Reconfigure ZEG v3.0.2 into a usable non-test system

ZEG v3.0.2 is a great pre-built VM for you to test SOGo, but it is already set up for the example.com domain. While this is fine for testing, I wanted to reconfigure it as a usable, proper email server. Through a lot of trial and error, and 4 reinstalls(!) of the VM, I managed to get a working system for my own domain name.

Please note this is specifically for v3.0.2; other versions may differ. The locale steps below are for UK English, so adjust them for your own locale.

Below is a list of steps to take in order to remove the example set up, and reconfigure it for your own domain:

Phase 1

  1. Install into VirtualBox and, if the server is to be reachable from beyond the host, change the NIC from "NAT" to "Bridged"
  2. Remove the "vagrant" shared folder: it won't exist on your host and the VM will throw an error at boot
  3. Boot the VM, log in as sogo and run sudo bash so you have a root shell to make changes

  4. Change the sogo password to something more secure (passwd). The default ships with a publicly downloadable image, so treat it as known to everyone
  5. Edit /etc/network/interfaces.d/eth0.cfg and add your static IP address details etc. IPv6 configuration also works on this image. See this page for syntax

  6. Change the timezone if the image's default isn't yours: dpkg-reconfigure tzdata

  7. Reboot

Phase 2

  1. Log in and sudo bash so you can make changes

  2. apt-get update - Get new repository details

  3. apt-get upgrade - Update installed programs from repository

  4. apt-get install rpl console-data - Install rpl (the string replacement tool used in Phase 3) and console-data (console keymaps for the keyboard step below)

  5. locale-gen en_GB - Generate (UK) locale

  6. locale-gen en_GB.UTF-8 - Generate UTF-8 (UK) locale

  7. dpkg-reconfigure keyboard-configuration - Choose localized keyboard (if required)

  8. rpl 'en_US.UTF-8' 'en_GB.UTF-8' /etc/default/locale - Make the change permanent (if required)

  9. update-rc.d chef-client disable - Disable chef (I don't use it)

  10. update-rc.d puppet disable - Disable puppet (I don't use this either)

  11. apt-get install htop sysv-rc-conf - Not essential, but useful

  12. Reboot

Phase 3

The following section is the most complicated. There may be easier ways to do this, but I have not found it yet. Anyway, it's scriptable, so it's not a big deal now that I've figured it out. Note: this will break any configuration you have already done for the example.com domain.

Firstly, stop the services:

/etc/init.d/sogo stop
/etc/init.d/samba stop
service postfix stop

To make things generic (and save repetition), I've separated my details from the commands entered, so configure some shell variables for use later. They only live in the current root shell, so set them again after any reboot (Phase 4 uses them after the reboot at the end of this phase):

DNSSERVERS='<DNS IP1> <DNS IP2>'
DOMAINNAME=mynewdomain.com
HOSTNAME=mail
BASEDN='dc=mynewdomain,dc=com'
NETBIOSDOMAIN=MYNEWDOMAIN
TZ='Europe/London'

Note NETBIOSDOMAIN needs to be 15 characters or less, DNSSERVERS must be quoted because the value contains a space, and BASEDN must be the dc= form of DOMAINNAME (one dc= component per label), or the LDAP lookups in the services below will not match what Samba provisions in Phase 4.

Replace various strings in config files. The replacement strings must be in double quotes, not single quotes: the shell does not expand variables inside single quotes, so '$DOMAINNAME' would write that literal text into the file instead of your domain.

rpl '8.8.4.4' "$DNSSERVERS" /etc/samba/smb.conf
rpl 'example.com' "$DOMAINNAME" /etc/samba/smb.conf
rpl 'EXAMPLE' "$NETBIOSDOMAIN" /etc/samba/smb.conf
rpl 'example.com' "$DOMAINNAME" /etc/mailname
rpl 'sogo.example.com' "$HOSTNAME.$DOMAINNAME" /etc/postfix/main.cf
rpl 'dc=example,dc=com' "$BASEDN" /etc/postfix/people.ldap
rpl 'dc=example,dc=com' "$BASEDN" /etc/saslauthd.conf
rpl 'sogo.example.com sogo' "$HOSTNAME.$DOMAINNAME $HOSTNAME" /etc/hosts
rpl 'dc=example,dc=com' "$BASEDN" /etc/sogo/sogo.conf
rpl 'America/Montreal' "$TZ" /etc/sogo/sogo.conf
rpl 'root@example.com' "root@$DOMAINNAME" /etc/dovecot/dovecot.conf
rpl 'dc=example,dc=com' "$BASEDN" /etc/dovecot/dovecot-ldap-ZEG.conf.ext
echo "$HOSTNAME" > /etc/hostname

Reboot

Phase 4

Now you can provision your new domain. The shell variables from Phase 3 are gone after the reboot, so set DOMAINNAME again first:

samba-tool domain provision
openchange_provision --realm=$DOMAINNAME

Make sure that the details you enter here are the same as the details you entered above in Phase 3. So long as you don't get any errors, the system is now ready to create users. When you create users (via the Configuration web page Account Provisioning instructions), the username has to be in the format of the email address you want to use. Also, you may need to use the following command:

samba-tool domain passwordsettings set --max-pwd-age=0

as the "--noexpiry" option used when creating users only stops the account itself from expiring; the password of the account used for the LDAP bind may still expire, and when it does every service that binds with it (SOGo, Dovecot, Postfix, saslauthd) stops authenticating at once. Note that the command above disables password expiry for the whole domain. If you would rather keep expiry for real users, set "password never expires" (the DONT_EXPIRE_PASSWD flag in userAccountControl) on the bind account only.

Security

Please note that I have only done a minimal amount to secure the server. If it is going to be internet-facing, more reconfiguration should be done. E.g. make Samba (and so its LDAP port) only listen on localhost, since the only LDAP clients are SOGo, Dovecot, Postfix and saslauthd on this same box:

[global]
  interfaces = lo
  bind interfaces only = yes

Both lines are needed: on its own "interfaces" only governs NetBIOS traffic, and Samba only restricts its listening sockets once "bind interfaces only" is set. This also stops Samba serving SMB, Kerberos and DNS to other hosts, which is fine for this single-box setup. Restart samba afterwards and confirm that ports 389 and 636 are listening on 127.0.0.1 only.

Also change the LDAP bind password to something that isn't the default OpenChange one. Every file that binds with it must be updated consistently or authentication breaks: look for bindPassword in /etc/sogo/sogo.conf, dnpass in /etc/dovecot/dovecot-ldap-ZEG.conf.ext, bind_pw in /etc/postfix/people.ldap and ldap_bind_pw in /etc/saslauthd.conf, then restart those services. Each of those files holds the password in clear text, so check their permissions too.
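The loopback check above, as an added example that is not part of the original page: a small smb.conf reader that pulls a key out of the [global] section (stopping at the next section, ignoring ; and # comments, matching keys case-insensitively the way Samba does) and a predicate that passes only when both settings are present and every listed interface is loopback. The two fragments it runs on are constructed; Samba's own default, with neither setting, is to listen on every interface.

```sh
#!/bin/sh
# Added example, not from the original page: check whether a smb.conf [global]
# section restricts Samba (and so its LDAP port) to the loopback interface.
# Assumes POSIX sh + awk; the smb.conf fragments below are constructed.

# Print the value of KEY from the [global] section of FILE (empty if unset).
# Handles "key = value" with arbitrary spacing, skips ; and # comments, and
# stops at the next [section] so a value in a share is never picked up.
smb_global_value() {
    file=$1 key=$2
    awk -v key="$key" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        inglobal && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$file"
}

# Returns 0 only if "bind interfaces only" is on and every listed interface is
# loopback (lo or 127.x).  Samba only restricts its listening sockets to the
# "interfaces" list when "bind interfaces only" is set, hence both checks.
samba_loopback_only() {
    file=$1
    bio=$(smb_global_value "$file" "bind interfaces only" | tr 'A-Z' 'a-z')
    [ "$bio" = yes ] || [ "$bio" = true ] || [ "$bio" = 1 ] || return 1
    ifaces=$(smb_global_value "$file" interfaces)
    [ -n "$ifaces" ] || return 1
    for i in $ifaces; do
        case $i in
            lo|lo/*|127.*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# ---- constructed fragments: without the two settings, and with them ----
work=$(mktemp -d)
cat > "$work/smb.conf.open" <<'EOF'
[global]
    workgroup = MYNEWDOMAIN
    realm = mynewdomain.com
    dns forwarder = 192.0.2.53
EOF
cat > "$work/smb.conf.hardened" <<'EOF'
[global]
    workgroup = MYNEWDOMAIN
    realm = mynewdomain.com
    dns forwarder = 192.0.2.53
    ; only SOGo, Dovecot, Postfix and saslauthd on this box talk to LDAP
    interfaces = lo 127.0.0.1
    bind interfaces only = yes
[sysvol]
    path = /var/lib/samba/sysvol
EOF

for f in "$work/smb.conf.open" "$work/smb.conf.hardened"; do
    if samba_loopback_only "$f"; then
        echo "$f: Samba bound to loopback only"
    else
        echo "$f: WARNING, Samba will accept connections on all interfaces"
    fi
done
```

On the live box, run it against /etc/samba/smb.conf and, after restarting samba, cross-check with ss -ltnp | grep -E ':(389|636) ' that every LDAP listener shows a 127.0.0.1 address; the config check catches a typo, the socket listing catches a config that was never reloaded.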

SSL

I used this link to create a new CA and server certificate, but anything similar will work. There are specific instructions for adding custom non-root certificates on mobile devices, which is out of scope of these instructions.

If you want HTTPS only (recommended), comment out Listen 80 in /etc/apache2/ports.conf, enable mod_ssl (a2enmod ssl) and add the following into /etc/apache2/sites-enabled/000-default.conf in the VirtualHost section, which must then be <VirtualHost *:443> rather than *:80:

SSLEngine On
SSLProtocol all -SSLv3
SSLCipherSuite <Your List of preferred Ciphers>
SSLHonorCipherOrder On
SSLCertificateFile /etc/apache2/xxxxx.crt
SSLCertificateKeyFile /etc/apache2/xxxxx.key

Two caveats: "all -SSLv3" still leaves TLS 1.0 and 1.1 enabled, so add -TLSv1 -TLSv1.1 to that line if your mail and calendar clients support TLS 1.2; and the private key file must be readable by root only (Apache opens it before dropping privileges). If your CA issued an intermediate certificate, also point SSLCertificateChainFile at it so clients can build the chain.

Even though SOGo works on HTTP without Apache config changes, to enable SSL you need to follow the 5.16. Apache Configuration instructions (substituting 443 for 80 and https for http, obviously) and add it to the VirtualHost section of 000-default.conf. SOGo builds the links and redirects it sends to the browser from the x-webobjects-server-url, x-webobjects-server-port and x-webobjects-server-name request headers set there, so if they still say http and 80, logging in via HTTPS bounces you back to an HTTP URL.
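A static lint for the Apache settings described above, added as an example and not taken from the original page. It reads the directives out of a vhost file, expands an SSLProtocol list the way Apache does ("all" then minus/plus tokens; TLS 1.3 is assumed absent, as on an Apache 2.4 release of this image's era), reports which deprecated versions are still on, and checks ports.conf for a live Listen 80. The two vhost fragments and the ports.conf it runs on are constructed: one is the page's directives as written, the other the TLS 1.2-only version.

```sh
#!/bin/sh
# Added example, not from the original page: static lint of the Apache TLS
# directives and the port-80 listener.  Assumes POSIX sh + awk.  The vhost and
# ports.conf fragments below are constructed; on the real box the files are
# /etc/apache2/sites-enabled/000-default.conf and /etc/apache2/ports.conf.

# Print the arguments of the first uncommented occurrence of an Apache directive
apache_directive() {
    file=$1 name=$2
    awk -v name="$name" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$file"
}

# Expand an SSLProtocol argument list into the protocols it leaves enabled.
# "all" is SSLv3 TLSv1 TLSv1.1 TLSv1.2 (Apache 2.4 without TLSv1.3 support,
# assumed here); "-X" removes X, "+X" or a bare "X" adds it.
enabled_protocols() {
    enabled=""
    for tok in $1; do
        case $tok in
            all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
            -all)     enabled="" ;;
            -*)       drop=${tok#-}; kept=""
                      for p in $enabled; do [ "$p" = "$drop" ] || kept="$kept $p"; done
                      enabled=${kept# } ;;
            *)        add=${tok#+}
                      case " $enabled " in
                          *" $add "*) ;;
                          *) enabled="${enabled:+$enabled }$add" ;;
                      esac ;;
        esac
    done
    printf '%s' "$enabled"
}

# Print one line per weak or missing TLS setting in a vhost file
tls_findings() {
    file=$1
    [ "$(apache_directive "$file" SSLEngine | tr 'A-Z' 'a-z')" = on ] \
        || echo "SSLEngine is not On"
    sp=$(apache_directive "$file" SSLProtocol)
    [ -n "$sp" ] || sp=all    # absent directive: assume the old Apache default "all"
    protos=$(enabled_protocols "$sp")
    for weak in SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in
            *" $weak "*) echo "$weak still enabled by 'SSLProtocol $sp'" ;;
        esac
    done
    [ "$(apache_directive "$file" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = on ] \
        || echo "SSLHonorCipherOrder is not On (the client picks the cipher)"
    [ -n "$(apache_directive "$file" SSLCipherSuite)" ] \
        || echo "SSLCipherSuite is not set (placeholder never filled in)"
}

# Number of findings as a plain integer
tls_finding_count() {
    tls_findings "$1" | awk 'END { print NR }'
}

# True when no uncommented "Listen 80" (or "*:80", "[::]:80") remains
http_listener_disabled() {
    ! awk '/^[ \t]*#/ { next }
           tolower($1) == "listen" && ($2 == "80" || $2 ~ /:80$/) { found = 1 }
           END { exit !found }' "$1"
}

# ---- constructed fragments: the page's directives as written, and hardened ----
work=$(mktemp -d)
cat > "$work/vhost.asis.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine On
    SSLProtocol all -SSLv3
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/apache2/xxxxx.crt
    SSLCertificateKeyFile /etc/apache2/xxxxx.key
</VirtualHost>
EOF
cat > "$work/vhost.hardened.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine On
    # TLS 1.2 only: "all -SSLv3" on its own keeps TLSv1 and TLSv1.1
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/apache2/xxxxx.crt
    SSLCertificateKeyFile /etc/apache2/xxxxx.key
</VirtualHost>
EOF
printf '# Listen 80\n<IfModule ssl_module>\n    Listen 443\n</IfModule>\n' > "$work/ports.conf"

for f in "$work/vhost.asis.conf" "$work/vhost.hardened.conf"; do
    echo "$f: $(tls_finding_count "$f") finding(s)"; tls_findings "$f"
done
http_listener_disabled "$work/ports.conf" && echo "ports.conf: plain HTTP listener is off"
```

This only reads the files; it does not prove what the running server negotiates, so after restarting Apache still confirm from another host with openssl s_client (for instance with -tls1 and -tls1_1, which should now be refused).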

If you have any questions, feel free to email me on Chris[dot]Clemson[at]GoGreenIT[dot]Net