Zarafa Collaboration Platform
Contents
1. [Figure 1.1: Zarafa Collaboration Suite Architecture Diagram. The legend distinguishes MAPI-in-SOAP connectivity, LDAP connectivity and other connectivity, and marks each block as an open source Zarafa component, an open source 3rd party component, a proprietary Zarafa component or a proprietary 3rd party component. Blocks shown: The Internet; cross-platform clients (Mozilla applications) and the Zarafa Windows Client; Zarafa Server with Quota Plugin; Zarafa Indexer; Active Directory; MTA (usually Postfix); webserver with PHP (usually Apache); BlackBerry Enterprise Service; Zarafa Delivery Agent; Zarafa Spooler; Zarafa Gateway (POP3/IMAP); Zarafa WebAccess; Zarafa Exchange Redirector; LDAP Service; MySQL; file system (attachments).]

1.3 Components

Installations of the Zarafa Collaboration Platform (ZCP) may consist of the following components:

Components: Zarafa S
2. [Figure 8.6: Resource option in Freebusy times]

8.6.1 Resource booking methods

There are two methods for booking resources:

1. Direct booking
2. Meeting request booking

Both methods are used to book resources. The final outcome is that the user can book a resource, after which the resource's calendar will show that it is busy for the allocated timeslot. Both methods support declining recurring and conflicting meetings, but the way that they work differs in various ways.

Table 8.1 Comparison of resource booking methods

Direct booking                                               | MR booking
Books directly in target calendar                            | Sends meeting request which is responded to
Needs read/write access to resource's calendar               | Needs no read or write access to resource's calendar
Possible to limit bookers through permissions                | Not possible to limit bookers
Does not support multiple resources using the same calendar  | Possible to set double booking limit to 2 or higher for equipment
Doesn't work with external bookers                           | Works with external bookers

8.6.1.1 Direct booking

Direct booking is the default resource booking method for Outlook 2000 to Outlook 2007 and Zarafa WebAccess. The way this works is that the client application:

1. Opens the resource's calendar
2. Checks the calendar for availability
3. Creates an appointment in the calendar
4. Notifies the user that the resource has been
3. The unique user attribute is the mapping between a mailbox in the database and the actual user in LDAP. Make sure this field is never changed, as the Zarafa Server will perceive that as a user being deleted and created, and will therefore orphan the user's store.

The email aliases are shown in the Global Address Book details and can be used for resolving email aliases in Postfix. However, it is not possible to deliver email to email aliases.

Extra user information like addresses, phone numbers and company information can be mapped by an extra configuration file (propmap): /etc/zarafa/ldap.propmap.cfg. The specified attributes for users will also be used for contacts.

5.2.4 Group configuration

The groups can be filtered by an extra search filter as well:

ldap_group_search_filter =
ldap_group_unique_attribute = gidNumber
ldap_group_unique_attribute_type = text

For the membership relationships between groups and users, each group object has a group member attribute. This can be configured by:

ldap_groupmembers_attribute = memberUid

The Zarafa Server will by default use the unique user attribute as the value of the group member attribute. This can be changed by the group members relation attribute:

ldap_groupmembers_attribute_type = text
ldap_groupmembers_relation_attribute = uid

Groups can be flagged as security groups by the security group attribute. Security groups are available in the Global Address Book when creating a new email an
4. Keep in mind that objects are never hidden for administrator users.
OID: 1.3.6.1.4.1.26278.1.1.2.11
Syntax: Integer
Multi- or Single-Valued: Single-Valued

zarafaAliases
This attribute will contain all other email addresses for this user.
Syntax: DirectoryString
Multi- or Single-Valued: Multi-Valued

zarafaUserServer
This attribute will be the homeserver of a user when running in multi-server mode.
OID: 1.3.6.1.4.1.26278.1.1.4.1
Syntax: DirectoryString
Multi- or Single-Valued: Single-Valued

zarafaSecurityGroup
This attribute will specify whether a group has security privileges. When the attribute is set to 0, the group will be seen as a distribution list.
OID: 1.3.6.1.4.1.26278.1.2.2.1
Syntax: Integer
Multi- or Single-Valued: Single-Valued

zarafaViewPrivilege
This attribute will contain companies with view privileges over the selected company.
OID: 1.3.6.1.4.1.26278.1.3.2.4
Syntax: DirectoryString
Multi- or Single-Valued: Multi-Valued

zarafaAdminPrivilege
This attribute will contain users from different companies which are administrator over the selected company.
OID: 1.3.6.1.4.1.26278.1.3.2.5
Syntax: DirectoryString
Multi- or Single-Valued: Multi-Valued

zarafaSystemAdmin
This attribute will specify the user who is the system administrator for this company.
OID: 1.3.6.1.4.1.26278.1.3.2.6
Syntax: Integer
Multi- or Single-Valued: Single-Valued

zarafaQuotaUserWarningRecipients
This attribute
5. See Section 8.4, User Management with LDAP or Active Directory, for more information on how to administer address lists.

5.3.6 Testing Active Directory configuration

After the LDAP configuration is done, the changes can be activated by reloading the Zarafa Server:

/etc/init.d/zarafa-server reload

To test whether users and groups will be listed, use zarafa-admin -l and zarafa-admin -L. If no users or groups are shown, please check the Zarafa server log file for errors. Setting the loglevel to 6 in /etc/zarafa/server.cfg will display all LDAP queries by the Zarafa server and possible errors.

The first time zarafa-admin -l is done, all mailboxes will be created. This can take some time, so be patient.

More information about the other available LDAP attributes can be found in the man page:

man zarafa-ldap.cfg

Chapter 5. Configure 3rd Party Components

See Chapter 8, User Management, for Zarafa user management with Active Directory.

5.4 ZCP Postfix integration

ZCP does not include its own MTA, but can be integrated with all established MTAs found in modern Linux distributions. Although ZCP supports most Linux MTAs, we advise to use Postfix.

In order to deliver an email into a user's mailbox, the zarafa-dagent is executed. Messages are passed to the zarafa-dagent from the standard input or by the LMTP protocol. A few examples of the ZCP Postfix integration are described in the following sections. Keep in mind that Pos
6. Visible Users (1):
Username  Fullname    Homeserver
john      John Doe
mary      Mary Jones

When a user is deleted, the mailbox of the user will still be kept in the database. Use the following command to retrieve a list of stores without a user and users without a store:

/usr/bin/zarafa-admin --list-orphans

Stores without users:
Store guid                        Guessed username  Last modified     Store size
CAC27E6D70BB45B0B712B760AE6BA0A8  steve             2010-03-22 14:22  2334KB

Users without stores:
Username

It can be decided to remove the store from the database, or to hook the store to another user to be able to access it once again.

To remove the store from the database (an action which is irreversible), use the following command:

/usr/bin/zarafa-admin --remove-store <store-guid>

To hook the store to another user, use the following command:

/usr/bin/zarafa-admin --hook-store <store-guid> -u <user>

The user given with the -u option will now have the new store attached to it. Re-login with the WebAccess or create a new profile in Outlook to access the store.

When a store is hooked to a user that already has a store attached to it, the original store will be orphaned. This original store can be found using the --list-orphans option of the zarafa-admin command.

Users management with DB plugin

In ZCP 6.30.6 and earlier versions, the store of the user was moved to the Deleted Stores folder in the public store after a user deletion. This folder is only avail
7. created with the device and ipHost objectClass. Every multi-server node should have a common name, FQDN or IP address, and the Zarafa server details. Make sure the FQDN can always be resolved by the clients.

[Figure 6.6: LDAP server attributes. Name / Value:
cn: ZdsMaster
objectClass: device, ipHost, zarafa-server, top
zarafaContainsPublic: 1
zarafaFilePath: /var/run/zarafa
zarafaHttpPort: 236
zarafaSslPort: 237
ipHostNumber: 192.168.0.63]

The zarafaContainsPublic attribute can only be set for one multi-server node. At the moment there is no support for multiple Public Folders on different nodes.

The Zarafa LDAP configuration needs to be extended with some extra multi-server configuration options. An example configuration file for the multi-server setup can be found in the /usr/share/doc/zarafa/example-config directory. The ldapms.cfg files are the specific multi-server configuration files.

The following LDAP configuration entries need to be configured for a multi-server setup:

ldap_server_type_attribute_value = zarafa-server
ldap_user_server_attribute = zarafaUserServer
ldap_server_address_attribute = ipHostNumber
ldap_server_http_port_attribute = zarafaHttpPort
ldap_server_ssl_port_attribute = zarafaSslPort
ldap_server_file_path_attribute = zarafaFilePath
ldap_server_search_filter =
ldap_server_unique_attribute = cn

Every created
8. file which stores the last date of sending per email address.
SENDDBTMP=${TMP:-/tmp}/zarafa-vacation-$USER.tmp: temporary file used during update of the database.
SENDMAILCMD=/usr/sbin/sendmail: command used to send the actual vacation message.
SENDMAILPARAMS="-t -f": parameters used to send the actual vacation message.

If an alternate autoresponder is required, please refer to the zarafa-dagent manual page, which describes how to use an alternate script using the -a option.

4.3.2 Storing attachments outside the database

Since ZCP version 6.0 it is possible to save the attachments outside the database. The default method is to save the attachments inside the database, like older versions of ZCP. For first-time installations, the attachment storage method should be selected before starting the server for the first time, as it is not easy to switch the attachment storage method later on.

To change the attachment storage location, edit the following option in /etc/zarafa/server.cfg:

attachment_storage = files

For upgrades, a script exists that copies the attachments from the database to the file storage. This script can be found in /usr/share/doc/zarafa and is named db-convert-attachments-to-files. This script is run as follows:

db-convert-attachments-to-files <mysqluser> <mysqlpass> <mysqldb> <destination path> [delete]

It is only possible to convert from database storage to file storage. The delete switch
9. for these stores. For an overview of all the configuration options of the unix authentication plugin, type man zarafa-unix.cfg.

4.2.1.3 The LDAP Authentication Plugin

The LDAP plugin is used for coupling any LDAP compliant server with the Zarafa Server. This way all users, groups and membership information can be retrieved live from an LDAP server. The LDAP plugin supports, next to the default users, groups and companies, also the following object types:

- Contacts: external SMTP contacts which can be used as members of distribution lists
- Addresslists: sub-categories of the Global Address Book based on a specified LDAP filter
- Dynamic groups: dynamically created groups based on a specified LDAP filter

Therefore the LDAP plugin is the recommended user plugin for ZCP.

The Zarafa Server needs two configuration directives in the server.cfg configuration file to use the LDAP backend, namely:

user_plugin = ldap
user_plugin_config = /etc/zarafa/ldap.cfg

The defaults for OpenLDAP and for Active Directory can be found in the /usr/share/doc/zarafa/example-config directory. Based on these examples, the /etc/zarafa/ldap.cfg file should be adjusted to configure the LDAP authentication plugin.

4.3 Synchronise GAB realtime

To optimise performance with large Global Address Books in LDAP configurations, a setting sync_gab_realtime is optional in the server.cfg configuration file. When set to yes, Zarafa will synchronize the local us
10. instruction on configuring mobile devices.

Mobile phones, smartphones and PDAs can be synchronized because Z-Push emulates the ActiveSync functionality of a MS Exchange server on the server side, allowing mobiles to synchronize via over-the-air ActiveSync (AirSync). Using Z-Push, most mobiles can synchronize without installing any additional software on the device.

Z-Push needs to be installed on a web server. It is highly recommended to use Apache.

5.5.1 Compatibility

Z-Push allows users with PDAs and smartphones to synchronise their email, contacts, calendar items and tasks directly from a compatible server over UMTS, GPRS, WiFi or other GSM data connections.

The following devices are supported by Z-Push:

- Windows Mobile 5, 6, 6.1 and 6.5
- Nokia E/N series with Mail for Exchange (MfE)
- Nokia E series with built-in ActiveSync (Nokia Mail 2)
- Sony Ericsson with RoadSync
- Apple iPhone
- Android Cupcake or Donut with third-party tools like Nitrodesk Touchdown
- Android Eclair with Contacts and Calendar synchronization or third-party tools
- other ActiveSync compatible devices

For detailed information about the devices and their compatibility status, please consult the Mobile Compatibility List at http://z-push.sourceforge.net/compatibility

5.5.2 Security

To encrypt data between the mobile devices and the server, it's required to enable SSL support in the web server. Configuring Apache with SSL certificates is beyond the scope of this
11. s an option, always go for RAID10.

9.1.5 High rotation speed (RPMs) for better database performance

High-end SCSI or SAS disks regularly have high rotation speeds of 10K or even 15K RPMs. The rotation speed of the disks affects seek times on the disk. Although the Zarafa database format is optimized to have data available on the disk in a serial fashion, and most reads are done fairly localized on the disk, seek time is still a large speed factor for I/O. The higher the rotation speed, the lower the seek time.

9.1.6 Hardware RAID

Hardware RAID controllers often have large amounts of cache RAM. This can also increase performance and data throughput of the I/O subsystem. If a hardware RAID controller is used, however, always make sure that either write-back cache is not used, or a functioning UPS and shutdown process for the server are available, as write-cached data will be lost when the power fails. This is not only harmful for the data that was written at that moment; the write could actually corrupt the on-disk InnoDB data.

9.2 Memory Usage setup

There are basically 4 large parts of the server setup that use server memory:

- Zarafa's cell cache: caches individual cell data within a table view
- MySQL's buffer size: caches reads and writes from the ibdata file
- MySQL's query cache: caches exactly repeated SQL queries

In a server purely running Zarafa, make sure these caches are set up to use around 80% of the RAM in the serve
12. s not yet an LDAP server available in the environment, one has to be set up or the non-LDAP user plugin has to be used. Please read the documentation of the used Linux distribution on how to set up an OpenLDAP server. Connections to OpenLDAP servers run over port 389 or 636 (SSL).

For best speed and reliability it is always best to install an OpenLDAP server on the same physical host as the Zarafa Server, which replicates with the main LDAP server. Besides performance improvements, it also allows the Zarafa Server to run even when the main LDAP server goes down.

In the following paragraphs the configuration will be explained. Check the location of the configuration files before changes are made. OpenLDAP configuration is usually located in /etc; depending on the used distribution it is:

Red Hat Enterprise Linux: /etc/openldap
SUSE: /etc/openldap
Debian & Ubuntu: /etc/ldap

Throughout this guide we use /etc/openldap.

5.2.1 Configuring OpenLDAP to use Zarafa schemas

To configure OpenLDAP to use the Zarafa LDAP schemas, the following configuration directive needs to be added to /etc/openldap/slapd.conf:

include /etc/openldap/schema/zarafa.schema

Copy the schema file to the ldap directory:

cp /usr/share/doc/zarafa/zarafa.schema /etc/openldap/schema/zarafa.schema

Note: Most recent Linux distributions use OpenLDAP in dynamic configuration mode. For more information about installing the Zarafa schema on an OpenLDAP server with dynam
13. 0 for any address. Default value: 0.0.0.0

ical_enable
Enable the plain service with value yes. Default value: yes

ical_port
The plain service will listen on this port for incoming connections. Default value: 8080

icals_enable
Enable the secure service with value yes. Default value: no

icals_port
The secure service will listen on this port for incoming connections. Default value: 8443

server_socket
The http address of the Zarafa Server. Default value: http://localhost:236/zarafa

Important: It is not advised to specify the UNIX socket here. In the default configuration the Zarafa Caldav will then be trusted by the zarafa-server, as set in its local_admin_users configuration setting. Unless Zarafa Caldav is specified to run as an untrusted user, it always authenticates users, even if they provide no or wrong credentials.

ssl_private_key_file
The file that contains the private key used for encrypting the ssl connections. The absolute path to the file should be used. Default value: /etc/zarafa/privkey.pem

ssl_certificate_file
The file that contains the certificate for the server. The absolute path to the file should be used. Default value: /etc/zarafa/cert.pem

Chapter 4. Configure ZCP Components

ssl_verify_client
Enable client certificate verification with value yes. Default value: no

ssl_verify_file
ssl_verify_path
The file or path to the files to verify the clients' certificate with. The absolute path should
14. 1: When a user is administrator, the user will be allowed to open all Zarafa stores of any user. It is also possible to pass 2 as administrator level; this will make the user a system administrator who can create, modify and delete companies. All fields except the email address are case sensitive.

The password can also be set using the -P switch. The password is then not given at the command prompt, but asked for by the zarafa-admin tool. The password is not echoed on the screen and needs to be typed twice for verification.

8.3.2 Non-active users

A non-active user cannot login to ZCP, but email can be delivered to this user and the store can be opened by users with the correct permissions. Non-active users can especially be used for functional mailboxes, resources and rooms. To create a non-active user, use the following command:

zarafa-admin -c <user name> -P -e <email> -f <full name> -n 1

Chapter 8. User Management

In ZCP version 6.30 and earlier it's not possible to switch an active user to non-active and vice versa. Switching the non-active value will trigger a mailbox deletion.

8.3.3 Updating user information with DB plugin

The same zarafa-admin tool can be used to update the stores and user information. Use the following command to update:

/usr/bin/zarafa-admin -u <user name> -U <new user name> -p <new password> -e <email> -f <full name> -a <0|1>

All
15. 11.1.1 Software
11.1.2 Authentication Preparation
11.2 Installation steps
11.3 BES Errors
12 Appendix A: Pre-5.2x upgrade strategies
12.1 Database upgrades from 4.1 or 4.2
12.2 Upgrades from 5.0 to 5.1x and up
12.3 Important changes since 4.x and 5.x
13 Appendix B: LDAP attribute description

Zarafa's Cell Cache (cache_cell_size)
Zarafa's object cache (cache_object_size)
MySQL innodb_buffer_pool_size
MySQL innodb_log_file_size
MySQL innodb_log_buffer_size
cache_indexedobject_size
Servers

Chapter 1. Introduction

The Zarafa Collaboration Platform (ZCP) is an open source software suite capable of replacing Microsoft Exchange. Its architecture is very modular, makes use of standards wherever possible, and integrates with common open source components.

This document explains how to perform the most common administrative tasks with ZCP.

Important: Although we (Zarafa) try our best to keep the information in this manual as accurate as possible, we withhold the right to modify this information at any time without prior notice.

1.1 Intended Audience

This manual is intended for system administrators responsible for installing, maintaining and supporting the ZCP deployment. Readers of this manual will benefit from prior experience with:

- Linux system administration
- Setting up MTAs (we use Postfix in this manual)
- LDAP servers like OpenLDAP or
16. Chapter 6. Advanced Configurations

At this time only the warning quota can be configured for a tenant; this means it is not possible to set the soft or hard quota to limit the tenant's email capabilities. Just like the user quota, there are multiple levels for the tenant quota, and there is even a new level for the user quota. A summary of the possible quota levels which can be set in a multi-tenancy environment:

1. Tenant (company) quota
   a. Global company quota: configured in /etc/zarafa/server.cfg and affects all tenants within the system
   b. Specific company quota: the quota level for a tenant, configured through the plugin (LDAP) or the zarafa-admin tool
2. User quota
   a. Global user quota: this is configured in /etc/zarafa/server.cfg and affects all users from all tenants
   b. Company user quota: this is the default quota level for all users within a tenant and is configured through the plugin at tenant level
   c. Specific user quota: this is the quota level for a specific user and is configured through the user plugin

As mentioned above, the Global company quota and Global user quota can be configured in the /etc/zarafa/server.cfg file; in there, the options quota_warn, quota_soft and quota_hard are for the user quota, and the option companyquota_warn is for the tenant quota.

To configure the Specific company quota, the zarafa-admin tool can be used when using the DB plugin. The following command will set the various quota levels over the tena
17. [Figure 8.1: Zarafa user tab. Active Directory user Properties dialog with the Zarafa tab selected, showing the Zarafa Account (active user, Hide from addressbook, Capacity), Quota (Warning at / Soft limit / Hard limit in MB), Home Server and E-mail addresses sections.]

8.4.2.2 Creating groups using ADS

In Active Directory both security and distribution groups can be created. The security groups can be used for setting permissions and sending emails. Distribution groups can only be used for sending emails and will not be displayed when setting the security permissions on a folder.

ZCP 6.40 and higher versions have support for nested groups.

The groups can be created by using the default group creation wizard in Active Directory.

8.4.2.3 Creating contacts using ADS

The Global Address Book can be extended with contacts. Contacts are external SMTP addresses which are shown in the Global Address Book and can be used as members of distribution lists.
18. Editions and Licensing

1.5.1 The Trial License

When using a trial license, a period of time is available to test ZCP with full functionality. It is possible to continue using the current database when a valid commercial license is installed. A trial license can be requested on http://www.zarafa.com/serial_request

1.5.2 The ZCP Community Edition

The Zarafa Collaboration Platform community edition is licensed under the Affero GPLv3. This edition can be used for up to three users with the proprietary Zarafa Windows Client for connecting with Microsoft Outlook. The WebAccess, IMAP gateway and mobile synchronisation can be used for unlimited users.

http://www.zarafa.com/content/affero-gplv3

To have Outlook support in the community edition, the proprietary License Manager component must be running. A license is not needed though.

1.5.3 Commercial Editions of ZCP

Standard, Professional and Enterprise editions require a commercial license. It will be mentioned in this document whenever a feature or component is only available with a commercial edition.

1.5.4 Active and non-active users

ZCP licenses are on a per named user basis. A base license is a license for a fixed number of users, which can be extended by adding extra Client Access Licenses, i.e. having a base license for 10 users and a CAL for 10 users is functionally equivalent to having a 20-user base license. Licenses are based on
19. LMTP .... 75
6.7 Single Sign-On with ZCP .... 76
6.7.1 NTLM SSO with ADS .... 76
6.7.2 NTLM SSO with Samba .... 78
6.7.3 SSO with Kerberos .... 79
6.7.4 Up and running .... 82
6.8 Tracking messages with Zarafa Archiver .... 82
6.8.1 Archive on delivery .... 82
6.8.2 Archive on send .... 82
7 Managing ZCP Services .... 85
7.1 Starting the services .... 85
7.1.1 Stopping the services .... 85
7.1.2 Reloading service configuration .... 86
7.2 Logging options .... 86
7.3 Security logging .... 86
7.3.1 Logging items .... 87
7.3.2 Configuration .... 89
7.4 Zarafa statistics monitoring .... 90
7.5 Soft Delete System .... 90
8 User Management .... 93
8.1 Public folder
20. Microsoft Active Directory
- Managing a MySQL installation

1.2 Architecture

In accord with the UNIX philosophy, ZCP consists of components that each take care of a well-defined task. See Figure 1.1, Zarafa Collaboration Suite Architecture Diagram, which describes the relationships between the components and the protocols used. This diagram describes a simple setup as used by most of our customers. Only the most commonly used components are shown in the diagram.

The top part of the diagram shows the clients: software appliances by which users access their data. Some of these appliances are desktop applications, some are mobile applications.

In between The Internet and the Zarafa Server, the infrastructure components of Zarafa (blue) and some common infrastructure components (grey) can be found. These components are needed to facilitate communication between the Zarafa Server and various clients. Microsoft Outlook does not need any special infrastructure, but communicates directly with the Zarafa Server using the Zarafa Windows Client.

The Zarafa Server is basically serving MAPI calls while storing data in a MySQL database. For user authentication several methods are available and discussed in this document; most common are servers that implement LDAP, e.g. OpenLDAP or Microsoft Active Directory.

The next section briefly describes each of ZCP's components.
21. Now that the CA certificate and the server certificate have been created, SSL can be enabled in the server.cfg file, where it is normally disabled. The port 237 is set for SSL connections. This port number can be changed if necessary.

server_ssl_enabled = yes
server_ssl_port = 237

The CA certificate must be set in the server_ssl_ca_file setting. The server certificate and password must be set in the server_ssl_cert_file and server_ssl_cert_pass options.

server_ssl_ca_file = /etc/zarafa/ssl/demoCA/cacert.pem
server_ssl_key_file = /etc/zarafa/ssl/server.pem
server_ssl_key_pass = password

Restart the zarafa-server process, and now it's possible to connect directly to the SSL port. Create a new Outlook profile and mark the SSL connection option. Set the port to 237. The connection to the server has now been encrypted.

4.4 Configure the License Manager

With the ZCP community edition, the License Manager is not needed.

The License Manager (zarafa-licensed) expects /etc/zarafa/license to contain a file named base, which simply holds the license key. To install a license key, use the following command:

mkdir -p /etc/zarafa/license
echo <license-key> > /etc/zarafa/license/base

<license-key> should be replaced with a valid license key obtained from Zarafa or one of its partners. The license key consists only of numbers and capital letters. If an extra CAL (Client Access License) is also available, the license key can be a
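The two settings above that matter most for security are the CalDAV server_socket (item 13: pointing it at the UNIX socket makes zarafa-server trust the CalDAV process as a local admin, so any credentials are accepted) and the server_ssl_* options in server.cfg. The script below is an added example, not part of the Zarafa manual: it reads "key = value" config files and flags the UNIX-socket setting, SSL left disabled, missing CA/key paths, and the placeholder passphrase "password"; the sample config contents are constructed.

```shell
#!/bin/sh
# Added example (not from the Zarafa manual): audit the CalDAV server_socket
# setting and the server.cfg SSL settings. Zarafa config files use the
# "key = value" format shown in the manual; the files below are constructed.

# cfg_get FILE KEY: print the value of KEY (first match, comment lines
# ignored, surrounding whitespace stripped); print nothing if KEY is unset.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" | head -n 1
}

# audit_ical_server_socket FILE: the CalDAV process must reach the Zarafa
# server over HTTP, not the UNIX socket, or it is treated as one of the
# local_admin_users and logins succeed with wrong or no credentials.
# Returns 0 when server_socket is an http(s):// URL or unset (default is
# http://localhost:236/zarafa), 1 when it names a UNIX socket or anything else.
audit_ical_server_socket() {
    sock=$(cfg_get "$1" server_socket)
    case "$sock" in
        ""|http://*|https://*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# audit_server_ssl FILE: returns 0 when SSL is enabled and the CA file, key
# file and key passphrase are all set; 1 when server_ssl_enabled is not yes;
# 2 when the CA or key file path is missing; 3 when server_ssl_key_pass still
# holds the manual's placeholder value "password".
audit_server_ssl() {
    [ "$(cfg_get "$1" server_ssl_enabled)" = "yes" ] || return 1
    [ -n "$(cfg_get "$1" server_ssl_ca_file)" ] || return 2
    [ -n "$(cfg_get "$1" server_ssl_key_file)" ] || return 2
    [ "$(cfg_get "$1" server_ssl_key_pass)" != "password" ] || return 3
    return 0
}

# Constructed sample configs written to temporary files.
ICAL_BAD=$(mktemp)
cat > "$ICAL_BAD" <<'EOF'
# constructed ical.cfg: CalDAV wired to the UNIX socket (the unsafe setting)
ical_enable = yes
server_socket = file:///var/run/zarafa
EOF

ICAL_GOOD=$(mktemp)
cat > "$ICAL_GOOD" <<'EOF'
# constructed ical.cfg: CalDAV authenticates through the HTTP port
ical_enable = yes
server_socket = http://localhost:236/zarafa
EOF

SERVER_CFG=$(mktemp)
cat > "$SERVER_CFG" <<'EOF'
# constructed server.cfg carrying the manual's example values
server_ssl_enabled = yes
server_ssl_port = 237
server_ssl_ca_file = /etc/zarafa/ssl/demoCA/cacert.pem
server_ssl_key_file = /etc/zarafa/ssl/server.pem
server_ssl_key_pass = password
EOF

# report FILE FUNC: print FUNC's verdict for FILE without aborting the script.
report() {
    if "$2" "$1"; then echo "$1: ok ($2)"; else echo "$1: finding code $? ($2)"; fi
}
report "$ICAL_BAD" audit_ical_server_socket    # finding code 1
report "$ICAL_GOOD" audit_ical_server_socket   # ok
report "$SERVER_CFG" audit_server_ssl          # finding code 3 (placeholder passphrase)
```

Run it against real copies of /etc/zarafa/ical.cfg and /etc/zarafa/server.cfg by calling the two audit functions with those paths; a non-zero return code is the finding.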
22. [Figure 6.2: Multiserver environment on one location. Servers serverA and serverB share the central Zarafa stores and LDAP/ADS; user1 is served by Zarafa server A and Zarafa server B.]

The multi-server support can also be used to support a larger number of users, or to spread mailboxes over different geographical locations; see Figure 6.3, Multiserver environment on two locations.

[Figure 6.3: Multiserver environment on two locations. Location A holds the master LDAP/ADS server and Zarafa server A; Location B holds the replica LDAP/ADS server and Zarafa server B; LDAP synchronisation runs between the two.]

The mailbox of a user is always stored on only one server. It's not possible to synchronize mailboxes over multiple servers.

When accessing multiple mailboxes that are located on different servers, the client will make a connection to the different multi-server nodes. See the flowchart in Figure 6.4, Multiserver environment.

[Figure 6.4: Multiserver environment. Client, LDAP server, Zarafa Server Node 1 and Zarafa Server Node 2.]

User John is located on Node 1 and the user Mary is located on Node 2. John has read access on the mailbox of Mary.

1. John starts his Outlook client, which connects to Node 1.
2. The Zarafa Server Node 1 checks the Home Server attribute in the central LDAP server.
3. The Home Server of user John is returned to the Zarafa Server.
4. John's mailbox is located on Node 1, so the mailbox will be
23. Zarafa user in the LDAP server needs to be assigned to a Zarafa server node. This can be set by using the zarafaUserServer attribute. The attribute should contain the unique server name.

In a multi-tenancy situation, all created tenants (companies) in LDAP need to be updated with the zarafaCompanyServer attribute. Use the server name as well for this.

6.3.3 Configuring the servers

The following configuration options in server.cfg are provided for multi-server support:

enable_distributed_zarafa
Enable the multi-server environment. When set to true, it is possible to spread users and companies over multiple servers. When set to false, the single-server environment is created.

server_name
The unique server name used to identify each node in the setup. This server name should be correctly configured in the DNS. This server name should be the same as the value of the zarafaUserServer attribute.

To enable multi-server support in Zarafa, change the following configuration options in server.cfg:

user_plugin = ldapms
enable_distributed_zarafa = yes
server_name = <servername>
server_ssl_enabled = yes

An upgrade from single-server to multi-server support is not a simple task. Please check with Zarafa Support if migration is possible for the setup used.

6.3.4 Creating SSL certificates

In a multi-server setup it's required to configure SSL support, because clients like the zarafa-dag
24. an index file segment, but will trigger more index file segments to be created. For batch indexing, when index_interval is set to a high value, index_max_merge_docs should be set to a high value as well (> 10000). For interactive indexing, when index_interval is set to a low value, set index_max_merge_docs to a low value (10000).

The fraction of terms in the dictionary which should be stored in memory is controlled by the index_term_interval configuration option:

index_term_interval = 128

Smaller values use more memory but make searching slightly faster, while larger values use less memory and make searching slightly slower. Searching is typically not dominated by dictionary lookup, so tweaking this is rarely useful.

All CLucene writers and searchers are cached to optimize performance at the expense of memory. The time in seconds the objects will be kept in cache is controlled by the index_cache_timeout option:

index_cache_timeout = 0

If set to 0, caching will be disabled.

4.9.5 Attachments

Optionally, the contents of attachments can be indexed as well. When this is enabled, a search through the body of a message will search the contents of its attachments as well. Indexing of attachments is enabled in /etc/zarafa/indexer.cfg:

index_attachments = yes

Indexing of attachments is done through parsing the attachments to plain text and indexing the text into the main index for the email. The required time to parse a
25. can be created manually by executing the following command:

    /usr/bin/zarafa-admin -s -I tenant

Replace tenant with the name of the tenant (company) for which the public store should be created. When the -I option is not used, the public folder will be created for a single-tenancy environment and will not be accessible when multi-tenancy Zarafa is enabled. The public folder is by default available for all users within a tenant (company).

6.2.3 Managing tenant (company) spaces

Management of tenant (company) spaces through zarafa-admin is only available when using the DB plugin. When the LDAP plugin is used, all administration needs to be done through the LDAP or Active Directory server.

To create a company space, use the following command:

    /usr/bin/zarafa-admin --create-company <companyname>

To delete a company space, use the following command:

    /usr/bin/zarafa-admin --delete-company <companyname>

To change a company space, use the following command:

    /usr/bin/zarafa-admin --set-company <companyname>

This command can be combined with the option --qw to set the quota warning level for the specified company space.

To control the view privileges for company spaces, the following commands can be used:

    /usr/bin/zarafa-admin --add-view viewer -I companyname
    /usr/bin/zarafa-admin --del-view viewer -I companyname
    /usr/bin/zarafa-admin --list-view -I <compan
26. document, though many howtos can be found online. Keep in mind that some mobile devices require an official SSL certificate and don't work with self-signed certificates.

5.5.3 Installation

Download the latest Z-Push software from http://z-push.sourceforge.net/download. To install Z-Push, simply untar the Z-Push tarball into the webroot with:

    tar zxvf z-push-<version>.tar.gz -C /var/www/html

The -C option is the destination where the files need to be installed. The following table lists the default webroot directories in which some distributions let the Apache webserver search for files.

Table 5.1 Webroot directories

    Distribution               Default webroot
    Red Hat Enterprise Linux   /var/www/html
    SUSE                       /srv/www/htdocs
    Debian and Ubuntu          /var/www

Make sure that the state directory is writable for the webserver process, so either change the owner of the state directory to the UID of the Apache process or make it world writable:

    chmod 755 /var/www/z-push/state
    chown apache:apache /var/www/z-push/state

The user and group name of Apache will differ per Linux distribution. The table below shows an overview of the user and group names of the Apache process.

Table 5.2 User and group names per distribution

    Distribution        Apache username   Group name
    Debian and Ubuntu   www-data          www-data

Now Apache must be configured to redirect the UR
27. index.pl username.index.zbk. When the items are found, place the restore keys in a separate file or give them as parameters to the zarafa-restore tool. If the restore key of a container is entered, the complete container with all its items will be restored on one level. If the subcontainers of the selected container need to be restored as well, add the -r parameter to the command.

The following example restores the inbox with subcontainers from userA. The restore key AF000000 is found in the userA.index.zbk file and needs to be given at the end of the command:

    zarafa-restore -u userA -r -c userA.index.zbk AF000000

The -c parameter, which references the index file, is not necessary when using an index file from the same user. For example, when using zarafa-restore -u userA, the zarafa-restore tool will automatically use the userA.index.zbk file when that index.zbk file is in the directory from which the command is executed.

In the next example a file keys.txt containing multiple restore keys, for multiple items and folders of user userA, is used. Every restore key in the file needs to be separated by a new line:

    zarafa-restore -u userA -r -i keys.txt

For more options of the zarafa-restore tool, please check the man page:

    man zarafa-restore

Chapter 11. BlackBerry Enterprise Server

11.1 Prerequisites

ZCP works with both BlackBerry Enterprise Server 4 and BlackBerry Enterpris
28. information about sessions and server resource usage. To use the zarafa-stats tool, use for example the following command:

    zarafa-stats --top

    Last update Tue Mar 29 13:40:18 2011
    Sess 1 Sess grp 1 Users 1 Hosts 1 CPU 0 QLen QAge SQL/s SEL UPD INS 0 DEL 0 Threads idle SOAP calls 6
    VERSION USERID IP PID APP TIME CPUTIME CPU NREQ TASK
    7.0.0 24874 SYSTEM 4527 zarafa-spooler 0:00 0:00 0 6 tableQueryRows

The top overview gives status information every second about CPU usage, connected clients, active threads, queue length and SQL queries. When the server has a high queue length and age, the number of threads should normally be increased.

7.5 Soft-delete system

If a user deletes emails, calendar items or complete folders, they are by default moved to the Deleted Items folder. When the items are removed from Deleted Items, they still will not be fully removed from the database. Rather, they are marked as deleted so the user does not see them. Even when a user deletes items with <SHIFT>-delete, they are not removed from the database but marked as deleted. This makes restoring items quick and easy: in Outlook, choose Extra from the menu bar and click on Restore deleted items. Items are grouped by the folder they were deleted from. Most items will appear in the Deleted Items folder, as they have been removed from that location. Soft deletes always remain in the database u
29. primary email addresses on which the message should be delivered. After all users and aliases are added to this file, a hash map needs to be created. The following command will create the actual hash map /etc/postfix/virtual.db:

    postmap /etc/postfix/virtual

All incoming emails are delivered to the zarafa-dagent over LMTP, using the primary mail address as specified in the hash map. After changing the configuration files, restart Postfix by its init script:

    /etc/init.d/postfix restart

For RPM based distributions use:

    chkconfig zarafa-dagent on
    /etc/init.d/zarafa-dagent start

For Debian based distributions, enable the zarafa-dagent by setting the option DAGENT_ENABLED to yes in the file /etc/default/zarafa-dagent. To enable the zarafa-dagent at boot time use:

    update-rc.d zarafa-dagent defaults

It is advised to enable logging of the zarafa-dagent when running in LMTP mode, for monitoring purposes. To alter the logging options for the zarafa-dagent, adjust the configuration file /etc/zarafa/dagent.cfg.

5.5 Configure Z-Push (Remote ActiveSync for Mobile Devices)

This chapter describes how to configure the Z-Push software to bridge ZCP with ActiveSync-enabled PDAs and smartphones. Z-Push is available as an open source project on SourceForge: http://z-push.sourceforge.net. In this manual only the server part of Z-Push is discussed; please refer to our User Manual for
30. signal IDs.

7.3.1.3 Authentications

When a user (not the internal SYSTEM user) logs in, the following message will be printed in the security log.

Correct authentication:

    authenticate ok user john from 127.0.0.1 method User supplied password program apache2

Incorrect authentication:

    authenticate failed user john from 127.0.0.1 program apache2

Only with SSO logins:

    authenticate spoofed user john requested test from 192.168.50.178 method kerberos sso program OUTLOOK.EXE

The following tags are possible in the authentication line:

user
    The username sent to the zarafa-server.
requested
    The name in the MAPI profile whose store is opened; the user tag will be the actual authenticated user (SSO only).
from
    Unix socket or IP address the connection to the server was made from.
method
    Method the user was validated with, one of the following: socket, certificate, password, ntlm sso or kerberos sso.
program
    The program being used to login with.

7.3.1.4 Sharing actions

When a user accesses objects that are not within its own store, a message will be logged. This also means that when a user is using the Public store, messages will be logged. The following message will be printed in the security log.

Allowed sharing action:

    access allowed objectid 387538 type 3 ownername test username constant rights view

Denied sharing action:

    access denied objectid 38
31. sure the Zarafa server process is not running when using this script.

16. Finalizing the upgrade

The send-as options in LDAP are the opposite from 6.30 as of 6.40. This change is done to support groups for the send-as permissions. If the send-as options for users are used, the ldap-switch-sendas.pl script must be run. This script will update the LDAP or ADS server with the current send-as information and switch it to the 6.40 format. In 6.40, delegations are set on the user.

Example: A non-active user info@company exists and some users need to send with that address in the From header. The users are added on the info@company object in the send-as attribute list.

In the LDAP configuration, the separate search base options for each object are combined in one search filter option named ldap_search_base. All other old search base options should be removed. Also all scope options should be removed.

Next, object types must be defined. This normally goes through the objectClass attribute. Every user object must be defined by its objectClass.

Lastly, the old per-object search filters may be emptied, since they are duplicates. It is still advisable to use zarafaAccount in the user filter so the options remain available.

To protect the server from deleting users, a safe mode option is available in the server.cfg. Enabling this option will disable all delete and create actions of users and groups. Add the following option in the /etc/zar
32. that components usually have to be restarted to make use of updated configuration files; read more about this in Chapter 7, Managing ZCP Services. In short, after modifications have been made to a component's configuration file, that component has to be restarted with:

    /etc/init.d/zarafa-<component name> restart

4.1 Configure the Zarafa Server

The Zarafa Server component is configured by a system-wide configuration file, usually located here:

    /etc/zarafa/server.cfg

When installing ZCP, an example of this file is put here:

    /usr/share/doc/zarafa/example-config/server.cfg

The options and their default values are explained both by the inline comments of the example file and in the following manual page:

    man zarafa-server.cfg

If a line is not present, the default setting will be assumed. For most basic setups the defaults of the example file will work fine. In this chapter we only explain the basic configuration options of the Zarafa Server.

The Zarafa Server needs a MySQL database to function, and therefore needs to know how to connect to the MySQL server and the authentication credentials for its database. It will create a database and the tables it needs at first start. Make sure that the MySQL user that the Zarafa Server uses to connect to the database has all privileges, including the right to create a new database. The privilege to create databases can be revoked after the database has been created by the server. Also make su
33. the WebAccess uses MAPI in SOAP, provided by the PHP-MAPI extension, to connect to the Zarafa Server. The Zarafa Windows Client is a standard Microsoft Windows compatible MAPI provider. It connects to the server (MAPI in SOAP) over the HTTP(S) protocol.

1.4.1 SOAP

SOAP is an abbreviation of Simple Object Access Protocol. It is a protocol to exchange data and make Remote Procedure Calls between applications over a network (or the Internet, for that matter). SOAP is based on XML and HTTP 1.1 (port 80, or port 443 in case of HTTPS). Because of these standards it is possible to connect transparently through proxies, allowing connectivity over most networks without modifications.

1.4.2 Secure HTTP (HTTPS)

The Zarafa Windows Client has the possibility to connect to the server over HTTP secured with SSL (HTTPS). When a MAPI profile from Outlook is created, it is possible to set the connection to use HTTPS. All connections over the network will then be encrypted, making eavesdropping virtually impossible. The Zarafa Server must be configured to also accept SSL connections. By default this is disabled, because it requires the creation of SSL certificates. When the server certificate is created, SSL connections can be directly accepted from a client. As an extra option, other Zarafa components like the Zarafa Delivery Agent and the Zarafa Spooler can also connect over HTTPS to the server and authenticate using the Zarafa Server's private key.

1.5 ZCP
34. the changes are optional. For example, only the password for an existing user may be updated, leaving the other user information the same as it was.

8.3.4 Deleting users with DB plugin

To delete a user from the server, use the following command:

    /usr/bin/zarafa-admin -d <user name>

The user will be deleted from the database. However, the store will be kept in the database, but is not accessible. See Section 8.2, General usage of Zarafa-admin tool, for more information about handling orphaned stores.

8.3.5 Configuring Send-as permissions

ZCP supports two kinds of send delegation:

Send on Behalf permissions
    If a user grants the appropriate permission to another user, the latter can send items on behalf of the other user. In this case an email or meeting request will be sent with the following from field: "delegate on behalf of user". This setting can only be set from the WebAccess or Outlook client.

Send As permissions
    If the system administrator gives user B the right to send as user A, the receiver of an email will not see that user B sent the email. The receiver will only see the email address of user A in the from field.

Setting up send-as delegation with zarafa-admin is only applicable with the DB or UNIX plugin. For setting up LDAP or Active Directory, see Section 8.4, User Management with LDAP or Active Directory.

Add a user to the list of the delegate being updated as a send-as user. The
35. will not be backed up. In effect, the dump that is made is a snapshot of the database at the moment that the dump started.

When using mysqldump, it is very important not to do any table locking. This means that the --opt option and --lock-tables should never be used while dumping a Zarafa database. The reason is that these options lock the tables while they are being dumped to disk, causing any access to the database to freeze while the backup runs. This is firstly unnecessary and secondly may cause emails that arrive during the backup to bounce, depending on the MTA settings. A simple

    mysqldump --single-transaction -p <database> > <dumpfile>

will start a good dump of the database.

10.2.2 Binary data dump via LVM Snapshotting

This technique uses the LVM Snapshot feature to effectively freeze a binary view of the database files while the database keeps running. This frozen view is then simply binary-copied to a remote server. This works because InnoDB makes sure that a single snapshot of a database will always be coherent, i.e. it will be able to recover the database when MySQL is started up on this dataset. As setting up LVM and configuring LVM for snapshots is a complex process, we refer the user to the LVM documentation and tools on how to set up an LVM volume for the MySQL data and how to create and delete snapshot partitions.

10.2.3 Attachments backup

When using the att
36. you probably want the installation not to install the Zarafa Updater Service. The following options can be used to achieve that:

ADDDEFAULT=Client
    This will make the installer only install the Outlook Client part and not the Updater Service. To install this feature too, add Updater to this option.

APPDIR="D:\Zarafa Client"
    To change the default installation path, use the APPDIR variable. Leave this option out to install in the Program Files directory as normal.

/q
    Make the installation quiet. No graphical interface will be shown. To show progress of the installation, use the modifier b for a basic GUI or r for a reduced GUI. If you show the full GUI (f modifier), it will be interactive.

Run msiexec to see a list of other options that can be used. For a typical automated installation, use the following command:

    msiexec /i zarafaclient-en.msi ADDDEFAULT=Client /q

For an automated installation you must use the zarafaclient-en.msi file. This installer contains the English language only and is specially created for this feature.

6.5 Running ZCP Services with regular user privileges

Normally the Zarafa services are run as root. Since version 5.0 there is the option to change the user the service runs as and still start the services as root. However, there are several things to do before the services can correctly run as a non-root user. If the log method is set to file, make sure this directory and file are writable by the user or
37. zarafa-monitor program checks every hour by default for users who have exceeded a quota level, and sends emails to a user when the warning or soft quota limit is exceeded. Global quota settings can be set in the server configuration. User-specific levels can be set via zarafa-admin when using the DB or UNIX plugin, or by editing the LDAP values as described in the User Management section.

To start the zarafa-monitor use:

    /etc/init.d/zarafa-monitor start

or:

    zarafa-monitor -c /etc/zarafa/monitor.cfg

The zarafa-monitor will daemonise, so the prompt will return almost immediately. Use -F to start it in the foreground. More information about the configuration options can be found in the manual page:

    man zarafa-monitor.cfg

4.8.4 Quota warning templates

When working with the zarafa-monitor, it is possible to modify the contents of the email which will be sent out when a user or company exceeds its quota. For each quota level a separate quota template can be specified; these can be configured with the following options:

    userquota_warning_template
    userquota_soft_template
    userquota_hard_template
    companyquota_warning_template

By default the templates are stored in /etc/zarafa/quotamail. In each of these templates certain variables are provided, which will be substituted with the real value before the email is sent:

ZARAFA_QUOTA_NAME
    The name of the user or company who exceeded the quota.
38. [Figure 8.4: Hide a user from the Global Address Book using Active Directory]

The internal SYSTEM user and the Everyone group can be hidden in the /etc/zarafa/server.cfg.

8.4.3 User management from OpenLDAP

8.4.3.1 Creating users using OpenLDAP

Users and groups can be created by using a standard OpenLDAP administration tool, for example phpldapadmin or the Windows tool ldapadmin. To configure Zarafa-specific information for the user, the objectClass zarafa-user has to be added to the user. Adding this objectClass enables you to add Zarafa attributes to the user, like quota settings, send-as permissions and mailbox type.

8.4.3.2 Creating groups using OpenLDAP

Groups created in OpenLDAP will be used by default as security groups in ZCP. Security groups can be used for setting permissions and for sending emails. Distribution groups can only be used for sending emails and will not be displayed when setting the security permissions on a folder. To switch a group to a distribution group, the attribute zarafaSecurityGroup has to be set to 0.

8.4.3.3 Creating contacts using OpenLDAP

The Global Address Book can be extended with contacts. Contacts are typically external
39. 6.7.2 NTLM SSO with Samba

6.7.2.1 Installing Linux software

The following software needs to be installed on the ZCP server: winbind. Depending on the Linux distribution used, this comes through various package names. On Debian use:

    apt-get install winbind

On Red Hat Enterprise Linux the samba-common package is required for this.

To enable NTLM SSO with ZCP, set the following in the /etc/zarafa/server.cfg file:

    enable_sso_ntlmauth = yes

6.7.2.2 Joining the domain

Now the server needs to join the Samba domain by executing the following command:

    net rpc join

Finish by typing the Administrator password. If successful, the prompt should give:

    Joined domain DOMAIN

The SSO configuration is now done. To test whether authentication actually works, try the following command:

    ntlm_auth --username john

Where john is a valid Samba user. The program will ask for a password. After entering the password it should say:

    NT_STATUS_OK: Success (0x0)

If this step does not work, try restarting winbind, check the DNS names, check with strace what ntlm_auth tries to do, check with tcpdump whether there is actual traffic on the network from ntlm_auth to the domain server, and use other low-level debugging tools.

6.7.3 SSO with Kerberos

6.7.3.1 Requirements and Conventions

- The server that runs ZCP must have the MIT Kerberos software installed. ZCP version 6.40.2 or higher needs to be installed for SSO with Outl
40. 64-bit hardware and OS are available. It is recommended to run on 64-bit whenever possible.

Important: Support for the ia64 architecture will be dropped in the ZCP 7.x.x cycle.

Table 2.2 Supported platforms for ZCP's back-end components

    OS Release                Supported CPU Architectures
    RHEL 4                    i386, x86_64, ia64
    RHEL 5                    i386, x86_64, ia64
    RHEL 6                    i686, x86_64
    SLES 10                   i586, x86_64, ia64
    SLES 11                   i586, x86_64, ia64
    Debian 4.0 (Etch)         i386, x86_64, ia64
    Debian 5.0 (Lenny)        i386, x86_64, ia64
    Debian 6.0 (Squeeze)      i386, x86_64
    Ubuntu 6.06 LTS (Dapper)  i386, x86_64
    Ubuntu 8.04 LTS (Hardy)   i386, x86_64
    Ubuntu 10.04 LTS (Lucid)  i386, x86_64

    deprecated: support for these distributions will be discontinued from ZCP 7.0 onward.
    beta: these distributions are in development and will be fully supported once released.

We currently build packages for SUSE 9.1 (i586), 10.0 (i586) and 10.2 (i586 and x86_64), which we do not officially support. These packages are deprecated: from ZCP 7.0 onward we will no longer build for these versions of SUSE, but only for SLES. Besides these packages that are built and shipped by us, there are several platforms supported by community-built packages, for example Fedora, Mandriva, Gentoo, Arch Linux and OpenBSD. We also have pack
41. 7.1.1 Stopping the services

To stop a service, type:

    /etc/init.d/zarafa-<servicename> stop

Most services will stop almost immediately. The zarafa-spooler may take up to 10 seconds to stop. The zarafa-server may take up to 60 seconds to stop.

7.1.2 Reloading service configuration

Some options can be modified and reloaded by the service in a live environment. The options that can be reloaded are described in the manual page of the service configuration file. For example, for the zarafa-server type the following command to get the configuration manual page:

    man zarafa-server.cfg

The reloading section lists all the options that can be reloaded for that service. To make a service reload its configuration file, type:

    /etc/init.d/zarafa-<servicename> reload

7.2 Logging options

Each component allows the log method to be chosen in its configuration file. Two logging methods are supported: file and syslog. Normally all ZCP components log to their respective file located in /var/log/zarafa. This directory is created when the packages are installed. When this directory is not present, or not writable under the running user, services will not be able to open their log file and will print the log messages to standard output.

Log messages of the server can be configured. The following options need to be altered in the configuration file:

log_method
    How to log the messages: file, s
42. 7538 type 3 ownername test username constant rights view

The following tags are possible in the sharing line:

objectid
    The object being acted on.
type
    The MAPI type of the object (only store, folder and message are possible).
ownername
    The owner of the store the objectid is in (not necessarily the user that actually created that object).
username
    The user performing the action on the object.
rights
    The action being performed.

For the Public store the ownername will be SYSTEM in single-tenancy mode and the company name in multi-tenancy mode.

Possible actions in rights:

read
    Reading the object.
create
    Creating a new object.
edit
    Editing an existing object, e.g. altering properties, but also adding or removing recipients and attachments.
delete
    Deleting (softdelete) or moving the object.
create folder
    Creating a new folder.
view
    Reading the folder hierarchy or contents tables.
folder permissions
    Altering the permissions on a folder.
owner
    submitMessage, finishMessage, abortSubmit: sending email actions in someone else's store is never permitted unless you are the owner.
admin
    Unused; will never actually be printed.

7.3.1.5 Log parsing

When a user is accessing a delegate store or folder, an entry is written to the audit log. To get a more user-friendly overview of which delegate folders are accessed, the audit log can be parsed. The following command will parse the logfile and make the outpu
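As an added example, and not the manual's own parsing tool, the following Python reads security-log lines of the two shapes shown in 7.3.1.3 (authentication) and 7.3.1.4 (sharing actions) and flags repeated authentication failures per user and source, SSO "spoofed" delegations, denied sharing actions and access to the Public store. The sample lines are constructed; their key='value' quoting is an assumption about the real log layout, so the field regex may need adjusting to the actual output.

```python
import re
from collections import Counter

# Constructed sample log (not real output); tags follow the manual, quoting is assumed.
SAMPLE_LOG = """\
authenticate ok user='john' from='127.0.0.1' method='User supplied password' program='apache2'
authenticate failed user='john' from='10.0.0.5' program='apache2'
authenticate failed user='john' from='10.0.0.5' program='apache2'
authenticate failed user='john' from='10.0.0.5' program='apache2'
authenticate spoofed user='john' requested='test' from='192.168.50.178' method='kerberos sso' program='OUTLOOK.EXE'
access allowed objectid=387538 type=3 ownername='test' username='constant' rights='view'
access denied objectid=387538 type=3 ownername='test' username='constant' rights='delete'
access allowed objectid=387540 type=3 ownername='SYSTEM' username='john' rights='read'
"""

AUTH_RE = re.compile(r"^authenticate (?P<result>ok|failed|spoofed)\s+(?P<fields>.*)$")
ACCESS_RE = re.compile(r"^access (?P<result>allowed|denied)\s+(?P<fields>.*)$")
# key='quoted value' or key=bareword
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_fields(text):
    """Turn "k='v' k2=v2" into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(text)}


def parse_line(line):
    """Return a dict for an authentication or sharing line, None for anything else."""
    for kind, pattern in (("auth", AUTH_RE), ("access", ACCESS_RE)):
        m = pattern.match(line)
        if m:
            rec = {"kind": kind, "result": m.group("result")}
            rec.update(parse_fields(m.group("fields")))
            return rec
    return None


def analyse(log_text, fail_threshold=3):
    """Summarise the events an administrator would want to review."""
    failures = Counter()   # (user, from) -> number of failed logins
    sso_delegations = []   # (authenticated user, requested store, from)
    denied = []            # (username, ownername, rights, objectid)
    public_store = []      # (username, rights, objectid) with ownername SYSTEM
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "auth":
            if rec["result"] == "failed":
                failures[(rec.get("user"), rec.get("from"))] += 1
            elif rec["result"] == "spoofed":
                sso_delegations.append((rec.get("user"), rec.get("requested"), rec.get("from")))
        else:
            if rec["result"] == "denied":
                denied.append((rec.get("username"), rec.get("ownername"),
                               rec.get("rights"), rec.get("objectid")))
            if rec.get("ownername") == "SYSTEM":  # Public store in single-tenancy mode
                public_store.append((rec.get("username"), rec.get("rights"), rec.get("objectid")))
    bursts = {key: n for key, n in failures.items() if n >= fail_threshold}
    return {
        "failed_auth_bursts": bursts,
        "sso_delegations": sso_delegations,
        "denied_sharing": denied,
        "public_store_access": public_store,
    }


if __name__ == "__main__":
    for section, items in analyse(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```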
43. RAM size, so that Zarafa's Cell Cache can also be set to this value.

9.2.5 MySQL innodb_log_file_size

The innodb_log_file_size is the size of the transaction log. By default there are two logfiles. The preferred size for innodb_log_file_size is 25% of the innodb_buffer_pool_size.

9.2.6 MySQL innodb_log_buffer_size

The innodb_log_buffer_size is the size of the buffer that InnoDB uses to write to the log files on disk. A large log buffer allows large transactions to run without a need to write the log to disk before the transactions commit. If big transactions are present, making the log buffer larger will save disk I/O. This value should be 25% of the innodb_log_file_size.

9.2.7 MySQL query_cache_size

The MySQL query cache is normally disabled. Enabling the query cache can give a small performance increase, but increasing it to more than a few MB is not necessary, as most recurring SQL queries are rather small.

9.2.8 Setup of modules on different servers

There are several parts of the Zarafa server that can be hosted on different servers. In fact, almost each part of the server can be run on a different system. However, in practice splitting all modules of the server over different servers will not increase performance. The main parts that should be considered are:

    Server1: MySQL server
    Server2: Zarafa server
    Server3: MTA, AntiSpam, AntiVirus
    Server4: WebServer

If these 4 parts w
44. ZARAFA_QUOTA_COMPANY
    The name of the company to which the user belongs.
ZARAFA_QUOTA_STORE_SIZE
    When a user exceeds his quota, this variable contains the total size of the user's store. When a company exceeds its quota, this variable contains the total size of all stores (including the public store) within the company space.
ZARAFA_QUOTA_WARN_SIZE
    The quota warning limit for the user or company.
ZARAFA_QUOTA_SOFT_SIZE
    The quota soft limit for the user or company.
ZARAFA_QUOTA_HARD_SIZE
    The quota hard limit for the user or company.

Variables containing a size always include the size unit (B, KB, MB, GB) as part of the variable.

4.9 Configure Zarafa Indexer

The zarafa-indexer service, introduced in ZCP 6.40, offers full-text searching capabilities for the Zarafa Server. The service will periodically index all mails (and optionally their attachments) from the server. When searching for a particular mail, the time required to find the requested emails will be seriously reduced. When attachment indexing is enabled, it is even possible to index the contents of attached files for common file types.

4.9.1 Enabling indexing service

To start the indexing service, execute the following command:

    /etc/init.d/zarafa-indexer start

To enable the full-text searching, edit the /etc/zarafa/server.cfg configuration file:

    index_services_enabled = yes

During searching, the zarafa-server will connect to the zarafa-indexer service. To set th
45. [Figure 6.1: LDAP tree, multi-tenant environment]

Change the following lines in the LDAP configuration file to configure the multi-tenancy support:

    ldap_company_unique_attribute = ou
    ldap_companyname_attribute = text
    ldap_company_scope = sub

Test the settings by using zarafa-admin --list-companies and zarafa-admin -l. If no companies or users are shown, please check the Zarafa server log file for errors. Setting the loglevel to 6 in the /etc/zarafa/server.cfg will display all LDAP queries by the Zarafa server and possible errors.

With multi-tenancy support enabled, it is not only possible to have different organizations on a single server; more advanced settings can be configured as well, like cross-organization mailbox delegation, different administrator levels and organization quota levels. See the zarafa-ldap.cfg man page for more detailed information about these multi-tenancy LDAP features:

    man zarafa-ldap.cfg

6.2.2.5 Public stores

Once the server has been correctly started, stores can be created. There are two types of stores: private and public stores. There can only be one public store per company space. When creating a company, the public store will be created simultaneously. If for some reason the public store for the specific company is not created, the public store
46. LDAP condition examples

For both addresslists and dynamic groups an LDAP filter needs to be specified. For example, the Global Address Book contains Dutch and German users. It is possible to view these users per country by creating two addresslists in the LDAP tree. All German users have the domain example.de in the mail address and all the Dutch have example.nl. In this situation the condition (mail=*@example.de) is used for the addresslist German and (mail=*@example.nl) for the addresslist Dutch.

Any combination of LDAP attributes is applicable. The following example selects everyone that is a Zarafa administrator and has the character p in the cn value:

    (&(cn=*p*)(zarafaAdmin=1))

This example selects all users with mail address piet@example.com or klaas@example.com:

    (|(mail=piet@example.com)(mail=klaas@example.com))

8.6 Resource configuration

ZCP supports automatic booking of resources like beamers, rooms or other equipment. To create a resource, add a new non-active mailbox, or select the resource user type in Active Directory or OpenLDAP. Before a resource can be booked by users, the resource has to be configured to automatically accept meeting requests. The automatic acceptance of meeting requests can be configured in two ways: by using the zarafa-admin tool or by using the Outlook client. To configure the resource from Outlook, use the following steps:

Make the resource temporari
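As an added example, not part of the manual, the following Python evaluates addresslist and dynamic-group conditions like the ones above against a small constructed directory, so a filter can be checked for the users it will select before it is stored in the LDAP tree. It implements only the subset of LDAP filter syntax (RFC 4515) these conditions use (&, |, !, equality with * wildcards, presence); the entries, and matching values case-insensitively as caseIgnore attributes such as cn and mail do, are assumptions.

```python
import re

# Constructed directory entries; attribute names are stored lower-cased, values as lists.
DIRECTORY = [
    {"uid": ["piet"], "cn": ["Piet Jansen"], "mail": ["piet@example.com"], "zarafaadmin": ["1"]},
    {"uid": ["klaas"], "cn": ["Klaas de Vries"], "mail": ["klaas@example.nl"], "zarafaadmin": ["0"]},
    {"uid": ["marie"], "cn": ["Marie Bakker"], "mail": ["marie@example.nl"]},
    {"uid": ["hans"], "cn": ["Hans Mueller"], "mail": ["hans@example.de"], "zarafaadmin": ["1"]},
    {"uid": ["anna"], "cn": ["Anna Schmidt"], "mail": ["anna@example.de"]},
]


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("expected ')' at position %d" % i)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one filter")
        return (op, children), i + 1
    j = s.find(")", i)  # assumption: values in this subset never contain ')'
    if j < 0:
        raise ValueError("unterminated filter")
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError("only attr=value filters are supported")
    return ("=", attr.lower(), value), j + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _value_matches(pattern, value):
    # '*' is the only wildcard; everything else is matched literally, case-insensitively.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of lower-cased attr -> list of values)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = entry.get(attr, [])
    if pattern == "*":  # presence filter: attribute has at least one value
        return bool(values)
    return any(_value_matches(pattern, v) for v in values)


def select(filter_text, entries):
    """Return the uids of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ("(mail=*@example.de)", "(mail=*@example.nl)",
              "(&(cn=*p*)(zarafaAdmin=1))",
              "(|(mail=piet@example.com)(mail=klaas@example.com))"):
        print(f, "->", select(f, DIRECTORY))
```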
47. Indexer configuration

During indexing, the index file for each store is stored on the hard disk. The location of these files can be configured in /etc/zarafa/indexer.cfg:

    index_path = /var/lib/zarafa/index

Beneath this folder a subfolder will be created for each Zarafa server within the environment. Beneath these folders each store will receive its own folder containing the index files.

Important: Files and folders within this index path should not be touched while the indexer is running. If a store must be re-indexed, the zarafa-indexer must be halted first, before deleting the folder for that particular store.

The zarafa-indexer service can use the streaming synchronization offered by the zarafa-server for fast synchronization of messages, at the expense of higher memory consumption. To enable streaming, ensure that the configuration option is enabled:

    index_sync_stream = yes

If this option is enabled, the enhanced ICS option in /etc/zarafa/server.cfg must be enabled as well:

    enable_enhanced_ics = yes

These options are both enabled by default and normally there is no reason to disable them.

The indexing interval can be configured in /etc/zarafa/indexer.cfg:

    index_interval = 5

This interval should be provided in minutes. When this value is increased, the delay between receiving the mail and its visibility in search results will also be increase
48. URL /Microsoft-Server-ActiveSync to the index.php file in the z-push directory. This can be done by adding the following line to the httpd.conf file:

    Alias /Microsoft-Server-ActiveSync /var/www/html/z-push/index.php

Make sure that the line is added to the correct part of the Apache configuration, taking care of virtual hosts and other Apache configuration.

Important: It is not possible to simply rename the Z-Push directory to Microsoft-Server-ActiveSync. This will cause Apache to send redirects to the PDA, which will definitely prevent proper synchronization.

Lastly, make sure that PHP has the following settings:

    php_flag magic_quotes_gpc off
    php_flag register_globals off
    php_flag magic_quotes_runtime off
    php_flag short_open_tag on

Set this in the php.ini or in a .htaccess file in the root directory of Z-Push. If not set up correctly, the PDA will not be able to login correctly via Z-Push. Reload Apache to activate these changes.

5.5.4 Mobile Device Management

Users can remote-wipe their own mobile devices from the ZCP WebAccess without interaction of the system administrator. The Mobile Device Management (MDM) plugin can be downloaded at http://www.zarafa.com/integrations/mobile-device-management-plugin. The system administrator can remote-wipe devices from the command line using the z-push-admin tool.

5.5.5 Upgrade

Upgrading to a newer Z-Push version follows the same path a
... LDAP attribute description

This appendix will describe all available LDAP attributes available in the Zarafa schema. The Zarafa schema is available in the Active Directory integration toolkit and in the directory /usr/share/doc/zarafa. Please keep in mind that the Zarafa LDAP configuration files are very flexible, so these attributes are not in all cases used.

zarafaQuotaOverride
    This attribute is used to override the default quota which is configured in /etc/zarafa/server.cfg. This attribute always needs to be enabled to use a custom quota setting.
    OID: 1.3.6.1.4.1.26278.1.1.1.1
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaQuotaWarn
    This attribute contains the warning quota level in MB.
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaQuotaSoft
    This attribute contains the soft quota level in MB.
    OID: 1.3.6.1.4.1.26278.1.1.1.3
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaQuotaHard
    This attribute contains the hard quota level in MB.
    OID: 1.3.6.1.4.1.26278.1.1.1.4
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaUserDefaultQuotaOverride
    This attribute will override the system-wide quota settings for all users of the company.
    OID: 1.3.6.1.4.1.26278.1.1.1.5
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaUserDefaultQuotaWarn
    This attrib
... SMTP addresses and can be used as members of distribution lists. Contacts must have the same unique attribute as users. Please check the ldap_unique_user_attribute in the ldap.cfg for the correct attribute.

8.4.3.4 Configuring sendas permissions using OpenLDAP

Sendas permissions can be configured both on users and contacts. The users or groups that should be able to sendas a specific address need to be added in the sendas privilege list. To check whether the permissions are correctly set, use:

    zarafa-admin --list-sendas <username>

For example:

    zarafa-admin --list-sendas helpdesk
    Send-as list (1) for user helpdesk:
        Username        Fullname

The users that have the sendas permissions should now be able to add the other address in the FROM field and sendas this account.

Since ZCP 6.40 the sendas system has changed. Configuring the sendas permissions is the other way around compared to previous Zarafa versions: sendas permissions now have to be configured on the user which is selected as the FROM address. See Section 3.3.1 "From 6.30 to 6.40" for converting the sendas permissions. Groups can now also be used for setting sendas permissions.

Note: When using groups for the sendas permissions, make sure the ldap_sendas_attribute_type is set to dn. See the following LDAP configuration:

    ldap_sendas_attribute = zarafaSendAsPrivilege
    ldap_sendas_attribute_type = dn
    ldap_sendas_relation_attribute =
    ... Storing attachments outside the database
    4.3.3 SSL connections and certificates
    4.4 Configure the License Manager
    4.5 Configure the Zarafa Spooler
    4.5.1 Configuration
    4.6 Configure Zarafa Caldav
    4.6.1 SSL/TLS
    4.6.2 Calendar access
    4.7 Configure Zarafa Gateway (IMAP and POP3)
    4.7.2 Important notes
    4.8 Configure Zarafa Quota Manager
    4.8.1 Setup server-wide quota
    4.8.2 Setup quota per user
    4.8.3 Monitoring for quota exceeding
    4.8.4 Quota warning templates
    4.9 Configure Zarafa Indexer ........................................ 33
    4.9.1 Enabling indexing service
ZCP 6.40 (build 34695)
Zarafa Collaboration Platform
The Administrator Manual
Edition 2.0

Copyright 2011 Zarafa BV.

The text of and illustrations in this document are licensed by Zarafa BV under a Creative Commons Attribution-Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at the creativecommons.org website. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.

Linux is the registered trademark of Linus Torvalds in the United States and other countries. MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries. Red Hat, Red Hat Enterprise Linux, Fedora and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Ubuntu and Canonical are registered trademarks of Canonical Ltd. Debian is a registered trademark of Software in the Public Interest, Inc. SUSE and eDirectory are registered trademarks of Novell, Inc. Microsoft Windows, Microsoft Office Outlook, Microsoft Exchange and Microsoft Active Directory are registered trademarks of Microsoft Corporation in the United States and/or other countries. The trademark BlackBerry is owned by Research In Motion Limited and is regist
    ..._socket = file:///var/run/zarafa

Deploy all certificates to the different multi-server nodes:

    scp -r /etc/zarafa/ssl /etc/zarafa/sslkeys root@node2:/etc/zarafa/

Remember to copy the root CA to the different nodes if this file is placed outside the directories that have just been copied. Repeat the above steps to configure the server.cfg and dagent.cfg on all the different nodes. On RedHat based nodes, also add the root CA to the CA bundle.

When done, test remote delivery with:

    zarafa-dagent -v -c /etc/zarafa/dagent.cfg <username_on_other_node>
    Subject: test email

    Test
    <ctrl-d>

This delivery should not result in any delivery errors; otherwise, please check the created certificates. It's now possible to deliver email from a central MTA to the different multi-server nodes.

The client SSL certificates can be used for the following tools to connect to a remote Zarafa server:

    zarafa-dagent
    zarafa-spooler
    zarafa-backup
    zarafa-restore
    zarafa-admin

For advanced multi-server environments and the best Zarafa configuration for a specific setup, the Zarafa Professional Services are open for advice and support.

6.4 Zarafa Windows Client Updater

ZCP contains a mechanism that allows Zarafa Windows Clients to update themselves to the latest version. The Zarafa Windows Client Updater is only available to those running the ZCP Professional or Enterprise edition Zarafa server. Containi
...aContainsPublic attribute enabled. Currently the Public Store can be created on only one server. See Section 6.3.2 "Prepare/setup the LDAP server for multi-server setup" for more information. The Public store is by default accessible and writable for all users. Please review the permissions before starting to use the Zarafa system.

8.2 General usage of Zarafa admin tool

ZCP offers the zarafa-admin administration tool for managing users and groups. When using the DB plugin, the tool can be used to create or delete users and groups. When using the unix or ldap plugin, the tool can't be used for creation of users and groups, but the tool can still be used to get more information about users and groups.

All available users or groups can be displayed by using the following commands:

    zarafa-admin -l
    zarafa-admin -L

To display more information of a specific user, use:

    zarafa-admin --details john
    Username:           john
    Fullname:           John Doe
    Emailaddress:       j.doe@example.com
    Active:             yes
    Administrator:      no
    Address book:       Visible
    Last logon:         03/25/11 19:50:29
    Last logoff:        03/25/11 19:50:29
    Quota overrides:    no
    Warning level:      1024 MB
    Soft level:         2048 MB
    Hard level:         3072 MB
    Current store size: 462 MB
    Groups (1):
        Everyone
        Sales team

To display more information of a specific group, use:

    zarafa-admin --details sales --type group
    Groupname:      sales
    Fullname:       sales
    Emailaddress:
    Address book
...able for a client, zarafa-server will send the update to the client machine to update itself with the latest client version. By default clients communicate with the server over HTTP on port 236 (HTTPS on port 237), unless a non-default port is specified in the server.cfg. Clients send a request to download a virtual file which provides the most current version of the client available on the server. The client communicates with the server using an encrypted message format. This prevents misuse of this mechanism for any malicious intent. If the default profile is set to use encryption via port 237, the root CA certificate needs to be installed on the desktop used.

6.4.2 Client side configuration

The Zarafa Windows Client's auto-update mechanism consists of an application to start the auto-update process, by the name of ZarafaLaunchUpdater.exe, and a Windows service known as ZarafaUpdaterService.exe (Zarafa Updater service).

[Figure 6.8: Auto-update structure (Zarafa server machine running the Zarafa server; PC with Zarafa Client running the Zarafa Launcher application and the Zarafa Updater service)]

The Launch Updater application will be launched at Windows startup. The command to run the application is placed in the registry here:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This application will find out the client's current version from the following registry key:

    HKEY_LOCAL_MACHINE\Software\Zarafa\Client\Version

Th
...able for administrative users. Administrators can browse the folders or delete the deleted stores completely by removing the corresponding folder from the "Deleted stores" folder. This is relevant for all user plugins.

More information about all options of the zarafa-admin can be found in the man page:

    man zarafa-admin

8.3 Users management with DB plugin

By default the DB plugin will be used as user management plugin. Below is described how to manage users with the zarafa-admin command. For user management with the LDAP user plugin, please see Section 8.4 "User Management with LDAP or Active Directory". At the moment ZCP doesn't provide a graphical or web-based user management interface.

8.3.1 Creating users with DB plugin

To create a new user, use the following command:

    /usr/bin/zarafa-admin -c <user name> -p <password> -e <email> -f <full name> -a <administrator>

The fields between <> should be filled in as follows:

    User name: The name of the user. With this name the user will log on to the store.
    Password: The password in plain text. The password will be stored encrypted in the database.
    Email: The email address of the user. Often this is <user name>@<email domain>.
    Full name: The full name of the user. Because the full name will contain space characters and maybe other non-alphanumeric characters, the name should be entered with quotes.
    Administrator: This value should be 0 or
...ache configuration if an error is displayed.

Synchronization problems

If synchronization problems are encountered, a debug.txt file has to be created in the root directory of Z-Push. This file should be writeable by the Apache server process:

    touch /var/www/z-push/debug.txt
    chmod 777 /var/www/z-push/debug.txt

The debug.txt file will collect debug information about the synchronisation. To obtain a complete synchronization log, the file wbxml.php has to be edited and the parameter WBXML_DEBUG set to true:

    define('WBXML_DEBUG', true);

Important: The debug.txt logfile contains sensitive data and should be protected so it cannot be downloaded from the internet. To protect the debug.txt logfile, a .htaccess has to be created in the z-push root directory containing:

    <Files debug.txt>
        Deny from All
    </Files>

Log messages

Repeatedly "Command denied: Retry after sending a PROVISIONING command": most probably the mobile device does not support provisioning. The LOOSE_PROVISIONING parameter should be enabled in the configuration. If the messages continue, the ActiveSync profile should be reconfigured on the device. If this does not help, the PROVISIONING could be disabled completely in the config file (applies to all devices). More information can be found at http://www.zarafa.com/wiki/index.php/Z-Push_Provisioning_Exceptio
...attachments storage outside the database, make sure that these attachments are also backed up. Some backup methods that can be used to back up the attachments:

    Rsync: copy all files to an external backup server or an externally attached hard drive.
    Use of a commercial backup agent for Linux, like SEP, Bacula, Arkeia or others.

10.3 Brick-level backups

The commercial editions of ZCP provide a brick-level backup tool. This tool will create a backup of the mailboxes to separate files. The second time a backup is performed, only the changed and new items are added to the backup. Please note that this kind of backup is not meant for disaster recovery. Only items are written in the backup. No information about the users, or specific information the user creates like rules, is backed up.

10.3.1 Backup format

The backup tool creates 2 files for each mail store: a data file and an index file. The index file contains information about folders, the hierarchy and messages. The fields are colon-separated. There are 3 types of entries in the index file, which are R, C and M. The R stands for Root and is always the first and the only R entry in the index. It contains a key which folders use as their parent key to denote that they are directly connected to the root container of the store. The C stands for Container, which can be any type of folder. It has 2 keys: one parent, and one to identify the container itself. It als
...ackup Tools (zarafa-backup, zarafa-restore): Brick-level backup tools to create simple backups of stores and to restore part of those backups at a later point in time. This part is only available in Zarafa commercial editions.

Zarafa Indexer: Optional service to provide full-text indexing. This offers fast searching through email and attachments.

Apache: Serves web pages of the WebAccess to the user's browser.

PHP: The WebAccess is written in this programming language.

PHP MAPI extension: Module for PHP to enable use of the MAPI layer. Through this module MAPI functions are made accessible for PHP developers. This effectively means that MAPI web clients can be written. The WebAccess is such a client.

For connectivity with mobile devices we recommend using Z-Push (see Section 5.5 "Configure Z-Push (Remote ActiveSync for Mobile Devices)"), an open source implementation of the ActiveSync protocol. For older mobile devices and mobile devices that do not support the ActiveSync protocol, we ship the Zarafa WebAccess Mobile (zarafa-webaccess-mobile), which provides a basic web interface with limited functionality. Please note that this component is deprecated and will probably be removed from a future version of ZCP.

    http://z-push.sourceforge.net

1.4 Protocols and Connections

All applications which directly connect to the Zarafa Server use MAPI in SOAP to do so (see the Architecture Diagram). Even
.../etc/zarafa/server.cfg to enable safe mode:

    user_safe_mode = yes

Check the server logfile after starting the Zarafa Server for detection of user changes. If no users are recreated or deleted, the configuration file is correct and user_safe_mode can safely be disabled. If safe mode is enabled, it is possible that users don't have access to the public folder. Please disable safe mode if this is the case.

3.4 Finalizing the upgrade

After the new configuration options have been checked, the services can be started again:

    /etc/init.d/zarafa-server start
    /etc/init.d/zarafa-spooler start
    /etc/init.d/zarafa-licensed start

The optional services can also be started again:

    /etc/init.d/zarafa-dagent start
    /etc/init.d/zarafa-gateway start
    /etc/init.d/zarafa-ical start
    /etc/init.d/zarafa-indexer start
    /etc/init.d/zarafa-monitor start

In the community edition the package zarafa-licensed is not needed, though in order to have Outlook support in the community edition the zarafa-licensed daemon has to run.

Since upgrades usually include a changed php-mapi extension, the webserver has to be restarted as well:

    /etc/init.d/apache2 restart
    /etc/init.d/httpd restart

Chapter 4. Configure ZCP Components

Most ZCP and 3rd party components are configured by a configuration file. This section explains the most common options that are set to get these components up and running. It is important to note
...ages in the Canonical Partner Repository. Please have a look at our wiki page on this topic for more information.

Table 2.3: Supported platforms for ZCP's Windows Client, Migration Tool and ADS Plugin

    MS Windows Release      Supported CPU Architectures
    Windows Server 2008     32bit, 64bit
    Windows 7               32bit, 64bit

These are the supported Microsoft Windows platforms for the components that require a Windows platform, namely the Windows Client, the Migration Tool and the ADS Plugin.

Note: The Migration Tool is currently not available for 64bit platforms.

Supported browsers by ZCP's WebAccess

Officially we support Mozilla Firefox 3.0 up to the latest version and Internet Explorer version 6 to 9. We recommend Firefox as it is more secure and performs better. Although not officially supported, most modern browsers are known to simply work with the Zarafa WebAccess.

    https://fedoraproject.org/wiki/Zarafa
    http://en.gentoo-wiki.com/wiki/Zarafa
    http://aur.archlinux.org/packages.php?ID=31174
    http://openports.se/mail/zarafa/zarafa
    http://www.zarafa.com/wiki/index.php/Install_Zarafa_from_Ubuntu_Repository

Dependencies

Two Firefox add-ons are available on the Firefox Add-ons website. The first adds drag-and-drop functionality and is developed by Zarafa itself. The second add-on features a new mail indicator for Firefox.

Supported Microsoft Outlo
    ...arafa
    sslkey_file = ssl/cert
    sslkey_pass = pass

    [Servers]
    server_alias1 = https://server1:237/zarafa

    [Mapping]
    user1 = https://server2:237/zarafa
    user2 = server_alias1

    [Logging]
    log_file = /var/log/zarafa/msr.log

8.7.5.1 Connection Section

The Connection section contains information on how to connect to a particular node in the multi-server cluster.

Table 8.2: Connection section options

    Option          Default value               Description
    serverpath      file:///var/run/zarafa      Path to the server. Can be any node in the cluster.
    sslkey_file                                 Path to the SSL key file.
    sslkey_pass                                 Password for the SSL key specified with sslkey_file.

8.7.5.2 Servers Section

The Servers section is an optional section that contains a list of server aliases. These aliases can be used in the Mapping section when a lot of mailboxes are relocated to the same server. The Servers section has no predefined options. Instead, the format is:

    server_alias = server_path

As many items as needed can be placed in this section.

8.7.5.3 Mapping Section

The Mapping section contains the list of usernames and the destination node for their mailboxes. The destination node can be a full server path or an alias specified in the Servers section. The Mapping section has no predefined options. Instead, the format is:

    username = destination_node

As many items as needed can
...are present. As an example, the configuration options needed to edit in the dagent.cfg file are as follows:

    server_socket = https://<name-or-ip-address>:237/zarafa
    sslkey_file = /etc/zarafa/ssl/client.pem
    sslkey_pass = <ssl-client-password>

Enter the correct name or IP address in the server_socket option. If another port number for the SSL connections on the server is used, enter the right port number as well. Replace the password with the password used while creating the certificate.

Copy the client-public.pem file to the server location:

    mkdir /etc/zarafa/sslkeys
    mv client-public.pem /etc/zarafa/sslkeys

Now the client knows the private key and the server knows the public key. The client can log in with this key to the server from anywhere on the network or internet. Be careful with the client.pem file: anybody who has this private key can log in to the Zarafa server and will be the internal SYSTEM user, who can do anything without restriction.

6.2 Multi-tenancy configurations

This section will provide information regarding the multi-tenancy functionality which was introduced in Zarafa 6.10. The feature is available in all editions, but only officially supported in the Professional and Enterprise editions.

6.2.1 Support user plugins

Multi-tenancy support can only be enabled when using the DB or LDAP plugin. Currently it's not possible to use the Unix plugin. When using the DB plug
...ary actions during these events, i.e. store creation and removal. Any other events can be scripted by the system administrator. This means that by default no actions are performed during group creation and group deletion.

8.4.1.2 Group membership

Zarafa synchronises users, groups and companies so that it can assign user IDs to them, but the group membership for users is never stored on the Zarafa server. This means that group membership changes are real-time as well, and the Zarafa server will query group membership for a user (or a user list for a group) directly from the LDAP server. How the mapping between group members and users is done will be discussed later.

8.4.1.3 LDAP server dependency

Due to the fact that the Zarafa users database doesn't actually hold the user or group information, but only a reference to the LDAP server, the Zarafa server cannot function without a running and accessible LDAP server. If the LDAP server goes down while Zarafa is running, Zarafa tools will not be able to perform any actions, as almost all server-side actions require some kind of interaction with the LDAP server. For example, just opening an email requires a query to the LDAP server for the groups that the current user has been assigned to. Only after fetching this information can Zarafa determine whether the current user has the access rights to open the message.

When using OpenLDAP as an LDAP source, it's recom
...atabase format or newer.

12.3 Important changes since 4.x and 5.x

A configuration option in the server.cfg has been changed since 4.20. The option server_name has been renamed to server_bind. A configuration file with typing errors in the option names or non-existing options will render a service inoperable and it will not start. All the errors found in the configuration file will be printed.

For the 5.0 version some unused options have been removed from the server configuration. SQLite support was removed, so the option internal_path was also removed. If this option is in the server.cfg file, please remove this line before starting the zarafa-server process.

Options not set in a configuration file will keep their default value. Default values can be found in the example configuration file found in /usr/share/doc/zarafa/example-config. Alternatively, the specific manual page for the service can be read:

    man zarafa-<service>.cfg

The Zarafa services did not daemonise in versions before 5.0. However, versions 5.0 and newer do daemonise and run in the background. To revert this behavior, use the -F switch of a service to keep it running in the foreground.

Other configuration changes are found in the gateway. The defaults for the ssl_private_key_file and ssl_certificate_file have been changed. The default directory is now /etc/zarafa/gateway/ to distinguish it from the service ssl files.
...ated response, etc.), the autoresponder will only send one autoresponse message per day for any unique sender e-mail address. The autoresponder will also not respond in any of the following cases:

    Sending an out-of-office message to yourself
    Original message was to mailer-daemon, postmaster or root
    Original message was from mailer-daemon, postmaster or root

Furthermore, the autoresponder is configured by default to respond only to e-mails in which the user was explicitly mentioned in the "To" header. This means that e-mails that were received because the user was in the "Cc" header, or because the user was in a distribution group, are not responded to.

Most behaviour can be configured by editing the file /etc/zarafa/autorespond. This file contains the following settings, which will be used for all autorespond messages server-wide:

    AUTORESPOND_CC=0
        Set this value to 1 to allow autoresponding to messages in which the recipient was only stated in the "Cc" header.

    AUTORESPOND_NORECIP=0
        Set this value to 1 to autorespond to all messages, even if the recipient is not stated in any header, for example when the email was directed at a mailing list or group.

    TIMELIMIT=$[24*60*60]
        Sets the minimum number of seconds between autoresponses to the same e-mail address.

The following settings normally do not need to be modified:

    SENDDB=$TMP/zarafa-vacation-$USER.db
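The decision rules described above (self-check, mailer-daemon/postmaster/root in either direction, To-only unless AUTORESPOND_CC or AUTORESPOND_NORECIP is set, and the TIMELIMIT rate limit per sender), as an added Python illustration that is not the code of the /etc/zarafa/autorespond script; the sender database is a plain dict standing in for the SENDDB file, and the sample messages are constructed.

```python
"""Decision logic of the Zarafa out-of-office autoresponder as the manual
describes it.  Added example, not the /etc/zarafa/autorespond script itself."""

import email
from email.utils import getaddresses, parseaddr

# Defaults as listed for /etc/zarafa/autorespond; a deployment reads the file.
SETTINGS = {"AUTORESPOND_CC": 0, "AUTORESPOND_NORECIP": 0, "TIMELIMIT": 24 * 60 * 60}

# Local parts that never receive or trigger an autoresponse.
SYSTEM_MAILBOXES = {"mailer-daemon", "postmaster", "root"}


def _localpart(addr):
    return addr.split("@", 1)[0].lower()


def _addresses(msg, header):
    """All addresses in a header, lower-cased, empty entries dropped."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]


def should_autorespond(raw_message, user_addr, now, db, settings=SETTINGS):
    """Return (decision, reason).  `db` maps sender address -> last reply
    timestamp (the role of SENDDB) and is updated only when replying."""
    msg = email.message_from_string(raw_message)
    user_addr = user_addr.lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    to_addrs = _addresses(msg, "To")
    cc_addrs = _addresses(msg, "Cc")

    if not sender or sender == user_addr:
        return False, "message to yourself or without sender"
    if _localpart(sender) in SYSTEM_MAILBOXES:
        return False, "from mailer-daemon/postmaster/root"
    if any(_localpart(a) in SYSTEM_MAILBOXES for a in to_addrs):
        return False, "to mailer-daemon/postmaster/root"

    # Recipient rule: To always; Cc only with AUTORESPOND_CC=1; any other
    # delivery path (list, group) only with AUTORESPOND_NORECIP=1.
    if user_addr in to_addrs:
        pass
    elif user_addr in cc_addrs:
        if not settings["AUTORESPOND_CC"]:
            return False, "user only in Cc"
    elif not settings["AUTORESPOND_NORECIP"]:
        return False, "user not in To/Cc (list or group delivery)"

    # Rate limit: one reply per sender per TIMELIMIT seconds.
    last = db.get(sender)
    if last is not None and now - last < settings["TIMELIMIT"]:
        return False, "already replied within TIMELIMIT"
    db[sender] = now
    return True, "autoresponse sent"


# Constructed sample messages (not from the manual).
SAMPLE_DIRECT = """From: Alice <alice@example.com>
To: john@example.com
Subject: Meeting

See you tomorrow.
"""
SAMPLE_CC_ONLY = """From: Alice <alice@example.com>
To: sales@example.com
Cc: john@example.com
Subject: Q2 numbers

Numbers attached.
"""
SAMPLE_BOUNCE = """From: MAILER-DAEMON@mx.example.com
To: john@example.com
Subject: Undelivered mail

Could not deliver.
"""


def run_demo():
    """Walk the samples through the rules; returns the list of decisions."""
    db, t0, user = {}, 1_700_000_000, "john@example.com"
    return [
        should_autorespond(SAMPLE_DIRECT, user, t0, db)[0],           # first contact: reply
        should_autorespond(SAMPLE_DIRECT, user, t0 + 3600, db)[0],    # same sender, 1h later: no
        should_autorespond(SAMPLE_DIRECT, user, t0 + 90000, db)[0],   # > 24h later: reply again
        should_autorespond(SAMPLE_CC_ONLY, user, t0, db)[0],          # user only in Cc: no
        should_autorespond(SAMPLE_BOUNCE, user, t0, db)[0],           # from mailer-daemon: no
    ]
```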
...batch indexing, the index_interval option is set to a high value. In that case, set index_merge_factor to a high value (> 10) as well. For more interactive indexing, where the index_interval is set to a low value, the index_merge_factor should be set to a low value (< 10).

The maximum buffered documents controls the maximum number of documents kept in memory before CLucene writes them into a new index file segment on the hard disk:

    index_max_buffered_docs = 10

Larger values will increase memory usage, but make the indexing process faster. Larger values also mean that fewer index segments will be written to disk, which controls how often the segments will be merged (also depending on the index_merge_factor configuration option).

The minimum number of messages in a single store which are indexed in memory before the index writer flushes the index to disk as a new index file is controlled using the index_min_merge_docs option:

    index_min_merge_docs = 10

Creating new index file segments often increases IO access to disk, but reduces the amount of memory required during the indexing process.

The maximum number of documents which can exist in an index file segment can be controlled by the index_max_merge_docs option:

    index_max_merge_docs = 2147483647

When a segment contains index_max_merge_docs documents, it will no longer be merged with other index segments. This will limit the total size of
...be placed in this section.

To relocate the public store, a special name should be used for the username:

    1. In a multi-tenant environment, the name of the tenant for which to relocate the public store must be used.
    2. In a single-tenant environment, the special name "public" must be used.

8.7.5.4 Logging Section

The Logging section is optional and contains logging-specific settings. Currently the only setting is the log_file setting, which allows an alternate log file to be selected. By default a file called zarafa-msr.log will be created in the working directory.

Chapter 9. Performance Tuning

When installing a Linux server with Zarafa, it is imperative that MySQL is correctly configured to achieve maximum performance on the server; almost all performance bottlenecks are within the database access itself, so getting the SQL queries to run as quickly as possible is very important.

For large installations it is also a good idea to tune Zarafa's cache parameters. These are normally set quite low to make sure that Zarafa can run on relatively low-end servers, but in anything but the smallest installations these defaults need to be raised. Any installation with 50 or more users should definitely tune the cache parameters for maximum performance.

This document assumes the primary role of the server is to run Zarafa. Always make sure that other factors are taken into account, for example an anti-spam system or a webserver
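A pre-flight check for the relocation configuration described in the Servers and Mapping sections above (and in the earlier example configuration): it expands aliases into full server paths and reports destinations that are neither a server path nor a known alias, so a typo is caught before any mailbox is moved. This is an added example, not code from zarafa-msr; it assumes the INI layout with [Connection], [Servers], [Mapping] and [Logging] sections as the manual describes them, and the sample configuration and its paths are constructed placeholders.

```python
"""Resolve and sanity-check a zarafa-msr style mapping before relocating.
Added example; assumes the INI section layout the manual describes."""

import configparser

# Constructed sample configuration; host names and key paths are placeholders.
SAMPLE_CFG = """
[Connection]
serverpath = file:///var/run/zarafa
sslkey_file = /etc/zarafa/sslkeys/msr.pem
sslkey_pass = placeholder-password

[Servers]
server_alias1 = https://server1:237/zarafa
archive = https://archive.example.com:237/zarafa

[Mapping]
user1 = https://server2:237/zarafa
user2 = server_alias1
public = archive
user3 = typo_alias

[Logging]
log_file = /var/log/zarafa/msr.log
"""

# Forms a destination may take when it is a server path rather than an alias.
SERVER_PATH_PREFIXES = ("https://", "http://", "file://")


def is_server_path(value):
    return value.startswith(SERVER_PATH_PREFIXES)


def resolve_mapping(cfg_text):
    """Return (resolved, errors): resolved maps username -> full server path
    with [Servers] aliases expanded; errors lists every entry that cannot be
    resolved.  The special username 'public' (single-tenant public store) is
    handled like any other name and stays visible in the result."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of usernames and alias names
    cp.read_string(cfg_text)

    aliases = dict(cp.items("Servers")) if cp.has_section("Servers") else {}
    bad_aliases = {a for a, p in aliases.items() if not is_server_path(p)}

    resolved, errors = {}, []
    for alias in sorted(bad_aliases):
        errors.append(f"[Servers] {alias}: not a server path: {aliases[alias]}")
    for user, dest in cp.items("Mapping"):
        if is_server_path(dest):
            resolved[user] = dest
        elif dest in aliases and dest not in bad_aliases:
            resolved[user] = aliases[dest]
        else:
            errors.append(f"[Mapping] {user}: unknown destination '{dest}'")
    return resolved, errors


def per_destination(resolved):
    """Count mailboxes per destination node, to spot a mapping that would
    move far more stores to one server than intended."""
    counts = {}
    for dest in resolved.values():
        counts[dest] = counts.get(dest, 0) + 1
    return counts


if __name__ == "__main__":
    resolved, errors = resolve_mapping(SAMPLE_CFG)
    for user, dest in resolved.items():
        print(f"{user:>8} -> {dest}")
    for err in errors:
        print("ERROR:", err)
```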
...be used for both options (no default logging). The Caldav component has the same configuration options as the server to configure logging options.

4.6.1 SSL/TLS

As mentioned before, the Zarafa Caldav component supports SSL/TLS; for this the OpenSSL library is used. The private key for encryption and the certificate for authentication can be set in the configuration file with ssl_private_key_file and ssl_certificate_file. The Zarafa Caldav component can also authenticate the calendar clients that try to connect to it, verifying the client certificates using one or more verification files. This can be set with ssl_verify_client, ssl_verify_file and ssl_verify_path. Certificates can be self-signed or signed by a trusted certificate authority.

The following command generates an RSA key of 2048 bytes:

    openssl genrsa -out /etc/zarafa/privkey.pem 2048

This command creates a self-signed test certificate valid for 3 years:

    openssl req -new -x509 -key /etc/zarafa/privkey.pem -out /etc/zarafa/cert.pem -days 1095

If a .cer file and a .key file are already present, you can create a .pem file from these using the following commands:

    cat my-server.key > my-server-combined.pem
    cat my-server.cer >> my-server-combined.pem

And then use the my-server-combined.pem file for ssl_private_key_file or ssl_certificate_file. Please make sure the key file is processed first and then the .cer file.

4.6.2 Calendar access

Calendar folders se
...because they will be marked as new in the other folder they were moved to. If a message was changed by the user since the last backup, the item will have a new last modification date and will be backed up again in its totality, since the backup would become unbearably slow if it would need to check all the properties of a message to see which property changed and which not. Overwriting the old message is also problematic, because the new message may be bigger than the old and it will not fit in the old space of the message.

Then, when the actual backup process starts, it will first remove the old index. The index file will then be rebuilt while the backup processes each message found in the list. The data file will be appended with the new data, keeping the old information which was still available and did not need to be stored again.

For more options of the zarafa-backup tool, use:

    man zarafa-backup

10.3.3 Restore process

In order to restore items from the zarafa-backup tool, use the zarafa-restore tool. To restore items or complete folders, find the corresponding restore key in the <user>.index.zbk file. This index file isn't humanly readable with a text editor. Instead, use the readable-index.pl perl script, which can be found in /usr/share/zarafa/zarafa-backup-helpers. To identify items, use the container name field or the subject to find the items needed to be restored:

    /usr/share/zarafa/zarafa-backup-helpers/readable
...booked.

This has the main drawback that the client needs to have write access to the calendar. This in turn means that the user doing the booking could in theory also book other appointments in the resource's calendar without adhering to the requirements (e.g. double-booking a room).

In Outlook 2010 the default booking method has changed to MR-based booking. It can be re-enabled on a per-user basis by adding the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options\Calendar
    EnableDirectBooking (DWORD) = 0x00000001

Other versions of Outlook also support the registry key for disabling direct booking. For more information, see http://support.microsoft.com/kb/982774.

8.6.2 Meeting request (MR) booking

MR booking was introduced in Zarafa 7.0.3. Attempting to use MR booking in versions prior to 7.0.3 will result in all resource meeting requests remaining unconfirmed and items not being booked in the resource's calendar.

Booking by meeting requests works exactly the same as sending a meeting request to another user. When booking the resource, a user sends a meeting request to the resource in an e-mail. The resource then receives the e-mail, checks availability and replies to the meeting request just like a human user would: the booker receives an Accepted or Declined meeting response by email. This means that when the meeting is sent to the attendees, the reso
...d. The indexing of stores can be divided over multiple threads when working in a multi-server environment. The number of index threads can be configured by changing the configuration value:

    index_threads = 1

Each thread will only index the stores from a single Zarafa server. The number of threads will thus never exceed the number of servers within the multi-server environment. For single-server environments this value should be kept at 1.

4.9.4 CLucene configuration

The zarafa-indexer uses the open source CLucene library for indexing and searching all messages in the stores. CLucene can be configured through the following configuration parameters.

By changing the maximum field length, the maximum number of words from a single message which will be indexed can be controlled. All words above the maximum will be discarded:

    index_max_field_length = 10000

This value is used to control the amount of required memory during the indexing process. When the index_max_field_length value is increased, more memory will be required during indexing.

The merge factor indicates the number of index file segments per store before CLucene merges the segments into a single file:

    index_merge_factor = 10

A low value will cause less memory to be used during indexing, but the increased IO access to disk causes the indexing process to be slower, while searching will be faster. A high value will speed up the indexing process, while searching will be slower. For
73. d PHP support, use:
    apt-get install apache2-mpm-prefork libapache2-mod-php5
If the Zarafa packages fail to install because of dependencies, please use the following command to install these dependencies:
    apt-get -f install
If Apache with PHP support is installed after the Zarafa packages have been installed, please use the following command to automatically update the PHP configuration:
    dpkg-reconfigure zarafa
2.2.3.3 Installing from Source
ZCP is not officially supported by Zarafa when built from source, yet in some situations (i.e. using ZCP on unsupported environments or when preparing patches for ZCP) it is very useful to install from source. Since most of ZCP is distributed under an open source license (AGPLv3), it is in one's right to build ZCP from source. How to exactly install ZCP from source is beyond the scope of this document. The procedure is also slightly different for each distribution and subject to change. Please have a look at our wiki (search for "from source") for the latest information regarding installation from source.
2.3 Troubleshooting Installation Issues
2.3.1 Server processes
Make sure at least MySQL 4.1 is installed. The server will only run with this version of the database server or a more recent version. If errors occur when loading libraries, or connecting to MySQL fails, the errors are printed in the log. Always check if the service was started correctly. When an invalid configuration option i
74. d setting permissions. To achieve this, the attribute here (zarafaSecurityGroup) must be set to 1. When the zarafaSecurityGroup attribute is set to 0, the group will be a distribution group. Distribution groups are only available in the Global Address Book when creating a new e-mail, but cannot be used for configuring mailbox permissions.
    ldap_group_security_attribute = zarafaSecurityGroup
    ldap_group_security_attribute_type = boolean
5.2.5 Addresslist configuration
Addresslists are groups of users that match a custom condition. These addresslists are shown as sub folders in the Global Address Book.
Figure 5.1: Addresslists in Global Address Book
Change or add in ldap.cfg the following configuration settings for the addresslist objects:
    ldap_addresslist_search_filter =
    ldap_addresslist_unique_attribute = gidNumber
    ldap_addresslist_unique_attribute_type = text
    ldap_addresslist_filter_attribute = zarafaFilter
    ldap_addresslist_name_attribute = cn
See Section 8.4, "User Management with LDAP or Active Directory" for more information on how to adminis
75. dded with:
    echo <CAL key> > /etc/zarafa/license/cal1
If more than one CAL is available, please install one CAL per file in the license directory. The filename of the CAL is of no importance. Sub folders in the /etc/zarafa/license folder are not allowed.
4.5 Configure the Zarafa Spooler
The Zarafa spooler sends e-mail from the global outgoing queue to an SMTP server, which sends the e-mail to the correct address. When an e-mail message is sent from Outlook or WebAccess, the message is placed in the Outbox folder and a submit message is sent to the Zarafa server. The server notifies the Zarafa spooler to send the e-mail to the SMTP server. The spooler will now start to convert the message to a normal e-mail message. When the conversion is complete, a connection to the supplied SMTP server is created and the e-mail is sent to the SMTP server. The spooler will send the e-mail and, after the mail is sent, will move the mail automatically to the user's Sent Items folder. If at any time an error was found, the user will be notified with an "Undeliverable" message. The message will contain an error description of which error was found. Often the user can retry to send the message. Both external and internal e-mails will be sent via the MTA.
4.5.1 Configuration
The Spooler is configured the same as the server. Options in the spooler configuration file are the name or IP address of the SMTP server, wh
76. delegate can now send mails as the updated user's name, unless the updated user set the delegate as a user-based delegate. This option is only valid with the -u update action.
    zarafa-admin -u <delegate> --add-sendas <user>
For example:
    zarafa-admin -u helpdesk --add-sendas john
Remove a user from the list of the delegate being updated as a send-as user. This option is only valid with the -u update action.
    zarafa-admin -u <delegate> --del-sendas <user>
List all users who are in the list of the delegate:
    zarafa-admin --list-sendas helpdesk
    Send-as list (1) for user helpdesk:
        Username    Fullname
                    John Doe
With the DB plugin, sendas permissions cannot be configured on groups. When both the "send on behalf of" and sendas permissions are configured on the same user, the e-mail will always be sent with "on behalf of".
8.3.6 Groups
The server supports groups. Users can belong to any number of groups. Every user always belongs to the special group Everyone. Defining security settings on folders and items is the same for both users and groups. For example, the group Everyone has read access to the Inbox of Peter. At this point every user may read the e-mail in Peter's Inbox, because all users are a member of the group Everyone. When a new Zarafa user is created, only the free/busy information is open for read access for the group Everyone by default.
8.3.6.1 Creating groups wi
77. directly loaded.
5. John sends a request to the Zarafa Server to open the mailbox of Mary.
6. The Zarafa Server (Node 1) checks the Home Server attribute of Mary in the central LDAP server.
7. The Home Server of user Mary is returned to the Zarafa Server.
8. A redirect request is sent back to the client.
9. The client sets up a connection to Node 2 to open the mailbox of Mary.
6.3.2 Prepare/setup the LDAP server for multi-server setup
The Zarafa multi-server version can only be used with the LDAP user plugin. In a multi-server setup the Zarafa Server will not only request user and group information from the LDAP server, but also information about the different multi-server nodes will be requested.
1. Setup the LDAP server using Section 5.2, "Configure ZCP OpenLDAP integration" or Section 5.3, "Configure ZCP Active Directory integration" in this manual.
2. Add in the LDAP structure a folder or organization unit for each Zarafa Server node in the multi-server setup.
Figure 6.5: Setup directory with all the multi-server nodes
3. Add all the multi-server nodes to this directory or organization unit. In Active Directory the Computer template can be used for this. When using OpenLDAP a custom LDAP object can be
78. doc/zarafa/db-convert-4.20-to-innodb.sql
Depending on the size of the database and the speed of the system, this script will take a long to very long time. Reserve up to 8 hours for this conversion to complete for a database with several gigabytes of data. If the MySQL memory settings are optimized before this script is started, it will run much faster.
db-convert-4.2x-to-5.00
This perl script upgrades the database from 4.2x to the 5.0 format. This script calculates and adds a store column to the properties table. This makes the table sorted on the disk, increasing data throughput. Execute this script as described for the db-convert-4.1-to-4.2 script. Depending on the size of the database and the speed of the system, this script might take a while, but it will probably complete within 10 to 30 minutes on a fast machine. It is advisable to start this script with screen, so this script can continue in the background.
12.2 Upgrades from 5.0 to 5.1x and up
The Zarafa 5.10 server can upgrade the database itself. It can do this from the database version which is needed in 5.0. When upgrading from 4.x installations to 5.10 or higher, the database first needs to be upgraded with the scripts described above to the 5.0 format. Then the 5.10 server can be started, which will finalize the upgrade from 5.0 to 5.10 itself. Later versions of Zarafa can always upgrade from a 5.0 d
79. e. Because all Zarafa components use the same MAPI interface to connect to the server backend, a situation can't arise with any of the Zarafa tools where the user database is out of sync. For example, delivering an e-mail to a user that was just created will never fail due to the user not existing in the Zarafa users table.
To optimise this synchronisation with very large Global Address Books in LDAP, there is an optional setting sync_gab_realtime in the server.cfg configuration file. When this option is set to no, there is no real-time synchronisation between the LDAP directory and the Zarafa server. In this case all Global Address Book entries will be retrieved from the cache of the Zarafa server. This is especially useful for setups which have large addressbooks (more than 10000 entries in the addressbook). Synchronisation between the LDAP and Zarafa server then needs to be forced with the following command:
    zarafa-admin --sync
This command can be executed on a daily or hourly basis from a cronjob.
8.4.1.1 Add/Remove events
The mechanism above creates a situation in which there are six events that can be signaled: user creation, group creation, company creation, user deletion, group deletion and company deletion. These six events can be coupled to a script (which will be described later), so that system administrators can perform specific actions on their servers with these events. By default Zarafa will only perform the absolute necess
80. e connection path, change the following configuration option:
    index_services_path = file:///var/run/zarafa-indexer
4.9.2 Users, companies and servers
By default the indexing service will index the mail from all users in all companies on all Zarafa servers within the Zarafa environment. To disable the indexing of mails from specific users, the following configuration option in /etc/zarafa/indexer.cfg can be used:
    index_block_users =
All user names which should not be indexed should be added to this configuration option. Each name must be separated with a single SPACE character. Similarly, all users from specific companies can be excluded from indexing:
    index_block_companies =
Again, all companies which should be excluded must be separated with a single SPACE character.
For multiserver installations the filter works reversed: each server which must be indexed must be configured using the option
    index_allow_servers =
If this option is empty, all servers within the environment will be included by the indexing service. All server names must be separated by a single SPACE character. Normally only a single zarafa-indexer instance is needed for a multiserver environment. For performance it is possible to run multiple instances on multiple servers. By using index_allow_servers correctly it is possible to divide the tasks over the different zarafa-indexer instances.
4.9.3
81. e Server 5 Express; however, it's recommended to use the latest BlackBerry Enterprise Server 5.
11.1.1 Software
To use BlackBerry Enterprise Server (BES) with Zarafa the following software packages are needed:
- Zarafa client 6.40.5 or higher
- Zarafa BES connector
- BlackBerry Enterprise Server 5 or BlackBerry Enterprise Server Express for MS Exchange
- Microsoft Outlook 2003 or 2007
- Microsoft CDO (part of the Office 2003 installation, or a separate download for Office 2007)
A ZCP 6.40.0 (or 6.30.18) or later server package, running and configured, is also required.
11.1.2 Authentication Preparation
A trust certificate is needed for communication between the calendaring component of BES (CalHelper.exe) and Zarafa. For normal e-mail communication all that is necessary is a user on the server with administrator privileges. An existing administrator account can be used for this, but it is also possible to create a new administrator account (normally besadmin).
To create the SSL certificate, follow the steps in Chapter 6, Advanced Configurations. One certificate is needed. Copy the private key (e.g. bes.pem) to the Windows machine running BES and place the public key (e.g. bes-public.pem) in Zarafa's /etc/zarafa/sslkeys folder.
If a self-signed certificate is being used (very likely), then Outlook MUST be started under the user account which BES is using and connect to the server once using SSL. This will pop up the SSL warning dialog whic
82. ends the messages to a file. On Linux systems syslog sends the messages to the default maillog through syslog.
log_file: When the log method is set to file, this is the variable that defines the name of the file. The server needs write access to the directory and file.
log_level: Increase the level of messages that will be logged. Level 6 is the highest level.
log_timestamp: 1 or 0. This will enable or disable a timestamp when using a file as the log method.
Logging of other services than zarafa-server is configured in the same manner as the server.
7.3 Security logging
In ZCP versions 7.0 and 6.40.7 a feature for additional security logging was added. Based on this logging, auditing can be done on the Zarafa server. This logging will contain startup messages, user authentications and access actions on delegate stores.
7.3.1 Logging items
7.3.1.1 Startup
When the server is (re)started, the following message will be printed in the security log:
    zarafa-server startup by user uid=0
The following tag is possible in the startup line:
uid: The unix user id used to start the server (not necessarily the user the server will be running as).
7.3.1.2 Signals
When the server receives a signal, the following message will be printed in the security log:
    zarafa-server signalled sig=15
The following tag is possible in the signal line:
sig: The signal the server received. See man 7 signal for a list of most common
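As an added example (not code from the manual), the following Python parses the two security-log line shapes documented in this section, extracts their name=value tags, and turns them into audit findings. The timestamp prefix and the sample lines are constructed, and the rule that a startup by any uid other than 0 is worth a look is an assumed policy, not something the manual states.

```python
import re

# Message shapes documented in section 7.3.1: a startup line carries a
# "uid=<n>" tag, a signal line a "sig=<n>" tag.  Tags share one grammar
# (name=value), so any further tags on either line are collected as well.
# A timestamp prefix (log_timestamp = 1) may precede the message, so the
# pattern is searched for rather than anchored at the start of the line.
EVENT_RE = re.compile(
    r"zarafa-server (startup by user|signalled)((?: [a-z_]+=\S+)*)"
)
TAG_RE = re.compile(r"([a-z_]+)=(\S+)")
EVENT_KINDS = {"startup by user": "startup", "signalled": "signal"}


def parse_security_line(line):
    """Return (kind, tags) for a startup or signal line, else (None, {})."""
    match = EVENT_RE.search(line)
    if not match:
        return None, {}
    tags = {}
    for name, value in TAG_RE.findall(match.group(2)):
        # uid and sig are numeric; keep anything else as text.
        tags[name] = int(value) if value.isdigit() else value
    return EVENT_KINDS[match.group(1)], tags


def audit_security_log(lines, expected_uid=0):
    """Count events and collect the findings an auditor would review.

    Assumed policy (not from the manual): the server is normally started
    by one fixed uid, so a startup by any other uid is reported; every
    signal is reported, because a signal means something outside the
    server changed its state (reload, stop or restart).
    """
    counts = {"startup": 0, "signal": 0, "other": 0}
    findings = []
    for number, line in enumerate(lines, 1):
        kind, tags = parse_security_line(line)
        if kind is None:
            counts["other"] += 1
            continue
        counts[kind] += 1
        if kind == "startup" and tags.get("uid") != expected_uid:
            findings.append(f"line {number}: startup by unexpected uid {tags.get('uid')}")
        elif kind == "signal":
            findings.append(f"line {number}: server received signal {tags.get('sig')}")
    return counts, findings


# Constructed sample log (not captured from a real server); the second
# line stands in for the authentication entries whose format this
# section does not show.
SAMPLE_SECURITY_LOG = [
    "Mon Jan  9 08:00:01 2012: zarafa-server startup by user uid=0",
    "Mon Jan  9 08:05:17 2012: (authentication entry, format not shown here)",
    "Mon Jan  9 17:30:12 2012: zarafa-server signalled sig=15",
    "Mon Jan  9 17:30:40 2012: zarafa-server startup by user uid=1001",
]

if __name__ == "__main__":
    counts, findings = audit_security_log(SAMPLE_SECURITY_LOG)
    print(counts)
    for finding in findings:
        print(finding)
```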
83. ent.pem and client-public.pem. The client.pem is the private key and will be used by a client like dagent or spooler. The client-public.pem is the public key, which is used by the server.
Move the public key to the /etc/zarafa/sslkeys directory:
    mv /etc/zarafa/ssl/client-public.pem /etc/zarafa/sslkeys
Restart the zarafa-server on all nodes to activate the new certificates:
    /etc/init.d/zarafa-server restart
To test the client SSL certificates, change the following lines in /etc/zarafa/dagent.cfg:
    server_socket = https://127.0.0.1:237/zarafa
    sslkey_file = /etc/zarafa/ssl/client.pem
    sslkey_pass = <ssl-client-password>
When the certificates have been set up, e-mail can now be delivered by using the SSL socket with the dagent's private key (in this test case on localhost):
    zarafa-dagent -v -c /etc/zarafa/dagent.cfg <username_on_this_node>
    Subject: test email

    Test
    <ctrl-d>
When connecting through SSL, the dagent will verify the private key against the root CA. On Red Hat based systems, hashed file names of the root certificates have to be generated:
    cat /etc/CA/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
This way the dagent is able to verify the private key against the CA bundle. On Ubuntu systems this step can be ignored.
If the test case is successful, it is possible to change the following value in the dagent.cfg back to server
84. ent, zarafa-admin, zarafa-monitor) need an SSL certificate to login to the different multi-server nodes. It's required to first create server-side certificates, so the Zarafa Server is able to accept SSL connections. For the SSL authentication of the Linux clients, like the zarafa-dagent, a private and public key need to be created. Follow the steps below to create both the server and client certificates.
1. First create the directory which will contain the certificates:
    mkdir /etc/zarafa/ssl
    chmod 700 /etc/zarafa/ssl
2. Create the server certificate by using the ssl-certificates.sh script in the /usr/share/doc/zarafa directory, which uses the openssl command and the CA.pl script. Before a server certificate can be created, a root CA is required. If no root CA is found, the script will first create its own CA.
    cd /etc/zarafa/ssl
    sh /usr/share/doc/zarafa/ssl-certificates.sh server
Enter a password (passphrase) if you want to use a password for the server key. If a password is set, then this password is needed later on to sign certificate requests. Then enter the certificate information. Give extra attention to the Common Name: this has to be the FQDN of the server. The challenge password at the end may be left empty.
At the end of the certificate creation the certificate needs to be signed against the CA. Accept twice the question for the signing and fill in the password of the CA agai
85. ... 93
8.2 General usage of Zarafa admin tool ... 93
8.3 Users management with DB plugin ... 95
8.3.1 Creating users with DB plugin ... 95
8.3.2 Non-active users ... 95
8.3.3 Updating user information with DB plugin ... 96
8.3.4 Deleting users with DB plugin ... 96
8.3.5 Configuring "Send as" permissions ... 96
8.3.6 Groups ... 97
8.4 User Management with LDAP or Active Directory ... 98
8.4.1 The Zarafa user synchronization principle ... 98
8.4.2 User management from ADS ... 100
8.4.3 User management from OpenLDAP ... 104
8.5 LDAP Condition examples ... 106
8.6 Resource configuration ... 107
8.6.1 Resource booking methods ... 108
8.6.2 Meeting request (MR) booking ... 109
8.6.3 Setting the resource booking method ... 110
8.7 Mailbox Storage Relocator ...
86. er list whenever a list of users is requested (e.g. during zarafa-admin or when opening the addressbook). This was the default for Zarafa 6.40.4 and earlier. When setting this value to no, synchronization will only occur during zarafa-admin --sync. This is useful for setups which have large addressbooks (more than 1000 entries in the addressbook). This option is forced to yes when using the db plugin, since synchronization is implicit in that case.
More information on the configuration options for this plugin can be found with man zarafa-ldap.cfg. For more details about configuring the LDAP plugin with OpenLDAP, see Section 5.2, "Configure ZCP OpenLDAP integration", or Section 5.3, "Configure ZCP Active Directory integration" for Active Directory.
4.3.1 Autoresponder
ZCP contains an autoresponder that can be used when a user is out of the office to reply automatically to all incoming e-mails. The autoresponder will automatically be spawned whenever an e-mail is delivered by zarafa-dagent to a store that has the Out of Office option turned ON. Users can manage the autoresponder of their own store as well as of stores to which one has at least secretary rights. Note that this includes public folders. Please refer to the User manual on how to manage these settings.
To prevent autoresponder loops (e.g. when sending automated responses to an automated response, which in turn sends an autom
87. ere to be hosted on 4 servers, each server would communicate with the others to work as a single system. This setup can be made quite easily, simply by configuring the various parts of the system to communicate with another server.
For the MySQL server, this only has to be accessed by the zarafa-server process on Server2. This can very easily be done by setting the correct login and host configuration in Zarafa's server.cfg.
The Zarafa Server will itself be contacted by Outlook Clients, Server3 (MTA) and Server4 (WebServer). This can be done because the zarafa-server process is listening on port 236 on Server2 and the other servers can connect with it.
Server3 will accept e-mail on port 25 or fetch e-mail via some e-mail protocol like POP3. After passing the e-mail through anti-spam and anti-virus, the e-mail will be passed to the zarafa-dagent process. The zarafa-dagent process can be configured to connect with an SSL certificate with Server2. This SSL certificate is required because the zarafa-dagent needs to be authenticated, because it is connecting from a different server over port 236. When this is configured in both Server3 and Server2, the e-mail can be delivered directly to Server2 by Server3.
Server4 is the WebAccess server, running Apache and accepting connections on port 80 (or 443 for SSL). The Zarafa WebAccess can be configured in config.php to connect over port 236 (or port 237 for SSL) to Server2 for the actual data. Once this has been c
88. ere to find the Zarafa server, and logging options.
smtp_server: The name or IP address of the SMTP server, which will send the e-mail to the destination. This server may also be given as an argument when starting the spooler.
server_socket: The UNIX socket of the Zarafa server. The spooler will use this socket to create a connection to the server. This value should be the same as set in the server configuration file. The default value is /var/run/zarafa.
logging: The spooler has the same configuration options as the server to configure logging options.
For an overview of all the configuration options of the zarafa-spooler, use man zarafa-spooler.cfg.
4.6 Configure Zarafa Caldav
Zarafa Caldav is a component that enables users to view their calendar data with clients that support the Caldav standard, like Sunbird or Evolution. This component connects with the Zarafa Server using MAPI (over HTTP). Caldav and iCal push and retrieve complete calendars. Sunbird and other clients support both retrieving and pushing, while Evolution only supports retrieving of calendars.
The Zarafa Caldav component can be configured using a configuration file in the same fashion as the Zarafa Server. It supports both plain and SSL/TLS secured connections. To increase security it is recommended to enable secure Caldav connectivity exclusively. The configuration options are:
server_bind: IP address to bind to. 0.0.0
89. ered in the United States and may be pending or registered in other countries. Zarafa BV is not endorsed, sponsored, affiliated with or otherwise authorized by Research In Motion Limited. All trademarks are the property of their respective owners.
Disclaimer: Although all documentation is written and compiled with care, Zarafa is not responsible for direct actions or consequences derived from using this documentation, including unclear instructions or missing information not contained in these documents.
The Zarafa Collaboration Platform (ZCP) combines the usability of Outlook with the stability and flexibility of a Linux server. It features a rich web interface, the Zarafa WebAccess, and provides brilliant integration options with all sorts of clients, including all most popular mobile platforms. Most components of ZCP are open source, licensed under the AGPLv3, and can therefore be downloaded freely as ZCP's Community Edition. Several closed source components exist, most notably the Zarafa Windows Client (providing Outlook integration), the Zarafa BES Integration (providing BlackBerry Enterprise Server connectivity), the Zarafa ADS Plugin (providing Active Directory integration) and the Zarafa Backup Tools. These components, together with several advanced features for large setups and hosters, are o
Footnotes:
4 http://creativecommons.org/licenses/by-sa/3.0/
http://www.gnu.org/licenses/agpl-3.0.html
http://www.zarafa.com/content/community
90. erver (zarafa-server): The server process accepts connections for all clients through SOAP (HTTP) and stores the data in an SQL database.
Zarafa License Manager (zarafa-licensed): The licensed process checks which features will be available, dependent on the license chosen for the Community, Standard, Professional or Enterprise edition.
Zarafa Windows Client: The Zarafa client provides access to Outlook through an interface known as MAPI. The connections with the server are handled by SOAP.
Zarafa WebAccess (zarafa-webaccess): A full-featured web interface with an Outlook look and feel, that enables users to collaborate from any computer with an internet connection.
Zarafa Delivery Agent and Zarafa Spooler (zarafa-dagent, zarafa-spooler): The tools which serve the e-mail communication with the outside world. The dagent delivers mail from the Mail Transport Agent (MTA) to a Zarafa user. The spooler sends mail waiting in the outgoing queue to the specified MTA.
Zarafa Admin (zarafa-admin): The command line administration tool is used to manage users, user information and groups.
Zarafa Gateway (zarafa-gateway): Optional service to provide POP3 and IMAP access to Zarafa users.
Zarafa Monitor (zarafa-monitor): Service which monitors user stores for quota exceeds.
Zarafa Caldav (zarafa-caldav): Optional service that provides iCal and CalDAV support. CalDAV is recommended due to speed and less data transfer.
Zarafa B
91. es.
11.3 BES Errors
Most problems arise from the following:
- Bad SSL setup on client: MAPI_E_INVALID_ARG errors in the MAGT log (bad SSL cert or password).
- Bad SSL setup on server: MAPI_E_NETWORK_ERROR errors in the MAGT log.
- Server SSL certificate not accepted for this account: MAPI_E_NETWORK_ERROR errors in the MAGT log. Fix it by starting Outlook using SSL once and connecting with all the servers in the cluster.
- MAGT log complains about the BlackBerryServer profile missing PR_PROFILE_USER or PR_PROFILE_HOME_SERVER_DN: the BES profile BlackBerryServer must be recreated using the start menu item Start > Zarafa > Zarafa exchange redirector > Create BES profile.
- MAST log complains about not being able to update the user list from the GAB: ZCP 6.40.0 (or 6.30.18) or later is required on your server.
Some hints and tricks for the ZCP BlackBerry integration can also be found on http://www.zarafa.com/wiki/index.php/Blackberry_integration.
Chapter 12. Appendix A: Pre 5.2x upgrade strategies
12.1 Database upgrades from 4.1 or 4.2
Before Zarafa can be started again, the database must be updated. There are several scripts required, depending on which version is upgraded from. Upgrade scripts are only needed when upgrading from a 5.0x version or older. The scripts are as follows:
db-convert-4.1-to-4.2
This perl script upgrades the database from 4.1 to the 4.20 format. These are changes that regard how users are stored in the da
92. fa uses the LDAP server as a source for user, group, contact and company information. In most cases the particular setup used will require other options and settings than those described in this document. It is therefore assumed that the reader has a good understanding of how LDAP trees work and how they are configured in their network. For more information, please refer to the example configurations and manual pages available on all systems on which Zarafa is installed.
8.4.1 The Zarafa user synchronization principle
In any Zarafa server there is a database holding the actual data needed while running Zarafa. Apart from the actual folder and item data, the database also holds information on data access rights, user settings and user meta-data set for users and groups. A lot of this data refers to a specific user ID. For example, an ACL (Access Control List) for the inbox of user A will be stored in the database as a record in the ACL table. This record holds the actual access rights for the objects and the user ID to whom the access control entry has been assigned.
The user ID stated above is therefore a reference to a user ID within the Zarafa database. This ID is stored in the users table, along with a reference to the ID of the user in the external user database, in this case an LDAP server. For example, user A may have user ID 5 in the Zarafa system and may refer to the item dn=cn=user,dc=example,dc=com on the LDAP ser
93. fix can be configured with virtual users in a hash map. In this section we explain how.
By default Postfix will only accept incoming e-mails from localhost. To accept e-mails from the complete network, configure the following option:
    inet_interfaces = all
All Postfix configuration files can be found in the /etc/postfix directory. The main configuration file is logically called main.cf. In order to make Postfix aware of the local e-mail domains, add the following line to the main.cf:
    virtual_mailbox_domains = example.com, example.org, example.net
Postfix will now regard these domains as its local e-mail domains. In order to accept incoming e-mails, Postfix will also need to validate the recipient. Add the following lines to the main.cf config file in order to have Postfix look up recipients from a hash map:
    virtual_mailbox_maps = hash:/etc/postfix/virtual
    virtual_alias_maps = hash:/etc/postfix/virtual
    virtual_transport = lmtp:127.0.0.1:2003
The file /etc/postfix/virtual should contain all e-mail addresses and aliases of a user in the following structure:
    <Email address or alias>    <primary mail address of user>
    john@example.com            john@example.com
    user1@example.com           user1@example.com
    user1@example.net           user1@example.com
    alias_user1@example.com     user1@example.com
    info@example.com            user2@example.com user1@example.com
The left column contains the e-mail address or alias, the right column contains the
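The following Python is an added example, not part of the manual or of Postfix: it parses a map in the layout shown above and performs the checks a practitioner would want before running postmap on it, namely that each key's domain is one Postfix accepts mail for, that recursive alias expansion ends at a mailbox present in the map, and that no alias loops exist. The sample table is constructed: it holds the rows of this section plus user2 (so the info@ row resolves), a row that chains through an alias (sales@), and four rows that are wrong on purpose.

```python
from collections import OrderedDict

# Constructed map in the layout described above: the rows of the section,
# plus user2 (so the info@ row resolves), a chained alias (sales@) and
# four rows that are wrong on purpose.  Not a real site's table.
SAMPLE_VIRTUAL = """\
# <email address or alias>   <primary mail address of user>
john@example.com             john@example.com
user1@example.com            user1@example.com
user1@example.net            user1@example.com
alias_user1@example.com      user1@example.com
user2@example.com            user2@example.com
info@example.com             user2@example.com user1@example.com
sales@example.com            alias_user1@example.com
ghost@example.com            nobody@example.com
old@example.co.uk            john@example.com
loop-a@example.com           loop-b@example.com
loop-b@example.com           loop-a@example.com
"""

# virtual_mailbox_domains from the main.cf line above.
SAMPLE_DOMAINS = {"example.com", "example.org", "example.net"}


def parse_virtual_table(text):
    """Parse postmap source text: key, whitespace, one or more values.

    Comment and blank lines are skipped; hash map lookups fold to lower
    case, so keys and values are lower-cased here too.
    """
    table = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *values = line.lower().split()
        table.setdefault(key, []).extend(values)
    return table


def expand(table, address, _seen=()):
    """Expand an address recursively, as virtual aliasing does.

    Returns the set of final addresses.  A key that maps to itself is a
    primary mailbox and ends the expansion; an address that is not a key
    is returned as-is so the caller can see that it is unknown.  A loop
    raises ValueError.
    """
    if address in _seen:
        raise ValueError(f"alias loop through {address}")
    targets = table.get(address)
    if targets is None or targets == [address]:
        return {address}
    finals = set()
    for target in targets:
        finals |= expand(table, target, _seen + (address,))
    return finals


def validate_virtual_table(table, mailbox_domains):
    """Return one problem string per row that will not deliver as intended."""
    problems = []
    for key in table:
        domain = key.rpartition("@")[2]
        if domain not in mailbox_domains:
            # Postfix does not accept mail for a domain it is not told
            # to handle, so this row can never be used for delivery.
            problems.append(f"{key}: domain '{domain}' is not in virtual_mailbox_domains")
        try:
            finals = expand(table, key)
        except ValueError as err:
            problems.append(f"{key}: {err}")
            continue
        for final in sorted(finals):
            if final not in table:
                # No virtual_mailbox_maps entry accepts this recipient, so
                # the address is rejected as unknown instead of handed to
                # zarafa-dagent over lmtp.
                problems.append(f"{key}: expands to {final}, which is not a mailbox in this map")
    return problems


if __name__ == "__main__":
    table = parse_virtual_table(SAMPLE_VIRTUAL)
    for problem in validate_virtual_table(table, SAMPLE_DOMAINS):
        print(problem)
```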
94. for more information.
5.1.3 Apache as a HTTP Proxy
The transmitted data between the client and server is compressed XML wrapped in HTTP packets. The use of HTTP allows packets to be forwarded by a proxy or a webserver with built-in proxy functionality, for example Apache (version 2). The following lines are an example of how Apache can be configured to forward incoming connections on port 80 to the Zarafa Server on port 236. When the Apache server also accepts HTTPS connections, the proxied connections can also be encrypted. The proxy and proxy_html modules of Apache need to be loaded.
    <IfModule mod_proxy.c>
        ProxyPass /zarafa http://127.0.0.1:236/
        ProxyPassReverse /zarafa http://127.0.0.1:236/
    </IfModule>
This means that URLs that begin with /zarafa will be forwarded to localhost on port 236, where the Zarafa Server listens for incoming connections. These lines can be placed globally or within a VirtualHost declaration. Keep in mind that using the HTTP proxy has some performance overhead, so for larger setups it's not recommended to use this.
5.2 Configure ZCP OpenLDAP integration
In several network infrastructures OpenLDAP is used as the directory server, keeping track of various bits of information, most notably users and their permissions. ZCP integrates with LDAP servers and supports OpenLDAP in particular. Zarafa doesn't include an LDAP server in the product, so if there
95. Figure 8.2: Contact creation wizard
8.4.2.4 Configuring sendas permissions using ADS
Sendas permissions can be configured both on users and contacts. The users or groups that should be able to sendas a specific address need to be added in the sendas privilege list of the user or contact. To check whether the permissions are correctly set, use:
    zarafa-admin --list-sendas <username>
For example:
    zarafa-admin --list-sendas helpdesk
    Send-as list (1) for user helpdesk:
        Username    Fullname
        john        John Doe
The users that have the sendas permissions should now be able to add the other address in the FROM field and sendas this account.
Since ZCP 6.40 the sendas system has changed. Configuring the sendas permissions is the other way around from previous Zarafa versions: sendas permissions now have to be configured on the user which is selected as the FROM address. See Section 3.3.1, "From 6.30 to 6.40" for converting the sendas permissions. Groups can now also be used for setting sendas permissions.
8.4.2.5 Setup addresslists in ADS
Addresslists are subsets of the Global Address Book that match specific criteria. For example, you can create an address list that contains all users in Manchester and another that contains all users in Stuttgart.
96. ...g emails are delivered to the LMTP service of the zarafa-dagent. The delivery needs to be done on the primary mail address of a user. For resolving the primary mail address of the user, create the file /etc/postfix/ldap-users.cf and add the following lines:

    server_host = 192.168.0.100
    search_base = ou=Users,dc=example,dc=local
    version = 3
    bind = yes
    bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
    bind_pw = secret
    scope = sub
    query_filter = (&(objectClass=person)(mail=%s))
    result_attribute = mail

For lookups of mail aliases, create the file /etc/postfix/ldap-aliases.cf and add the following lines:

    server_host = 192.168.0.100
    search_base = ou=Users,dc=example,dc=local
    version = 3
    bind = yes
    bind_dn = cn=zarafa,ou=Users,dc=example,dc=local
    bind_pw = secret
    scope = sub
    query_filter = (&(objectClass=person)(otherMailbox=%s))
    result_attribute = mail

Active Directory has the possibility to create distribution groups, which can be used as email distribution lists in ZCP. To integrate Postfix with distribution groups, Postfix 2.4 or higher is required. Some Linux distributions, like RHEL 4 and 5, do not include Postfix 2.4 or higher. Packages of newer versions of Postfix are usually available as community contributed packages; in the case of RHEL 4 and 5 these packages can be found at http://www.linuxmail.info (Postfix RPM packages).

To s
97. ...g of the zarafa-dagent when running in LMTP mode, for monitoring purposes. Enable the logging options of the zarafa-dagent in /etc/zarafa/dagent.cfg.

5.4.2 Configure ZCP Postfix integration with Active Directory

Postfix can resolve primary mail addresses and aliases of users and groups from the Active Directory server. The Postfix package in most Linux distributions has LDAP support enabled by default. To read more about Postfix LDAP support, see the LDAP README on the Postfix website (http://www.postfix.org/LDAP_README.html).

All Postfix configuration files can be found in the /etc/postfix directory. The main configuration file is logically called main.cf. By default Postfix will only accept incoming emails from localhost. To accept emails from the complete network, configure the following option:

    inet_interfaces = all

In order to make Postfix aware of the local email domains, add the following line to main.cf:

    virtual_mailbox_domains = example.com, example.org, example.net

Postfix will now see the configured domains as its local email domains. However, before accepting an incoming email Postfix does a recipient check. This recipient check can be done against the Active Directory server. Add the following lines to main.cf:

    virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
    virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
    virtual_transport = lmtp:127.0.0.1:2003

All incomin
98. ...group the service will be running as. When a logrotate happens by sending the service the HUP signal, a new file is created which will be owned by the user the service is running under. The service should still be started as root, since it will create a pid file under the system location /var/run and will open the network sockets, which most likely have a port number under 1024 and may only be opened as root.

The following example shows how to configure the zarafa-server to run as user zarafa and group zarafa:

    addgroup --system zarafa
    adduser --system --home /dev/null --no-create-home --ingroup zarafa \
        --disabled-password --gecos "Zarafa services" --shell /bin/false zarafa
    mkdir /var/log/zarafa
    chown zarafa:zarafa /var/log/zarafa

The addgroup and adduser tools may have different syntax on different distributions.

Edit the run_as_user and run_as_group options in the server.cfg file and set them both to zarafa. Make sure the local_admin_users option still contains root as an administrative user, so the zarafa-admin tool can still be used. Otherwise su or sudo has to be used each time the zarafa-admin tool is started.

6.6 Single Instance Attachment Storage

Since ZCP 6.30 the Zarafa Server provides Single Instance Attachment Storage to avoid redundant storage of attachments. This feature, as its name implies, only keeps one copy of each attachment when a message is sent to multiple
99. ...h allows a "remember this choice" option. If this is not selected, problems will arise with calendar synchronization later on. If a cluster is being run, each server must be connected to.

11.2 Installation steps

If an existing BES4 server is being replaced, please make sure that the old CalHelper.exe local directory is deleted, as it is no longer needed in this version.

Important: BES 5.0 requires an Active Directory Server for installation. However, this is only needed during installation and is not required while the server is running. Also, the machine installing BES5 must be a domain member, even though everything can be installed using a local Administrator account. If neither of these is available, the installation will fail to complete.

1. Make sure the ZCP server is set up correctly for SSL (see the previous step).
2. Install Outlook. In Outlook 2003, use the custom install mode to enable CDO.
3. Install CDO (only needed when using Outlook 2007).
4. Make sure to copy cdo.dll and gapi32.dll from c:\program files\common files\system\msmapi\<langid> to c:\windows\system32, otherwise the BlackBerry server will be unable to detect CDO.
5. Install the Zarafa Windows Client.
6. Install the Zarafa BES connector.
7. Start Zarafa > Zarafa BES connector > Create MAPI profile. This will prompt for Zarafa's server address, username and password. A
100. ...h other, the handling of single storage will be transparent. Thus, considering the example above, if user A sends the message to 30 users of tenant1 and 50 users of tenant2, only one copy of the attachments is saved, provided that the tenants reside on the same server.

Single instanced attachments are handled per server: when sending an email with an attachment to multiple Zarafa users spread over multiple servers, each server will get its own single instance attachment.

6.7 Single Sign On with ZCP

This chapter describes how to set up a Single Sign On environment with ZCP, so users can authenticate without entering their password. ZCP supports both the NTLM and the Kerberos authentication protocol. The Kerberos support is available from ZCP 6.40.2 and higher. Both methods are described in the following sections.

6.7.1 NTLM SSO with ADS

6.7.1.1 Installing Linux software

The following software needs to be installed:

- winbind
- kinit

Depending on the Linux distribution used, this comes through various package names. On Debian use:

    apt-get install krb5-user winbind

krb5-user will also install the Kerberos library configuration files in /etc. The package winbind depends on samba-common, which will therefore be installed as well. On Red Hat Enterprise Linux both the krb5-workstation and the samba-common package are required for this.

To enable NTLM SSO with ZCP, set the followi
101. ...he levels is reached, the user receives an email with the quota sizes and which quota level was reached. The quota settings can be configured server-wide in the server.cfg or per user via the user plugin.

When a user reaches the warning quota level, the user will receive an email with a warning and quota information. As the user reaches the soft quota limit, the user will not be able to send email until the size of the store is reduced. When the hard quota limit is reached, email can also no longer be delivered to that user.

4.8.1 Setup server-wide quota

The server-wide quota can be configured in the configuration file of the server:

    quota_warn = 100
    quota_soft = 150
    quota_hard = 200

The values are all in megabytes. These values will be honored for all users present in the server. When a value is set to 0, that particular quota level is disabled.

4.8.2 Setup quota per user

By using the zarafa-admin tool, the user quota can be set for a specific user. Example: set the quota of the user John with the warning level at 80 Mb, the soft level at 90 Mb and the hard level at 100 Mb:

    zarafa-admin -u john --qo 1 --qw 80 --qs 90 --qh 100

Note: Setting the user quota with zarafa-admin does not work with LDAP. With LDAP the properties are stored in the LDAP server per user. See Chapter 8, User Management, for more information.

4.8.3 Monitoring for quota exceeding

The
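The three quota levels and their effects, worked through in code. This is an added example and not the Zarafa server's own logic; the server-wide values are the ones from the server.cfg fragment above, the per-user override is read from zarafa-admin style arguments, and the assumption that a level counts as reached at exactly its limit is ours, not the manual's.

```python
"""Added example, not the Zarafa server's own code: work out which quota
level a store has reached from the quota_warn/quota_soft/quota_hard values
(server-wide from server.cfg, or a per-user override as set with
zarafa-admin) and what that means for sending and receiving mail.
"""
from dataclasses import dataclass

LEVELS = ("warn", "soft", "hard")


@dataclass(frozen=True)
class Quota:
    warn: int  # all values in megabytes; 0 disables that level
    soft: int
    hard: int


# the server-wide values from the server.cfg example in the manual
SERVER_QUOTA = Quota(warn=100, soft=150, hard=200)


def parse_admin_quota(argv):
    """Read the quota override from zarafa-admin style arguments such as
    ['-u', 'john', '--qo', '1', '--qw', '80', '--qs', '90', '--qh', '100'].
    Returns (username, Quota), or (username, None) when --qo 1 is not given
    (the override is then not enabled and the server-wide quota applies).
    """
    opts = dict(zip(argv[::2], argv[1::2]))  # every option takes one value
    if "-u" not in opts:
        raise ValueError("zarafa-admin needs -u <username>")
    if opts.get("--qo") != "1":
        return opts["-u"], None
    return opts["-u"], Quota(int(opts.get("--qw", 0)),
                             int(opts.get("--qs", 0)),
                             int(opts.get("--qh", 0)))


def quota_state(store_size_mb, quota):
    """Highest level reached (None, 'warn', 'soft' or 'hard') and its effects.
    Assumption (not stated by the manual): a level is reached at >= its limit.
    """
    reached = None
    for level in LEVELS:
        limit = getattr(quota, level)
        if limit > 0 and store_size_mb >= limit:  # a limit of 0 is disabled
            reached = level
    return {
        "level": reached,
        "warning_mail": reached is not None,          # mail with quota sizes
        "can_send": reached not in ("soft", "hard"),  # soft: sending blocked
        "can_receive": reached != "hard",             # hard: delivery blocked
    }


def effective_state(store_size_mb, override=None):
    """Apply the per-user override when present, else the server-wide quota."""
    quota = override if override is not None else SERVER_QUOTA
    return quota_state(store_size_mb, quota)


if __name__ == "__main__":
    user, override = parse_admin_quota(
        ["-u", "john", "--qo", "1", "--qw", "80", "--qs", "90", "--qh", "100"])
    for size in (50, 85, 95, 120):
        print(user, size, "MB ->", effective_state(size, override))
```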
102. ...her setenforce permissive. When it is chosen to disable SELinux, /etc/sysconfig/selinux also has to be edited to disable it after reboots too. SELinux information can be found here: http://fedora.redhat.com/docs/selinux-faq

Chapter 3 Upgrading

3.1 Preparing

Before upgrading to a new version of ZCP, it is recommended to make a backup of the database and the configuration files. First stop the running services, so the database is not in use anymore:

    /etc/init.d/zarafa-spooler stop
    /etc/init.d/zarafa-server stop
    /etc/init.d/zarafa-licensed stop

And the optional services too, if they were started:

    /etc/init.d/zarafa-dagent stop
    /etc/init.d/zarafa-gateway stop
    /etc/init.d/zarafa-ical stop
    /etc/init.d/zarafa-indexer stop
    /etc/init.d/zarafa-monitor stop

Important: When the attachments are kept in the database, an upgrade to 6.30.x or later will grow the database storage file by the combined size of all attachments as stored in the lob table. During the upgrade a temporary table to store all attachments is created and removed; since it is not possible to shrink the database storage file, it will grow by the combined size of the attachments stored in it. Information on migrating the attachments from the database to the file system can be found on our wiki.

When upgrading a licensed version of ZCP to a new major release, like from 6.30.x to 6.40.x, the license key has to be converted. Converting
103. ...i.so. Common places for the php.ini file are /etc/php.ini and /etc/php5/apache2/php.ini. With the phpinfo() function it is possible to check whether the module is loaded correctly: search for the MAPI part to check for the module. The phpinfo output can also be viewed by running php -i on the command line if php-cli is installed.

5.1.2 Configure Apache

To correctly load the recently added mapi.so extension, the webserver needs to be restarted. The following example shows how to restart Apache2:

    /etc/init.d/apache2 restart

or

    /etc/init.d/httpd restart

The website files are by default installed in the WebAccess directory. Make sure the webclient's login page can be opened by browsing to the correct URL:

    http://<ip-address-server>/webaccess

If the login page is not shown, the webserver needs to be configured to let it access the correct directory. The following example shows a configuration for Apache2:

    Alias /webaccess /usr/share/zarafa-webaccess
    <Directory /usr/share/zarafa-webaccess>
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

Make sure the correct directory holding the PHP WebAccess files is typed. The following command will tell apache2 to reread its config file:

    /etc/init.d/apache2 reload

The WebAccess should now be visible. If it still does not show up, please see Section 2.3, Troubleshooting Installation Issues.
104. ...ic configuration, see http://www.zarafa.com/wiki/index.php/OpenLdap_Switch_to_dynamic_config_backend_%28cn%3Dconfig%29

5.2.2 Configuring ZCP for OpenLDAP

To integrate ZCP with an OpenLDAP server, change the following options in the ldap.cfg configuration file. Specify in the ldap_host option the IP address or server name of the LDAP server:

    ldap_host = localhost

At the moment ZCP does not support the configuration of multiple LDAP servers.

By default the plain LDAP protocol will be used. For configuring secure LDAP, change the following settings. A howto for configuring OpenLDAP with SSL certificates can be found on http://wiki.zarafa.com

    ldap_port = 389
    ldap_protocol = ldap

The Zarafa Server will only read from the OpenLDAP server. The specified bind user should at least have read access on the LDAP server.

    ldap_bind_user = cn=Manager,dc=example,dc=com
    ldap_bind_passwd = secret
    ldap_authentication_method = bind

The authentication method can be set to password, so that the Zarafa Server compares the encrypted password from the LDAP server with the encrypted password the user filled in during the login. For this method the specified bind user has to be an administrative user in OpenLDAP and have read access on the password attribute.

The LDAP search base (base DN) is the point at which the search for the different objects starts. This should be the root of the LDAP directo
105. ...ide the database, to update the backup strategy accordingly.

4.3.3 SSL connections and certificates

The Zarafa Server is capable of directly accepting encrypted SSL connections. This feature may already be available when the HTTPS Apache server is set up to proxy these connections to the Zarafa Server. However, having native SSL connections to the server has an interesting advantage: Zarafa components running beyond localhost can log in using their SSL certificate. This section describes how to set up certificates to add native SSL connections to Zarafa.

First we create the directory to contain the certificate and set up the permissions, since it contains our private key:

    mkdir /etc/zarafa/ssl
    chmod 700 /etc/zarafa/ssl

If Zarafa is run as another user, as described in the Running as non-root user section, do not forget to chown the directory as well.

Now we are ready to create a Certificate Authority (CA). This CA will be used to create the server certificate and sign it. We provide an ssl-certificates.sh script in the /usr/share/doc/zarafa directory, which uses the openssl command and the CA.pl script from OpenSSL. Depending on the distribution used, this script can be installed in different directories. The script will try to find it on its own. If it is not found, either OpenSSL is not installed or the script is in an unknown location, and the location of the script has to be provided manually. Normally the ssl-certificates.sh scr
106. ...ies (tenants) increases. It is easier when the loginname contains the companyname as well, to ensure all loginnames are unique. The way the companyname is attached to the username to create the loginname can be configured with the loginname_format configuration option in server.cfg. This configuration option can contain the following variables:

    %u    The username
    %c    The companyname to which the user belongs

As separation character between the username and the companyname, a character should be chosen that does not appear inside the username or companyname itself. Valid characters, for example, are @ and \. Some example loginname formats for a user named John Doe who is a member of Exampleorg:

    %u     -> john
    %u@%c  -> john@exampleorg
    %c\%u  -> exampleorg\john

Although having a loginname that contains %c is mandatory for the DB plugin, it is optional for the LDAP plugin. Managing unique loginnames is easier in LDAP, because it is possible to use the email address as the loginname attribute. See the LDAP configuration file for more information about the loginname attribute.

Note: When passing a username to the zarafa-admin tool, it should be formatted as configured. For example, if the loginname_format configuration value includes the company name variable %c, the company name should be passed to the zarafa-admin tool every time a username is needed.

6.2.2.3 Configuri
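The loginname_format rules above, carried through in code: building the loginname for the three example formats, splitting it back into username and companyname (what an admin script needs before calling zarafa-admin), rejecting a separator that occurs inside a name, and checking the DB-plugin rule that the format must contain %c. This is an added example and not Zarafa's own implementation; the function names are ours.

```python
"""Added example, not code from the Zarafa manual or the Zarafa project:
build and split multi-tenant loginnames according to a loginname_format
string that uses the %u (username) and %c (companyname) variables.
"""
import re

# maps a format variable to the name of the field it stands for
VARIABLES = {"u": "username", "c": "companyname"}


def split_format(fmt):
    """Tokenise a loginname_format into ('var', 'u'|'c') and ('lit', text) parts.

    Raises ValueError for a variable the format does not define (only %u and
    %c exist), so a typo such as %d is caught before any loginname is built.
    """
    matches = list(re.finditer(r"%([uc])|([^%]+)", fmt))
    if "".join(m.group(0) for m in matches) != fmt:
        raise ValueError("loginname_format may only use %u and %c: " + fmt)
    return [("var", m.group(1)) if m.group(1) else ("lit", m.group(2))
            for m in matches]


def separators(fmt):
    """All literal characters in the format, i.e. the separator characters."""
    return "".join(text for kind, text in split_format(fmt) if kind == "lit")


def format_loginname(fmt, username, companyname):
    """Build the loginname; refuse separator characters inside the parts,
    since the loginname could then no longer be split back unambiguously."""
    for ch in separators(fmt):
        if ch in username or ch in companyname:
            raise ValueError(f"separator {ch!r} occurs inside username or companyname")
    values = {"u": username, "c": companyname}
    return "".join(values[v] if kind == "var" else v
                   for kind, v in split_format(fmt))


def parse_loginname(fmt, loginname):
    """Inverse of format_loginname: return (username, companyname), with
    companyname None when the format has no %c, or None as a whole when the
    loginname does not match the format at all."""
    seps = re.escape(separators(fmt))
    field = f"[^{seps}]+" if seps else ".+"  # a part never contains a separator
    pattern = "".join(f"(?P<{VARIABLES[v]}>{field})" if kind == "var" else re.escape(v)
                      for kind, v in split_format(fmt))
    m = re.fullmatch(pattern, loginname)
    if m is None:
        return None
    found = m.groupdict()
    return found.get("username"), found.get("companyname")


def format_allowed_for_plugin(fmt, user_plugin):
    """The manual states that a format containing %c is mandatory for the DB
    plugin and optional for the LDAP plugin."""
    has_company = any(kind == "var" and v == "c" for kind, v in split_format(fmt))
    return user_plugin != "db" or has_company


if __name__ == "__main__":
    for fmt in ("%u", "%u@%c", "%c\\%u"):
        name = format_loginname(fmt, "john", "exampleorg")
        print(f"{fmt:6} -> {name:20} parses back to {parse_loginname(fmt, name)}")
```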
107. ...igh as possible without making the system need to swap out important parts of available memory. It is very difficult to give a fixed value for what the optimal memory usage distribution is for a given server, as data access patterns vary wildly from server to server. We describe some rule-of-thumb parameters here and make the RAM usage patterns as clear as possible.

9.1.2 Hardware considerations

In servers running Zarafa, the main performance bottleneck will be the route between the data on the hard disk and the time it takes to get to the client. This means that generally I/O performance is more important than CPU performance. Using this as a basis, the following pointers may help in selecting the correct hardware for the system.

9.1.3 More Memory is More Speed

More RAM means better caching and therefore better speed. Zarafa is specifically designed to make use of the large amounts of RAM that are available in modern servers. On the other hand, please remember that in a normal Linux server the maximum amount of usable RAM in a 32-bit server is 3Gb, unless PAE (physical address extension) is supported in the kernel, CPU and mainboard. If more than 3Gb is needed without some sort of limitation, use a 64-bit system: a 64-bit Linux OS and a 64-bit Zarafa package.

9.1.4 RAID 1/10 is faster than RAID 5

In general, a RAID1 or RAID10 array is faster at database accesses than RAID5. If it
108. ...ime, so opening an inbox twice in succession should result in disk accesses for the second access. It is a good idea to set the cell cache as high as can be managed, usually about the same size as the MySQL buffer size.

9.2.2 Zarafa's object cache (cache_object_size)

The Zarafa object cache is used to cache the hierarchy table. Each object that is accessed will be placed in this cache, making it faster to retrieve the information again without accessing the database. The more items users have in their folders, the more important this cache becomes. Since the information is quite small, this cache does not need to be large: about 1Mb for 10 users is even an overestimation.

9.2.3 Zarafa's indexedobject cache (cache_indexedobject_size)

To open a specific item, the program needs to send the server a unique key, called an entryid, to request that item. This cache is a 2-way index from the MAPI key to a database key and the other way around. The translation of the keys is quite important. This cache is filled per folder, so large folders will push out otherwise important information. Normal usage is about 0.5Mb per user.

9.2.4 MySQL innodb_buffer_pool_size

The MySQL buffer is used to cache reads and writes to the ibdata file. In a dedicated MySQL machine this would be anywhere between 50 to 80% of the physical RAM size in the machine. When MySQL is run on the same machine as Zarafa, it is recommended to be around 25% of physical R
109. ...in the zarafa-admin tool can be used to manage tenants (companies), while with the LDAP plugin all information will come directly from LDAP or Active Directory. The preferred user plugin for multi-tenancy setups is the LDAP plugin.

6.2.2 Configuring the server

The following configuration options in server.cfg are used when enabling the multi-tenancy support:

enable_hosted_zarafa
    When set to true, it is possible to create tenants within the Zarafa instance and assign all users and groups to particular tenants. When set to false, the normal single-tenancy environment is created.

createcompany_script
    Location of the createcompany script, which will be executed when a new tenant has been created.

deletecompany_script
    Location of the deletecompany script, which will be executed when a tenant has been deleted.

loginname_format
    See Section 6.2.2.2, Configuring login name, for more details about this configuration option.

storename_format
    See Section 6.2.2.3, Configuring store name, for more details about this configuration option.

6.2.2.1 Enabling Multi-tenancy

To enable multi-tenancy support in Zarafa, change the following configuration option in server.cfg:

    enable_hosted_zarafa = yes

6.2.2.2 Configuring login name

The loginname of a user must be unique in order to correctly allow the login attempt. When enabling multi-tenancy support in Zarafa, having a unique loginname can become difficult as the number of compan
110. ...ipt can be run without problems:

    cd /etc/zarafa/ssl
    sh /usr/share/doc/zarafa/ssl-certificates.sh server

The parameter server is added so that the new certificate will be called server.pem. When the CA is not found in the default demoCA directory, it needs to be created. By pressing enter the creation of the new CA is started. Enter a password (passphrase) when asked for; this is the password used later on to sign certificate requests. Then the certificate information should be entered. Do not leave the Common Name field blank, otherwise the creation will fail.

Now that we have a CA, we can create self-signed certificates. The ssl-certificates.sh script will automatically continue with this step. Enter a password for the request and enter the certificate details. Some details need to be different from those typed when the CA was created: at least the field Organizational Unit Name needs to be different. The challenge password at the end may be left empty.

This step created a Certificate Request that needs to be signed by the CA that was created in the first step of the script. Type the password of the CA again when asked for. The details of the certificate will be shown and you are asked for acceptance. Accept the certificate.

As the last step, the public key of this certificate will be offered. Since the server certificate was just created, the public key of this certificate is not needed
111. ...ires write access to update the Active Directory Schema. To get the write access, the registry key Schema Update Allowed must be enabled. To edit the registry key, perform the following steps:

1. Click Start, click Run, and then in the Open box type regedit. Then press ENTER.
2. Locate and click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. On the Edit menu, click New, and then click DWORD Value.
4. Enter the value data when the following registry value is displayed:
    Value Name: Schema Update Allowed
    Data Type: REG_DWORD
    Base: Binary
    Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
5. Quit Registry Editor.

Now the Zarafa Active Directory installer can be executed. For more information take a look at http://support.microsoft.com/kb/285172

Note: Don't forget to switch the registry key back after the installation.

5.3.1.2 Windows 2003/2008 Server

For Windows 2003 and 2008 Server it is possible to step through the setup by clicking the next button. If the Zarafa ADS Plugin is installed, it is possible to edit the Zarafa specific attributes. For editing a user, go to Users and Computers, select a user and open the properties. The Zarafa tab should be available if the installation completed successfully.

[Figure: Properties dialog of the user "benjamin test" (tabs Dial-in, Environment, Sessions, ...), showing the Zarafa tab]
112. ...is attribute.
    OID: 1.3.6.1.4.1.26278.1.4.4.4
    Syntax: Integer
    Multi- or Single-Valued: Single-Valued

zarafaFilter
    This attribute will contain the LDAP filter to apply for an addresslist or dynamic group.
    OID: 1.3.6.1.4.1.26278.1.5.5.1
    Syntax: DirectoryString
    Multi- or Single-Valued: Single-Valued

zarafaBase
    This attribute will contain the LDAP search base to apply for an addresslist or dynamic group.
    OID: 1.3.6.1.4.1.26278.1.5.5.2
    Syntax: DirectoryString
    Multi- or Single-Valued: Single-Valued
113. ...is is a new registry key introduced for the updater mechanism; it will contain the version of the Zarafa Windows Client installed on the machine. The Launch Updater application reads the default Outlook profile from the registry to gather the credentials needed to connect to the Zarafa Server. It informs the Zarafa Server which version of the Zarafa Windows Client is running; the Zarafa Server responds with a newer Zarafa Windows Client in case one exists.

6.4.2.1 Zarafa Updater Service

The zarafa-updater service runs as the local system account. Therefore it has all the privileges needed to install the Zarafa Windows Client on the desktop.

[Figure: Windows Services console listing the Zarafa Updater Service]
114. ...is optional. If this parameter is given, the attachments are also removed from the database. Keep in mind that during the conversion the storage of the attachments on the harddisk will double. The amount of storage in MySQL used by ZCP can be looked up with the following MySQL statements:

    mysql> use zarafa;
    mysql> show table status;

Check the data_length column for the lob table. This contains the number of bytes needed for the attachment storage.

To select this new storage method, change the attachment_storage option in the server.cfg file and point the attachment_path option to the folder where the attachments should be stored. After changing this option, zarafa-server needs to be started once with the --ignore-attachment-storage-conflict parameter.

Advantages of attachments outside the database are:

- MySQL does not save the large binary blobs in the database. This improves the general read and write access.
- Attachments will not cause cache purges of MySQL.

Disadvantages of attachments outside the database are:

- A MySQL dump of the database is not enough for a full recovery.
- Remote storage of attachments requires a new system, like a folder mounted through NFS or Samba.

In most cases it is advisable to store attachments apart from the database, especially in setups with more than 100 users.

Important: It is very important when choosing to store the attachments outs
115. ...l and sql scripts which upgrade the database format for the new version. Some scripts have to be run for the new version of ZCP to start, while other scripts are recommended for speed increases.

3.3.1 From 6.30 to 6.40

There are some configuration changes in version 6.40 to support new features in the Global Address Book, like contacts, dynamic groups and security groups. Especially when using the LDAP user plugin, the server will not start correctly without changes being made to the LDAP configuration file. If the DB or Unix plugin is in use, no changes are required to the configuration files. However, it may be helpful to view them to configure new options. Please check the upgrade page on http://wiki.zarafa.com for up to date upgrade details.

To correctly support contacts from Microsoft Active Directory, the ldap_user_unique_attribute config field must be changed from objectSid to objectGuid. Since this is the unique identifier for users, changing it without updating the database will make the Zarafa server delete all users and recreate the newly detected users. This is not wanted, so it is required to use the db-upgrade-objectsid-to-objectguid.pl script found in