sogo installation guide

Installation and Configuration Guide for version 2.2.9

  • Installation and Configuration Guide Version 2.2.9 - September 2014

    Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

    The fonts used in this guide are licensed under the SIL Open Font License, Version 1.1. This license is available with a FAQ at: http://scripts.sil.org/OFL

    Copyright Łukasz Dziedzic, http://www.latofonts.com, with Reserved Font Name: "Lato".

    Copyright Raph Levien, http://levien.com/, with Reserved Font Name: "Inconsolata".

  • Table of Contents

    About this Guide
    Introduction
      Architecture and Compatibility
    System Requirements
      Assumptions
      Minimum Hardware Requirements
      Operating System Requirements
    Installation
      Software Downloads
      Software Installation
    Configuration
      GNUstep Environment Overview
      Preferences Hierarchy
      General Preferences
      Authentication using LDAP
      LDAP Attributes Indexing
      LDAP Attributes Mapping
      Authenticating using C.A.S.
      Authenticating using SAML2
      Database Configuration
      Authentication using SQL
      SMTP Server Configuration
      IMAP Server Configuration
      Web Interface Configuration
      SOGo Configuration Summary
      Multi-domains Configuration
      Apache Configuration
      Starting Services
      Cronjob EMail reminders
      Cronjob Vacation messages expiration
    Managing User Accounts
      Creating the SOGo Administrative Account
      Creating a User Account
    Microsoft ActiveSync
    Using SOGo
      SOGo Web Interface
      Mozilla Thunderbird and Lightning
      Apple iCal
      Apple AddressBook
      Microsoft ActiveSync / Mobile Devices
    Upgrading
    Additional Information
    Commercial Support and Contact Information

  • Chapter 1

    About this Guide

    This guide will walk you through the installation and configuration of the SOGo solution. It also covers the installation and configuration of SOGo ActiveSync support, the solution used to synchronize mobile devices with SOGo.

    The instructions are based on version 2.2.9 of SOGo.

    The latest version of this guide is available at http://www.sogo.nu/downloads/documentation.html.

  • Chapter 2

    Introduction

    SOGo is a free and modern scalable groupware server. It offers shared calendars, address books, and emails through your favourite Web browser and by using a native client such as Mozilla Thunderbird and Lightning.

    SOGo is standard-compliant. It supports CalDAV, CardDAV, GroupDAV, iMIP and iTIP and reuses existing IMAP, SMTP and database servers - making the solution easy to deploy and interoperable with many applications.

    SOGo features:

    - Scalable architecture suitable for deployments from dozens to many thousands of users
    - Rich Web-based interface that shares the look and feel, the features and the data of Mozilla Thunderbird and Lightning
    - Improved integration with Mozilla Thunderbird and Lightning by using the SOGo Connector and the SOGo Integrator
    - Native compatibility for Microsoft Outlook 2003, 2007, 2010, and 2013
    - Two-way synchronization support with any Microsoft ActiveSync-capable device, or Outlook 2013

    SOGo is developed by a community of developers located mainly in North America and Europe. More information can be found at http://www.sogo.nu/

    Architecture and Compatibility

    Standard protocols such as CalDAV, CardDAV, GroupDAV, HTTP, IMAP and SMTP are used to communicate with the SOGo platform or its sub-components. Mobile devices supporting the Microsoft ActiveSync protocol are also supported.

    To install and configure the native Microsoft Outlook compatibility layer, please refer to the SOGo Native Microsoft Outlook Configuration Guide.

  • Chapter 3

    System Requirements

    Assumptions

    SOGo reuses many components in an infrastructure. Thus, it requires the following:

    - Database server (MySQL, PostgreSQL or Oracle)
    - LDAP server (OpenLDAP, Novell eDirectory, Microsoft Active Directory and others)
    - SMTP server (Postfix, Sendmail and others)
    - IMAP server (Courier, Cyrus IMAP Server, Dovecot and others)

    In this guide, we assume that all those components are running on the same server (i.e., localhost or 127.0.0.1) that SOGo will be installed on.

    Good understanding of those underlying components and GNU/Linux is required to install SOGo. If you miss some of those required components, please refer to the appropriate documentation and proceed with the installation and configuration of these requirements before continuing with this guide.

    The following table provides recommendations for the required components, together with version numbers:

    Database server    PostgreSQL 7.4 or later
    LDAP server        OpenLDAP 2.3.x or later
    SMTP server        Postfix 2.x
    IMAP server        Cyrus IMAP Server 2.3.x or later

    More recent versions of the software mentioned above can also be used.

    Minimum Hardware Requirements

    The following table provides hardware recommendations for the server, desktops and mobile devices:

    Server
      Evaluation and testing
        - Intel, AMD, or PowerPC CPU 1 GHz
        - 512 MB of RAM
        - 1 GB of disk space
      Production
        - Intel, AMD or PowerPC CPU 3 GHz
        - 2048 MB of RAM
        - 10 GB of disk space (excluding the mail store)

    Desktop
      General
        - Intel, AMD, or PowerPC CPU 1.5 GHz
        - 1024x768 monitor resolution
        - 512 MB of RAM
        - 128 Kbps or higher network connection
      Microsoft Windows
        - Microsoft Windows XP SP2 or Vista
      Apple Mac OS X
        - Apple Mac OS X 10.2 or later
      Linux
        - Your favourite GNU/Linux distribution

    Mobile Device
      Any mobile device which supports CalDAV, CardDAV or Microsoft ActiveSync.

    Operating System Requirements

    The following 32-bit and 64-bit operating systems are currently supported by SOGo:

    - Red Hat Enterprise Linux (RHEL) Server 5 and 6
    - Community ENTerprise Operating System (CentOS) 5 and 6
    - Debian GNU/Linux 5.0 (Lenny) to 7.0 (Wheezy)
    - Ubuntu 10.04 (Lucid) to 14.04 (Trusty)

    Make sure the required components are started automatically at boot time and that they are running before proceeding with the SOGo configuration. Also make sure that you can install additional packages from your standard distribution. For example, if you are using Red Hat Enterprise Linux 5, you have to be subscribed to the Red Hat Network before continuing with the SOGo software installation.

    This document covers the installation of SOGo under RHEL 6.

    For installation instructions on Debian and Ubuntu, please refer directly to the SOGo website at http://www.sogo.nu/. Under the downloads section, you will find links for installation steps for Debian and Ubuntu.

    Note that once the SOGo packages are installed under Debian and Ubuntu, this guide can be followed in order to fully configure SOGo.

  • Chapter 4

    Installation

    This section will guide you through the installation of SOGo together with its dependencies. The steps described here apply to an RPM-based installation for a Red Hat or CentOS distribution.

    Software Downloads

    SOGo can be installed using the yum utility. To do so, first create the /etc/yum.repos.d/inverse.repo configuration file with the following content:

        [SOGo]
        name=Inverse SOGo Repository
        baseurl=http://inverse.ca/downloads/SOGo/RHEL6/$basearch
        gpgcheck=0

    Some of the software on which SOGo depends is available from the repository of RepoForge (previously known as RPMforge). To add RepoForge to your packages sources, download and install the appropriate RPM package from http://packages.sw.be/rpmforge-release/. Also make sure you enabled the "rpmforge-extras" repository.

    For more information on using RepoForge, visit http://repoforge.org/use/.

    Software Installation

    Once the yum configuration file has been created, you are now ready to install SOGo and its dependencies. To do so, proceed with the following command:

        yum install sogo

    This will install SOGo and its dependencies such as GNUstep, the SOPE packages and memcached. Once the base packages are installed, you need to install the proper database connector suitable for your environment. You need to install sope49-gdl1-postgresql for the PostgreSQL database system, sope49-gdl1-mysql for MySQL or sope49-gdl1-oracle for Oracle. The installation command will thus look like this:

        yum install sope49-gdl1-postgresql

    Once completed, SOGo will be fully installed on your server. You are now ready to configure it.

  • Chapter 5

    Configuration

    In this section, you'll learn how to configure SOGo to use your existing LDAP, SMTP and database servers. As previously mentioned, we assume that those components run on the same server on which SOGo is being installed. If this is not the case, please adjust the configuration parameters to reflect those changes.

    GNUstep Environment Overview

    SOGo makes use of the GNUstep environment. GNUstep is a free software implementation of the OpenStep specification which provides many facilities for building all types of server and desktop applications. Among those facilities, there is a configuration API similar to the "Registry" paradigm in Microsoft Windows. In OpenSTEP, GNUstep and Mac OS X, these are called the "user defaults".

    In SOGo, the user's applications settings are stored in /etc/sogo/sogo.conf. You can use your favourite text editor to modify the file.

    The sogo.conf file is a serialized property list. This simple format encapsulates four basic data types: arrays, dictionaries (or hashes), strings and numbers. Numbers are represented as-is, except for booleans which can take the unquoted values YES and NO. Strings are not mandatorily quoted, but doing so will spare you many problems. A dictionary is a sequence of key and value pairs separated in their middle with a = sign. It starts with a { and ends with a corresponding }. Each value definition in a dictionary ends with a semicolon. An array is a chain of values starting with ( and ending with ), where the values are separated with a ,. Also, the file generally follows a C-style indentation for clarity but this indentation is not required, only recommended. Block comments are delimited by /* and */ and can span multiple lines while line comments must start with //.
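
    The format described above can be read with a small recursive-descent parser, which is useful for checking a sogo.conf before restarting the service. This is an added example, not code from the SOGo project: the names parse_sogo_conf, tokenize and SAMPLE are hypothetical, and it handles only the subset of the property-list syntax described in the paragraph above.

```python
import re

# One token per match: skipped whitespace or comment, punctuation, a quoted
# string, or a bare (unquoted) word such as YES, 3 or ldap://127.0.0.1:389.
_TOKEN = re.compile(r'''
    \s+ | //[^\n]* | /\*.*?\*/
  | (?P<punct>[{}()=;,])
  | "(?P<quoted>(?:\\.|[^"\\])*)"
  | (?P<bare>[^\s{}()=;,"]+)
''', re.VERBOSE | re.DOTALL)

def tokenize(text):
    """Return (kind, text) tokens; whitespace and comments are dropped."""
    tokens, pos = [], 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # for example a quoted string that is never closed
            raise ValueError(f"cannot tokenize at offset {pos}")
        pos = m.end()
        if m.group("punct"):
            tokens.append(("punct", m.group("punct")))
        elif m.group("quoted") is not None:
            tokens.append(("str", re.sub(r"\\(.)", r"\1", m.group("quoted"))))
        elif m.group("bare"):
            tokens.append(("bare", m.group("bare")))
    return tokens

def _scalar(kind, text):
    """Unquoted YES/NO become booleans, unquoted integers become ints."""
    if kind == "bare" and text in ("YES", "NO"):
        return text == "YES"
    if kind == "bare" and re.fullmatch(r"-?\d+", text):
        return int(text)
    return text

def parse_sogo_conf(text):
    """Parse property-list text into nested dict/list/str/int/bool values."""
    tokens, pos = tokenize(text), 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of input, wanted {expected or 'a value'}")
        kind, tok = tokens[pos]
        if expected is not None and (kind, tok) != ("punct", expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        pos += 1
        return kind, tok

    def at(punct):
        return pos < len(tokens) and tokens[pos] == ("punct", punct)

    def value():
        kind, tok = take()
        if (kind, tok) == ("punct", "{"):   # dictionary: key = value; ...
            result = {}
            while not at("}"):
                key_kind, key = take()
                if key_kind == "punct":
                    raise ValueError(f"expected a key, got {key!r}")
                take("=")
                result[key] = value()
                take(";")
            take("}")
            return result
        if (kind, tok) == ("punct", "("):   # array: value, value, ...
            items = []
            while not at(")"):
                items.append(value())
                if not at(")"):
                    take(",")
            take(")")
            return items
        if kind == "punct":
            raise ValueError(f"unexpected {tok!r}")
        return _scalar(kind, tok)

    result = value()
    if pos != len(tokens):
        raise ValueError(f"trailing data starting at {tokens[pos][1]!r}")
    return result

# Constructed sample that reuses values shown in this guide.
SAMPLE = r'''
{
  /* block comment */
  WOWorkersCount = 3;
  WOPort = "127.0.0.1:20000";
  SOGoPasswordChangeEnabled = NO;  // booleans are unquoted YES or NO
  SOGoCalendarDefaultRoles = ("ObjectCreator", "PublicViewer");
  SOGoUserSources = (
    { type = ldap; hostname = "ldap://127.0.0.1:389"; canAuthenticate = YES; }
  );
}
'''
```

    A string whose closing quote is missing makes tokenize raise ValueError, which catches one of the problems that quoting mistakes cause before the file is deployed.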

    Preferences Hierarchy

    SOGo supports domain names segregation, meaning that you can separate multiple groups of users within one installation of SOGo. A user associated to a domain is limited to access only the users data from the same domain. Consequently, the configuration parameters of SOGo are defined on three levels:

    Each level inherits the preferences of the parent level. Therefore, domain preferences define the default values of the user preferences, and the system preferences define the default values of all domains preferences. Both system and domains preferences are defined in the /etc/sogo/sogo.conf, while the users preferences are configurable by the user and stored in SOGo's database.

    To identify the level in which each parameter can be defined, we use the following abbreviations in the tables of this document:

    S  Parameter exclusive to the system and not configurable per domain
    D  Parameter exclusive to a domain and not configurable per user
    U  Parameter configurable by the user

    Remember that the hierarchy paradigm allows the default value of a parameter to be defined at a parent level.

    General Preferences

    The following table describes the general parameters that can be set:

    S  WOWorkersCount
       The amount of instances of SOGo that will be spawned to handle multiple requests simultaneously. When started from the init script, that amount is overridden by the PREFORK value in /etc/sysconfig/sogo or /etc/default/sogo. A value of 3 is a reasonable default for low usage. The maximum value depends on the CPU and IO power provided by your machine: a value set too high will actually decrease performance under high load.

       Defaults to 1 when unset.

    S  WOListenQueueSize
       This parameter controls the backlog size of the socket listen queue. For large-scale deployments, this value must be adjusted in case all workers are busy and the parent process receives lots of incoming connections.

       Defaults to 5 when unset.

    S  WOPort
       The TCP listening address and port used by the SOGo daemon. The format is ipaddress:port.

       Defaults to 127.0.0.1:20000 when unset.

    S  WOLogFile
       The file path where to log messages. Specify - to log to the console.

       Defaults to /var/log/sogo/sogo.log.

    S  WOPidFile
       The file path where the parent process id will be written.

       Defaults to /var/run/sogo/sogo.pid.

    S  WOWatchDogRequestTimeout
       This parameter specifies the number of minutes after which a busy child process will be killed by the parent process.

       Defaults to 10 (minutes).

       Do not set this too low as child processes replying to clients on a slow internet connection could be killed prematurely.

    S  SxVMemLimit
       Parameter used to set the maximum amount of memory (in megabytes) that a child can use. Reaching that value will force children processes to restart, in order to preserve system memory.

       Defaults to 384.

    S  SOGoMemcachedHost
       Parameter used to set the hostname and optionally the port of the memcached server.

       A path can also be used if the server must be reached via a Unix socket.

       Defaults to localhost.

       See memcached_servers_parse(3) for details on the syntax.

    S  SOGoCacheCleanupInterval
       Parameter used to set the expiration (in seconds) of each object in the cache.

       Defaults to 300.

    S  SOGoAuthenticationType
       Parameter used to define the way by which users will be authenticated. For C.A.S., specify cas. For SAML2, specify saml2. For anything else, leave that value empty.

    S  SOGoTrustProxyAuthentication
       Parameter used to set whether HTTP username should be trusted.

       Defaults to NO when unset.

    S  SOGoEncryptionKey
       Parameter used to define a key to encrypt the passwords of remote Web calendars when SOGoTrustProxyAuthentication is enabled.

    S  SOGoCASServiceURL
       When using C.A.S. authentication, this specifies the base url for reaching the C.A.S. service. This will be used by SOGo to deduce the proper login page as well as the other C.A.S. services that SOGo will use.

    S  SOGoCASLogoutEnabled
       Boolean value indicating whether the "Logout" link is enabled when using C.A.S. as authentication mechanism.

       The "Logout" link will end up calling SOGoCASServiceURL/logout to terminate the client's single sign-on C.A.S. session.

    S  SOGoAddressBookDAVAccessEnabled
       Parameter controlling WebDAV access to the Contacts collections. This can be used to deny access to these resources from Lightning for example.

       Defaults to YES when unset.

    S  SOGoCalendarDAVAccessEnabled
       Parameter controlling WebDAV access to the Calendar collections.

       This can be used to deny access to these resources from Lightning for example.

       Defaults to YES when unset.

    S  SOGoSAML2PrivateKeyLocation
       The location of the SSL private key file on the filesystem that is used by SOGo to sign and encrypt communications with the SAML2 identity provider. This file must be generated for each running SOGo service (rather than host).

    S  SOGoSAML2CertiticateLocation
       The location of the SSL certificate file. This file must be generated for each running SOGo service.

    S  SOGoSAML2IdpMetadataLocation
       The location of the metadata file that describes the services available on the SAML2 identity provider.

    S  SOGoSAML2IdpPublicKeyLocation
       The location of the SSL public key file on the filesystem that is used by SOGo to sign and encrypt communications with the SAML2 identity provider. This file should be part of the setup of your identity provider.

    S  SOGoSAML2IdpCertificateLocation
       The location of the SSL certificate file. This file should be part of the setup of your identity provider.

    S  SOGoSAML2LogoutEnabled
       Boolean value indicating whether the "Logout" link is enabled when using SAML2 as authentication mechanism.

    D  SOGoTimeZone
       Parameter used to set a default time zone for users. The default time zone is set to UTC. The Olson database is a standard database that takes all the time zones around the world into account and represents them along with their history. On GNU/Linux systems, time zone definition files are available under /usr/share/zoneinfo. Listing the available files will give you the name of the available time zones. This could be America/New_York, Europe/Berlin, Asia/Tokyo or Africa/Lubumbashi.

       In our example, we set the time zone to America/Montreal.

    D  SOGoMailDomain
       Parameter used to set the default domain name used by SOGo. SOGo uses this parameter to build the list of valid email addresses for users.

       In our example, we set the default domain to acme.com.

    D  SOGoAppointmentSendEMailNotifications
       Parameter used to set whether SOGo sends or not email notifications to meeting participants. Possible values are:

       - YES to send notifications
       - NO to not send notifications

       Defaults to NO when unset.

    D  SOGoFoldersSendEMailNotifications
       Same as above, but the notifications are triggered on the creation of a calendar or an address book.

    D  SOGoACLsSendEMailNotifications
       Same as above, but the notifications are sent to the involved users of a calendar or address book's ACLs.

    D  SOGoCalendarDefaultRoles
       Parameter used to define the default roles when giving permissions to a user to access a calendar. Default roles are ignored for public accesses. Must be an array of up to five strings. Each string defining a role for an event category must begin with one of those values:

       - Public
       - Confidential
       - Private

       And each string must end with one of those values:

       - Viewer
       - DAndTViewer
       - Modifier
       - Responder

       The array can also contain one or many of the following strings:

       - ObjectCreator
       - ObjectEraser

       Example: SOGoCalendarDefaultRoles = ("ObjectCreator", "PublicViewer");

       Defaults to no role when unset. Recommended values are PublicViewer and ConfidentialDAndTViewer.

    D  SOGoContactsDefaultRoles
       Parameter used to define the default roles when giving permissions to a user to access an address book. Default roles are ignored for public accesses. Must be an array of one or many of the following strings:

       - ObjectViewer
       - ObjectEditor
       - ObjectCreator
       - ObjectEraser

       Example: SOGoContactsDefaultRoles = ("ObjectEditor");

       Defaults to no role when unset.

    D  SOGoSuperUsernames
       Parameter used to set which usernames require administrative privileges over all the users tables. For example, this could be used to post events in the users calendar without requiring the user to configure his/her ACLs. In this case you will need to specify those superusers usernames like this: SOGoSuperUsernames = (<username1>[, <username2>, ...]);

    U  SOGoLanguage
       Parameter used to set the default language used in the Web interface for SOGo. Possible values are:

       - BrazilianPortuguese
       - Czech
       - Dutch
       - English
       - French
       - German
       - Hungarian
       - Italian
       - Russian
       - Spanish
       - Swedish
       - Welsh

    D  SOGoNotifyOnPersonalModifications
       Parameter used to set whether SOGo sends or not email receipts when someone changes his/her own calendar. Possible values are:

       - YES to send notifications
       - NO to not send notifications

       Defaults to NO when unset. User can overwrite this from the calendar properties window.

    D  SOGoNotifyOnExternalModifications
       Parameter used to set whether SOGo sends or not email receipts when a modification is being done to his/her own calendar by someone else. Possible values are:

       - YES to send notifications
       - NO to not send notifications

       Defaults to NO when unset. User can overwrite this from the calendar properties window.

    D  SOGoLDAPContactInfoAttribute
       Parameter used to specify an LDAP attribute that should be displayed when auto-completing user searches.

    D  SOGoiPhoneForceAllDayTransparency
       When set to YES, this will force all-day events sent over by iPhone OS based devices to be transparent. This means that the all-day events will not be considered during freebusy lookups.

       Defaults to NO when unset.

    S  SOGoEnablePublicAccess
       Parameter used to allow or not your users to share publicly (i.e., requiring no authentication) their calendars and address books.

       Possible values are:

       - YES to allow them
       - NO to prevent them from doing so

       Defaults to NO when unset.

    S  SOGoPasswordChangeEnabled
       Parameter used to allow or not users to change their passwords from SOGo.

       Possible values are:

       - YES to allow them
       - NO to prevent them from doing so

       Defaults to NO when unset.

       For this feature to work properly when authenticating against AD or Samba4, the LDAP connection must use SSL/TLS. Server side restrictions can also cause the password change to fail, in which case SOGo will only log a Constraint violation (0x13) error. These restrictions include password too young, complexity constraints not satisfied, user cannot change password, etc. Also note that Samba has a minimum password age of 1 day by default.

    S  SOGoSupportedLanguages
       Parameter used to configure which languages are available from SOGo's Web interface. Available languages are specified as an array of strings.

       The default value is: ( "Czech", "Welsh", "English", "Spanish", "French", "German", "Italian", "Hungarian", "Dutch", "BrazilianPortuguese", "Polish", "Russian", "Ukrainian", "Swedish" )

    D  SOGoHideSystemEMail
       Parameter used to control if SOGo should hide or not the system email address (UIDFieldName@SOGoMailDomain). This is currently limited to CalDAV (calendar-user-address-set).

       Defaults to NO when unset.

    D  SOGoSearchMinimumWordLength
       Parameter used to control the minimum length to be used for the search string (attendee completion, address book search, etc.) prior to triggering the server-side search operation.

       Defaults to 2 when unset, which means a search operation will be triggered on the 3rd typed character.

    S  SOGoMaximumFailedLoginCount
       Parameter used to control the number of failed login attempts required during SOGoMaximumFailedLoginInterval seconds or more. If conditions are met, the account will be blocked for SOGoFailedLoginBlockInterval seconds since the first failed login attempt.

       Default value is 0, or disabled.

    S  SOGoMaximumFailedLoginInterval
       Number of seconds, defaults to 10.

    S  SOGoFailedLoginBlockInterval
       Number of seconds, defaults to 300 (or 5 minutes). Note that SOGoCacheCleanupInterval must be set to a value equal or higher than SOGoFailedLoginBlockInterval.

    S  SOGoMaximumMessageSubmissionCount
       Parameter used to control the number of email messages a user can send from SOGo's webmail interface, to SOGoMaximumRecipientCount, in SOGoMaximumSubmissionInterval seconds or more. If conditions are met or exceeded, the user won't be able to send mails for SOGoMessageSubmissionBlockInterval seconds.

       Default value is 0, or disabled.

    S  SOGoMaximumRecipientCount
       Maximum number of recipients. Default value is 0, or disabled.

    S  SOGoMaximumSubmissionInterval
       Number of seconds, defaults to 30.

    S  SOGoMessageSubmissionBlockInterval
       Number of seconds, defaults to 300 (or 5 minutes). Note that SOGoCacheCleanupInterval must be set to a value equal or higher than SOGoFailedLoginBlockInterval.
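
    Two constraints in the table above are easy to miss when only one parameter is changed: SOGoCacheCleanupInterval must not be lower than SOGoFailedLoginBlockInterval, and password changes need an LDAP connection that uses SSL/TLS. The following check is an added example, not part of SOGo: the function names and finding codes are hypothetical, the encrypted URL forms are the ones this guide gives for the hostname parameter of an LDAP source, and applying the SSL/TLS requirement to every LDAP source (the guide states it for AD and Samba4) is an assumption.

```python
# Defaults as stated in the parameter table above.
DEFAULTS = {
    "SOGoMaximumFailedLoginCount": 0,      # 0 means the feature is disabled
    "SOGoFailedLoginBlockInterval": 300,
    "SOGoCacheCleanupInterval": 300,
    "SOGoPasswordChangeEnabled": False,
}


def ldap_endpoint_is_encrypted(url, source):
    """True for ldaps://, a StartTLS URL extension, or the deprecated encryption key."""
    if url.lower().startswith("ldaps://"):
        return True
    # RFC 4516 layout: scheme://host:port/DN?attributes?scope?filter?extensions
    parts = url.split("?")
    extensions = parts[4].split(",") if len(parts) > 4 else []
    if any(ext.lstrip("!").split("=")[0].lower() == "starttls" for ext in extensions):
        return True
    return str(source.get("encryption", "")).upper() in ("SSL", "STARTTLS")


def audit(conf):
    """Return (code, detail) findings for a sogo.conf given as a Python dict."""
    def setting(key):
        return conf.get(key, DEFAULTS[key])

    findings = []
    block = setting("SOGoFailedLoginBlockInterval")
    cache = setting("SOGoCacheCleanupInterval")
    if setting("SOGoMaximumFailedLoginCount") == 0:
        findings.append(("LOGIN_BLOCK_DISABLED", "SOGoMaximumFailedLoginCount is 0"))
    elif cache < block:
        findings.append(("CACHE_SHORTER_THAN_BLOCK",
                         f"SOGoCacheCleanupInterval={cache} < "
                         f"SOGoFailedLoginBlockInterval={block}"))
    if setting("SOGoPasswordChangeEnabled"):
        for source in conf.get("SOGoUserSources", []):
            if source.get("type") != "ldap":
                continue
            # hostname is a space-delimited list of LDAP URLs or host names
            for url in str(source.get("hostname", "")).split():
                if not ldap_endpoint_is_encrypted(url, source):
                    findings.append(("PASSWORD_CHANGE_WITHOUT_TLS",
                                     f"source {source.get('id')}: {url}"))
    return findings


# Constructed configurations, written as the Python values a parsed sogo.conf yields.
WEAK = {
    "SOGoMaximumFailedLoginCount": 5,
    "SOGoFailedLoginBlockInterval": 900,   # cache interval left at its default of 300
    "SOGoPasswordChangeEnabled": True,
    "SOGoUserSources": [
        {"type": "ldap", "id": "directory", "hostname": "ldap://10.0.0.1:389"},
    ],
}
HARDENED = {
    "SOGoMaximumFailedLoginCount": 5,
    "SOGoFailedLoginBlockInterval": 900,
    "SOGoCacheCleanupInterval": 900,
    "SOGoPasswordChangeEnabled": True,
    "SOGoUserSources": [
        {"type": "ldap", "id": "directory",
         "hostname": "ldaps://10.0.0.1 ldap://10.0.0.2/????!StartTLS"},
    ],
}

if __name__ == "__main__":
    for code, detail in audit(WEAK):
        print(code, detail)
```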

    Authentication using LDAP

    SOGo can use a LDAP server to authenticate users and, if desired, to provide global address books. SOGo can also use an SQL backend for this purpose (see the section Authentication using SQL later in this document). Insert the following text into your configuration file to configure an authentication and global address book using an LDAP directory server:

        SOGoUserSources = (
          {
            type = ldap;
            CNFieldName = cn;
            IDFieldName = uid;
            UIDFieldName = uid;
            IMAPHostFieldName = mailHost;
            baseDN = "ou=users,dc=acme,dc=com";
            bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
            bindPassword = qwerty;
            canAuthenticate = YES;
            displayName = "Shared Addresses";
            hostname = "ldap://127.0.0.1:389";
            id = public;
            isAddressBook = YES;
          }
        );

    In our example, we use a LDAP server running on the same host where SOGo is being installed.

    You can also, using the filter attribute, restrict the results to match various criteria. For example, you could define, in your .GNUstepDefaults file, the following filter to return only entries belonging to the organization Inverse with a mail address and not inactive:

        filter = "(o='Inverse' AND mail='*' AND status <> 'inactive')";

    Since LDAP sources can serve as user repositories for authentication as well as address books, you can specify the following for each source to make them appear in the address book module:

        displayName = "";
        isAddressBook = YES;

    For certain LDAP sources, SOGo also supports indirect binds for user authentication. Here is an example:

        SOGoUserSources = (
          {
            type = ldap;
            CNFieldName = cn;
            IDFieldName = cn;
            UIDFieldName = sAMAccountName;
            baseDN = "cn=Users,dc=acme,dc=com";
            bindDN = "cn=sogo,cn=Users,dc=acme,dc=com";
            bindFields = (sAMAccountName);
            bindPassword = qwerty;
            canAuthenticate = YES;
            displayName = "Active Directory";
            hostname = "ldap://10.0.0.1:389";
            id = directory;
            isAddressBook = YES;
          }
        );

    In this example, SOGo will use an indirect bind by first determining the user DN. That value is found by doing a search on the fields specified in bindFields. Most of the time, there will be only one field but it is possible to specify more in the form of an array (for example, bindFields = (sAMAccountName, cn)). When using multiple fields, only one of the fields needs to match the login name. In the above example, when a user logs in, the login will be checked against the sAMAccountName entry in all the user cards, and once this card is found, the user DN of this card will be used for checking the user's password.

    Finally, SOGo supports LDAP-based groups. Groups must be defined like any other authentication sources (i.e., canAuthenticate must be set to YES and a group must have a valid email address). In order for SOGo to determine if a specific LDAP entry is a group, SOGo will look for one of the following objectClass attributes:

    - group
    - groupOfNames
    - groupOfUniqueNames
    - posixGroup

    You can set ACLs based on group membership and invite a group to a meeting (and the group will be decomposed to its list of members upon save by SOGo). You can also control the visibility of the group from the list of shared address books or during mail autocompletion by setting the isAddressBook parameter to YES or NO. The following LDAP entry shows how a typical group is defined:

        dn: cn=inverse,ou=groups,dc=inverse,dc=ca
        objectClass: groupOfUniqueNames
        objectClass: top
        objectClass: extensibleObject
        uniqueMember: uid=alice,ou=users,dc=inverse,dc=ca
        uniqueMember: uid=bernard,ou=users,dc=inverse,dc=ca
        uniqueMember: uid=bob,ou=users,dc=inverse,dc=ca
        cn: inverse
        structuralObjectClass: groupOfUniqueNames
        mail: [email protected]

    The corresponding SOGoUserSources entry to handle groups like this one would be:

        {
          type = ldap;
          CNFieldName = cn;
          IDFieldName = cn;
          UIDFieldName = cn;
          baseDN = "ou=groups,dc=inverse,dc=ca";
          bindDN = "cn=sogo,ou=services,dc=inverse,dc=ca";
          bindPassword = zot;
          canAuthenticate = YES;
          displayName = "Inverse Groups";
          hostname = "ldap://127.0.0.1:389";
          id = inverse_groups;
          isAddressBook = YES;
        }

    The following table describes the possible parameters related to a LDAP source:

    D  SOGoUserSources
       Parameter used to set the LDAP and/or SQL sources used for authentication and global address books. Multiple sources can be specified as an array of dictionaries. A dictionary that defines an LDAP source can contain the following values:

       type
           The type of this user source, set to ldap for an LDAP source.

       id
           The identification name of the LDAP repository. This must be unique even when using multiple domains.

       CNFieldName
           The field that returns the complete name.

       IDFieldName
           The field that starts a user DN if bindFields is not used. This field must be unique across the entire SOGo domain.

       UIDFieldName
           The field that returns the login name of a user.

           The returned value must be unique across the whole SOGo installation since it is used to identify the user in the folder_info database table.

       MailFieldNames
           An array of fields that returns the user's email addresses (defaults to mail when unset).

       SearchFieldNames
           An array of fields to match against the search string when filtering users (defaults to sn, displayName, and telephoneNumber when unset).

       IMAPHostFieldName (optional)
           The field that returns either an URI to the IMAP server as described for SOGoIMAPServer, or a simple server hostname that would be used as a replacement for the hostname part in the URI provided by the SOGoIMAPServer parameter.

       IMAPLoginFieldName (optional)
           The field that returns the IMAP login name for the user (defaults to the value of UIDFieldName when unset).

       SieveHostFieldName (optional)
           The field that returns either an URI to the SIEVE server as described for SOGoSieveServer, or a simple server hostname that would be used as a replacement for the hostname part in the URI provided by the SOGoSieveServer parameter.

       baseDN
           The base DN of your user entries.

       KindFieldName (optional)
           If set, SOGo will try to determine if the value of the field corresponds to either "group", "location" or "thing". If that's the case, SOGo will consider the returned entry to be a resource.

           For LDAP-based sources, SOGo can also automatically determine if it's a resource if the entry has the calendarresource objectClass set.

       MultipleBookingsFieldName (optional)
           The value of this attribute is the maximum number of concurrent events to which a resource can be part of at any point in time.

           If this is set to 0, or if the attribute is missing, it means no limit.

    filter(optional) ThefiltertouseforLDAPqueries,itshouldbedefinedasanEOQualifier.Thefollowingopera-torsaresupported:

    inequalityoperator =equalityoperator

    MultiplequalifierscanbejoinedbyusingORandAND,theycanalsobegroupedtogetherbyusingparenthesis.Attributevaluesshouldbequotedtoavoidunexpectedbehaviour.

    Forexample:filter ="(objectClass='mailUser' ORobjectClass='mailGroup') AND

  • Chapter5

    Configuration 22

    accountStatus='active' AND uid 'al-ice'";

    scope (optional) Either BASE, ONE or SUB.

    bindDN The DN of the login name to use for binding to your server.

    bindPassword Its password.

    bindAsCurrentUser If set to YES, SOGo will always keep binding to the LDAP server using the DN of the currently authenticated user. If bindFields is set, bindDN and bindPassword will still be required to find the proper DN of the user.

    bindFields (optional) An array of fields to use when doing indirect binds.

    hostname A space-delimited list of LDAP URLs or LDAP hostnames.

    LDAP URLs are specified in RFC 4516 and have the following general format:

    scheme://host:port/DN?attributes?scope?filter?extensions

    Note that SOGo doesn't currently support DN, attributes, scope and filter in such URLs. Using them may have undefined side effects.

    URL examples:

    ldap://127.0.0.1:3389
    ldaps://127.0.0.1
    ldap://127.0.0.1/????!StartTLS

    port (deprecated) Port number of the LDAP server.

    A non-default port should be part of the LDAP URL in the hostname parameter.

    encryption (deprecated) Either SSL or STARTTLS.

    SSL should be specified as ldaps:// in the LDAP URL. STARTTLS should be specified as an LDAP extension in the LDAP URL (e.g. ldap://127.0.0.1/????!StartTLS).

    userPasswordAlgorithm The algorithm used for password encryption when changing passwords without Password Policies enabled.

    Possible values are: none, plain, crypt, md5, md5-crypt, smd5, cram-md5 and sha, sha256, sha512 and its ssha (e.g. ssha or ssha256) variants (plus setting of the encoding with .b64 or .hex).

    For a more detailed description see http://wiki.dovecot.org/Authentication/PasswordSchemes.

    Note that cram-md5 is not actually using cram-md5 (due to the lack of challenge-response mechanism); it's just saving the intermediate MD5 context as Dovecot stores in its database.

    canAuthenticate If set to YES, this LDAP source is used for authentication.

    passwordPolicy If set to YES, SOGo will use the extended LDAP Password Policies attributes. If your LDAP server does not support those and you activate this feature, every LDAP request will fail.

    isAddressBook If set to YES, this LDAP source is used as a shared address book (with read-only access). Note that if set to NO, autocompletion will not work for entries in this source and thus, free-busy lookups.

    displayName (optional) If set as an address book, the human identification name of the LDAP repository.

    ModulesConstraints (optional) Limits the access of any module through a constraint based on an LDAP attribute; must be a dictionary with keys Mail, and/or Calendar, for example:

    ModulesConstraints = {
      Calendar = {
        ou = employees;
      };
    };

    mapping A dictionary that maps contact attributes used by SOGo to the LDAP attributes used by the schema of the LDAP source. Each entry must have an attribute name as key and an array of strings as value. This enables actual fields to be mapped one after another when fetching contact information.

    See the LDAP Attributes Mapping section below for an example and a list of supported attributes.

    objectClasses When the modifiers list (see below) is set, or when using LDAP-based user address books (see abOU below), this list of object classes will be applied to new records as they are created.

    modifiers A list (array) of usernames that are authorized to perform modifications to the address book defined by this LDAP source.

    abOU This field enables LDAP-based user address books by specifying the value of the address book container beneath each user entry, for example: ou=addressbooks,uid=username,dc=domain.

    The following parameters can be defined along the other keys of each entry of the SOGoUserSources, but can also be defined at the domain and/or system levels:

    D SOGoLDAPContactInfoAttribute Parameter used to specify an attribute that should appear in autocompletion of the web interface.

    D SOGoLDAPQueryLimit Parameter used to limit the number of returned results from the LDAP server whenever SOGo performs an LDAP query (for example, during addresses completion in a shared address book).

    D SOGoLDAPQueryTimeout Parameter to define the timeout of LDAP queries. The actual time limit for operations is also bounded by the maximum time that the server is configured to allow.

    Defaults to 0 (unlimited).
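
    The hostname parameter described above decides whether the bindDN and bindPassword credentials cross the network encrypted. The following check is an added example, not code from SOGo or from this guide: it splits each entry using the RFC 4516 layout quoted above, reports the transport in use, and flags the URL parts the guide says SOGo does not support. The function names, the Endpoint class and the legacy_encryption argument (standing in for the deprecated encryption key) are assumptions made for the example.

```python
from dataclasses import dataclass, field

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}      # standard LDAP / LDAPS ports
URL_PARTS = ("DN", "attributes", "scope", "filter")


@dataclass
class Endpoint:
    raw: str
    host: str
    port: int
    transport: str                               # "ldaps", "starttls" or "plaintext"
    unsupported: list = field(default_factory=list)


def parse_entry(entry, legacy_encryption=None):
    """Parse one item of the space-delimited hostname value."""
    scheme, sep, rest = entry.partition("://")
    if not sep:                                  # bare hostname, not a URL
        scheme, rest = "ldap", entry
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {entry!r}")

    hostport, _, tail = rest.partition("/")
    if hostport.startswith("["):                 # bracketed IPv6 literal
        host, _, port_text = hostport[1:].partition("]")
        port_text = port_text.lstrip(":")
    else:
        host, _, port_text = hostport.partition(":")
    port = int(port_text) if port_text else DEFAULT_PORTS[scheme]

    # RFC 4516 tail: DN?attributes?scope?filter?extensions
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))
    unsupported = [name for name, value in zip(URL_PARTS, parts) if value]
    # Extensions are comma-separated; a leading "!" marks one as critical.
    extensions = {e.lstrip("!").split("=", 1)[0].lower()
                  for e in parts[4].split(",") if e}

    if scheme == "ldaps" or legacy_encryption == "SSL":
        transport = "ldaps"
    elif "starttls" in extensions or legacy_encryption == "STARTTLS":
        transport = "starttls"
    else:
        transport = "plaintext"
    return Endpoint(entry, host, port, transport, unsupported)


def audit_hostname(value, legacy_encryption=None):
    """Return one Endpoint per entry of a hostname value."""
    return [parse_entry(e, legacy_encryption) for e in value.split()]


def findings(value, legacy_encryption=None):
    """Human-readable issues for a hostname value."""
    issues = []
    for ep in audit_hostname(value, legacy_encryption):
        if ep.transport == "plaintext":
            issues.append(f"{ep.raw}: bind credentials are sent unencrypted")
        if ep.unsupported:
            issues.append(f"{ep.raw}: unsupported URL parts: "
                          + ", ".join(ep.unsupported))
    return issues


if __name__ == "__main__":
    # The three URL examples from the guide, plus a constructed bare hostname.
    sample = ("ldap://127.0.0.1:3389 ldaps://127.0.0.1 "
              "ldap://127.0.0.1/????!StartTLS localhost")
    for ep in audit_hostname(sample):
        print(f"{ep.raw:35} {ep.host}:{ep.port:<5} {ep.transport}")
    for line in findings(sample):
        print("WARN", line)
```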

    LDAP Attributes Indexing

    To ensure proper performance of the SOGo application, the following LDAP attributes must be fully indexed:

    givenName

    cn

    mail

    sn

    Please refer to the documentation of the software you use in order to index those attributes.

    LDAP Attributes Mapping

    Some LDAP attributes are mapped to contact attributes in the SOGo UI. The table below lists most of them. It is possible to override these by using the mapping configuration parameter.

    For example, if the LDAP schema uses the fax attribute to store the fax number, one could map it to the facsimiletelephonenumber attribute like this:

    mapping = {
      facsimiletelephonenumber = ("fax", "facsimiletelephonenumber");
    };

    Name

    First               givenName
    Last                sn
    Display Name        displayName or cn or givenName + sn
    Nickname            mozillanickname

    Internet

    Email               mail
    Secondary email     mozillasecondemail
    Screen Name         nsaimid

    Phones

    Work                telephoneNumber
    Home                homephone
    Mobile              mobile
    Fax                 facsimiletelephonenumber
    Pager               pager

    Home

    Address             mozillahomestreet + mozillahomestreet2
    City                mozillahomelocalityname
    State/Province      mozillahomestate
    Zip/Postal Code     mozillahomepostalcode
    Country             mozillahomecountryname
    Web page            mozillahomeurl

    Work

    Title               title
    Department          ou
    Organization        o
    Address             street + mozillaworkstreet2
    City                l
    State/Province      st
    Zip/Postal Code     postalCode
    Country             c
    Web page            mozillaworkurl

    Other

    Birthday            birthyear-birthmonth-birthday
    Note                description

    Authenticating using C.A.S.

    SOGo natively supports C.A.S. authentication. For activating C.A.S. authentication you need first to make sure that the SOGoAuthenticationType setting is set to cas and that the SOGoCASServiceURL setting is configured appropriately.

    The tricky part shows up when using SOGo as a frontend interface to an IMAP server, as this imposes constraints needed by the C.A.S. protocol to ensure secure communication between the different services. Failing to take those precautions will prevent users from accessing their mails, while still granting basic authentication to SOGo itself.

    The first constraint is that the number of workers that SOGo uses must be higher than 1 in order to enable the C.A.S. service to perform some validation requests during IMAP authentication. A single worker alone would not, by definition, be able to respond to the C.A.S. requests while treating the user request that required the triggering of those requests. You must therefore configure the WOWorkersCount setting appropriately.

    The second constraint is that the SOGo service must be accessible and accessed via https. Moreover, the certificate used by the SOGo server has to be recognized and trusted by the C.A.S. service. In the case of a certificate issued by a third-party authority, there should be nothing to worry about. In the case of a self-signed certificate, the certificate must be registered in the trusted keystore of the C.A.S. application. The procedure to achieve this can be summarized as importing the certificate in the proper "keystore" using the keytool utility and specifying the path for that keystore to the Tomcat instance which provides the C.A.S. service. This is done by tweaking the javax.net.ssl.trustStore setting, either in the catalina.properties file or in the command-line parameters. On Debian, the SOGo certificate can also be added to the truststore as follows:

    openssl x509 -in /etc/ssl/certs/sogo-cert.pem -outform DER \
      -out /tmp/sogo-cert.der
    keytool -import -keystore /etc/ssl/certs/java/cacerts \
      -file /tmp/sogo-cert.der -alias sogo-cert
    # The keystore password is 'changeit'
    # tomcat must be restarted after this operation

    The certificate used by the CAS server must also be trusted by SOGo. In case of a self-signed certificate, this means exporting tomcat's certificate using the keytool utility, converting it to PEM format and appending it to the ca-certificates.crt file (the name and location of that file differs between distributions). Basically:

    # export tomcat's cert to openssl format
    keytool -keystore /etc/tomcat7/keystore -exportcert -alias tomcat | \
      openssl x509 -inform der >tomcat.pem

    Enter keystore password: tomcat

    # add the pem to the trusted certs
    cp tomcat.pem /etc/ssl/certs
    cat tomcat.pem >>/etc/ssl/certs/ca-certificates.crt

    If any of those constraints is not satisfied, the webmail interface of SOGo will display an empty email account. Unfortunately, SOGo has no way to detect which one is the cause of the problem. The only indicators are log messages that at least pinpoint the symptoms:

    "failure to obtain a PGT from the C.A.S. service"

    Such an error will show up during authentication of the user to SOGo. It happens when the authentication service has accepted the user authentication ticket but has not returned a "Proxy Granting Ticket".

    "a CAS failure occurred during operation."

    This error indicates that an attempt was made to retrieve an authentication ticket for a third-party service such as IMAP or sieve. Most of the time, this happens as a consequence of the problem described above. To troubleshoot these issues, one should be tailing cas.log, pam logs and sogo logs.

    Currently, SOGo will ask for a CAS ticket using the same CAS service name for both IMAP and Sieve. When CASifying sieve, this means that the -s parameter of pam_cas should be the same for both IMAP and Sieve, otherwise the CAS server will complain:

    ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket[ST-31740-hoV1brhhwMNfnBkSMVUw-ocas] with service [imap://myimapserverdoes not match supplied service [sieve://mysieveserver:2000]

    Finally, when using imapproxy to speed up the IMAP accesses, the SOGoIMAPCASServiceName should be set to the actual imap service name expected by pam_cas, otherwise it will fail to authenticate incoming connections properly.

    Authenticating using SAML2

    SOGo natively supports SAML2 authentication. Please refer to the documentation of your identity provider and the SAML2 configuration keys that are listed above for proper setup. Once a SOGo instance is configured properly, the metadata for that instance can be retrieved from http:///SOGo/saml2-metadata for registration with the identity provider.

    In order to relay authentication information to your IMAP server and if you make use of the CrudeSAML SASL plugin, you need to make sure that NGImap4AuthMechanism is configured to use the SAML mechanism. If you make use of the CrudeSAML PAM plugin, this value may be left empty.

    Database Configuration

    SOGo requires a relational database system in order to store appointments, tasks and contacts information. It also uses the database system to store personal preferences of SOGo users. In this guide, we assume you use PostgreSQL, so the commands provided to create the database are related to this application. However, other database servers are supported, such as MySQL and Oracle.

    First, make sure that your PostgreSQL server has TCP/IP connections support enabled.

    Create the database user and schema using the following commands:

    su - postgres
    createuser --no-superuser --no-createdb --no-createrole \
      --encrypted --pwprompt sogo
    (specify sogo as password)
    createdb -O sogo sogo

    You should then adjust the access rights to the database. To do so, modify the configuration file /var/lib/pgsql/data/pg_hba.conf in order to add the following line at the very beginning of the file:

    host sogo sogo 127.0.0.1/32 md5

    Once added, restart the PostgreSQL database service. Then, modify the SOGo configuration file (/etc/sogo/sogo.conf) to reflect your database settings:

    SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
    OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";

    The following table describes the parameters that were set:

    D SOGoProfileURL Parameter used to set the database URL so that SOGo can retrieve user profiles.

    For MySQL, set the database URL to something like: mysql://sogo:sogo@localhost:3306/sogo/sogo_user_profile.

    D OCSFolderInfoURL Parameter used to set the database URL so that SOGo can retrieve the location of user folders (address books and calendars).

    For Oracle, set the database URL to something like: oracle://sogo:sogo@localhost:1526/sogo/sogo_folder_info.

    D OCSSessionsFolderURL Parameter used to set the database URL so that SOGo can store and retrieve secured user sessions information. For PostgreSQL, the database URL could be set to something like: postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder.

    D OCSEMailAlarmsFolderURL Parameter used to set the database URL for email-based alarms (that can be set on events and tasks). This parameter is relevant only if SOGoEnableEMailAlarms is set to YES. For PostgreSQL, the database URL could be set to something like: postgresql://sogo:sogo@localhost:5432/sogo/sogo_alarms_folder

    See the "EMail reminders" section in this document for more information.

    If you're using MySQL, make sure in your my.cnf file you have:

    [mysqld]
    ...
    character_set_server=utf8
    character_set_client=utf8

    [client]
    default-character-set=utf8

    [mysql]
    default-character-set=utf8

    Authentication using SQL

    SOGo can use a SQL-based database server for authentication. The configuration is very similar to LDAP-based authentication.

    The following table describes all the possible parameters related to a SQL source:

    SOGoUserSources Parameter used to set the SQL and/or LDAP sources used for authentication and global address books. Multiple sources can be specified as an array of dictionaries. A dictionary that defines a SQL source can contain the following values:

    type The type of this user source, set to sql for a SQL source.

    id The identification name of the SQL repository. This must be unique even when using multiple domains.

    D

    viewURL Database URL of the view used by SOGo. The view expects columns to be present. Required columns are:

    c_uid: will be used for authentication; it's the username or username@domain.tld

    c_name: will be used to uniquely identify entries, which can be identical to c_uid

    c_password: password of the user, plain text, crypt, md5 or sha encoded

    c_cn: the user's common name

    mail: the user's email address

    Other columns can exist and will actually be mapped automatically if they have the same name as popular LDAP attributes (such as givenName, sn, department, title, telephoneNumber, etc.).

    userPasswordAlgorithm The default algorithm used for password encryption when changing passwords. Possible values are: none, plain, crypt, md5, md5-crypt, smd5, cram-md5, ldap-md5, and sha, sha256, sha512 and its ssha (e.g. ssha or ssha256) variants. Passwords can have the scheme prepended in the form {scheme}encryptedPass.

    If no scheme is given, userPasswordAlgorithm is used instead. The schemes listed above follow the algorithms described in http://wiki.dovecot.org/Authentication/PasswordSchemes.

    Note that cram-md5 is not actually using cram-md5 (due to the lack of challenge-response mechanism); it's just saving the intermediate MD5 context as Dovecot stores in its database.

    prependPasswordScheme The default behaviour is to store newly set passwords without the scheme (default: NO). This can be overridden by setting to YES and will result in passwords stored as {scheme}encryptedPass.

    canAuthenticate If set to YES, this SQL source is used for authentication.

    isAddressBook If set to YES, this SQL source is used as a shared address book (with read-only access). Note that if set to NO, autocompletion will not work for entries in this source and thus, free-busy lookups.

    authenticationFilter (optional) A filter that limits which users can authenticate from this source.

    displayName (optional) If set as an address book, the human identification name of the SQL repository.

    LoginFieldNames (optional) An array of fields that specifies the column names that contain valid authentication usernames (defaults to c_uid when unset).

    MailFieldNames (optional) An array of fields that specifies the column names that hold additional email addresses (beside the mail column) for each user.

    IMAPHostFieldName (optional) The field that returns the IMAP hostname for the user.

    IMAPLoginFieldName (optional) The field that returns the IMAP login name for the user (defaults to c_uid when unset).

    SieveHostFieldName (optional) The field that returns the Sieve hostname for the user.

    KindFieldName (optional) If set, SOGo will try to determine if the value of the field corresponds to either "group", "location" or "thing". If that's the case, SOGo will consider the returned entry to be a resource.

    MultipleBookingsFieldName (optional) The value of this field is the maximum number of concurrent events to which a resource can be part of at any point in time.

    If this is set to 0, or if the attribute is missing, it means no limit.

    DomainFieldName (optional) If set, SOGo will use the value of that field as the domain associated to the user.

    See the Multi-domains Configuration section in this document for more information.

    Here is an example of an SQL-based authentication and address book source:

    SOGoUserSources = (
      {
        type = sql;
        id = directory;
        viewURL = "postgresql://sogo:[email protected]:5432/sogo/sogo_view";
        canAuthenticate = YES;
        isAddressBook = YES;
        userPasswordAlgorithm = md5;
      }
    );

    Certain database columns must be present in the view/table, such as:

    c_uid: will be used for authentication; it's the username or username@domain.tld

    c_name: which can be identical to c_uid, will be used to uniquely identify entries

    c_password: password of the user, plain-text, md5 or sha encoded for now

    c_cn: the user's common name, such as "John Doe"

    mail: the user's mail address

    Note that groups are currently not supported for SQL-based authentication sources.
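
    The userPasswordAlgorithm and prependPasswordScheme parameters (for both the LDAP and the SQL source) determine what ends up in a column such as c_password. The following is an added example, not code from SOGo or from this guide: it parses the {scheme}encryptedPass form, falls back to a default scheme when no prefix is stored, honours the .b64/.hex encoding suffix, and verifies the sha and ssha families using the digest-then-salt layout of the Dovecot password schemes the guide refers to. Function names are assumptions; the crypt and md5 families are deliberately not covered.

```python
import base64
import hashlib
import hmac
import os

DIGESTS = {"sha": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def split_scheme(stored, default_scheme):
    """Split '{scheme.enc}payload'; use default_scheme when there is no prefix."""
    if stored.startswith("{") and "}" in stored:
        tag, payload = stored[1:].split("}", 1)
    else:
        tag, payload = default_scheme, stored
    scheme, _, encoding = tag.lower().partition(".")
    return scheme, encoding or "b64", payload


def _digest_for(scheme):
    """Return (hash constructor, salted?) for sha*/ssha* scheme names."""
    salted = scheme.startswith("ssha")
    algo = DIGESTS.get(scheme[1:] if salted else scheme)
    if algo is None:
        raise ValueError(f"scheme {scheme!r} is not covered by this example")
    return algo, salted


def make_hash(password, scheme="ssha256", encoding="b64", prepend=True, salt=None):
    """Build a stored value; prepend mirrors prependPasswordScheme = YES."""
    algo, salted = _digest_for(scheme)
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)            # fresh random salt per password
    raw = algo(password.encode() + salt).digest() + salt
    text = raw.hex() if encoding == "hex" else base64.b64encode(raw).decode()
    tag = scheme.upper() + ("" if encoding == "b64" else "." + encoding)
    return ("{" + tag + "}" if prepend else "") + text


def verify(password, stored, default_scheme="ssha256"):
    """Check a candidate password against a stored value."""
    scheme, encoding, payload = split_scheme(stored, default_scheme)
    if scheme == "plain":               # cleartext storage, listed by the guide
        return hmac.compare_digest(payload.encode(), password.encode())
    algo, salted = _digest_for(scheme)
    try:
        if encoding == "hex":
            raw = bytes.fromhex(payload)
        else:
            raw = base64.b64decode(payload, validate=True)
    except ValueError:                  # malformed payload never matches
        return False
    size = algo().digest_size
    if len(raw) < size or (not salted and len(raw) != size):
        return False
    digest, salt = raw[:size], raw[size:]
    expected = algo(password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)   # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values, not taken from any real database.
    salted = make_hash("s3cret")
    print(salted, verify("s3cret", salted))
    unsalted = make_hash("s3cret", scheme="sha256", encoding="hex")
    print(unsalted, verify("s3cret", unsalted))
    # Two users with the same password: identical without salt, different with.
    print(make_hash("s3cret", scheme="sha256") == make_hash("s3cret", scheme="sha256"))
    print(make_hash("s3cret") == make_hash("s3cret"))
```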

    SMTP Server Configuration

    SOGo makes use of a SMTP server to send emails from the Web interface, iMIP/iTIP messages and various notifications.

    The following table describes the related parameters.

    D SOGoMailingMechanism Parameter used to set how SOGo sends mail messages. Possible values are:

    sendmail to use the sendmail binary
    smtp to use the SMTP protocol

    D SOGoSMTPServer The DNS name or IP address of the SMTP server used when SOGoMailingMechanism is set to smtp.

    D SOGoSMTPAuthenticationType Activates SMTP authentication and specifies which type is in use. Currently, only PLAIN is supported and other values will be ignored.

    S WOSendMail The path of the sendmail binary.

    Defaults to /usr/lib/sendmail.

    D SOGoForceExternalLoginWithEmail Parameter used to specify if, when logging into the SMTP server, the primary email address of the user will be used instead of the username. Possible values are:

    YES NO

    Defaults to NO when unset.

    IMAP Server Configuration

    SOGo requires an IMAP server in order to let users consult their email messages, manage their folders and more.

    The following table describes the related parameters.

    U SOGoDraftsFolderName Parameter used to set the IMAP folder name used to store draft messages.

    Defaults to Drafts when unset.

    Use a / as a hierarchy separator if referring to an IMAP subfolder. For example: INBOX/Drafts.

    U SOGoSentFolderName Parameter used to set the IMAP folder name used to store sent messages.

    Defaults to Sent when unset.

    Use a / as a hierarchy separator if referring to an IMAP subfolder. For example: INBOX/Sent.

    U SOGoTrashFolderName Parameter used to set the IMAP folder name used to store deleted messages.

    Defaults to Trash when unset.

    Use a / as a hierarchy separator if referring to an IMAP subfolder. For example: INBOX/Trash.

    D SOGoIMAPCASServiceName Parameter used to set the CAS service name (URL) of the imap service. This is useful if SOGo is connecting to the IMAP service through a proxy. When using pam_cas, this parameter should be set to the same value as the -s argument of the imap pam service.

    D SOGoIMAPServer Parameter used to set the DNS name or IP address of the IMAP server used by SOGo. You can also use SSL or TLS by providing a value using a URL, such as:

    imaps://localhost:993
    imaps://localhost:143/?tls=YES

    D SOGoSieveServer Parameter used to set the DNS name or IP address of the Sieve (managesieve) server used by SOGo. You must use a URL such as:

    sieve://localhost
    sieve://localhost:2000
    sieve://localhost:2000/?tls=YES

    Note that TLS is supported but SSL is not.

    D SOGoSieveFolderEncoding Parameter used to specify which encoding is used for IMAP folder names in Sieve filters. Defaults to "UTF-7". The other possible value is "UTF-8".

    U SOGoMailShowSubscribedFoldersOnly Parameter used to specify if the Web interface should only show subscribed IMAP folders. Possible values are:

    YES NO

    Defaults to NO when unset.

    D SOGoIMAPAclStyle Parameter used to specify which RFC the IMAP server implements with respect to ACLs. Possible values are:

    rfc2086 rfc4314

    Defaults to rfc4314 when unset.

    D SOGoIMAPAclConformsToIMAPExt Parameter used to specify if the IMAP server implements the Internet Message Access Protocol Extension. Possible values are:

    YES NO

    Defaults to NO when unset.

    D SOGoForceExternalLoginWithEmail Parameter used to specify if, when logging into the IMAP server, the primary email address of the user will be used instead of the username. Possible values are:

    YES NO

    Defaults to NO when unset.

    D SOGoMailSpoolPath Parameter used to set the path where temporary email drafts are written. If you change this value, you must also modify the daily cronjob sogo-tmpwatch.

    Defaults to /var/spool/sogo.

    S NGImap4ConnectionStringSeparator Parameter used to set the IMAP mailbox separator. Setting this will also have an impact on the mailbox separator used by Sieve filters.

    The default separator is /.

    S NGImap4AuthMechanism Trigger the use of the IMAP AUTHENTICATE command with the specified SASL mechanism. Please note that this feature might be limited at this time.

    D NGImap4ConnectionGroupIdPrefix Prefix to prepend to names in IMAP ACL transactions, to indicate the name is a group name, not a user name.

    RFC 4314 gives examples where group names are prefixed with $. Dovecot, for one, follows this scheme, and will, for example, apply permissions for $admins to all users in group admins in the absence of specific permissions for the individual user.

    The default prefix is $.

    Web Interface Configuration

    The following additional parameters only affect the Web interface behaviour of SOGo.

    S SOGoPageTitle Parameter used to define the Web page title.

    Defaults to SOGo when unset.

    U SOGoLoginModule Parameter used to specify which module to show after login. Possible values are:

    Calendar Mail Contacts

    Defaults to Calendar when unset.

    S SOGoFaviconRelativeURL Parameter used to specify the relative URL of the site favicon.

    When unset, defaults to the file sogo.ico under the default web resources directory.

    S SOGoZipPath Parameter used to specify the path of the zip binary used to archive messages.

    Defaults to /usr/bin/zip when unset.

    D SOGoSoftQuotaRatio Parameter used to change the quota returned by the IMAP server by multiplying it by the specified ratio. Acts as a soft quota. Example: 0.8.

    U SOGoMailUseOutlookStyleReplies (not currently editable in Web interface)

    Parameter used to set if email replies should use Outlook's style.

    Defaults to NO when unset.

    U SOGoMailListViewColumnsOrder (not currently editable in Web interface)

    Parameter used to specify the default order of the columns from the SOGo webmail interface. The parameter is an array, for example:

    SOGoMailListViewColumnsOrder = (Flagged, Attachment, Priority, From, Subject, Unread, Date, Size);

    D SOGoVacationEnabled Parameter used to activate the edition from the preferences window of a vacation message.

    Requires Sieve script support on the IMAP host.

    Defaults to NO when unset.

    When enabling this parameter, one must also enable the associated cronjob in /etc/cron.d/sogo in order to activate automatic vacation message expiration.

    See the Cronjob Vacation messages expiration section below for details.

    D SOGoForwardEnabled Parameter used to activate the edition from the preferences window of a forwarding email address. Requires Sieve script support on the IMAP host.

    Defaults to NO when unset.

    D SOGoSieveScriptsEnabled Parameter used to activate the edition from the preferences windows of server-side mail filters. Requires Sieve script support on the IMAP host.

    Defaults to NO when unset.

    D SOGoMailPollingIntervals Parameter used to define the mail polling intervals (in minutes) available to the user. The parameter is an array that can contain the following numbers:

    1 2 5 10 20 30 60

    Defaults to the list above when unset.

    U SOGoMailMessageCheck Parameter used to define the mail polling interval at which the IMAP server is queried for new messages. Possible values are:

    manually every_minute every_2_minutes every_5_minutes every_10_minutes every_20_minutes every_30_minutes once_per_hour

    Defaults to manually when unset.

    D SOGoMailAuxiliaryUserAccountsEnabled Parameter used to activate the auxiliary IMAP accounts in SOGo. When set to YES, users can add other IMAP accounts that will be visible from the SOGo Webmail interface.

    Defaults to NO when unset.

    U SOGoDefaultCalendar Parameter used to specify which calendar is used when creating an event or a task. Possible values are:

    selected personal first

    Defaults to selected when unset.

    U SOGoDayStartTime The hour at which the day starts (0 through 12).

    Defaults to 8 when unset.

    U SOGoDayEndTime The hour at which the day ends (12 through 23).

    Defaults to 18 when unset.

    U SOGoFirstDayOfWeek The day at which the week starts in the week and month views (0 through 6). 0 indicates Sunday.

    Defaults to 0 when unset.

    U SOGoFirstWeekOfYear Parameter used to define how the first week of the year is identified. Possible values are:

    January1 First4DayWeek FirstFullWeek

    Defaults to January1 when unset.

    U SOGoTimeFormat The format used to display time in the timeline of the day and week views. Please refer to the documentation for the date command or the strftime C function for the list of available format sequences.

    Defaults to %H:%M.

    U SOGoCalendarCategories Parameter used to define the categories that can be associated to events. This parameter is an array of arbitrary strings.

    Defaults to a list that depends on the language.

    U SOGoCalendarDefaultCategoryColor Parameter used to define the default colour of categories.

    Defaults to #F0F0F0 when unset.

    U SOGoCalendarEventsDefaultClassification Parameter used to define the default classification for new events. Possible values are:

    PUBLIC CONFIDENTIAL PRIVATE

    Defaults to PUBLIC when unset.

    U SOGoCalendarTasksDefaultClassification Parameter used to define the default classification for new tasks. Possible values are:

    PUBLIC CONFIDENTIAL PRIVATE

    Defaults to PUBLIC when unset.

    U SOGoCalendarDefaultReminder Parameter used to define a default reminder for new events. Possible values are:

    -PT5M -PT10M -PT15M -PT30M -PT45M -PT1H -PT2H -PT5H -PT15H -P1D -P2D -P1W

    D SOGoFreeBusyDefaultInterval The number of days to include in the free-busy information. The parameter is an array of two numbers, the first being the number of days prior to the current day and the second being the number of days following the current day.

    Defaults to (7, 7) when unset.

    U SOGoBusyOffHours Parameter used to specify if off-hours should be automatically added to the free-busy information. Off hours include weekends and periods covered between SOGoDayEndTime and SOGoDayStartTime.

    Defaults to NO when unset.

    U SOGoMailMessageForwarding The method by which the message is to be forwarded. Possible values are:

    inline attached

    Defaults to inline when unset.

    U SOGoMailCustomFullName The string to use as full name when composing an email, if SOGoMailCustomFromEnabled is set in the user's domain defaults.

    When unset, the full name specified in the user sources for the user is used instead.

    U SOGoMailCustomEmail The string to use as email address when composing an email, if SOGoMailCustomFromEnabled is set in the user's domain defaults. When unset, the email specified in the user sources for the user is used instead.

    U SOGoMailReplyPlacement The reply placement with respect to the quoted message. Possible values are:

    above below

    Defaults to below.

    U SOGoMailReplyTo The email address to use in the reply-to header field when the user sends a message.

    Ignored when empty.

    U SOGoMailSignaturePlacement The placement of the signature with respect to the quoted message. Possible values are:

    above below

    Defaults to below.

    U SOGoMailComposeMessageType The message composition format. Possible values are:

    text

    html

    Defaults to text.

    S SOGoEnableEMailAlarms Parameter used to enable email-based alarms on events and tasks.

    Defaults to NO when unset.

    For this feature to work correctly, one must also set the OCSEMailAlarmsFolderURL parameter and enable the associated cronjob. See the Cronjob EMail reminders section from this document for more information.

    U SOGoContactsCategories Parameter used to define the categories that can be associated to contacts. This parameter is an array of arbitrary strings.

    Defaults to a list that depends on the language.

    D SOGoUIAdditionalJSFiles Parameter used to define a list of additional JavaScript files loaded by SOGo for all displayed web pages. This parameter is an array of strings corresponding to paths to the arbitrary JavaScript files. The paths are relative to the WebServerResources directory, which is usually found under /usr/lib/GNUstep/SOGo/.

    D SOGoMailCustomFromEnabled Parameter used to allow or not users to specify custom "From" addresses from SOGo's preferences panel.

    Defaults to NO when unset.

    D SOGoSubscriptionFolderFormat Parameter used to set the default formatting of a subscription folder name. Available variables are:

    %{FolderName}

    %{UserName}

    %{Email}

    Defaults to %{FolderName} (%{UserName} ) when unset.

    D SOGoUIxAdditionalPreferences Parameter used to enable an extra preferences tab using the content of the template named UIxAdditionalPreferences.wox. This template should be put under ~sogo/GNUstep/Library/SOGo/Templates/PreferencesUI/.

    Defaults to NO when unset.

    SOGo Configuration Summary

    The complete SOGo configuration file /etc/sogo/sogo.conf should look like this:

    {
      SOGoProfileURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_user_profile";
      OCSFolderInfoURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_folder_info";
      OCSSessionsFolderURL = "postgresql://sogo:sogo@localhost:5432/sogo/sogo_sessions_folder";
      SOGoAppointmentSendEMailNotifications = YES;
      SOGoCalendarDefaultRoles = (
        PublicViewer,
        ConfidentialDAndTViewer
      );
      SOGoLanguage = English;
      SOGoTimeZone = America/Montreal;
      SOGoMailDomain = acme.com;
      SOGoIMAPServer = localhost;
      SOGoDraftsFolderName = Drafts;
      SOGoSentFolderName = Sent;
      SOGoTrashFolderName = Trash;
      SOGoMailingMechanism = smtp;
      SOGoSMTPServer = 127.0.0.1;
      SOGoUserSources = (
        {
          type = ldap;
          CNFieldName = cn;
          IDFieldName = uid;
          UIDFieldName = uid;
          baseDN = "ou=users,dc=acme,dc=com";
          bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
          bindPassword = qwerty;
          canAuthenticate = YES;
          displayName = "Shared Addresses";
          hostname = localhost;
          id = public;
          isAddressBook = YES;
          port = 389;
        }
      );
    }

    Multi-domains Configuration

    If you want your installation to isolate two groups of users, you must define a distinct authentication source for each domain. Following is the same configuration that now includes two domains (acme.com and coyote.com):

    {... domains = { acme = { SOGoMailDomain = acme.com; SOGoDraftsFolderName = Drafts; SOGoUserSources = ( { type = ldap; CNFieldName = cn; IDFieldName = uid; UIDFieldName = uid; baseDN = "ou=users,dc=acme,dc=com"; bindDN = "uid=sogo,ou=users,dc=acme,dc=com"; bindPassword = qwerty; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = localhost; id = public_acme; isAddressBook = YES; port = 389; } ); }; coyote = { SOGoMailDomain = coyote.com; SOGoIMAPServer = imap.coyote.com; SOGoUserSources = ( { type = ldap; CNFieldName = cn; IDFieldName = uid; UIDFieldName = uid; baseDN = "ou=users,dc=coyote,dc=com"; bindDN = "uid=sogo,ou=users,dc=coyote,dc=com"; bindPassword = qwerty; canAuthenticate = YES; displayName = "Shared Addresses"; hostname = localhost; id = public_coyote; isAddressBook = YES; port = 389; } ); }; };}

    The following additional parameters only affect SOGo when using multiple domains.

    S SOGoEnableDomainBasedUID

    Parameter used to activate user identification by domain. Users will be able (without being required) to login using the form username@domain, meaning that values of UIDFieldName no longer have to be unique among all domains but only within the same domain. Internally, users will always be identified by the concatenation of their username and domain.

    Consequently, activating this parameter on an existing system implies that user identifiers will change and their previous calendars and address books will no longer be accessible unless a conversion is performed.

    Defaults to NO when unset.

    S SOGoLoginDomains

    Parameter used to define which domains should be selectable from the login page. This parameter is an array of keys from the domains dictionary.

    Defaults to an empty array, which means that no domains appear on the login page. If you prefer having the domain names listed, just use these as keys for the domains dictionary.

    S SOGoDomainsVisibility

    Parameter used to set domains visible among themselves. This parameter is an array of arrays.

    Example: SOGoDomainsVisibility = ((acme,coyote));

    Defaults to an empty array, which means domains are isolated from each other.

    Apache Configuration

    The SOGo configuration for Apache is located in /etc/httpd/conf.d/SOGo.conf.

    Upon SOGo installation, a default configuration file is created which is suitable for most configurations.

    You must also configure the following parameters in the SOGo configuration file for Apache in order to have a working installation:

    RequestHeader set "x-webobjects-server-port" "80"
    RequestHeader set "x-webobjects-server-name" "yourhostname"
    RequestHeader set "x-webobjects-server-url" "http://yourhostname"

    You may consider enabling SSL on top of this current installation to secure access to your SOGo installation.

    See http://httpd.apache.org/docs/2.2/ssl/ for details.


    You might also have to adjust the configuration if you have SELinux enabled.

    The default configuration will use mod_proxy and mod_headers to relay requests to the sogod parent process. This is suitable for small to medium deployments.

    Starting Services

    Once SOGo is fully installed and configured, start the services using the following command:

    service sogod start

    You may verify using the chkconfig command that the SOGo service is automatically started at boot time. Restart the Apache service since modules and configuration files were added:

    service httpd restart

    Finally, you should also make sure that the memcached service is started and that it is also automatically started at boot time.

    Cronjob - EMail reminders

    SOGo allows you to set email-based reminders for events and tasks. To enable this, you must enable the SOGoEnableEMailAlarms preference and set the OCSEMailAlarmsFolderURL preference accordingly.

    Once you've correctly set those two preferences, you must create a cronjob that will run under the "sogo" user. This cronjob should be run every minute.

    A commented out example should have been installed in /etc/cron.d/sogo; to enable it, simply uncomment it.

    As a reference, the cronjob should be defined like this:

    * * * * * /usr/sbin/sogo-ealarms-notify

    If your mail server requires use of SMTP AUTH, specify a credential file using -p /path/to/credFile. This file should contain the username and password, separated by a colon (username:password).


    Cronjob - Vacation messages expiration

    When vacation messages are enabled (see the parameter SOGoVacationEnabled), users can set an expiration date to messages auto-reply. For this feature to work, you must run a cronjob under the "sogo" user.

    A commented out example should have been installed in /etc/cron.d/sogo. To work correctly this tool must login as an administrative user on the sieve server. The required credentials must be specified in a file by using -p /path/to/credFile. This file should contain the username and password, separated by a colon (username:password).

    The cronjob should look like this:

    0 0 * * * sogo /usr/sbin/sogo-tool expire-autoreply -p /etc/sogo/sieve.creds
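
    Both cron jobs above can read a username:password file passed with -p, and that file holds a mail or sieve administrator password in clear text. The following shell function is an added example, not part of the SOGo guide or the SOGo tools, that audits such a file before the cron job is enabled. The name check_credfile, the reliance on GNU stat and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the credential file passed with -p to
# sogo-ealarms-notify or "sogo-tool expire-autoreply".
# check_credfile is a hypothetical helper name; GNU stat is assumed.
# Usage: check_credfile PATH EXPECTED_UID   (e.g. "$(id -u sogo)")
# Prints one line per finding and returns 0 only if every check passes.
check_credfile() {
    path=$1 want_uid=$2 rc=0
    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: not a regular file"
        return 1
    fi
    uid=$(stat -c '%u' "$path")    # numeric owner
    mode=$(stat -c '%a' "$path")   # octal permission bits, e.g. 600
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $path: owned by uid $uid, expected $want_uid"
        rc=1
    fi
    # The last two octal digits are the group and other permissions;
    # both must be 0 so that only the owner can read the password.
    case $mode in
        0|*00) ;;
        *) echo "FAIL $path: mode $mode grants group/other access"
           rc=1 ;;
    esac
    # Format from the guide: username and password separated by a colon.
    first=
    IFS= read -r first < "$path" || true
    case $first in
        ?*:?*) ;;
        *) echo "FAIL $path: first line is not username:password"
           rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed file (not a real credential).
demo_dir=$(mktemp -d)
printf 'sieveadmin:constructed-password\n' > "$demo_dir/sieve.creds"
chmod 644 "$demo_dir/sieve.creds"
check_credfile "$demo_dir/sieve.creds" "$(id -u)" || echo "fix: chmod 600"
chmod 600 "$demo_dir/sieve.creds"
check_credfile "$demo_dir/sieve.creds" "$(id -u)" && echo "OK: owner-only"
rm -rf "$demo_dir"
```

    On a real installation the call would be check_credfile /etc/sogo/sieve.creds "$(id -u sogo)", since the cron job runs as the sogo user.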

  • Chapter 6

    Managing User Accounts

    Creating the SOGo Administrative Account

    First, create the SOGo administrative account in your LDAP server. The following LDIF file (sogo.ldif) can be used as an example:

    dn: uid=sogo,ou=users,dc=acme,dc=com
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: person
    objectClass: organizationalPerson
    uid: sogo
    cn: SOGo Administrator
    mail: [email protected]
    sn: Administrator
    givenName: SOGo

    Load the LDIF file inside your LDAP server using the following command:

    ldapadd -f sogo.ldif -x -w qwerty -D cn=Manager,dc=acme,dc=com

    Finally, set the password (to the value qwerty) of the SOGo administrative account using the following command:

    ldappasswd -h localhost -x -w qwerty -D cn=Manager,dc=acme,dc=com uid=sogo,ou=users,dc=acme,dc=com -s qwerty

    Creating a User Account

    SOGo uses LDAP directories to authenticate users. Use the following LDIF file (jdoe.ldif) as an example to create a SOGo user account:

    dn: uid=jdoe,ou=users,dc=acme,dc=com
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: person
    objectClass: organizationalPerson
    uid: jdoe
    cn: John Doe
    mail: [email protected]
    sn: Doe
    givenName: John

    Load the LDIF file inside your LDAP server using the following command:

    ldapadd -f jdoe.ldif -x -w qwerty -D cn=Manager,dc=acme,dc=com

    Finally, set the password (to the value qwerty) of the SOGo administrative account using the following command:

    ldappasswd -h localhost -x -w qwerty -D cn=Manager,dc=acme,dc=com uid=jdoe,ou=users,dc=acme,dc=com -s qwerty

    As an alternative to using command-line tools, you can also use LDAP editors such as Luma or Apache Directory Studio to make your work easier. These GUI utilities can make use of templates to create and pre-configure typical user accounts or any standardized LDAP record, along with the correct object classes, fields and default values.

  • Chapter 7

    Microsoft ActiveSync

    SOGo supports the Microsoft ActiveSync protocol.

    ActiveSync clients can fully synchronize contacts, emails, events and tasks with SOGo. Freebusy and GAL lookups are also supported, as well as "Smart reply" and "Smart forward" operations.

    To enable Microsoft ActiveSync support in SOGo, you must install the required packages.

    yum install sogo-activesync libwbxml

    Once installed, simply uncomment the following lines from your SOGo Apache configuration:

    ProxyPass /Microsoft-Server-ActiveSync \
      http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync \
      retry=60 connectiontimeout=5 timeout=360

    Restart Apache afterwards.

    The following additional parameters only affect SOGo when using ActiveSync:

    S SOGoMaximumPingInterval

    Parameter used to set the maximum amount of time, in seconds, SOGo will wait before replying to a Ping command.

    If not set, it defaults to 5 seconds.

    S SOGoMaximumSyncInterval

    Parameter used to set the maximum amount of time, in seconds, SOGo will wait before replying to a Sync command.

    If not set, it defaults to 30 seconds.

    S SOGoInternalSyncInterval

    Parameter used to set the maximum amount of time, in seconds, SOGo will wait before doing an internal check for data changes (add, delete, and update). This parameter must be lower than SOGoMaximumSyncInterval.

    If not set, it defaults to 10 seconds.

    S SOGoMaximumSyncWindowSize

    Parameter used to overwrite the maximum number of items returned during a Sync operation.

    Defaults to 0, which means no overwrite is performed.

    Setting this parameter to a value greater than 512 will have unexpected behaviour with various ActiveSync clients.

    Please be aware of the following limitations:

    Currently, only the personal calendar and address book are synchronized. Adding support for all folders is planned.

    When creating an Outlook 2013 profile, you must actually kill Outlook before the end of the creation process. See http://www.vionblog.com/connect-zimbra-community-with-outlook-2013 for a procedure example.

    Outlook 2013 does not search the GAL. One possible alternative solution is to configure Outlook to use a LDAP server (over SSL) with authentication. Alternatively, when supporting more than just the personal address book, we'll also be able to expose the LDAP/SQL based address books in SOGo over ActiveSync.

    Make sure you do not use a self-signed certificate. While this will work, Outlook will work intermittently as it will raise popups for certificate validation, sometimes in background, preventing the user from seeing the warning and thus preventing any synchronization from happening.

    ActiveSync clients keep connections open for a while. Each connection will grab a hold on a sogod process so you will need a lot of processes to handle many clients. This limitation will eventually be overcome in SOGo.

    Repetitive events with occurrences exceptions are currently not supported.

    Outlook 2013 Autodiscovery is currently not supported.

    Outlook 2013 freebusy lookups are supported using the Internet Free/Busy feature of Outlook 2013. Please see http://support.microsoft.com/kb/291621 for configuration instructions. On the SOGo side, SOGoEnablePublicAccess must be set to YES and the URL to use must be of the following format: http:///SOGo/dav/public/%NAME%/freebusy.ifb

    In order to use the SOGo ActiveSync support code in production environments, you need to get a proper usage license from Microsoft. Please contact them directly to negotiate the fees associated to your user base.

    To contact Microsoft, please visit:

    http://www.microsoft.com/en-us/legal/intellectualproperty/IPLicensing/Programs/exchangeactivesyncprotocol.aspx and send an email to [email protected]

    Inverse inc. provides this software for free, but is not responsible for anything related to its usage.


  • Chapter 8

    Using SOGo

    SOGo Web Interface

    To access the SOGo Web Interface, point your Web browser, which is running from the same server where SOGo was installed, to the following URL: http://localhost/SOGo.

    Login using the "jdoe" user and the "qwerty" password. The underlying database tables will automatically be created by SOGo.

    Mozilla Thunderbird and Lightning

    Alternatively, you can access SOGo with a GroupDAV and a CalDAV client. A typical well-integrated setup is to use Mozilla Thunderbird and Mozilla Lightning along with Inverse's SOGo Connector plugin to synchronize your address books and Inverse's SOGo Integrator plugin to provide a complete integration of the features of SOGo into Thunderbird and Lightning. Refer to the documentation of Thunderbird to configure an initial IMAP account pointing to your SOGo server and using the username and password mentioned above.

    With the SOGo Integrator plugin, your calendars and address books will be automatically discovered when you login in Thunderbird. This plugin can also propagate specific extensions and default user settings among your site. However, be aware that in order to use the SOGo Integrator plugin, you will need to repackage it with specific modifications. Please refer to the documentation published online:

    http://www.sogo.nu/downloads/documentation.html

    If you only use the SOGo Connector plugin, you can still easily access your data.

    To access your personal address book:

    Choose Go > Address Book.

    Choose File > New > Remote Address Book.

    Enter a significant name for your calendar in the Name field.

    Type the following URL in the URL field: http://localhost/SOGo/dav/jdoe/Contacts/personal/


    Click on OK.

    To access your personal calendar:

    Choose Go > Calendar.

    Choose Calendar > New Calendar.

    Select On the Network and click on Continue.

    Select CalDAV.

    Type the following URL in the URL field: http://localhost/SOGo/dav/jdoe/Calendar/personal/

    Click on Continue.

    Apple iCal

    Apple iCal can also be used as a client application for SOGo.

    To configure it so it works with SOGo, create a new account and specify, as the Account URL, an URL such as:

    http://localhost/SOGo/dav/jdoe/

    Note that the trailing slash is important for Apple iCal 3.

    Apple AddressBook

    Since Mac OS X 10.6 (Snow Leopard), Apple AddressBook can be configured to use SOGo.

    In order to make this work, you must add a new virtual host in your Apache configuration file to listen on port 8800 and handle requests coming from iOS devices.

    The virtual host should be defined like:


    RewriteEngine Off
    ProxyRequests Off
    SetEnv proxy-nokeepalive 1
    ProxyPreserveHost On
    ProxyPassInterpolateEnv On
    ProxyPass /principals http://127.0.0.1:20000/SOGo/dav/ interpolate
    ProxyPass /SOGo http://127.0.0.1:20000/SOGo interpolate
    ProxyPass / http://127.0.0.1:20000/SOGo/dav/ interpolate

    Order allow,deny
    Allow from all
    RequestHeader set "x-webobjects-server-port" "8800"
    RequestHeader set "x-webobjects-server-name" "acme.com:8800"
    RequestHeader set "x-webobjects-server-url" "http://acme.com:8800"
    RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
    RequestHeader set "x-webobjects-remote-host" "127.0.0.1"
    AddDefaultCharset UTF-8
    ErrorLog /var/log/apache2/ab-error.log
    CustomLog /var/log/apache2/ab-access.log combined

    This configuration is also required if you want to configure a CardDAV account on an Apple iOS device (version 4.0 and later).

    Microsoft ActiveSync / Mobile Devices

    You can synchronize contacts, emails, events and tasks from SOGo with any mobile devices that support Microsoft ActiveSync. Microsoft Outlook 2013 is also supported.

    The Microsoft ActiveSync server URL is generally something like: http://localhost/Microsoft-Active-Sync.

  • Chapter 9

    Upgrading

    This section describes what needs to be done when upgrading to the current version of SOGo from the previous release.

    2.2.8

    The configuration parameters were renamed:

    SOGoMailMessageCheck was replaced with SOGoRefreshViewCheck
    SOGoMailPollingIntervals was replaced with SOGoRefreshViewIntervals

    Backward compatibility is in place for the old preferences values.

    2.0.5

    The configuration is now stored in /etc/sogo/sogo.conf. Perform the following commands as root to migrate your previous user defaults:

    install -d -m 750 -o sogo -g sogo /etc/sogo
    sudo -u sogo sogo-tool dump-defaults > /etc/sogo/sogo.conf
    chown root:sogo /etc/sogo/sogo.conf
    chmod 640 /etc/sogo/sogo.conf
    # ~sogo is the sogo user's home; a bare ~ would expand to root's home here
    sudo -u sogo mv ~sogo/GNUstep/Defaults/.GNUstepDefaults \
      ~sogo/GNUstep/Defaults/GNUstepDefaults.old

    2.0.4

    The parameter SOGoForceIMAPLoginWithEmail is now deprecated and is replaced by SOGoForceExternalLoginWithEmail (which extends the functionality to SMTP authentication). Update your configuration if you use this parameter.

    The sogo user is now a system user. For new installs, this means that su - sogo won't work anymore. Please use sudo -u sogo instead. If used in scripts from cronjobs, requiretty must be disabled in sudoers.

    1.3.17

    Run the shell script sql-update-1.3.16_to_1.3.17.sh or sql-update-1.3.16_to_1.3.17-mysql.sh (if you use MySQL).

    This will grow the "cycleinfo" field of calendar tables to a larger size.

    1.3.12

    Once you have updated and restarted SOGo, run the shell script sql-update-1.3.11_to_1.3.12.sh or sql-update-1.3.11_to_1.3.12-mysql.sh (if you use MySQL).

    This will grow the "content" field of calendar and address book tables to a larger size and fix the primary key of the session table.

    1.3.9


    For Red Hat-based distributions, version 1.23 of GNUstep will be installed. Since the location of the Web resources changes, the Apache configuration file (SOGo.conf) has been adapted. Verify your Apache configuration if you have customized this file.

  • Chapter 10

    Additional Information

    For more information, please consult the online FAQs (Frequently Asked Questions):

    http://www.sogo.nu/english/support/faq.html

    You can also read the mailing archives or post your questions to it. For details, see:

    https://lists.inverse.ca/sogo


  • Chapter 11

    Commercial Support and Contact Information

    For any questions or comments, do not hesitate to contact us by writing an email to:

    [email protected]

    Inverse (http://inverse.ca) offers professional services around SOGo to help organizations deploy the solution and migrate from their legacy systems.
