com/dnsblcount/dnsblcount > /usr/local/sbin/dnsblcount
yum -y install postfix-perl-scripts
chmod 700 /usr/local/sbin/dnsblcount

1 4 * * * /usr/local/sbin/dnsblcount /var/log/maillog
2 4 * * * /usr/sbin/pflogsumm /var/log/maillog

for SRV in postfix saslauthd mariadb httpd zarafa-server zarafa-dagent zarafa-gateway zarafa-ical zarafa-monitor zarafa-search zarafa-spooler
do
   echo $SRV:
   systemctl enable $SRV
   sleep 2
   systemctl restart $SRV
done

Secure Postfix and Webmail with fail2ban

Here we protect SASL SMTP AUTH, Zarafa WebAccess and WebApp against repeated failed logins; this helps to protect passwords from brute-force scans.

# add at end of file
[postfix-sasl]
enabled = true
port = 25,587

[zarafa-webmail]
port = http,https
logpath  = %(apache_error_log)s
enabled = true

# Fail2Ban filter for zarafa webaccess and webauth
#
# Author: Chris Ruettimann <chris@bitbull.ch>

[Definition]
_daemon = zarafa-webmail

failregex = \[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] .*user(|:) .* authentication failure at MAPI, referer: .*

ignoreregex =

systemctl restart fail2ban
systemctl enable fail2ban
fail2ban-client status
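An added example, not part of the original notes: the failregex above applied to constructed Apache error-log lines in Python, together with a simplified version of the maxretry/findtime decision from the [DEFAULT] section. The sample messages are shaped to fit the regex (the page does not show a real log line), and the IPv4-only host group and all function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# failregex copied from the filter above. fail2ban substitutes its own host
# pattern for <HOST>; the IPv4-only group used here is a simplified stand-in.
FAILREGEX = (r"\[.*\] \[:error\] \[pid \d+\] \[client <HOST>:\d+\] "
             r".*user(|:) .* authentication failure at MAPI, referer: .*")
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"))
TIMESTAMP = re.compile(r"^\[([^\]]+)\]")
MAXRETRY, FINDTIME = 3, 300  # maxretry / findtime from [DEFAULT] on this page

def failed_host(line):
    """Return the client address if the line counts as a failed login, else None."""
    m = PATTERN.search(line)
    return m.group("host") if m else None

def hosts_to_ban(lines):
    """Hosts reaching MAXRETRY failures inside a sliding FINDTIME-second window."""
    recent, banned = defaultdict(deque), []
    for line in lines:
        host = failed_host(line)
        if host is None:
            continue
        ts = datetime.strptime(TIMESTAMP.match(line).group(1),
                               "%a %b %d %H:%M:%S.%f %Y")
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > FINDTIME:
            window.popleft()          # forget failures older than findtime
        if len(window) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

def log_line(clock, client, message):  # builds a constructed Apache 2.4 error-log line
    return f"[Mon Feb 01 {clock}.000000 2016] [:error] [pid 2211] [client {client}] {message}"

# Constructed messages: FAIL is shaped to fit the failregex, NOTICE is unrelated noise.
FAIL = "user: mike: authentication failure at MAPI, referer: https://mail.example.org/webapp/"
NOTICE = "PHP Notice: Undefined index: user in index.php, referer: https://mail.example.org/"
SAMPLE_LOG = [
    log_line("10:00:00", "192.0.2.44:40100", FAIL),    # three failures, but 10 min apart
    log_line("10:10:00", "192.0.2.44:40101", FAIL),
    log_line("10:15:02", "203.0.113.7:51234", FAIL),   # three failures within 13 s
    log_line("10:15:09", "203.0.113.7:51240", FAIL),
    log_line("10:15:15", "203.0.113.7:51251", FAIL),
    log_line("10:16:00", "198.51.100.9:33000", NOTICE),
    log_line("10:20:00", "192.0.2.44:40102", FAIL),
]
```

On the server, fail2ban-regex run with the Apache error log and the filter file as arguments gives the authoritative match count for the real log format.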

Secure Postfix and Webmail with spamassassin

yum install spamassassin

required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
report_safe             1
use_bayes               1
bayes_auto_learn        1
skip_rbl_checks         0
use_razor2              1
use_pyzor               1
ok_locales              all

groupadd spamd
useradd -g spamd -M -s /bin/false -d /var/lib/spamassassin spamd

chown spamd:spamd /var/lib/spamassassin

SPAMDOPTIONS="-d -c -m5 -H -u spamd -g spamd"

# modify line 11
smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin -o smtpd_tls_security_level=none -o smtpd_sasl_auth_enable=no
# add @ EOF
spamassassin unix - n n - - pipe flags=R user=spamd argv=/usr/bin/spamc -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

cd /usr/share/zarafa-webapp/plugins
wget "https://community.zarafa.com/mod/community_plugins/download.php?release_guid=21796" -O 20130921_spamtrain_plugin.tar.gz
tar vxfz 20130921_spamtrain_plugin.tar.gz
rm -f 20130921_spamtrain_plugin.tar.gz

define('PLUGIN_SPAMTRAIN_TRAIN_SPAM_CMD', '/usr/bin/sa-learn --spam --username %u');
define('PLUGIN_SPAMTRAIN_TRAIN_HAM_CMD', '/usr/bin/sa-learn --ham --username %u');
define('PLUGIN_SPAMTRAIN_USER_DEFAULT_ENABLE', true);

mkdir -p /usr/share/httpd/.spamassassin
chown apache.apache /usr/share/httpd/.spamassassin

sa-update --nogpg

grep rbl /etc/postfix/main.cf | awk '{print $2}' | sed 's/,//g' | while read f; do fgrep -lirs $f /var/lib/spamassassin/ && echo $f; done

systemctl restart spamassassin
systemctl enable spamassassin
systemctl restart postfix

Users Handling

Create Aliases

Since we have no virtual domain configuration in Postfix, this is a simple way to create a mail alias for a user.

root: mike
mike.meyers: mike

newaliases
service postfix restart

Create New User

useradd -s /bin/false -b /tmp -M -g nobody mike
zarafa-admin -c mike -p myS3cret -e mike@bitbull.ch -f "Mike Meyers"

Modify User

zarafa-admin -d tom # delete user
zarafa-admin -u chris -p s3cret. # change password
zarafa-admin -u chris -a y # create admin

User Details

zarafa-admin --details tom # show user details
z-push-admin -a list # list all z-push users
z-push-admin -a lastsync # show sync state of devices
z-push-admin -a wipe -u chris # wipe all devices for user chris
z-push-admin -a remove -u chris # remove all state data for user chris's devices
z-push-top # top activity monitor for z-push
zarafa-stats --top # top activity monitor for zarafa

Bug Fixing

# grep -A2 -B1 sleep\ 30  /etc/init.d/zarafa-server
    start)
        /usr/bin/sleep 30
        start
        ;;


----------XXXXXXXXXXXXXXXXXXXXXXXXXX----------------------XXXXXXXXXXXXXXXXXXXXXXXXXX----------XXXXXXXXXXXXXXXX

tail -f /var/log/zarafa/server.log

# systemctl enable mariadb.service

 # systemctl enable zarafa-server.service

#systemctl status zarafa-server.service

--------

-------------------------------------------------------------------------------

Centos 6

/etc/init.d/postfix restart; /etc/init.d/httpd2 restart; /etc/init.d/mysqld restart; /etc/init.d/zarafa-dagent restart; /etc/init.d/zarafa-gateway restart; /etc/init.d/zarafa-ical restart; /etc/init.d/zarafa-indexer restart || /etc/init.d/zarafa-search restart; /etc/init.d/zarafa-monitor restart; /etc/init.d/zarafa-server restart; /etc/init.d/zarafa-spooler restart;

service zarafa-server restart

service zarafa-dagent restart

service zarafa-gateway restart

service zarafa-spooler restart

chkconfig zarafa-server on

chkconfig zarafa-dagent on

chkconfig zarafa-gateway on

chkconfig zarafa-spooler on

service zarafa-server start

service zarafa-dagent start

service zarafa-gateway start

service zarafa-spooler start


---------------------------------------------------------------------------------------------------

zarafa-licensed

ftp://www.timburgess.net/zarafa/

ftp://www.timburgess.net/zarafa/zarafa-licensed-7.1.4-41394.i686.rpm

ftp://www.timburgess.net/zarafa/zarafa-licensed-7.1.4-41394.x86_64.rpm

# rpm -Uvh --nodeps zarafa-licensed-7.1.4-41394.x86_64.rpm 

----##############################################

Your webmail is usually available at http://yourserver/webaccess. It might be easier to redirect so people do not have to type webaccess. You can do this with the following steps:

# rm /etc/httpd/conf.d/welcome.conf

and modify the following line in /etc/httpd/conf/httpd.conf:

DocumentRoot "/usr/share/zarafa-webaccess"

Don't forget to launch Apache

# service httpd start
# chkconfig httpd on

If you use a SELinux setup, you might want to let apache create new sockets:

# setsebool httpd_can_network_connect=1

-----------------------------------------------------------------

The Zarafa server address also contains the port

Code:

define('MAPI_SERVER', 'http://ip-of-zarafa-server:236/zarafa');

-------------

Remove packages with yum

 

#su -c 'yum clean all && rpm --rebuilddb'

#su -c 'package-cleanup --problems'

Then run:

#su -c 'yum erase zarafa*'

Edit #1: Try running the next command:

# su -c 'yum --setopt=tsflags=noscripts remove zarafa*'

If that doesn't work, try this:

# su -c 'rpm -e --noscripts zarafa*'

---------------