Proxy for controlling user acces to Sogo

Contents

  1. Proxy for controlling user acces to Sogo
    1. Introduction
    2. Architecture Overview
    3. Installation of the needed packages
    4. Sogo's Settings
    5. More far by restricting external access to the Imap and Smtp services

Introduction

Often companies want to restrict the access to their groupware from the external (public side) and allow just few users or named users. We will do that by setting a proxy who will check if the user who try to access to the groupware is in a specific group.

Architecture Overview

there are a server (called SOGOSERVER ) who sogo is already configurated and running. Internal users access directly on this server without restriction. In this study case Sogo's database is Postgresql but could be adapted to another Database. The authentication is made to an LDAP server (in this study case openldap) but could be ported on another ldap server, even Microsoft Active Directory. The users who are in the public side will access to Sogo by a Proxy Frontend (called SOGOPROXY).This proxy will verify if the user belongs to a group, if yes the user could connect, if not it couldn't. SOGOPROXY could be in a DMZ and SOGOSERVER in the trusted network.

users coming from the internal zone will log on SOGOSERVER and who come from the public side will be redirected on SOGOPROXY

In this study case the SOGOPROXY server is set on a debian 7.x and there are already a Sogo server who is set with LDAP as authentication.

Installation of the needed packages

First we must to install Sogo in the proxy (SOGOPROXY) but without the database

1. Install Sogo (only sogo not the database part)

2. Install Xinetd ( Sogo don t know to access other another IP than the loopback to the database) it will serve at forwarder

3. Install Nginx (or Apache)

Sogo's Settings

1. Create a LDAP group in your LDAP server

In this documentation the LDAP group who will filter the user will be called cn=external access,dc=example,dc=com

LDIF entry :

cn=external access,dc=example,dc=com
cn=external access
member: uid=alain dupont,dc=example,dc=com
objectclass: groupOfNames

2 Settings for Xinetd

create a file in /etc/xinetd.d called postgres (change SOGOSERVER by the IP or the hostname of your sogoserver)

service postgresql
{

  • socket_type =stream
    wait =no
    user = root
    redirect = SOGOSERVER 5432
    bind = 127.0.0.1

}

3 Copy /etc/sogo/sogo.conf from SOGOSERVER

add in the soho.conf the restrition by group in the source section

filter="memberOf='cn=external access,dc=example,dc=com'";

Modify the values of the hosts to reflect the configuration (ldap server, Imap server, Sieve Server) must set to SOGOSERVER.

In this way we will redirect all request made for the loopback to the SOGOSERVER

4 Nginx configuration on SOGOPROXY

This is the same as a server see :

5 On SOGOSERVER set the ACL on the database for allowing SOGOPROXY to connect

Modify the file : /etc/postgresql/8.4/main/postgresql.conf

replace isten_addresses = 'localhost' by listen_addresses = '*'

Modify file : /etc/postgresql/8.4/main/pg_hba.conf

Add the line : host sogo sogo SOGOPROXY/32 md5

Restart postgres

Restart ALL

You should be able to access to SOGo web interface if you are in the group

More far by restricting external access to the Imap and Smtp services

Coming soon ...

CategoryCategory