Installing SOGo on Debian as a Groupware Solution

What is SOGo?

SOGo (Scalable OpenGroupware), which builds on the OpenGroupware project, offers, as free software, shared task, calendar and contact management, ideal for coordinating work teams, managing one's own time individually, or managing calendars by delegation, for example between an executive and their assistant. Naturally, the ability to share data comes with full permission management, to control who has access to the information and who, besides accessing it, can modify it. One of SOGo's strong points, besides being free software, is its ability to connect to mobile devices, with which tasks, notes, contacts or the calendar can be synchronized.

SOGo requires a MariaDB/MySQL database, since it needs to store user data, sessions, contacts, calendars, and even users, although it also supports authentication against LDAP/AD DC, whether on Windows or Samba4. We will see this later.

Installing

cd /opt
apt install -y apt-transport-https mc net-tools dnsutils

Configuring the SOGo repository

nano /etc/apt/sources.list

deb http://packages.inverse.ca/SOGo/nightly/5/debian buster buster

Add the repository key to our system:

apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4
apt update

Installing

apt install -y sogo sogo-activesync nginx mariadb-server memcached sope4.9-gdl1-mysql libsope-ldap4.9

And that's it!

Configuring MariaDB

Configuration file:
MariaDB – /etc/mysql/my.cnf

Depending on the system or the MariaDB version, either /etc/mysql/my.cnf or /etc/mysql/mariadb.conf.d/50-server.cnf may exist. We only need to modify/adjust the following variables according to our needs:

nano /etc/mysql/my.cnf

[client]
default-character-set = utf8

[mysqld]
collation-server = utf8_general_ci
innodb_file_per_table = TRUE
innodb_file_format = barracuda
innodb_large_prefix = TRUE
character_set_server = utf8

max_connections = 150
max_user_connections = 150

general_log_file = /var/log/mysql/mysql.log
general_log = 1

[mysql]
default-character-set = utf8

All that remains is to save the changes. Now we must run the security script for the MariaDB configuration:

mysql_secure_installation

Answer the questions as accurately as possible.

The init script [systemctl is normally used, but I feel more comfortable with init.d]:

wget -c https://raw.githubusercontent.com/MariaDB/server/10.4/support-files/mysql.server.sh -P /etc/init.d
mv /etc/init.d/mysql.server.sh /etc/init.d/mariadb
cd /etc/init.d/ ; update-rc.d mariadb defaults
cd /opt

If you use MariaDB, to deal with the default MariaDB password issue:

mysql -u root -p
ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("Admin*123");

And do not exit the MariaDB command interpreter.

Creating the database for SOGo: run each of the following lines. What we will do is create a user and the SOGo database:

CREATE DATABASE sogo DEFAULT CHARACTER SET = utf8;
USE sogo;
CREATE USER 'sogo'@'localhost' IDENTIFIED BY 'sogo*123';
GRANT USAGE ON *.* TO 'sogo'@'localhost' IDENTIFIED BY 'sogo*123';
CREATE TABLE sogo_users (c_uid VARCHAR(10) PRIMARY KEY, c_name VARCHAR(10), c_password VARCHAR(32), c_cn VARCHAR(128), mail VARCHAR(128));
GRANT ALL PRIVILEGES ON sogo.* TO 'sogo'@'localhost';
FLUSH PRIVILEGES;
quit;

One negative thing I found is that it has no interface for creating users when you use it with MariaDB/MySQL [at least I did not find one in the official documentation]. You must create them directly in the database console:

INSERT INTO sogo_users VALUES ('usuario', 'usuario', MD5('usuario*987'), 'Usuario De Correo', '[email protected]');
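
Added example, not part of the original post or of SOGo's code: the INSERT above stores an unsalted MD5 hex digest, while the sogo.conf further down lists ssha512 among the userPasswordAlgorithm values and sets prependPasswordScheme = YES. The sketch below builds and verifies such a value, assuming the usual `{SSHA512}` + base64(SHA-512(password + salt) + salt) layout and an 8-byte salt; the function names are illustrative.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def unsalted_md5(password: str) -> str:
    """What SQL MD5('...') stores: 32 hex characters, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_ssha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA512}' + base64(sha512(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # assumed salt length for this example
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha512(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    if not stored.upper().startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:
        return False
    if len(raw) <= DIGEST_LEN:  # no salt appended: not an SSHA512 value
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def fits_column(value: str, width: int = 32) -> bool:
    """c_password is VARCHAR(32) in the CREATE TABLE above."""
    return len(value) <= width


if __name__ == "__main__":
    pw = "usuario*987"  # the sample password from the INSERT above
    md5_hex = unsalted_md5(pw)
    print(md5_hex, fits_column(md5_hex))
    stored = make_ssha512(pw)
    print(stored, len(stored), fits_column(stored))
    print(verify_ssha512(stored, pw), verify_ssha512(stored, "wrong"))
```

The salted value does not fit the VARCHAR(32) c_password column created above, so that column has to be widened before storing anything other than an MD5 hex digest.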

Having exited MariaDB, we import the database from [2], which I downloaded and named sogodb.sql:

wget -c https://raw.githubusercontent.com/inverse-inc/sogo/master/Scripts/mysql-utf8.sql -O sogodb.sql

mysql -u sogo -p sogo < sogodb.sql

/etc/init.d/mariadb restart

Nginx configuration

Creating the SSL certificates:

mkdir /etc/nginx/certs
openssl ecparam -name secp384r1 -out /etc/nginx/certs/ecparam.pem
openssl ecparam -in /etc/nginx/certs/ecparam.pem -genkey -noout -out /etc/nginx/certs/server.key
openssl req -new -key /etc/nginx/certs/server.key -out /etc/nginx/certs/server.csr -sha256
openssl req -x509 -days 3650 -key /etc/nginx/certs/server.key -in /etc/nginx/certs/server.csr -out /etc/nginx/certs/server.pem
openssl dhparam -out /etc/nginx/certs/dhparam.pem 4096

And now we will create the virtual host configuration file:

server {
    listen 80;
    server_name correo.inutil.cu mail.inutil.cu;
    return 301 https://correo.inutil.cu$request_uri;
}
server {
    listen 443 http2 ssl;
    server_name correo.inutil.cu;

    add_header X-Frame-Options sameorigin;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection '1; mode=block';
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'";
    add_header Referrer-Policy strict-origin;
    add_header Strict-Transport-Security "max-age=31536000";

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve secp384r1;
    ssl_certificate /etc/nginx/certs/server.pem;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_session_cache shared:SSL:10m;

    root /usr/lib/GNUstep/SOGo/WebServerResources;

    rewrite ^/$ https://correo.inutil.cu/SOGo;
    access_log /var/log/nginx/sogo-access.log;
    error_log /var/log/nginx/sogo-error.log;

    # Deny all attempts to access hidden files such as .htaccess.
    location ~ /\. { deny all; }

    # Handling noisy messages
    log_not_found off;
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    client_max_body_size 40M;
    client_body_buffer_size 512k;
    client_header_timeout 360;
    client_body_timeout 360;
    send_timeout 360;
    autoindex off;

    # For Mac OS X and iOS devices.
    rewrite ^/.well-known/caldav /SOGo/dav permanent;
    rewrite ^/.well-known/carddav /SOGo/dav permanent;
    rewrite ^/principals /SOGo/dav permanent;

    location ^~ /SOGo {
        proxy_pass http://127.0.0.1:20000/SOGo;
        proxy_redirect http://127.0.0.1:20000/SOGo /;

        # forward user's IP address
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host correo.inutil.cu;

        # always use https
        proxy_set_header x-webobjects-server-protocol HTTP/1.0;
        proxy_set_header x-webobjects-remote-host correo.inutil.cu;
        proxy_set_header x-webobjects-server-name correo.inutil.cu;
        proxy_set_header x-webobjects-server-url https://correo.inutil.cu;

        proxy_connect_timeout 360;
        proxy_send_timeout 360;
        proxy_read_timeout 360;
        proxy_buffer_size 4k;
        proxy_buffers 16 64k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }

    location /.woa/WebServerResources/ {
        alias /usr/lib/GNUstep/SOGo/WebServerResources/;
        expires max;
    }

    location /SOGo.woa/WebServerResources/ {
        alias /usr/lib/GNUstep/SOGo/WebServerResources/;
        expires max;
    }

    location /SOGo/WebServerResources/ {
        alias /usr/lib/GNUstep/SOGo/WebServerResources/;
        expires max;
    }

    location ^/SOGo/so/ControlPanel/Products/([^/]*)/Resources/(.*)$ {
        alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
        expires max;
    }

    location ^~ /Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;

        proxy_connect_timeout 3540;
        proxy_send_timeout 3540;
        proxy_read_timeout 3540;
    }

    location ^~ /SOGo/Microsoft-Server-ActiveSync {
        proxy_pass http://127.0.0.1:20000/SOGo/Microsoft-Server-ActiveSync;

        proxy_connect_timeout 3540;
        proxy_send_timeout 3540;
        proxy_read_timeout 3540;
    }
}

And we restart Nginx:

/etc/init.d/nginx restart

SOGo configuration

nano /etc/sogo/sogo.conf
{
    // Daemon address and port
    WOPort = 127.0.0.1:20000;

    // PID file
    //WOPidFile = /var/run/sogo/sogo.pid;

    // Log file
    WOLogFile = /var/log/sogo/sogo.log;

    // Enable verbose logging. Reference:
    // http://www.sogo.nu/nc/support/faq/article/how-to-enable-more-verbose-logging-in-sogo.html
    SOGoDebugRequests = YES;
    SOGoEASDebugEnabled = YES;
    ImapDebugEnabled = YES;
    LDAPDebugEnabled = YES;
    //MySQL4DebugEnabled = YES;
    PGDebugEnabled = YES;

    /* Web Interface */
    SOGoPageTitle = "Correo INUTIL.cu";
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveScriptsEnabled = YES;
    SOGoMailAuxiliaryUserAccountsEnabled = YES;
    SOGoTrustProxyAuthentication = NO;
    SOGoXSRFValidationEnabled = YES;

    // set the maximum allowed size for content being sent to SOGo, this can
    // also limit the file attachment size being uploaded to SOGo when
    // composing a mail.
    // The value is in kilobyte. Default is 0 or disabled (unlimit).
    WOMaxUploadSize = 15360;

    // Parameter used to set the maximum allowed email message size when
    // composing a mail.
    // The value is in kilobytes. By default, the value is 0, or disabled so
    // no limit will be set.
    SOGoMaximumMessageSizeLimit = 15360;

    // Performance Tuning
    //
    // The amount of instances of SOGo that will be spawned to handle multiple
    // requests simultaneously.
    // WARNING:
    //      - on RHEL/CentOS, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/sysconfig/sogo.
    //      - on Debian/Ubuntu, this setting is controlled by parameter
    //        'PREFORK=' defined in /etc/default/sogo.
    WOWorkersCount = 10;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Ping command.
    // If not set, it defaults to 10 seconds.
    SOGoMaximumPingInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before replying to a Sync command.
    // If not set, it defaults to 30 seconds.
    SOGoMaximumSyncInterval = 3540;

    // Parameter used to set the maximum amount of time, in seconds, SOGo will
    // wait before doing an internal check for data changes (add, delete, and
    // update). This parameter must be lower than SOGoMaximumSyncInterval and
    // SOGoMaximumPingInterval.
    // If not set, it defaults to 10 seconds.
    SOGoInternalSyncInterval = 30;

    // Specifies the number of minutes after which a busy child process will be
    // killed by the parent process.
    // Defaults to 10 (minutes).
    WOWatchDogRequestTimeout = 61;

    // Overwrite the maximum number of items returned during a Sync operation.
    // Defaults to 0, which means no overwrite is performed.
    // Setting this parameter to a value greater than 512 will have unexpected
    // behaviour with various ActiveSync clients.
    //SOGoMaximumSyncWindowSize = 100;

    // Overwrite the maximum response size during a Sync operation.
    // The value is in kilobytes. Setting this to 512 means the response size
    // will be of 524288 bytes or less (or a bit greater if needed for syncing
    // one item). Note that if you set the value too low and a mail message
    // (or any other object like calendar events, tasks and contacts) surpasses
    // it, it will still be synced but only this item will be.
    // Defaults to 0, which means no overwrite is performed.
    //
    // Say you have these five mails and you set the limit to 512KB:
    //  1.  250 KB
    //  2.  250 KB
    //  3.   25 KB
    //  4.  750 KB
    //  5.   10 KB
    // Sync iteration no. 1 will pick message 1, 2 and 3.
    // Sync iteration no. 2 will pick message 4.
    // Sync iteration no. 3 will pick message 5.
    SOGoMaximumSyncResponseSize = 2048;

    // The maximum amount of memory (in megabytes) that a child can use.
    // Reaching that value will force children processes to restart, in order
    // to preserve system memory.
    //
    // Error message when it reaches the value:
    // "terminating app, vMem size limit (xxx MB) has been reached (currently xxx MB)"
    //
    // Defaults to 384.
    SxVMemLimit = 500;

    // Enable XSRF (also known as CSRF) protection.
    SOGoXSRFValidationEnabled = YES;

    // IMAP connection pool.
    // Your performance will slightly increase, as you won't open a new
    // connection for every access to your IMAP server.
    // But you will get a lot of simultaneous open connections to your IMAP
    // server, so make sure it can handle them.
    // For debugging it is reasonable to turn pooling off.
    NGImap4DisableIMAP4Pooling = NO;

    MySQL4Encoding = "utf8";

    SOGoProfileURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_user_profile";
    OCSFolderInfoURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_folder_info";
    OCSSessionsFolderURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_sessions_folder";
    OCSEMailAlarmsFolderURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_alarms_folder";

    // With 3 parameters below, SOGo requires only 9 SQL tables in total
    // instead of creating 4 SQL tables for each user.
    OCSCacheFolderURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_cache_folder";
    OCSStoreURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_store";
    OCSAclURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_acl";

    // Default language in the web interface
    SOGoLanguage = English;
    //SOGoLanguage = Spanish;

    // Specify which module to show after login: Calendar, Mail, Contacts.
    SOGoLoginModule = Mail;

    // Must login with full email address
    SOGoForceExternalLoginWithEmail = YES;

    // Allow user to change full name and email address.
    SOGoMailCustomFromEnabled = NO;

    // IMAP server
    // Local connection is considered as secure by Dovecot, so 'imap://' is fine.
    // With remote IMAP server, use 'imaps://127.0.0.1:143/?tls=YES' instead;

    SOGoIMAPServer = "imap://127.0.0.1:143/";

    // Allow user to add other IMAP accounts that will be visible from the SOGo
    // Webmail interface.
    // Default is NO.
    //SOGoMailAuxiliaryUserAccountsEnabled = YES;

    // SMTP server
    SOGoSMTPServer = 127.0.0.1:25;
    SOGoMailDomain = inutil.cu;
    SOGoMailingMechanism = smtp;
    SOGoForceExternalLoginWithEmail = YES;
    SOGoMailSpoolPath = /var/spool/sogo;
    NGImap4ConnectionStringSeparator = "/";
    SOGoMailCustomFromEnabled = YES;

    SOGoDraftsFolderName = Drafts;
    SOGoSentFolderName = Sent;
    SOGoTrashFolderName = Trash;
    SOGoJunkFolderName = Junk;

    // Notifications
    SOGoAppointmentSendEMailNotifications = YES;
    SOGoACLsSendEMailNotifications = NO;



    // Enable managesieve service
    //
    // WARNING: Sieve scripts generated by SOGo are not compatible with Roundcube
    //          webmail, don't use sieve service in both webmails, otherwise
    //          it will be messy.
    //          FYI: https://docs.iredmail.org/why.no.sieve.support.in.sogo.html
    //
    //SOGoSieveServer = "sieve://127.0.0.1:4190/?tls=YES";
    //SOGoSieveScriptsEnabled = YES;
    //SOGoVacationEnabled = YES;
    //SOGoForwardEnabled = YES;
    SOGoSieveFolderEncoding = UTF-8;

    // Memcached
    SOGoMemcachedHost = 127.0.0.1;
    //SOGoMemcachedHost = "/var/run/memcached.sock";

    // Parameter used to set which usernames require administrative privileges
    // over all the users tables. For example, this could be used to post
    // events in the users calendar without requiring the user to configure
    // his/her ACLs. In this case you will need to specify those superuser's
    // usernames like this :
    // SOGoSuperUsernames = ([,, ...]);
    //SOGoSuperUsernames = ();

    //SOGoTimeZone = "America/New_York";
    SOGoTimeZone = "America/Havana";

    SOGoFirstDayOfWeek = 1;

    SOGoRefreshViewCheck = every_5_minutes;
    SOGoMailReplyPlacement = below;

    // Disable gravatar
    SOGoExternalAvatarsEnabled = NO;
    SOGoGravatarEnabled = NO;

    // Control WebDAV access to the Calendar / Contacts collections.
    // This can be used to deny access to these resources from Thunderbird
    // Lightning for example.
    // Defaults to YES when unset.
    //SOGoCalendarDAVAccessEnabled = NO;
    //SOGoAddressBookDAVAccessEnabled = NO;

    // Allow users to share publicly (i.e., not requiring authentication) their
    // calendars and address books.
    // Defaults to NO when unset.
    //SOGoEnablePublicAccess = YES;

    //
    // Notifications
    //
    // Enable email-based alarms on events and tasks.
    SOGoEnableEMailAlarms = YES;

    // Notify meeting participants
    SOGoAppointmentSendEMailNotifications = YES;

    // Notify if a calendar or an address book has been created.
    SOGoFoldersSendEMailNotifications = NO;

    // Notify involved users of a calendar or address book's ACLs.
    SOGoACLsSendEMailNotifications = YES;

    // Notify when a modification is being done to his/her own calendar by someone else.
    SOGoNotifyOnExternalModifications = YES;

    // Password
    SOGoPasswordChangeEnabled = YES;

    // Authentication using SQL
    /* SQL backend
    SOGoUserSources = (
        {
            type = sql;
            id = users;
            viewURL = "mysql://sogo:sogo*[email protected]:3306/sogo/sogo_users";
            canAuthenticate = YES;

            // The algorithm used for password encryption when changing
            // passwords without Password Policies enabled.
            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            //userPasswordAlgorithm = ssha512;
            userPasswordAlgorithm = md5-crypt;
            prependPasswordScheme = YES;

            // Use `vmail.mailbox` as per-domain address book.
            //isAddressBook = YES;
            //displayName = "Domain Address Book";
            //SOGoEnableDomainBasedUID = YES;
            //DomainFieldName = "domain";

            // Listing of this LDAP source is only possible when performing a
            // search (respecting the SOGoSearchMinimumWordLength parameter)
            // or when explicitly typing a single dot.
            // Defaults to YES when unset.
            //
            // WARNING: if you have many accounts in this address book, it may
            //          reach server-side query size limit, or cause
            //          performance issue.
            listRequiresDot = NO;
        },

        //{
        //    displayName = "Global Address Book";
        //    type = sql;
        //    id = global_address_book;
        //    viewURL = "mysql://sogo:[email protected]:3306/sogo/users";
        //    canAuthenticate = NO;
        //    isAddressBook = YES;
        //    listRequiresDot = NO;
        //    SOGoEnableDomainBasedUID = YES;
        //    DomainFieldName = "domain";
        //},

        // Display mailing aliases in address book.
        // You need to create SQL view 'sogo.aliases' first.
        //
        // For MySQL:
        //
        //  CREATE VIEW sogo.aliases (c_uid, c_name, c_password, c_cn, mail, domain)
        //          AS SELECT address, name, '', name, address, domain
        //          FROM vmail.alias WHERE active=1;
        //
        //{
        //    displayName = "Mailing Lists";
        //    type = sql;
        //    id = aliases;
        //    viewURL = "mysql://sogo:[email protected]:3306/sogo/aliases";
        //    canAuthenticate = NO;
        //    isAddressBook = YES;
        //    listRequiresDot = NO;
        //    SOGoEnableDomainBasedUID = YES;
        //    DomainFieldName = "domain";
        //},
    );
    SQL backend */

    // Authentication using LDAP
    SOGoUserSources = (
        {
            // Used for user authentication
            type = ldap;
            id = users;
            canAuthenticate = YES;
            isAddressBook = YES;
            displayName = "Local Address Book";

            hostname = "ldap://addc.inutil.cu:389";
            baseDN = "ou=inutil,dc=inutil,dc=cu";
            bindDN = "cn=postfix,ou=servicios,ou=inutil,dc=inutil,dc=cu";
            bindPassword = "postfix*2020";
            scope = SUB;
            //filter = "objectClass=user AND accountStatus=active";

            bindAsCurrentUser = YES;
            canAuthenticate = YES;

            // Possible values are: plain, crypt, md5-crypt, ssha, ssha512.
            //userPasswordAlgorithm = ssha512;

            CNFieldName = cn;
            IDFieldName = userPrincipalName;
            // value of UIDFieldName must be unique on entire server
            UIDFieldName = userPrincipalName;
            IMAPLoginFieldName = userPrincipalName;
            MailFieldNames = (userPrincipalName);
            bindFields = (sAMAccountName,userPrincipalName);
        }
    );
}

And we restart SOGo:

/etc/init.d/sogo restart
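
Added example, not part of the original post or of SOGo: the sogo.conf above assigns some keys twice with different values (SOGoMailCustomFromEnabled, SOGoACLsSendEMailNotifications), leaves several debug switches at YES, and binds to an ldap:// host with a bindPassword. The sketch below flags those three patterns in a sogo.conf-style text; the finding names are invented for this example, the embedded excerpt is constructed from the page's keys with a placeholder password, and treating a missing `encryption` key as an unencrypted bind is an assumption.

```python
import re

ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*?)\s*;$")

# Constructed excerpt reusing keys from the sogo.conf above (placeholder password).
SAMPLE = '''
{
    SOGoDebugRequests = YES;
    ImapDebugEnabled = YES;
    SOGoMailCustomFromEnabled = NO;
    SOGoIMAPServer = "imap://127.0.0.1:143/";  // local connection
    SOGoMailCustomFromEnabled = YES;
    SOGoUserSources = (
        {
            hostname = "ldap://addc.inutil.cu:389";
            bindPassword = "PLACEHOLDER";
        }
    );
}
'''

def strip_line_comment(line):
    """Cut a trailing // comment, ignoring // inside double-quoted values."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line[i:i + 2] == "//":
            return line[:i]
    return line

def audit(text):
    """Return (finding, key, detail) tuples for one sogo.conf-style text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ blocks
    findings, scopes = [], []  # scopes: one {key: value} dict per open '{'
    for raw in text.splitlines():
        line = strip_line_comment(raw).strip()
        if line.startswith("{"):
            scopes.append({})
        elif line.startswith("}"):
            scope = scopes.pop() if scopes else {}
            host = scope.get("hostname", "").strip('"')
            # Assumption: no 'encryption' key means no SSL/STARTTLS on the bind.
            plain = host.startswith("ldap://") and "encryption" not in scope
            if plain and "bindPassword" in scope:
                findings.append(("unencrypted-ldap-bind", "hostname", host))
        else:
            m = ASSIGN.match(line)
            if not m or not scopes:
                continue
            key, value = m.groups()
            scope = scopes[-1]
            if key in scope and scope[key] != value:
                findings.append(("conflicting-duplicate", key,
                                 f"{scope[key]} -> {value}"))
            scope[key] = value
            if "Debug" in key and value == "YES":
                findings.append(("debug-enabled", key, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Keys repeated with the same value are not reported, and duplicates are only compared inside the same `{ ... }` block, so two user sources that each set `type` do not collide.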

Attached are the configurations so they can serve you as lemonade, I mean, as a base.

Initial screen:

Now all that is left is to log in and start working!

I hope you find it useful. Until next time.

References:
[1] https://sogo.nu/files/docs/SOGoInstallationGuide.html
[2] https://github.com/inverse-inc/sogo/blob/master/Scripts/mysql-utf8.sql
[3] https://wiki.debian.org/SOGo
[4] https://wiki.archlinux.org/index.php/SOGo
[5] http://wiki.sogo.nu/InstallationConfigurationCentos


2 comments

  1. Do you have a way to migrate from an Exchange server to SOGO???
