Seafile And Kolab Deployment
Prerequisites
Prepare two Ubuntu 16.04 servers on the same VLAN: one for Seafile, one for Kolab.
Note: when installing Ubuntu, do not choose home directory encryption.
Seafile server deployment
Follow the Seafile official installation manual: Deploying Seafile with MySQL, then Config Seahub with Nginx.
When finished, the Seafile web service should be reachable at http://Seafile-server-IP-address .
Kolab server deployment
Setup FQDN
Assuming the FQDN to set is mail.example.com, run the following as root. Do this before installing Kolab: the hostname must already be the FQDN when setup-kolab runs.
sudo su
echo 'mail.example.com' > /etc/hostname
sed -i 's|^127.0.1.1.*|127.0.1.1\tmail.example.com\tmail|g' /etc/hosts
Install Kolab
apt update && apt upgrade -y
# add the Kolab package source (plain http: authenticity rests on the package signatures checked with the key imported below)
echo '
deb http://obs.kolabsys.com/repositories/Kolab:/16/Ubuntu_16.04/ ./
deb-src http://obs.kolabsys.com/repositories/Kolab:/16/Ubuntu_16.04/ ./
' > /etc/apt/sources.list.d/kolab.list
# import the GPG key used to sign the packages (fetched over https); compare the output of
# `apt-key fingerprint` with the fingerprint Kolab publishes before installing anything
wget -q -O- https://ssl.kolabsys.com/community.asc | apt-key add -
# make sure the apt preferences pin the obs.kolabsys.com origin as a preferred source
echo '
Package: *
Pin: origin obs.kolabsys.com
Pin-Priority: 501
' > /etc/apt/preferences.d/kolab
# Install kolab to the system
apt update && apt install kolab
Setup Kolab
setup-kolab
setup-kolab asks for the administrative passwords in several prompts; choose strong, unique values and record them.
After setup completes, the Kolab web services should be reachable at http://kolab-server-IP-address/kolab-webadmin and http://kolab-server-IP-address/roundcubemail.
Internet access
- Add A records in the DNS admin panel for example.com pointing mail.example.com and seafile.example.com to the VLAN's public IP address.
- Map ports 80 and 443 on the main router to the same ports on the Seafile server (its Nginx also fronts the Kolab web client, see the reverse proxy section).
- Map ports 143, 993, 25 and 587 on the main router to the same ports on the Kolab server.
- In the local DNS server, add records for mail.example.com and seafile.example.com pointing at the servers' VLAN addresses, so that internal clients reach them directly and the Seafile server's reverse proxy reaches Kolab on the VLAN rather than via the public IP.
Enable HTTPS for Seafile
To enable HTTPS for Seafile, follow the Seafile official manual: Enabling Https with Nginx.
Enable TLS for the Kolab web client and ActiveSync
Create /etc/apache2/sites-available/kolab-webmail.conf with the following content. The certificate paths use the example.com placeholder from the rest of this guide; a single PEM file holding the certificate chain followed by the private key may serve as both SSLCertificateFile and SSLCertificateKeyFile, which is why it lives in /etc/ssl/private and must be readable by root only (Apache reads it as root before dropping privileges).
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteRule ^/$ /webmail [L,R=301]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/private/example.com.pem
SSLCertificateKeyFile /etc/ssl/private/example.com.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
RewriteEngine on
# RewriteCond %{SERVER_PORT} !^8443$
RewriteRule ^/$ /mail [L,R=301]
</VirtualHost>
</IfModule>
Make sure mod_ssl and mod_rewrite are enabled (a2enmod ssl rewrite): without mod_ssl the <IfModule mod_ssl.c> block is skipped silently and the site stays plain HTTP, and without mod_rewrite the RewriteEngine directive is an error. Then disable the default site, enable kolab-webmail.conf, test the configuration and reload Apache:
a2dissite 000-default.conf
a2ensite kolab-webmail.conf
apache2ctl configtest && apache2ctl graceful
Reverse proxy for the Kolab web service
Use Nginx on the Seafile server as a proxy server for the Kolab web service.
In the Seafile server terminal, run the following command:
sudo su
touch /etc/nginx/sites-available/kolab.conf
ln -s /etc/nginx/sites-available/kolab.conf /etc/nginx/sites-enabled/kolab.conf
Assuming the following properties:
- Kolab server FQDN: mail.example.com
- Kolab server IP address: 192.168.1.21
- path to the certificate file: /etc/ssl/certs/example.com.pem
- path to the private key file: /etc/ssl/private/example.com.key
- path to the ssl_dhparam file: /etc/nginx/dhparam.pem (created when enabling HTTPS for Seafile)
Write the following configuration to kolab.conf:
server {
    listen 80;
    server_name mail.example.com;
    # do not emit the nginx version on error pages and in the "Server" response header field
    server_tokens off;
    return 301 https://$host$request_uri; # force redirect http to https
}
server {
    listen 443 ssl;
    server_name mail.example.com;
    ssl_certificate /etc/ssl/certs/example.com.pem; # server certificate followed by the intermediate chain
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/dhparam.pem;
    # TLS settings after https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    # TLS 1.0 and 1.1 are deprecated; offer only TLS 1.2 (the newest nginx on Ubuntu 16.04 supports).
    # Re-add TLSv1.1 TLSv1 only if ActiveSync clients that cannot speak TLS 1.2 must be served.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS';
    ssl_prefer_server_ciphers on;
    # HSTS: includeSubDomains commits every *.example.com host (seafile.example.com included) to HTTPS;
    # drop it if any subdomain is still served over plain HTTP
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    server_tokens off;
    location / {
        # proxy to Kolab's VLAN address; if this host resolved mail.example.com through public DNS
        # it would get the router's address and loop the request back out
        proxy_pass https://192.168.1.21;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto https;
        access_log /var/log/nginx/kolab.access.log;
        error_log /var/log/nginx/kolab.error.log;
        proxy_read_timeout 1200s;
    }
}
Test the configuration and reload Nginx; the Kolab web client is now published over HTTPS through the proxy. Nginx does not verify the backend certificate by default, which is acceptable on the private VLAN; if the link to Kolab is not trusted, enable proxy_ssl_verify with proxy_ssl_trusted_certificate pointing at the Kolab certificate.
nginx -t && nginx -s reload
Enable TLS for the Kolab IMAP and SMTP services
Prepare a PEM bundle containing, in this order, the server certificate, the intermediate CA certificate, the root CA certificate and the private key. The order matters: the daemons send the chain as it appears in the file, and clients expect the server certificate first, each following certificate being the issuer of the one before it. The file contains the private key, so keep it owned by root:ssl-cert with mode 640 and add the accounts cyrus-imapd and guam run under to the ssl-cert group (check the service accounts with ps); Postfix reads it as root before dropping privileges and needs nothing extra.
cat /path/to/the/cert/example.com.crt \
/path/to/the/intermediate/ca/cert/example.com.pem \
/path/to/the/ca/cert/example.com.pem \
/path/to/the/private/key/example.com.key \
> /etc/ssl/private/cyrus-imapd.pem
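The bundle above is easy to get subtly wrong: a key that belongs to a different certificate, a chain in the wrong order, or a file that ends up world-readable, and cyrus-imapd or postfix will only tell you at the next restart. The following script, added here as an example and not part of this guide's original steps nor of Kolab's or Cyrus's tooling, builds the bundle only after checking that the key matches the server certificate and that the chain closes against the root, writes it under a restrictive umask, and exposes the first certificate in the result so you can confirm the server certificate comes first. It needs only the openssl command line. The make_test_pki helper generates a constructed, throwaway root/intermediate/leaf PKI for offline testing; its file names and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Build and sanity-check the single PEM bundle that cyrus-imapd, guam and postfix read.
# Added example for this guide (not Kolab/Cyrus tooling); requires the openssl CLI.

# make_tls_bundle OUT LEAF_CERT INTERMEDIATE_CERT ROOT_CERT PRIVATE_KEY
# Writes OUT in the order TLS servers present the chain: leaf, intermediate, root, then the key.
# Returns 1 if the key does not belong to the leaf, 2 if the chain does not verify, 0 on success.
make_tls_bundle() {
    out=$1 leaf=$2 inter=$3 root=$4 key=$5

    # 1. The private key must match the leaf certificate: compare the public keys derived from each.
    if [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "make_tls_bundle: $key does not match $leaf" >&2
        return 1
    fi

    # 2. The chain must close: leaf signed by the intermediate, intermediate signed by the root.
    #    Match on the ": OK" line rather than the exit status, which old openssl versions did not set.
    if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo "make_tls_bundle: chain $leaf -> $inter -> $root does not verify" >&2
        return 2
    fi

    # 3. Write the bundle so the key is never world-readable, not even between cat and chmod.
    ( umask 077 && cat "$leaf" "$inter" "$root" "$key" > "$out" ) || return 3
    chmod 640 "$out"
    return 0
}

# bundle_first_subject FILE: subject of the first certificate in a bundle,
# i.e. what a server configured with this file will present as its own certificate.
bundle_first_subject() {
    sed -n '1,/END CERTIFICATE/p' "$1" | openssl x509 -noout -subject
}

# make_test_pki DIR: constructed throwaway PKI (root -> intermediate -> mail.example.com)
# plus an unrelated root, for offline testing only. Never use these files on a real server.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Unrelated Root' \
        -keyout "$dir/other-root.key" -out "$dir/other-root.pem" 2>/dev/null
    # an intermediate must carry CA:TRUE or openssl verify will refuse to chain through it
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
        -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# Stand-alone demo (sh make_bundle.sh demo): build a bundle from the constructed PKI,
# then show a wrong key and an unrelated root being refused.
if [ "${1-}" = demo ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    make_tls_bundle "$d/cyrus-imapd.pem" "$d/leaf.pem" "$d/int.pem" "$d/root.pem" "$d/leaf.key" \
        && echo "bundle ok, server will present: $(bundle_first_subject "$d/cyrus-imapd.pem")"
    make_tls_bundle "$d/bad-key.pem" "$d/leaf.pem" "$d/int.pem" "$d/root.pem" "$d/int.key" \
        || echo "wrong key refused with status $?"
    make_tls_bundle "$d/bad-root.pem" "$d/leaf.pem" "$d/int.pem" "$d/other-root.pem" "$d/leaf.key" \
        || echo "unrelated root refused with status $?"
    rm -rf "$d"
fi
```

On the Kolab host, call make_tls_bundle with the real certificate, intermediate, root and key files and /etc/ssl/private/cyrus-imapd.pem as the output, then chown root:ssl-cert the result and add the cyrus-imapd and guam service accounts to the ssl-cert group (/etc/ssl/private is root:ssl-cert mode 710 on Ubuntu, so accounts outside that group cannot open anything in it).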
Enable SSL/TLS for cyrus-imapd and postfix:
sed -r -i \
-e 's|^tls_server_cert.*|tls_server_cert: /etc/ssl/private/cyrus-imapd.pem|g' \
-e 's|^tls_server_key.*|tls_server_key: /etc/ssl/private/cyrus-imapd.pem|g' \
-e 's|^tls_server_ca_file.*|tls_server_ca_file: /etc/ssl/private/cyrus-imapd.pem|g' \
/etc/imapd.conf
sed -i \
's|{\scertfile,.*\s}|{ certfile, "/etc/ssl/private/cyrus-imapd.pem" }|g' \
/etc/guam/sys.config
postconf -e smtpd_tls_key_file=/etc/ssl/private/cyrus-imapd.pem
postconf -e smtpd_tls_cert_file=/etc/ssl/private/cyrus-imapd.pem
postconf -e smtpd_tls_CAfile=/etc/ssl/private/cyrus-imapd.pem
# opportunistic TLS (security level "may"): keep TLS 1.0/1.1 allowed, because a peer that is
# refused TLS falls back to cleartext, which is worse than an old protocol version
postconf -e smtp_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
# mandatory TLS (wherever the security level is "encrypt", such as submission): TLS 1.2 only
postconf -e smtp_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'
postconf -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_eecdh_grade=ultra
postconf -e tls_preempt_cipherlist=yes
# single-quoted: the '!' entries would otherwise trigger history expansion in an interactive bash
postconf -e tls_high_cipherlist='EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
After configuring, restart cyrus-imapd, guam (it serves the certificate on the IMAP ports) and postfix:
systemctl restart cyrus-imapd guam postfix
Verify from another machine with openssl s_client (-connect mail.example.com:993, and -starttls smtp -connect mail.example.com:587): the server must present the full chain with the server certificate first, and the negotiated protocol must be TLSv1.2.
All done.