Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: StuartNaylor on June 22, 2014, 05:44:55 am

Title: Zarafa & Zentyal 3.5
Post by: StuartNaylor on June 22, 2014, 05:44:55 am
I have been having a few probs with the Zarafa Schema Extensions but might as well kickstart things.

I am not a great fan of the Zentyal User manager and have been trying to connect with phpldapadmin to no avail.

Having a web application would be great but just haven't had much success so it's back to the desktop with Jxplorer.

Jxplorer is a really great java ldap browser and editor and it can connect to samba.

Code: [Select]
sudo apt-get install jxplorer

I think only Administrator is set up as a schema administrator but I will have to check this.

I had a domain admin account and for some reason couldn't connect, when I used the Administrator account no problem.

The contents of /etc/dovecot/dovecot-ldap.conf will help you with connection details.

Here is mine.

Code: [Select]
# Generated by Zentyal
hosts = 127.0.0.1:3268
dn = "CN=Administrator,CN=Users,DC=zentyal,DC=lan"
dnpass = "a@qdErceqlL5ROrhxy8E"
sasl_bind = no
tls = no
ldap_version = 3
deref = never
scope = subtree
base = DC=zentyal,DC=lan
auth_bind = yes

user_filter = (&(mail=%u)(objectClass=user)(!(userAccountControl=514)))
pass_filter = (&(mail=%u)(objectClass=user)(!(userAccountControl=514)))
user_attrs = =home=/var/vmail/%Ld/%Ln/,=mail=maildir:/var/vmail/%Ld/%Ln/Maildir/
pass_attrs = userPassword=password

For some reason Zentyal have used the global catalog port of 3268. I haven't a clue why, as this will create havoc if Zentyal ever does become part of a forest.
I suggest using 389; in fact I don't just suggest, use 389.

So as I say didn't get far with schemas but instead of https://community.zarafa.com/pg/plugins/release/21794/developer/tdeklein/samba4-ad-integration-for-zarafa

I am just going to manually add the schema.

Hopefully others will join and add to the thread.
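
The bind settings discussed in the post above (bind DN, global catalog port 3268, tls, and a password stored in the file) can be checked mechanically. This is an added example, not part of the original thread or of Zentyal; the function names, the finding labels and the constructed sample config with placeholder values are assumptions, and only the `hosts` form shown in the post is parsed (IPv4 or hostname, optional port).

```shell
#!/bin/sh
# Added example: audit a Dovecot-style "key = value" LDAP client config.
# Finding labels (GC-PORT, ADMIN-BIND, ...) are made up for this example.

# cfg_get FILE KEY: value of the first uncommented "KEY = value" line,
# with trailing blanks and surrounding double quotes removed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# audit_ldap_conf FILE: print one finding per line, nothing if all checks pass.
audit_ldap_conf() {
    f=$1
    hosts=$(cfg_get "$f" hosts)
    dn=$(cfg_get "$f" dn)
    tls=$(cfg_get "$f" tls)
    remote=no
    for h in $hosts; do
        case $h in
            *:*) host=${h%%:*}; port=${h##*:} ;;
            *)   host=$h; port=389 ;;          # LDAP default port
        esac
        case $port in
            3268|3269) echo "GC-PORT: $h is a global catalog port, not the domain's LDAP port 389" ;;
        esac
        case $host in
            127.*|localhost) ;;
            *) remote=yes ;;
        esac
    done
    # A service bound as the built-in Administrator holds far more rights
    # than a mail lookup needs.
    case $(printf '%s' "$dn" | tr '[:upper:]' '[:lower:]') in
        cn=administrator,*) echo "ADMIN-BIND: bind DN is the built-in Administrator: $dn" ;;
    esac
    # Without TLS a simple bind sends the password in clear; on loopback
    # that never leaves the host, so only non-local hosts are flagged.
    if [ "$tls" != yes ] && [ "$remote" = yes ]; then
        echo "CLEARTEXT: tls is not enabled and a non-loopback host is configured"
    fi
    # The file stores the bind password, so "other" must not be able to read it.
    if [ -n "$(cfg_get "$f" dnpass)" ]; then
        perms=$(ls -ld "$f" | cut -c1-10)
        case $perms in
            ???????r*) echo "WORLD-READABLE: $f ($perms) contains dnpass" ;;
        esac
    fi
    return 0
}

# Constructed sample in the shape of the config above; placeholder values only.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
hosts = 127.0.0.1:3268
dn = "CN=Administrator,CN=Users,DC=example,DC=lan"
dnpass = "PLACEHOLDER-NOT-A-REAL-PASSWORD"
sasl_bind = no
tls = no
EOF
}

if [ -n "${1:-}" ]; then
    audit_ldap_conf "$1"                 # audit the file named on the command line
else
    sample=$(mktemp)
    write_sample "$sample"
    chmod 644 "$sample"                  # deliberately too open for the demo
    audit_ldap_conf "$sample"
    rm -f "$sample"
fi
```

Run it as root against /etc/dovecot/dovecot-ldap.conf to audit the live file; with no argument it audits the constructed sample.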
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on June 22, 2014, 01:39:53 pm
https://community.zarafa.com/pg/plugins/release/21794/developer/tdeklein/samba4-ad-integration-for-zarafa

Works and adds the schema

You need to install dos2unix as it's part of the script

Code: [Select]
apt-get install dos2unix

Make sure Samba is stopped

Code: [Select]
service samba-ad-dc stop

Or use webmin >System>Bootup & Shutdown

Run the script from the download

Code: [Select]
bash zarafa_schema_add.sh DC=ZENTYAL,DC=LAN ./ -v -H /var/lib/samba/private/sam.ldb -writechanges -dontclean

It takes so long that I thought it was in an endless loop, doh!

Title: Re: Zarafa & Zentyal 3.5
Post by: defetonezzz on June 23, 2014, 06:52:00 am
Thank you for information... I like your post
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on June 23, 2014, 07:11:02 am
Still working on Zarafa and getting to grips with things. Please join as the help will be appreciated.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on June 28, 2014, 04:35:25 am
I was really disappointed by the dropping of Zarafa in 3.5

Great job making the effort to continue work on Zarafa in Zentyal. I'm probably too early with this question, but just wondering what your intention might be in terms of a management GUI. Is Zentyal too non-standard in Ubuntu terms that Z-Admin could not co-exist?

I have some spare hardware so might try to replicate your work when I get some time. Happy to participate in any way.

Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on June 28, 2014, 05:35:52 am
Sorry slowed down my efforts and need to get back to it.

I started with jxplorer but finding Apache Directory Studio much better.

In fact it's not called directory studio for no reason.

Still stuck with the problem that to get the relevant security IDs you need to use samba-tool to add new users.

http://linuxcostablanca.blogspot.co.uk/2012/02/samba-4-posix-domain-user.html has some excellent examples.

I have been toying with the idea of maybe making a webmin module for samba4 users that allows custom classes to be added.

This is not just with Zarafa but for any specific application ldap requirements to automount entries.

I could do with a few of us getting together maybe.

I suffer from recurring TM which is a bit like MS and just had another bout, which has knocked me off me feet a bit.
Been relatively ok this last month but still a bit crap.

I like Zentyal but I really find the custom community requirements in dev and support way too high.

I hate to mention webmin so much but it's a great complement to Zentyal and very easy to create and add modules.
You can just import them on the fly.

I have a bit of a pet project on http://sourceforge.net/projects/samba4all/ and I will give it a go there.
That is vanilla samba4 then will try it out on zentyal.

[EDIT]
I have been trying to find an ldap tool that is web based that could run from server just like the zentyal webadmin or webmin.

phpldapadmin eventually I got going but it's buggy, so I am running a mile from that.

Usually complex actions on the CLI have me running for cover. I have memory problems and a GUI is just great for me.

ldbedit is really simple to use and the below example edits the entry where samaccountname=winadmin which is my windows administration account.

Code: [Select]
ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(samaccountname=winadmin)'

Give that a go, as -e is the editor you want to use. I prefer the simplicity of nano. Just change winadmin to the user you need.

 
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on June 30, 2014, 05:36:57 pm
Ok posting to myself but starting to get somewhere with Zarafa on 3.5.

I really do think Zentyal  should bring back the Zarafa option until stability and migration options with Openchange are finalised.

But hey. Here is Zarafa install on 3.5 and could do with some feedback.

My fqdn zent1.zentyal.lan

Code: [Select]
wget http://download.zarafa.com/community/final/7.1/7.1.10-44973/zcp-7.1.10-44973-ubuntu-14.04-x86_64-free.tar.gz
tar zxvf zcp-7.1.10-44973-ubuntu-14.04-x86_64-free.tar.gz
cd zcp-7.1.10-44973-ubuntu-14.04-x86_64
dpkg -i *.deb
apt-get install -f

I noticed in there is zarafamigration.exe http://doc.zarafa.com/trunk/Migration_Manual/en-US/html-single/
Haven't tried it but the zarafa to pst migration might be handy for some and also there is always imapcopy.
Anyway I digress.
In /var/lib/zentyal/conf we have various files that contain various essential details.
samba.passwd the administrator password which is why you shouldn't change things but really the administrator should be visible and maybe an ebox samba account should be used.
I did notice that the zentyal dovecot settings are using the global catalog still, #hosts = 127.0.0.1:3268# which could be a source of problems down the road.
I dunno I guess because the DN's are for this realm it doesn't matter. I have been trying to get my head round the implications of running various sites that might all have their own email server. Then also being the global catalog this will also be a forest of several domains. A nasty smell of burning came from my right ear, so decided to stop thinking about it.

I did also notice Zentyal have moved from the administrator for mail directory tasks which is great, not sure why not a single ebox account for the system though.

Anyway the samba.password file contains oiAmNqpWR2H6Ua@k8jqx
and the  zentyal-mysql.passwd contains oA5TGRwf

Apols but I use webmin for quite a few tasks so install webmin if you want to follow my procedure.

Code: [Select]
apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python
wget http://prdownloads.sourceforge.net/webadmin/webmin_1.690_all.deb
dpkg --install webmin_1.690_all.deb

Create a service for webmin, allow port 10000, then on the firewall allow the webmin service on the local lan (for me this is acceptable and no less secure than the zentyal web admin). Both I never allow wan side and use a VPN.

In webmin in the others section there is a filemanager that makes things easy.
/etc/zarafa/server.cfg

Code: [Select]
# Name for identifying the server in a multi-server environment
server_name = zent1
##############################################################
# MYSQL SETTINGS (for database_engine = mysql)
# The password for the user (leave empty for no password)
mysql_password = oA5TGRwf

In the zarafa server config I use the hostname as the servername and we need to supply the root password of MySQL.

Also in /etc/mysql/conf.d/zentyal.cnf

Code: [Select]
[mysqld]
innodb = on
default-storage-engine = MyISAM
character-set-server=utf8

[client]
default-character-set=utf8

I had to change innodb = off to innodb = on because Zarafa requires this. I am not sure why Zentyal force it off as the default is MyISAM. Dunno maybe someone can say why?

Webmin >System>Bootup & Shutdown tick zarafa-server and restart.

Code: [Select]
root@zent1:~# zarafa-admin -l
User list for Default(1):
        Username        Fullname        Homeserver
        ------------------------------------------
        SYSTEM          SYSTEM          zent1

zarafa-admin -l shows that zarafa is running but we have no users because we are purely using database authentication which we need to change to ldap.

From the previous post we need to add the schema to the LDAP.
https://forum.zentyal.org/index.php/topic,22332.msg85942.html#msg85942

This adds the schema but doesn't add the classes or entries to the user.

I made a little script and will do this with that: bash ZarafaAD username baseDN maildomain should set up your user.
It's set to create the user as a Zarafa admin so you might want to edit this.

Code: [Select]
bash ZarafaAD winadmin DC=zentyal,DC=lan zentyal.lan

Modified my Winadmin user and set him up with some defaults.
You can always use the following to edit at a later stage.

Code: [Select]
ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(samaccountname=winadmin)'

Copy /etc/zarafa/ldap.active-directory.cfg to /etc/zarafa/ldap.conf

Edit the following sections so they match your ldap.

Code: [Select]
ldap_host = localhost
ldap_bind_user = CN=Administrator,CN=Users,DC=zentyal,DC=lan
ldap_bind_passwd = oiAmNqpWR2H6Ua@k8jqx
ldap_search_base = dc=zentyal,dc=lan

Edit /etc/zarafa/server.cfg

Code: [Select]
user_plugin             = ldap

Restart zarafa-server & zarafa-admin -l should show something like the following.

Code: [Select]
root@zent1:~# zarafa-admin -l
User list for Default(7):
        Username                Fullname                Homeserver
        --------------------------------------------------------------
        SYSTEM                  SYSTEM                  zent1
        zentyal-mail-zent1      zentyal-mail-zent1
        Administrator           Administrator
        winadmin                Win Admin
        dns-zent1               dns-zent1
        krbtgt                  krbtgt
        Guest                   Guest


Starting to get somewhere. Haven't checked the zarafa to postfix settings yet or if sending and receiving mails works.

a2ensite zarafa-webaccess for some reason doesn't work and currently scratching around this one?

OK a new one for me, renamed the two files in sites-available and added .conf to the end.

a2ensite zarafa-webaccess.conf and a2ensite zarafa-webapp.conf now work!!!?




Title: Re: Zarafa & Zentyal 3.5
Post by: lcat on July 03, 2014, 05:39:55 pm
...
In /var/lib/zentyal/conf we have various files that contain various essential details.
samba.passwd the administrator password which is why you shouldn't change things but really the administrator should be visible and maybe a ebox samba account should be used.
...

Zentyal 3.5, in /var/lib/zentyal/conf there is no samba.passwd, only samba.keytab... Password now encrypted with Kerberos?
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 03, 2014, 09:54:45 pm
Yeah I was working on a daily of 3.5 which zentyal have moved to a better user. They have moved the account from Administrator which needed to be done.

dn = "CN=zentyal-mail-zent1,CN=Users,DC=office,DC=zentyal,DC=lan" could use that one and have a look in /etc for the dovecot or postfix as the password is there.

Or you can create another user who can browse the ldap and use that with the password you supply or stay with the administrator.

I seemed to have problems with the ldb tools and with any other distro Debian, Ubuntu, Arch I don't have.

I have been meaning to come back but wondering if its worth while.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 20, 2014, 01:42:00 pm
Went back to zarafa and have an automated install.

It should get zarafa up and running on 3.5.

Setup Zentyal with file and mail services and create a user / domain admin say zarafa.

Disable the pop and imap of the mail as zarafa will do that.

Run bash zarafa-install from root (sudo -i to get there)
Supply the user details and password and go hopefully

If anybody has a VM or test machine would you give it a try and report back.

Many Thanks

Stuart

PS Script attached

Will have a look at zpush and getting things completely tidy

Would appreciate some input

http://doc.zarafa.com/7.1/Migration_Manual/en-US/html-single/
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on July 30, 2014, 11:52:54 am
Hi Stuart,

Tried your script & it seemed to work fine. Box rebooted. Zarafa Webapp displayed ok so I guess all ok from the Apache side.

But at the command line a "zarafa-admin -l" told me zarafa-server was not running.  Ok, "service zarafa-server start" seemed to work ok but then the service stopped after a few seconds. Checking "/var/log/zarafa/server.log" showed me:-

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Wed Jul 30 19:00:17 2014: Starting zarafa-server version 7,1,10,44973, pid 4482
Wed Jul 30 19:00:17 2014: Listening for priority pipe connections on /var/run/zarafa-prio
Wed Jul 30 19:00:17 2014: Listening for pipe connections on /var/run/zarafa
Wed Jul 30 19:00:17 2014: Listening for TCP connections on port 236
Wed Jul 30 19:00:17 2014: Connection to database 'zarafa' succeeded
Wed Jul 30 19:00:17 2014: zarafa-licensed is running, but no license key was found. Not all commercial features will be available.
Wed Jul 30 19:00:17 2014: Cannot instantiate user plugin: ldap_bind_s: Invalid credentials
Wed Jul 30 19:00:17 2014: Unable to initialize user plugin
Wed Jul 30 19:00:23 2014: Server shutdown complete.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I checked "/etc/zarafa/ldap.cfg" & it has the correct credentials for the "Domain Admin" user I created & used to run your zarafa-install script. I then thought about where I might find alternative ldap credentials. Tried the Zentyal install "administrator" account (the one created during zentyal install) but no joy there either. Not sure where to find any alternative LDAP credentials?

That's all I've got for now. I really want to offer you encouragement. I see you doing all sorts of good work in these forums & I wish I had both the time & skills to be of more assistance. The dropping of Zarafa from Zentyal is, to me, a crying shame. I will try to get back here & feed back to you as much as possible.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 30, 2014, 12:24:57 pm
I would love for it to be able to drop custom ldifs in the Zentyal user manager.

This would add the required attributes, a hook for the action would be brilliant as you could use parameters to set variable data.

Also an ldif that would display these in the similar way RSAT has a custom attributes page in AD users & computers.

Until then we will have to resort to ldbedit -H /var/lib/samba/private/sam.ldb -e nano '(samaccountname=userid)'  or something like guess we could make a little script that made it a bit more tidy.

I wasn't sure how many of the community would be able to work out of the normal user manager and if it was worth while.

Once they are set up there is not much to do and the script would automate that, but quota changes and deactivation would require the above.

I think it's always good to have alternatives but I stopped because of lack of interest.

If you email me I will walk you through or post on the thread.

Which account did you choose to connect to the ldap Administrator? Domain Admins is a group isn't it? Create a user call it Zarafa and use that.

Title: Re: Zarafa & Zentyal 3.5
Post by: tose on July 30, 2014, 03:32:00 pm
Yes, I created a user (called zarafa) & made it a member of the Domain Admins group & used it to run the install. I'll retry the install to double check my work.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 30, 2014, 06:37:13 pm
I will start up the install again and see how I go. Make sure everything is currently working.

Title: Re: Zarafa & Zentyal 3.5
Post by: tose on July 31, 2014, 07:08:58 am
Borrowing one of your tips from earlier in the thread Stuart, I retrieved the ldap credentials from /etc/dovecot/dovecot-ldap.conf, then used them to replace the "ldap_bind_user" & "ldap_bind_passwd" values in /etc/zarafa/ldap.cfg

zarafa-server now starts & runs without error & created users can login to Webapp. Mail send appears to work but not yet being received into mailboxes, but hey, it's a start. No more time now but thanks again.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 31, 2014, 11:09:08 am
Damn looks like I haven't documented it.

It's a single line in postfix main.cf

where you set the virtual transport.

I am also presuming you installed the mail but turned off all the zentyal services.

Code: [Select]
But when I edit /etc/postfix/main.cf and add the following info,
Code:
virtual_mailbox_domains = mydomain.com, example.org, example.net
virtual_mailbox_maps = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_transport = lmtp:localhost:2003

postfix is just not forwarding the mails to the zarafa MTA

Anyone running 3.3 or less with Zarafa running would they /etc/postfix/main.cf

I think the above single line of virtual_transport = lmtp:localhost:2003 is all that is needed.

Then this is where I stopped as wasn't sure about distribution groups.

I think what I will do is alter the script to use the dovecot user and details and add that line. To the .mas template of zentyal or each reboot we will be back to square one.

Was there anything else you had to do manually to get to this stage?

Yeah also add to init.d so it runs at start.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on July 31, 2014, 05:00:21 pm
Yes, I did install Zentyal Mail services & disable pop3, pop3s, imap, imaps. I think that's what you're asking? And no, I've done nothing more than what I've already described to get this far.

I have a Zentyal 3.2 with Zarafa running. In that /etc/postfix/main.cf file I have a line "virtual_transport = dovecot". That's exactly the same as what the 3.5 box has.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on July 31, 2014, 05:23:49 pm
The zarafa mta is lmtp:localhost:2003

So it needs to be edited, it was the only thing missing.

Someone with an older version with Zarafa installed may confirm this.

I guess we need to do a post hook on the mail with a grep for that line and piped to a sed to change it.

Lol did I just write that? Change it manually for now and restart postfix and see how things go.


A sed pattern will do it as there is only a singular virtual_transport = dovecot I guess
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 01, 2014, 02:16:21 am
Correct again Stuart. I edited /usr/share/zentyal/stubs/mail/main.cf.mas as follows:-

--------------------------------------------------------
# virtual_transport = dovecot
virtual_transport = lmtp:localhost:2003
--------------------------------------------------------

So now that setting sticks after reboot, & yes, mail is now being delivered to the zarafa mailboxes. However:-

This just confirms for me that my Zentyal 3.2 box (Zarafa 7.1.7) routes mail differently (or at least the settings would make you think so). In both /usr/share/zentyal/stubs/mail/main.cf.mas & /etc/postfix/main.cf on the Zentyal 3.2 box, the setting is:

virtual_transport = dovecot

Gotta go now. Will look into all that further & get back.
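
One way to script the template edit described in the posts above, checking first that there really is only a single active virtual_transport line before touching the file. This is an added example, not code from the thread or from Zentyal; the function name set_virtual_transport, the .bak backup name and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example: switch virtual_transport in a Postfix config or template,
# keeping the old line as a comment the way the post above did by hand.

# set_virtual_transport FILE VALUE
#   prints "changed" or "unchanged" and returns 0 on success;
#   returns 1 without touching FILE unless exactly one active line exists.
set_virtual_transport() {
    vt_file=$1
    vt_value=$2
    vt_pat='^[[:space:]]*virtual_transport[[:space:]]*='

    if [ ! -f "$vt_file" ]; then
        echo "no such file: $vt_file" >&2
        return 1
    fi

    # Commented-out lines start with '#' and are not counted.
    vt_n=$(grep -c "$vt_pat" "$vt_file" || true)
    if [ "$vt_n" -ne 1 ]; then
        echo "refusing: $vt_n active virtual_transport lines in $vt_file" >&2
        return 1
    fi

    vt_cur=$(sed -n "s/$vt_pat[[:space:]]*//p" "$vt_file" | sed 's/[[:space:]]*$//')
    if [ "$vt_cur" = "$vt_value" ]; then
        echo unchanged          # already set, so a second run is a no-op
        return 0
    fi

    # Keep the first pristine copy only; later runs must not overwrite it.
    if [ ! -e "$vt_file.bak" ]; then
        cp -p "$vt_file" "$vt_file.bak"
    fi

    vt_tmp=$(mktemp)
    awk -v new="$vt_value" '
        /^[ \t]*virtual_transport[ \t]*=/ {
            print "# " $0                      # old setting, commented out
            print "virtual_transport = " new   # new setting
            next
        }
        { print }
    ' "$vt_file" > "$vt_tmp"
    cat "$vt_tmp" > "$vt_file"   # rewrite in place: owner and mode are kept
    rm -f "$vt_tmp"
    echo changed
}

# Demo on a constructed sample, not a real Zentyal template.
demo=$(mktemp)
printf '%s\n' 'inet_interfaces = all' 'virtual_transport = dovecot' > "$demo"
set_virtual_transport "$demo" lmtp:localhost:2003
cat "$demo"
rm -f "$demo" "$demo.bak"
```

On the server the file argument would be the template path given in the post; once main.cf has been regenerated, `postconf virtual_transport` prints the value Postfix is actually using.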
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 01, 2014, 11:31:20 am
It must be my legendary memory only did that script a couple of weeks ago.

It rings a bell but let me check. It can't be dovecot as that is an imap server and our imap server is Zarafa.

http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html-single/#_MTAIntegration

Tose hopefully after we can document all this in the community wiki.

Code: [Select]
5.4.1. Configure ZCP Postfix integration with OpenLDAP

The Postfix MTA can connect to an OpenLDAP server to resolve primary mail addresses and aliases of users and groups. The Postfix package in most Linux distributions has LDAP support enabled by default. To read more about Postfix LDAP support see the LDAP README on the Postfix website.

All Postfix configuration files can be found in /etc/postfix directory. The main configuration file is logically called main.cf

By default Postfix will only accept incoming emails from localhost. To accept emails from the complete network, configure the following option:

inet_interfaces = all

In order to make Postfix aware of the local emaildomains, add the following line to the main.cf.

virtual_mailbox_domains = example.com, example.org, example.net

Postfix will now see the configured domains as its local email domains, however to accept incoming emails Postfix will do a recipient check. Add the following lines to the main.cf to have Postfix use LDAP for looking up (valid) recipients:

virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:127.0.0.1:2003

All incoming emails are delivered to the LMTP service of the zarafa-dagent. The delivery needs to be done on the primary mail address of a user. For resolving the primary mail address of the user, create the file /etc/postfix/ldap-users.cf and add the following lines:

server_host = localhost
search_base = ou=Users,dc=example,dc=com
version = 3
scope = sub
query_filter = (&(objectClass=posixAccount)(mail=%s))
result_attribute = mail

For lookups of mail aliases create the file /etc/postfix/ldap-aliases.cf and add the following lines:

server_host = localhost
search_base = ou=Users,dc=example,dc=com
version = 3
scope = sub
query_filter = (&(objectClass=posixAccount)(zarafaAliases=%s))
result_attribute = mail

The search base of users and aliases need to match the search base of the LDAP server. After the configuration files have been changed Postfix need to be restarted:

/etc/init.d/postfix restart

Make sure the zarafa-dagent is run as a daemon and started at boot time.

For RPM based distributions use:

chkconfig zarafa-dagent on
/etc/init.d/zarafa-dagent start

For Debian based distributions enable the zarafa-dagent by setting the option DAGENT_ENABLED to yes in the file /etc/default/zarafa-dagent. To enable the zarafa-dagent at boot time use:

update-rc.d zarafa-dagent defaults

Note
It is advised to enable logging of the zarafa-dagent when running in LMTP mode for monitoring purposes. Enable the logging options in the zarafa-dagent in /etc/zarafa/dagent.cfg.

I am going to run through the install again but don't have the VM I created it on so will have to do new from fresh.

I think I will go right through and make it complete.

I am going to have a look at the code posted in contrib section of the zentyal git of all the dropped modules.

IE Zarafa. I had a go but it didn't start well, things don't seem to be as their documentation and basically my irc and emails received no reply
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 02, 2014, 06:49:01 am
Ok, mystery solved as regards the way Zentyal 3.2 routes mail from postfix. There is a file "/etc/postfix/transport" which appears to define unique transport methods on a domain or recipient address basis. Mine looks like this:-

--------------------------------------------------
ham@lloydcorporate.com dovecot
spam@lloydcorporate.com dovecot
lloydcorporate.com   lmtp:127.0.0.1:2003
ham@tosi.id.au dovecot
spam@tosi.id.au dovecot
tosi.id.au   lmtp:127.0.0.1:2003
--------------------------------------------------

So only the mail addressed to the Zarafa Virtual Domains is forwarded by lmtp. My Zentyal 3.5 box has no such file.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 02, 2014, 07:49:52 pm
Yeah I forgot that you could run pop on dovecot and imap on zarafa so you could have them working at the same time.

All depends if they are set up as a zarafauser or not.

Starts getting hard work that and I am going to assume that we are just going to use Zarafa.

So the transport map in main.cf should suffice. I am not going to do the option of running non zarafa mail users in this example at least.

I am pushing my scripting ability and these are just working hacks

Would you check these two out for me.

I apologise as Doh! what about the user ldap zarafa attributes to say they are a zarafa user.

I have done a script called zarafa-user
Code: [Select]
sudo bash zarafa-user 'User CN'

wrap in single quotes because of the space

Code: [Select]
./zarafa-user 'Stuart Naylor'

Zentyal still adds CN's as givenName Surname which personal opinion I don't understand
But just if you fall foul wondering why it's not the samaccountname

Please give these a go.
The install should be OK but verifies these work.

Many Apols

I would have to hack the zentyal code so the defaults get added on normal Zentyal user creation.
Possible just haven't

Will have to see what needs to be done next.

Mail should work

Hopefully all good for a community module.

For other users.

Install samba and mail but turn off all the zentyal mail ports so just smtp is running

Code: [Select]
ldbedit -e nano -H /var/lib/samba/private/sam.ldb '(samaccountname=Administrator)'

Change zarafaAdmin = 1 to make Zarafa administrator

Many apols as totally forgot about user attributes. I had already done that bit on my test VM
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 03, 2014, 01:27:14 am
Stuart,

I completely agree about not catering for zarafa and non-zarafa mail transport.

Thanks for the zarafa-user script. That made me think, what about my current 3.5 install? It doesn't have those attributes set yet. Not even "zarafaUser". But if I create a new user in Zentyal, that user can login to Zarafa webapp straight up & send/receive mail. Just makes me wonder what the "zarafaUser" attribute actually does?

Great work yet again Stuart. Will run through it again as a fresh install, hopefully later today, and report results back here.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 03, 2014, 01:58:31 am
Code: [Select]
zarafaAccount: 1
zarafaAdmin: 1
zarafaDisabledFeatures: pop3
zarafaEnabledFeatures: imap
zarafaQuotaHard: 1200000000
zarafaQuotaOverride: 1
zarafaQuotaSoft: 1100000000
zarafaQuotaWarn: 1000000000
zarafaUserServer: zent1

zarafaAccount=1 is important and that must have been used for either dovecot or zarafa. I could send but couldn't receive until that was set?

I can add these when you create a user or mail account zarafa is using the standard mail attributes

I will have a look at hiding all the system users and groups next.
showInAdvancedViewOnly: TRUE is only on a few objects or Hint: Use the zarafaAccount attribute in the filter to differentiate
Code: [Select]
##########
# Misc. settings

# Attribute which indicates if the user should be hidden from addressbook
ldap_addressbook_hide_attribute = zarafaHidden

# LDAP object search filter. %s in this filter will be replaced with
# the object being searched.
# Hint: Use the zarafaAccount attribute in the filter to differentiate
# between non-zarafa and zarafa objects.
# Default: empty
# ADS recommended: (anr=%s)
# OpenLDAP optional: (|(mail=%s*)(uid=%s*)(cn=*%s*)(fullname=*%s*)(givenname=*%s*)(lastname=*%s*)(sn=*%s*))
ldap_object_search_filter = (anr=%s)

Then its about working out shared contact list and dist groups.

In fact here is the full administrator account

Code: [Select]
objectClass: fetchmailUser
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: user
objectClass: userZentyalMail
objectClass: zarafaUser
cn: Administrator
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=office,DC=zentyal,DC
 =lan
accountExpires: 9223372036854775807
adminCount: 1
badPasswordTime: 0
badPwdCount: 0
codePage: 0
countryCode: 0
description: Built-in account for administering the computer/domain
distinguishedName: CN=Administrator,CN=Users,DC=office,DC=zentyal,DC=lan
fetchmailAccount: stuartiannaylor@inbox.com:pop3:my.inbox.com:110::phone4394
 01
gidNumber: 2512
homeDirectory: \\zent1.OFFICE.ZENTYAL.LAN\Administrator
homeDrive: H:
isCriticalSystemObject: TRUE
lastLogoff: 0
lastLogon: 0
logonCount: 0
mail: Administrator@zentyal.lan
mailbox: zentyal.lan/Administrator/
mailHomeDirectory: /var/vmail/
mailquota: 0
memberOf: CN=Administrators,CN=Builtin,DC=office,DC=zentyal,DC=lan
memberOf: CN=Domain Admins,CN=Users,DC=office,DC=zentyal,DC=lan
memberOf: CN=Enterprise Admins,CN=Users,DC=office,DC=zentyal,DC=lan
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=office,DC=zentyal,DC=la
 n
memberOf: CN=Schema Admins,CN=Users,DC=office,DC=zentyal,DC=lan
name: Administrator
objectGUID:: Yp+EBRGkv0SIYmVQGOlSSA==
objectSid:: AQUAAAAAAAUVAAAAqBn7Al1FSGbTMZ2u9AEAAA==
primaryGroupID: 513
pwdLastSet: 130514302870000000
sAMAccountName: Administrator
sAMAccountType: 805306368
uidNumber: 2500
userAccountControl: 512
userMaildirSize: 0
uSNChanged: 4962
uSNCreated: 3545
whenChanged: 20140802195152.0Z
whenCreated: 20140802051658.0Z
zarafaAccount: 1
zarafaAdmin: 1
zarafaDisabledFeatures: pop3
zarafaEnabledFeatures: imap
zarafaQuotaHard: 1200000000
zarafaQuotaOverride: 1
zarafaQuotaSoft: 1100000000
zarafaQuotaWarn: 1000000000
zarafaUserServer: zent1

There is also a bug with zarafa-search which an upgrade with the libkyoto(something) fixed.

Missing this attribute zarafaSharedStoreOnly so on the todo

Code: [Select]
# Whether a user is a non-active user. This means that the user will
# not count towards your user count, but the user will also not be
# able to log in
# Optional, default = zarafaSharedStoreOnly
# Active directory: zarafaSharedStoreOnly
# LDAP: zarafaSharedStoreOnly
ldap_nonactive_attribute = zarafaSharedStoreOnly

/etc/mysql/my.cnf
thread_stack      = 192K change to thread_stack = 256k
/etc/zarafa/server.cfg
enable_sql_procedures = no change to enable_sql_procedures = yes

Apols its a todo list
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 03, 2014, 07:48:37 am
I'm sure zarafaAccount=1 is very important for all sorts of reasons. And what I've discovered is probably not much more than an anomaly that will be of little use going forward. However, here are the ldap attributes of one of my users:-

--------------------------------------------------------------------------------------------------------------------
dn: CN=Craig Tosi,CN=Users,DC=ctstest,DC=lan
cn: Craig Tosi
sn: Tosi
givenName: Craig
instanceType: 4
whenCreated: 20140803050020.0Z
whenChanged: 20140803050020.0Z
displayName: Craig Tosi
uSNCreated: 4914
name: Craig Tosi
objectGUID: ae7490b6-9563-46bb-b419-b856ccd67b8d
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: /home/tose
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3932363027-2996284228-1642769443-1108
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: tose
sAMAccountType: 805306368
userPrincipalName: tose@CTSTEST.LAN
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ctstest,DC=lan
uidNumber: 2504
gidNumber: 2513
quota: 500
pwdLastSet: 130515156200000000
userAccountControl: 512
objectClass: top
objectClass: fetchmailUser
objectClass: posixAccount
objectClass: userZentyalMail
objectClass: person
objectClass: systemQuotas
objectClass: organizationalPerson
objectClass: user
mail: tose@tosi.id.au
mailbox: tosi.id.au/tose/
userMaildirSize: 0
mailquota: 0
mailHomeDirectory: /var/vmail/
uSNChanged: 4919
distinguishedName: CN=Craig Tosi,CN=Users,DC=ctstest,DC=lan
------------------------------------------------------------------------------------------------------------------------------------------------------

Not a Zarafa specific attribute there, but that user can login to Zarafa Webapp & send/receive mail. What I think is happening, is that Zarafa is happy to store mail based on:-

----------------------------------------------
mail: tose@tosi.id.au
mailbox: tosi.id.au/tose/
userMaildirSize: 0
mailquota: 0
mailHomeDirectory: /var/vmail/
----------------------------------------------

In fact, if I look at /var/vmail it contains a folder for each of my created Zentyal users. "objectClass: userZentyalMail" may play a part also.

Anyway. Didn't want to get side-tracked into this, as going forward we obviously want to make Zarafa work the way it was designed & intended to, rather than some happy coincidence of it falling back to local mail storage (if in fact that's what's happening).

Anyhow, off to start afresh with both your revised scripts now. Will get back with results.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 03, 2014, 08:45:34 am
There is one thing that I forgot to mention.

Attachments can either be in the database or filebased.

The Zarafa-search (full text indexer) seems to be set up for filebased only. I should know but I don't think you can index blob database content.

So it's a double-edged sword: when you back up Zarafa, it's a combination of messages database and file attachments, or all database but no Zarafa search.

I have left it with zarafa-search and file based as with the community version there is no brick level but remember the attachment directories.

Actually I have in the past restored the database and attachments to a VM and used imapsync back to the specific user.

Any thoughts on attachment storage and the indexer? I see the indexer more important than backup ease.

I created a bulk import script that is for Openchange
https://forum.zentyal.org/index.php/topic,22477.msg86479.html#msg86479

I will do the same for Zarafa so you can quickly setup many users via a csv file.

ldap_company_type_attribute_value = organizationalUnit not really sure as I use OU's for group policies and how this works dunno.
ldap_emailaddress_attribute = mail
ldap_emailaliases_attribute = otherMailbox
Zarafa seems to suggest using zarafaAliases but otherMailbox I think is exchange compatible and Zentyal use it.
Strange really as they suggest zarafaAliases but it was set to otherMailbox.

The other stuff is the postfix and dovecot stuff. It will be possible if zarafaAccount=0 then they are a dovecot user and maybe pop on dovecot and imap on zarafa.
I have just enabled imap on zarafa but if we changed to non standard ports both could operate.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 03, 2014, 10:29:42 am
Stuart,

Ok, as regards your revised zarafa-install script, there is a problem with the setting of the "ldap_bind_user" into /etc/zarafa/ldap.cfg. I think it's probably:-

ldapuser=$(grep 'dn =' /etc/dovecot/dovecot-ldap.conf | sed -e 's/dn = "CN=\(.*\),CN=Users,DC=office,DC=zentyal,DC=lan"/\1/')

The "DC=office" certainly isn't relevant to my install. Either that or:-

sed -i "/ldap_bind_user =/c\ldap_bind_user = CN="${ldapuser}",CN=Users,"${mybasedn} /etc/zarafa/ldap.cfg

Either way the script returns (in my case):-

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
sed: can't read =: No such file or directory
sed: can't read "CN=zentyal-mail-zentyal,CN=Users,DC=ctstest,DC=lan",CN=Users,DC=ctstest,DC=lan: No such file or directory
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

If I had even a smidgen of scripting skill I'd look into that. As it is, I just manually edited /etc/zarafa/ldap.cfg with the correct ldap_bind_user value. Reboot, & all up & running.

Your "zarafa-user" script worked as intended, adding the nine zarafa attributes to the user I ran it against.
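The two sed errors reported above are consistent with the two lines quoted in the post: the first sed pattern hard-codes DC=office,DC=zentyal,DC=lan, so on another domain it matches nothing and the whole dn line passes through unchanged, and the second command expands ${ldapuser} outside the quotes, so the value is split into separate words that sed reads as file names. The sketch below is an added example, not the zarafa-install script from this thread; it copies the full quoted DN instead of rebuilding it, and the function names and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sample files and values are constructed for illustration.

# Print the bind DN from a dovecot-ldap.conf style file. The whole quoted
# value is taken, so no base DN is hard-coded in the pattern.
# The "dnpass" line is not matched because "=" must follow "dn" directly.
extract_bind_dn() {
    bind_dn=$(sed -n 's/^[[:space:]]*dn[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1)
    [ -n "$bind_dn" ] || return 1      # fail instead of passing junk on
    printf '%s\n' "$bind_dn"
}

# Rewrite the ldap_bind_user line of an ldap.cfg style file with the given DN.
set_bind_user() {
    new_dn=$1
    cfg=$2
    grep -q '^ldap_bind_user[[:space:]]*=' "$cfg" || return 1
    # Escape \, & and the | delimiter so the DN is literal in the replacement.
    esc=$(printf '%s' "$new_dn" | sed 's/[\\&|]/\\&/g')
    tmp=$(mktemp) || return 1
    # Every expansion is quoted, so spaces in the DN cannot split arguments.
    if sed "s|^ldap_bind_user[[:space:]]*=.*|ldap_bind_user = ${esc}|" "$cfg" > "$tmp"; then
        cat "$tmp" > "$cfg"            # keeps the owner and mode of the cfg file
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demonstration on constructed copies of the two files.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/dovecot-ldap.conf" <<'EOF'
# constructed sample
dn = "CN=zentyal-mail-zentyal,CN=Users,DC=ctstest,DC=lan"
dnpass = "constructed-placeholder"
base = DC=ctstest,DC=lan
EOF
    printf '%s\n' 'ldap_bind_user = placeholder' \
        'ldap_nonactive_attribute = zarafaSharedStoreOnly' > "$dir/ldap.cfg"
    if found=$(extract_bind_dn "$dir/dovecot-ldap.conf"); then
        set_bind_user "$found" "$dir/ldap.cfg" && grep '^ldap_bind_user' "$dir/ldap.cfg"
    else
        echo "no dn line found" >&2
    fi
    rm -rf "$dir"
}
demo
```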
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 03, 2014, 10:55:53 am
Doh!

Lol will get on just had to go out.

The script is recreating the full DN so I don't need to extract the user then later add to the basedn to make the full dn.

I will sort it.

Hey don't worry sed and regex expressions to extract text hate them as much as they confuse me.

Stupid mistake.

PS having your input is invaluable many thanks

"zarafa-user" script I will hack the zentyal mail functions so it works automatically through the gui.

What I will do is separate the ldif from the script and the ldif will just act as a user template for those settings.

I am going to do that this afternoon.

Zarafa search has a bug which is due to an external library and apt-get upgrade should fix things.
I use webmin as its a gui and it will force upgrades because you can select individual items.
If you have a prob its something called libkyoto(something) :)

Code: [Select]
libkyotocabinet-dev amd64 Kyoto Cabinet is a library of routines for managing a database. New version 1.2.76-4 Trusty
libkyotocabinet16 amd64 Kyoto Cabinet is a library of routines for managing a database.

You could force an upgrade but that will pull in everything.

apt-get install -f libkyotocabinet16 probably better

I suggest installing webmin and creating a network service on port 10000 and allowing on the firewall.
I turn off the automatic start and use service webmin start when I need it or is it /etc/init.d/webmin start and sometimes remember to stop it when finished
I bolt down the server after completed.
All the scripts are written through the webmin file manager copy and paste in wordpad or anything in windows has a different codepage or something, its a world of hell if you do.
There is a utility dos2unix but the above does the job.
Also Apache directory studio is just fantastic for ldap the more I use it the more I find how good it is.
In the context menu (right click) in advanced you can export any selection as ldif pairs.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 03, 2014, 04:22:32 pm
Ok, just reran your newly revised zarafa-install script on a fresh install & all good.

Just a thought (because it tripped me up until I recalled I'd missed something). How hard would it be to disable POP3, POP3S, IMAP, IMAPS in the Zentyal Mail module as part of your install script?  I know I've seen where that's set in the past but it's after midnight here & I'm not finding it.

Sleep time for me
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 03, 2014, 05:37:26 pm
Pretty easy.

There are two levels at the user and at the server. To be honest user level doesn't make an awful lot of sense to me. Guess it just stops external access.
Providing that webapp or webaccess isn't public?
/etc/zarafa/gateway.cfg
Code: [Select]
##############################################################
# GATEWAY SETTINGS

server_bind = 0.0.0.0

# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
server_socket = http://localhost:236/zarafa

# Set this value to a name to show in the logon greeting to clients.
# Leave empty to use DNS to find this name.
server_hostname =

# Whether to show the hostname in the logon greeting to clients.
server_hostname_greeting = no

# drop privileges and run the process as this user
run_as_user =

# drop privileges and run the process as this group
run_as_group =

# create a pid file for stopping the service via the init.d scripts
pid_file = /var/run/zarafa-gateway.pid

# run server in this path (when not using the -F switch)
running_path = /

# create memory coredumps upon crash in the running_path directory
coredump_enabled = no

# enable/disable POP3, and POP3 listen port
pop3_enable = yes
pop3_port = 110

# enable/disable Secure POP3, and Secure POP3 listen port
pop3s_enable = no
pop3s_port = 995

# enable/disable IMAP, and IMAP listen port
imap_enable = yes
imap_port = 143

# enable/disable Secure IMAP, and Secure IMAP listen port
imaps_enable = no
imaps_port = 993

# Only mail folder for IMAP or all subfolders (calendar, contacts, tasks, etc. too)
imap_only_mailfolders = yes

# Show Public folders for IMAP
imap_public_folders = yes

# IMAP clients may use IDLE command
imap_capability_idle = yes

# The maximum size of an email that can be uploaded to the gateway
imap_max_messagesize = 128M

# Override the e-mail charset and generate using utf-8 (when imap data is not present on the item)
imap_generate_utf8 = no

# Internally issue the expunge command to directly delete e-mail marked for deletion in IMAP.
imap_expunge_on_delete = no

# Store full rfc822 message during APPEND
imap_store_rfc822 = yes

# Maximum count of allowed failed IMAP command counts per client
imap_max_fail_commands = 10

# Disable all plaintext authentications unless SSL/TLS is used
disable_plaintext_auth = no

# File with RSA key for SSL
ssl_private_key_file = /etc/zarafa/gateway/privkey.pem

#File with certificate for SSL
ssl_certificate_file = /etc/zarafa/gateway/cert.pem

# Verify client certificate
ssl_verify_client = no

# Client verify file and/or path
ssl_verify_file =
ssl_verify_path =

# Accept SSLv2 only incoming connections
ssl_enable_v2 = no

# Process model, using pthreads (thread) or processes (fork)
process_model = fork

##############################################################
# GATEWAY LOG SETTINGS

# Logging method (syslog, file)
log_method = file

# Loglevel (0=no logging, 5=full logging)
log_level = 2

# Logfile for log_method = file, use '-' for stderr
log_file = /var/log/zarafa/gateway.log

# Log timestamp - prefix each log line with timestamp in 'file' logging mode
log_timestamp = 1

Which I'm glad you mentioned as I haven't created the certificate file

# File with RSA key for SSL
ssl_private_key_file   =   /etc/zarafa/gateway/privkey.pem

#File with certificate for SSL
ssl_certificate_file   =   /etc/zarafa/gateway/cert.pem

Also same with /etc/zarafa/ical.cfg

Code: [Select]
##############################################################
# ICAL SETTINGS

# drop privileges and run the process as this user
run_as_user =

# drop privileges and run the process as this group
run_as_group =

# create a pid file for stopping the service via the init.d scripts
pid_file = /var/run/zarafa-ical.pid

# run server in this path (when not using the -F switch)
running_path = /

# IP Address to bind to (0.0.0.0 for ANY)
server_bind = 0.0.0.0

# wether normal connections can be made to the ical server
ical_enable = yes

# port which the ical server listens on for normal connections
ical_port = 8080

# wether ssl connections can be made to the ical server
icals_enable = no

# port which the ical server listens on for ssl connections
icals_port = 8443

# default connection to the Zarafa server
# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
server_socket = http://localhost:236/zarafa

# Process model, using pthreads (thread) or processes (fork)
process_model = fork

##############################################################
# ICAL LOG SETTINGS

# Logging method (syslog, file)
log_method = file

# Loglevel (0=no logging, 5=full logging)
log_level = 2

# Logfile for log_method = file, use '-' for stderr
log_file = /var/log/zarafa/ical.log

# Log timestamp - prefix each log line with timestamp in 'file' logging mode
log_timestamp = 1

##############################################################
# ICAL SSL SETTINGS FOR INCOMING CONNECTIONS

# File with RSA key for SSL
ssl_private_key_file = /etc/zarafa/ical/privkey.pem

# File with certificate for SSL
ssl_certificate_file = /etc/zarafa/ical/cert.pem

# Verify client certificate
ssl_verify_client = no

# Client verify file and/or path
ssl_verify_file =
ssl_verify_path =

# Accept SSLv2 only incoming connections
ssl_enable_v2 = no

##############################################################
# OTHER ICAL SETTINGS

# The timezone of the system clock
server_timezone = Europe/Amsterdam

# The charset of data to expect when the client doesn't specify any
default_charset = utf-8

# Enable the iCalendar GET method for downloading calendars
enable_ical_get = yes

The services for ical I would probably add to the mail network service as they make a logical group.

Or create separate services for each protocol and use the firewall to select which are available?
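A quick way to see which of the gateway.cfg settings shown in the post above leave mail logins exposed on the wire, given as an added example rather than anything from the Zarafa or Zentyal scripts. It reads only keys that appear in that listing; the function name, the wording of the findings and the sample file are assumptions.

```shell
#!/bin/sh
# Added example: the sample file is constructed from the values in the post.

# Print one finding per line for a gateway.cfg style file; no output means
# none of the checks fired.
audit_gateway_cfg() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            cfg[key] = tolower(val)
        }
        END {
            n = split("pop3 imap", proto, " ")
            for (i = 1; i <= n; i++) {
                p = proto[i]
                if (cfg[p "_enable"] != "yes") continue
                # Plain listener is on: are password logins allowed without TLS?
                if (cfg["disable_plaintext_auth"] != "yes")
                    print p ": port " cfg[p "_port"] " accepts password logins without TLS (disable_plaintext_auth is not yes)"
                # Is there a TLS listener clients could be moved to?
                if (cfg[p "s_enable"] != "yes")
                    print p ": " p "s_enable is not yes, so there is no TLS-only listener"
            }
            if (cfg["ssl_enable_v2"] == "yes")
                print "ssl: ssl_enable_v2 is yes (SSLv2 enabled)"
        }
    ' "$1"
}

# Demonstration on a constructed file holding the values from the listing.
demo_gateway_audit() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample
pop3_enable = yes
pop3_port = 110
pop3s_enable = no
imap_enable = yes
imap_port = 143
imaps_enable = no
disable_plaintext_auth = no
ssl_enable_v2 = no
EOF
    audit_gateway_cfg "$sample"
    rm -f "$sample"
}
demo_gateway_audit
```

With the values from the listing it reports four findings, two each for POP3 and IMAP; a file with the plain listeners off, or with pop3s/imaps and disable_plaintext_auth set to yes, produces no output.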


 
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 03, 2014, 11:30:22 pm
Few changes added stored procedures in the install.

Main is separate script for ssl.

zarafa-sslkey

Will prompt you to create self cert only important part is the CN.
This should be the FQDN of the server hostname+registereddomainname

I always get confused with certs but some clients want the cn to match the server

It creates a directory /etc/zarafa/certs/

The passphrase is in with the certs.

It turns on ssl for the gateway pop3s, imaps and the server uses port 237 for ssl (236 being the normal)

Tose by any chance you can not connect to smtp lol.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 04, 2014, 01:15:41 am
Before I try the zarafa-sslkey script, did you intend for the line that copies zarafa.key to zarafa.key.web to be commented out?
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 04, 2014, 11:03:38 am
And to answer your question regarding SMTP, the answer is no. What I get is:-

5.1.0 - Unknown address error 550-'5.1.1 <test@tosi.id.au>: Recipient address rejected: User unknown in virtual mailbox table'

Stuart, I may not have too much time over the next day or 2. I'll do what I can. Just so you know.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 04, 2014, 03:00:25 pm
Yeah I just thought actually I can do that on the next line.

zarafa.key is the key with a passphrase, which causes all sorts of problems on restarts

zarafa.key.web just has the passphrase removed and should never leave the server.

I am getting similar errors and was just a little downbeat as this is the smtp side of things.

This should be purely zentyal and work as I am concerned. I will have a look :)

It seems that the smtp is trying to force a kerberos session.

Prob if you were part of the domain this would work

Lol Zarafa is almost done, now I am in a more tricky area as I have to work out the Zentyal postfix settings.

Might be because purely we are not on a client joined to the domain.

In postfix /etc/main.cf

Code: [Select]
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access pcre:/etc/postfix/helo_checks.pcre
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_checks.pcre

Not sure why I wasn't getting the fqdn as in the maillog it was just the host name of the client

so removed reject_non_fqdn_helo_hostname that and outlook now seems to work.


Code: [Select]
# Generated by Zentyal
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# require helo
smtpd_delay_reject  = yes
smtpd_helo_required = yes

strict_rfc821_envelopes = yes
disable_vrfy_command = yes

smtpd_banner = zent1.office.zentyal.lan ESMTP
biff = no

# appending .domain is the MUAs job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myorigin = /etc/mailname
myhostname = zent1.zentyal.lan
mydestination = $myorigin,$myhostname,localhost,localhost.$mydomain
smtp_helo_name = zent1.zentyal.lan
alias_maps = hash:/etc/aliases

alias_database = hash:/etc/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

relayhost =



mynetworks = 127.0.0.0/8

message_size_limit = 0
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Aliases
virtual_alias_domains = $virtual_alias_maps
virtual_alias_maps = ldap:/etc/postfix/valiases.cf,ldap:/etc/postfix/useraliases.cf,ldap:/etc/postfix/groupaliases.cf

# Virtual Domains
dovecot_destination_recipient_limit = 1
virtual_transport = lmtp:127.0.0.1:2003
virtual_mailbox_base = /var/vmail/
virtual_mailbox_maps= ldap:/etc/postfix/mailbox.cf

virtual_mailbox_domains = ldap:/etc/postfix/vdomains.cf

virtual_minimum_uid = 100
virtual_uid_maps = static:108
virtual_gid_maps = static:114

# TLS/SSL
smtpd_use_tls = yes
smtpd_tls_key_file  = /etc/postfix/sasl/postfix.pem
smtpd_tls_cert_file = /etc/postfix/sasl/postfix.pem
#smtpd_tls_loglevel = 0

# recipient restrictions
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access pcre:/etc/postfix/helo_checks.pcre
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_checks.pcre

submission_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject
smtpd_restriction_classes = submission_recipient_restrictions

# SASL authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =  $myorigin
broken_sasl_auth_clients = yes

smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/login.cf


Dunno really always expected this bit to work.

The zarafa part is working and so is receiving, use webapp for now.

I guess I can just rewrite the postfix settings and just create them on a hook.

Do you want lan only clients or is this internal and external mail clients as forcing kerberos isn't going to work. Unless via a vpn and logon.
Title: Re: Zarafa & Zentyal 3.5
Post by: tose on August 05, 2014, 08:09:54 pm
I don't really care about POP or IMAP. I don't even care about Outlook clients. Webapp is my main thing, so no disaster from my point of view.

At the end of the day I've already learned a lot & it's a win already for me from that perspective too.

I have to go away for a week in a day or 2. So won't be around to do any testing but will follow the thread & keep feedback going. Hoping we can hang in there and get something sorted for all your work so far.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 05, 2014, 08:31:15 pm
To be honest I am exactly the same.

Centralised install once web based systems why do I want client installs, expensive and time consuming.

So web app works strange thing is that the zentyal mail module on its own now doesn't work and I guess this is another that Zentyal is Openchange only?

Haven't had a look further stopped there.

If anybody else would like to have a look at why postfix is setup so please do.

many thanks tose.

Next is to hide all those horrid system accounts

Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 09, 2014, 03:03:30 am
Install Zentyal Samba, web server & mail.

Allow ssl and create your vmail domain & virtual domain.

Turn off all pop, imap services in mail so its just running smtp

As root

./zarafa-install
./zarafa-sslkey

or

bash zarafa-install
bash zarafa-sslkey

cn to match mail server fqdn

Reboot

Add your users in Zentyal.

In network create a service Zarafa

Add the ports in the attached picture Zarafa-Services

Enable in firewall up to you internal/external

To update zentyal accounts to allow zarafa accounts

./zarafa-user 'user-cn'

or

bash zarafa-user 'user-cn'

The user cn will be 'givenname surname'

Just a slight update with smtp working.
Title: Re: Zarafa & Zentyal 3.5
Post by: StuartNaylor on August 09, 2014, 07:10:32 am
If you have many users and can export them to csv

Zarafa-bulk-users uses users.csv to bulk import zentyal/mail users.
Read users.csv for format

zarafa-hide will hide users/groups from addressbook.

Haven't added OU's but maybe another time

You can add other OU's and contacts through the Zentyal User manager

http://clearsdn.clearcenter.com/zarafa-tools/7.1.8/  ::)