Install and configure openchange for CentOS 6.5

    In RuNet, and indeed on the Internet, little is said about such an interesting product as openchange.
    In theory, openchange and its associated components should completely replace MS Exchange Server, but in practice this does not work out completely.
    Those who are interested in asking in the post itself. There you will learn about installing on CentOS 6.5.

    I must say right away that the product is raw enough and is not suitable for a large organization.

    Initial data:
    1) A large domain with subdomains and various trusted relationships with other domains.
    2) In connection with the division of a large company into separate legal entities, the need for their own mail appeared.
    3) Users are accustomed to the goodies in the form of shared calendars, address books, and more.
    Solution: postfix + dovecot and try to all this openchange on the test domain.


    Installation was done on the CentOS distribution, iptables and selinux were disabled.
    Initially, postfix and dovecot with authorization in AD were installed and configured.
    There are a lot of installation guides on the Internet, so I won’t give the settings in detail, but I’ll say right away that I used only standard repositories.
    As internal transport lmtp is used.
    To synchronize messages received through MAPI and IAMP, the following lines are added to the LDAP config:
    passdb {
    driver = static
    args = nopassword = y allow_nets = / 32

    This is necessary to authorize openchange in dovecot.
    Now we proceed directly to the installation of openchange.
    We connect the necessary repository.
    name = Inverse SOGo Repository
    baseurl = http: //$basearch
    gpgcheck = 0
    enable = 1

    We start the installation.
    yum install samba4 openchange sogo-openchange-backend openchange-ocsmanager openchange-rpcproxy sogo

    I love mysql more than postgresql, so sogo will work under mysql.
    Additionally, put mysql and connector for sogo
    yum install mysql-server sope49-gdl1-mysql

    Samba setup

    We connect our samba4 in windows AD
    samba-tool domain join testmail.local DC -UAdministrator --realm = testmail.local

    The connection is automatic, you only need to enter the password for the Administrator account.
    Add the following lines to /etc/samba4/smb.conf
    # Begin OpenChange Server Configuration
    dcerpc endpoint servers = + epmapper, + mapiproxy, + dnsserver
    dcerpc_mapiproxy: server = true
    dcerpc_mapiproxy: interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
    # End OpenChange Server configuration

    After that we launch samba
    samba -d 3 -i -M = single

    Just in case, I
    ’ll explain what this command means -d is debug mode. The number 3 means the debug level
    -i this is interactive, that is, all the output to the console
    -M = single is the actual operation mode without forks.
    For a reason I don’t understand, samba4 does not open the necessary sockets if you try to run it through the samba command, and through the init script it generally refuses to run with this configuration in smb.conf
    Therefore, you have to run it with the command above, but it goes perfectly to the background via nohup .

    After starting, we check the replication.
    samba-tool drs kcc -Uadministrator dcmail.testmail.local
    samba-tool drs showrepl

    For its work, openchange rules the AD schema, but only does it when it is the owner of the schema.
    We transfer the rights to the circuit to our Linux controller.
    samba-tool fsmo seize --role = schema

    Run the setup of openchange
    openchange_provision --openchangedb

    After that we restart samba

    We pass to setup ocsmanager

    vim /etc/ocsmanager/ocsmanager.ini Change the
    settings for connecting to LDAP
    # Possible authentication system
    auth = ldap
    mapistore_root = / var / lib / samba4 / private
    mapistore_data = / var / lib / samba4 / private / mapistore
    debug = no

    [auth: ldap]
    #host = ldap: // localhost
    host = mail.testmail.local
    port = 3268
    bind_dn = CN = user, CN = users, DC = testmail, DC = local
    bind_pw = password
    basedn = CN = Users, dc = testmail, dc = local

    [rpcproxy: ldap]
    host = mail. testmail.local
    port = 389
    basedn = CN = Users, dc = testmail, dc = local

    Also indicate where samba is located

    In the LDAP and SAMBA_HOST settings, you can specify the domain controller for windows, this does not affect the correct operation.
    Launch ocsmanager
    service openchange-ocsmanager start

    Sogo setup

    Create a database and user.
    CREATE USER 'sogo' @ 'localhost' IDENTIFIED BY 'sogo';
    GRANT ALL PRIVILEGES ON `sogo`. * TO 'sogo' @ 'localhost' WITH GRANT OPTION;

    Edit the config /etc/sogo/sogo.conf

    Specify where the base is located
    SOGoProfileURL = "mysql: // sogo: sogo @ localhost: 3306 / sogo";
    OCSFolderInfoURL = "mysql: // sogo: sogo @ localhost: 3306 / sogo / sogo_folder_info";
    OCSSessionsFolderURL = "mysql: // sogo: sogo @ localhost: 3306 / sogo / sogo_sessions_folder";

    We indicate the location of the directories for letters, as well as the imap and postfix server
    // SOGoDraftsFolderName = Drafts; But with this line samba I fell with errors that were not always reproduced, so unfortunately drafts are moved to the trash.
    SOGoDraftsFolderName = Trash;
    SOGoSentFolderName = Sent;
    SOGoTrashFolderName = Trash;
    SOGoIMAPServer = imaps: // localhost: 993;
    SOGoSMTPServer =;
    SOGoMailDomain = testmail.local;
    SOGoMailingMechanism = smtp;
    SOGoForceExternalLoginWithEmail = NO;
    SOGoMailSpoolPath = / var / spool / sogo;
    NGImap4ConnectionStringSeparator = "/";

    Specify the location of the LDAP server
    SOGoUserSources = (
    type = ldap;
    CNFieldName = cn;
    UIDFieldName = sAMAccountName;
    baseDN = "CN = users, DC = testmail, DC = local";
    bindDN = "CN = user, CN = users, DC = testmail, DC = local ";
    BindFields = (sAMAccountName, mail);
    bindPassword = password;
    canAuthenticate = YES;
    displayName =" Public ";
    hostname =" dcmail.testmail.local "; // This is the windows controller
    port =" 389 ";
    filter =" mail = '*' ”;
    Id = testmail.local;
    isAddressBook = NO;

    The key point is if you specify our samba as the hostname, then when you try to log outlook samba hangs tightly.
    But maybe this is a bug only on my server.

    Specify the language and time zone
    SOGoLanguage = Russian;
    SOGoTimeZone = Europe / Moscow;

    Optionally, you can turn on the web interface in the same place, but I left layout on it in all browsers.
    / * Web Interface * /
    SOGoPageTitle = SOGo;
    SOGoVacationEnabled = YES;
    SOGoForwardEnabled = YES;
    SOGoSieveScriptsEnabled = YES;
    SOGoMailAuxiliaryUserAccountsEnabled = YES;
    SOGoTrustProxyAuthentication = NO;

    Also, if you use the web interface, you must remember to specify which ip address sogo will listen to (default
    WOPort = "";
    We start sogo
    service sogod start

    We pass to setup of a web part
    /etc/httpd/conf.d/rpcproxy.conf We
    specify the SetEnv parameter SAMBA_HOST
    We give the rights to a directory / var / cache / ntlmauthhandler
    chown -R apache: apache / var / cache / ntlmauthhandler

    Using ssl is advisable. Install mod_ssl and generate a certificate.

    When using ssl, you must enable it in the sogo settings
    RequestHeader set “x-webobjects-server-port” “443”
    RequestHeader set “x-webobjects-server-name” “mail.testmail.local”
    RequestHeader set “x-webobjects-server-url” “ mail.testmail.local

    We start apache
    service httpd start

    On this installation can be considered complete.
    For those who need boxes, create them with the
    openchange_newuser command --create user

    You can proceed to the outlook configuration.
    Unfortunately autodiscover at the moment does not work correctly correctly completely and you have to set parameters manually.
    In my case, it looks like this:
    Server: mail.testmail.local
    Username: user
    We go to the "Other settings" menu, the security section and put a check mark in front of "Always ask for login credentials"
    When connecting from outside, specify a proxy server.


    On a domain with subdomains, openchange did not work at all, strange bugs were revealed, somehow the bug with sogo described above. Also, samba periodically fell if the user is in AD, but he does not have a mailbox. At the moment, stopped falling. But the most unpleasant thing is that with some problems samba just crashes with a PANIC message, which makes diagnosis difficult.
    The developers of this product did not promise integration into the already working windows AD, so the crawled bugs may well refer to the fact that we are doing what is not entirely provided for by the developers.
    But at the moment I managed to stably run this product for testing.
    I believe that the optimal structure for openchange at this stage of product development will be:
    1) Install a separate samba4 \ windows AD controller
    2) Transferring to a separate dovecot + postfix server with LDAP authorization (in the event of an openchange failure, the organization will still remain with a working mailer)
    3) Those who need calendars and address books (and as practice has shown, not everyone needs them) connect mapi to openchange.
    4) Write bug reports to developers to bring openchange to a more stable state as soon as possible.

    Also popular now: