Self-signed certificate
Trust me: a self-signed certificate still encrypts the connection, but it gives the other party no independent way to verify the server's identity.

Part 7 - Linux groupware and collaboration

Jarrod Spiga, 26 April 2008, 1:42 PM

Once your LDAP installation is authenticating users on your network, we can extend the infrastructure to provide essential collaboration tools to help users work more efficiently.


A groupware suite is essential for most businesses in order to ensure effective collaboration between users and departments. Just as most people take email for granted these days, the ability to coordinate staff and resources via groupware tools is generally only missed when it is not available.

Pre-packaged, paid-for groupware suites such as Zimbra can be installed on Linux, but in line with the goals of our Linux SBS deployment — a server with minimal monetary cost without consideration for labour cost — this article will demonstrate how to install the freely available Horde Groupware suite, which mimics a typical Microsoft Exchange installation.

A gentle reminder. . .
As per the last part of this series, the instructions detailed in this Masterclass apply to a CentOS 5 server but should translate to most Linux distributions. The applications used in this Masterclass are available as binaries on most distributions, but you may have to compile some of the packages mentioned in this guide yourself, depending on the distro you have chosen.


Extend the schema

The LDAP schema that was created in the previous chapter is adequate for basic authentication purposes but does not include attributes that record mail settings such as mailbox location and email aliases. Writing such a schema from scratch is time-consuming, but the JAMM (Java Mail Manager) project on SourceForge (http://sourceforge.net/projects/jamm/) provides a suitable and freely available schema, along with a Java web application that can be used to manage the attributes defined by the JAMM schema via a GUI.

Download the .tar.gz file from SourceForge and extract it under your /root directory. Copy the jamm.schema file from the extracted archive to the /etc/openldap/schema directory. Then open /etc/openldap/slapd.conf in your favourite text editor and add the following line towards the top of the file, after the existing include lines for the standard schemas: slapd processes includes in order, and any attribute the JAMM object classes reuse from those schemas (such as mail) has to be defined before jamm.schema is read:

include /etc/openldap/schema/jamm.schema

Then add the following lines towards the end of the file, replacing the dc values with those you used for your domain. Keep in mind that slapd evaluates access directives in order and uses the first one whose target matches, so these must appear before any catch-all access to * directive that is already in the file, or they will never be reached:

access to dn.regex=".*,jvd=([^,]+),o=mail,dc=contoso,dc=corp"
    attr=userPassword
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=mail,dc=contoso,dc=corp" write
    by dn="cn=dovecot,dc=contoso,dc=corp" read
    by anonymous auth
    by * none

access to dn.regex=".*,jvd=([^,]+),o=mail,dc=contoso,dc=corp"
    by self write
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=mail,dc=contoso,dc=corp" write
    by * read

The first directive governs userPassword on the entries beneath each virtual domain: the owner and that domain's postmaster may change it, the Dovecot service account may read it (so that Dovecot can check passwords itself), anyone may use it to bind, and nobody else can read it. The second directive lets the owner and postmaster edit the rest of a mail entry and lets everyone, including anonymous clients, read it. That anonymous read access is what the unauthenticated Postfix lookups configured later rely on, but it also means anyone who can reach port 389 can enumerate your mailboxes and aliases, so keep the directory firewalled off from everything except the mail host. Next, we need to add the accounts that JAMM and Dovecot will use to access the directory. Create a new ldif file under your /root directory and name it jamm.ldif. Insert the following lines into the file:

# Create a generic mail object for JAMM/Postfix
dn: o=mail,dc=contoso,dc=corp
objectclass: top
objectclass: organization
o: mail

# Create a service account for Dovecot. It only ever binds and searches,
# so it needs no POSIX attributes: posixAccount would require uid,
# uidNumber, gidNumber and homeDirectory and slapd would reject the entry
# without them. inetOrgPerson only requires cn and sn.
dn: cn=dovecot,dc=contoso,dc=corp
objectclass: top
objectclass: inetOrgPerson
cn: dovecot
sn: dovecot

Once you've saved the file, execute the following command to import this data into your directory (you'll need to supply your rootdn password for the command to succeed):

ldapadd -x -D "cn=root,dc=contoso,dc=corp" -W -f ~/jamm.ldif

Finally, set a password for the dovecot service account and make a note of it; you will need it in the Dovecot configuration later. The -S option prompts for the new password rather than taking it on the command line, where it would be visible in the process list and saved in your shell history:

ldappasswd -x -D "cn=root,dc=contoso,dc=corp" -W -S "cn=dovecot,dc=contoso,dc=corp"

More Troublesome Administration

The default installation of CentOS (and many other distributions) puts the Sendmail mail transfer agent (MTA) onto your server. Sendmail is one of the most robust MTAs available, but it isn't exactly the easiest to configure or administer. To make your job easier, remove it from your server and replace it with Postfix. While we're at it, we may as well install the other components required for our mail system:

yum remove sendmail
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix dovecot
Once Postfix has been added, we need another service account: one that owns the mailbox files Postfix writes to the local filesystem for mail addressed to the virtual mailbox domains (it is generally best to configure Postfix with virtual mailbox domains, as this provides a more expandable and flexible mail solution). This account must be a local system account, not a directory entry. The virtual delivery agent only needs a uid and gid to own the files with, and by keeping that outside LDAP the delivery stage does not depend on the directory being reachable: mail that has already been accepted waits in the queue and is delivered once the directory is back, instead of failing:

adduser vmail

Next, obtain the uid and gid of the account you have just created. Its record is the last line of /etc/passwd; the third and fourth colon-separated fields are the uid and gid:

tail -1 /etc/passwd

Postfix and LDAP

The next step is to get Postfix working with your LDAP directory. Create a file named ldap-accounts in /etc/postfix and populate it with the following data (bind = no means Postfix searches the directory anonymously, which is why the second access directive above grants read access to everyone):

server_host = localhost
server_port = 389
search_base = dc=contoso,dc=corp
query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = mailbox
bind = no

This file is responsible for locating LDAP accounts that are associated with a mailbox; Postfix substitutes the address being looked up for %s. The next file to create in the same directory is ldap-accountsmap. This file maps primary email addresses to mailboxes and should contain:

server_host = localhost
server_port = 389
search_base = dc=contoso,dc=corp
query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = mail
bind = no

The next file, ldap-aliases, defines which other email aliases point to which mailboxes. This file should contain the following:

server_host = localhost
server_port = 389
search_base = dc=contoso,dc=corp
query_filter = (&(objectClass=JammMailAlias)(mail=%s)(accountActive=TRUE))
result_attribute = maildrop
bind = no

Fourth on the list of files to create is ldap-domains, which allows Postfix to determine which domains it should accept email for. Note that the domain entries live directly beneath o=mail (the access directives above match their children as jvd=...,o=mail,dc=contoso,dc=corp), so with scope = one the search base has to be o=mail rather than the directory root; a one-level search from dc=contoso,dc=corp would never reach them and Postfix would reject mail for every virtual domain. The contents of this file should be:

server_host = localhost
server_port = 389
search_base = o=mail,dc=contoso,dc=corp
query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
result_attribute = jvd
bind = no
scope = one


The final new file is header_checks, a regexp table that Postfix applies to each message header as mail arrives and that can be used for content filtering to keep spam out. Each rule is a pattern between slashes followed by an action, and the first matching rule wins. Be aware of what the one rule shown here actually does: it places every message that carries a Received: header in the hold queue, which is practically every message that arrives from another mail server, so treat it as a placeholder to be replaced with patterns that match the junk you actually receive (messages already held can be released with postsuper):

/^Received:/ HOLD
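To see what a header_checks rule does before it sits in front of live mail, here is an added example that is not part of the article: a small shell evaluator for the regexp: table format. It applies a table to the headers of two constructed messages, an ordinary one relayed in from another MTA and one that an upstream filter has tagged, first with the rule above and then with a narrower table of assumed patterns. The mail.contoso.com, example.net and example.org names, the message contents and the narrower rules are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: an evaluator for the Postfix regexp:
# header_checks format, used to show what a rule does to real traffic.
# Simplifications versus Postfix: headers are the lines before the first empty
# line, folded continuation lines are not joined, patterns containing "/ " are
# not supported, and matching uses grep -E (POSIX ERE, case-insensitive, which
# is also Postfix's default for regexp tables).

# header_check_action TABLE MESSAGE
# Prints the action of the first rule whose pattern matches any header line,
# or NONE when nothing matches. Rules are tried in table order, so the first
# match wins exactly as it does in a Postfix regexp table.
header_check_action() {
    table=$1; msg=$2
    while IFS= read -r rule || [ -n "$rule" ]; do
        case $rule in ''|'#'*) continue ;; esac   # skip blank lines and comments
        pat=${rule#/}                              # drop the leading slash
        pat=${pat%%/ *}                            # keep the text up to the "/ " before the action
        act=${rule##*/ }                           # keep the action after that "/ "
        if sed '/^$/q' "$msg" | grep -qiE -- "$pat"; then
            printf '%s\n' "$act"
            return 0
        fi
    done < "$table"
    printf 'NONE\n'
}

# Constructed sample data: the first table is the article's one-line file,
# the second is an assumed replacement (its patterns are not from the article).
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    printf '%s\n' '/^Received:/ HOLD' > article_table
    printf '%s\n' '/^Subject: .*\[SPAM\]/ REJECT tagged as spam by upstream filter' \
                  '/^X-Mailer: .*SuperSpamBlaster/ DISCARD' > narrower_table
    # An ordinary message relayed in from another MTA (placeholder hosts).
    printf '%s\n' 'Received: from smtp.example.net (smtp.example.net [192.0.2.10])' \
        '        by mail.contoso.com (Postfix) with ESMTP id 0123ABCD' \
        'From: alice@example.net' 'To: bob@contoso.com' \
        'Subject: Quarterly figures' '' 'Attached.' > legit.eml
    # A message an upstream filter has already tagged.
    printf '%s\n' 'Received: from relay.example.org (relay.example.org [198.51.100.7])' \
        '        by mail.contoso.com (Postfix) with ESMTP id 89ABCDEF' \
        'From: promo@example.org' 'To: bob@contoso.com' \
        'Subject: [SPAM] You have won' '' 'Click here.' > spam.eml
    echo "article table, legitimate message: $(header_check_action article_table legit.eml)"
    echo "article table, spam message:       $(header_check_action article_table spam.eml)"
    echo "narrower table, legitimate:        $(header_check_action narrower_table legit.eml)"
    echo "narrower table, spam:              $(header_check_action narrower_table spam.eml)"
    cd / && rm -rf "$d"
)

demo
```

With the article's table both messages come back HOLD, because both passed through another MTA; with the narrower table the legitimate message is left alone and only the tagged one is rejected. Postfix's own postmap -q can be used the same way against the real /etc/postfix/header_checks once it is in place.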
After those five files have been added, edit main.cf so that the following lines are uncommented and set as appropriate for your infrastructure (refer to the Postfix documentation for a rundown of what each configuration directive does):

header_checks = regexp:/etc/postfix/header_checks
myhostname = external_hostname.contoso.com
mydomain = contoso.com
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, $mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
relay_domains = $mydestination
mail_spool_directory = /var/spool/mail
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = no
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
virtual_alias_maps = ldap:/etc/postfix/ldap-accountsmap, ldap:/etc/postfix/ldap-aliases
virtual_transport = virtual
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_maps = ldap:/etc/postfix/ldap-accounts
virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains
virtual_minimum_uid = 1000
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000

In the above configuration, ensure that the myhostname and mydomain directives refer to externally accessible fully-qualified domain names; your internal network name should not be used for these. A domain must be listed either in mydestination or as a virtual domain in the directory, never both: if contoso.com appears in both, Postfix logs a warning and treats it as a local domain, bypassing the LDAP mailboxes entirely. Also ensure that the virtual_uid_maps, virtual_gid_maps and virtual_minimum_uid directives refer to the uid and gid of the vmail account you created earlier (on CentOS, adduser normally allocates ids starting at 500, not 1000). The restriction list is evaluated left to right: permit_sasl_authenticated lets users who have logged in relay anywhere, permit_mynetworks does the same for the local host, and reject_unauth_destination refuses anything else that is not addressed to one of your own domains. That last entry is what stops the server from being an open relay, so never remove it.

So far we've told Postfix how to use your LDAP directory to find mailboxes, as opposed to telling it to authenticate users against the directory. For that, verify which mechanisms the Simple Authentication and Security Layer (SASL) library offers on Postfix's behalf.

On an x86 system, open /usr/lib/sasl2/smtpd.conf in your favourite text editor; on an x86-64 system, open /usr/lib64/sasl2/smtpd.conf. Ensure that the file contains both of the following lines:

pwcheck_method: saslauthd
mech_list: plain login

Both PLAIN and LOGIN send the password in the clear. That is acceptable here only because smtpd_tls_auth_only = yes above makes Postfix refuse to offer AUTH until the client has started TLS.

Next, edit /etc/sysconfig/saslauthd so that the ldap authentication mechanism is used:

MECH=ldap

Finally, edit /etc/saslauthd.conf so that saslauthd can locate the credentials of users who log on to Postfix for authenticated relay. %u and %r are replaced with the user name and realm supplied at login, so together they must equal the account's mail attribute:

ldap_servers: ldap://127.0.0.1
ldap_search_base: dc=contoso,dc=corp
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u@%r)(accountActive=TRUE)(delete=FALSE))

saslauthd searches anonymously here and then checks the password by binding to the directory as the matched entry, which is what the by anonymous auth clause on userPassword permits. The testsaslauthd utility shipped with cyrus-sasl lets you check a user name, password and realm against the running saslauthd before involving Postfix.

Adding security

In order to allow mail clients and other mail servers to establish TLS-protected SMTP connections to your mail server, you need to provide Postfix with a certificate and private key. While you could purchase a certificate from a trusted certificate authority (CA) such as Verisign or Thawte, many businesses only require the ability to encrypt data between endpoints, and the identity verification that a CA-issued certificate provides is not required. Bear in mind what you give up: a self-signed certificate does nothing to stop an attacker who can redirect your traffic from presenting a self-signed certificate of their own. To start generating any certificate (be it from a CA or self-signed), issue the following commands; use a 2048-bit key, as 1024-bit RSA keys are too small to rely on:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -out smtpd.key 2048

When you enter the third command, make a note of the passphrase that you enter. The following commands should then be entered to restrict access to the key and to generate the certificate signing request:

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

After you issue the second command, you'll be asked to enter the details that will be presented to external parties when they retrieve the certificate. It is imperative that the Common Name entered at the prompt matches what you have supplied to the myhostname directive in your Postfix configuration, as that is the name clients compare the certificate against.

If you are obtaining a certificate from a CA, you would then send the contents of smtpd.csr to the CA. If you are generating a self-signed certificate, issue the following command to generate it, entering the passphrase you noted above when prompted:

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

Two more things need to happen. First, Postfix reads the key at startup with nobody there to type a passphrase, so the encrypted key must be replaced with an unencrypted copy; the 0600 permissions set earlier are then all that protects it, so keep them. Second, main.cf above points smtpd_tls_CAfile at cacert.pem, so a CA certificate has to exist; the third command below creates a fresh self-signed CA certificate and key for that purpose:

openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Be clear about what this does and does not give you. smtpd.crt was signed with smtpd.key, so it is its own issuer, and the cacert.pem generated afterwards has no relationship to it: listing it in smtpd_tls_CAfile is harmless but does not make smtpd.crt chain to anything, and a peer that wants to verify your server has to trust smtpd.crt itself. If you want the CA certificate to genuinely vouch for the server certificate, generate the CA first and sign smtpd.csr with cakey.pem instead of with -signkey. Either way, once Postfix is running you can confirm the certificate it presents with openssl's s_client using its -starttls smtp option.
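As an added example that is not part of the article, the following shell script does the certificate work in the order that actually produces a chain: it creates the CA first, issues smtpd.crt from the CSR with the CA key, and verifies the result with openssl verify. A second function reproduces the sequence above and shows that openssl refuses to verify the self-signed smtpd.crt against the separately generated cacert.pem. mail.example.com, Example Corp and the scratch directory are assumptions; nothing is written to /etc/postfix, so copy the files there yourself after checking the output.

```shell
#!/bin/sh
# Added example, not from the article: build the files the Postfix
# configuration above expects (smtpd.key, smtpd.crt, cacert.pem) so that
# cacert.pem really is the issuer of smtpd.crt, and check the result the way a
# verifying peer would. Works in a scratch directory and never touches
# /etc/postfix. Assumed values: mail.example.com as the server name (must equal
# myhostname in main.cf) and "Example Corp Mail CA" as the CA's name. Keys are
# written unencrypted (-nodes): smtpd cannot type a passphrase at startup, and
# the CA key is left that way only so the demo runs unattended.

# make_postfix_chain DIR FQDN
# Writes cakey.pem, cacert.pem, smtpd.key, smtpd.csr and smtpd.crt into DIR.
# Returns 0 only if smtpd.crt verifies against cacert.pem.
make_postfix_chain() (
    dir=$1; fqdn=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    # 1. Self-signed CA certificate and key, made first so that it can sign.
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=Example Corp Mail CA" \
        -keyout cakey.pem -out cacert.pem >/dev/null 2>&1 || exit 1
    # 2. Server key and CSR; the CN is what clients compare with the host name.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/CN=$fqdn" \
        -keyout smtpd.key -out smtpd.csr >/dev/null 2>&1 || exit 1
    chmod 600 smtpd.key cakey.pem
    # 3. Issue smtpd.crt from the CSR with the CA key. Using -signkey smtpd.key
    #    here instead would produce a self-issued certificate unrelated to the CA.
    openssl x509 -req -days 3650 -in smtpd.csr \
        -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -out smtpd.crt >/dev/null 2>&1 || exit 1
    # 4. Verify the chain as a peer holding cacert.pem in its trust store would.
    openssl verify -CAfile cacert.pem smtpd.crt >/dev/null 2>&1
)

# cert_cn CERT: print the subject CN, for comparison with myhostname.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# issued_by CERT CA: 0 when CERT's issuer name equals CA's subject name.
issued_by() {
    [ "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')" = \
      "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')" ]
}

# selfsigned_then_ca DIR
# Reproduces the article's order of operations: certificate self-signed with
# smtpd.key, then an unrelated CA certificate generated afterwards. Returns 0
# when openssl verify REJECTS smtpd.crt against that cacert.pem, which is the
# point being demonstrated.
selfsigned_then_ca() (
    mkdir -p "$1" && cd "$1" || exit 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.com" \
        -keyout smtpd.key -out smtpd.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key \
        -out smtpd.crt >/dev/null 2>&1 || exit 1
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -subj "/CN=Example Corp Mail CA" -keyout cakey.pem -out cacert.pem \
        >/dev/null 2>&1 || exit 1
    ! openssl verify -CAfile cacert.pem smtpd.crt >/dev/null 2>&1
)

work=$(mktemp -d)
if make_postfix_chain "$work/chain" mail.example.com; then
    echo "smtpd.crt for CN=$(cert_cn "$work/chain/smtpd.crt") verifies against cacert.pem"
fi
if selfsigned_then_ca "$work/selfsigned"; then
    echo "self-signed smtpd.crt does NOT verify against a separately generated cacert.pem"
fi
rm -rf "$work"
```

The files written by make_postfix_chain drop straight into /etc/postfix/ssl with the names main.cf already uses; keep cakey.pem off the mail server (or encrypted) once the certificate has been issued, since anyone holding it can mint certificates your clients will trust.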


And on to Dovecot

We've now completed our SMTP server configuration. This allows email to come into the system but does not allow users to retrieve their messages. That task is performed by Dovecot via the POP3 or IMAP protocols.

The configuration of Dovecot is far simpler than that of Postfix. Edit /etc/dovecot.conf and uncomment or edit the following lines. The flat auth_* settings below are the older (pre-1.0) Dovecot syntax; the Dovecot 1.0 shipped with CentOS 5 groups them inside an auth default { } block, and the sample dovecot.conf installed with the package is the authoritative guide to the spelling your version expects:

protocols = imap imaps pop3 pop3s
ssl_disable = no
disable_plaintext_auth = yes
first_valid_uid = 1000
last_valid_uid = 1000
first_valid_gid = 1000
last_valid_gid = 1000
default_mail_env = maildir:/home/vmail/domains/%d/%n
auth = default
auth_mechanisms = plain
auth_userdb = ldap /etc/dovecot-ldap.conf
auth_passdb = ldap /etc/dovecot-ldap.conf
auth_user = root

disable_plaintext_auth = yes makes Dovecot refuse the PLAIN mechanism on the unencrypted imap and pop3 ports, so passwords can only cross the wire inside an SSL session; set it to no only if you must support a client that cannot do SSL, and understand that those users' directory passwords are then readable by anyone on the network path. As with Postfix, the valid uid and gid range must match the vmail account, and unless the package already installed a self-signed certificate for you (check the paths the ssl_cert_file and ssl_key_file settings point at), point those settings at the certificate and key you generated above.

Next, we need to instruct Dovecot how to look users up in your directory. Create a new file in /etc named dovecot-ldap.conf and populate it with the following, replacing password on the dnpass line with the password you set for the dovecot account with ldappasswd. Because that line holds a directory credential in clear text, make the file readable by root only (mode 600):

hosts = localhost
dn = cn=dovecot,dc=contoso,dc=corp
dnpass = password
ldap_version = 3
base = dc=contoso,dc=corp
deref = never
scope = subtree
user_attrs = mail,homeDirectory,,,,
user_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
pass_attrs = mail,userPassword
pass_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
default_pass_scheme = CRYPT
user_global_uid = 1000
user_global_gid = 1000

Dovecot binds as the dovecot service account, reads userPassword (which the first access directive permits for that DN) and compares it itself, so default_pass_scheme must match the hash format JAMM writes into userPassword; a value stored with an explicit {SCHEME} prefix overrides it. user_global_uid and user_global_gid must again be the vmail account's ids.

With that configuration done, you can now restart the relevant services and ensure that they start at boot:

chkconfig --levels 235 postfix on
chkconfig --levels 235 saslauthd on
chkconfig --levels 235 dovecot on
service postfix restart
service saslauthd restart
service dovecot restart

Kick out the JAMMs

JAMM is a Java web application that is used to manage the mailboxes on your server, but before we can run it we need to install a Java Virtual Machine as well as Apache Tomcat (a Java application server).

First, download and install the Sun Java Runtime Environment from http://java.com/en/download/manual.jsp. Detailed installation instructions are provided on the Sun Microsystems web site. There is no freely redistributable RPM for Sun's Java, so it cannot be installed from the yum repositories.

Once the JVM is installed, edit /etc/profile and add the following lines (adjust the path to match the version of the JRE you installed):

export JAVA_HOME=/usr/java/j2sdk1.4.2_07
export PATH=$JAVA_HOME/bin:$PATH:$HOME/bin:/sbin:/usr/sbin

Next, install Apache Tomcat 5 from the yum repositories:

yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps

After installation, extract the files from jamm-0.9.6.war (located in the directory you extracted the JAMM archive to) into /usr/share/tomcat5/webapps/jamm. The following commands do the job:

mv ~/jamm-0.9.6/jamm-0.9.6.war /usr/share/tomcat5/webapps
mkdir /usr/share/tomcat5/webapps/jamm
cd /usr/share/tomcat5/webapps/jamm
jar -xf ../jamm-0.9.6.war

Rename the jamm.properties.dist file in /usr/share/tomcat5/webapps/jamm/WEB-INF to jamm.properties and edit it with values that reflect your LDAP installation:

jamm.ldap.search.base = dc=contoso,dc=corp
jamm.ldap.root.dn = cn=root,dc=contoso,dc=corp

Finally, once you have started Apache Tomcat, you should be able to reach the JAMM web GUI by pointing your browser at http://localhost:8080/jamm:

chkconfig --levels 235 tomcat5 on
service tomcat5 restart

Tomcat serves this over plain HTTP, and JAMM authenticates its users against the directory, so their directory passwords travel to Tomcat unencrypted. Use it from the server itself or firewall port 8080 from everything else, and do not expose it across the network without putting it behind an HTTPS front end. The tomcat5-admin-webapps package also installs Tomcat's own manager applications, which should be removed or locked down for the same reason.


I love LAMP

Now that you have a fully functional mail system, it's time to LAMP-ify your system: the Horde Groupware suite requires the combination of Linux, the Apache web server, MySQL and PHP in order to operate. Building a "LAMP" server is one of the most common tasks under Linux, and there are literally thousands of guides that will show you how to do this for your distro, but the quick and easy way for a CentOS 5 system is to issue the following command:

yum install httpd httpd-manual system-config-httpd mysql mysql-devel mysql-server php php-cli php-common php-devel php-gd php-imap php-ldap php-mbstring php-mcrypt php-mysql php-pdo php-xml

One for the Horde

Our final task is to install the groupware components on our server. Horde Groupware Webmail Edition is a suite of smaller web-accessible applications that are bundled together to offer functionality similar to what Microsoft Exchange offers. It uses PHP's IMAP libraries to provide mailbox connectivity and stores other collaboration data in a MySQL database. The final piece of preparation is to create an account and database within MySQL for Horde Groupware to save all of the collaboration data in. To do this, ensure that the MySQL daemon is running, set the root password (only if this is a new installation; a password given on the command line is visible in the process list while the command runs and is saved in your shell history, so remove it from the history afterwards) and log on to the MySQL server console:

chkconfig --levels 235 mysqld on
service mysqld restart
mysqladmin -u root password 'new_password'
mysql -u root -p

Next, we add the extra network components.


