ArchWiki
SOGo (page source)
[[Category:グループウェア]]
[[Category:ウェブアプリケーション]]
[[en:SOGo]]
{{Related articles start}}
{{Related|Apache HTTP Server}}
{{Related|Dovecot}}
{{Related|MySQL}}
{{Related|Nginx}}
{{Related|OpenLDAP}}
{{Related|Postfix}}
{{Related|PostgreSQL}}
{{Related|Samba/Active Directory ドメインコントローラ}}
{{Related|仮想ユーザーメールシステム}}
{{Related articles end}}
[http://www.sogo.nu/ SOGo] provides a rich AJAX-based web interface and supports a variety of native clients through standard protocols such as CalDAV, CardDAV and GroupDAV, as well as Microsoft ActiveSync. This article describes how to set up a groupware server with SOGo.

== Installation ==

=== Considerations ===

SOGo can authenticate users in many ways: Active Directory, OpenLDAP, MySQL/MariaDB and PostgreSQL among others, and anything PAM supports should work as well. This article authenticates against a central user management database and uses it to supply a global address list (following the [[Samba/Active Directory ドメインコントローラ|Samba/Active Directory domain controller]] article).

You will also need either {{Pkg|mariadb}} or {{Pkg|postgresql}} to store users' calendars and address books. At the time of writing the SOGo documentation recommends MariaDB (or MySQL), but if PostgreSQL is already installed, using it is a reasonable choice. Other SQL implementations are supported, but their installation is not covered here.

Finally, two actively developed SOGo versions exist. SOGo-2.x has a look and feel similar to a desktop client, while SOGo-3.x has a modern interface built on Google's AngularJS. The installation and configuration steps are the same for both versions.

=== Requirements ===

[[インストール|Install]] the required packages: {{Pkg|dovecot}}, {{Pkg|mariadb}}, {{Pkg|pigeonhole}}, {{Pkg|postfix}}, {{Pkg|postgresql}}, {{Pkg|mysql-python}} and either {{Pkg|apache}} or {{Pkg|nginx}} from the [[公式リポジトリ|official repositories]], and {{AUR|libwbxml}}, {{AUR|python2-sievelib}}, {{AUR|sogo}} (or {{AUR|sogo2}}) and {{AUR|sope}} (or {{AUR|sope2}}) from the [[AUR]].

== Initial web server configuration ==

=== Apache ===

If you use [[Apache]] as the web server, add the following lines to {{ic|/etc/httpd/conf/httpd.conf}} so that Apache includes the SOGo configuration:

 ...
 # Include SOGo configuration
 include conf/extra/SOGo.conf

Enable mod_proxy_html in {{ic|/etc/httpd/conf/httpd.conf}}:

 # cp /etc/httpd/conf/httpd.conf{,.bak}
 # sed /mod_proxy_html\.so/s/#// -i /etc/httpd/conf/httpd.conf

Edit {{ic|/etc/httpd/conf/extra/SOGo.conf}} and change the following lines (replace '''mail.domain.tld''' with your domain):

{{bc|1=<nowiki>...
## adjust the following to your configuration
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "</nowiki>'''mail.domain.tld'''<nowiki>"
RequestHeader set "x-webobjects-server-url" "https://</nowiki>'''mail.domain.tld'''<nowiki>"
...</nowiki>}}

=== nginx ===

If you use [[nginx]] as the web server, it is configured on port 443, so the SSL certificate has to be in place first. Add the following to {{ic|/etc/nginx/nginx.conf}}:

 server {
   listen 443;
   root /usr/lib/GNUstep/SOGo/WebServerResources/;
   server_name '''mail.domain.tld''';
   server_tokens off;
   client_max_body_size 100M;
   index index.php index.html index.htm;
   autoindex off;
   ssl on;
   ssl_certificate '''/path/to/your/certfile''';      #eg. /etc/ssl/certs/keyfile.crt
   ssl_certificate_key '''/path/to/your/keyfile''';   #eg /etc/ssl/private/keyfile.key
   ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_session_cache shared:SSL:10m;
   #optional
   ssl_stapling on;
   #optional
   ssl_stapling_verify on;
   #optional
   ssl_trusted_certificate /etc/ssl/private/cacert-stapeling.pem;
   #optional
   resolver 8.8.4.4 8.8.8.8 valid=300s;
   #optional
   resolver_timeout 10s;
   ssl_prefer_server_ciphers on;
   #optional
   ssl_dhparam /etc/ssl/certs/dhparam.pem;
   #optional
   add_header Strict-Transport-Security max-age=63072000;
   #optional
   add_header X-Frame-Options DENY;
   #optional
   add_header X-Content-Type-Options nosniff;
 
   location = / {
     rewrite ^ <nowiki>https://$server_name/SOGo;</nowiki>
     allow all;
   }
   location = /principals/ {
     rewrite ^ <nowiki>https://$server_name/SOGo/dav;</nowiki>
     allow all;
   }
   location ^~/SOGo {
     proxy_pass <nowiki>http://127.0.0.1:20000;</nowiki>
     proxy_redirect <nowiki>http://127.0.0.1:20000 default;</nowiki>
     # forward user's IP address
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header Host $host;
     proxy_set_header x-webobjects-server-protocol HTTP/1.0;
     proxy_set_header x-webobjects-remote-host 127.0.0.1;
     proxy_set_header x-webobjects-server-name $server_name;
     proxy_set_header x-webobjects-server-url $scheme://$host;
     proxy_connect_timeout 90;
     proxy_send_timeout 90;
     proxy_read_timeout 90;
     proxy_buffer_size 4k;
     proxy_buffers 4 32k;
     proxy_busy_buffers_size 64k;
     proxy_temp_file_write_size 64k;
     client_max_body_size 50m;
     client_body_buffer_size 128k;
     break;
   }
   location /SOGo.woa/WebServerResources/ {
     alias /usr/lib/GNUstep/SOGo/WebServerResources/;
     allow all;
   }
   location /SOGo/WebServerResources/ {
     alias /usr/lib/GNUstep/SOGo/WebServerResources/;
     allow all;
   }
   # regular-expression locations need the "~" modifier
   location ~ ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
     alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
   }
   location ~ ^/SOGo/so/ControlPanel/Products/([^/]*UI)/Resources/(.*\.(jpg|png|gif|css|js))$ {
     alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
   }
 }

=== Starting and testing web access ===

Create the state directory and start the services:

 # mkdir /var/run/sogo
 # chown sogo:sogo /var/run/sogo
 # chown sogo:sogo /etc/sogo/sogo.conf
 # chmod 0644 /etc/sogo/sogo.conf

Then start and enable the {{ic|sogo}} service and the {{ic|httpd}} or {{ic|nginx}} service.

Open a browser at http://'''mail.domain.tld'''/SOGo/ for Apache or https://'''mail.domain.tld'''/SOGo/ for nginx. Do not try to log in yet; only verify that you can connect and that the login screen is displayed.

== SOGo database configuration ==

=== MySQL/MariaDB ===

If you have not created the MySQL database yet, create it with:

 # mysql_install_db --user=mysql --basedir=/usr/ --ldata=/var/lib/mysql/

Start and enable {{ic|mysqld}}, then log in to the MySQL shell as the root user:

 # mysql -u root

At the mysql prompt, enter the following commands (replace '''SogoPW''' with a secure password):

 CREATE DATABASE sogo;
 CREATE USER 'sogo'@'localhost' IDENTIFIED BY ''''SogoPW'''';
 GRANT ALL PRIVILEGES ON `sogo`.* TO 'sogo'@'localhost' WITH GRANT OPTION;
 FLUSH PRIVILEGES;

==== Migrating from a PostgreSQL setup ====

If you previously used PostgreSQL, sogo-tool can migrate user data to MySQL/MariaDB with a backup and restore. Results vary, but it usually works. To take a full backup of the sogo database:

 # mkdir /root/sogo-backup
 # sogo-tool backup /root/sogo-backup ALL

Stop the sogo daemon, stop postgresql (if nothing else uses it) and reconfigure sogo ({{ic|/etc/sogo/sogo.conf}}), keeping both the sogo user and the sogo database and leaving the last part of the paths unchanged (see the example below).

To restore all user data, run:

 # for user in `ls -d /root/sogo-backup/*`
   do
     sogo-tool restore -f /root/sogo-backup $(basename $user)
   done

Restart sogo and it will use MySQL/MariaDB.

=== PostgreSQL ===

If you use PostgreSQL rather than MySQL/MariaDB, the older installation instructions apply. For a new installation, MySQL/MariaDB is recommended for storing sogo/openchange data.

Initialize the default database and start PostgreSQL (replace '''en_US.UTF-8''' with your locale):

 # mkdir -p /var/lib/postgres/data
 # chown -R postgres:postgres /var/lib/postgres
 # su - postgres -c "initdb --locale '''en_US.UTF-8''' -D '/var/lib/postgres/data'"

Then start and enable the {{ic|postgresql}} service.

Create the sogo user and the sogo database in PostgreSQL (the sogo user's password does not need to be strong; "sogo" is enough, since it is temporary and will be changed later):

 # su - postgres
 $ createuser --no-superuser --no-createdb --no-createrole --encrypted --pwprompt sogo
 $ createdb -O sogo sogo

Edit the access configuration for the openchange DB:

 # cp /var/lib/postgres/data/pg_hba.conf{,.bak}
 # sed \
   's/D$/D\n\n#Configuration for OpenChange/' \
   -i /var/lib/postgres/data/pg_hba.conf
 # sed \
   's/ange$/ange\nhost\topenchange\topenchange\t127.0.0.1\/32\t\tmd5/' \
   -i /var/lib/postgres/data/pg_hba.conf
 # chown postgres:postgres /var/lib/postgres/data/pg_hba.conf{,.bak}

Restart the {{ic|postgresql}} service.

== User database configuration ==

=== Active Directory ===

If you authenticate users against Active Directory, whether with Samba (see [[Samba/Active Directory ドメインコントローラ|Samba/Active Directory domain controller]]) or a Microsoft server, the attributes mail users need are already present in the default schema. However, each user must have both the ''mail'' and ''proxyAddresses'' attributes set. The ''proxyAddresses'' entry prefixed with '''SMTP''' (uppercase, not smtp) is the default e-mail address. If you use separate internal and external domains, set SMTP to the user's external address, and set the ''mail'' attribute to the user's external e-mail address as well.

For Samba, you can use the ''ldbedit'' command to edit users. In this example, we'll modify the "Administrator" user and add aliases for postmaster, as well as internal and external email addresses.
Replace ''vim'' in the following command with your preferred editor:

 # LDB_MODULES_PATH="/usr/lib/samba/ldb" ldbedit -e ''vim'' -H /var/lib/samba/private/sam.ldb '(samaccountname='''administrator''')'

It is important to change both the '''mail''' attribute (this is what will be used for group expansion and global address list functionality) and the primary '''SMTP''' address. The '''smtp''' entries for proxyAddresses act as aliases. Add the following attributes (again, substitute appropriate values for '''internal'''.'''domain'''.'''tld''' and '''domain'''.'''tld'''):

{{bc|1=...
mail: administrator@'''domain'''.'''tld'''
proxyAddresses: SMTP:administrator@'''domain'''.'''tld'''
proxyAddresses: smtp:postmaster@'''internal'''.'''domain'''.'''tld'''
proxyAddresses: smtp:postmaster@'''domain'''.'''tld'''
proxyAddresses: smtp:administrator@'''internal'''.'''domain'''.'''tld'''
...}}

If using Microsoft's Active Directory Users and Computers MMC snap-in to edit users, you'll need to enable "Show Advanced Features" from the Tools menu and use the Attribute Editor tab.

Next, allow daemons to look up users in the directory using LDAP. To do this, create an unprivileged user for LDAP lookups and optionally (recommended) set its password not to expire. If using Samba, execute the following commands. Be certain to set a suitably strong password:

 # samba-tool user create ldap --description="Unprivileged user for LDAP lookups"
 # samba-tool user setexpiry ldap --noexpiry

Finally, with Samba after 4.3.8 or 4.2.2, non-encrypted communication is disabled by default.
Add the following configuration item to the [global] section of {{ic|/etc/samba/smb.conf}} if you are not in a position to enable TLS or StartTLS:

{{bc|1=<nowiki>ldap server require strong auth = no</nowiki>}}

== Dovecot configuration ==

=== Basic configuration ===

Create a very basic dovecot configuration:

 # cp /etc/dovecot/dovecot.conf{.sample,}
 # chown root:root /etc/dovecot/dovecot.conf

Then create the file {{ic|/etc/dovecot/conf.d/local.conf}} with this content:

 auth_mechanisms = plain login
 disable_plaintext_auth = no
 ssl = no
 auth_username_format = %n
 mail_location = /home/vmail/%Lu/Maildir

Enable and start {{ic|dovecot}}.

=== User sources ===

==== Active Directory ====

Add the LDAP lookup configuration {{ic|/etc/dovecot/conf.d/ldap.conf}}:

 passdb ldap {
   driver = ldap
   args = /etc/dovecot/dovecot-ldap-passdb.conf
 }
 userdb ldap {
   driver = ldap
   args = /etc/dovecot/dovecot-ldap-userdb.conf
 }

Set permissions:

 # chmod 0644 /etc/dovecot/conf.d/ldap.conf
 # chown root:root /etc/dovecot/conf.d/ldap.conf

Create the LDAP user and password configuration files (replace dc='''internal''',dc='''domain''',dc='''tld''', '''INTERNAL''', and '''ldapPW''' with appropriate values).
Remove the tls lines below if you haven't enabled the TLS configuration in your directory:

{{ic|/etc/dovecot/dovecot-ldap-passdb.conf}}

 hosts = localhost
 auth_bind = yes
 auth_bind_userdn = '''INTERNAL'''\%u
 ldap_version = 3
 tls = yes
 base = dc='''internal''',dc='''domain''',dc='''tld'''
 scope = subtree
 deref = never
 pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))

{{ic|/etc/dovecot/dovecot-ldap-userdb.conf}}

 hosts = localhost
 dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''
 dnpass = '''ldapPW'''
 ldap_version = 3
 tls = yes
 base = cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''
 user_attrs = =uid=5000,=gid=5000,=home=/home/vmail/%Lu,=mail=maildir:/home/vmail/%Lu/Maildir/
 user_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
 # Attributes and filter to get a list of all users
 iterate_attrs = sAMAccountName=user
 iterate_filter = (objectClass=person)

Set permissions (the userdb file holds the bind password, so it is not group or world readable; the passdb file binds as the user and holds no secret):

 # chown root:root /etc/dovecot/dovecot-ldap-{pass,user}db.conf
 # chmod 0600 /etc/dovecot/dovecot-ldap-userdb.conf
 # chmod 0644 /etc/dovecot/dovecot-ldap-passdb.conf

Create the SASL configuration {{ic|/etc/dovecot/conf.d/sasl.conf}}:

 service auth {
   unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     user = postfix
     group = postfix
   }
 }

Set permissions:

 # chmod 0644 /etc/dovecot/conf.d/sasl.conf
 # chown root:root /etc/dovecot/conf.d/sasl.conf

Reload Dovecot for the configuration to take effect:

 # dovecot reload

=== Testing Dovecot authentication ===

Create the vmail user and group:

 # groupadd -g 5000 vmail
 # useradd -u 5000 -g vmail -s /usr/bin/nologin -d /home/vmail -m vmail
 # chmod 750 /home/vmail

Open a ''telnet'' session and test (commands you enter are in bold; replace ''Administrator'' with a valid user account and ''UserPass'' with your real password):

 '''telnet localhost 143'''
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
 '''a LOGIN Administrator UserPass'''
 . OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
 '''a LOGOUT'''
 * BYE Logging out
 . OK Logout completed.
 Connection closed by foreign host.

If anything other than OK is returned, go back and double check the configuration before continuing.

=== LMTP configuration ===

Create the LMTP configuration file {{ic|/etc/dovecot/conf.d/lmtp.conf}}:

 mail_location = /home/vmail/%Lu/Maildir
 service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     mode = 0600
     user = postfix
     group = postfix
   }
   user = vmail
 }
 protocol lmtp {
   postmaster_address = postmaster@'''domain'''.'''tld'''
 }

 # chmod 0644 /etc/dovecot/conf.d/lmtp.conf
 # dovecot reload

=== TLS configuration ===

Put your certificates into place and create the TLS configuration file {{ic|/etc/dovecot/conf.d/tls.conf}} (adjust paths and names as necessary). The key file should be owned by root with 0400 permissions. Any intermediate certificates should be concatenated after the public cert:

 ssl = yes
 ssl_cert = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.pem
 ssl_key = </etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key

 # chmod 644 /etc/dovecot/conf.d/tls.conf
 # chmod 600 /etc/dovecot/ssl/'''host'''.'''domain'''.'''tld'''.key

Remove the earlier explicitly defined values from {{ic|local.conf}} and reload Dovecot:

 # sed -e '/^ssl/d' -e '/disable_plaintext/s/no/yes/' \
   -i /etc/dovecot/conf.d/local.conf
 # dovecot reload

=== Sieve configuration ===

Edit {{ic|/etc/dovecot/dovecot.conf}}, uncomment the protocols line and add sieve as a service (remove pop3 as well if you do not intend to provide POP access):

 protocols = imap lmtp sieve

Append the following to {{ic|/etc/dovecot/conf.d/local.conf}}:

 ...
 plugin {
   sieve_before = /home/vmail/sieve/spam-global.sieve
   sieve = /home/vmail/%Lu/dovecot.sieve
   sieve_dir = /home/vmail/%Lu/sieve
 }

Create the global sieve directory:

 # mkdir -p /home/vmail/sieve/

Create the {{ic|/home/vmail/sieve/spam-global.sieve}} file with the following contents:

 require "fileinto";
 if header :contains "X-Spam-Flag" "YES" {
   fileinto "Spam";
 }

Set permissions on the directory (and file):

 # chown -R vmail:vmail /home/vmail/sieve

Modify the {{ic|/etc/dovecot/conf.d/lmtp.conf}} file, adding the bold text below:

 mail_location = /home/vmail/%Lu/Maildir
 service lmtp {
   unix_listener /var/spool/postfix/private/dovecot-lmtp {
     mode = 0600
     user = postfix
     group = postfix
   }
   user = vmail
 }
 protocol lmtp {
   postmaster_address = postmaster@domain.tld
   '''mail_plugins = sieve'''
 }
 '''plugin {'''
   '''sieve_before = /home/vmail/sieve/spam-global.sieve'''
   '''sieve = /home/vmail/%Lu/dovecot.sieve'''
   '''sieve_dir = /home/vmail/%Lu/sieve'''
 '''}'''

Reload dovecot.

== Postfix configuration ==

=== Basic configuration ===

Create a minimal Postfix configuration (replace '''server'''.'''internal'''.'''domain.tld''' with a valid internal FQDN):

 # postconf -e myhostname='''server'''.'''internal'''.'''domain.tld'''
 # postconf -e mydestination=localhost

If this server will be accessible from the internet, set the HELO/EHLO values to match the FQDN as seen from the internet (replace '''mail'''.'''domain'''.'''tld'''):

 # postconf -e smtp_helo_name='''mail'''.'''domain'''.'''tld'''
 # postconf -e smtpd_banner='$smtp_helo_name ESMTP $mail_name'

Enable and start {{ic|postfix}}.
Configure Postfix to use the vmail user and group:

 # postconf -e virtual_minimum_uid=5000
 # postconf -e virtual_uid_maps=static:5000
 # postconf -e virtual_gid_maps=static:5000
 # postconf -e virtual_mailbox_base=/home/vmail
 # postfix reload

=== User sources ===

==== Active Directory ====

Now create LDAP alias and group maps for Postfix by pasting the following lines into the file {{ic|/etc/postfix/ldap-alias.cf}} as root (replace dc='''internal''',dc='''domain''',dc='''tld''' with appropriate values and '''ldapPW''' with the password of the ldap user). If TLS has not been configured for your directory, remove the start_tls line:

 # Directory settings
 server_host = 127.0.0.1
 search_base = dc='''internal''',dc='''domain''',dc='''tld'''
 scope = sub
 version = 3
 start_tls = yes
 
 # User Binding
 bind = yes
 bind_dn = cn=ldap,cn=users,dc='''internal''',dc='''domain''',dc='''tld'''
 bind_pw = '''ldapPW'''
 
 # Filter
 query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
 result_attribute = samaccountname
 result_format = %s@'''internal'''.'''domain'''.'''tld'''

Create the group map:

 # sed -e '/^query/d' \
   -e '/^result/d' \
   /etc/postfix/ldap-alias.cf > /etc/postfix/ldap-group.cf

Append the following lines to the newly created {{ic|/etc/postfix/ldap-group.cf}} (in the #Filter section):

 query_filter = (&(objectclass=group)(mail=%s))
 special_result_attribute = member
 leaf_result_attribute = mail

Set the permissions (both files contain the bind password):

 # chmod 0600 /etc/postfix/ldap-{alias,group}.cf

Next, test the lookup maps for users (groups have not yet been created), substituting '''internal.domain.tld''':

 # postmap -q administrator@'''domain.tld''' ldap:/etc/postfix/ldap-alias.cf
 # postmap -q administrator@'''internal.domain.tld''' ldap:/etc/postfix/ldap-alias.cf

The following output should be displayed for both commands:

 Administrator@internal.domain.tld

Append any other hosted domains to the first command below, add the maps, and then reload the Postfix configuration (again replacing domain values):

 # postconf -e virtual_mailbox_domains="'''domain.tld''', '''internal.domain.tld'''"
 # postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-group.cf"
 # postfix reload

=== SASL configuration ===

Modify the default smtpd instance:

 # postconf -e smtpd_sasl_type=dovecot
 # postconf -e smtpd_sasl_path=private/auth
 # postconf -e smtpd_sasl_auth_enable=yes
 # postconf -e smtpd_relay_restrictions="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"

=== LMTP configuration ===

Use dovecot LMTP for delivery:

 # postconf -e virtual_transport=lmtp:unix:private/dovecot-lmtp

=== TLS configuration ===

If you intend to use STARTTLS (as you should), enable the mail submission port and restrict it to authenticated clients. Edit the following lines in {{ic|/etc/postfix/master.cf}}:

 submission inet n       -       n       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf
   -o smtpd_sender_restrictions=reject_sender_login_mismatch
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

Add SSL certificates. If you intend to put Postfix in a chroot jail (not discussed in this guide), these need to be placed in the Postfix configuration directory as opposed to the default /etc/ssl/private directory.
Additionally, any intermediate certs should be concatenated with the public cert first in the chain, and the key file should be owned by root with permission mode 0400 (replace '''mail.domain.tld'''):

 # postconf -e smtpd_tls_key_file=/etc/postfix/ssl/'''mail.domain.tld.key'''
 # postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/'''mail.domain.tld.pem'''

Create a map, {{ic|/etc/postfix/ldap-sender.cf}}, that verifies sender addresses against the authenticated user:

 # Directory settings
 server_host = localhost
 search_base = dc='''internal''',dc='''domain''',dc='''tld'''
 version = 3
 scope = sub
 
 # User Binding
 bind = yes
 bind_dn = cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''
 bind_pw = '''ldapPW'''
 
 # Filter
 query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
 leaf_result_attribute = proxyAddresses
 result_attribute = sAMAccountName

Set permissions:

 # chown root:root /etc/postfix/ldap-sender.cf
 # chmod 0640 /etc/postfix/ldap-sender.cf

If you would like to enable TLS on the default SMTP port, make it optional. If you make it required, you will not be able to receive mail from many hosts on the internet.

 # postconf -e smtpd_tls_security_level=may

Reload postfix to apply the configuration changes:

 # postfix reload

=== Testing the Postfix SASL configuration ===

Begin by getting a base64 encoded version of the username and password (replace '''Administrator''' with a valid username and '''UserPass''' with your real password):

 $ echo -ne '\000'''Administrator'''\000'''UserPass'''' | openssl base64

You should receive output similar to the following:

 AEFkbWluaXN0cmF0b3IAVXNlclBhc3M=

Now, open a ''telnet'' session and test (commands you enter are in bold; replace '''host.domain.tld''' with the real external FQDN and '''AEFkbWluaXN0cmF0b3IAVXNlclBhc3M=''' with the result of the previous command):

 $ '''telnet localhost 25'''
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 host.domain.tld ESMTP Postfix
 '''ehlo host.domain.tld'''
 250-mail.lucasit.com
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH PLAIN LOGIN
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
 '''AUTH PLAIN AEFkbWluaXN0cmF0b3IAVXNlclBhc3M='''
 235 2.7.0 Authentication successful
 '''quit'''
 221 2.0.0 Bye
 Connection closed by foreign host.

If anything other than a 235 message is returned, something is wrong and you should troubleshoot now rather than later.

== SOGo configuration ==

=== Basic configuration ===

Edit the SOGo http configuration file, {{ic|/etc/httpd/conf/extra/SOGo.conf}}, and comment out the following lines for testing (until SSL certs are in place and configuration is complete):

{{bc|
## adjust the following to your configuration
# RequestHeader set "x-webobjects-server-port" "443"
# RequestHeader set "x-webobjects-server-name" "yourhostname"
# RequestHeader set "x-webobjects-server-url" "<nowiki>https://yourhostname</nowiki>"
}}

Create a suitable SOGo configuration file in {{ic|/etc/sogo/sogo.conf}} (replace items in bold with appropriate values).
If using PostgreSQL, replace the "mysql:" lines with the appropriate "postgresql:" lines (as above):

 {
   /* Database Configuration */
   SOGoProfileURL = "mysql://sogo:'''SogoPW'''@localhost/sogo/sogo_user_profile";
   OCSFolderInfoURL = "mysql://sogo:'''SogoPW'''@localhost/sogo/sogo_folder_info";
   OCSSessionsFolderURL = "mysql://sogo:'''SogoPW'''@localhost/sogo/sogo_sessions_folder";
 
   /* Mail */
   SOGoDraftsFolderName = Drafts;
   SOGoSentFolderName = Sent;
   SOGoTrashFolderName = Trash;
   SOGoIMAPServer = localhost;
   SOGoSieveServer = sieve://127.0.0.1:4190;
   SOGoSMTPServer = 127.0.0.1;
   SOGoMailDomain = '''internal'''.'''domain'''.'''tld''';
   SOGoMailingMechanism = smtp;
   SOGoForceExternalLoginWithEmail = NO;
   SOGoMailSpoolPath = /var/spool/sogo;
   NGImap4ConnectionStringSeparator = "/";
 
   /* Notifications */
   SOGoAppointmentSendEMailNotifications = YES;
   SOGoACLsSendEMailNotifications = NO;
   SOGoFoldersSendEMailNotifications = NO;
 
   /* Authentication */
   SOGoPasswordChangeEnabled = YES;
 
   /* Web Interface */
   SOGoPageTitle = SOGo;
   SOGoVacationEnabled = YES;
   SOGoForwardEnabled = YES;
   SOGoSieveScriptsEnabled = YES;
   SOGoMailAuxiliaryUserAccountsEnabled = YES;
   SOGoTrustProxyAuthentication = NO;
 
   /* General */
   SOGoLanguage = '''English''';
   SOGoTimeZone = '''America/Chicago''';
   SOGoCalendarDefaultRoles = (
     PublicDAndTViewer,
     ConfidentialDAndTViewer
   );
   SOGoSuperUsernames = ('''administrator''');
   SxVMemLimit = 384;
   //WOPidFile = "/var/run/sogo/sogo.pid";
   SOGoMemcachedHost = "'''127.0.0.1'''";
 
   /* Debug */
   //SOGoDebugRequests = YES;
   //SoDebugBaseURL = YES;
   //ImapDebugEnabled = YES;
   //LDAPDebugEnabled = YES;
   //PGDebugEnabled = YES;
   //MySQL4DebugEnabled = YES;
   //SOGoUIxDebugEnabled = YES;
   //WODontZipResponse = YES;
   //WOLogFile = /var/log/sogo/sogo.log;
 }

Then issue the following commands (the file now contains the database password, so it is restricted to the sogo user):

 # chown sogo:sogo /etc/sogo/sogo.conf
 # chmod 0600 /etc/sogo/sogo.conf
 # mkdir /var/spool/sogo
 # chown sogo:sogo /var/spool/sogo
 # chmod 700 /var/spool/sogo

=== SOGo user sources ===

==== Active Directory ====

Modify the {{ic|/etc/sogo/sogo.conf}} file and add the LDAP user sources (and global address list). Place the following contents before the ''Web Interface'' section. If TLS is not configured for your directory, exclude the "'''/????!StartTLS'''" strings at the end of the LDAP URIs:

   /* User Authentication */
   SOGoUserSources = (
     {
       id = directory;
       displayName = "Active Directory";
       canAuthenticate = YES;
       type = ldap;
       CNFieldName = cn;
       IDFieldName = sAMAccountName;
       UIDFieldName = sAMAccountName;
       baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";
       bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";
       bindFields = (sAMAccountName);
       bindPassword = '''ldapPW''';
       hostname = ldap://'''server'''.'''internal'''.'''domain'''.'''tld''':389/????!StartTLS;
     },
     {
       id = sambaShared;
       displayName = "Shared Addressbook";
       canAuthenticate = NO;
       isAddressBook = YES;
       type = ldap;
       CNFieldName = cn;
       IDFieldName = mail;
       UIDFieldName = mail;
       hostname = ldap://'''server'''.'''internal'''.'''domain'''.'''tld''':389/????!StartTLS;
       baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";
       bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";
       bindPassword = '''ldapPW''';
       filter = "((NOT isCriticalSystemObject='TRUE') AND (mail=\'*\') AND (NOT objectClass=contact))";
       //Uncomment to list local users in WebUI without searching (small directories only)
       //listRequiresDot = NO;
     },
     {
       id = sambaContacts;
       displayName = "Shared Contacts";
       canAuthenticate = NO;
       isAddressBook = YES;
       type = ldap;
       CNFieldName = cn;
       IDFieldName = mail;
       UIDFieldName = mail;
       hostname = ldap://'''server'''.'''internal'''.'''domain'''.'''tld''':389/????!StartTLS;
       baseDN = "dc='''internal''',dc='''domain''',dc='''tld'''";
       bindDN = "cn=ldap,cn=Users,dc='''internal''',dc='''domain''',dc='''tld'''";
       bindPassword = '''ldapPW''';
       filter = "((((objectClass=person) AND (objectClass=contact) AND ((uidNumber>=2000) OR (mail='*'))) AND (NOT isCriticalSystemObject='TRUE') AND (NOT showInAdvancedViewOnly='TRUE') AND (NOT uid=Guest)) OR (((objectClass=group) AND (gidNumber>=2000)) AND (NOT isCriticalSystemObject='TRUE') AND (NOT showInAdvancedViewOnly='TRUE')))";
       mapping = {
         displayname = ("cn");
       };
       //Uncomment to list contacts in WebUI without searching (few contacts only)
       //listRequiresDot = NO;
     }
   );

=== Completing the configuration ===

Now enable and start the {{ic|memcached}} service and restart the {{ic|sogo}} service. Test by visiting http://'''server.internal.domain.tld'''/SOGo/ .

== Final web server configuration ==

=== Apache ===

If all is well with SOGo without SSL, go ahead and enable SSL in httpd if using Apache (modify paths and filenames as necessary):

 # sed -e '/httpd-ssl.conf/s/#//' \
   -e '/modules\/mod_ssl.so/s/#//' \
   -e '/mod_socache_shmcb/s/#//' \
   -i /etc/httpd/conf/httpd.conf
 # sed -e '/^SSLCertificateFile/s@/etc/httpd/conf/server.crt@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.pem@' \
   -e '/^SSLCertificateKeyFile/s@/etc/httpd/conf/server.key@/etc/httpd/ssl/'''mail'''.'''domain'''.'''tld'''.key@' \
   -i /etc/httpd/conf/extra/httpd-ssl.conf

Now edit the {{ic|/etc/httpd/conf/extra/SOGo.conf}} file, uncomment the following lines and edit them to suit your site:

 ## adjust the following to your configuration
 RequestHeader set "x-webobjects-server-port" "443"
 RequestHeader set "x-webobjects-server-name" "'''mail'''.'''domain'''.'''tld'''"
 RequestHeader set "x-webobjects-server-url" "<nowiki>https://</nowiki>'''mail'''.'''domain'''.'''tld'''"

Restart the {{ic|httpd}} service for the changes to take effect. Go to the regular http page and it should redirect you to the https site.

=== nginx ===

Since the nginx configuration was already set up for SSL, nothing more needs to be done.

== ActiveSync configuration ==

=== Apache ===

To add ActiveSync support, uncomment the following lines in {{ic|/etc/httpd/conf/extra/SOGo.conf}}:

 ...
 ProxyPass /Microsoft-Server-ActiveSync \
  <nowiki>http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync</nowiki> \
  retry=60 connectiontimeout=5 timeout=3600
 ...

This will result in extended locking delays if you have more than a handful of users, so some tuning is required. You may notice that the above line was changed from 360 seconds to 3600 seconds (one hour). This is because EAS devices need to keep their HTTP connections open for very long times (up to one hour). Because of this, you will need to tell SOGo (see below) to honor that timeout.

=== nginx ===

Add the following to your server definition for SOGo in {{ic|/etc/nginx/nginx.conf}}:

 ...
 location ^~ /Microsoft-Server-ActiveSync {
   proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
   proxy_redirect http://127.0.0.1:20000/Microsoft-Server-ActiveSync /;
 }
 location ^~ /SOGo/Microsoft-Server-ActiveSync {
   proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;
   proxy_redirect http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync /;
 }
 ...

Additional tuning may be required for the parameters in the SOGo section below (timeout, retry, and next host values, specifically).

=== SOGo ===

As stated above for the listed HTTP servers, some tuning is required to use EAS. While the timeouts below (59 minutes) are appropriate for the HTTP session timeout set above, the number of workers depends on the number of simultaneous EAS clients you must support. In short, you will always need more workers than EAS clients so that another worker can be started for push operations. Additionally, the sync interval lets you reduce the load on the server so that less delay is generated; it depends on the total number of clients. The SOGo configuration guide, available at http://sogo.nu/files/docs/SOGoInstallationGuide.pdf, lists two example configurations. The 100-user example with 10 EAS users was chosen for this article.
Append the following lines to {{ic|/etc/sogo/sogo.conf}}, making sure that they are placed before the closing brace ("}") character:

   /* ActiveSync */
   WOWorkersCount = 15;
   SOGoMaximumPingInterval = 3540;
   SOGoMaximumSyncInterval = 3540;
   SOGoInternalSyncInterval = 30;
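Several files created in this guide end up holding the ldap bind password or the database password ({{ic|dovecot-ldap-userdb.conf}}, the Postfix {{ic|ldap-*.cf}} maps, {{ic|sogo.conf}}), and the guide restricts each of them individually. The following script is an added example, not part of this article or of SOGo: it walks those files, recognises the secret-bearing settings named above (dnpass, bind_pw, bindPassword, and mysql:// or postgresql:// URLs with an embedded password) and reports any such file that is still readable by group or others. It assumes POSIX sh with ls, cut and grep, and the file paths used in this guide.

```shell
#!/bin/sh
# Post-install audit of the secret-bearing files this guide creates.
# Added example; it is not part of the ArchWiki article or of SOGo itself.
# Assumes POSIX sh plus ls/cut/grep, and the file paths used in the guide.

# Files the guide fills with a directory bind password or a database URL.
# Files that do not exist on the host are skipped, so a partial install is fine.
SOGO_SECRET_FILES='/etc/sogo/sogo.conf
/etc/dovecot/dovecot-ldap-passdb.conf
/etc/dovecot/dovecot-ldap-userdb.conf
/etc/postfix/ldap-alias.cf
/etc/postfix/ldap-group.cf
/etc/postfix/ldap-sender.cf'

# has_bind_secret FILE
# Succeeds (exit 0) when FILE carries a credential that must stay private:
# Dovecot "dnpass", Postfix "bind_pw", SOGo "bindPassword", or a
# mysql://user:password@ / postgresql://user:password@ database URL.
has_bind_secret() {
    grep -Eq '^[[:space:]]*(dnpass|bind_pw|bindPassword)[[:space:]]*=|(mysql|postgresql)://[^:/]+:[^@]+@' "$1"
}

# group_or_other_readable FILE
# Succeeds when any group or other permission bit is set. Reads the
# "ls -l" mode string (columns 5-10), which works on GNU and BSD alike.
group_or_other_readable() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# audit_secret_files FILE...
# Prints one line per file that holds a secret but is readable by group
# or others; returns 1 if any such file was found, 0 otherwise.
# Files without a secret (e.g. dovecot-ldap-passdb.conf, which uses
# auth_bind and so needs no password) may legitimately stay 0644.
audit_secret_files() {
    audit_bad=0
    for audit_file in "$@"; do
        [ -f "$audit_file" ] || continue
        if has_bind_secret "$audit_file" && group_or_other_readable "$audit_file"; then
            printf 'INSECURE %s %s: holds a bind password or DB URL\n' \
                "$(ls -ld "$audit_file" | cut -c1-10)" "$audit_file"
            audit_bad=1
        fi
    done
    return "$audit_bad"
}

# Usage: sh sogo-secret-audit.sh [FILE...]
# With no arguments the files from this guide are checked.
if [ "$#" -gt 0 ]; then
    audit_secret_files "$@"
else
    audit_secret_files $SOGO_SECRET_FILES
fi
```

A non-zero exit status means at least one listed file needs the chown/chmod step from its section repeated.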