Group-Office installation with Nginx
Group-Office configuration as SmartHost
This HowTo refers to version 6.1.x and PHP5. Adjustments for 6.2.x and PHP7.x are easy to implement based on the code.
1. First of all, install, configure and get GO prof running as expected via apt-get, then disable apache:
1. service apache2 stop
2. update-rc.d apache2 disable
2. Install and configure nginx:
1. apt-get install nginx
2. apt-get install php5-fpm php5-mysql
3. edit /etc/php5/fpm/php.ini and activate/add
1. cgi.fix_pathinfo=0
3. create /etc/nginx/sites-available/{my_site} and edit:
server {
    listen 80;
    server_name {your_server_name_or_IP};
    root /usr/share/groupoffice;
    index index.php index.html;
    # Redirect all traffic to https
    return 301 https://$host$request_uri;
}
# HTTPS
server {
    listen 443;
    server_name {your_server_name_or_IP};
    ssl on;
    ssl_certificate /etc/letsencrypt/live/{your_server_name}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{your_server_name}/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Fix 'The Logjam Attack'.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
    # generate your dhparam file first (the path must match ssl_dhparam below); run in the terminal:
    # openssl dhparam -out /etc/ssl/dh2048_param.pem 2048
    ssl_dhparam /etc/ssl/dh2048_param.pem;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-XSS-Protection "1; mode=block";
    # Public Key Pinning
    # to create hash from certificate:
    # openssl x509 -in fullchain.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    # to create hash from website (stdin from /dev/null so s_client exits after the handshake):
    # openssl s_client -connect {your_domain}:443 < /dev/null | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    add_header Public-Key-Pins 'pin-sha256="cert-hash"; pin-sha256="website-hash"; max-age=2592000; includeSubDomains';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy "no-referrer";
    root /usr/share/groupoffice;
    index index.php index.html;
    location / {
        try_files $uri $uri/ =404;
    }
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location /Microsoft-Server-ActiveSync {
        alias /usr/share/groupoffice/modules/z-push/index.php/;
    }
    location /caldav {
        alias /usr/share/groupoffice/modules/caldav/calendar.php/;
    }
    location /carddav {
        alias /usr/share/groupoffice/modules/carddav/addressbook.php/;
    }
    location /webdav {
        alias /usr/share/groupoffice/modules/dav/files.php/;
    }
    location = /.well-known/carddav {
        return 301 $scheme://$host/carddav;
    }
    location = /.well-known/caldav {
        return 301 $scheme://$host/caldav;
    }
}
4. edit /etc/php5/fpm/php.ini
1. zend_extension=/your_path_to_ioncube/ioncube_loader_lin_5.6.so
5. service nginx restart
6. service php5-fpm restart
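After the restart it is worth verifying that the vhost really sends the headers configured above and that plain HTTP is redirected; the following check is an added example, not part of the original HowTo, and assumes a POSIX shell and curl on the machine you run it from ({your_server_name} is the same placeholder as in the config).

```shell
#!/bin/sh
# Added example, not part of the original HowTo: check that the vhost really
# sends the headers configured above. Read the raw response headers on stdin,
# e.g. (assumes curl is installed):
#   curl -sI https://{your_server_name}/ | check_security_headers
#   curl -sI http://{your_server_name}/  | check_https_redirect

# Returns 0 when every expected header is present, 1 if any is missing.
check_security_headers() {
    headers=$(tr -d '\r')          # strip CR from CRLF line endings
    rc=0
    for want in \
        'Strict-Transport-Security: max-age=' \
        'X-XSS-Protection: 1; mode=block' \
        'X-Frame-Options: DENY' \
        'X-Content-Type-Options: nosniff' \
        'Referrer-Policy: no-referrer'
    do
        # header names are case-insensitive, so match with -i
        if printf '%s\n' "$headers" | grep -qi "^$want"; then
            echo "ok      $want"
        else
            echo "MISSING $want"
            rc=1
        fi
    done
    return $rc
}

# Returns 0 when the plain-HTTP vhost answers with a 301 to an https:// URL.
check_https_redirect() {
    headers=$(tr -d '\r')
    printf '%s\n' "$headers" | grep -q '^HTTP/[0-9.]* 301' || return 1
    printf '%s\n' "$headers" | grep -qi '^Location: https://' || return 1
    return 0
}
```

Public-Key-Pins is deliberately not checked: a pin that does not match the deployed certificate locks browsers out of the site for the whole max-age, and current browsers have dropped HPKP support, so test that header with great care or leave it out.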
This HowTo refers to version 6.1.x and older Ubuntu/Debian versions. Adjustments for current systems are easy to implement.
- Prerequisites
1) Install Ubuntu Server 12.04 LTS
2) Configure Ubuntu as minimal system only with OpenSSH Server
3) Edit /etc/network/interfaces (you need address, netmask, gateway and dns-nameservers parameter)
4) Reboot
5) apt-get update
6) apt-get upgrade
7) Add the GO gpg keys
8) Edit /etc/apt/sources.list to include the GO repos
As of now, this is a good moment to make a snapshot if you're doing this in a virtual machine, and to consider the next steps. We need to know:
- the FQDN of the GO machine in the internal net. Let's assume it's mta.intern.lan
- the FQDN of the outside relay host which we will use for sending mail into the real world, e.g. mta.outside.com. This is the name of the SMTP server; it is not necessarily the same name as in the eMail account, but the MX for your domain.
and for testing purposes:
- at least one account on mta.outside.com, let's say me@outside.com
- for sure one account for GO: me@intern.lan
- Installing GO
1) apt-get update
2) apt-get install groupoffice-com
3) apt-get install groupoffice-mailserver postfix postfix-mysql dovecot-mysql dovecot-sieve dovecot-managesieved
- Configure Mailserver (important)
1) Select ‘Smart/Relay Host’ when asked during postfix config
2) System eMail name is outside.com
3) SMTP-Relay: mta.outside.com
4) eMail Domain-Name: intern.lan
- Check some settings
1) Make sure that /home/groupoffice/key.txt belongs to www-data:www-data and has permissions 0400
2) If wanted, set the verify password variable in /etc/groupoffice/config.php to 'false'
3) edit /etc/postfix/transport (the blank between the domain and the colon is important):
intern.lan :
* smtp:mta.outside.com
4) postmap transport
5) edit /etc/postfix/main.cf
comment out: myhostname and mydestination
relayhost = mta.outside.com
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
6) touch /etc/postfix/smtp_auth
We need at least the credentials of one valid account on mta.outside.com to put into smtp_auth, which authenticates us when sending mail via relaying:
mta.outside.com valid_account@outside.com:password
postmap smtp_auth
7) postfix reload && service postfix restart
8) In /etc/groupoffice/config.php check -> ($config['serverclient_domains']="intern.lan";) and that the admin email domain is set to intern.lan
9) Enable SMTP authentication if you like to connect with eMail clients like Thunderbird, Apple Mail or Outlook
- GO config
1) Add a user
2) Login as this user
3) Configure Mail (Administration Mail Account)
eMail = me@outside.com
Incoming Server = localhost / me@intern.lan / Pass
Outgoing Server = localhost / no auth / Port 25
- Fetchmail (we like to get our outside mail)
1) apt-get install fetchmail
2) edit /etc/default/fetchmail and set ‘start daemon = yes’
3) edit/create /etc/fetchmailrc
# general settings
set daemon 300 # polls every 5 minutes
set syslog # logs into syslog but also to mail.log
set postmaster root
set no bouncemail
# account settings (use catchall as described in HowTo if you wish)
poll mta.outside.com protocol IMAP user "user@outside.com" there with password "userpass" is user@intern.lan here keep ssl
# repeat this for every user you like to import. If you don't use the 'keep' parameter, mail will be deleted on outside.com after being fetched. Some mail servers don't like the 'ssl' parameter.
4) service fetchmail restart
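Both the postfix relay files (transport, smtp_auth) and /etc/fetchmailrc now contain credentials or decide where mail leaves the box, so a quick sanity check before relying on them is worthwhile; the script below is an added example, not part of the original HowTo, assumes a Linux stat and a POSIX shell, and takes the HowTo's domain and relay names as parameters.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: sanity checks for the relay
# files edited above. Assumes GNU/busybox stat (Linux); domain and relay names
# are parameters, the values below are the HowTo's examples.
#   check_secret_file /etc/postfix/smtp_auth && check_secret_file /etc/fetchmailrc
#   check_transport /etc/postfix/transport intern.lan mta.outside.com
#   check_smtp_auth /etc/postfix/smtp_auth mta.outside.com

# escape dots so a hostname can be used inside an extended regex
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# A file holding credentials (smtp_auth, the smtp_auth.db built by postmap,
# /etc/fetchmailrc) must belong to OWNER (default root) and must not be
# group/world readable; fetchmail refuses to start on a world-readable rc file.
check_secret_file() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    set -- $(stat -c '%a %U' "$file")   # -> "600 root"
    [ "$2" = "$owner" ] || { echo "$file is owned by $2, expected $owner"; return 1; }
    case $1 in
        *00) return 0 ;;                # 400, 600, 700: no group/other bits
        *) echo "$file mode $1 is readable by others"; return 1 ;;
    esac
}

# /etc/postfix/transport: the internal domain stays local ("domain :") and
# everything else ("*") goes to the relay with the smtp transport.
check_transport() {
    file=$1; dom=$(re_escape "$2"); relay=$(re_escape "$3")
    grep -Eq "^$dom[[:space:]]+:[[:space:]]*$" "$file" || { echo "no local entry for $2"; return 1; }
    grep -Eq "^\*[[:space:]]+smtp:$relay[[:space:]]*$" "$file" || { echo "no catch-all entry for $3"; return 1; }
    return 0
}

# /etc/postfix/smtp_auth: exactly one "relay user@domain:password" line for the
# relay, with no whitespace inside the credential (a common copy/paste error).
check_smtp_auth() {
    file=$1; relay=$(re_escape "$2")
    n=$(grep -Ec "^$relay[[:space:]]+[^[:space:]]+@[^[:space:]]+:[^[:space:]]+$" "$file" || true)
    [ "$n" -eq 1 ] || { echo "expected one credential line for $2, found $n"; return 1; }
    return 0
}
```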
That’s all folks.