Reconfigure ZEG v3.0.2 into a usable non-test system
ZEG v3.0.2 is a great pre-built VM for you to test SOGo, but it is already set up for the domain @example.com. While this is fine for testing, I wanted to reconfigure it as a usable proper email server. Through a lot of trial and error, and 4 reinstalls(!) of the VM, I managed to get a working system for my own domain name.
Please note this is specifically for v3.0.2; other versions may differ, and I reconfigure the locale for UK English use.
Below is a list of steps to take in order to remove the example setup and reconfigure it for your own domain:
Phase 1
- Install into VirtualBox, and change the NIC from "NAT" to "Bridged" if you want it to be internet-accessible
- Remove the "vagrant" shared folder, as it won't exist and will throw an error
- Boot the VM, log in as sogo and run sudo bash so you can make changes
- Change the sogo password to something more secure
- Edit /etc/network/interfaces.d/eth0.cfg and add your static IP address details etc. IPv6 configuration also works on this image. See this page for syntax
- Change the timezone if you're not in the US: dpkg-reconfigure tzdata
- Reboot
Phase 2
- Log in and run sudo bash so you can make changes
- apt-get update - Get new repository details
- apt-get upgrade - Update installed programs from the repository
- apt-get install rpl console-data - Install the string replacement command (rpl) and the locale changer helper
- locale-gen en_GB - Generate the (UK) locale
- locale-gen en_GB.UTF-8 - Generate the UTF-8 (UK) locale
- dpkg-reconfigure keyboard-configuration - Choose a localized keyboard (if required)
- rpl 'en_US.UTF-8' 'en_GB.UTF-8' /etc/default/locale - Make the locale change permanent (if required)
- update-rc.d chef-client disable - Disable chef (I don't use it)
- update-rc.d puppet disable - Disable puppet (I don't use this either)
- apt-get install htop sysv-rc-conf - Not essential, but useful
- Reboot
Phase 3
The following section is the most complicated. There may be easier ways to do this, but I have not found them yet. Anyway, it's scriptable, so it's not a big deal now that I've figured it out. Note: this will break any config you have done for the example.com domain.
Firstly, stop the services:
/etc/init.d/sogo stop
/etc/init.d/samba stop
service postfix stop
To make things generic (and save repetition), I've separated my details from the commands entered, so configure some environment variables for use later (DNSSERVERS holds two values, so it must be quoted):
DNSSERVERS='<DNS IP1> <DNS IP2>'
DOMAINNAME=mynewdomain.com
HOSTNAME=mail
BASEDN='dc=mynewdomain,dc=com'
NETBIOSDOMAIN=MYNEWDOMAIN
TZ='Europe/London'
Note NETBIOSDOMAIN needs to be 15 characters or fewer.
Replace various strings in the config files. The variables are in double quotes so that the shell expands them; in single quotes the literal text $DOMAINNAME would be written into the files:
rpl '8.8.4.4' "$DNSSERVERS" /etc/samba/smb.conf
rpl 'example.com' "$DOMAINNAME" /etc/samba/smb.conf
rpl 'EXAMPLE' "$NETBIOSDOMAIN" /etc/samba/smb.conf
rpl 'example.com' "$DOMAINNAME" /etc/mailname
rpl 'sogo.example.com' "$HOSTNAME.$DOMAINNAME" /etc/postfix/main.cf
rpl 'dc=example,dc=com' "$BASEDN" /etc/postfix/people.ldap
rpl 'dc=example,dc=com' "$BASEDN" /etc/saslauthd.conf
rpl 'sogo.example.com sogo' "$HOSTNAME.$DOMAINNAME $HOSTNAME" /etc/hosts
rpl 'dc=example,dc=com' "$BASEDN" /etc/sogo/sogo.conf
rpl 'America/Montreal' "$TZ" /etc/sogo/sogo.conf
rpl 'root@example.com' "root@$DOMAINNAME" /etc/dovecot/dovecot.conf
rpl 'dc=example,dc=com' "$BASEDN" /etc/dovecot/dovecot-ldap-ZEG.conf.ext
echo "$HOSTNAME" > /etc/hostname
Reboot
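The Phase 3 replacements as one script, added here as an example rather than taken from the ZEG image or the SOGo project. It derives BASEDN from the domain name, enforces the 15-character NetBIOS limit, keeps a backup of every file before editing it, and uses bash's literal string substitution in place of rpl; ROOT is an assumed prefix so the whole thing can be rehearsed on a copy of /etc before touching the real one.

```bash
#!/usr/bin/env bash
# Added example, not part of the ZEG image or the SOGo project: Phase 3 as one
# function. Replacements are literal (bash "${var//"from"/"to"}") rather than
# the page's rpl, every file is backed up once as FILE.zeg-orig before it is
# touched, BASEDN is derived from the domain, and ROOT (hypothetical) is a
# prefix so the script can be tried on a copy of /etc before the real one.

derive_basedn() {            # mynewdomain.com -> dc=mynewdomain,dc=com
    printf 'dc=%s' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

check_netbios_name() {       # the page's rule: 15 characters or fewer
    [ "${#1}" -ge 1 ] && [ "${#1}" -le 15 ]
}

replace_in_file() {          # replace_in_file FROM TO FILE
    local from=$1 to=$2 file=$3 content
    [ -f "$file" ] || { echo "missing config file: $file" >&2; return 1; }
    [ -f "$file.zeg-orig" ] || cp -p "$file" "$file.zeg-orig"
    content=$(cat "$file")
    printf '%s\n' "${content//"$from"/"$to"}" > "$file"
}

# reconfigure DOMAINNAME HOSTNAME NETBIOSDOMAIN "DNS IP1 DNS IP2" TZ [ROOT]
reconfigure() {
    local domain=$1 host=$2 nb=$3 dns=$4 tz=$5 root=${6:-} basedn from to file
    check_netbios_name "$nb" || { echo "NETBIOSDOMAIN must be 1-15 chars" >&2; return 1; }
    basedn=$(derive_basedn "$domain")
    # same edits, in the same order, as the rpl commands above
    while IFS='|' read -r from to file; do
        replace_in_file "$from" "$to" "$root$file" || return 1
    done <<EOF
8.8.4.4|$dns|/etc/samba/smb.conf
example.com|$domain|/etc/samba/smb.conf
EXAMPLE|$nb|/etc/samba/smb.conf
example.com|$domain|/etc/mailname
sogo.example.com|$host.$domain|/etc/postfix/main.cf
dc=example,dc=com|$basedn|/etc/postfix/people.ldap
dc=example,dc=com|$basedn|/etc/saslauthd.conf
sogo.example.com sogo|$host.$domain $host|/etc/hosts
dc=example,dc=com|$basedn|/etc/sogo/sogo.conf
America/Montreal|$tz|/etc/sogo/sogo.conf
root@example.com|root@$domain|/etc/dovecot/dovecot.conf
dc=example,dc=com|$basedn|/etc/dovecot/dovecot-ldap-ZEG.conf.ext
EOF
    printf '%s\n' "$host" > "$root/etc/hostname"
}
# On the VM, as root and with sogo/samba/postfix stopped (no ROOT => real /etc):
#   reconfigure mynewdomain.com mail MYNEWDOMAIN '<DNS IP1> <DNS IP2>' Europe/London
```

If anything goes wrong, the .zeg-orig copies are the untouched example.com files, so you can put them back instead of reinstalling the VM.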
Phase 4
Now you can provision your new domain. The shell variables from Phase 3 do not survive the reboot, so set DOMAINNAME again first:
samba-tool domain provision
openchange_provision --realm=$DOMAINNAME
Make sure that the details you enter here (realm, domain and DNS forwarder) are the same as the details you entered above in Phase 3. So long as you don't get any errors, the system is now ready to create users. When you create users (via the Configuration web page Account Provisioning instructions), the username has to be in the format of the email address you want to use. Also, you may need to use the following command:
samba-tool domain passwordsettings set --max-pwd-age=0
as the "--noexpiry" option when creating users is fine, but the account used for the LDAP bind may still expire!
Security
Please note that I have only done a minimal amount to secure the server. If it is going to be internet-facing, more reconfiguration should be done, e.g. make the Samba LDAP service listen only on localhost by adding the following to /etc/samba/smb.conf:
[global]
interfaces = lo
bind interfaces only = yes
and change the LDAP auth password to something that isn't the default OpenChange one. After restarting Samba, check with ss -ltn (or netstat -ltn) that port 389 is bound to 127.0.0.1 and no longer to 0.0.0.0.
SSL
I used this link to create a new CA and server certificate, but anything similar will work. There are specific instructions for adding custom non-root certificates on mobile devices, which is out of scope of these instructions.
If you want HTTPS only (recommended), comment out Listen 80 in /etc/apache2/ports.conf and add the following into /etc/apache2/sites-enabled/000-default.conf in the VirtualHost section:
SSLEngine On
SSLProtocol all -SSLv3
SSLCipherSuite <Your List of preferred Ciphers>
SSLHonorCipherOrder On
SSLCertificateFile /etc/apache2/xxxxx.crt
SSLCertificateKeyFile /etc/apache2/xxxxx.key
(TLS 1.0 and 1.1 have since been deprecated too, so if your clients allow it, add -TLSv1 -TLSv1.1 to the SSLProtocol line as well.)
Even though SOGo works on HTTP without Apache config changes, to enable SSL you need to follow the 5.16. Apache Configuration instructions (substituting 443 for 80 and https for http, obviously) and add them to the VirtualHost section of 000-default.conf. SOGo builds its redirect URLs from the x-webobjects-server-url and x-webobjects-server-port request headers that this configuration sets, so if it is not done and you log in via HTTPS, it changes the URL to HTTP.
If you have any questions, feel free to email me on Chris[dot]Clemson[at]GoGreenIT[dot]Net