From 6b2eb41193eb174b14853e593d8d7f324861eeca Mon Sep 17 00:00:00 2001 
From: andreas Date: Sun, 11 Feb 2024 11:54:51 +0000 Subject: [PATCH] update recovered sdlc git repo --- .env | 17 +- core/Dockerfile | 19 +- core/entrypoint.sh | 7 + core/scratchpad.sh | 4 +- docker-compose.yml | 48 +- etc-template/kopano/admin.cfg | 7 + etc-template/kopano/autorespond.cfg | 22 + etc-template/kopano/backup.cfg | 31 ++ etc-template/kopano/dagent.cfg | 93 ++++ etc-template/kopano/gateway.cfg | 47 ++ etc-template/kopano/grapi.cfg | 38 ++ etc-template/kopano/ical.cfg | 34 ++ etc-template/kopano/kapid-pubs-secret.key | 1 + etc-template/kopano/kapid.cfg | 66 +++ .../kopano/konnectd-encryption-secret.key | 1 + .../kopano/konnectd-identifier-scopes.yaml | 14 + .../kopano/konnectd-signing-private-key.pem | 1 + etc-template/kopano/konnectd.cfg | 146 ++++++ .../konnectkeys/konnect-20210314-0ae1.pem | 52 +++ etc-template/kopano/kweb/.kweb/.setup-done | 0 etc-template/kopano/kwebd.cfg | 137 ++++++ etc-template/kopano/ldap.cfg | 36 ++ etc-template/kopano/monitor.cfg | 28 ++ etc-template/kopano/php-mapi.cfg | 30 ++ .../kopano/quotamail/companywarning.mail | 11 + .../quotamail/companywarning.mail.dpkg-new | 11 + etc-template/kopano/quotamail/userhard.mail | 17 + .../kopano/quotamail/userhard.mail.dpkg-new | 17 + etc-template/kopano/quotamail/usersoft.mail | 17 + .../kopano/quotamail/usersoft.mail.dpkg-new | 17 + .../kopano/quotamail/userwarning.mail | 17 + .../quotamail/userwarning.mail.dpkg-new | 17 + etc-template/kopano/search.cfg | 39 ++ etc-template/kopano/server.cfg | 121 +++++ etc-template/kopano/spamd.cfg | 53 +++ etc-template/kopano/spooler.cfg | 30 ++ .../kopano/ssl/certs/balusign-ca-chain.pem | 106 +++++ etc-template/kopano/ssl/openssl.cnf | 350 +++++++++++++++ .../kopano/ssl/private/server-key-cert.pem | 81 ++++ .../kopano/ssl/private/system-key-cert.pem | 81 ++++ .../kopano/sslkeys/system-public-key.pem | 11 + etc-template/kopano/statsd.cfg | 8 + etc-template/kopano/unix.cfg | 42 ++ etc-template/kopano/webapp/.htaccess | 28 ++ 
.../kopano/webapp/config-contactfax.php | 4 + etc-template/kopano/webapp/config-gmaps.php | 13 + .../kopano/webapp/config-intranet.php | 17 + .../kopano/webapp/config-mattermost.php | 9 + etc-template/kopano/webapp/config-meet.php | 19 + .../kopano/webapp/config-pimfolder.php | 4 + .../kopano/webapp/config-threema4deskapp.php | 6 + .../kopano/webapp/config-whatsapp4deskapp.php | 6 + etc-template/kopano/webapp/config.php | 331 ++++++++++++++ etc-template/postfix/main.cf | 64 +++ etc-template/postfix/master.cf | 84 ++++ etc-template/postfix/virtual | 3 + etc-template/postfix/virtual.db | Bin 0 -> 12288 bytes etc-template/postfix/vmailbox | 8 + etc-template/postfix/vmailbox.db | Bin 0 -> 12288 bytes etc-template/z-push/autodiscover.conf.php | 88 ++++ .../z-push/autodiscover.conf.php.dist | 88 ++++ etc-template/z-push/gabsync.conf.php | 86 ++++ etc-template/z-push/kopano.conf.php | 83 ++++ etc-template/z-push/policies.ini | 234 ++++++++++ etc-template/z-push/z-push.conf.php | 373 ++++++++++++++++ etc-template/z-push/z-push.conf.php.dpkg-dist | 418 ++++++++++++++++++ etc-zntrl/kopano/dagent.cfg | 4 +- etc-zntrl/kopano/search.cfg | 2 +- etc-zntrl/kopano/spooler.cfg | 2 +- etc-zntrl/z-push/z-push.conf.php | 2 +- .../00-create-kopano-user.sql | 2 +- postfix/Dockerfile | 5 +- postfix/scratchpad.sh | 2 +- spampd/Dockerfile | 3 +- spampd/scratchpad.sh | 2 +- ssl/create-key | 2 +- ssl/dist-certs | 5 + ssl/mkcerts | 7 +- webapp/Dockerfile | 14 +- webapp/scratchpad.sh | 4 +- z-push/Dockerfile | 5 +- z-push/scratchpad.sh | 4 +- 82 files changed, 3903 insertions(+), 53 deletions(-) create mode 100644 etc-template/kopano/admin.cfg create mode 100644 etc-template/kopano/autorespond.cfg create mode 100644 etc-template/kopano/backup.cfg create mode 100644 etc-template/kopano/dagent.cfg create mode 100644 etc-template/kopano/gateway.cfg create mode 100644 etc-template/kopano/grapi.cfg create mode 100644 etc-template/kopano/ical.cfg create mode 100644 
etc-template/kopano/kapid-pubs-secret.key create mode 100644 etc-template/kopano/kapid.cfg create mode 100644 etc-template/kopano/konnectd-encryption-secret.key create mode 100644 etc-template/kopano/konnectd-identifier-scopes.yaml create mode 120000 etc-template/kopano/konnectd-signing-private-key.pem create mode 100644 etc-template/kopano/konnectd.cfg create mode 100644 etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem create mode 100644 etc-template/kopano/kweb/.kweb/.setup-done create mode 100644 etc-template/kopano/kwebd.cfg create mode 100644 etc-template/kopano/ldap.cfg create mode 100644 etc-template/kopano/monitor.cfg create mode 100644 etc-template/kopano/php-mapi.cfg create mode 100644 etc-template/kopano/quotamail/companywarning.mail create mode 100644 etc-template/kopano/quotamail/companywarning.mail.dpkg-new create mode 100644 etc-template/kopano/quotamail/userhard.mail create mode 100644 etc-template/kopano/quotamail/userhard.mail.dpkg-new create mode 100644 etc-template/kopano/quotamail/usersoft.mail create mode 100644 etc-template/kopano/quotamail/usersoft.mail.dpkg-new create mode 100644 etc-template/kopano/quotamail/userwarning.mail create mode 100644 etc-template/kopano/quotamail/userwarning.mail.dpkg-new create mode 100644 etc-template/kopano/search.cfg create mode 100644 etc-template/kopano/server.cfg create mode 100644 etc-template/kopano/spamd.cfg create mode 100644 etc-template/kopano/spooler.cfg create mode 100644 etc-template/kopano/ssl/certs/balusign-ca-chain.pem create mode 100644 etc-template/kopano/ssl/openssl.cnf create mode 100644 etc-template/kopano/ssl/private/server-key-cert.pem create mode 100644 etc-template/kopano/ssl/private/system-key-cert.pem create mode 100644 etc-template/kopano/sslkeys/system-public-key.pem create mode 100644 etc-template/kopano/statsd.cfg create mode 100644 etc-template/kopano/unix.cfg create mode 100644 etc-template/kopano/webapp/.htaccess create mode 100644 
etc-template/kopano/webapp/config-contactfax.php create mode 100644 etc-template/kopano/webapp/config-gmaps.php create mode 100644 etc-template/kopano/webapp/config-intranet.php create mode 100644 etc-template/kopano/webapp/config-mattermost.php create mode 100644 etc-template/kopano/webapp/config-meet.php create mode 100644 etc-template/kopano/webapp/config-pimfolder.php create mode 100644 etc-template/kopano/webapp/config-threema4deskapp.php create mode 100644 etc-template/kopano/webapp/config-whatsapp4deskapp.php create mode 100644 etc-template/kopano/webapp/config.php create mode 100644 etc-template/postfix/main.cf create mode 100644 etc-template/postfix/master.cf create mode 100644 etc-template/postfix/virtual create mode 100644 etc-template/postfix/virtual.db create mode 100644 etc-template/postfix/vmailbox create mode 100644 etc-template/postfix/vmailbox.db create mode 100644 etc-template/z-push/autodiscover.conf.php create mode 100644 etc-template/z-push/autodiscover.conf.php.dist create mode 100644 etc-template/z-push/gabsync.conf.php create mode 100644 etc-template/z-push/kopano.conf.php create mode 100644 etc-template/z-push/policies.ini create mode 100644 etc-template/z-push/z-push.conf.php create mode 100644 etc-template/z-push/z-push.conf.php.dpkg-dist create mode 100644 ssl/dist-certs
diff --git a/.env b/.env
index 20d40d5..7e86462 100644
--- a/.env
+++ b/.env
@@ -1,14 +1,19 @@
-COMPOSE_PROJECT_NAME=kopano
+TAG=zntrl
+COMPOSE_PROJECT_NAME=$TAG
 # database credentials
 MYSQL_ROOT_PASSWORD=modT9&?.
 MYSQL_KOPANO_PASSWORD=zAKt(85&
+MYSQL_PORT=3307
 #
-MAIL_DOMAIN=zntrl.de
+MAIL_DOMAIN=$TAG.de
 POSTFIX_MTA_HOST=mta.$MAIL_DOMAIN
 POSTFIX_SMTP_PORT=8025
-POSTFIX_MTA_SSL_KEY=
-POSTFIX_MTA_SSL_CERT=
 POSTFIX_RELAY_HOST=relay.zntrl.de
 POSTFIX_RELAY_PORT=465
-POSTFIX_RELAY_SSL_KEY=
-POSTFIX_RELAY_SSL_CERT=
\ No newline at end of file
+#
+WEBAPP_PORT=8080
+Z_PUSH_PORT=8081
+#
+DCKR_SERVER=$TAG-server-1
+DCKR_DAGENT=$TAG-dagent-1
+DCKR_SERVER=$TAG-server-1
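Review bot: `DCKR_SERVER=$TAG-server-1` appears twice at the end of the hunk; the second assignment only repeats the first, so either it is a leftover to delete or a different service name (the search or spooler container, perhaps) was intended and has been lost. The new `$TAG` references inside values (`COMPOSE_PROJECT_NAME=$TAG`, `MAIL_DOMAIN=$TAG.de`) rely on Compose interpolating `.env` itself, which only recent Compose releases do, so it is worth checking that `docker compose config` shows the expanded names. The database passwords remain in this committed file as context lines; they are not new here, but a `.env.example` with placeholders and the real `.env` in `.gitignore` would keep them out of history.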
diff --git a/core/Dockerfile b/core/Dockerfile
index d9a8f43..7becef2 100644
--- a/core/Dockerfile
+++ b/core/Dockerfile
@@ -17,7 +17,7 @@ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm
 rm -rf core-11.0.2.50.507cbae-Ubuntu_20.04-amd64
 EOF
 # use envsubst in entrypoint script to convert config templates to actual config files
-COPY --chmod=0775 entrypoint.sh /entrypoint.sh
+COPY --chmod=0775 core/entrypoint.sh /entrypoint.sh
 # https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-kopano-dagent-for-delivery-via-unix-socket
 # mapi (client-server)
 #EXPOSE 236
@@ -25,6 +25,23 @@ COPY --chmod=0775 entrypoint.sh /entrypoint.sh
 #EXPOSE 237
 # lmtp (dagent)
 #EXPOSE 2003
+COPY etc-template /root/etc/
+RUN << EOF
+cp -p /etc/kopano/server.cfg /etc/kopano/server.cfg-dist
+sed -i \
+ -e's/server_listen = \*\%lo:236/server_listen = 0.0.0.0:236/' \
+ -e's|#server_ssl_key_file = /etc/kopano/ssl/server.pem|server_ssl_key_file = /etc/kopano/ssl/private/server-key-cert.pem|' \
+ -e's|#server_ssl_ca_file = /etc/kopano/ssl/cacert.pem|server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-ca-chain.pem|' \
+ -e's|#server_ssl_ca_path = /etc/kopano/ssl/certs|server_ssl_ca_path = /etc/kopano/ssl/certs|' \
+ -e's|#sslkeys_path = /etc/kopano/sslkeys|sslkeys_path = /etc/kopano/sslkeys|' \
+ -e's|#server_name =|server_name = zntrl.de|' \
+ -e's|#database_engine = mysql|database_engine = mysql|' \
+ -e's|#mysql_host = localhost|mysql_host = mysql|' \
+ -e's|#mysql_user = root|mysql_user = kopano|' \
+ -e's|#mysql_password =|mysql_password = $MYSQL_PASSWD|' \
+ -e's|#mysql_database = kopano|mysql_database = kopano|' \
+ /etc/kopano/server.cfg
+EOF
 VOLUME /var/lib/kopano/attachments
 VOLUME /var/lib/kopano/search
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/core/entrypoint.sh b/core/entrypoint.sh
index b453729..a7e79f8 100644
--- a/core/entrypoint.sh
+++ b/core/entrypoint.sh
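Review bot: `mysql_password = $MYSQL_PASSWD` in the second hunk is expanded by the build-time shell inside the `RUN` heredoc, and the hunk declares no `ARG`/`ENV` for `MYSQL_PASSWD`, so the substitution writes an empty password into `/etc/kopano/server.cfg` — and had it been supplied as a build argument, the secret would be baked into an image layer. Since the entrypoint already runs `envsubst` over the templates at start, escape the placeholder so it survives the build, `-e's|#mysql_password =|mysql_password = \$MYSQL_PASSWD|'`, or drop the build-time rewrite of server.cfg and let the runtime substitution handle it; note also that `.env` names the variable `MYSQL_KOPANO_PASSWORD`, not `MYSQL_PASSWD`. `COPY etc-template /root/etc/` also bakes the private keys and secret files listed in the diffstat (`ssl/private/*-key-cert.pem`, `kapid-pubs-secret.key`, `konnectd-encryption-secret.key`) into every image built from this context; bind-mounting them at run time keeps them out of the image and of any registry it is pushed to.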
@@ -2,4 +2,11 @@ set -e chown kopano:kopano /var/lib/kopano/attachments # runas user kopano +env +cp -rp /root/etc/kopano/* /etc/kopano +for $F in $(find /root/etc/kopano -name '*.cfg' -type f) +do + envsubst <$F >/etc/kopano/${F##*/} + diff $F /etc/kopano/${F##*/} +done exec "$@" diff --git a/core/scratchpad.sh b/core/scratchpad.sh index 669f847..46f122d 100644 --- a/core/scratchpad.sh +++ b/core/scratchpad.sh @@ -1,8 +1,8 @@ #!/usr/bin/bash # export DOCKER_BUILDKIT=1 docker run -d --rm --name dist -p80:80 -v/root/kopano-docker/dist:/usr/local/apache2/htdocs httpd -docker build --no-cache --progress=plain -t core . -docker build -t core . +docker build --no-cache --progress=plain -t core -f core/Dockerfile . +docker build -t core -f core/Dockerfile . docker run --rm -it --name core -p8081:80 core bash docker logs -f core docker exec -it core bash diff --git a/docker-compose.yml b/docker-compose.yml index 10e5e1f..4b27018 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,8 +1,10 @@ # name_prefix: kopano, see COMPOSE_PROJECT_NAME in .env services: server: - build: ./core - image: baloan/core + build: + context: . + dockerfile: core/Dockerfile + # image: baloan/core depends_on: - mysql ports: @@ -12,8 +14,10 @@ services: - attachments:/var/lib/kopano/attachments command: /usr/sbin/kopano-server search: - build: ./core - image: baloan/core + build: + context: . + dockerfile: core/Dockerfile + # image: baloan/core depends_on: - server volumes: @@ -21,16 +25,20 @@ services: - search:/var/lib/kopano/search command: /usr/sbin/kopano-search spooler: - build: ./core - image: baloan/core + build: + context: . + dockerfile: core/Dockerfile + # image: baloan/core depends_on: - server volumes: - ./etc-zntrl/kopano:/etc/kopano:ro command: /usr/sbin/kopano-spooler dagent: - build: ./core - image: baloan/core + build: + context: . + dockerfile: core/Dockerfile + # image: baloan/core volumes: - ./etc-zntrl/kopano:/etc/kopano:ro depends_on: 
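Review bot: `for $F in $(find /root/etc/kopano -name '*.cfg' -type f)` is a shell syntax error — the loop variable must be a bare name — so with `set -e` the script dies before `exec "$@"` and no service starts; change it to `for F in $(find /root/etc/kopano -name '*.cfg' -type f)`. The `env` call two lines earlier prints the entire container environment, including whatever database password is passed in for `envsubst`, into the container log where anyone with `docker logs` access can read it; remove it once debugging is done. `envsubst` with no SHELL-FORMAT argument rewrites every `$NAME` token in a template, so any config value that legitimately contains a `$` is altered as well; listing the intended variables, e.g. `envsubst '$DCKR_SERVER $MYSQL_KOPANO_PASSWORD'`, limits the substitution. Finally, `cp -rp /root/etc/kopano/* /etc/kopano` will fail when `/etc/kopano` is the `:ro` bind mount that docker-compose.yml in this same commit declares for the spooler and dagent services.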
@@ -47,8 +55,10 @@ services: ports: - 3307:3306 webapp: - build: ./webapp - image: baloan/webapp + build: + context: . + dockerfile: webapp/Dockerfile + # image: baloan/webapp labels: - traefik.enable=true - traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/webapp`) @@ -64,8 +74,10 @@ services: - default - traefik z-push: - build: ./z-push - image: baloan/z-push + build: + context: . + dockerfile: z-push/Dockerfile + # image: baloan/z-push labels: - traefik.enable=true - traefik.http.routers.webapp.rule=Host(`$MAIL_DOMAIN`) && PathPrefix(`/Microsoft-Server-ActiveSync`) @@ -82,17 +94,21 @@ services: - default - traefik postfix: - build: ./postfix + build: + context: . + dockerfile: postfix/Dockerfile + # image: baloan/postfix tty: true - image: baloan/postfix ports: - 8025:25 volumes: - spool:/var/spool/postfix spampd: - build: ./spampd + build: + context: . + dockerfile: spampd/Dockerfile + # image: baloan/spampd tty: true - image: baloan/spampd volumes: - spamassassin:/var/lib/spamassassin networks: diff --git a/etc-template/kopano/admin.cfg b/etc-template/kopano/admin.cfg new file mode 100644 index 0000000..935a65d --- /dev/null +++ b/etc-template/kopano/admin.cfg @@ -0,0 +1,7 @@ +# The language for folders in newly-created stores, specified as a +# locale identifier ("en_US", "de_DE", etc.) +#default_store_locale = + +#server_socket = default: +#sslkey_file = some.pem +#sslkey_pass = magic diff --git a/etc-template/kopano/autorespond.cfg b/etc-template/kopano/autorespond.cfg new file mode 100644 index 0000000..cba6d83 --- /dev/null +++ b/etc-template/kopano/autorespond.cfg 
@@ -0,0 +1,22 @@ +############################################################## +# AUTORESPOND SETTINGS + +# Autorespond if the recipient is in the Cc field +#autorespond_cc = no + +# Autorespond if the recipient is in the Bcc field +#autorespond_bcc = no + +# Autorespond if the recipient is not in any of To, Cc or Bcc +# (i.e. received the message through a distribution list) +#autorespond_norecip = no + +# Only send reply to same e-mail address once per 24 hours +#timelimit = 86400 + +# File which contains when vacation message was sent +#senddb = /var/lib/kopano/autorespond.db + +# Copy to sentmail - whether responses should be saved in the +# users sentmail folder or not +#copy_to_sentmail = yes diff --git a/etc-template/kopano/backup.cfg b/etc-template/kopano/backup.cfg new file mode 100644 index 0000000..446a394 --- /dev/null +++ b/etc-template/kopano/backup.cfg @@ -0,0 +1,31 @@ +############################################################## +# SERVER SETTINGS + +# Socket to find the connection to the storage server. +# Use https to reach servers over the network +#server_socket = file:///var/run/kopano/server.sock + +# Login to the storage server using this SSL Key +#sslkey_file = /etc/kopano/ssl/search.pem + +# The password of the SSL Key +#sslkey_pass = replace-with-server-cert-password + +############################################################## +# LOG SETTINGS + +# Logging method (syslog, file) +#log_method = file + +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +#log_level = 3 + +# Logfile for log_method = file, use '-' for stderr +# Default: - +#log_file = /var/log/kopano/backup.log + +############################################################## +# BACKUP SETTINGS + +# maximum number of stores to backup in parallel +#worker_processes = 1 diff --git a/etc-template/kopano/dagent.cfg b/etc-template/kopano/dagent.cfg new file mode 100644 index 0000000..c31bb8f --- /dev/null +++ b/etc-template/kopano/dagent.cfg 
@@ -0,0 +1,93 @@ +# See the kopano-dagent.cfg(5) manpage for details and more directives. + +# Space-separated list of address:port specifiers with optional %interface +# infix for where the server should listen for LMTP connections. +# +# "unix:/var/spool/kopano/dagent.sock" — local socket +# "*:2003" — port 2003, all protocols +# "[::]:2003" — port 2003 on IPv6 only +# "[2001:db8::1]:2003" — port 2003 on specific address only +# +lmtp_listen = *:2003 +#lmtp_listen = unix:/var/spool/kopano/dagent.sock + +# connection to the storage server +#server_socket = file:///var/run/kopano/server.sock +server_socket = https://zntrl-server-1:237 +# Login to the storage server using this SSL Key +sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem +# The password of the SSL Key +sslkey_pass = + +#log_method = auto +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +log_level = 5 +# log_file = /var/log/kopano/dagent.log +log_timestamp = yes + +# Log raw message to a file. Can be "no", "all", or a list of usernames +# for which messages should be saved. +#log_raw_message = no +#log_raw_message_path = /var/lib/kopano + +# Maximum LMTP threads that can be running simultaneously +# This is also limited by your SMTP server. (20 is the postfix default concurrency limit) +#lmtp_max_threads = 20 + +# The following e-mail header will mark the mail as spam, so the mail +# is placed in the Junk Mail folder, and not the Inbox. +# The name is case insensitive. +# set to empty to not use this detection scheme. +#spam_header_name = X-Spam-Status + +# If the above header is found, and contains the following value +# the mail will be considered as spam. +# Notes: +# - The value is case insensitive. +# - Leading and trailing spaces are stripped. +# - The word 'bayes' also contains the word 'yes'. +#spam_header_value = Yes, + +# Enable archive_on_delivery to automatically archive all incoming +# messages on delivery. 
+# This will do nothing if no archive is attached to the target mailbox. +#archive_on_delivery = no + +# Enable the dagent Python plugin framework. Disables threading. +#plugin_enabled = yes + +# Path to the activated dagent plugins. +# This folder contains symlinks to the kopano plugins and custom scripts. The plugins are +# installed in '/usr/share/kopano-dagent/python/plugins/'. To activate a plugin create a symbolic +# link in the 'plugin_path' directory. +# +# Example: +# $ ln -s /usr/share/kopano-dagent/python/plugins/BMP2PNG.py /var/lib/kopano/dagent/plugins/BMP2PNG.py +#plugin_path = /var/lib/kopano/dagent/plugins + +############################################################## +# DAGENT RULE SETTINGS + +# Enable the addition of X-Kopano-Rule-Action headers on messages +# that have been forwarded or replied by a rule. +#set_rule_headers = yes + +# Enable this option to prevent rules from potentially causing a loop. An +# e-mail can only be forwarded once when this option is enabled. Requires the +# set_rule_headers option to also be enabled. +#no_double_forward = yes + +# Domain list to which forwarding is allowed. (Cuts off after 1000 characters, +# and knows no escape chars, so use the _file variants if needed.) +#forward_whitelist_domains = * +#forward_whitelist_domains_file = +#forward_whitelist_domain_subject = REJECT: %subject not forwarded (administratively blocked) +#forward_whitelist_domain_message = The Kopano mail system has rejected your request to forward your e-mail with subject %subject (via mail filters) to %sender: the operation is not permitted.\n\nRemove the rule or contact your administrator about the forward_whitelist_domains setting. +#forward_whitelist_domain_message_file = + +# When multiple HTML MIME parts are found, they can be joined to form a +# continuous e-mail. (If not, they will become attachments.) 
Joining them +# however can compromise the document integrity, as stylesheets and JavaScripts +# affect the entire joined document. +# +#insecure_html_join = no diff --git a/etc-template/kopano/gateway.cfg b/etc-template/kopano/gateway.cfg new file mode 100644 index 0000000..9a326d3 --- /dev/null +++ b/etc-template/kopano/gateway.cfg 
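Review bot: `server_socket = https://zntrl-server-1:237` hard-codes the container name even though `.env` in this commit derives it as `DCKR_SERVER=$TAG-server-1` and the entrypoint runs `envsubst` over these templates; `server_socket = https://$DCKR_SERVER:237` keeps the two in step when `TAG` changes. `sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem` names a file the diffstat does not add (only `server-key-cert.pem` and `system-key-cert.pem` appear under `ssl/private`), so unless it is generated elsewhere the dagent cannot authenticate to the server. `log_level = 5` is an info-level debugging setting; the commented default in the sibling templates is 3, and it is worth returning to that once delivery is verified.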
@@ -0,0 +1,47 @@ +# See the kopano-gateway.cfg(5) manpage for details and more directives. + +# Space-separated list of address:port specifiers with optional %interface +# infix for where the server should listen for connections. +# imaps is normally on 993, pop3s on 995. +# +#pop3_listen = *%lo:110 +#pop3s_listen = +#imap_listen = *%lo:143 +#imaps_listen = +# File with RSA key for SSL +#ssl_private_key_file = /etc/kopano/gateway/privkey.pem +#File with certificate for SSL +#ssl_certificate_file = /etc/kopano/gateway/cert.pem + +# Disable all plaintext authentications unless SSL/TLS is used +#disable_plaintext_auth = no +# Verify client certificate +#ssl_verify_client = no +# Client verify file and/or path +#ssl_verify_file = +#ssl_verify_path = +#tls_min_proto = tls1.2 + +# Connection to the storage server. +# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket. +#server_socket = http://localhost:236/ +# Bypass authentification when connecting as an administrator to the UNIX socket. +#bypass_auth = no + +# Whether to show the hostname in the logon greeting to clients. +#server_hostname_greeting = no +# Override own DNS name for presentation in the protocol greeting line. +#server_hostname = + +#log_method = auto +# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug)) +log_level = 5 +log_file = /var/log/kopano/gateway.log +#log_timestamp = yes + +# Only mail folder for IMAP or all subfolders (calendar, contacts, tasks, etc. too) +#imap_only_mailfolders = yes +# Show Public folders for IMAP +#imap_public_folders = yes +# The maximum size of an email that can be uploaded to the gateway +#imap_max_messagesize = 128M diff --git a/etc-template/kopano/grapi.cfg b/etc-template/kopano/grapi.cfg new file mode 100644 index 0000000..303e640 --- /dev/null +++ b/etc-template/kopano/grapi.cfg 
@@ -0,0 +1,38 @@
+##############################################################
+# Groupware REST API SETTINGS
+
+# Number of worker processes.
+num_workers = 2
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups.
+#insecure = no
+
+# Path where to create the gc-rest sockets.
+#socket_path = /var/run/kopano-grapi
+
+# Socket to find the connection to the storage server.
+# Use https to reach servers over the network.
+#server_socket = file:///var/run/kopano/server.sock
+
+# Path where to store persistent runtime data.
+#persistency_path = /var/lib/kopano-grapi
+
+# Path where to find translation catalogs.
+#translations_path = /usr/share/kopano-grapi/i18n
+
+# The API includes experimental endpoints which are not yet recommended to run
+# in production setups and are thus disabled by default. When set to yes, all
+# endpoints marked experimental are made available. Defaults to no.
+#enable_experimental_endpoints = yes
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `critical`, `error`, `warning`, `info` or `debug`. Defaults to `info`.
+log_level = info
+log_method = file
+log_file = /var/log/kopano/server.log
+
diff --git a/etc-template/kopano/ical.cfg b/etc-template/kopano/ical.cfg
new file mode 100644
index 0000000..f61e2ff
--- /dev/null
+++ b/etc-template/kopano/ical.cfg
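Review bot: `log_file = /var/log/kopano/server.log` makes grapi append to the storage server's log file, which reads like a copy-paste from server.cfg; two daemons interleaving lines in one file makes log review harder, and per-service rotation leaves one of them writing to the unlinked file. Use a dedicated file, `log_file = /var/log/kopano/grapi.log`. `num_workers = 2` is the only other non-default value in the hunk and would benefit from a one-line comment on why 2 was chosen.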
@@ -0,0 +1,34 @@
+# See the kopano-ical.cfg(5) manpage for details and more directives.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+# ical has often been placed on 8080 and icals on 8443.
+#
+#ical_listen = *%lo:8080
+#icals_listen =
+#tls_min_proto = tls1.2
+# File with RSA key for SSL
+#ssl_private_key_file = /etc/kopano/ical/privkey.pem
+# File with certificate for SSL
+#ssl_certificate_file = /etc/kopano/ical/cert.pem
+
+# Verify client certificate
+#ssl_verify_client = no
+# Client verify file and/or path
+#ssl_verify_file =
+#ssl_verify_path =
+
+# default connection to the storage server
+# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
+#server_socket = http://localhost:236/
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+#log_file = /var/log/kopano/ical.log
+#log_timestamp = yes
+
+# The timezone of the system clock
+#server_timezone = Europe/Amsterdam
+# Enable the iCalendar GET method for downloading calendars
+#enable_ical_get = yes
diff --git a/etc-template/kopano/kapid-pubs-secret.key b/etc-template/kopano/kapid-pubs-secret.key
new file mode 100644
index 0000000..656700f
--- /dev/null
+++ b/etc-template/kopano/kapid-pubs-secret.key
@@ -0,0 +1 @@
+3be77a9c8294eb60dadf05399576a9048582bb77f8fc86af40660f931d743b65
\ No newline at end of file
diff --git a/etc-template/kopano/kapid.cfg b/etc-template/kopano/kapid.cfg
new file mode 100644
index 0000000..9052a5a
--- /dev/null
+++ b/etc-template/kopano/kapid.cfg
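Review bot: this hunk commits a live HMAC secret (`kapid-pubs-secret.key`) to the repository, and because `core/Dockerfile` in this commit copies `etc-template` into the image, every deployment built from it signs Pubs tokens with a key that anyone with read access to the history now holds. Treat the value as compromised: generate a fresh key at deploy time (kapid.cfg's own comment gives `openssl rand -out /etc/kopano/kapid-pubs-secret.key -hex 64`), provide it through a mounted secret or volume, and add the path to `.gitignore`. The same applies to `konnectd-encryption-secret.key` in a later hunk and to the signing key `konnectkeys/konnect-20210314-0ae1.pem` and the `ssl/private/*-key-cert.pem` files listed in the diffstat.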
@@ -0,0 +1,66 @@ +############################################################## +# Kopano API SETTINGS + +# OpenID Connect Issuer Identifier. +#oidc_issuer_identifier= + +# Address:port specifier for where kapid should listen for +# incoming connections. +#listen = 127.0.0.1:8039 + +# Disable TLS validation for all client request. +# When set to yes, TLS certificate validation is turned off. This is insecure +# and should not be used in production setups. +#insecure = no + +# Comman separated list of plugin names which should be loaded. +# If this is not set or the value is empty, kapid scans the plugins_path +# on startup and loads all plugins found. +#plugins = + +# Path to the location of kapi plugins. +#plugins_path = /usr/lib/kopano/kapi-plugins + +############################################################### +# Log settings + +# Log level controls the verbosity of the output log. It can be one of +# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`. +#log_level = info + +############################################################### +# Groupware REST API (grapi) Plugin settings + +# Path where to find Kopano Groupware REST (grapi) sockets. +#plugin_grapi_socket_path = /var/run/kopano-grapi + +############################################################### +# Pubs API (pubs) Plugin settings + +# Path to a key file to be used as secret for Pubs HMAC tokens. +# If no secret_key file is set, a random value will be generated on +# startup (not suitable for production use, since it changes on +# restart). A suitable key file can be generated with +# `openssl rand -out /etc/kopano/kapid-pubs-secret.key -hex 64`. +#plugin_pubs_secret_key = /etc/kopano/kapid-pubs-secret.key + +############################################################### +# Key value store API (kvs) Plugin settings + +# Database backend to use for persistent storage of kvs data. A supported +# backend must be set (sqlite3, mysql). Defaults to `sqlite3` if not set. 
+#plugin_kvs_db_drivername = sqlite3 + +# Database backend data source name. This setting depends on the storage +# backend (plugin_kvs_db_drivername). A DNS is required to use the kvs plugin. +# - For `sqlite3` the value should be the full path to the database file. +# - For `mysql`, us a MySQL DSN in the following format: +# [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...¶mN=valueN] +# See https://github.com/go-sql-driver/mysql#dsn-data-source-name for a +# full list of supported MySQL DSN params with examples. +# If not set and plugin_kvs_db_drivername is also not set a default value will +# be used which uses SQLite3. +#plugin_kvs_db_datasource = /var/lib/kopano/kapi-kvs/kvs.db + +# Path where to find the database migration scripts. +#plugin_kvs_db_migrations = /usr/lib/kopano/kapi-kvs/db/migrations diff --git a/etc-template/kopano/konnectd-encryption-secret.key b/etc-template/kopano/konnectd-encryption-secret.key new file mode 100644 index 0000000..1dd1515 --- /dev/null +++ b/etc-template/kopano/konnectd-encryption-secret.key @@ -0,0 +1 @@ +rL(k"u$ԟ+oF3 8k \ No newline at end of file diff --git a/etc-template/kopano/konnectd-identifier-scopes.yaml b/etc-template/kopano/konnectd-identifier-scopes.yaml new file mode 100644 index 0000000..f9b4b6e --- /dev/null +++ b/etc-template/kopano/konnectd-identifier-scopes.yaml @@ -0,0 +1,14 @@ +# This file contains additional scopes for Konnect. All of the scopes listed +# here are made available to clients upon request if not limited by other means. + +--- +scopes: + kopano/kwm: + description: "Access Kopano Meet" + + kopano/kvs: + description: "Access Kopano Key Value Store" + + kopano/pubs: + description: "Access Kopano Pub/Sub" + diff --git a/etc-template/kopano/konnectd-signing-private-key.pem b/etc-template/kopano/konnectd-signing-private-key.pem new file mode 120000 index 0000000..cce160f --- /dev/null +++ b/etc-template/kopano/konnectd-signing-private-key.pem 
@@ -0,0 +1 @@ +/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem \ No newline at end of file diff --git a/etc-template/kopano/konnectd.cfg b/etc-template/kopano/konnectd.cfg new file mode 100644 index 0000000..e9bf222 --- /dev/null +++ b/etc-template/kopano/konnectd.cfg 
@@ -0,0 +1,146 @@
+##############################################################
+# Kopano Konnect SETTINGS
+
+# OpenID Connect Issuer Identifier.
+# This setting defines the OpenID Connect Issuer Identifier to be provided by
+# this Konnect server. Setting this is mandatory and the setting must be a
+# https URL which can be accessed by all applications and users which are to
+# use this Konnect for sign-in or validation. Defaults to "https://localhost" to
+# allow unconfigured startup.
+#oidc_issuer_identifier=https://localhost
+
+# Address:port specifier for where konnectd should listen for
+# incoming connections. Defaults to `127.0.0.1:8777`.
+#listen = 127.0.0.1:8777
+
+# Disable TLS validation for all client request.
+# When set to yes, TLS certificate validation is turned off. This is insecure
+# and should not be used in production setups. Defaults to `no`.
+#insecure = no
+
+# Identity manager which provides the user backend Konnect should use. This is
+# one of `kc` or `ldap`. Defaults to `kc`, which means Konnect will use a
+# Kopano Groupware Storage server as backend.
+#identity_manager = kc
+
+# Full file path to a PEM encoded PKCS#1 or PKCS#5 private key which is used to
+# sign tokens. This file must exist and be valid to be able to start the
+# service. A suitable key can be generated with:
+# `openssl genpkey -algorithm RSA \
+# -out konnectd-signing-private-key.pem.pem \
+# -pkeyopt rsa_keygen_bits:4096`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-signing-private-key.pem
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#signing_private_key = /etc/kopano/konnectd-signing-private-key.pem
+
+# Key ID to use in created JWT. This setting is useful once private keys need
+# to be changed because they expire. It should be a unique value identiying
+# the signing_private_key. Example: `k20180912-1`.
Not set by default, which
+# means that Konnect uses the file name of the key file (dereferencing symlinks)
+# without extension.
+#signing_kid =
+
+# JWT signing method. This must match the private key type as defined in
+# signing_private_key and defaults to `PS256`.
+#signing_method = PS256
+
+# Full path to a directory containing pem encoded keys for validation. Konnect
+# loads all `*.pem` files in that directory and adds the public key parts (if
+# found) to the validator for received tokens using the file name without
+# extension as key ID.
+#validation_keys_path =
+
+# Full file path to a encryption secret key file containing random bytes. This
+# file must exist to be able to start the service. A suitable file can be
+# generated with:
+# `openssl rand -out konnectd-encryption-secret.key 32`
+# If this is not set, Konnect will try to load
+# /etc/kopano/konnectd-encryption-secret.key
+# and if not found, fall back to a random key on every startup. Not set by
+# default. If set, the file must be there.
+#encryption_secret_key = /etc/kopano/konnectd-encryption-secret.key
+
+# Full file path to the identifier registration configuration file. This file
+# must exist to be able to start the service. An example file is shipped with
+# the documentation / sources. If not set, Konnect will try to load
+# /etc/kopano/konnectd-identifier-registration.yaml
+# without failing when the file is not there. If set, the file must be there.
+#identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
+
+# Full file path to the identifier scopes configuration file. An example file is
+# shipped with the documentation / sources. If not set, Konnect will try to
+# load /etc/kopano/konnectd-identifier-scopes.yaml without failing if the file
+# is not there. If set, the file must be there.
+#identifier_scopes_conf = /etc/kopano/konnectd-identifier-scopes.yaml
+
+# Path to the location of konnectd web resources.
This is a mandatory setting
+# since Konnect needs to find its web resources to start.
+#web_resources_path = /usr/share/kopano-konnect
+
+# Custom base path for URI endpoints for Konnect API and the identifier web
+# application. This needs to be changed when Konnect is served from a path
+# instead of the root of the domain.
+#uri_base_path = /
+
+# Space separated list of scopes to be accepted by this Konnect server. By
+# default this is not set, which means that all scopes which are known by the
+# Konnect server and its configured identifier backend are allowed.
+#allowed_scopes =
+
+# Space separated list of IP address or CIDR network ranges of remote addresses
+# which are to be trusted. This is used to allow special behavior if Konnect
+# runs behind a trusted proxy which injects authentication credentials into
+# HTTP requests. Not set by default.
+#trusted_proxies =
+
+# Flag to enable client controlled guest support. When set to `yes`, a registered
+# client can send authorize guests, by sending signed requests. Defaults to `no`.
+#allow_client_guests = no
+
+# Flag to enable dynamic client registration API. When set to `yes`, clients
+# can register themselves and make authorized calls to the token endpoint.
+# Defaults to `no`.
+#allow_dynamic_client_registration = no
+
+# Additional arguments to be passed to the identity manager.
+#identity_manager_args =
+
+###############################################################
+# Log settings
+
+# Log level controls the verbosity of the output log. It can be one of
+# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
+#log_level = info
+
+###############################################################
+# Kopano Groupware Storage Server Identity Manager (kc)
+
+# URI for connecting to the Kopano Groupware Storage server. This can either be
+# a http(s):// URL for remote systems or a file:// URI to a socket for local
+# connection.
Defaults to `file:///run/kopano/server.sock` and is only used
+# when the identity_manager is `kc`.
+#kc_server_uri = file:///run/kopano/server.sock
+
+# Session timeout for sessions of the Kopano Groupware Storage server in
+# seconds. Access token valid duration is limited to this value and Konnect
+# will expire sessions if they are inactive for the timeout duration. This value
+# needs to be lower or same as the corresponding value used in the Kopano
+# Groupware Storage server's configuration to avoid constant session expiration
+# and recreation.
+#kc_session_timeout = 300
+
+###############################################################
+# LDAP Identity Manager (ldap)
+
+# Below are the settings for the LDAP identity manager. They are only used when
+# the identity_manager is `ldap`.
+#ldap_uri =
+#ldap_binddn =
+#ldap_bindpw =
+#ldap_basedn =
+#ldap_scope = sub
+#ldap_login_attribute = uid
+#ldap_uuid_attribute = uidNumber
+#ldap_filter = (objectClass=inetOrgPerson)
diff --git a/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem b/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem
new file mode 100644
index 0000000..3d0c625
--- /dev/null
+++ b/etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem
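Review bot: Every directive in konnectd.cfg is commented out, so the effective issuer stays at the `https://localhost` fallback, which the file's own comment calls a mandatory setting that must be the public https URL reachable by all clients; tokens minted with a localhost issuer will not validate against the real hostname. Set `oidc_issuer_identifier=https://<public-host>` explicitly in the template, or confirm the entrypoint rewrites it (not visible from this hunk). `trusted_proxies` is likewise empty while kwebd.cfg in this commit binds 0.0.0.0 as the front door; if Konnect sits behind it, list only that proxy's address here so forwarded credentials are honoured from nowhere else.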
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKeeORq+iJ/Rzp +Q9Jhqldvx0jEprZkTz30DWQrxgzr3lgpowY4sPT9P4uu73Y+czMv8CvMX9gacBv8 +ctbhPL2unmYpRX1Vpgw25E768CyX4etn+LCkZy4KvevuPB8Z6Hx1BseM3tu/nWYP +Uf9TczHN48vjLKrsu6zeEXy3TsUpmEqgIQN9DxdMCVlzh9wl7+gx/9JrpM24slFA +4S/ieeaOtlzv8nIWWUB+qeWM35b5ZEtejsiqDaBGHhNhj2z6igUfRrmEkL3V0lkd +nwaMIWYg0mhiZrX1fQy2wsEpWwDjhy6GQp15IIySv9NgjN5P/PqnCjhPQAxwznt8 +KwZucCAh52g/rwykPoMW14SlfVe97zxjEw1MfFmjwi/7jFHh8AGTNl+BVIbZZ/O/ +YgxLurKbNEeNcyl/aaZFlNL11RYRa5QOwrc65+ChRhO4rbvsenstpQbky/vvbZ8v +9BbvcuC/I0TTWJxFBpGHuK2iTFiViAE9bLfKAxsXuZofw74pwltTXU2wyTm/weih +HVTs4DlUtUefsltZRFHVBDDTcUc9WwVtKjvCNKUbE5ZXHRkiZuWxLgjci/4UvrRj +WstQVzbGfGWgi710ZovvKqn1gRJoakJTrdYk9YQMnKuLWuq9DNby4N/jdlbAs7NM +8jEe9TTnJW8z7HX6NQPT/ugoqfnPFQIDAQABAoICAFVU8VefP62IAvs8HhoTFC6D +qmNWb1/vFYkZa7IXEbMGTdmeXyzdRyLD+TaMrSS8oEH/0jWb3xOlU+Yc7/qVAsvo +7d1O7/d8t4Eazz5qoiCQkgmLgcaHxZu5VwlcRS9CD9GyPb9c3PfweebTA+xDjCXd +bzwawx5qKfydGhaXF/jjue+qejHmfkcJWa2bAGjspssLqb68Agdo/118ihXEkipr +KNfnMbXBf7DiIWAxiwsn/auoOWGRxI5IdpqTO7aLHIWF5QG9joPi1rPpJXVBTi1e +/6cY6m6/ePA9O/MV61X4zt6+jGdUFGp0db0nITpMv8ZORFUCBTw1iU1XRKqejqt6 +/dYb1BTSy5vSUUkjV5isrvXsZd4ZEXzC8xvdu4PyXfIUXDJrCR4N/bLCup6C0r82 +7goPw1Lxlr1nPN5A8rzABFrRgcWiiQNs0s82qbE+bf/ZLDXkjK62dDg9ziKE5mQ6 +sXQOBZYIYrdAXLs7SRHcPXyWgCZKlps02jA1w0jWRJPXooeq34ce7N0BlkS6oSde +nH/m+EiYf3EFJtgIRcp+Wp3uXc2Se87fSs6GFK6FkHt496yZLY8UuFdXky1XQQJB +FsrPNJr9vuYz38AwACm7mylw7G1zn9WvIbBP83lA/TmlO/dhQiX/zgcILhA4lYod +ackLcmQlJCY1Oa9tVUIBAoIBAQDx5oJ/99xq0PC9zNBew9NTMqsDhLjNwEq6xdIe +RcXRlXubZVA7yTnQ6xRQsEyRU2538hq8ErVCngNMOrgS3iTiADIWhRLr0VBEe4rj +IGJGIXbrXNUE3tZvnn/OljNz08grzqsCRJSk2OYvCk/9W7v5gXNIkTXIpUO4TXys +s78BSGkg5k4AWv8i16PUrVblOTJgjCD2EkYrBWD4BazjlkbKNwGnbpEAjfgjuKmT +DyK4fJ+vHc1pjR+2QZyEy94CyVsSi+n9al90ydTzf6kzIPBaYTjbp8edp8Z3dZKL +fyUaQoZ1a+bEBxBQp0qVsFeOCUhMSq65cwt4je2W4TLLmyOhAoIBAQDWRx0nkmIa +zQpsyr7ebpUJ7i973gw4qynnMrWQYlRq7TgGNoYBKmPe/3d+PBBjTsTWT7q8AdFD 
+KAENEaWM+FzGErR3bu3sR1Flo1aF02mA6p4BEcSVX25PDsBdzBEg5CwVn+pHf1u4 +4GpXlmLhd3HiSzXOUPKrRRhzJHm3GKqoCRIW00eFllPI4vr/4kpgh8V/l4JpKZow +/Sx882EjtxeGC14xKm9y9MF56oajxrPqxu574tBlfTn4eXyTiW4BsTcLcuf+s/lz +R39Ky/FTY9P42QNHIlSX1tlXTe1gRc2qE3QlQYXcc2+P+yasiXNeEiAQFo63TH4I +pWYKmaiTxPb1AoIBAQChr76YhHbK2t+fLbA1N1UgLiTKlELmG9qXXrRkUaS4wt68 +7oojfAvuDcMlb8Gt/YNAHw4pmaOYZH+1yyXQTrV+bj0MemQ8RUsOizk5OSMW1zVi +eklUGRJhxyKMVi8MA4mvZlM9j9N/IA8zcAQpR9CsJA+HeK/nbjeGkBx+XyKTW/AQ +8n8+k5QnmNVDyZzkWEfI6sD5WRuXk9/NyBVYhdDJRt0PKcM4CKzMS5jk1+AQShR9 ++0CahZ6lttNEm/PIDwiVq/l5zkkBigqRu0nACAs/je5wO4QcZ9ErdeW+4fxNwhuX +jsjPTB1mm3sp9JWBNckiXWTORgxrxwoAqIPIPekhAoIBAQCt5TSR4shfO7uUIs3X +siKd1oEOo1uDudTd3lde/43G4REwaZtC4uX+GZEeDxy1mz0/N6Ex5r+vIo4HzyRt +TTntPUzcCFhqAk7ajz4uiS38A2uLLqI9Hx9kZXJULMJR0Rq9yfPVZlRHq0hiIJfK +pqbzoVnfP+5QdFitSRLGNux4RjQ59ej7Ts5cH2jXtQvrXwQ20fxx3+NUkoJCPTm+ +RF6A2ETu3aNoxZ0mleAClcV5aUwtmhrJ4mDjd6RUD5oJIYqsbeo82E4+8e0qBGyq +4j8qmuOAHSpNt3zWz1UvZjbMKdF+UriR+dS2Inp2V24bD9aZd9UGiLtXxPMU8zLO +CXDpAoIBAEycsfTcArULdH9q8mDEM+PiTr49kNL9X7UYDLziNTuU363jcYQ/iXDp +gAdL21caMhcV3C+iAjSb70HwXu6NKEO7Lb703OtgTWHZE9kFssRlA91VSw3X5fCT +I88MqRzFDsdrE9tUlDbQ2S3GP18PuMhLFJdPuZ4whdqiQMfnQxD25rG/Gi8eypz9 +J/t/LhciIJxaaBaT5YU/t0KGEAlsSrpuPN3sSq7iQYrrUKQY2Mghy4wKP1qwLhLX +DEr1HZ3gfTZcdvk5ftkGvy4QP6rNRMNo/74l1yp+vAUf/4uA1Wu9QWOJfFOVvfV3 +bPlsxOijJGo9JSDH/en3wE654P52ygY= +-----END PRIVATE KEY----- diff --git a/etc-template/kopano/kweb/.kweb/.setup-done b/etc-template/kopano/kweb/.kweb/.setup-done new file mode 100644 index 0000000..e69de29 diff --git a/etc-template/kopano/kwebd.cfg b/etc-template/kopano/kwebd.cfg new file mode 100644 index 0000000..cb6727f --- /dev/null +++ b/etc-template/kopano/kwebd.cfg 
@@ -0,0 +1,137 @@
+##############################################################
+# Kopano Web SETTINGS
+
+# Site's host name.
+# Full qualified host name. If set, kweb provides HTTP/HTTPS for this host
+# including automatic ACME CA TLS and Content Security Policy generation. If not
+# set (the default), kweb is available under all names and does not try to
+# obtain a certificate via ACME.
+#hostname=
+
+# ACME CA email.
+# To allow automatic TLS via ACME, the CA needs an email address. Provide your
+# email address here to enable automatic TLS via ACME. If tls_acme_email and
+# hostname are set, kweb will automatically manage TLS certificates unless
+# explictly disabled by other settings.
+#tls_acme_email =
+
+# ACME CA subscriber agreement.
+# Set to `yes` to accept the CA's subscriber agreement. If this is `no` or
+# not set and kweb is otherwise configured to use ACME, kweb will log the link
+# to the CA's subscriber agreement and then exit. You have to change this
+# setting to `yes` to use automatic TLS via ACME.
+#tls_acme_agree = no
+
+# ACME CA server directory.
+# URL to the certificate authority's ACME server directory. Default is to use
+# Let's Encrypt (https://acme-v02.api.letsencrypt.org/directory).
+#tls_acme_ca = https://acme-v02.api.letsencrypt.org/directory
+
+# HTTP Strict Transport Security.
+# Value for HTTP Strict Transport Security response header. Default to
+# `max-age=31536000;` and is only used if hostname is set. Set explicitly to
+# empty to disable.
+#hsts=max-age=31536000;
+
+# Bind address to bind the listeners.
+# This setting defines where to bind kweb http listeners. By default kweb binds
+# to all interfaces/ips since it needs to be available from external.
+#bind=0.0.0.0
+
+# Web root folder.
+# Full path to the web root. All files below that folder are served by kweb and
+# the path is used as base for otherwise relative paths.
+# Default: `/usr/share/kopano-kweb/www`
+#web_root = /usr/share/kopano-kweb/www
+
+# Port for HTTPS listener.
+# When TLS is enabled, kweb will serve the TLS listener on this port. Defaults
+# to 9443 if `hostname` is not set and `443` otherwise.
+https_port = 7443
+
+# Port for HTTP listener.
+# When TLS is disabled, kweb will serve the listener on this port. Defaults to
+# 9080 if `hostname` is not set and `80` otherwise.
+http_port = 7080
+
+# HTTP/2 support.
+# Set to `yes` to enable HTTP/2 support on all TLS listeners. HTTP/2 is enabled
+# by default. Set to `no` to disable.
+#http2 = yes
+
+# QUIC support.
+# Experimental support for QUIC. Set to `true` to enable. Default is `no`.
+#quic = no
+
+###############################################################
+# Log settings
+
+# HTTP request log file (access log in combined format).
+# Full path to log file where to log HTTP requests. Not set by default which
+# means requests are not logged.
+#request_log_file = /var/log/kopano-kweb/access.log
+
+###############################################################
+# TLS settings
+
+# TLS support.
+# Support encrypted listeners and automatic TLS certificate creation when set
+# to `yes`. Set to `no` to disable all TLS and listen on plain HTTP.
+#tls = yes
+
+# TLS certificate bundle.
+# Path to a TLS certificate bundle (concatenation of the server's certificate
+# followed by the CA's certificate chain). If set, the TLS listener will use
+# that certificate instead of trying automatic TLS.
+#tls_cert =
+
+# TLS private key.
+# Path to the server's private key file which matches the certificate bundle. It
+# must match the certificate in tls_cert.
+#tls_key =
+
+# TLS protocols.
+# Minimal and maximal TLS protocol versions to be offered. Defaults to TLS 1.2
+# and TLS 1.3 (`tls1.2 tls1.3`).
+#tls_protocols = tls1.2 tls1.3
+
+# TLS self sign.
+# By default kweb creates self signed TLS certificates on startup on if ACME is
+# not possible due to missing settings.
If set to `yes`, ACME is disabled and a
+# self signed certificate will always be created. Default: `no`.
+#tls_always_self_sign = no
+
+# TLS must stable.
+# Enables must stable for certificates managed by kweb. If this is set to `yes`
+# and kweb requests certificates via ACME, those certificates will require that
+# the OSCP information is stapled with the response. Defaults to `no`.
+#tls_must_staple = no
+
+###############################################################
+# App settings
+
+# Default top level redirect.
+# When set, top level requests `/` will redirect to the configured value.
+# Not set by default.
+#default_redirect =
+
+# Legacy support.
+# To make integration into existing environments easier kwebd can act as a
+# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
+# in Apache or Nginx. Set the address to the legacy web server here. Not set by
+# default.
+#legacy_reverse_proxy = 127.0.0.1:8000
+
+###############################################################
+# Limiting settings
+
+# Rate limit tate.
+# Limits Excessive access to services. Requests will be terminated with an error
+# 429 (Too Many Requests) and X-RateLimit-RetryAfter is added.
+# Format "rate burst unit", Defaults to "100 200 minute".
+#ratelimit_rate = "100 200 minute"
+
+# Rate limit whitelist.
+# Your trusted IPs (comma separated). Defines the CIDR IP range you don't want
+# to perform rate limit. Defaults to `127.0.0.1/8`.
+#ratelimit_whitelist = 127.0.0.1/8
diff --git a/etc-template/kopano/ldap.cfg b/etc-template/kopano/ldap.cfg
new file mode 100644
index 0000000..9064409
--- /dev/null
+++ b/etc-template/kopano/ldap.cfg
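Review bot: `https_port = 7443` and `http_port = 7080` are the only live directives in kwebd.cfg, and with `hostname` unset there is no ACME certificate and no HSTS header, so by the `tls_always_self_sign` comment kweb will serve a self-signed certificate on 7443 with nothing in the template making that explicit. server.cfg in this commit already points at `/etc/kopano/ssl/private/server-key-cert.pem` and `/etc/kopano/ssl/certs/balusign-ca-chain.pem`; if that certificate is meant to cover kweb as well, set `tls_cert` and `tls_key` to the matching files here, and if TLS is terminated elsewhere, say so in a comment above `https_port`. The `# Rate limit tate.` heading reads as a typo for "rate" and can be fixed in the same pass.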
@@ -0,0 +1,36 @@
+# See the kopano-ldap.cfg(5) manpage for details and more directives
+
+# Select implementation.
+# If you have any reason to override settings from /usr/share/kopano/*.cfg,
+# do so at the end of this (/etc-resident) config file.
+#
+!include /usr/share/kopano/ldap.openldap.cfg
+#!include /usr/share/kopano/ldap.active-directory.cfg
+
+# List of URIs of LDAP servers to use. Make sure that etc/ldap/ldap.conf is
+# /configured correctly with TLS_CACERT when using "ldaps".
+ldap_uri =
+#ldap_starttls = no
+
+# The DN of the user to bind as for normal operations.
+# When empty, uses anonymous binding.
+ldap_bind_user =
+ldap_bind_passwd =
+
+# Top level search base, every object should be available under this tree
+ldap_search_base =
+
+# The timeout for network operations in seconds
+#ldap_network_timeout = 30
+
+# ldap_page_size limits the number of results from a query that will be downloaded at a time.
+# Default ADS MaxPageSize is 1000.
+#ldap_page_size = 1000
+
+#ldap_membership_cache_size = 256k
+#ldap_membership_cache_lifetime = 5
+
+# Use custom defined LDAP property mappings
+# This is not a requirement for most environments but allows custom mappings of
+# special LDAP properties to custom MAPI attributes
+#!propmap /etc/kopano/ldap.propmap.cfg
diff --git a/etc-template/kopano/monitor.cfg b/etc-template/kopano/monitor.cfg
new file mode 100644
index 0000000..010b342
--- /dev/null
+++ b/etc-template/kopano/monitor.cfg
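Review bot: `ldap_uri`, `ldap_bind_user` and `ldap_bind_passwd` are left empty next to `#ldap_starttls = no`, so whoever fills this in will most likely end up with a plaintext bind password sent over an unencrypted ldap:// connection. Make the secure form the template default: uncomment `ldap_starttls = yes`, or pre-fill an `ldaps://` URI and keep the TLS_CACERT reminder from the comment above it. Note also that server.cfg in this commit leaves `#user_plugin = db` commented out, so this file is not consulted at all unless that is switched to `ldap` and `user_plugin_config` points here; a one-line comment at the top saying so would stop the two files drifting apart.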
@@ -0,0 +1,28 @@
+# See the kopano-monitor.cfg(5) manpage for details and more directives.
+
+#server_socket = file:///var/run/kopano/server.sock
+# Login to the storage server using this SSL Key
+#sslkey_file = /etc/kopano/ssl/monitor.pem
+# The password of the SSL Key
+#sslkey_pass = replace-with-monitor-cert-password
+# in a multi-server environment, which servers to monitor (default all)
+#servers =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+#log_file = -
+#log_timestamp = yes
+
+# Quota check interval (in minutes)
+#quota_check_interval = 15
+# Quota mail interval in days
+#mailquota_resend_interval = 1
+
+# Template to be used for quota emails which are sent to the user
+# when the various user quota levels have been exceeded.
+#userquota_warning_template = /etc/kopano/quotamail/userwarning.mail
+
+# Templates to be used for quota emails which are sent to the company administrators
+# when the company quota level has been exceeded.
+#companyquota_warning_template = /etc/kopano/quotamail/companywarning.mail
diff --git a/etc-template/kopano/php-mapi.cfg b/etc-template/kopano/php-mapi.cfg
new file mode 100644
index 0000000..f36b4d4
--- /dev/null
+++ b/etc-template/kopano/php-mapi.cfg
@@ -0,0 +1,30 @@
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file), syslog facility is 'mail'
+#log_method = syslog
+
+# Logfile (for log_method = file, '-' for stderr)
+#log_file = /var/log/kopano/php-mapi.log
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Log timestamp - prefix each log line with timestamp in 'file'
+# logging mode
+#log_timestamp = yes
+
+# Buffer logging in what sized blocks. 0 for line-buffered (syslog-style).
+#log_buffer_size = 0
+
+# This setting will make php-mapi trace how long each MAPI-call
+# took into the selected logfile.
+# Make sure that the file exists and/or can be written to by the
+# apache user.
+# php_mapi_performance_trace_file = /var/log/kopano/php-mapi-perf-trace.log
+
+# Enable debug output for the mapi extension
+# Bitmask:
+# 1 = Log start of a function
+# 2 = Log end of a function
+#php_mapi_debug = 0
diff --git a/etc-template/kopano/quotamail/companywarning.mail b/etc-template/kopano/quotamail/companywarning.mail
new file mode 100644
index 0000000..fd22f6c
--- /dev/null
+++ b/etc-template/kopano/quotamail/companywarning.mail
@@ -0,0 +1,11 @@
+Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
+
+The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
+the size limits set by the administrator.
+The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limit:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded this warning message will be sent
+
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/companywarning.mail.dpkg-new b/etc-template/kopano/quotamail/companywarning.mail.dpkg-new
new file mode 100644
index 0000000..fd22f6c
--- /dev/null
+++ b/etc-template/kopano/quotamail/companywarning.mail.dpkg-new
@@ -0,0 +1,11 @@
+Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
+
+The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
+the size limits set by the administrator.
+The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limit:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded this warning message will be sent
+
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userhard.mail b/etc-template/kopano/quotamail/userhard.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userhard.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userhard.mail.dpkg-new b/etc-template/kopano/quotamail/userhard.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userhard.mail.dpkg-new
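Review bot: The `.dpkg-new` files (companywarning.mail.dpkg-new here, and userhard, usersoft and userwarning `.mail.dpkg-new` in the following hunks) are leftovers from a package upgrade's conffile prompt and are byte-identical to their siblings, as the matching blob ids show; they should be removed from the template rather than shipped into /etc/kopano/quotamail. Separately, usersoft.mail and userwarning.mail carry the same blob id as userhard.mail, so a user crossing only the warning level receives text about being unable to send or receive mail; if that is not intended, trim each template to the level it announces.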
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/usersoft.mail b/etc-template/kopano/quotamail/usersoft.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/usersoft.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/usersoft.mail.dpkg-new b/etc-template/kopano/quotamail/usersoft.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/usersoft.mail.dpkg-new
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userwarning.mail b/etc-template/kopano/quotamail/userwarning.mail
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userwarning.mail
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/quotamail/userwarning.mail.dpkg-new b/etc-template/kopano/quotamail/userwarning.mail.dpkg-new
new file mode 100644
index 0000000..2c499cb
--- /dev/null
+++ b/etc-template/kopano/quotamail/userwarning.mail.dpkg-new
@@ -0,0 +1,17 @@
+Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
+
+Your mailbox has exceeded one or more size limits set by your administrator.
+Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
+
+Mailbox size limits:
+ * Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
+ - When this limit is exceeded a warning message will be sent
+ * Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
+ - When this limit is exceeded you will not be able to send new email
+ * Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
+ - When this limit is exceeded you will not be able to send and receive new email
+
+To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
+Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
+You must empty the Deleted Items folder after deleting items or the space will not be freed.
+See client Help for more information.
diff --git a/etc-template/kopano/search.cfg b/etc-template/kopano/search.cfg
new file mode 100644
index 0000000..0321f0e
--- /dev/null
+++ b/etc-template/kopano/search.cfg
@@ -0,0 +1,39 @@
+# See kopano-search.cfg(5) for more details and directives.
+
+# Location of the index files
+#index_path = /var/lib/kopano/search/
+# Limit the number of results returned (0 = no limit)
+#limit_results = 1000
+
+# Use https to reach servers over the network
+server_socket = https://zntrl-server-1:237
+# Login to the storage server using this SSL Key
+sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
+# The password of the SSL Key
+#sslkey_pass = replace-with-server-cert-password
+
+# To setup for multi-server, use: http://0.0.0.0:port or https://0.0.0.0:port
+#server_bind_name = file:///var/run/kopano/search.sock
+# File with certificate for SSL, used when server_bind_name uses https://...
+#ssl_certificate_file = /etc/kopano/search/cert.pem
+# File with RSA key for SSL, used when server_bind_name uses https://...
+#ssl_private_key_file = /etc/kopano/search/privkey.pem
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+#log_file = /var/log/kopano/search.log
+#log_timestamp = yes
+
+# Number of indexing processes used during initial indexing
+#index_processes = 1
+#index_drafts = yes
+#index_junk = yes
+# Prepare search suggestions ("did-you-mean?") during indexing
+# This takes up a large percentage of the used disk space
+#suggestions = yes
+
+# Should attachments be indexed
+#index_attachments = no
+# Maximum file size for attachments
+#index_attachment_max_size = 5M
diff --git a/etc-template/kopano/server.cfg b/etc-template/kopano/server.cfg
new file mode 100644
index 0000000..4950309
--- /dev/null
+++ b/etc-template/kopano/server.cfg
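Review bot: `log_level = 6` switches kopano-search to debug logging in a template that is otherwise production-shaped (it already talks to `https://zntrl-server-1:237` with a client certificate), and server.cfg in this commit does the same; debug output from an indexer may include message metadata and query terms and grows quickly. Keep the shipped default (`#log_level = 3`) in the template and raise it per deployment when diagnosing. `sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem` with `#sslkey_pass` commented means that key sits unencrypted on disk, so confirm its mode restricts it to the search service user.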
@@ -0,0 +1,121 @@
+# See the kopano-server.cfg(5) manpage for details and more directives.
+
+# If a directive is not used (i.e. commented out), the built-in server default
+# is used, so to disable certain features, the empty string value must explicitly be
+# set on them.
+
+# Space-separated list of address:port specifiers with optional %interface
+# infix for where the server should listen for connections.
+server_listen = 0.0.0.0:236
+server_listen_tls = 0.0.0.0:237
+# server_ssl_key_file: needs key and certificate
+server_ssl_key_file = /etc/kopano/ssl/private/server-key-cert.pem
+#server_ssl_key_pass =
+server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-ca-chain.pem
+#server_ssl_ca_path = /etc/kopano/ssl/certs
+#server_tls_min_proto = tls1.2
+# Path of SSL Public keys of clients
+sslkeys_path = /etc/kopano/sslkeys
+
+# Name for identifying the server in a multi-server environment. Need
+# not be a DNS name, but this name needs to be present on a LDAP
+# kopano-server object's cn value.
+#server_name = kopano.server
+# Multi-server
+#enable_distributed_kopano = false
+
+database_engine = mysql
+mysql_host = mysql
+mysql_port = 3306
+mysql_user = kopano
+mysql_password = zAKt(85&
+mysql_database = kopano
+
+# Allow connections from normal users through the Unix socket
+#allow_local_users = yes
+
+# Space-separated list of users that are considered Kopano admins.
+local_admin_users = root kopano
+
+log_method = auto
+# log_file = /var/log/kopano/server.log
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+log_timestamp = yes
+
+# Attachment backend driver type: "database", "files", "files_v2", "s3"
+#attachment_storage = files
+#attachment_path = /var/lib/kopano/attachments
+
+#attachment_s3_hostname = s3-eu-west-1.amazonaws.com
+# The region where the bucket is located, e.g. "eu-west-1"
+#attachment_s3_region =
+# The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
+#attachment_s3_protocol =
+# The URL style of the bucket, "virtualhost" or "path"
+#attachment_s3_uristyle =
+# The access key id of your S3 account
+#attachment_s3_accesskeyid =
+# The secret access key of your S3 account
+#attachment_s3_secretaccesskey =
+# The bucket name in which the files will be stored
+#attachment_s3_bucketname =
+
+# User backend driver type: "db", "unix", "ldap"
+#user_plugin = db
+#user_plugin_config = /etc/kopano/ldap.cfg
+#enable_sso = false
+# Hostname override for Kerberos SSO
+#server_hostname =
+
+# OpenID Connect Issuer Identifier. When set, the server attempts OIDC discovery
+# and initialization on startup, using the configured issuer identifier.
+#kcoidc_issuer_identifier =
+#kcoidc_initialize_timeout = 60
+
+# Skip creation/deletion of users for testing purposes, instead log it.
+#user_safe_mode = no
+
+# Multi-tenancy
+#enable_hosted_kopano = false
+# Display format of store name
+# Allowed variables:
+# %u Username
+# %f Full name
+# %c Tenant's name
+#storename_format = %f
+
+# Loginname format for multi-tenancy installations
+# When the user does not login through a system-wide unique
+# username (like the email address) a unique name is created
+# by combining the username and the tenantname.
+# With this configuration option you can set how the
+# loginname should be built up.
+#
+# Note: Do not use the = character in the format.
+#
+# Allowed variables:
+# %u Username
+# %c Teantname
+#
+#loginname_format = %u
+
+#enable_gab = yes
+# Whether to hide/show the special GAB "Everyone" group that contains
+# every user and group for non-admins.
+#hide_everyone = no
+# Whether to hide/show the special GAB "SYSTEM" user for non-admins.
+#hide_system = yes
+# Synchronize GAB users on every open of the GAB (otherwise, only on
+# kopano-admin --sync)
+#sync_gab_realtime = yes
+
+# Use indexing service for faster searching.
+# Enabling this option requires kopano-indexd or kopano-search to be active.
+#search_enabled = yes
+#search_socket = file:///var/run/kopano/search.sock
+#search_timeout = 10
+
+# Disable features for users. This list is space separated.
+# Currently valid values: imap pop3 mobile outlook webapp
+disabled_features = pop3
diff --git a/etc-template/kopano/spamd.cfg b/etc-template/kopano/spamd.cfg
new file mode 100644
index 0000000..c51812b
--- /dev/null
+++ b/etc-template/kopano/spamd.cfg
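Review bot: `mysql_password = zAKt(85&` puts a database credential into a file that is committed to the repository, so it is now recoverable from git history by anyone with read access; it should be rotated, and the template should carry an obvious placeholder such as `mysql_password = <MYSQL_PASSWORD-set-at-deploy>` with the real value injected at container start from the environment. `server_listen = 0.0.0.0:236` keeps the plaintext listener open on every interface next to the TLS listener on 237; since the other cfg files in this commit already connect to `https://zntrl-server-1:237`, binding 236 to the loopback or the internal interface (or dropping it) narrows the exposure. `local_admin_users = root kopano` and the debug-level `log_level = 6` would also benefit from a one-line comment on why they differ from the defaults.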
@@ -0,0 +1,53 @@
+##############################################################
+# SPAMD SERVICE SETTINGS
+
+# run as specific user
+#run_as_user = kopano
+
+# run as specific group
+#run_as_group = kopano
+
+# control pid file
+#pid_file = /var/run/kopano/spamd.pid
+
+# run server in this path (when not using the -F switch)
+#running_path = /var/lib/kopano
+
+##############################################################
+# LOG SETTINGS
+
+# Logging method (syslog, file)
+#log_method = file
+
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+#log_level = 3
+
+# Logfile for log_method = file, use '-' for stderr
+#log_file = /var/log/kopano/spamd.log
+
+# Log timestamp - prefix each log line with timestamp in 'file' logging mode
+#log_timestamp = 1
+
+###############################################################
+# SPAMD Specific settings
+
+# The dir where spam mails are written to which are later picked up
+# by the sa-learn program
+#spam_dir = /var/lib/kopano/spamd/spam
+
+# Location for the database containing metadata on learned spam
+#spam_db = /var/lib/kopano/spamd/spam.db
+
+# Learn ham, when the user moves emails from junk to inbox,
+# enabled by default.
+#learn_ham = yes
+
+# The dir where ham mails are written to which are later picked up
+# by the sa-learn program
+#ham_dir = /var/lib/kopano/spamd/ham
+
+# Spamassassin group
+#sa_group = amavis
+
+# Header tag for spam emails
+#header_tag = X-Spam-Flag
diff --git a/etc-template/kopano/spooler.cfg b/etc-template/kopano/spooler.cfg
new file mode 100644
index 0000000..a0beb41
--- /dev/null
+++ b/etc-template/kopano/spooler.cfg
@@ -0,0 +1,30 @@
+# See the kopano-spooler.cfg(5) manpage for details and more directives.
+
+# Outgoing mailserver
+smtp_server = postfix
+smtp_port = 25
+
+# Server Unix socket location
+server_socket = https://zntrl-server-1:237
+# Login to the storage server using this SSL Key
+sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
+# The password of the SSL Key
+sslkey_pass =
+
+#log_method = auto
+# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
+log_level = 6
+#log_file = -
+#log_timestamp = yes
+
+# Dump raw messages into specified directory before sending via SMTP.
+#log_raw_message_path = /var/lib/kopano
+#log_raw_message_stage1 = no
+
+# Maximum number of threads used to send outgoing messages
+#max_threads = 5
+
+# spooler Python plugin framework. Disables threading.
+#plugin_enabled = no
+# Path to the activated spooler plugins.
+#plugin_path = /var/lib/kopano/spooler/plugins
diff --git a/etc-template/kopano/ssl/certs/balusign-ca-chain.pem b/etc-template/kopano/ssl/certs/balusign-ca-chain.pem
new file mode 100644
index 0000000..10c08d7
--- /dev/null
+++ b/etc-template/kopano/ssl/certs/balusign-ca-chain.pem
@@ -0,0 +1,106 @@
+-----BEGIN CERTIFICATE-----
+MIIJgTCCBamgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
+IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMDQwNzA5NTIx
+MFoXDTMzMDQwNjA5NTIxMFowgY8xEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
+JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
+ZTEiMCAGA1UECwwZSW5mb3JtYXRpb24gU2VjdXJpdHkgVW5pdDEcMBoGA1UEAwwT
+QmFsdVNpZ24gU2lnbmluZyBDQTCCA+IwDQYJKoZIhvcNAQEBBQADggPPADCCA8oC
+ggPBAKeU5NqQjKgTDVUYWwJanWyDiOLR7RyobQeFAVeGogwZQ/hOy+INl5VAps+7
+7YB6PnjXOa6tCFdJW+tQaXJxqsdU51W4LE6Iq5BpWGx9ltnqDcksXww7iIdHgblv
+4db0ErZM3CogOF3Sr2jYo28OmpqsEFMrbvJ2FDxgBG4/NIGUIqZumY8Aq9JyqA2a
+8yOKPiFyjeiABlNdyvoGNF0RnzxOeErO2loKtUuW5hfLxnUvzin1WnVtipEy1TOd
+E/eRoBfUpexyUXH2/DKw9CvH/ZGGz8oApe8SWSJlO4xSOgxONkuaybs+VzaMxtPU
+ACeeyOILVbQ25BhWSVOW9CfcUeQwqf7pViCUPx7kBSR/RpiLN1JGpEACW6B1D4wy
+OsOq55I0qSou7lJSJtkplSSzS1OxbK+SW1yq/FdPOJvqMIB88OuvrKlve4tDG7tQ
+hfbGrLnF0BKcBE3H2qkkujQ5zULptX1WpklBDnPvxcmlCGwW0XzrRHpOPQDTPbkh
+pH4a4Sph2rWFK7A0Qft8j2eMis7D1Wc30miV4DFYekQc5C3PernGwci3BM7qX4Xt
+5oNbjMk53N2VB5MjT1aVLWlW66+M9vPZ9Y+VCTfSs0p+rUwtyLoYPKulQRhg7zcS
+im6VnQatsiPZM6ssUNFu3602f6E6t0wdIOr1/WAuaIN0WWMWATkPhJ6tpcRSbu3e
+PpOwSbjbwxEPfk5q73xyJZ63XCfFAKihK2KpDOM2D2n0QhKyWOBa5Yw9BZaouSQz
+kBVFYYLm26wfOwvUKwLXX76BDOW33YO61EwV5Jswwp6L+x4Jn6CD4oloBR35ix9t
+aFXTmKA0zoRgrf7SiV38O6GCK3fIxGCz3YC3WRBWoZ519fM7YqqtG71LFPr5cTa8
+EU2QAxizw82Rp0e06yWCFGbfq+8eJB4r8f4+NM6Nqc/4IZZVcmMX3k/R9bOXw7L9
+7HI68QIa34KhQs9KFHUedr5QDS5yU2Ts1mpgzAkCvNqVYGbovm19OTwglDCrb6+i
+KQ29wi1CK9VJUSJx2RaOufh9COndNi640clgSWqClLPChCyhgosuwVPFOQYko6Ez
+nWl5LCvnLh3ieAqVys61t98ll9ueoVyD4HIcseuu9+h7xh02i/SVpD34CZlNwT+u
+BkhSzCoVoj2yp5RZeJFSqXT/99avmbI99O5RGxpTzB3MtADrX0zD1LK2jzvumRrv
+HIPGfB8TTl6aN1dDZ7aA67SnI7cybxhja+52DECwWCnxXx6MTM86/0ZNG6hZe/wu
+SQ3Q0QIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
+ADAdBgNVHQ4EFgQUypuBBCYN5ViDw4UBxZtTxzBXbBAwHwYDVR0jBBgwFoAU+o8o
+2baOIFDraC5/jXb/T0MRzrYwDQYJKoZIhvcNAQEMBQADggPBAKK6zoKmVe5FxVaP
+85TgjvbVQWZdaejlma9xZuSJPxicHuaEjuSrcthaqQ6rhdccLcniuY3+heKAjKqU
+fdGzOhjwyfAGFjP/xd/xb4c7eh7EQ/NnYPM82Miiw1pd4sA+8hJnDoLlK1dO+SAw
+5N0UrJLl+N33DT95fjykxNysCOxPSnNihKI86QlkpCUJ1GgupoRFRNJ7ditW8Fcu
+vWfZw3GSwWQNFAzBL0/xbiVh1/mZRnaKRK8APVT70M40UtIzu/Rr8D9TfoyDzuy5
+pkjQXhclz/tuctnvkwOEwmeOYHtozdg4SZlePJ4hrUkLIwgEcN1xk4XueioTT5+d
+VouUg6kg7YdpRiJH4PvLudUnoGs8+277gQZIyQgMoF0iR9IYXMBcDcaOnb6fcmKD
+Pxiu395c0a3alnugmkqRoJboiGFPbU0BUOXTV0uRLkXVFSs5FSccfUGrnPP+Kk73
+ePfOLVazmsiSF0J+k0ngh9U6I067FdAEqEFyqLj7nLT9B8Wd6YR1mCFzPUNg5k70
+pXeyap1Y+kW03+bsw/uakqTSf6aCFa+vXwyHoMsC1Pb8hCRtYh/FisON9IcGe0em
+A3JAwoiwLyAQT94/fNm+kf7LiM+lQP0Odj/dos9yBBqu5oZ2J0f+AAGpOqOy9zez
+hC8lEtn14y9QMmEoEHUdNPMIHS3W859ejF+tmZ+rpfLgL1VHmiv162gw0tRz1hX7
+NDNhqlNNBygC83hi+BzHLgfZIqTumRVIQulwzyhX6tqtG4TGvxQ3MXluKH2RA9Yk
+SM2Shm8l6RVaadA0gGmfmd97WVnd0jUJXFMpZSZCsLuI9PesTkW59cIloVvl6AXM
+csVJqGCiuElHZDAjGmGvHJJEnnckZCTC0czaoRSEN8GmDCWnewPn7VAUTR+Qv30G
+26yVOQWcNr7h8I7dkXEF9DfJRz/5p3+Tu0T7HCi8vwz4dAaB4YPm1Zl5TZSIF8U5
+TgV15BFN1nXSyLLdZsn1wcGjjFKR22kdyKonZjh2M+9ZGHDLAhY5abHzvK08d1av
+NvgPcddVAJCWxgabjdrA/gB4GDeNRSLYWPmvb5O4H/FfYteAVbbasoSmc+4zhv4D
+ZXsQvYwuyLuv6dDIlGeiHM8+u1wSP2Dp8PdE1E0xSg0kYp8AmwCTsjoKowMH8A7A
+wm/eGWZED2yoZLmIalE1ps76kfBBzNbJQMyioE0nrfU+0RF/RSAv/AzH6fz2pTta
+9lzdU5OOIo4HNAwaHyxla5gW6P0N+i1mUAq/z7ZLVrI7DvuRww==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIJfjCCBaagAwIBAgIBATANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
+IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMDQwNzA5NTA1
+OFoXDTMzMDQwNjA5NTA1OFowgY8xEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
+JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
+ZTEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMSkwJwYDVQQDDCBCYWx1U2lnbiBDZXJ0
+aWZpY2F0aW9uIEF1dGhvcml0eTCCA+IwDQYJKoZIhvcNAQEBBQADggPPADCCA8oC
+ggPBAOWJ0SL/yhWvkUlqKyAvDKKa5BFEAgUci1LYMUya0nm1SZZCg5J/PCr459LQ
+pLfzQCRKZsLlx3EDxvsw6hMtFzGKIUGVtEkNpxWcbKZhhln0jScdsyyVrdbYSXp3
+BwXtP2iC843Mk6vSSl7VKDmLAellR8Z3W3mjb6LXOBx3imitFNUDZpKv2jBrvHiv
+XeLcym6KuQ8EWZKGZNYUCrlQCpvbuAaHKF1C7KlKhR1LRZl7NcvFvnlrl4uUopSt
+TsZcK3Kb6jaiYr/19RNxDy/4GXbTsCtC9/lpo42iPm8KzNlTapZ2zGbmDeCzveDg
+N9NWNXyO5mYpnkFXTSEkmiwIdyWVLcomvyVKW0cyTUcET1s1D6NZokqvjolscyno
+Ff8Ez24IWbfRxT+OFHSqJwSHc7rXPGftoB1KBP7UP2K1EYYnC+vxDejRkdC0IFuv
+KrzonogkDDaJb6A0+hWSBSGMQpKfCbayTkU8nBzo8ilSM9S+dW0SIbWkptNdXZqL
+AQjT8hJe3vGejGXyGC7zLd0kEGBz098+JpbZLVyStakpJcn0HkZzUjxh7DSS3vtp
+3QV5IUZ4jBxp5/lRvCQ/Uz0re4KSXPXOMpEQwD1Ay7uPzADXv0ibMFfE22PT80fr
+r1YsJjT01C0QUbM4j++1w2kVara9wRaa/x2eEpCDHRRbvtNZ8K4YxqXxhoc7POOo
+X3/w9keXobo4BmH9uV2t2twg/lHiyBrQfSfsAr2+3/5Tt/pv6wuVCVJcxwFSm0ey
+ighWD5WUAvMvShFkGr8D/tyTulq33IySbh7tZFj40Fh88TD2Z1VWFWK+5OHWjsK0
+GSuOANw8Mj5Seq2RH8CkbrALok547YGLfls7pw4PTXkW/rmPallQLLLs8VT6MDwg
+SPk6sIMVOFF6rq9q5QV8EQliSYQ/vS4rh0qAG0zltaoWS40rTPsOGBJCftDOJFJp
+06XuLTyKrFRtCWP6dSuh+ju6EGTYk0rcBLeiKhFptB9HZtwE5Cd1khysfE3pDMiw
+ksGEjMnzhbLuTeBH9QlcYLZWqmH9ZK35qZ9cKvsHf0jlHYZOASnEaPX8CXhGWXKn
+skzOq4ihc6gZXKlSjX9Mglkfzru6hwg8f4i7L20wySrl/HOc8kuPZZ/UqLulBCI2
+yr6TKlvJXu5BkRUJZ0EGnpRCLaxWiNah+DcpbKeoHVIj5Z9Xq5p78N+d4LD9dKw0
+6VwcH74LJDT4jHVKu2zTuqyKTWw0jitqWjeexxPbeZTV4KBiIDYMEYVsr/Swx+u7
+4dU8YQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd
+BgNVHQ4EFgQU+o8o2baOIFDraC5/jXb/T0MRzrYwHwYDVR0jBBgwFoAU+o8o2baO
+IFDraC5/jXb/T0MRzrYwDQYJKoZIhvcNAQEMBQADggPBAAjgeEvyz2I/ZW81OIl2
+VsEMLuxq7GnCXabsKTklhHygjHPs1hr5/pn9fWo8pSSQGAOBFL/EnnHW+qYvzswY
+XSzIBVi2j7oUDRL2T9t3pBi0gNO9LYhAhSExocN9KStqQlxHZ5ei0QTbWCA6uArk
+lcwKhAihV7GvbPGYfRPSg95a/UXwyGAY8IffEL4J9Qn2LtyT57izErP3uPW8d3w7
+bNe2+Yqzd69Nk2CzSvIqtMSOoEFzTgvmzVoQdU9pi7zulkQYxIFmWvXxUnO2v+Jc
+exZ/CsJzCJBP8eQGY+5FUsunncnm16VS7bHoD5ZtWFcXsiM8xTt6mt7lMbjSl5px
+7N+FUPJHOpokXyX3Y/JK0KJCTcuJtyoZK81uJN6tgRaNN7GXn3Mlg0cmsG4d+Fib
+zxNAyhgtX6P0SpIfWLNBpdDWyjl6BnX4A7UtuH3eIEbYlms/kTm2ty0xJQiDrZkT
+yc9xNs+k9C8XKmPEnDK0BSObMmyEIz+lox32GS6vbNq18jLsjs+jk/1Zs72XAdNK
+AlU7+DrgbE3oulqKjTMqruuG/8WoF9s70ds1WUYwBGXzbjq6zR1xWb+vNGQ9ePpP
+KiTdJIPg0GO25MrZPVsHURsrFVTgdB5qfRj6RhDRrdMXuZ/mWMCetRd1EETzRIO0
+GgkGFHUFAWwiQDkmJYLrGB5t55Nq2JetAvwiUZuco8krUUQXcUu+sFrNjencctnX
+MHWYRERKMOB/eqhWdeTG04c94nV8BlpHAT3Iee8FfWA4zm0RxVreXICNOCPtxNXH
+aSEsgWBWw8/Zmk6VCEhuX6CernSmyqUc6PzREZRHFZD18lTRL5JxjXdm+qh8Nrxt
+puj2FaXSotGQZywm8hmqMU8hCti3m93FQDpcsgoSqiilmnLRIAWXVrSKRlXXTxKs
+Lpq3x9ZoARYbLEyxhRTdoMeU95OE64R1c6mcCcWPu53v59wYKmVMBOi4blTAXFn2
+9KEbwtgDcAdXTn6SGAOvrdibEG2GnBhTw689vJfC7Z2imGoDxwMKToCnK9tgwAwO
+/lv7oKpnA3GxzYojGZcKMGGGlfKFftZd36X/NZDmn9nmIGCqR0P04YWoX3utJOJH
+03bK11O62l9DQNEJSQ5Zjow5HMuhxTfhka4I0edjsoIekxePAR11riIHpfwLQWmF
+OybPqyC9MHzTLzSsISdZV1SDRQzCfpGbRtQSYAPF/T/hr2E2g+L+1tduQ07LICB0
++yKYtwF1rXkWwD4NvVYrk94fTCBPHK5SaMol8YlPer1ZUw==
+-----END CERTIFICATE-----
diff --git a/etc-template/kopano/ssl/openssl.cnf b/etc-template/kopano/ssl/openssl.cnf
new file mode 100644
index 0000000..4acca4b
--- /dev/null
+++ b/etc-template/kopano/ssl/openssl.cnf
@@ -0,0 +1,350 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+
+####################################################################
+[ tsa ]
+
+default_tsa = tsa_config1 # the default TSA section
+
+[ tsa_config1 ]
+
+# These are used by the TSA reply generation only.
+dir = ./demoCA # TSA root directory
+serial = $dir/tsaserial # The current serial number (mandatory)
+crypto_device = builtin # OpenSSL engine to use for signing
+signer_cert = $dir/tsacert.pem # The TSA signing certificate
+ # (optional)
+certs = $dir/cacert.pem # Certificate chain to include in reply
+ # (optional)
+signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest = sha256 # Signing digest to use. (Optional)
+default_policy = tsa_policy1 # Policy if request did not specify it
+ # (optional)
+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
+digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
+accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
+clock_precision_digits = 0 # number of digits after dot. (optional)
+ordering = yes # Is ordering defined for timestamps?
+ # (optional, default: no)
+tsa_name = yes # Must the TSA name be included in the reply?
+ # (optional, default: no)
+ess_cert_id_chain = no # Must the ESS cert id chain be included?
+ # (optional, default: no)
+ess_cert_id_alg = sha1 # algorithm to compute certificate
+ # identifier (optional, default: sha1)
diff --git a/etc-template/kopano/ssl/private/server-key-cert.pem b/etc-template/kopano/ssl/private/server-key-cert.pem
new file mode 100644
index 0000000..d8410b4
--- /dev/null
+++ b/etc-template/kopano/ssl/private/server-key-cert.pem
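Review bot: `digests = sha1, sha256, sha384, sha512` and `ess_cert_id_alg = sha1` in `[tsa_config1]` keep SHA-1 acceptable, and `default_md = default` in `[CA_default]` leaves the CA signing digest to whatever the local OpenSSL build defaults to; if this file is used to issue or renew the kopano certificates rather than being kept as the stock example, pinning `default_md = sha256` and dropping `sha1` from `digests` is the safer template. The `dir = ./demoCA` tree also does not match the `/etc/kopano/ssl/{certs,private}` layout the cfg files in this commit reference, so a header comment stating whether and how this file is used would help the next reader.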
@@ -0,0 +1,81 @@
+-----BEGIN PRIVATE KEY-----
+MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDD8D6c+I14MM0k
+1Qj7wegQ7SutYDWXSfpLSQXp9RuB3ZKyjU9c0J4wilkK00Y7gdIKZN8tMlF2rQ3F
+Uwvn9uewq5k3pe2tE4v+Oooh5F9aNttTHOeRHTkgAkvcqyHPpCV8yO0a8t7elSzx
+dY3BBkIruO/zpvouhoYWXpdGxS+ctU/XlGFyWEUQkwVCPPreiDd3EP1h8idMikiD
+i4oKAYOa/xY/YKr29mp8rXK8xYn5xTV2xn62gLK1FB2g5l/XJt9sQY+g4Y04h8V8
+gYwSLLHBIbg6CCxK6kqY6qEgSMQ9y4swQ1q4R0adlN3gai5rFLeWcFnXVL4XCjoI
+A2GKFKDro/0/i2STQVi4+Hyyh6n3yfAm6PN5WX8FiVRRCCxf+kxqHJgpM8etqNyf
+fuADs49p8hc2efsTF8weCq4V3V0OyKU87GP1pKEfbERwJwE25C+V9Vp3Yi+3G8c3
+PU89qK/xTiCKZMK7Zsgmi5ROPBBVaM31GOcjS0YnErnvBc5LqGsCAwEAAQKCAYEA
+hwpdHPJxDhUUTf5FYr4RoxjSsXtNdCeYSaraWJSFkMuU/1pFCEL/w5SWKc/S59Bh
+YqiC6DN10cUTaJwD6KtSo4Cg6KmDVXXTVjQiX5l13kdQgce6EVmCtXzfrAaGFwWa
+kJYqVBhvYhiOERxjxlT55ghf2B2M7+PnJiOrPytH1Ulg7cNmJdiQQQwS48QDYrue
+/oDHIWozi50CvSa+zIaenYSRYLzPF8ZdPfCM022R2oMAhgvn6QBqKkLi6LHd+/rd
+azKksg1Gzhq2TzJohoVsvvmJsRBJansobr40WcUNUCvg8VsCp39GEEjb9Purkwkl
+l2klq/dbvtiI011DtUyQi/zpcVaQykllm5bNTpVIm7waTz6BtaOnAGWJpIw8TtFh
+ri2VM2e1XTlQbxzohIzqk1W3vJkxXnK4uWG5XDuhcKkRmAb4sEZ6KIr3KKMsiK6g
+a9Rc+xcoVnC+N2nDUkMZHIhutgGBKX2qOqpkxRpIfXdxLEZPTjXaNR3g3ypdNtcB
+AoHBAPZH+p+d1ias+7ZzY8nTiB2bUwyXWGq0awt7mwj3cmucxqXKAd7QUnwAR8vm
+i9bNqZixKR8Y/kNC0aBwoWwROPC3AisRkHovYSF2IX+5kkvE0Q9zhNxe590e96Go
+gB+oF1OVIu/6v3G/t2wB1Q2ebrj+gQ9T5wz0u3pO0XXRe1ZT08Dse/Z2t4RyCzIL
+c/eq/PJE0cSfEvNDUVFfOFIrlzk65wxjuPt6xEma8nyCQjcwSOFc73KaZQc61qGr
+ibSDSQKBwQDLq691PN0XplkWn6kvJlx8xHbkM9Qtcm71OpdSNXCIftXJVzovJlmE
+nPNQr1do52zX2SRyyVp/majnZxduW4R/P2GnM7fMv1rcuKAWaAhXND4hvycKUB/L
+kzQXoGqIm+4tBdoO5BpAiwdovB2LC4Uq1CWxKf04FJsLgeY/zYEp149eqQb4M5ED
+U0bTIg05oONpzmjfFUCZQ3DdNRXDdfVx98Y9+uvxcR4dNV+ffg7ptx833+dANsV+
+j9njR5uMmhMCgcB3cs3BoOH+/CNRiIG7n9cC1RTgpH8DseHBPgAhxzI9s1o9is6B
+bPS0o8YuxPDKDBHXtwVEyfB4Wu4lLLt+GJRPW9O3Y9t5B4XKnur8cdrc2Oa04chs
+wbMfcieUxo7ty68UoN7DGhDEcMHbpr/YzSDSpM2fy4fipshPN+8rf6CcbCfmCEzP
+ayDzIgUADsH+O3ZXYr2C6cxdJCdKmi5M3EuKPGFXhv5vKkoNkRNPBDZtYgPXGiYg
+pXWenhD/dJ1jadECgcAb0TQiqBBuZXrvexkJZozlQZQXcPi+yE1dUwZN5Rycl+4t
+FKvOuscpNKKK15fxrQIRrQesYdHpcZw/FrZ9jSRYmNiGlKq63TvUv6alyMmy12DR
+DSGQ6AafsFhCDdffFqT+Izl4JTFstVBqvp6uWgFzKwyG2PxLx4yxkqlW94N3qohb
+XmykQ66/rIUU2ybBQzcsQVPTfDyZcjudCt4RFzBRw4yg9H97N37scFjCGN6Cj09F
+O2CDRbfNpGoW/7XAC18CgcEA3dlrXNY/zA3BMtN6HgxkrVrbIDd5BPkbfuhBTSb4
+1KJNOsynbZPQ6ADlOVWEjKvJAapyffkgOXbPMSUCX49tTO2UGU+2zE+oegKdhIgc
+OJse92htMDQTsXLBT+J5ujeqvGIoGVK7eXWJewBiaQAQE+hBqoXrusRbn0Kw8YPN
+4kLhbUn9jU5asTcL22V2Z8M/ic833VqNCYmucGUUx6j6QQgfbYM+hsQ5w4MFwrae
+O8ZUs6iTPyVgxAbBt2zFMH4I
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIHTDCCA3SgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
+ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
+Z24gUHJpdmF0ZSBTaXRlMSIwIAYDVQQLDBlJbmZvcm1hdGlvbiBTZWN1cml0eSBV
+bml0MRwwGgYDVQQDDBNCYWx1U2lnbiBTaWduaW5nIENBMB4XDTIzMDQwNzA5NTky
+NloXDTI0MDQwNjA5NTkyNlowcDESMBAGCgmSJomT8ixkARkWAmRlMRcwFQYKCZIm
+iZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNpZ24gUHJpdmF0ZSBTaXRl
+MRAwDgYDVQQLDAdJbmZvU2VjMQ8wDQYDVQQDDAZzZXJ2ZXIwggGiMA0GCSqGSIb3
+DQEBAQUAA4IBjwAwggGKAoIBgQDD8D6c+I14MM0k1Qj7wegQ7SutYDWXSfpLSQXp
+9RuB3ZKyjU9c0J4wilkK00Y7gdIKZN8tMlF2rQ3FUwvn9uewq5k3pe2tE4v+Oooh
+5F9aNttTHOeRHTkgAkvcqyHPpCV8yO0a8t7elSzxdY3BBkIruO/zpvouhoYWXpdG
+xS+ctU/XlGFyWEUQkwVCPPreiDd3EP1h8idMikiDi4oKAYOa/xY/YKr29mp8rXK8
+xYn5xTV2xn62gLK1FB2g5l/XJt9sQY+g4Y04h8V8gYwSLLHBIbg6CCxK6kqY6qEg
+SMQ9y4swQ1q4R0adlN3gai5rFLeWcFnXVL4XCjoIA2GKFKDro/0/i2STQVi4+Hyy
+h6n3yfAm6PN5WX8FiVRRCCxf+kxqHJgpM8etqNyffuADs49p8hc2efsTF8weCq4V
+3V0OyKU87GP1pKEfbERwJwE25C+V9Vp3Yi+3G8c3PU89qK/xTiCKZMK7Zsgmi5RO
+PBBVaM31GOcjS0YnErnvBc5LqGsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMCBaAw
+CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O
+BBYEFBKiISlxH+ktQIPjAMBTsxskqkKUMB8GA1UdIwQYMBaAFMqbgQQmDeVYg8OF
+AcWbU8cwV2wQMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQwFAAOCA8EA
+bUVsCWPSANeyHAtGERQxTRwwFcshva8MjrQjxuKhLcMCnVqUrLRZ9Yq7VsPlrGoq
+vc5+zDnS0WU6PkdvsOElFcfRjvo80NueWrTSreBzAAwNDlGjRxJSw/jeRnaOOgN2
+khqnQSi8w3VhlzVNwG2OrNzED0zf3Kp0oaAnaOy/55rS+xVKGydguwuCsZf3Pi3e
+h1G4GuDjCoGbAKnSQPfXavGaRrDHPuNMmiqOFkC0eEMTT9z3vsqXVWYwWMt2PRtf
+ASPauYRGpmh/ZWpfTAno4boTFIXC4xnKpQZuEBKwLUaw2/bAENhzesxe/DzjxUNK
+2O6o+2NCz9phydOWovbe4k+ybvRXCZcZ0nbdcJb8WU2lq3ceht1jxwHObLkv1bV3
+kJlxnd1pyw+wR83H+FkwCVODsvlJGbpThyRHtj3T2TCrPXqgJDHmva19r6p1YKXR
+p7v6TljZ9FFYhu4tYCtN8O/xb6mF1BN6JpzADgiGreejClST1oEQToVZu06mPanv
+mRVHuS4Em+L0KX0tV9a3WPhHP9dggxfYZ6HI258sXonnpZaKZRnYlaGyUVE6FDpF
+qBzvKFxLGM2ttbd91CzeRqDXodG8ehYp5ed8e4mEbeT2JseLaUYMskYi6TVIIWll
+YKouPCxcacyf570TPnqQog/YLkz0bZDYagOA1vtno6ViViDo541xQ4B6tVuVTLVT
+n6NglRiSGo081ntmnt6t3AkU38kPP/GX55kq5naP+ydIUC0XU2ENLXFkZIR/1+Sj
+zZt7rXDOmTR2QOb2LqlL+ucZahGNOoeFP4aP1gqgjnxzuVPakXt3pRaK1NAHO/Eb
+117r06ueKfMXBeGanADT3Zjnoj5ep6Ti49MF8TTw75pT3nilbmMuvdfwtYIbD4kV
+aDD1SP4wgnRBVavehaIVx8lN5d5py0gN/BjqqmFwqg953K2Q8/3vwZWQTfhedfa/
+YQlq4sjYpmvAQExUAMsOUiNDbuTMgi7fD/fC3Dxvb3t/QQ+IdzWxH9Ls0j805sHb
+ybc4X2zeZU3Bd6xO1ngo+6ki910Yuj/vXHlXl7RF3axdKj6ZrpysC/VGewmPtUa4
+EcgV16vxIgCyiL0ePzcn9Ni8Li/qXE6QrSfZF59kOaMk3dnXAkgx6hHA99Sa7OX7
+qgjZ/M3dTf7I4dkwy+YqHWfwstw0RByrvw4xY7expbgp0wdvhXQWc9wF1mL8usNB
+6TF4biVcOQMtVz7l3JHuZiYACFvE+/sf0GcLGI//9NxkSmL8nYOlGRxWU47rhQoz
+-----END CERTIFICATE-----
diff --git a/etc-template/kopano/ssl/private/system-key-cert.pem b/etc-template/kopano/ssl/private/system-key-cert.pem
new file mode 100644
index 0000000..229efe1
--- /dev/null
+++ b/etc-template/kopano/ssl/private/system-key-cert.pem
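Review bot: A `-----BEGIN PRIVATE KEY-----` block is committed here under `etc-template/`, which places the kopano server's TLS private key in the repository history for anyone with read access to the repo; the `system-key-cert.pem` hunk that follows does the same. Both keys should be treated as exposed and re-issued, the template should hold a placeholder or the key should be generated at deploy time, and the `ssl/private/` path should be excluded from version control. Decoding the validity field of the bundled certificate by hand, it appears to run from 2023-04-07 to 2024-04-06, a one-year leaf that expires shortly after this commit's date, so a deployment that uses the template unchanged will start failing TLS connections then. Re-issuing the key and certificate together as part of the fix addresses both points at once.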
@@ -0,0 +1,81 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQC6TbbQSfuxKR6m +B/u+MRh5OFmXFS3E89oO8hgHJ9XhLOutqSlYrU0gjSDCBURmCtpwjUYFay4N6KR2 +N/iAUlLDvJyJQgtWO6ur64/WiDzxLobjDb/11pLFWmdw26nKJz6cT8mrid/SbtS7 +gsIZgsaQGzx3evNhrbvh3/ue8gYEQamhqRaxIZXZckTgVSgydtEun+6rs99fSQVI +fd6kB+1IB1mqtBhl8m6hy5cX6+hKQbyScXlvKhQFhQpxmVHsa9+ry8l31YIcGs2p +e4q+AxzTpXmLpllmy8FIRn6J3//gGBv1QZLc3RC/sbQI0BNkRqpSSGU/tvIIp8m6 +7kdyzwIKIbASM8Ff+47A/ejVM27SJ6QsRUWShQjKY3v7953R+U9PevroGPVlAUiR +LVdSKFqaIePTgvnAZj/fEZhtdiuB3G9i274EFMIuPwsqC3YiKS10R1XlZ+g+ZWMa +aZ5FOGKFsurXggDJSxIABOWtPDNs2Tp11acszf5L5cv8blHwmjMCAwEAAQKCAYEA +rCcJyhjDQiacEpIH9uyJD+KZLrm8TGWE1xCwUVRnF6cZtKQ+95lUTsL6RS720FAx +H5X74R/0M5gI+NCpiXII1qRgBZmIvktvS/LlPDkyDy+OJxtaiYGYqFLsiOYCVDHF +ck1sLl29/Ea7vvWKBGbKsvjn/AQaB+WxWnxNl8dO9fnzFNYZiN5fCMrFiIJIHbGb +hDj3I6SXwQXJov3kkLBee5OHMO0wKmxF/K4TVWCBirSJ2syOiMFaNOuGBgjGIfBe +7/xg9wpMP786iX4mStQH8lyDhAE99GzUgT6oQfqiXOVWMX4/y0nqr3F7zJ3EisEP +zyROpZZqLCCf7ZhlpVxhZlLNz2E1omDHy5xfim/Q/oWmtOfjqlL/DNHceJekmQ/P +Qtnb6gs07hdtjKfz+YFMDpuqyc7HY2gnosQacOsWySssNhrj5Y4yKlPdY9m6IjQP +0VI9GwnKJhxXIeCzTlIzSM9izso2U15JISiaxOJ4saBBnNrkp9Eu1/fDDCAgIk7B +AoHBAOOx2PZ8TqLfc3ADk/yS0evV6K5I2isdIMcvECLhMIKfPcTmwfQCMmuTmnG/ +7n5pHTeO3g6IA4b2MhTvgrdvKPNtEwhYSBsenDN0bMC8+DJKH1wsOi/+ksTpND7i +fa7/FNM77SDpBH63Mkm/LVt/8ItkYCbHH58vb/HtFaYsIwEVrZwzlZtA8GgXJCWC +wAX8fNjXJKRn59Gaz9nEkbcsMarHqruJJ7QtGemPEwPb5wZlFyQveDbxjgyiD0QF +8GOhoQKBwQDRdqKyNeKXwDTORkXpXSxt611xHS7stGkCGEZLn8iS6RXB2goElTpz +xVA128jKqzTDBD3ySiB1R2/GmDjX/jUN8htt4y4TajBOvolUO+jStVVSPIafNqpO +IeDJEyi3DIooipeVa0EOWHpsSS9qLg2fzPe2LeuURR397RCf9eYb2JGwgnv7IQlB +QijFIxEBYIMU+xhJUdqOsSn6xc4zzkEeEhrg/AbCkpOadVDgtL+nBXmju32y8I2l +sX10jyK8U1MCgcEAqBtsdj88x592WSMrJXU4q4gY7GQ5P0+YHbcvkLD14dqz/iXo +2MCufSJTCtyLtqTgv14psEzXXdNzEmXq+oeFkoPbY3PaeLtW096HVJ2wGWEEWkcF +Bt5Lejo7KpqJ9KO7umEqJ/wiJ3QWGsCdOkrxS9jl7Htja2HYoqNKMo+voGNi9EpZ +kHCXjiJXu6IXJ9RMUMQ293MHgodsIfmxI63rVY1pDmCrAamy0e+iOF0o6l3EgiDR 
+/q7FE6qq3qwL2WNBAoHASjeD3CsVl3lF/JSPrukRlfzgRfT2LG6cCl75gVAjLFKk +H+SWyhrp9B1El2DBm3XgIv08yb2UFJn0M+S5t2Zd/Av9xgjJyZ1FcpE2bX8wtoAD +tDi35m/jFf4Q/I3qTjmGNmks3od7LI8TCY1A3JlmwGlKl+VbZFS9FLzLuDHTj6hD +rsv9C/Ufp1y+v2L2YouExolViJ0VGJwTaMRvlJGPJw15MqB58LUo0YCh4IyKn65j +9Cy5lA6B0eS6s/MHdrz7AoHAX39pf8mkBoK8HwxahCIQZG5iDZdaqIKh4+YT2coA +YPC15q5t4ZKE9kxYMBi4iiNZ9ffAUbYoRRjRus7Xv5Aq6h5zlGTANhUy0vT71HDv +jih0ZvPVJ0VMfsyeAuMl+hVaPt7tE4FBlHsK72+/EDyzt0S22E1FXi8QnP31b0Zt +GlpvOi6ybxYjzU/MQo++aMEaHHM1l9cDFrBVKaUChx/s4qmW8H3jPusiX0BEQI4+ ++TVfDYZt4VumRof/NszbiNo9 +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIHTDCCA3SgAwIBAgIBATANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk +ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp +Z24gUHJpdmF0ZSBTaXRlMSIwIAYDVQQLDBlJbmZvcm1hdGlvbiBTZWN1cml0eSBV +bml0MRwwGgYDVQQDDBNCYWx1U2lnbiBTaWduaW5nIENBMB4XDTIzMDQwNzA5NTgy +N1oXDTI0MDQwNjA5NTgyN1owcDESMBAGCgmSJomT8ixkARkWAmRlMRcwFQYKCZIm +iZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNpZ24gUHJpdmF0ZSBTaXRl +MRAwDgYDVQQLDAdJbmZvU2VjMQ8wDQYDVQQDDAZzeXN0ZW0wggGiMA0GCSqGSIb3 +DQEBAQUAA4IBjwAwggGKAoIBgQC6TbbQSfuxKR6mB/u+MRh5OFmXFS3E89oO8hgH +J9XhLOutqSlYrU0gjSDCBURmCtpwjUYFay4N6KR2N/iAUlLDvJyJQgtWO6ur64/W +iDzxLobjDb/11pLFWmdw26nKJz6cT8mrid/SbtS7gsIZgsaQGzx3evNhrbvh3/ue +8gYEQamhqRaxIZXZckTgVSgydtEun+6rs99fSQVIfd6kB+1IB1mqtBhl8m6hy5cX +6+hKQbyScXlvKhQFhQpxmVHsa9+ry8l31YIcGs2pe4q+AxzTpXmLpllmy8FIRn6J +3//gGBv1QZLc3RC/sbQI0BNkRqpSSGU/tvIIp8m67kdyzwIKIbASM8Ff+47A/ejV +M27SJ6QsRUWShQjKY3v7953R+U9PevroGPVlAUiRLVdSKFqaIePTgvnAZj/fEZht +diuB3G9i274EFMIuPwsqC3YiKS10R1XlZ+g+ZWMaaZ5FOGKFsurXggDJSxIABOWt +PDNs2Tp11acszf5L5cv8blHwmjMCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMCBaAw +CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O +BBYEFNarMOs1gZ+SF8je3HIVWc33CiU2MB8GA1UdIwQYMBaAFMqbgQQmDeVYg8OF +AcWbU8cwV2wQMBEGA1UdEQQKMAiCBnN5c3RlbTANBgkqhkiG9w0BAQwFAAOCA8EA +cI5rB8CVIJW9orWtHGGd+WjDxzljowd4lPSxkkxC1MewUOGQ6csN+e6MFKnLF6Kn +nnMMjRKms7cPL+vC4bBqNmyroYNlYzt9PEjd5Ruwy44+H895wkPZkIzUnjusQcgY 
+kd/SLQcLo53S/YYVSO/02Ma1i9rPbpN8RNSVhkvwA0rCMV85hGGoTlfZ3gLVpjR/ +zMRiFAdAhAQ4+RRFm6GtcBv8CZ7W/ctkmp/ybFyAtotCkhsIcPAjnHrBvlxxkWxf +lsB/ydCMqQWJmgO8MUmZazu3JD1ZRICLBXzIvx1z6REFx4SGArM0JxkXkgLB+8O4 +HXc8pPcxfcTx46A7Pqg5UpD7E1jcrbxcpw4+paTaRBdMSzpZhOeVA4R1yeMjmd4w +/M4ZQ89szU4Bf9cGkj9QU2op7NGPNFu/WezibxjM/TDxwfPW2MdRaXe0rv8nEdeg +tpinawr+7Adl51J76kKGXnyVMAjNV5OtjeYPGBEvcAOJQj92bD8CrEwA8qetPZBb +jeMv1CgCZuUTq1OUFy9bWiE6tHJwhrP88ZCcHtFEOmo02TyW0mQsyUQAA8/KYvVe +icFBWIj+WXPOSQDzFYi7HLR4BNH8gZlqrWdGSzbg1YaXFBB7rDMvQhZqvqJ/K0Ot +967obnQQe+kalwsRsXAWPfp7LcyHBQCVvJO//IDa5pyHVpyVk/WgOcE1QOyLnccf +gLTxcxymWAUh09WjjKKRc5IkWFkHaczyW8DxchLxjYJWk8wmwR9cTvmSuss6QeSb +a7SlcRyDPrCD2irZnpLEfPLl5BNjlCiv1AXhxGm/LXSh2h2Ynaa5MAE7fdDfl0CV +b2vZrligtpdezVAkWDB3w/DTrh3CJc0FdpLRwp7Ee53DGyVLFMCalpoPeqBpqpq5 +tAfCNoJ8pzoe5P7cYyY72cWaxMHdcqhVvSvJkYEmdqSY1pRMF6pttnRwj7Oi0XUr +W9bi5QrkqKe+SB7nK3+dPbhWTH9T5Cyo7tI8fbujIBZ1pQHprONDlMWaqECReP22 +jhMqKkNA1V4rgNehMDUODgcDYGb4Xcghp0n7Epgp/Ep9axVa/kRv3uYGzcgXYwLY ++aKu1LkAyVplg6Vb5Q+HRweA7/m3rB6afd073i/jYkjuWGVo5Cq9RQ++BRyd6dqg +/VqWcn4iZ0VeXH3O909td/Jrq29RbC2Yj1Zb4Qg5NQ2hmOkXsYCptBXJpQXcel2W +jSz2CSGkuPtPVykaiBhwcXlHJYJ3ezUDpirM1+JckO0JTblDd385esuR8XAfqe9W +-----END CERTIFICATE----- \ No newline at end of file diff --git a/etc-template/kopano/sslkeys/system-public-key.pem b/etc-template/kopano/sslkeys/system-public-key.pem new file mode 100644 index 0000000..325bad9 --- /dev/null +++ b/etc-template/kopano/sslkeys/system-public-key.pem 
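Review bot: This hunk commits an RSA private key in clear text (the `-----BEGIN PRIVATE KEY-----` block that opens etc-template/kopano/ssl/private/system-key-cert.pem, added as a regular mode-100644 file), and the private-key hunk immediately above it, which begins outside this view, does the same for a second identity; every clone of this repository now carries both keys. Treat them as compromised: regenerate the key pairs, purge the files from history, and have the entrypoint generate or mount the private halves at container start with a restrictive mode, keeping only the public certificates under version control. Decoding the visible validity fields of the certificate (the `MB4XDTIz...N1ow` run) appears to give a notAfter of 2024-04-06, roughly two months after this commit, so a rotation is due regardless.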
@@ -0,0 +1,11 @@
+-----BEGIN PUBLIC KEY-----
+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuk220En7sSkepgf7vjEY
+eThZlxUtxPPaDvIYByfV4SzrrakpWK1NII0gwgVEZgracI1GBWsuDeikdjf4gFJS
+w7yciUILVjurq+uP1og88S6G4w2/9daSxVpncNupyic+nE/Jq4nf0m7Uu4LCGYLG
+kBs8d3rzYa274d/7nvIGBEGpoakWsSGV2XJE4FUoMnbRLp/uq7PfX0kFSH3epAft
+SAdZqrQYZfJuocuXF+voSkG8knF5byoUBYUKcZlR7Gvfq8vJd9WCHBrNqXuKvgMc
+06V5i6ZZZsvBSEZ+id//4Bgb9UGS3N0Qv7G0CNATZEaqUkhlP7byCKfJuu5Hcs8C
+CiGwEjPBX/uOwP3o1TNu0iekLEVFkoUIymN7+/ed0flPT3r66Bj1ZQFIkS1XUiha
+miHj04L5wGY/3xGYbXYrgdxvYtu+BBTCLj8LKgt2IiktdEdV5WfoPmVjGmmeRThi
+hbLq14IAyUsSAATlrTwzbNk6ddWnLM3+S+XL/G5R8JozAgMBAAE=
+-----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/etc-template/kopano/statsd.cfg b/etc-template/kopano/statsd.cfg
new file mode 100644
index 0000000..26050b8
--- /dev/null
+++ b/etc-template/kopano/statsd.cfg
@@ -0,0 +1,8 @@
+# One address:port specifier for where to listen for HTTP connections.
+#statsd_listen = unix:/var/run/kopano/statsd.sock
+
+# Location for keeping RRD files
+#statsd_rrd = /var/lib/kopano/rrd
+
+#run_as_user = kopano
+#run_as_group = kopano
diff --git a/etc-template/kopano/unix.cfg b/etc-template/kopano/unix.cfg
new file mode 100644
index 0000000..b1d807f
--- /dev/null
+++ b/etc-template/kopano/unix.cfg
@@ -0,0 +1,42 @@
+##############################################################
+# UNIX USER PLUGIN SETTINGS
+#
+# Any of these directives that are required, are only required if the
+# userplugin parameter is set to unix.
+
+# Charset used in /etc/passwd for the fullname of a user. Normally this
+# is us-ascii, but this can differ according to your setup.
+# The charset specified here must be supported by your iconv(1)
+# setup. See iconv -l for all charsets.
+fullname_charset = iso-8859-15
+
+# Default email domain for constructing new users
+# Required, no default
+default_domain = kopano.com
+
+# The lowest user id that is considered a regular user
+# Optional, default = 1000
+min_user_uid = 1000
+
+# The highest user id that is considered a regular user
+# Optional, default = 10000
+max_user_uid = 10000
+
+# A list of user ids that are not considered to be regular users
+# Optional, default = empty
+# except_user_uids =
+
+# The lowest group id that is considered a regular group
+# Optional, default = 1000
+min_group_gid = 1000
+
+# The highest group id that is considered a regular group
+# Optional, default = 10000
+max_group_gid = 10000
+
+# A list of group ids that are not considered to be regular groups
+# Optional, default = empty
+# except_group_gids =
+
+# Create a user as non-active when it has this Unix shell
+non_login_shell = /sbin/nologin /bin/false
diff --git a/etc-template/kopano/webapp/.htaccess b/etc-template/kopano/webapp/.htaccess
new file mode 100644
index 0000000..a6c4a4f
--- /dev/null
+++ b/etc-template/kopano/webapp/.htaccess
@@ -0,0 +1,28 @@ +# some apache settings +Options -Indexes + +# The maximum POST limit. To upload large files, this value must be larger than upload_max_filesize. + + php_value post_max_size 31M + php_value upload_max_filesize 30M + + + + php_value post_max_size 31M + php_value upload_max_filesize 30M + + +# Deny access to config.php, config.php.dist, debug.php, debug.php.dist, defaults.php +# because they could become a security vulnerability when accessible +# Better safe then sorry + + + Deny from all + + + = 2.4> + + Require all denied + + + diff --git a/etc-template/kopano/webapp/config-contactfax.php b/etc-template/kopano/webapp/config-contactfax.php new file mode 100644 index 0000000..06f2da4 --- /dev/null +++ b/etc-template/kopano/webapp/config-contactfax.php @@ -0,0 +1,4 @@ + diff --git a/etc-template/kopano/webapp/config-gmaps.php b/etc-template/kopano/webapp/config-gmaps.php new file mode 100644 index 0000000..9f2acd1 --- /dev/null +++ b/etc-template/kopano/webapp/config-gmaps.php @@ -0,0 +1,13 @@ + diff --git a/etc-template/kopano/webapp/config-intranet.php b/etc-template/kopano/webapp/config-intranet.php new file mode 100644 index 0000000..6682ac0 --- /dev/null +++ b/etc-template/kopano/webapp/config-intranet.php @@ -0,0 +1,17 @@ +'); + +// This setting can be changed by the user in his settings. +// Here you can define the default behaviour. +define('PLUGIN_MATTERMOST_AUTOSTART', true); diff --git a/etc-template/kopano/webapp/config-meet.php b/etc-template/kopano/webapp/config-meet.php new file mode 100644 index 0000000..44dc00b --- /dev/null +++ b/etc-template/kopano/webapp/config-meet.php 
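Review bot: The container directives that scope `Deny from all` and `Require all denied` to config.php, debug.php and defaults.php are not visible in the hunk as rendered (only the `= 2.4>` tail of the version check survives), so the file pattern the deny block actually applies to cannot be verified here; please confirm it names every file the comment lists, including the `.php.dist` variants. Worth documenting in the file is that these rules only take effect when the webapp vhost grants `AllowOverride` for this directory (and, for the `Deny from all` branch on Apache 2.4, that mod_access_compat is loaded); otherwise the whole block is silently ignored and the files stay reachable. A one-line comment such as `# only effective with AllowOverride enabled for this directory in the vhost` would make that dependency explicit.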
@@ -0,0 +1,19 @@ + + * + *******************************************************************************/ + +// This file contains the configuration options of the Meet plugin + +// This disables the plugin by default +define('PLUGIN_MEET_USER_DEFAULT_ENABLE', false); + +// The URL of the Meet PWA +//define('PLUGIN_MEET_MEET_URL', 'https://'); + +// The URL of the Meet join flow +//define('PLUGIN_MEET_MEET_JOIN_URL' '/meet/r/join/group/'); diff --git a/etc-template/kopano/webapp/config-pimfolder.php b/etc-template/kopano/webapp/config-pimfolder.php new file mode 100644 index 0000000..261104f --- /dev/null +++ b/etc-template/kopano/webapp/config-pimfolder.php @@ -0,0 +1,4 @@ + diff --git a/etc-template/kopano/webapp/config-threema4deskapp.php b/etc-template/kopano/webapp/config-threema4deskapp.php new file mode 100644 index 0000000..4bd35a7 --- /dev/null +++ b/etc-template/kopano/webapp/config-threema4deskapp.php 
@@ -0,0 +1,6 @@ + 'pink', + // 'displayName' => _('Pink'), + // 'base' => '#ff0099' + // ) + // ))); + + // Additional categories can be added by uncommenting and editing the following define. + // The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php + // To change the default categories, DEFAULT_CATEGORIES can also be defined here. + // Note: Every category should have a unique name, because it is used to identify the category + // define("ADDITIONAL_CATEGORIES", json_encode(array( + // array( + // 'name' => _('Family'), + // 'color' => '#000000', + // 'quickAccess' => true, + // 'sortIndex' => 10 + // ) + // ))); + + // Additional Prefix for the Contact name can be added by uncommenting and editing the following define. + // define("CONTACT_PREFIX", json_encode(array( + // array(_('Er.')), + // array(_('Gr.')) + // ))); + + // Additional Suffix for the Contact name can be added by uncommenting and editing the following define. + // define("CONTACT_SUFFIX", json_encode(array( + // array(_('A')), + // array(_('B')) + // ))); + + // Define the polling interval in minutes for unread mail in shared stores. + define("SHARED_STORE_POLLING_INTERVAL", 15); + + // Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds + // defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero + // disables this feature. + define("PREFETCH_EMAIL_COUNT", 10); + + // Define the interval between loading of new emails in the background. + define("PREFETCH_EMAIL_INTERVAL", 30); + + /**************************************\ + * Memory usage and timeouts * + \**************************************/ + + // This sets the maximum time in seconds that is allowed to run before it is terminated by the parser. 
+ ini_set("max_execution_time", 300); // 5 minutes + + // BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write + define("BLOCK_SIZE", 1048576); + + // Time that static files may exist in the client's cache (13 weeks) + define("EXPIRES_TIME", 60*60*24*7*13); + + // Time that the state files are allowed to survive (in seconds) + // For filesystems on which relatime is used, this value should be larger then the relatime_interval + // for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to + // 24 hours. + define("STATE_FILE_MAX_LIFETIME", 28*60*60); + + // Time that attachments are allowed to survive (in seconds) + define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60); + + /********************************************************************************** + * Logging settings + * + * Possible LOG_USER_LEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + * + **************************************************************************************/ + define("LOG_USER_LEVEL", LOGLEVEL_INFO); + + // To save e.g. user activity data only for selected users, provide the username followed by semicolon. 
+ // The data will be saved into a dedicated file per user in the LOG_FILE_DIR + // Users have to be encapsulated in quotes, several users are semicolon separated, like: + // define('LOG_USERS', 'user1;user2;user3'); + define("LOG_USERS", ""); + + // Location of the log directory + // e.g /var/log/webapp-userslog/users/ + // The directory will be created when it does not exist. + // Webserver user should have permissions to write in this folder + define("LOG_FILE_DIR", ""); + + /**************************************\ + * Languages * + \**************************************/ + + // Location to the translations + define("LANGUAGE_DIR", "server/language/"); + + // Defines the default interface language. This can be overridden by the user. + if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") { + define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language. + } else { + define('LANG', 'en_US.UTF-8'); // default fallback language + } + + // List of languages that should be enabled in the logon + // screen's language drop down. Languages should be specified + // using _[.UTF-8], and separated with + // semicolon. A list of available languages can be found in + // the manual or by looking at the list of directories in + // /usr/share/kopano-webapp/server/language . + define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_CN"); + + // Defines the default time zone + if (!ini_get('date.timezone')) { + date_default_timezone_set('Europe/Berlin'); + } + + /**************************************\ + * Powerpaste * + \**************************************/ + + // Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions + // for more details. 
+ define("POWERPASTE_WORD_IMPORT", "merge"); + define("POWERPASTE_HTML_IMPORT", "merge"); + define("POWERPASTE_ALLOW_LOCAL_IMAGES", true); + + /**************************************\ + * Debugging * + \**************************************/ + + // Do not log errors into stdout, since this generates faulty JSON responses. + ini_set("display_errors", false); + + ini_set("log_errors", true); + error_reporting(E_ERROR); + + // Log successful logins + define("LOG_SUCCESSFUL_LOGINS", false); + + if (file_exists('debug.php')) { + include_once('debug.php'); + } else { + // define empty dump function in case we still use it somewhere + function dump(){} + } +?> diff --git a/etc-template/postfix/main.cf b/etc-template/postfix/main.cf new file mode 100644 index 0000000..4bb165d --- /dev/null +++ b/etc-template/postfix/main.cf 
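Review bot: The hunk's last line is a closing `?>` tag; because this file is included by the webapp's entry points, any whitespace after that tag is sent as output, which is exactly the "faulty JSON responses" the `display_errors` comment warns about, so the file should end right after the `dump()` fallback with no `?>`. Note also that the hunk is labelled config-threema4deskapp.php with a `+1,6` header while its content reads as the main webapp config.php, so the file boundary in this rendering is uncertain and the point applies to whichever file holds these lines. From an operations standpoint, `define("LOG_SUCCESSFUL_LOGINS", false);` leaves no login audit trail for incident review; enabling it, or adding a comment stating why it is off, would help. Finally, `include_once('debug.php')` resolves against the include path and the running script's directory rather than this file's, so a comment noting where debug.php is expected to live would avoid surprises.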
@@ -0,0 +1,64 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+# maillog_file = /dev/stdout
+# maillog_file=/var/log/postfix.log
+# maillog_file_permissions=0644
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
+compatibility_level = 2
+
+# local domains
+myhostname = nuc0.zntrl.de
+mydestination = $myhostname, localhost.$mydomain, localhost
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = $mydomain
+# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+# trusts all hosts in the kopano docker network
+mynetworks_style = subnet
+
+# virtual domains
+virtual_mailbox_domains = zntrl.de ads64.de
+virtual_mailbox_maps = hash:/etc/postfix/vmailbox
+virtual_alias_maps = hash:/etc/postfix/virtual
+# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
+virtual_transport = lmtp:dagent:2003
+lmtp_tls_loglevel = 1
+
+# default outbound transport for all domains, use one relay for all domains
+# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
+default_transport = smtp:[relay.zntrl.de]:465
+
+# SMTPD (inbound) TLS parameters
+smtpd_tls_CApath = /etc/ssl/certs
+smtpd_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
+smtpd_tls_key_file = /etc/ssl/private/zntrl.key
+smtpd_tls_cert_file = /etc/ssl/zntrl.crt
+smtpd_tls_security_level = may
+smtpd_tls_loglevel = 1
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+
+# SMTP (outbound)
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
+smtp_tls_key_file = /etc/ssl/private/zntrl.key
+smtp_tls_cert_file = /etc/ssl/zntrl.crt
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_wrappermode = yes
+smtp_tls_security_level = encrypt
+smtp_tls_loglevel = 1
+
+mailbox_size_limit = 0
+message_size_limit = 50000000
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
diff --git a/etc-template/postfix/master.cf b/etc-template/postfix/master.cf
new file mode 100644
index 0000000..17ecf60
--- /dev/null
+++ b/etc-template/postfix/master.cf
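Review bot: `smtp_tls_security_level = encrypt` on the outbound path mandates TLS to `[relay.zntrl.de]:465` but does not verify the relay's certificate, so the comment's claim that the container "authenticates to relay.zntrl.de" covers only the client side; a host impersonating the relay (via DNS or routing) would be accepted and would receive all outbound mail. With `smtp_tls_CApath`/`smtp_tls_CAfile` already set and the nexthop written in `[...]` form, `smtp_tls_security_level = secure` would make Postfix check the relay's chain and name. Separately, `mynetworks_style = subnet` together with `permit_mynetworks` in `smtpd_relay_restrictions` lets every host on the container's subnets relay without authentication; if that Docker network is shared with other services, an explicit `mynetworks = ` list of the Kopano containers would be tighter.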
@@ -0,0 +1,84 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+ -o content_filter=scan:kopano-spampd-1:10025
+ -o receive_override_options=no_address_mappings
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#smtps inet n - y - - smtpd
+# -o syslog_name=postfix/smtps
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# Proxy receiver, see https://cwiki.apache.org/confluence/display/spamassassin/IntegratePostfixViaSpampd
+#
+10026 inet n - n - 10 smtpd
+ -o content_filter=
+ -o myhostname=mta.zntrl.de
+ -o mynetworks=127.0.0.0/8
+ -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+ -o smtpd_tls_security_level=none
+ -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
+ -o smtpd_helo_restrictions=
+ -o smtpd_client_restrictions=
+ -o smtpd_sender_restrictions=
+ -o smtpd_relay_restrictions=
+ -o smtpd_recipient_restrictions=permit_mynetworks,reject
diff --git a/etc-template/postfix/virtual b/etc-template/postfix/virtual
new file mode 100644
index 0000000..1734f7f
--- /dev/null
+++ b/etc-template/postfix/virtual
@@ -0,0 +1,3 @@
+postmaster@zntrl.de postmaster
+abuse@zntrl.de postmaster
+
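Review bot: The re-injection listener `10026 inet n - n - 10 smtpd` has no address prefix, so with `inet_interfaces = all` in main.cf it listens on every container interface, yet its `-o mynetworks=127.0.0.0/8` and `-o smtpd_recipient_restrictions=permit_mynetworks,reject` only admit loopback clients, while the `smtp inet` service hands mail to a separate container, `kopano-spampd-1:10025`; unless that container re-injects through a loopback path not visible here, its returning traffic would arrive from the Docker subnet and be rejected. Either bind the service as `127.0.0.1:10026` and route the filter via loopback, or set `-o mynetworks=` on that service to the spampd container's address only, so that this no-restrictions, `smtpd_tls_security_level=none` path stays reachable from exactly one peer. The referenced spampd wiki page appears to assume the loopback layout, which is worth stating in the comment block above the service.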
diff --git a/etc-template/postfix/virtual.db b/etc-template/postfix/virtual.db new file mode 100644 index 0000000000000000000000000000000000000000..b82c97ab0eb18343d2ec273666a84b962c13147e GIT binary patch literal 12288 zcmeI&%?ScA5QgDz7xCwy5yZO{Sc8=aD+WCH$L@+?50>P~0>mCHzy<^}xZ>(wL_EHM zB*SEw!*iWTQWUnWq+eIdf^OJN3#9mQy`2Yjq+2NIZ3m6w#dznz%{UKofU!fy`00IagfB*srAb{Uh=EA&`_*~g$*#zU$m8Mu^Ut!c z9P2!BaX;i(U7j7svG#Z;5g!O3fB*srAbcU)#N}n>Z7Ru0R!x@0!kyaLg)56}oLXtknk+Z2nTfw2 z>;LvS|3I!n{r{#f`lJtft2cVBVWe)qIscD$2sr<*$p{cY009ILKmY**5I_I{1Q2Ko nG==&y_vN|qr7fCbee0}A{n4~r9AEw=76E-kF_vwG7f4l_~- literal 0 HcmV?d00001 diff --git a/etc-template/z-push/autodiscover.conf.php b/etc-template/z-push/autodiscover.conf.php new file mode 100644 index 0000000..3bd1540 --- /dev/null +++ b/etc-template/z-push/autodiscover.conf.php 
@@ -0,0 +1,88 @@ +. +* +* Consult LICENSE file for details +************************************************/ + +/********************************************************************************** + * Default settings + */ + + // Replace zpush.example.com with your z-push's host name and uncomment the line below. + define('ZPUSH_HOST', 'zntrl.de'); + + // Defines the default time zone, change e.g. to "Europe/London" if necessary + define('TIMEZONE', 'Europe/Berlin'); + + // Defines the base path on the server + define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); + + /* + * Whether to use the complete email address as a login name + * (e.g. user@company.com) or the username only (user). + * Possible values: + * false - use the username only (default). + * true - use the complete email address. + */ + define('USE_FULLEMAIL_FOR_LOGIN', false); + +/********************************************************************************** + * Logging settings + * Possible LOGLEVEL and LOGUSERLEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device + * LOGLEVEL_DEVICEID - also prints the device id for every log entry + * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + */ + + define('LOGBACKEND', 'filelog'); + + define('LOGFILEDIR', '/var/log/z-push/'); + define('LOGFILE', LOGFILEDIR . 
'autodiscover.log'); + define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log'); + define('LOGLEVEL', LOGLEVEL_WBXML); + define('LOGUSERLEVEL', LOGLEVEL); + $specialLogUsers = array(); + + // Syslog settings + // false will log to local syslog, otherwise put the remote syslog IP here + define('LOG_SYSLOG_HOST', false); + // Syslog port + define('LOG_SYSLOG_PORT', 514); + // Program showed in the syslog. Useful if you have more than one instance login to the same syslog + define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover'); + // Syslog facility - use LOG_USER when running on Windows + define('LOG_SYSLOG_FACILITY', LOG_LOCAL0); +/********************************************************************************** + * Backend settings + */ + // the backend data provider + define('BACKEND_PROVIDER', ''); diff --git a/etc-template/z-push/autodiscover.conf.php.dist b/etc-template/z-push/autodiscover.conf.php.dist new file mode 100644 index 0000000..4075594 --- /dev/null +++ b/etc-template/z-push/autodiscover.conf.php.dist 
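Review bot: `define('LOGLEVEL', LOGLEVEL_WBXML);` ships the deployed autodiscover config at a debug level that, per the comment block above it, also writes the WBXML request and response bodies exchanged with devices into `/var/log/z-push/autodiscover.log`; the `.dist` copy in the next hunk uses `LOGLEVEL_INFO`, and that is the level this file should return to once the current debugging is finished, since those dumps capture per-user account data for every autodiscover attempt. If the verbose level is intentional, a comment saying so (and when it was raised) would keep it from surviving into the next deployment unnoticed. The log directory itself should be documented as sensitive for the same reason.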
@@ -0,0 +1,88 @@ +. +* +* Consult LICENSE file for details +************************************************/ + +/********************************************************************************** + * Default settings + */ + + // Replace zpush.example.com with your z-push's host name and uncomment the line below. + // define('ZPUSH_HOST', 'zpush.example.com'); + + // Defines the default time zone, change e.g. to "Europe/London" if necessary + define('TIMEZONE', ''); + + // Defines the base path on the server + define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); + + /* + * Whether to use the complete email address as a login name + * (e.g. user@company.com) or the username only (user). + * Possible values: + * false - use the username only (default). + * true - use the complete email address. + */ + define('USE_FULLEMAIL_FOR_LOGIN', false); + +/********************************************************************************** + * Logging settings + * Possible LOGLEVEL and LOGUSERLEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device + * LOGLEVEL_DEVICEID - also prints the device id for every log entry + * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + */ + + define('LOGBACKEND', 'filelog'); + + define('LOGFILEDIR', '/var/log/z-push/'); + define('LOGFILE', LOGFILEDIR . 
'autodiscover.log'); + define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log'); + define('LOGLEVEL', LOGLEVEL_INFO); + define('LOGUSERLEVEL', LOGLEVEL); + $specialLogUsers = array(); + + // Syslog settings + // false will log to local syslog, otherwise put the remote syslog IP here + define('LOG_SYSLOG_HOST', false); + // Syslog port + define('LOG_SYSLOG_PORT', 514); + // Program showed in the syslog. Useful if you have more than one instance login to the same syslog + define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover'); + // Syslog facility - use LOG_USER when running on Windows + define('LOG_SYSLOG_FACILITY', LOG_LOCAL0); +/********************************************************************************** + * Backend settings + */ + // the backend data provider + define('BACKEND_PROVIDER', ''); diff --git a/etc-template/z-push/gabsync.conf.php b/etc-template/z-push/gabsync.conf.php new file mode 100644 index 0000000..5993ef4 --- /dev/null +++ b/etc-template/z-push/gabsync.conf.php 
@@ -0,0 +1,86 @@
+.
+*
+* Consult LICENSE file for details
+* ************************************************/
+
+// The field to be hashed that is unique and never changes
+// in the entire lifetime of the GAB entry.
+define('HASHFIELD', 'account');
+define('AMOUNT_OF_CHUNKS', 10);
+
+// SyncWorker implementation to be used
+define('SYNCWORKER', 'Kopano');
+
+// Unique id to find a contact from the GAB (value to be supplied by -u on the command line)
+// Zarafa supports: 'account' and 'smtpAddress' (email)
+define('UNIQUEID', 'smtpAddress');
+
+// Server connection settings
+// Depending on your setup, it might be advisable to change the lines below to one defined with your
+// default socket location.
+// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
+// Examples: define("SERVER", "default:");
+// define("SERVER", "http://localhost:236/kopano");
+// define("SERVER", "https://localhost:237/kopano");
+// define("SERVER", "file:///var/run/kopano/server.sock");
+// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
+// define("SERVER", "http://localhost:236/zarafa");
+// define("SERVER", "https://localhost:237/zarafa");
+// define("SERVER", "file:///var/run/zarafad/server.sock");
+// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
+// define("SERVER", "file:///var/run/zarafa");
+
+define('SERVER', 'http://server:236/kopano');
+
+define('USERNAME', 'SYSTEM');
+define('PASSWORD', '');
+define('CERTIFICATE', null);
+define('CERTIFICATE_PASSWORD', null);
+
+// Store where the hidden folder is located.
+// For the public folder, use SYSTEM
+// to use another store, use the same as USERNAME
+// or another store where USERNAME has full access to.
+define('HIDDEN_FOLDERSTORE', 'SYSTEM');
+
+/// Do not change (unless you know exactly what you do)
+define('HIDDEN_FOLDERNAME', 'Z-Push-KOE-GAB');
+
+// Types of the objects to sync to GAB.
+define('GAB_SYNC_USER', 1);
+define('GAB_SYNC_CONTACT', 2);
+define('GAB_SYNC_GROUP', 4);
+define('GAB_SYNC_ROOM', 8);
+define('GAB_SYNC_EQUIPMENT', 16);
+
+define('GAB_SYNC_ALL', GAB_SYNC_USER | GAB_SYNC_CONTACT | GAB_SYNC_GROUP | GAB_SYNC_ROOM | GAB_SYNC_EQUIPMENT);
+
+// Set which items from GAB should be synced.
+// Default value is GAB_SYNC_ALL which syncs all items.
+// In order to sync only some specific types combine them with "|", e.g.
+// to sync only users and groups use:
+// define('GAB_SYNC_TYPES', GAB_SYNC_USER | GAB_SYNC_CONTACT);
+// In order to exclude specific types combine "& ~TYPE", e.g.
+// to sync all types except rooms and equipments use:
+// define('GAB_SYNC_TYPES', GAB_SYNC_ALL & ~GAB_SYNC_ROOM & ~GAB_SYNC_EQUIPMENT);
+define('GAB_SYNC_TYPES', GAB_SYNC_ALL);
diff --git a/etc-template/z-push/kopano.conf.php b/etc-template/z-push/kopano.conf.php
new file mode 100644
index 0000000..9a76a96
--- /dev/null
+++ b/etc-template/z-push/kopano.conf.php
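Review bot: `define('SERVER', 'http://server:236/kopano');` together with `USERNAME` = `SYSTEM`, an empty `PASSWORD` and `CERTIFICATE` = null means the GAB sync logs in as the Kopano system account over plain HTTP with no client credential in this file at all; whether that login is accepted depends on the server trusting the source host, which is not visible here, and the address-book data crosses the Docker network unencrypted either way. The same patch adds `ssl/private/system-key-cert.pem` and `sslkeys/system-public-key.pem`, which look like the material for a certificate-authenticated `https://server:237/kopano` login — if that is the intent, `SERVER`, `CERTIFICATE` and `CERTIFICATE_PASSWORD` should point at it. A comment next to `SERVER` stating which trust path (SSL client certificate vs. server-side host trust) is relied on would make the choice auditable.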
@@ -0,0 +1,83 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+// ************************
+// BackendKopano settings
+// ************************
+
+// Defines the server to which we want to connect.
+//
+// Depending on your setup, it might be advisable to change the lines below to one defined with your
+// default socket location.
+// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
+// Examples: define("MAPI_SERVER", "default:");
+// define("MAPI_SERVER", "http://localhost:236/kopano");
+// define("MAPI_SERVER", "https://localhost:237/kopano");
+// define("MAPI_SERVER", "file:///var/run/kopano/server.sock");
+// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
+// define("MAPI_SERVER", "http://localhost:236/zarafa");
+// define("MAPI_SERVER", "https://localhost:237/zarafa");
+// define("MAPI_SERVER", "file:///var/run/zarafad/server.sock");
+// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
+// define("MAPI_SERVER", "file:///var/run/zarafa");
+
+define('MAPI_SERVER', 'http://$DCKR_SERVER:236/kopano');
+
+// Read-Only shared folders
+// When trying to write a change on a read-only folder this data is dropped and replaced on the device of the user.
+// Enabling the option below, sends an email to the user notifying that this happened (default enabled).
+// If this is disabled, the data will be dropped silently and will be lost.
+// The template of the email sent can be customized here. The placeholders can also be used in the subject.
+define('READ_ONLY_NOTIFY_LOST_DATA', true); +// String to mark the data changed by the user (that he is trying to save) +define('READ_ONLY_NOTIFY_YOURDATA', 'Your data'); +// Email template to be sent to the user +define('READ_ONLY_NOTIFY_SUBJECT', "Z-Push: Writing operation not permitted - data reset"); +define('READ_ONLY_NOTIFY_BODY', <<0 - Store the minimum number of previously used passwords. +devpwhistory = 0 + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Policies for ActiveSync version 12.1 and higher +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; The device allows to use a storage card. +; 0 - SD card not allowed. +; 1 - SD card allowed. +allowstoragecard = 1 + +; The device allows to use the built-in camera. +; 0 - Usage of the built-in camera not allowed. +; 1 - Usage of built-in the camera allowed. +allowcam = 1 + +; Specifies if the client uses encryption. +; 0 - Encryption not required. +; 1 - Encryption required. +reqdevenc = 0 + +; Specifies if the device allows unsigned applications to execute. +; 0 - Unsigned applications not allowed to execute. +; 1 - Unsigned applications allowed to execute. +allowunsignedapps = 1 + +; The required complexity level of the device password. +; Valid values for mindevcomplexchars are between 1 and 4. The value specifies +; the number of character groups to be contained in the password. +; The character groups are: +; - Lower case alphabetical characters +; - Upper case alphabetical characters +; - Numbers +; - Non-alphanumeric characters +; For example, if the value of mindevcomplexchars is 2, a password may contain +; lower case and upper case characters. A password with numbers and non-alphanumeric +; characters would be also valid. +mindevcomplexchars = 3 + +; The device allows the use of Wi-Fi connections. +; 0 - The use of Wi-Fi connections not allowed. +; 1 - The use of Wi-Fi connections allowed. +allowwifi = 1 + +; The device allows the use of SMS or text messaging. 
+; 0 - SMS or text messaging not allowed.
+; 1 - SMS or text messaging allowed.
+allowtextmessaging = 1
+
+; The device allows access to POP or IMAP email.
+; 0 - POP or IMAP email access not allowed.
+; 1 - POP or IMAP email access allowed.
+allowpopimapemail = 1
+
+; The use of Bluetooth on the device.
+; 0 - Disable Bluetooth.
+; 1 - Disable Bluetooth, but allow the configuration of hands-free profiles.
+; 2 - Allow Bluetooth.
+allowbluetooth = 2
+
+; The device allows the use of IrDA (infrared) connections.
+; 0 - Disable IrDA.
+; 1 - Allow IrDA.
+allowirda = 1
+
+; The device requires manual synchronization when the device is roaming.
+; 0 - Do not require manual sync; allow direct push when roaming.
+; 1 - Require manual sync when roaming.
+reqmansyncroam = 0
+
+; The maximum number of calendar days that can be synchronized.
+; 0 - All days
+; 4 - 2 weeks
+; 5 - 1 month
+; 6 - 3 months
+; 7 - 6 months
+maxcalagefilter = 0
+
+; Specifies if the client uses HTML-formatted email.
+; 0 - HTML-formatted email not allowed.
+; 1 - HTML-formatted email allowed.
+allowhtmlemail = 1
+
+; The email age limit for synchronization.
+; 0 - Sync all
+; 1 - 1 day
+; 2 - 3 days
+; 3 - 1 week
+; 4 - 2 weeks
+; 5 - 1 month
+maxemailagefilter = 0
+
+; The maximum truncation size for plain text–formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailbodytruncsize = -1
+
+; The maximum truncation size for HTML-formatted email.
+; -1 - No truncation.
+; 0 - Truncate only the header.
+; >0 - Truncate the email body to the specified size.
+maxemailhtmlbodytruncsize = -1
+
+; Specifies if the client sends signed S/MIME messages.
+; 0 - Signed S/MIME messages not required.
+; 1 - Signed S/MIME messages required.
+reqsignedsmimemessages = 0
+
+; Specifies if the client sends encrypted email messages.
+; 0 - Encrypted email messages not required.
+; 1 - Email messages required to be encrypted.
+reqencsmimemessages = 0
+
+; The algorithm used to sign S/MIME messages.
+; 0 - Use SHA1.
+; 1 - Use MD5.
+reqsignedsmimealgorithm = 0
+
+; The algorithm used to encrypt S/MIME messages.
+; 0 - TripleDES algorithm
+; 1 - DES algorithm
+; 2 - RC2128bit
+; 3 - RC264bit
+; 4 - RC240bit
+reqencsmimealgorithm = 0
+
+; Controls negotiation of the encryption algorithm.
+; 0 - Do not negotiate.
+; 1 - Negotiate a strong algorithm.
+; 2 - Negotiate any algorithm.
+allowsmimeencalgneg = 2
+
+; Specifies if the client can use soft certificates to sign outgoing messages.
+; 0 - Soft certificates are not allowed.
+; 1 - Soft certificates are allowed.
+allowsmimesoftcerts = 1
+
+; Specifies if the device allows the use of a web browser.
+; 0 - Do not allow the use of a web browser.
+; 1 - Allow the use of a web browser.
+allowbrowser = 1
+
+; Specifies if the device allows the user to configure a personal email account.
+; 0 - Do not allow the user to configure a personal email account.
+; 1 - Allow the user to configure a personal email account.
+allowconsumeremail = 1
+
+; Specifies if the device allows the use of Internet Sharing.
+; 0 - Do not allow the use of Internet Sharing.
+; 1 - Allow the use of Internet Sharing.
+allowinternetsharing = 1
\ No newline at end of file
diff --git a/etc-template/z-push/z-push.conf.php b/etc-template/z-push/z-push.conf.php
new file mode 100644
index 0000000..0aed8cf
--- /dev/null
+++ b/etc-template/z-push/z-push.conf.php
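Review bot: `define('MAPI_SERVER', 'http://$DCKR_SERVER:236/kopano');` is a single-quoted PHP string, so `$DCKR_SERVER` is never interpolated by PHP; it is presumably replaced by a template substitution step before Z-Push reads the file (the path is under etc-template), and if that step does not run Z-Push will try to connect to a host literally named `$DCKR_SERVER`. A comment on the line would make the dependency visible, e.g. `// $DCKR_SERVER is a template placeholder replaced at container start, not a PHP variable`. The `READ_ONLY_NOTIFY_BODY` heredoc and the diff header of the following policies.ini are garbled in this chunk, so that stretch cannot be reviewed here. In the policies.ini part, `reqdevenc = 0` next to `allowstoragecard = 1` lets synchronized mail be stored on unencrypted removable media; if this template is meant as a hardened baseline rather than a copy of the upstream defaults, `reqdevenc = 1` is the value to revisit.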
@@ -0,0 +1,373 @@
+.
+*
+* Consult LICENSE file for details
+************************************************/
+
+/**********************************************************************************
+ * Default settings
+ */
+ // Defines the default time zone, change e.g. to "Europe/London" if necessary
+ define('TIMEZONE', 'Europe/Berlin');
+
+ // Defines the base path on the server
+ define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
+
+ // Try to set unlimited timeout
+ define('SCRIPT_TIMEOUT', 0);
+
+ // When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
+ define('USE_CUSTOM_REMOTE_IP_HEADER', false);
+
+ // When using client certificates, we can check if the login sent matches the owner of the certificate.
+ // This setting specifies the owner parameter in the certificate to look at.
+ define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
+
+ /*
+ * Whether to use the complete email address as a login name
+ * (e.g. user@company.com) or the username only (user).
+ * This is required for Z-Push to work properly after autodiscover.
+ * Possible values:
+ * false - use the username only.
+ * true - string the mobile sends as username, e.g. full email address (default).
+ */
+ define('USE_FULLEMAIL_FOR_LOGIN', true);
+
+/**********************************************************************************
+ * StateMachine setting
+ *
+ * These StateMachines can be used:
+ * FILE - FileStateMachine (default). Needs STATE_DIR set as well.
+ * SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored.
+ * State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
+ */
+ define('STATE_MACHINE', 'FILE');
+ define('STATE_DIR', '/var/lib/z-push/');
+
+/**********************************************************************************
+ * IPC - InterProcessCommunication
+ *
+ * Is either provided by using shared memory on a single host or
+ * using the memcache provider for multi-host environments.
+ * When another implementation should be used, the class can be set here explicitly.
+ * If empty Z-Push will try to use available providers.
+ */
+ define('IPC_PROVIDER', '');
+
+/**********************************************************************************
+ * Logging settings
+ *
+ * The LOGBACKEND specifies where the logs are sent to.
+ * Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
+ * filelog and syslog have several options that can be set below.
+ * For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
+ * Possible LOGLEVEL and LOGUSERLEVEL values are:
+ * LOGLEVEL_OFF - no logging
+ * LOGLEVEL_FATAL - log only critical errors
+ * LOGLEVEL_ERROR - logs events which might require corrective actions
+ * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
+ * LOGLEVEL_INFO - usually completed actions
+ * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
+ * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
+ * LOGLEVEL_DEVICEID - also prints the device id for every log entry
+ * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
+ *
+ * The verbosity increases from top to bottom. More verbose levels include less verbose
+ * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
+ * LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
+ *
+ * LOGAUTHFAIL is logged to the LOGBACKEND.
+ */
+ define('LOGBACKEND', 'filelog');
+ define('LOGLEVEL', LOGLEVEL_INFO);
+ define('LOGAUTHFAIL', false);
+
+ // To save e.g. WBXML data only for selected users, add the usernames to the array
+ // The data will be saved into a dedicated file per user in the LOGFILEDIR
+ // Users have to be encapusulated in quotes, several users are comma separated, like:
+ // $specialLogUsers = array('info@domain.com', 'myusername');
+ define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
+ $specialLogUsers = array('andreas',);
+
+ // Filelog settings
+ define('LOGFILEDIR', '/var/log/z-push/');
+ define('LOGFILE', LOGFILEDIR . 'z-push.log');
+ define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
+
+ // Syslog settings
+ // false will log to local syslog, otherwise put the remote syslog IP here
+ define('LOG_SYSLOG_HOST', false);
+ // Syslog port
+ define('LOG_SYSLOG_PORT', 514);
+ // Program showed in the syslog. Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // The file containing the policies' settings.
+ // Set a full path or relative to the z-push main directory
+ define('PROVISIONING_POLICYFILE', 'policies.ini');
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTCOMPANY);
+
+ // Maximum amount of items to be synchronized per request.
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest provided value, either set here or by the mobile.
+ // MS Outlook 2013+ request up to 512 items to accelerate the sync process.
+ // If you detect high load (also on subsystems) you could try a lower setting.
+ // max: 512 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 512);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.z-hub.io/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 5242880 - 5 MB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
+
+ // Over the WebserviceUsers command it is possible to retrieve a list of all
+ // known devices and users on this Z-Push system. The authenticated user needs to have
+ // admin rights and a public folder must exist.
+ // In multicompany environments this enable an admin user of any company to retrieve
+ // this full list, so this feature is disabled by default. Enable with care.
+ define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
+
+ // Users with many folders can use the 'partial foldersync' feature, where the server
+ // actively stops processing the folder list if it takes too long. Other requests are
+ // then redirected to the FolderSync to synchronize the remaining items.
+ // Device compatibility for this procedure is not fully understood.
+ // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
+ define('USE_PARTIAL_FOLDERSYNC', false);
+
+ // The minimum accepted time in second that a ping command should last.
+ // It is strongly advised to keep this config to false. Some device
+ might not be able to send a higher value than the one specificied here and thus
+ unable to start a push connection.
+ // If set to false, there will be no lower bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_LOWER_BOUND_LIFETIME', false);
+
+ // The maximum accepted time in second that a ping command should last.
+ // If set to false, there will be no higher bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_HIGHER_BOUND_LIFETIME', false);
+
+ // Maximum response time
+ // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
+ // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
+ // the answer will not be recieved and the device will send a new one overloading the server.
+ // There are three categories
+ // - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
+ // - Medium timeout - server has up to 90 seconds to respond
+ // - Long timeout - server has up to 4 minutes to respond
+ // If a timeout is almost reached the server will break and sent the results it has until this
+ // point. You can add DeviceType strings to the categories.
+ // In general longer timeouts are better, because more data can be streamed at once.
+ define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
+ define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
+
+ // Time in seconds the device should wait whenever the service is unavailable,
+ // e.g. when a backend service is unavailable.
+ // Z-Push sends a "Retry-After" header in the response with the here defined value.
+ // It is up to the device to respect or not this directive so even if this option is set,
+ // the device might not wait requested time frame.
+ // Number of seconds before retry, to disable set to: false
+ define('RETRY_AFTER_DELAY', 300);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // the backend data provider
+ define('BACKEND_PROVIDER', '');
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+/**********************************************************************************
+ * Kopano Outlook Extension - Settings
+ *
+ * The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
+ * functionality not provided by ActiveSync or not implemented by Outlook.
+ * For more information, see: https://wiki.z-hub.io/x/z4Aa
+ */
+ // Global Address Book functionality
+ define('KOE_CAPABILITY_GAB', true);
+ // Synchronize mail flags from the server to Outlook/KOE
+ define('KOE_CAPABILITY_RECEIVEFLAGS', true);
+ // Encode flags when sending from Outlook/KOE
+ define('KOE_CAPABILITY_SENDFLAGS', true);
+ // Out-of-office support
+ define('KOE_CAPABILITY_OOF', true);
+ // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
+ define('KOE_CAPABILITY_OOFTIMES', true);
+ // Notes support
+ define('KOE_CAPABILITY_NOTES', true);
+ // Shared folder support
+ define('KOE_CAPABILITY_SHAREDFOLDER', true);
+ // Send-As support for Outlook/KOE and mobiles
+ define('KOE_CAPABILITY_SENDAS', true);
+ // Secondary Contact folders (own and shared)
+ define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
+ // Copy WebApp signature into KOE
+ define('KOE_CAPABILITY_SIGNATURES', true);
+
+ // To synchronize the GAB KOE, the GAB store and folderid need to be specified.
+ // Use the gab-sync script to generate this data. The name needs to
+ // match the config of the gab-sync script.
+ // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
+ define('KOE_GAB_STORE', 'SYSTEM');
+ define('KOE_GAB_FOLDERID', '');
+ define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.org/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Kopano users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ * SYNC_FOLDER_TYPE_USER_NOTE
+ *
+ * Additional notes:
+ * - on Kopano systems use backend/kopano/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have at least reading permissions so the configured
+ * folders can be synchronized to the mobile. Else they are ignored.
+ *
+ * - this feature is only partly suitable for multi-tenancy environments,
+ * as ALL users from ALL tenents need access to the configured store & folder.
+ * When configuring a public folder, this will cause problems, as each user has
+ * a different public folder in his tenant, so the folder are not available.
+
+ * - changing this configuration could cause HIGH LOAD on the system, as all
+ * connected devices will be updated and load the data contained in the
+ * added/modified folders.
+ */
+
+ $additionalFolders = array(
+ // demo entry for the synchronization of contacts from the public folder.
+ // uncomment (remove '/*' '*/') and fill in the folderid
+/*
+ array(
+ 'store' => "SYSTEM",
+ 'folderid' => "",
+ 'name' => "Public Contacts",
+ 'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
+ ),
+*/
+ );
diff --git a/etc-template/z-push/z-push.conf.php.dpkg-dist b/etc-template/z-push/z-push.conf.php.dpkg-dist
new file mode 100644
index 0000000..7fe9cbb
--- /dev/null
+++ b/etc-template/z-push/z-push.conf.php.dpkg-dist
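Review bot: `$specialLogUsers = array('andreas',);` together with `define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);` writes a dedicated per-user log into `LOGFILEDIR` at a level the hunk's own comment places above LOGLEVEL_WBXML, so that file will contain the WBXML exchanged with the account's devices — message bodies and contact data, not just metadata. For a committed template the list should be empty, `$specialLogUsers = array();`, with a user added only for the duration of a troubleshooting session; a personal account name also does not belong in a shared template. Separately, `define('LOGAUTHFAIL', false);` means failed ActiveSync logins leave no trace in the log backend, and since this service is what mobile clients authenticate against, `define('LOGAUTHFAIL', true);` is the one line that gives brute-force monitoring something to work with. The license header above the `@@` line is outside this chunk.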
@@ -0,0 +1,418 @@ +. +* +* Consult LICENSE file for details +************************************************/ + +/********************************************************************************** + * Default settings + */ + // Defines the default time zone, change e.g. to "Europe/London" if necessary + define('TIMEZONE', ''); + + // Defines the base path on the server + define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); + + // Try to set unlimited timeout + define('SCRIPT_TIMEOUT', 0); + + // This should be solved on THE webserver level if there are proxies + // between mobile client and Z-Push. + // IMPORTANT: This setting will be deprecated in Z-Push 2.7.0. + // Use a custom header to determinate the remote IP of a client. + // By default, the server provided REMOTE_ADDR is used. If the header here set + // is available, the provided value will be used, else REMOTE_ADDR is maintained. + // set to false to disable this behaviour. + // common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored) + define('USE_CUSTOM_REMOTE_IP_HEADER', false); + + // When using client certificates, we can check if the login sent matches the owner of the certificate. + // This setting specifies the owner parameter in the certificate to look at. + define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN"); + + /* + * Whether to use the complete email address as a login name + * (e.g. user@company.com) or the username only (user). + * This is required for Z-Push to work properly after autodiscover. + * Possible values: + * false - use the username only. + * true - string the mobile sends as username, e.g. full email address (default). + */ + define('USE_FULLEMAIL_FOR_LOGIN', true); + +/********************************************************************************** + * StateMachine setting + * + * These StateMachines can be used: + * FILE - FileStateMachine (default). Needs STATE_DIR set as well. + * SQL - SqlStateMachine has own configuration file. 
STATE_DIR is ignored. + * State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa + */ + define('STATE_MACHINE', 'FILE'); + define('STATE_DIR', '/var/lib/z-push/'); + +/********************************************************************************** + * IPC - InterProcessCommunication + * + * Is either provided by using shared memory on a single host or + * using the memcache provider for multi-host environments. + * When another implementation should be used, the class can be set here explicitly. + * If empty Z-Push will try to use available providers. + + * Possible values: + * IpcSharedMemoryProvider - default. Requires z-push-ipc-sharedmemory package. + * IpcMemcachedProvider - requires z-push-ipc-memcached package. It is necessary to set up + * memcached server before (it won't be installed by z-push-ipc-memcached). + * IpcWincacheProvider - for windows systems. + */ + define('IPC_PROVIDER', ''); + +/********************************************************************************** + * Logging settings + * + * The LOGBACKEND specifies where the logs are sent to. + * Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass. + * filelog and syslog have several options that can be set below. 
+ * For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT + + * Possible LOGLEVEL and LOGUSERLEVEL values are: + * LOGLEVEL_OFF - no logging + * LOGLEVEL_FATAL - log only critical errors + * LOGLEVEL_ERROR - logs events which might require corrective actions + * LOGLEVEL_WARN - might lead to an error or require corrective actions in the future + * LOGLEVEL_INFO - usually completed actions + * LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers + * LOGLEVEL_WBXML - also prints the WBXML sent to/from the device + * LOGLEVEL_DEVICEID - also prints the device id for every log entry + * LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack + * + * The verbosity increases from top to bottom. More verbose levels include less verbose + * ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR, + * LOGLEVEL_WARN and LOGLEVEL_INFO level entries. + * + * LOGAUTHFAIL is logged to the LOGBACKEND. + */ + define('LOGBACKEND', 'filelog'); + define('LOGLEVEL', LOGLEVEL_INFO); + define('LOGAUTHFAIL', false); + + // To save e.g. WBXML data only for selected users, add the usernames to the array + // The data will be saved into a dedicated file per user in the LOGFILEDIR + // Users have to be encapusulated in quotes, several users are comma separated, like: + // $specialLogUsers = array('info@domain.com', 'myusername'); + define('LOGUSERLEVEL', LOGLEVEL_DEVICEID); + $specialLogUsers = array(); + + // Filelog settings + define('LOGFILEDIR', '/var/log/z-push/'); + define('LOGFILE', LOGFILEDIR . 'z-push.log'); + define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log'); + + // Syslog settings + // false will log to local syslog, otherwise put the remote syslog IP here + define('LOG_SYSLOG_HOST', false); + // Syslog port + define('LOG_SYSLOG_PORT', 514); + // Program showed in the syslog. 
Useful if you have more than one instance login to the same syslog
+ define('LOG_SYSLOG_PROGRAM', 'z-push');
+ // Syslog facility - use LOG_USER when running on Windows
+ define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
+
+ // Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
+ // Uncomment and modify the following line if the validation of the certificates fails.
+ // define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
+
+/**********************************************************************************
+ * Mobile settings
+ */
+ // Device Provisioning
+ define('PROVISIONING', true);
+
+ // This option allows the 'loose enforcement' of the provisioning policies for older
+ // devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
+ // false (default) - Enforce provisioning for all devices
+ // true - allow older devices, but enforce policies on devices which support it
+ define('LOOSE_PROVISIONING', false);
+
+ // The file containing the policies' settings.
+ // Set a full path or relative to the z-push main directory
+ define('PROVISIONING_POLICYFILE', 'policies.ini');
+
+ // Default conflict preference
+ // Some devices allow to set if the server or PIM (mobile)
+ // should win in case of a synchronization conflict
+ // SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
+ // SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
+ define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
+
+ // Global limitation of items to be synchronized
+ // The mobile can define a sync back period for calendar and email items
+ // For large stores with many items the time period could be limited to a max value
+ // If the mobile transmits a wider time period, the defined max value is used
+ // Applicable values:
+ // SYNC_FILTERTYPE_ALL (default, no limitation)
+ // SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
+ // SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
+ define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
+
+ // Interval in seconds before checking if there are changes on the server when in Ping.
+ // It means the highest time span before a change is pushed to a mobile. Set it to
+ // a higher value if you have a high load on the server.
+ define('PING_INTERVAL', 30);
+
+ // Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
+ // It will only affect new/modified contacts on the mobile which then are synced to the server.
+ // Possible values are:
+ // SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
+ // SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
+ // SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
+ // SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
+ // SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
+ // SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
+ // SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
+ // The company-fileas will only be set if a contact has a company set. If one of
+ // company-fileas is selected and a contact doesn't have a company set, it will default
+ // to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
+ // option is selected for company).
+ // If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
+ // SYNC_FILEAS_LASTFIRST will be used
+ define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
+
+ // Maximum amount of items to be synchronized per request.
+ // Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
+ // Exporting too much items can cause mobile timeout on busy systems.
+ // Z-Push will use the lowest provided value, either set here or by the mobile.
+ // MS Outlook 2013+ request up to 512 items to accelerate the sync process.
+ // If you detect high load (also on subsystems) you could try a lower setting.
+ // max: 512 - value used if mobile does not limit amount of items
+ define('SYNC_MAX_ITEMS', 512);
+
+ // The devices usually send a list of supported properties for calendar and contact
+ // items. If a device does not includes such a supported property in Sync request,
+ // it means the property's value will be deleted on the server.
+ // However some devices do not send a list of supported properties. It is then impossible
+ // to tell if a property was deleted or it was not set at all if it does not appear in Sync.
+ // This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
+ // supported properties.
+ // See also https://jira.z-hub.io/browse/ZP-302.
+ // Possible values:
+ // false - do not unset properties which are not sent during Sync (default)
+ // true - unset properties which are not sent during Sync
+ define('UNSET_UNDEFINED_PROPERTIES', false);
+
+ // ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
+ // in the semantic sanity checks and contacts with larger photos are not synchronized.
+ // This limitation is not being followed by the ActiveSync clients which set much bigger
+ // contact photos. You can override the default value of the max photo size.
+ // default: 5242880 - 5 MB default max photo size in bytes
+ define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
+
+ // Over the WebserviceUsers command it is possible to retrieve a list of all
+ // known devices and users on this Z-Push system. The authenticated user needs to have
+ // admin rights and a public folder must exist.
+ // In multicompany environments this enable an admin user of any company to retrieve
+ // this full list, so this feature is disabled by default. Enable with care.
+ define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
+
+ // Users with many folders can use the 'partial foldersync' feature, where the server
+ // actively stops processing the folder list if it takes too long. Other requests are
+ // then redirected to the FolderSync to synchronize the remaining items.
+ // Device compatibility for this procedure is not fully understood.
+ // NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
+ define('USE_PARTIAL_FOLDERSYNC', false);
+
+ // The minimum accepted time in second that a ping command should last.
+ // It is strongly advised to keep this config to false. Some device
+ // might not be able to send a higher value than the one specificied here and thus
+ // unable to start a push connection.
+ // If set to false, there will be no lower bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_LOWER_BOUND_LIFETIME', false);
+
+ // The maximum accepted time in second that a ping command should last.
+ // If set to false, there will be no higher bound to the ping lifetime.
+ // The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
+ define('PING_HIGHER_BOUND_LIFETIME', false);
+
+ // Maximum response time
+ // Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
+ // have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
+ // the answer will not be recieved and the device will send a new one overloading the server.
+ // There are three categories
+ // - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
+ // - Medium timeout - server has up to 90 seconds to respond
+ // - Long timeout - server has up to 4 minutes to respond
+ // If a timeout is almost reached the server will break and sent the results it has until this
+ // point. You can add DeviceType strings to the categories.
+ // In general longer timeouts are better, because more data can be streamed at once.
+ define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
+ define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
+
+ // Time in seconds the device should wait whenever the service is unavailable,
+ // e.g. when a backend service is unavailable.
+ // Z-Push sends a "Retry-After" header in the response with the here defined value.
+ // It is up to the device to respect or not this directive so even if this option is set,
+ // the device might not wait requested time frame.
+ // Number of seconds before retry, to disable set to: false
+ define('RETRY_AFTER_DELAY', 300);
+
+/**********************************************************************************
+ * Backend settings
+ */
+ // The backend data provider.
+ // Leave this value empty and Z-Push will autoload a backend. The sequence of autoload is:
+ // BackendKopano, BackendCombined, BackendIMAP, BackendVCardDir, BackendMaildir.
+ // If BackendKopano is not installed, Z-Push will load BackendCombined. If BackendCombined
+ // also is not installed, Z-Push will load BackendIMAP and so on.
+ // If you prefer explicitly configure a backend provider, currently possible values are:
+ // BackendKopano - to use with the Kopano groupware. Syncs emails, calendar items,
+ // contacts, tasks and notes or any combination of the listed items.
+ // BackendCombined - combine multiple backends for different items, e.g.
+ // BackendIMAP for emails, BackendCalDAV for calendar items,
+ // BackendCardDAV for contacts etc. You can configure what backend
+ // syncs which items in /etc/combined.conf.php.
+ // BackendIMAP - to sync emails with an IMAP server.
+ // BackendCalDAV - to sync calendar items and / or tasks with a CalDAV server.
+ // BackendCardDAV - to sync contacts with a CardDAV server.
+ // BackendMaildir - to sync emails from a Maildir.
+ // BackendStickyNote - to sync notes with a Postgres server.
+ // BackendVCardDir - to sync contacts with vcard folder.
+ define('BACKEND_PROVIDER', '');
+
+/**********************************************************************************
+ * Search provider settings
+ *
+ * Alternative backend to perform SEARCH requests (GAL search)
+ * By default the main Backend defines the preferred search functionality.
+ * If set, the Search Provider will always be preferred.
+ * Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
+ */
+ define('SEARCH_PROVIDER', '');
+ // Time in seconds for the server search. Setting it too high might result in timeout.
+ // Setting it too low might not return all results. Default is 10.
+ define('SEARCH_WAIT', 10);
+ // The maximum number of results to send to the client. Setting it too high
+ // might result in timeout. Default is 10.
+ define('SEARCH_MAXRESULTS', 10);
+
+/**********************************************************************************
+ * Kopano Outlook Extension - Settings
+ *
+ * The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
+ * functionality not provided by ActiveSync or not implemented by Outlook.
+ * For more information, see: https://wiki.z-hub.io/x/z4Aa
+ */
+ // Global Address Book functionality
+ define('KOE_CAPABILITY_GAB', true);
+ // Synchronize mail flags from the server to Outlook/KOE
+ define('KOE_CAPABILITY_RECEIVEFLAGS', true);
+ // Encode flags when sending from Outlook/KOE
+ define('KOE_CAPABILITY_SENDFLAGS', true);
+ // Out-of-office support
+ define('KOE_CAPABILITY_OOF', true);
+ // Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
+ define('KOE_CAPABILITY_OOFTIMES', true);
+ // Notes support
+ define('KOE_CAPABILITY_NOTES', true);
+ // Shared folder support
+ define('KOE_CAPABILITY_SHAREDFOLDER', true);
+ // Send-As support for Outlook/KOE and mobiles
+ define('KOE_CAPABILITY_SENDAS', true);
+ // Secondary Contact folders (own and shared)
+ define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
+ // Copy WebApp signature into KOE
+ define('KOE_CAPABILITY_SIGNATURES', true);
+ // Delivery receipt requests
+ define('KOE_CAPABILITY_RECEIPTS', true);
+ // Impersonate other users
+ define('KOE_CAPABILITY_IMPERSONATE', true);
+
+ // To synchronize the GAB KOE, the GAB store and folderid need to be specified.
+ // Use the gab-sync script to generate this data. The name needs to
+ // match the config of the gab-sync script.
+ // More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
+ define('KOE_GAB_STORE', 'SYSTEM');
+ define('KOE_GAB_FOLDERID', '');
+ define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
+
+/**********************************************************************************
+ * Synchronize additional folders to all mobiles
+ *
+ * With this feature, special folders can be synchronized to all mobiles.
+ * This is useful for e.g. global company contacts.
+ *
+ * This feature is supported only by certain devices, like iPhones.
+ * Check the compatibility list for supported devices:
+ * http://z-push.org/compatibility
+ *
+ * To synchronize a folder, add a section setting all parameters as below:
+ * store: the ressource where the folder is located.
+ * Kopano users use 'SYSTEM' for the 'Public Folder'
+ * folderid: folder id of the folder to be synchronized
+ * name: name to be displayed on the mobile device
+ * type: supported types are:
+ * SYNC_FOLDER_TYPE_USER_CONTACT
+ * SYNC_FOLDER_TYPE_USER_APPOINTMENT
+ * SYNC_FOLDER_TYPE_USER_TASK
+ * SYNC_FOLDER_TYPE_USER_MAIL
+ * SYNC_FOLDER_TYPE_USER_NOTE
+ * flags: sets additional options on the shared folder. Supported are:
+ * DeviceManager::FLD_FLAGS_NONE
+ * No flags configured, default flag to be set
+ * DeviceManager::FLD_FLAGS_SENDASOWNER
+ * When replying in this folder, automatically do Send-As
+ * DeviceManager::FLD_FLAGS_CALENDARREMINDERS
+ * If set, Outlook shows reminders for these shares with KOE
+ * DeviceManager::FLD_FLAGS_NOREADONLYNOTIFY
+ * If set, Z-Push won't send notification emails for changes
+ * if the folder is read-only
+ *
+ * Additional notes:
+ * - on Kopano systems use backend/kopano/listfolders.php script to get a list
+ * of available folders
+ *
+ * - all Z-Push users must have at least reading permissions so the configured
+ * folders can be synchronized to the mobile. Else they are ignored.
+ * + * - this feature is only partly suitable for multi-tenancy environments, + * as ALL users from ALL tenents need access to the configured store & folder. + * When configuring a public folder, this will cause problems, as each user has + * a different public folder in his tenant, so the folder are not available. + + * - changing this configuration could cause HIGH LOAD on the system, as all + * connected devices will be updated and load the data contained in the + * added/modified folders. + */ + + $additionalFolders = array( + // demo entry for the synchronization of contacts from the public folder. + // uncomment (remove '/*' '*/') and fill in the folderid +/* + array( + 'store' => "SYSTEM", + 'folderid' => "", + 'name' => "Public Contacts", + 'type' => SYNC_FOLDER_TYPE_USER_CONTACT, + 'flags' => DeviceManager::FLD_FLAGS_NONE, + ), +*/ + ); diff --git a/etc-zntrl/kopano/dagent.cfg b/etc-zntrl/kopano/dagent.cfg index f61d751..c31bb8f 100644 --- a/etc-zntrl/kopano/dagent.cfg +++ b/etc-zntrl/kopano/dagent.cfg @@ -13,9 +13,9 @@ lmtp_listen = *:2003 # connection to the storage server #server_socket = file:///var/run/kopano/server.sock -server_socket = https://server:237 +server_socket = https://zntrl-server-1:237 # Login to the storage server using this SSL Key -sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem +sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem # The password of the SSL Key sslkey_pass = diff --git a/etc-zntrl/kopano/search.cfg b/etc-zntrl/kopano/search.cfg index 7f0772f..0321f0e 100644 --- a/etc-zntrl/kopano/search.cfg +++ b/etc-zntrl/kopano/search.cfg @@ -6,7 +6,7 @@ #limit_results = 1000 # Use https to reach servers over the network -server_socket = https://server:237 +server_socket = https://zntrl-server-1:237 # Login to the storage server using this SSL Key sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem # The password of the SSL Key 
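Review bot: The new `sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem` gives kopano-dagent its own client key, while search.cfg and spooler.cfg in this same commit keep `system-key-cert.pem`; if the goal is a per-service identity so that one leaked key can be revoked without re-keying everything, the other two services should follow, and the server must have the matching dagent public key registered or this login will fail silently from the config's point of view (the server-side change is not visible here). `sslkey_pass =` stays empty, so the key is protected only by filesystem permissions; it should be mounted at runtime as 0600 owned by the dagent user, not copied into the image or kept in the config tree that is committed. The move to `server_socket = https://zntrl-server-1:237` is fine provided the certificate served on 237 carries that name, if the client verifies it; otherwise the hostname change buys nothing against a spoofed server.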
diff --git a/etc-zntrl/kopano/spooler.cfg b/etc-zntrl/kopano/spooler.cfg index fb97131..a0beb41 100644 --- a/etc-zntrl/kopano/spooler.cfg +++ b/etc-zntrl/kopano/spooler.cfg @@ -5,7 +5,7 @@ smtp_server = postfix smtp_port = 25 # Server Unix socket location -server_socket = https://server:237 +server_socket = https://zntrl-server-1:237 # Login to the storage server using this SSL Key sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem # The password of the SSL Key diff --git a/etc-zntrl/z-push/z-push.conf.php b/etc-zntrl/z-push/z-push.conf.php index 79c197a..0aed8cf 100644 --- a/etc-zntrl/z-push/z-push.conf.php +++ b/etc-zntrl/z-push/z-push.conf.php @@ -27,7 +27,7 @@ * Default settings */ // Defines the default time zone, change e.g. to "Europe/London" if necessary - define('TIMEZONE', ''); + define('TIMEZONE', 'Europe/Berlin'); // Defines the base path on the server define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/'); diff --git a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql index e9bc804..b40afff 100644 --- a/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql +++ b/mysql/docker-entrypoint-initdb.d/00-create-kopano-user.sql @@ -1,4 +1,4 @@ -CREATE USER 'kopano' IDENTIFIED BY 'Asdf2345'; +CREATE USER 'kopano' IDENTIFIED BY '$MYSQL_KOPANO_PASSWORD'; GRANT ALL ON kopano.* TO 'kopano'@'%'; flush privileges; -- database is created by server automatically if not present diff --git a/postfix/Dockerfile b/postfix/Dockerfile index fe2c454..5e4e604 100644 --- a/postfix/Dockerfile +++ b/postfix/Dockerfile 
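Review bot: `IDENTIFIED BY '$MYSQL_KOPANO_PASSWORD'` is never expanded: `.sql` files under docker-entrypoint-initdb.d are piped straight into the mysql client, so the kopano user is created with the literal, publicly known password `$MYSQL_KOPANO_PASSWORD`, which is no improvement on the removed `Asdf2345` (that value also survives in git history, so it needs rotating regardless). Only `.sh` files in that directory go through a shell; rename this to `00-create-kopano-user.sh` and emit the statement from there, e.g. `docker_process_sql <<<"CREATE USER 'kopano' IDENTIFIED BY '${MYSQL_KOPANO_PASSWORD:?}'; GRANT ALL ON kopano.* TO 'kopano'@'%';"` if the image's entrypoint exposes that helper, or the plain `mysql` client otherwise. The `:?` makes init abort when the variable is unset instead of creating a user with an empty password, and because the value is interpolated into SQL it must not contain a single quote (or must be escaped). `flush privileges` is redundant after CREATE USER/GRANT and can be dropped.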
@@ -10,8 +10,7 @@ apt-get install -y rsyslog apt-get autoclean rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm EOF -COPY etc/postfix/ /etc/postfix/ -COPY etc/ssl/ /etc/ssl/ +COPY etc-template /root/etc # https://github.com/moby/moby/issues/31243#issuecomment-406879017 RUN <certs/$CN-key-certs.pem \ No newline at end of file +cat certs/$CN.key certs/$CN.crt >certs/$CN-key-certs.pem diff --git a/ssl/dist-certs b/ssl/dist-certs new file mode 100644 index 0000000..eec1074 --- /dev/null +++ b/ssl/dist-certs @@ -0,0 +1,5 @@ +#!/usr/bin/bash +cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix +cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix +cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix +cp certs/relay_clientcerts ~/kopano-docker/etc-ads64/postfix diff --git a/ssl/mkcerts b/ssl/mkcerts index 2cdf14e..a8be9e9 100644 --- a/ssl/mkcerts +++ b/ssl/mkcerts @@ -29,11 +29,8 @@ openssl ca -batch -selfsign -in tmp/kopano-ca.csr -passin env:CA_PWD -notext -ou ./create-key z-push # create postfix clients ssl key pair (for authentification) -echo >certs/relay_clientcerts +echo -n >certs/relay_clientcerts ./create-postfix-certs relay ./create-postfix-certs zntrl ./create-postfix-certs baloghs - -cp certs/relay_clientcerts ~/kopano-docker/etc-relay/postfix -cp certs/relay_clientcerts ~/kopano-docker/etc-zntrl/postfix -cp certs/relay_clientcerts ~/kopano-docker/etc-baloghs/postfix +./create-postfix-certs ads64 diff --git a/webapp/Dockerfile b/webapp/Dockerfile index d2a5b2f..e96eae7 100644 --- a/webapp/Dockerfile +++ b/webapp/Dockerfile @@ -24,11 +24,17 @@ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* ~/.cache ~/.npm rm -rf webapp-6.0.0.57.1049268-Ubuntu_20.04-all rm -rf core-11.0.2.50.507cbae-Ubuntu_20.04-amd64 EOF +COPY etc-zntrl /root/etc +# RUN <
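Review bot: dist-certs reads `certs/relay_clientcerts` relative to whatever directory it is invoked from and has no `set -e`, so run from elsewhere, or with one target tree absent, it exits 0 while some postfix instances keep a stale copy; since that file presumably lists the client-certificate fingerprints allowed to relay, a stale copy keeps trusting certificates mkcerts has already replaced. Add `set -euo pipefail`, `cd` to the script's own directory, and loop over the same site list that mkcerts uses so the two cannot drift. If postfix consults this as a hashed lookup table, the target also needs a `postmap` run after the copy — I can't see the postfix main.cf here to confirm.
```shell
#!/usr/bin/bash
set -euo pipefail
cd "$(dirname "$0")"
for site in relay zntrl baloghs ads64; do
    cp certs/relay_clientcerts ~/kopano-docker/etc-"$site"/postfix/
done
```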
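Review bot: The three `cp` lines that pushed `certs/relay_clientcerts` into the per-site postfix trees are removed from mkcerts and moved to the new dist-certs, but nothing in mkcerts calls it, so regenerating the client certificates no longer refreshes the fingerprint tables the postfix instances enforce; until the second script is run by hand the relays presumably keep accepting the previous certificates and reject the freshly issued ones. Either add `./dist-certs` as the final step of mkcerts or state in a comment next to the `./create-postfix-certs` calls that distribution is a separate, mandatory step. `echo -n >certs/relay_clientcerts` does truncate the file, but `: >certs/relay_clientcerts` is the conventional form and does not depend on the shell's `echo -n` behaviour.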