
Install and configure openchange under CentOS 6.5

In the Russian-language internet, and on the internet in general, little is said about such an interesting product as OpenChange.
In theory, OpenChange and its associated components should completely replace MS Exchange Server, but in practice this is not entirely possible.
Those who are interested, read on: this post describes the installation on CentOS 6.5.


I should say up front that the product is rather raw and is not suitable for a large organization.

Initial data:
1) A large domain with subdomains and various trust relationships with other domains.
2) Because a large firm was split into separate legal entities, the need arose for a mail system of our own.
3) Users are used to perks such as shared calendars, the address book and so on.
Solution: postfix + dovecot, and try to bolt openchange onto all this in a test domain.

Installation


The installation was performed on the CentOS distribution; iptables and SELinux were disabled for the test (on a production host you would keep both and open only the ports that are actually in use).
Initially, postfix and dovecot were installed and configured with authentication against AD.
There are plenty of installation manuals on the internet, so I will not go into the details, but I will say right away that I used only the standard repositories.
LMTP is used as the internal transport.
To synchronize messages received via MAPI and IMAP, the following lines were added to the dovecot configuration:
passdb {
  driver = static
  args = nopassword=y allow_nets=127.0.0.1/32
}

This is required so that openchange can authenticate to dovecot. Be aware of what it grants: a static passdb with nopassword=y accepts any password, so any process that can reach dovecot from 127.0.0.1 can log in as any user; keep allow_nets limited to loopback and never widen it to other networks.
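As an added example (not part of the original post), here is a shell check that reads a dovecot config and confirms the static passdb only grants password-less logins from loopback. The three config fragments it runs against are constructed for the check; the first one is the fragment from this post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the static passdb
# added for openchange is restricted to loopback. Sample configs are constructed.

# Print the allow_nets value of every static passdb block in a dovecot config
# file; prints nothing if there is no static passdb or it has no allow_nets.
static_passdb_allow_nets() {
    awk '
        /^[[:space:]]*passdb[[:space:]]*[{]/ { inblk = 1; static = 0; args = "" }
        inblk && /driver[[:space:]]*=[[:space:]]*static/ { static = 1 }
        inblk && /^[[:space:]]*args[[:space:]]*=/ { args = $0 }
        inblk && /^[[:space:]]*[}]/ { if (static) print args; inblk = 0 }
    ' "$1" | sed -n 's/.*allow_nets=\([^[:space:]]*\).*/\1/p'
}

# Return 0 when every net in allow_nets is a loopback net (inside 127.0.0.0/8,
# or ::1); return 1 when the static passdb has no allow_nets at all (anyone who
# reaches the socket gets in) or lists a wider net.
static_passdb_loopback_only() {
    conf=$1
    if ! grep -q 'driver[[:space:]]*=[[:space:]]*static' "$conf"; then
        echo "$conf: no static passdb, nothing to check"
        return 0
    fi
    nets=$(static_passdb_allow_nets "$conf")
    if [ -z "$nets" ]; then
        echo "$conf: static passdb without allow_nets: password-less login from anywhere"
        return 1
    fi
    rc=0
    for net in $(printf '%s' "$nets" | tr ',' ' '); do
        case $net in
            ::1|::1/128) ;;                      # IPv6 loopback
            127.*)
                prefix=${net#*/}                 # "127.0.0.1/32" -> "32"; a bare host stays unchanged
                if [ "$prefix" != "$net" ] && [ "$prefix" -lt 8 ]; then
                    echo "$conf: $net is wider than 127.0.0.0/8"; rc=1
                fi ;;
            *)  echo "$conf: $net is not a loopback net"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: the post's fragment, one widened to a LAN, one without
# allow_nets.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    printf 'passdb {\n  driver = static\n  args = nopassword=y allow_nets=127.0.0.1/32\n}\n' > "$dir/loopback.conf"
    printf 'passdb {\n  driver = static\n  args = nopassword=y allow_nets=127.0.0.1/32,10.0.0.0/8\n}\n' > "$dir/lan.conf"
    printf 'passdb {\n  driver = static\n  args = nopassword=y\n}\n' > "$dir/open.conf"
}

# Demo run over the samples when executed stand-alone.
d=$(mktemp -d)
write_samples "$d"
for f in loopback lan open; do
    if static_passdb_loopback_only "$d/$f.conf"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
rm -rf "$d"
```

Run it against the real file (for example the conf.d file holding the passdb block) after every dovecot change; the open.conf case is the one that bites when someone later removes allow_nets while debugging a login problem.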
Now let's proceed directly to installing openchange.
Add the required repository (as a file under /etc/yum.repos.d/, for example sogo.repo):
[sogo-rhel6]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL6/$basearch
gpgcheck=0
enabled=1

Two remarks on this file: the option is spelled enabled, not enable, and gpgcheck=0 switches off signature verification for everything installed from this repository over plain HTTP. If the vendor publishes a signing key for the repository, import it and set gpgcheck=1 instead.
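As an added example (not part of the original post), a small lint for a one-section yum .repo file that reports the settings which decide whether you can trust what yum install pulls in. The two sample files are constructed here; the first is the file from this post, and the gpgkey path in the hardened version is an assumed location for an imported key, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): lint a yum .repo definition for
# supply-chain settings. Sample files are constructed; the gpgkey path in the
# hardened sample is an assumption.

# Normalise a one-section .repo file: drop comments and blank lines and the
# spaces around "=" so every setting reads "key=value".
repo_settings() {
    sed -e 's/^[[:space:]]*//' -e '/^[#;]/d' -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Print one line per finding and return the number of findings (0 = clean).
repo_lint() {
    file=$1
    s=$(repo_settings "$file")
    n=0
    if ! printf '%s\n' "$s" | grep -qx 'gpgcheck=1'; then
        echo "$file: gpgcheck is not 1, package signatures are not verified"; n=$((n + 1))
    fi
    if ! printf '%s\n' "$s" | grep -q '^gpgkey='; then
        echo "$file: no gpgkey, nothing to verify signatures against"; n=$((n + 1))
    fi
    if printf '%s\n' "$s" | grep -q '^baseurl=http://'; then
        echo "$file: baseurl is plain http, metadata and packages can be altered in transit"; n=$((n + 1))
    fi
    if printf '%s\n' "$s" | grep -q '^enable='; then
        echo "$file: 'enable' is not a yum option, the key is 'enabled'"; n=$((n + 1))
    fi
    return $n
}

# Constructed samples: the repo file as posted, and a hardened version.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/sogo-as-posted.repo" <<'EOF'
[sogo-rhel6]
name=Inverse SOGo Repository
baseurl=http://inverse.ca/downloads/SOGo/RHEL6/$basearch
gpgcheck=0
enable=1
EOF
    cat > "$dir/sogo-hardened.repo" <<'EOF'
[sogo-rhel6]
name=Inverse SOGo Repository
baseurl=https://inverse.ca/downloads/SOGo/RHEL6/$basearch
gpgcheck=1
# assumed location of the vendor key after "rpm --import"
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sogo
enabled=1
EOF
}

# Demo run when executed stand-alone.
d=$(mktemp -d)
write_samples "$d"
for f in "$d"/*.repo; do
    n=0
    repo_lint "$f" || n=$?
    echo "$f: $n finding(s)"
done
rm -rf "$d"
```

The as-posted file produces four findings and the hardened one none. The lint assumes one [section] per file, which is how the post's file is laid out.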

Run the installation:
yum install samba4 openchange sogo-openchange-backend openchange-ocsmanager openchange-rpcproxy sogo

I prefer MySQL to PostgreSQL, so SOGo will run on MySQL.
Additionally, install mysql and the SOGo connector for it:
yum install mysql-server sope49-gdl1-mysql


Samba setup


We join our samba4 to the Windows AD:
samba-tool domain join testmail.local DC -UAdministrator --realm=testmail.local

The join is automatic; you only need to enter the password for the Administrator account.
Add the following lines to /etc/samba4/smb.conf:
# Begin OpenChange Server Configuration
dcerpc endpoint servers = +epmapper, +mapiproxy, +dnsserver
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
# End OpenChange Server configuration

After that we start samba:
samba -d 3 -i -M single

Just in case, I will explain what this command means:
-d is debug mode; the number 3 is the debug level.
-i is interactive, i.e. all output goes to the console.
-M single is the process model: a single process, without forking.
For reasons I do not understand, samba4 does not open the necessary sockets if you run it with a bare samba command, and through the init script it refuses to start with this configuration in smb.conf.
Therefore we have to launch it with the command above, but it can be sent to the background perfectly well through nohup.

After starting, we check that replication works:
samba-tool drs kcc -Uadministrator dcmail.testmail.local
samba-tool drs showrepl

OpenChange modifies the AD schema for its own needs, but only does so when it is itself the schema master.
We move the schema master role to our Linux controller:
samba-tool fsmo seize --role=schema

Keep in mind that seize takes the role by force and that a schema extension is not something you can simply roll back; on a live forest prefer the cooperative samba-tool fsmo transfer --role=schema, and try the whole thing on a test domain first, as is done here.

Run the openchange provisioning:
openchange_provision
openchange_provision --openchangedb

After that, restart samba.

Proceed to setting up ocsmanager


vim /etc/ocsmanager/ocsmanager.ini
Change the LDAP connection settings:
[main]
# Possible authentication system
auth = ldap
mapistore_root = /var/lib/samba4/private
mapistore_data = /var/lib/samba4/private/mapistore
debug = no

[auth:ldap]
#host = ldap://localhost
host = mail.testmail.local
port = 3268
bind_dn = CN=user,CN=users,DC=testmail,DC=local
bind_pw = password
basedn = CN=Users,dc=testmail,dc=local

[rpcproxy:ldap]
host = mail.testmail.local
port = 389
basedn = CN=Users,dc=testmail,dc=local

We also indicate where samba is:
SAMBA_HOST = 127.0.0.1

In the LDAP and SAMBA_HOST settings you can specify the Windows domain controller; this does not affect correct operation. Two things to keep in mind: 3268 is the global catalog port and 389 is plain LDAP, so unless the LDAP host is local the bind_pw password crosses the network unencrypted, and the file itself holds that password in clear text, so it should be readable only by the account ocsmanager runs as.
Start ocsmanager:
service openchange-ocsmanager start

Sogo setup



Create the database and user:
CREATE DATABASE `sogo` CHARACTER SET = 'utf8';
CREATE USER 'sogo'@'localhost' IDENTIFIED BY 'sogo';
GRANT ALL PRIVILEGES ON `sogo`.* TO 'sogo'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;

Outside a test box, use a real password instead of 'sogo'; SOGo also does not need WITH GRANT OPTION, so it can be left off.


Edit the config /etc/sogo/sogo.conf

Specify where the database is (these URLs embed the database password, another reason to keep sogo.conf readable only by the sogo user):
SOGoProfileURL = "mysql://sogo:sogo@localhost:3306/sogo";
OCSFolderInfoURL = "mysql://sogo:sogo@localhost:3306/sogo/sogo_folder_info";
OCSSessionsFolderURL = "mysql://sogo:sogo@localhost:3306/sogo/sogo_sessions_folder";

Specify the mail folder names, as well as the IMAP and postfix servers:
// SOGoDraftsFolderName = Drafts; with this line samba crashed for me with errors that were not always reproducible, so unfortunately drafts go to the trash.
SOGoDraftsFolderName = Trash;
SOGoSentFolderName = Sent;
SOGoTrashFolderName = Trash;
SOGoIMAPServer = imaps://localhost:993;
SOGoSMTPServer = 127.0.0.1;
SOGoMailDomain = testmail.local;
SOGoMailingMechanism = smtp;
SOGoForceExternalLoginWithEmail = NO;
SOGoMailSpoolPath = /var/spool/sogo;
NGImap4ConnectionStringSeparator = "/";

Specify the location of the LDAP server:
SOGoUserSources = (
  {
    type = ldap;
    CNFieldName = cn;
    UIDFieldName = sAMAccountName;
    baseDN = "CN=users,DC=testmail,DC=local";
    bindDN = "CN=user,CN=users,DC=testmail,DC=local";
    bindFields = (sAMAccountName, mail);
    bindPassword = password;
    canAuthenticate = YES;
    displayName = "Public";
    hostname = "dcmail.testmail.local"; // This is the Windows controller
    port = "389";
    filter = "mail='*'";
    id = testmail.local;
    isAddressBook = NO;
  }
);

The key point: if you specify our samba as the hostname, samba hangs solid when you try to log in from Outlook.
But maybe this is a bug only on my server.

Specify the language and time zone:
SOGoLanguage = Russian;
SOGoTimeZone = Europe/Moscow;


Optionally, you can also enable the web interface, but for me the layout was broken in all browsers.
/* Web Interface */
SOGoPageTitle = SOGo;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;
SOGoSieveScriptsEnabled = YES;
SOGoMailAuxiliaryUserAccountsEnabled = YES;
SOGoTrustProxyAuthentication = NO;

Also, if you use the web interface, remember to specify which IP address SOGo will listen on (by default 127.0.0.1):
WOPort = "0.0.0.0:20000";
Binding to 0.0.0.0 exposes port 20000 on every interface; if SOGo is only ever reached through Apache on the same host, the default 127.0.0.1 is the safer choice.
Run sogo:
service sogod start

Now the web part.
In /etc/httpd/conf.d/rpcproxy.conf specify the parameter SetEnv SAMBA_HOST 127.0.0.1
Grant the /var/cache/ntlmauthhandler directory to the web server user:
chown -R apache:apache /var/cache/ntlmauthhandler


It is desirable to use SSL: Outlook Anywhere credentials and the SOGo session otherwise travel in the clear. Install mod_ssl and generate a certificate.
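As an added example (not part of the original post), here is how to generate the certificate for the mod_ssl vhost in front of rpcproxy and SOGo, with a subjectAltName, which is the name Outlook and browsers compare against the server name. The hostname mail.testmail.local is the one used in this post; the output directory, key size and lifetime are assumptions for a test box, and a self-signed certificate still has to be trusted on every Outlook client (or replaced with one from a CA the clients already trust).

```shell
#!/bin/sh
# Added example (not from the original post): self-signed server certificate
# with a DNS subjectAltName for the rpcproxy/SOGo vhost. Hostname from the
# post; output directory, key size and lifetime are assumptions.

# Usage: make_self_signed_cert OUTDIR HOST [DAYS]
# Writes OUTDIR/HOST.key (mode 600) and OUTDIR/HOST.crt.
make_self_signed_cert() {
    outdir=$1 host=$2 days=${3:-365}
    mkdir -p "$outdir" || return 1
    # prompt=no: the subject comes from this file. The extensions mark the
    # certificate as a leaf server certificate, not a CA.
    cat > "$outdir/$host.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = srv
prompt             = no

[dn]
CN = $host

[srv]
subjectAltName   = DNS:$host
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$outdir/$host.cnf" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/$host.key"   # private key: owner-only
}

# Return 0 if CRT lists HOST as a DNS subjectAltName, 1 otherwise.
cert_matches_host() {
    crt=$1 host=$2
    openssl x509 -in "$crt" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -Eq "DNS:$host(,|\$)"
}

# Demo when executed stand-alone (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    d=$(mktemp -d)
    if make_self_signed_cert "$d" mail.testmail.local 30 \
       && cert_matches_host "$d/mail.testmail.local.crt" mail.testmail.local; then
        echo "certificate for mail.testmail.local written to $d"
        openssl x509 -in "$d/mail.testmail.local.crt" -noout -subject -dates
    fi
    rm -rf "$d"
fi
```

Point SSLCertificateFile and SSLCertificateKeyFile in the mod_ssl vhost at the two files, and keep the server name in the vhost, in the x-webobjects-server-name header below and in the Outlook profile identical to the SAN, otherwise the clients will refuse the connection.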

When using SSL you also need to tell SOGo about it, in /etc/httpd/conf.d/SOGo.conf:
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "mail.testmail.local"
RequestHeader set "x-webobjects-server-url" "https://mail.testmail.local"

Start apache:
service httpd start

At this point the installation can be considered complete.
For those who need mailboxes, we create them with the command:
openchange_newuser --create user

You can proceed to configuring Outlook.
Unfortunately, autodiscover does not yet work fully correctly, so you have to set the parameters by hand.
In my case it looks like this:
Server: mail.testmail.local
Username: user
Go to the "More Settings" menu, the Security tab, and tick "Always prompt for logon credentials".
When connecting from outside, specify the proxy server (Outlook Anywhere, i.e. RPC over HTTP through the rpcproxy set up above).

Conclusion


On the domain with subdomains openchange did not work at all, and strange bugs were discovered, such as the one described above with sogo. Samba also crashed periodically if a user existed in AD but had no mailbox; at the moment the crashes have stopped. But the most annoying thing is that on some problems samba simply dies with a PANIC message, which makes diagnosis difficult.
The developers of this product did not promise integration into an already-working Windows AD, so the creeping bugs may well stem from the fact that we are doing something the developers did not fully anticipate.
But at the moment I have managed to get this product running stably for testing.
I believe the optimal layout for openchange at this stage of the product's development is:
1) Install a separate samba4/Windows AD controller.
2) Put dovecot + postfix on a separate server with authentication via LDAP (if openchange fails, the organization is still left with working mail).
3) Connect those who need calendars and address books (and, as practice has shown, not everyone does) via MAPI to openchange.
4) File bug reports with the developers to help move openchange to a more stable state.

Source: https://habr.com/ru/post/227893/

