andreas/kopano-docker
1
0
Fork 0
Code Issues 8 Pull Requests Packages Projects 1 Releases Wiki Activity

update recovered sdlc git repo

Browse Source
This commit is contained in:
andreas
2024-02-11 11:54:51 +00:00
parent f808ebae4a
commit 6b2eb41193
82 changed files with 3903 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
etc-template/kopano/admin.cfg Normal file
View File

@@ -0,0 +1,7 @@
# The language for folders in newly-created stores, specified as a
# locale identifier ("en_US", "de_DE", etc.)
#default_store_locale =
#server_socket = default:
#sslkey_file = some.pem
#sslkey_pass = magic

22
etc-template/kopano/autorespond.cfg Normal file
View File

@@ -0,0 +1,22 @@
##############################################################
# AUTORESPOND SETTINGS
# Autorespond if the recipient is in the Cc field
#autorespond_cc = no
# Autorespond if the recipient is in the Bcc field
#autorespond_bcc = no
# Autorespond if the recipient is not in any of To, Cc or Bcc
# (i.e. received the message through a distribution list)
#autorespond_norecip = no
# Only send reply to same e-mail address once per 24 hours
#timelimit = 86400
# File which contains when vacation message was sent
#senddb = /var/lib/kopano/autorespond.db
# Copy to sentmail - whether responses should be saved in the
# users sentmail folder or not
#copy_to_sentmail = yes

31
etc-template/kopano/backup.cfg Normal file
View File

@@ -0,0 +1,31 @@
##############################################################
# SERVER SETTINGS
# Socket to find the connection to the storage server.
# Use https to reach servers over the network
#server_socket = file:///var/run/kopano/server.sock
# Login to the storage server using this SSL Key
#sslkey_file = /etc/kopano/ssl/search.pem
# The password of the SSL Key
#sslkey_pass = replace-with-server-cert-password
##############################################################
# LOG SETTINGS
# Logging method (syslog, file)
#log_method = file
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3
# Logfile for log_method = file, use '-' for stderr
# Default: -
#log_file = /var/log/kopano/backup.log
##############################################################
# BACKUP SETTINGS
# maximum number of stores to backup in parallel
#worker_processes = 1

93
etc-template/kopano/dagent.cfg Normal file
View File

@@ -0,0 +1,93 @@
# See the kopano-dagent.cfg(5) manpage for details and more directives.
# Space-separated list of address:port specifiers with optional %interface
# infix for where the server should listen for LMTP connections.
#
# "unix:/var/spool/kopano/dagent.sock" — local socket
# "*:2003" — port 2003, all protocols
# "[::]:2003" — port 2003 on IPv6 only
# "[2001:db8::1]:2003" — port 2003 on specific address only
#
lmtp_listen = *:2003
#lmtp_listen = unix:/var/spool/kopano/dagent.sock
# connection to the storage server
#server_socket = file:///var/run/kopano/server.sock
server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/private/dagent-key-cert.pem
# The password of the SSL Key
sslkey_pass =
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 5
# log_file = /var/log/kopano/dagent.log
log_timestamp = yes
# Log raw message to a file. Can be "no", "all", or a list of usernames
# for which messages should be saved.
#log_raw_message = no
#log_raw_message_path = /var/lib/kopano
# Maximum LMTP threads that can be running simultaneously
# This is also limited by your SMTP server. (20 is the postfix default concurrency limit)
#lmtp_max_threads = 20
# The following e-mail header will mark the mail as spam, so the mail
# is placed in the Junk Mail folder, and not the Inbox.
# The name is case insensitive.
# set to empty to not use this detection scheme.
#spam_header_name = X-Spam-Status
# If the above header is found, and contains the following value
# the mail will be considered as spam.
# Notes:
# - The value is case insensitive.
# - Leading and trailing spaces are stripped.
# - The word 'bayes' also contains the word 'yes'.
#spam_header_value = Yes,
# Enable archive_on_delivery to automatically archive all incoming
# messages on delivery.
# This will do nothing if no archive is attached to the target mailbox.
#archive_on_delivery = no
# Enable the dagent Python plugin framework. Disables threading.
#plugin_enabled = yes
# Path to the activated dagent plugins.
# This folder contains symlinks to the kopano plugins and custom scripts. The plugins are
# installed in '/usr/share/kopano-dagent/python/plugins/'. To activate a plugin create a symbolic
# link in the 'plugin_path' directory.
#
# Example:
# $ ln -s /usr/share/kopano-dagent/python/plugins/BMP2PNG.py /var/lib/kopano/dagent/plugins/BMP2PNG.py
#plugin_path = /var/lib/kopano/dagent/plugins
##############################################################
# DAGENT RULE SETTINGS
# Enable the addition of X-Kopano-Rule-Action headers on messages
# that have been forwarded or replied by a rule.
#set_rule_headers = yes
# Enable this option to prevent rules from potentially causing a loop. An
# e-mail can only be forwarded once when this option is enabled. Requires the
# set_rule_headers option to also be enabled.
#no_double_forward = yes
# Domain list to which forwarding is allowed. (Cuts off after 1000 characters,
# and knows no escape chars, so use the _file variants if needed.)
#forward_whitelist_domains = *
#forward_whitelist_domains_file =
#forward_whitelist_domain_subject = REJECT: %subject not forwarded (administratively blocked)
#forward_whitelist_domain_message = The Kopano mail system has rejected your request to forward your e-mail with subject %subject (via mail filters) to %sender: the operation is not permitted.\n\nRemove the rule or contact your administrator about the forward_whitelist_domains setting.
#forward_whitelist_domain_message_file =
# When multiple HTML MIME parts are found, they can be joined to form a
# continuous e-mail. (If not, they will become attachments.) Joining them
# however can compromise the document integrity, as stylesheets and JavaScripts
# affect the entire joined document.
#
#insecure_html_join = no

47
etc-template/kopano/gateway.cfg Normal file
View File

@@ -0,0 +1,47 @@
# See the kopano-gateway.cfg(5) manpage for details and more directives.
# Space-separated list of address:port specifiers with optional %interface
# infix for where the server should listen for connections.
# imaps is normally on 993, pop3s on 995.
#
#pop3_listen = *%lo:110
#pop3s_listen =
#imap_listen = *%lo:143
#imaps_listen =
# File with RSA key for SSL
#ssl_private_key_file = /etc/kopano/gateway/privkey.pem
#File with certificate for SSL
#ssl_certificate_file = /etc/kopano/gateway/cert.pem
# Disable all plaintext authentications unless SSL/TLS is used
#disable_plaintext_auth = no
# Verify client certificate
#ssl_verify_client = no
# Client verify file and/or path
#ssl_verify_file =
#ssl_verify_path =
#tls_min_proto = tls1.2
# Connection to the storage server.
# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
#server_socket = http://localhost:236/
# Bypass authentification when connecting as an administrator to the UNIX socket.
#bypass_auth = no
# Whether to show the hostname in the logon greeting to clients.
#server_hostname_greeting = no
# Override own DNS name for presentation in the protocol greeting line.
#server_hostname =
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 5
log_file = /var/log/kopano/gateway.log
#log_timestamp = yes
# Only mail folder for IMAP or all subfolders (calendar, contacts, tasks, etc. too)
#imap_only_mailfolders = yes
# Show Public folders for IMAP
#imap_public_folders = yes
# The maximum size of an email that can be uploaded to the gateway
#imap_max_messagesize = 128M

38
etc-template/kopano/grapi.cfg Normal file
View File

@@ -0,0 +1,38 @@
##############################################################
# Groupware REST API SETTINGS
# Number of worker processes.
num_workers = 2
# Disable TLS validation for all client request.
# When set to yes, TLS certificate validation is turned off. This is insecure
# and should not be used in production setups.
#insecure = no
# Path where to create the gc-rest sockets.
#socket_path = /var/run/kopano-grapi
# Socket to find the connection to the storage server.
# Use https to reach servers over the network.
#server_socket = file:///var/run/kopano/server.sock
# Path where to store persistent runtime data.
#persistency_path = /var/lib/kopano-grapi
# Path where to find translation catalogs.
#translations_path = /usr/share/kopano-grapi/i18n
# The API includes experimental endpoints which are not yet recommended to run
# in production setups and are thus disabled by default. When set to yes, all
# endpoints marked experimental are made available. Defaults to no.
#enable_experimental_endpoints = yes
###############################################################
# Log settings
# Log level controls the verbosity of the output log. It can be one of
# `critical`, `error`, `warning`, `info` or `debug`. Defaults to `info`.
log_level = info
log_method = file
log_file = /var/log/kopano/server.log

34
etc-template/kopano/ical.cfg Normal file
View File

@@ -0,0 +1,34 @@
# See the kopano-ical.cfg(5) manpage for details and more directives.
# Space-separated list of address:port specifiers with optional %interface
# infix for where the server should listen for connections.
# ical has often been placed on 8080 and icals on 8443.
#
#ical_listen = *%lo:8080
#icals_listen =
#tls_min_proto = tls1.2
# File with RSA key for SSL
#ssl_private_key_file = /etc/kopano/ical/privkey.pem
# File with certificate for SSL
#ssl_certificate_file = /etc/kopano/ical/cert.pem
# Verify client certificate
#ssl_verify_client = no
# Client verify file and/or path
#ssl_verify_file =
#ssl_verify_path =
# default connection to the storage server
# Please refer to the administrator manual or manpage why HTTP is used rather than the UNIX socket.
#server_socket = http://localhost:236/
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3
#log_file = /var/log/kopano/ical.log
#log_timestamp = yes
# The timezone of the system clock
#server_timezone = Europe/Amsterdam
# Enable the iCalendar GET method for downloading calendars
#enable_ical_get = yes

1
etc-template/kopano/kapid-pubs-secret.key Normal file
View File

@@ -0,0 +1 @@
3be77a9c8294eb60dadf05399576a9048582bb77f8fc86af40660f931d743b65

66
etc-template/kopano/kapid.cfg Normal file
View File

@@ -0,0 +1,66 @@
##############################################################
# Kopano API SETTINGS
# OpenID Connect Issuer Identifier.
#oidc_issuer_identifier=
# Address:port specifier for where kapid should listen for
# incoming connections.
#listen = 127.0.0.1:8039
# Disable TLS validation for all client request.
# When set to yes, TLS certificate validation is turned off. This is insecure
# and should not be used in production setups.
#insecure = no
# Comman separated list of plugin names which should be loaded.
# If this is not set or the value is empty, kapid scans the plugins_path
# on startup and loads all plugins found.
#plugins =
# Path to the location of kapi plugins.
#plugins_path = /usr/lib/kopano/kapi-plugins
###############################################################
# Log settings
# Log level controls the verbosity of the output log. It can be one of
# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
#log_level = info
###############################################################
# Groupware REST API (grapi) Plugin settings
# Path where to find Kopano Groupware REST (grapi) sockets.
#plugin_grapi_socket_path = /var/run/kopano-grapi
###############################################################
# Pubs API (pubs) Plugin settings
# Path to a key file to be used as secret for Pubs HMAC tokens.
# If no secret_key file is set, a random value will be generated on
# startup (not suitable for production use, since it changes on
# restart). A suitable key file can be generated with
# `openssl rand -out /etc/kopano/kapid-pubs-secret.key -hex 64`.
#plugin_pubs_secret_key = /etc/kopano/kapid-pubs-secret.key
###############################################################
# Key value store API (kvs) Plugin settings
# Database backend to use for persistent storage of kvs data. A supported
# backend must be set (sqlite3, mysql). Defaults to `sqlite3` if not set.
#plugin_kvs_db_drivername = sqlite3
# Database backend data source name. This setting depends on the storage
# backend (plugin_kvs_db_drivername). A DNS is required to use the kvs plugin.
# - For `sqlite3` the value should be the full path to the database file.
# - For `mysql`, us a MySQL DSN in the following format:
# [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...&paramN=valueN]
# See https://github.com/go-sql-driver/mysql#dsn-data-source-name for a
# full list of supported MySQL DSN params with examples.
# If not set and plugin_kvs_db_drivername is also not set a default value will
# be used which uses SQLite3.
#plugin_kvs_db_datasource = /var/lib/kopano/kapi-kvs/kvs.db
# Path where to find the database migration scripts.
#plugin_kvs_db_migrations = /usr/lib/kopano/kapi-kvs/db/migrations

1
etc-template/kopano/konnectd-encryption-secret.key Normal file
View File

@@ -0,0 +1 @@
<EFBFBD>r<EFBFBD><EFBFBD>L<EFBFBD>(<28>k<EFBFBD><6B><10>"u$ԟ+o<>F<1D><02>3

14
etc-template/kopano/konnectd-identifier-scopes.yaml Normal file
View File

@@ -0,0 +1,14 @@
# This file contains additional scopes for Konnect. All of the scopes listed
# here are made available to clients upon request if not limited by other means.
---
scopes:
kopano/kwm:
description: "Access Kopano Meet"
kopano/kvs:
description: "Access Kopano Key Value Store"
kopano/pubs:
description: "Access Kopano Pub/Sub"

1
etc-template/kopano/konnectd-signing-private-key.pem Symbolic link
View File

@@ -0,0 +1 @@
/etc/kopano/konnectkeys/konnect-20210314-0ae1.pem

146
etc-template/kopano/konnectd.cfg Normal file
View File

@@ -0,0 +1,146 @@
##############################################################
# Kopano Konnect SETTINGS
# OpenID Connect Issuer Identifier.
# This setting defines the OpenID Connect Issuer Identifier to be provided by
# this Konnect server. Setting this is mandatory and the setting must be a
# https URL which can be accessed by all applications and users which are to
# use this Konnect for sign-in or validation. Defaults to "https://localhost" to
# allow unconfigured startup.
#oidc_issuer_identifier=https://localhost
# Address:port specifier for where konnectd should listen for
# incoming connections. Defaults to `127.0.0.1:8777`.
#listen = 127.0.0.1:8777
# Disable TLS validation for all client request.
# When set to yes, TLS certificate validation is turned off. This is insecure
# and should not be used in production setups. Defaults to `no`.
#insecure = no
# Identity manager which provides the user backend Konnect should use. This is
# one of `kc` or `ldap`. Defaults to `kc`, which means Konnect will use a
# Kopano Groupware Storage server as backend.
#identity_manager = kc
# Full file path to a PEM encoded PKCS#1 or PKCS#5 private key which is used to
# sign tokens. This file must exist and be valid to be able to start the
# service. A suitable key can be generated with:
# `openssl genpkey -algorithm RSA \
# -out konnectd-signing-private-key.pem.pem \
# -pkeyopt rsa_keygen_bits:4096`
# If this is not set, Konnect will try to load
# /etc/kopano/konnectd-signing-private-key.pem
# and if not found, fall back to a random key on every startup. Not set by
# default. If set, the file must be there.
#signing_private_key = /etc/kopano/konnectd-signing-private-key.pem
# Key ID to use in created JWT. This setting is useful once private keys need
# to be changed because they expire. It should be a unique value identiying
# the signing_private_key. Example: `k20180912-1`. Not set by default, which
# means that Konnect uses the file name of the key file (dereferencing symlinks)
# without extension.
#signing_kid =
# JWT signing method. This must match the private key type as defined in
# signing_private_key and defaults to `PS256`.
#signing_method = PS256
# Full path to a directory containing pem encoded keys for validation. Konnect
# loads all `*.pem` files in that directory and adds the public key parts (if
# found) to the validator for received tokens using the file name without
# extension as key ID.
#validation_keys_path =
# Full file path to a encryption secret key file containing random bytes. This
# file must exist to be able to start the service. A suitable file can be
# generated with:
# `openssl rand -out konnectd-encryption-secret.key 32`
# If this is not set, Konnect will try to load
# /etc/kopano/konnectd-encryption-secret.key
# and if not found, fall back to a random key on every startup. Not set by
# default. If set, the file must be there.
#encryption_secret_key = /etc/kopano/konnectd-encryption-secret.key
# Full file path to the identifier registration configuration file. This file
# must exist to be able to start the service. An example file is shipped with
# the documentation / sources. If not set, Konnect will try to load
# /etc/kopano/konnectd-identifier-registration.yaml
# without failing when the file is not there. If set, the file must be there.
#identifier_registration_conf = /etc/kopano/konnectd-identifier-registration.yaml
# Full file path to the identifier scopes configuration file. An example file is
# shipped with the documentation / sources. If not set, Konnect will try to
# load /etc/kopano/konnectd-identifier-scopes.yaml without failing if the file
# is not there. If set, the file must be there.
#identifier_scopes_conf = /etc/kopano/konnectd-identifier-scopes.yaml
# Path to the location of konnectd web resources. This is a mandatory setting
# since Konnect needs to find its web resources to start.
#web_resources_path = /usr/share/kopano-konnect
# Custom base path for URI endpoints for Konnect API and the identifier web
# application. This needs to be changed when Konnect is served from a path
# instead of the root of the domain.
#uri_base_path = /
# Space separated list of scopes to be accepted by this Konnect server. By
# default this is not set, which means that all scopes which are known by the
# Konnect server and its configured identifier backend are allowed.
#allowed_scopes =
# Space separated list of IP address or CIDR network ranges of remote addresses
# which are to be trusted. This is used to allow special behavior if Konnect
# runs behind a trusted proxy which injects authentication credentials into
# HTTP requests. Not set by default.
#trusted_proxies =
# Flag to enable client controlled guest support. When set to `yes`, a registered
# client can send authorize guests, by sending signed requests. Defaults to `no`.
#allow_client_guests = no
# Flag to enable dynamic client registration API. When set to `yes`, clients
# can register themselves and make authorized calls to the token endpoint.
# Defaults to `no`.
#allow_dynamic_client_registration = no
# Additional arguments to be passed to the identity manager.
#identity_manager_args =
###############################################################
# Log settings
# Log level controls the verbosity of the output log. It can be one of
# `panic`, `fatal`, `error`, `warn`, `info` or `debug`. Defaults to `info`.
#log_level = info
###############################################################
# Kopano Groupware Storage Server Identity Manager (kc)
# URI for connecting to the Kopano Groupware Storage server. This can either be
# a http(s):// URL for remote systems or a file:// URI to a socket for local
# connection. Defaults to `file:///run/kopano/server.sock` and is only used
# when the identity_manager is `kc`.
#kc_server_uri = file:///run/kopano/server.sock
# Session timeout for sessions of the Kopano Groupware Storage server in
# seconds. Access token valid duration is limited to this value and Konnect
# will expire sessions if they are inactive for the timeout duration. This value
# needs to be lower or same as the corresponding value used in the Kopano
# Groupware Storage server's configuration to avoid constant session expiration
# and recreation.
#kc_session_timeout = 300
###############################################################
# LDAP Identity Manager (ldap)
# Below are the settings for the LDAP identity manager. They are only used when
# the identity_manager is `ldap`.
#ldap_uri =
#ldap_binddn =
#ldap_bindpw =
#ldap_basedn =
#ldap_scope = sub
#ldap_login_attribute = uid
#ldap_uuid_attribute = uidNumber
#ldap_filter = (objectClass=inetOrgPerson)

52
etc-template/kopano/konnectkeys/konnect-20210314-0ae1.pem Normal file
View File

@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDKeeORq+iJ/Rzp
Q9Jhqldvx0jEprZkTz30DWQrxgzr3lgpowY4sPT9P4uu73Y+czMv8CvMX9gacBv8
ctbhPL2unmYpRX1Vpgw25E768CyX4etn+LCkZy4KvevuPB8Z6Hx1BseM3tu/nWYP
Uf9TczHN48vjLKrsu6zeEXy3TsUpmEqgIQN9DxdMCVlzh9wl7+gx/9JrpM24slFA
4S/ieeaOtlzv8nIWWUB+qeWM35b5ZEtejsiqDaBGHhNhj2z6igUfRrmEkL3V0lkd
nwaMIWYg0mhiZrX1fQy2wsEpWwDjhy6GQp15IIySv9NgjN5P/PqnCjhPQAxwznt8
KwZucCAh52g/rwykPoMW14SlfVe97zxjEw1MfFmjwi/7jFHh8AGTNl+BVIbZZ/O/
YgxLurKbNEeNcyl/aaZFlNL11RYRa5QOwrc65+ChRhO4rbvsenstpQbky/vvbZ8v
9BbvcuC/I0TTWJxFBpGHuK2iTFiViAE9bLfKAxsXuZofw74pwltTXU2wyTm/weih
HVTs4DlUtUefsltZRFHVBDDTcUc9WwVtKjvCNKUbE5ZXHRkiZuWxLgjci/4UvrRj
WstQVzbGfGWgi710ZovvKqn1gRJoakJTrdYk9YQMnKuLWuq9DNby4N/jdlbAs7NM
8jEe9TTnJW8z7HX6NQPT/ugoqfnPFQIDAQABAoICAFVU8VefP62IAvs8HhoTFC6D
qmNWb1/vFYkZa7IXEbMGTdmeXyzdRyLD+TaMrSS8oEH/0jWb3xOlU+Yc7/qVAsvo
7d1O7/d8t4Eazz5qoiCQkgmLgcaHxZu5VwlcRS9CD9GyPb9c3PfweebTA+xDjCXd
bzwawx5qKfydGhaXF/jjue+qejHmfkcJWa2bAGjspssLqb68Agdo/118ihXEkipr
KNfnMbXBf7DiIWAxiwsn/auoOWGRxI5IdpqTO7aLHIWF5QG9joPi1rPpJXVBTi1e
/6cY6m6/ePA9O/MV61X4zt6+jGdUFGp0db0nITpMv8ZORFUCBTw1iU1XRKqejqt6
/dYb1BTSy5vSUUkjV5isrvXsZd4ZEXzC8xvdu4PyXfIUXDJrCR4N/bLCup6C0r82
7goPw1Lxlr1nPN5A8rzABFrRgcWiiQNs0s82qbE+bf/ZLDXkjK62dDg9ziKE5mQ6
sXQOBZYIYrdAXLs7SRHcPXyWgCZKlps02jA1w0jWRJPXooeq34ce7N0BlkS6oSde
nH/m+EiYf3EFJtgIRcp+Wp3uXc2Se87fSs6GFK6FkHt496yZLY8UuFdXky1XQQJB
FsrPNJr9vuYz38AwACm7mylw7G1zn9WvIbBP83lA/TmlO/dhQiX/zgcILhA4lYod
ackLcmQlJCY1Oa9tVUIBAoIBAQDx5oJ/99xq0PC9zNBew9NTMqsDhLjNwEq6xdIe
RcXRlXubZVA7yTnQ6xRQsEyRU2538hq8ErVCngNMOrgS3iTiADIWhRLr0VBEe4rj
IGJGIXbrXNUE3tZvnn/OljNz08grzqsCRJSk2OYvCk/9W7v5gXNIkTXIpUO4TXys
s78BSGkg5k4AWv8i16PUrVblOTJgjCD2EkYrBWD4BazjlkbKNwGnbpEAjfgjuKmT
DyK4fJ+vHc1pjR+2QZyEy94CyVsSi+n9al90ydTzf6kzIPBaYTjbp8edp8Z3dZKL
fyUaQoZ1a+bEBxBQp0qVsFeOCUhMSq65cwt4je2W4TLLmyOhAoIBAQDWRx0nkmIa
zQpsyr7ebpUJ7i973gw4qynnMrWQYlRq7TgGNoYBKmPe/3d+PBBjTsTWT7q8AdFD
KAENEaWM+FzGErR3bu3sR1Flo1aF02mA6p4BEcSVX25PDsBdzBEg5CwVn+pHf1u4
4GpXlmLhd3HiSzXOUPKrRRhzJHm3GKqoCRIW00eFllPI4vr/4kpgh8V/l4JpKZow
/Sx882EjtxeGC14xKm9y9MF56oajxrPqxu574tBlfTn4eXyTiW4BsTcLcuf+s/lz
R39Ky/FTY9P42QNHIlSX1tlXTe1gRc2qE3QlQYXcc2+P+yasiXNeEiAQFo63TH4I
pWYKmaiTxPb1AoIBAQChr76YhHbK2t+fLbA1N1UgLiTKlELmG9qXXrRkUaS4wt68
7oojfAvuDcMlb8Gt/YNAHw4pmaOYZH+1yyXQTrV+bj0MemQ8RUsOizk5OSMW1zVi
eklUGRJhxyKMVi8MA4mvZlM9j9N/IA8zcAQpR9CsJA+HeK/nbjeGkBx+XyKTW/AQ
8n8+k5QnmNVDyZzkWEfI6sD5WRuXk9/NyBVYhdDJRt0PKcM4CKzMS5jk1+AQShR9
+0CahZ6lttNEm/PIDwiVq/l5zkkBigqRu0nACAs/je5wO4QcZ9ErdeW+4fxNwhuX
jsjPTB1mm3sp9JWBNckiXWTORgxrxwoAqIPIPekhAoIBAQCt5TSR4shfO7uUIs3X
siKd1oEOo1uDudTd3lde/43G4REwaZtC4uX+GZEeDxy1mz0/N6Ex5r+vIo4HzyRt
TTntPUzcCFhqAk7ajz4uiS38A2uLLqI9Hx9kZXJULMJR0Rq9yfPVZlRHq0hiIJfK
pqbzoVnfP+5QdFitSRLGNux4RjQ59ej7Ts5cH2jXtQvrXwQ20fxx3+NUkoJCPTm+
RF6A2ETu3aNoxZ0mleAClcV5aUwtmhrJ4mDjd6RUD5oJIYqsbeo82E4+8e0qBGyq
4j8qmuOAHSpNt3zWz1UvZjbMKdF+UriR+dS2Inp2V24bD9aZd9UGiLtXxPMU8zLO
CXDpAoIBAEycsfTcArULdH9q8mDEM+PiTr49kNL9X7UYDLziNTuU363jcYQ/iXDp
gAdL21caMhcV3C+iAjSb70HwXu6NKEO7Lb703OtgTWHZE9kFssRlA91VSw3X5fCT
I88MqRzFDsdrE9tUlDbQ2S3GP18PuMhLFJdPuZ4whdqiQMfnQxD25rG/Gi8eypz9
J/t/LhciIJxaaBaT5YU/t0KGEAlsSrpuPN3sSq7iQYrrUKQY2Mghy4wKP1qwLhLX
DEr1HZ3gfTZcdvk5ftkGvy4QP6rNRMNo/74l1yp+vAUf/4uA1Wu9QWOJfFOVvfV3
bPlsxOijJGo9JSDH/en3wE654P52ygY=
-----END PRIVATE KEY-----

0
etc-template/kopano/kweb/.kweb/.setup-done Normal file
View File

137
etc-template/kopano/kwebd.cfg Normal file
View File

@@ -0,0 +1,137 @@
##############################################################
# Kopano Web SETTINGS
# Site's host name.
# Full qualified host name. If set, kweb provides HTTP/HTTPS for this host
# including automatic ACME CA TLS and Content Security Policy generation. If not
# set (the default), kweb is available under all names and does not try to
# obtain a certificate via ACME.
#hostname=
# ACME CA email.
# To allow automatic TLS via ACME, the CA needs an email address. Provide your
# email address here to enable automatic TLS via ACME. If tls_acme_email and
# hostname are set, kweb will automatically manage TLS certificates unless
# explictly disabled by other settings.
#tls_acme_email =
# ACME CA subscriber agreement.
# Set to `yes` to accept the CA's subscriber agreement. If this is `no` or
# not set and kweb is otherwise configured to use ACME, kweb will log the link
# to the CA's subscriber agreement and then exit. You have to change this
# setting to `yes` to use automatic TLS via ACME.
#tls_acme_agree = no
# ACME CA server directory.
# URL to the certificate authority's ACME server directory. Default is to use
# Let's Encrypt (https://acme-v02.api.letsencrypt.org/directory).
#tls_acme_ca = https://acme-v02.api.letsencrypt.org/directory
# HTTP Strict Transport Security.
# Value for HTTP Strict Transport Security response header. Default to
# `max-age=31536000;` and is only used if hostname is set. Set explicitly to
# empty to disable.
#hsts=max-age=31536000;
# Bind address to bind the listeners.
# This setting defines where to bind kweb http listeners. By default kweb binds
# to all interfaces/ips since it needs to be available from external.
#bind=0.0.0.0
# Web root folder.
# Full path to the web root. All files below that folder are served by kweb and
# the path is used as base for otherwise relative paths.
# Default: `/usr/share/kopano-kweb/www`
#web_root = /usr/share/kopano-kweb/www
# Port for HTTPS listener.
# When TLS is enabled, kweb will serve the TLS listener on this port. Defaults
# to 9443 if `hostname` is not set and `443` otherwise.
https_port = 7443
# Port for HTTP listener.
# When TLS is disabled, kweb will serve the listener on this port. Defaults to
# 9080 if `hostname` is not set and `80` otherwise.
http_port = 7080
# HTTP/2 support.
# Set to `yes` to enable HTTP/2 support on all TLS listeners. HTTP/2 is enabled
# by default. Set to `no` to disable.
#http2 = yes
# QUIC support.
# Experimental support for QUIC. Set to `true` to enable. Default is `no`.
#quic = no
###############################################################
# Log settings
# HTTP request log file (access log in combined format).
# Full path to log file where to log HTTP requests. Not set by default which
# means requests are not logged.
#request_log_file = /var/log/kopano-kweb/access.log
###############################################################
# TLS settings
# TLS support.
# Support encrypted listeners and automatic TLS certificate creation when set
# to `yes`. Set to `no` to disable all TLS and listen on plain HTTP.
#tls = yes
# TLS certificate bundle.
# Path to a TLS certificate bundle (concatenation of the server's certificate
# followed by the CA's certificate chain). If set, the TLS listener will use
# that certificate instead of trying automatic TLS.
#tls_cert =
# TLS private key.
# Path to the server's private key file which matches the certificate bundle. It
# must match the certificate in tls_cert.
#tls_key =
# TLS protocols.
# Minimal and maximal TLS protocol versions to be offered. Defaults to TLS 1.2
# and TLS 1.3 (`tls1.2 tls1.3`).
#tls_protocols = tls1.2 tls1.3
# TLS self sign.
# By default kweb creates self signed TLS certificates on startup on if ACME is
# not possible due to missing settings. If set to `yes`, ACME is disabled and a
# self signed certificate will always be created. Default: `no`.
#tls_always_self_sign = no
# TLS must stable.
# Enables must stable for certificates managed by kweb. If this is set to `yes`
# and kweb requests certificates via ACME, those certificates will require that
# the OSCP information is stapled with the response. Defaults to `no`.
#tls_must_staple = no
###############################################################
# App settings
# Default top level redirect.
# When set, top level requests `/` will redirect to the configured value.
# Not set by default.
#default_redirect =
# Legacy support.
# To make integration into existing environments easier kwebd can act as a
# reverse proxy to allow serving requests Kopano WebApp and Z-Push running e.g.
# in Apache or Nginx. Set the address to the legacy web server here. Not set by
# default.
#legacy_reverse_proxy = 127.0.0.1:8000
###############################################################
# Limiting settings
# Rate limit tate.
# Limits Excessive access to services. Requests will be terminated with an error
# 429 (Too Many Requests) and X-RateLimit-RetryAfter is added.
# Format "rate burst unit", Defaults to "100 200 minute".
#ratelimit_rate = "100 200 minute"
# Rate limit whitelist.
# Your trusted IPs (comma separated). Defines the CIDR IP range you don't want
# to perform rate limit. Defaults to `127.0.0.1/8`.
#ratelimit_whitelist = 127.0.0.1/8

36
etc-template/kopano/ldap.cfg Normal file
View File

@@ -0,0 +1,36 @@
# See the kopano-ldap.cfg(5) manpage for details and more directives
# Select implementation.
# If you have any reason to override settings from /usr/share/kopano/*.cfg,
# do so at the end of this (/etc-resident) config file.
#
!include /usr/share/kopano/ldap.openldap.cfg
#!include /usr/share/kopano/ldap.active-directory.cfg
# List of URIs of LDAP servers to use. Make sure that etc/ldap/ldap.conf is
# /configured correctly with TLS_CACERT when using "ldaps".
ldap_uri =
#ldap_starttls = no
# The DN of the user to bind as for normal operations.
# When empty, uses anonymous binding.
ldap_bind_user =
ldap_bind_passwd =
# Top level search base, every object should be available under this tree
ldap_search_base =
# The timeout for network operations in seconds
#ldap_network_timeout = 30
# ldap_page_size limits the number of results from a query that will be downloaded at a time.
# Default ADS MaxPageSize is 1000.
#ldap_page_size = 1000
#ldap_membership_cache_size = 256k
#ldap_membership_cache_lifetime = 5
# Use custom defined LDAP property mappings
# This is not a requirement for most environments but allows custom mappings of
# special LDAP properties to custom MAPI attributes
#!propmap /etc/kopano/ldap.propmap.cfg

28
etc-template/kopano/monitor.cfg Normal file
View File

@@ -0,0 +1,28 @@
# See the kopano-monitor.cfg(5) manpage for details and more directives.
#server_socket = file:///var/run/kopano/server.sock
# Login to the storage server using this SSL Key
#sslkey_file = /etc/kopano/ssl/monitor.pem
# The password of the SSL Key
#sslkey_pass = replace-with-monitor-cert-password
# in a multi-server environment, which servers to monitor (default all)
#servers =
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3
#log_file = -
#log_timestamp = yes
# Quota check interval (in minutes)
#quota_check_interval = 15
# Quota mail interval in days
#mailquota_resend_interval = 1
# Template to be used for quota emails which are sent to the user
# when the various user quota levels have been exceeded.
#userquota_warning_template = /etc/kopano/quotamail/userwarning.mail
# Templates to be used for quota emails which are sent to the company administrators
# when the company quota level has been exceeded.
#companyquota_warning_template = /etc/kopano/quotamail/companywarning.mail

30
etc-template/kopano/php-mapi.cfg Normal file
View File

@@ -0,0 +1,30 @@
##############################################################
# LOG SETTINGS
# Logging method (syslog, file), syslog facility is 'mail'
#log_method = syslog
# Logfile (for log_method = file, '-' for stderr)
#log_file = /var/log/kopano/php-mapi.log
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3
# Log timestamp - prefix each log line with timestamp in 'file'
# logging mode
#log_timestamp = yes
# Buffer logging in what sized blocks. 0 for line-buffered (syslog-style).
#log_buffer_size = 0
# This setting will make php-mapi trace how long each MAPI-call
# took into the selected logfile.
# Make sure that the file exists and/or can be written to by the
# apache user.
# php_mapi_performance_trace_file = /var/log/kopano/php-mapi-perf-trace.log
# Enable debug output for the mapi extension
# Bitmask:
# 1 = Log start of a function
# 2 = Log end of a function
#php_mapi_debug = 0

11
etc-template/kopano/quotamail/companywarning.mail Normal file
View File

@@ -0,0 +1,11 @@
Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
the size limits set by the administrator.
The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limit:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded this warning message will be sent
See client Help for more information.

11
etc-template/kopano/quotamail/companywarning.mail.dpkg-new Normal file
View File

@@ -0,0 +1,11 @@
Subject: Quota of company ${KOPANO_QUOTA_COMPANY} has been exceeded
The size of the public store for company ${KOPANO_QUOTA_COMPANY} has exceeded
the size limits set by the administrator.
The public store size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limit:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded this warning message will be sent
See client Help for more information.

17
etc-template/kopano/quotamail/userhard.mail Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

17
etc-template/kopano/quotamail/userhard.mail.dpkg-new Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

17
etc-template/kopano/quotamail/usersoft.mail Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

17
etc-template/kopano/quotamail/usersoft.mail.dpkg-new Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

17
etc-template/kopano/quotamail/userwarning.mail Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

17
etc-template/kopano/quotamail/userwarning.mail.dpkg-new Normal file
View File

@@ -0,0 +1,17 @@
Subject: Quota of user ${KOPANO_QUOTA_NAME} has been exceeded
Your mailbox has exceeded one or more size limits set by your administrator.
Your mailbox size is ${KOPANO_QUOTA_STORE_SIZE}.
Mailbox size limits:
* Warninglevel (${KOPANO_QUOTA_WARN_SIZE})
- When this limit is exceeded a warning message will be sent
* Softlevel (${KOPANO_QUOTA_SOFT_SIZE})
- When this limit is exceeded you will not be able to send new email
* Hardlevel (${KOPANO_QUOTA_HARD_SIZE})
- When this limit is exceeded you will not be able to send and receive new email
To make more space available, delete any items that you are no longer using or use Kopano Archiver to move old items to an archive server.
Items in all of your mailbox folders including the Deleted Items and Sent Items folders count against your size limit.
You must empty the Deleted Items folder after deleting items or the space will not be freed.
See client Help for more information.

39
etc-template/kopano/search.cfg Normal file
View File

@@ -0,0 +1,39 @@
# See kopano-search.cfg(5) for more details and directives.
# Location of the index files
#index_path = /var/lib/kopano/search/
# Limit the number of results returned (0 = no limit)
#limit_results = 1000
# Use https to reach servers over the network
server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
# The password of the SSL Key
#sslkey_pass = replace-with-server-cert-password
# To setup for multi-server, use: http://0.0.0.0:port or https://0.0.0.0:port
#server_bind_name = file:///var/run/kopano/search.sock
# File with certificate for SSL, used when server_bind_name uses https://...
#ssl_certificate_file = /etc/kopano/search/cert.pem
# File with RSA key for SSL, used when server_bind_name uses https://...
#ssl_private_key_file = /etc/kopano/search/privkey.pem
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 6
#log_file = /var/log/kopano/search.log
#log_timestamp = yes
# Number of indexing processes used during initial indexing
#index_processes = 1
#index_drafts = yes
#index_junk = yes
# Prepare search suggestions ("did-you-mean?") during indexing
# This takes up a large percentage of the used disk space
#suggestions = yes
# Should attachments be indexed
#index_attachments = no
# Maximum file size for attachments
#index_attachment_max_size = 5M

121
etc-template/kopano/server.cfg Normal file
View File

@@ -0,0 +1,121 @@
# See the kopano-server.cfg(5) manpage for details and more directives.
# If a directive is not used (i.e. commented out), the built-in server default
# is used, so to disable certain features, the empty string value must explicitly be
# set on them.
# Space-separated list of address:port specifiers with optional %interface
# infix for where the server should listen for connections.
server_listen = 0.0.0.0:236
server_listen_tls = 0.0.0.0:237
# server_ssl_key_file: needs key and certificate
server_ssl_key_file = /etc/kopano/ssl/private/server-key-cert.pem
#server_ssl_key_pass =
server_ssl_ca_file = /etc/kopano/ssl/certs/balusign-ca-chain.pem
#server_ssl_ca_path = /etc/kopano/ssl/certs
#server_tls_min_proto = tls1.2
# Path of SSL Public keys of clients
sslkeys_path = /etc/kopano/sslkeys
# Name for identifying the server in a multi-server environment. Need
# not be a DNS name, but this name needs to be present on a LDAP
# kopano-server object's cn value.
#server_name = kopano.server
# Multi-server
#enable_distributed_kopano = false
database_engine = mysql
mysql_host = mysql
mysql_port = 3306
mysql_user = kopano
mysql_password = zAKt(85&
mysql_database = kopano
# Allow connections from normal users through the Unix socket
#allow_local_users = yes
# Space-separated list of users that are considered Kopano admins.
local_admin_users = root kopano
log_method = auto
# log_file = /var/log/kopano/server.log
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 6
log_timestamp = yes
# Attachment backend driver type: "database", "files", "files_v2", "s3"
#attachment_storage = files
#attachment_path = /var/lib/kopano/attachments
#attachment_s3_hostname = s3-eu-west-1.amazonaws.com
# The region where the bucket is located, e.g. "eu-west-1"
#attachment_s3_region =
# The protocol that should be used to connect to S3, 'http' or 'https' (preferred)
#attachment_s3_protocol =
# The URL style of the bucket, "virtualhost" or "path"
#attachment_s3_uristyle =
# The access key id of your S3 account
#attachment_s3_accesskeyid =
# The secret access key of your S3 account
#attachment_s3_secretaccesskey =
# The bucket name in which the files will be stored
#attachment_s3_bucketname =
# User backend driver type: "db", "unix", "ldap"
#user_plugin = db
#user_plugin_config = /etc/kopano/ldap.cfg
#enable_sso = false
# Hostname override for Kerberos SSO
#server_hostname =
# OpenID Connect Issuer Identifier. When set, the server attempts OIDC discovery
# and initialization on startup, using the configured issuer identifier.
#kcoidc_issuer_identifier =
#kcoidc_initialize_timeout = 60
# Skip creation/deletion of users for testing purposes, instead log it.
#user_safe_mode = no
# Multi-tenancy
#enable_hosted_kopano = false
# Display format of store name
# Allowed variables:
# %u Username
# %f Full name
# %c Tenant's name
#storename_format = %f
# Loginname format for multi-tenancy installations
# When the user does not login through a system-wide unique
# username (like the email address) a unique name is created
# by combining the username and the tenantname.
# With this configuration option you can set how the
# loginname should be built up.
#
# Note: Do not use the = character in the format.
#
# Allowed variables:
# %u Username
# %c Teantname
#
#loginname_format = %u
#enable_gab = yes
# Whether to hide/show the special GAB "Everyone" group that contains
# every user and group for non-admins.
#hide_everyone = no
# Whether to hide/show the special GAB "SYSTEM" user for non-admins.
#hide_system = yes
# Synchronize GAB users on every open of the GAB (otherwise, only on
# kopano-admin --sync)
#sync_gab_realtime = yes
# Use indexing service for faster searching.
# Enabling this option requires kopano-indexd or kopano-search to be active.
#search_enabled = yes
#search_socket = file:///var/run/kopano/search.sock
#search_timeout = 10
# Disable features for users. This list is space separated.
# Currently valid values: imap pop3 mobile outlook webapp
disabled_features = pop3

53
etc-template/kopano/spamd.cfg Normal file
View File

@@ -0,0 +1,53 @@
##############################################################
# SPAMD SERVICE SETTINGS
# run as specific user
#run_as_user = kopano
# run as specific group
#run_as_group = kopano
# control pid file
#pid_file = /var/run/kopano/spamd.pid
# run server in this path (when not using the -F switch)
#running_path = /var/lib/kopano
##############################################################
# LOG SETTINGS
# Logging method (syslog, file)
#log_method = file
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
#log_level = 3
# Logfile for log_method = file, use '-' for stderr
#log_file = /var/log/kopano/spamd.log
# Log timestamp - prefix each log line with timestamp in 'file' logging mode
#log_timestamp = 1
###############################################################
# SPAMD Specific settings
# The dir where spam mails are written to which are later picked up
# by the sa-learn program
#spam_dir = /var/lib/kopano/spamd/spam
# Location for the database containing metadata on learned spam
#spam_db = /var/lib/kopano/spamd/spam.db
# Learn ham, when the user moves emails from junk to inbox,
# enabled by default.
#learn_ham = yes
# The dir where ham mails are written to which are later picked up
# by the sa-learn program
#ham_dir = /var/lib/kopano/spamd/ham
# Spamassassin group
#sa_group = amavis
# Header tag for spam emails
#header_tag = X-Spam-Flag

30
etc-template/kopano/spooler.cfg Normal file
View File

@@ -0,0 +1,30 @@
# See the kopano-spooler.cfg(5) manpage for details and more directives.
# Outgoing mailserver
smtp_server = postfix
smtp_port = 25
# Server Unix socket location
server_socket = https://zntrl-server-1:237
# Login to the storage server using this SSL Key
sslkey_file = /etc/kopano/ssl/private/system-key-cert.pem
# The password of the SSL Key
sslkey_pass =
#log_method = auto
# Loglevel (0(none), 1(crit), 2(err), 3(warn), 4(notice), 5(info), 6(debug))
log_level = 6
#log_file = -
#log_timestamp = yes
# Dump raw messages into specified directory before sending via SMTP.
#log_raw_message_path = /var/lib/kopano
#log_raw_message_stage1 = no
# Maximum number of threads used to send outgoing messages
#max_threads = 5
# spooler Python plugin framework. Disables threading.
#plugin_enabled = no
# Path to the activated spooler plugins.
#plugin_path = /var/lib/kopano/spooler/plugins

106
etc-template/kopano/ssl/certs/balusign-ca-chain.pem Normal file
View File

@@ -0,0 +1,106 @@
-----BEGIN CERTIFICATE-----
MIIJgTCCBamgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMDQwNzA5NTIx
MFoXDTMzMDQwNjA5NTIxMFowgY8xEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
ZTEiMCAGA1UECwwZSW5mb3JtYXRpb24gU2VjdXJpdHkgVW5pdDEcMBoGA1UEAwwT
QmFsdVNpZ24gU2lnbmluZyBDQTCCA+IwDQYJKoZIhvcNAQEBBQADggPPADCCA8oC
ggPBAKeU5NqQjKgTDVUYWwJanWyDiOLR7RyobQeFAVeGogwZQ/hOy+INl5VAps+7
7YB6PnjXOa6tCFdJW+tQaXJxqsdU51W4LE6Iq5BpWGx9ltnqDcksXww7iIdHgblv
4db0ErZM3CogOF3Sr2jYo28OmpqsEFMrbvJ2FDxgBG4/NIGUIqZumY8Aq9JyqA2a
8yOKPiFyjeiABlNdyvoGNF0RnzxOeErO2loKtUuW5hfLxnUvzin1WnVtipEy1TOd
E/eRoBfUpexyUXH2/DKw9CvH/ZGGz8oApe8SWSJlO4xSOgxONkuaybs+VzaMxtPU
ACeeyOILVbQ25BhWSVOW9CfcUeQwqf7pViCUPx7kBSR/RpiLN1JGpEACW6B1D4wy
OsOq55I0qSou7lJSJtkplSSzS1OxbK+SW1yq/FdPOJvqMIB88OuvrKlve4tDG7tQ
hfbGrLnF0BKcBE3H2qkkujQ5zULptX1WpklBDnPvxcmlCGwW0XzrRHpOPQDTPbkh
pH4a4Sph2rWFK7A0Qft8j2eMis7D1Wc30miV4DFYekQc5C3PernGwci3BM7qX4Xt
5oNbjMk53N2VB5MjT1aVLWlW66+M9vPZ9Y+VCTfSs0p+rUwtyLoYPKulQRhg7zcS
im6VnQatsiPZM6ssUNFu3602f6E6t0wdIOr1/WAuaIN0WWMWATkPhJ6tpcRSbu3e
PpOwSbjbwxEPfk5q73xyJZ63XCfFAKihK2KpDOM2D2n0QhKyWOBa5Yw9BZaouSQz
kBVFYYLm26wfOwvUKwLXX76BDOW33YO61EwV5Jswwp6L+x4Jn6CD4oloBR35ix9t
aFXTmKA0zoRgrf7SiV38O6GCK3fIxGCz3YC3WRBWoZ519fM7YqqtG71LFPr5cTa8
EU2QAxizw82Rp0e06yWCFGbfq+8eJB4r8f4+NM6Nqc/4IZZVcmMX3k/R9bOXw7L9
7HI68QIa34KhQs9KFHUedr5QDS5yU2Ts1mpgzAkCvNqVYGbovm19OTwglDCrb6+i
KQ29wi1CK9VJUSJx2RaOufh9COndNi640clgSWqClLPChCyhgosuwVPFOQYko6Ez
nWl5LCvnLh3ieAqVys61t98ll9ueoVyD4HIcseuu9+h7xh02i/SVpD34CZlNwT+u
BkhSzCoVoj2yp5RZeJFSqXT/99avmbI99O5RGxpTzB3MtADrX0zD1LK2jzvumRrv
HIPGfB8TTl6aN1dDZ7aA67SnI7cybxhja+52DECwWCnxXx6MTM86/0ZNG6hZe/wu
SQ3Q0QIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
ADAdBgNVHQ4EFgQUypuBBCYN5ViDw4UBxZtTxzBXbBAwHwYDVR0jBBgwFoAU+o8o
2baOIFDraC5/jXb/T0MRzrYwDQYJKoZIhvcNAQEMBQADggPBAKK6zoKmVe5FxVaP
85TgjvbVQWZdaejlma9xZuSJPxicHuaEjuSrcthaqQ6rhdccLcniuY3+heKAjKqU
fdGzOhjwyfAGFjP/xd/xb4c7eh7EQ/NnYPM82Miiw1pd4sA+8hJnDoLlK1dO+SAw
5N0UrJLl+N33DT95fjykxNysCOxPSnNihKI86QlkpCUJ1GgupoRFRNJ7ditW8Fcu
vWfZw3GSwWQNFAzBL0/xbiVh1/mZRnaKRK8APVT70M40UtIzu/Rr8D9TfoyDzuy5
pkjQXhclz/tuctnvkwOEwmeOYHtozdg4SZlePJ4hrUkLIwgEcN1xk4XueioTT5+d
VouUg6kg7YdpRiJH4PvLudUnoGs8+277gQZIyQgMoF0iR9IYXMBcDcaOnb6fcmKD
Pxiu395c0a3alnugmkqRoJboiGFPbU0BUOXTV0uRLkXVFSs5FSccfUGrnPP+Kk73
ePfOLVazmsiSF0J+k0ngh9U6I067FdAEqEFyqLj7nLT9B8Wd6YR1mCFzPUNg5k70
pXeyap1Y+kW03+bsw/uakqTSf6aCFa+vXwyHoMsC1Pb8hCRtYh/FisON9IcGe0em
A3JAwoiwLyAQT94/fNm+kf7LiM+lQP0Odj/dos9yBBqu5oZ2J0f+AAGpOqOy9zez
hC8lEtn14y9QMmEoEHUdNPMIHS3W859ejF+tmZ+rpfLgL1VHmiv162gw0tRz1hX7
NDNhqlNNBygC83hi+BzHLgfZIqTumRVIQulwzyhX6tqtG4TGvxQ3MXluKH2RA9Yk
SM2Shm8l6RVaadA0gGmfmd97WVnd0jUJXFMpZSZCsLuI9PesTkW59cIloVvl6AXM
csVJqGCiuElHZDAjGmGvHJJEnnckZCTC0czaoRSEN8GmDCWnewPn7VAUTR+Qv30G
26yVOQWcNr7h8I7dkXEF9DfJRz/5p3+Tu0T7HCi8vwz4dAaB4YPm1Zl5TZSIF8U5
TgV15BFN1nXSyLLdZsn1wcGjjFKR22kdyKonZjh2M+9ZGHDLAhY5abHzvK08d1av
NvgPcddVAJCWxgabjdrA/gB4GDeNRSLYWPmvb5O4H/FfYteAVbbasoSmc+4zhv4D
ZXsQvYwuyLuv6dDIlGeiHM8+u1wSP2Dp8PdE1E0xSg0kYp8AmwCTsjoKowMH8A7A
wm/eGWZED2yoZLmIalE1ps76kfBBzNbJQMyioE0nrfU+0RF/RSAv/AzH6fz2pTta
9lzdU5OOIo4HNAwaHyxla5gW6P0N+i1mUAq/z7ZLVrI7DvuRww==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIJfjCCBaagAwIBAgIBATANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
Z24gUHJpdmF0ZSBTaXRlMRUwEwYDVQQLDAxQS0kgU2VydmljZXMxKTAnBgNVBAMM
IEJhbHVTaWduIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTIzMDQwNzA5NTA1
OFoXDTMzMDQwNjA5NTA1OFowgY8xEjAQBgoJkiaJk/IsZAEZFgJkZTEXMBUGCgmS
JomT8ixkARkWB2JhbG9naHMxHjAcBgNVBAoMFUJhbHVTaWduIFByaXZhdGUgU2l0
ZTEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMSkwJwYDVQQDDCBCYWx1U2lnbiBDZXJ0
aWZpY2F0aW9uIEF1dGhvcml0eTCCA+IwDQYJKoZIhvcNAQEBBQADggPPADCCA8oC
ggPBAOWJ0SL/yhWvkUlqKyAvDKKa5BFEAgUci1LYMUya0nm1SZZCg5J/PCr459LQ
pLfzQCRKZsLlx3EDxvsw6hMtFzGKIUGVtEkNpxWcbKZhhln0jScdsyyVrdbYSXp3
BwXtP2iC843Mk6vSSl7VKDmLAellR8Z3W3mjb6LXOBx3imitFNUDZpKv2jBrvHiv
XeLcym6KuQ8EWZKGZNYUCrlQCpvbuAaHKF1C7KlKhR1LRZl7NcvFvnlrl4uUopSt
TsZcK3Kb6jaiYr/19RNxDy/4GXbTsCtC9/lpo42iPm8KzNlTapZ2zGbmDeCzveDg
N9NWNXyO5mYpnkFXTSEkmiwIdyWVLcomvyVKW0cyTUcET1s1D6NZokqvjolscyno
Ff8Ez24IWbfRxT+OFHSqJwSHc7rXPGftoB1KBP7UP2K1EYYnC+vxDejRkdC0IFuv
KrzonogkDDaJb6A0+hWSBSGMQpKfCbayTkU8nBzo8ilSM9S+dW0SIbWkptNdXZqL
AQjT8hJe3vGejGXyGC7zLd0kEGBz098+JpbZLVyStakpJcn0HkZzUjxh7DSS3vtp
3QV5IUZ4jBxp5/lRvCQ/Uz0re4KSXPXOMpEQwD1Ay7uPzADXv0ibMFfE22PT80fr
r1YsJjT01C0QUbM4j++1w2kVara9wRaa/x2eEpCDHRRbvtNZ8K4YxqXxhoc7POOo
X3/w9keXobo4BmH9uV2t2twg/lHiyBrQfSfsAr2+3/5Tt/pv6wuVCVJcxwFSm0ey
ighWD5WUAvMvShFkGr8D/tyTulq33IySbh7tZFj40Fh88TD2Z1VWFWK+5OHWjsK0
GSuOANw8Mj5Seq2RH8CkbrALok547YGLfls7pw4PTXkW/rmPallQLLLs8VT6MDwg
SPk6sIMVOFF6rq9q5QV8EQliSYQ/vS4rh0qAG0zltaoWS40rTPsOGBJCftDOJFJp
06XuLTyKrFRtCWP6dSuh+ju6EGTYk0rcBLeiKhFptB9HZtwE5Cd1khysfE3pDMiw
ksGEjMnzhbLuTeBH9QlcYLZWqmH9ZK35qZ9cKvsHf0jlHYZOASnEaPX8CXhGWXKn
skzOq4ihc6gZXKlSjX9Mglkfzru6hwg8f4i7L20wySrl/HOc8kuPZZ/UqLulBCI2
yr6TKlvJXu5BkRUJZ0EGnpRCLaxWiNah+DcpbKeoHVIj5Z9Xq5p78N+d4LD9dKw0
6VwcH74LJDT4jHVKu2zTuqyKTWw0jitqWjeexxPbeZTV4KBiIDYMEYVsr/Swx+u7
4dU8YQIDAQABo2MwYTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAd
BgNVHQ4EFgQU+o8o2baOIFDraC5/jXb/T0MRzrYwHwYDVR0jBBgwFoAU+o8o2baO
IFDraC5/jXb/T0MRzrYwDQYJKoZIhvcNAQEMBQADggPBAAjgeEvyz2I/ZW81OIl2
VsEMLuxq7GnCXabsKTklhHygjHPs1hr5/pn9fWo8pSSQGAOBFL/EnnHW+qYvzswY
XSzIBVi2j7oUDRL2T9t3pBi0gNO9LYhAhSExocN9KStqQlxHZ5ei0QTbWCA6uArk
lcwKhAihV7GvbPGYfRPSg95a/UXwyGAY8IffEL4J9Qn2LtyT57izErP3uPW8d3w7
bNe2+Yqzd69Nk2CzSvIqtMSOoEFzTgvmzVoQdU9pi7zulkQYxIFmWvXxUnO2v+Jc
exZ/CsJzCJBP8eQGY+5FUsunncnm16VS7bHoD5ZtWFcXsiM8xTt6mt7lMbjSl5px
7N+FUPJHOpokXyX3Y/JK0KJCTcuJtyoZK81uJN6tgRaNN7GXn3Mlg0cmsG4d+Fib
zxNAyhgtX6P0SpIfWLNBpdDWyjl6BnX4A7UtuH3eIEbYlms/kTm2ty0xJQiDrZkT
yc9xNs+k9C8XKmPEnDK0BSObMmyEIz+lox32GS6vbNq18jLsjs+jk/1Zs72XAdNK
AlU7+DrgbE3oulqKjTMqruuG/8WoF9s70ds1WUYwBGXzbjq6zR1xWb+vNGQ9ePpP
KiTdJIPg0GO25MrZPVsHURsrFVTgdB5qfRj6RhDRrdMXuZ/mWMCetRd1EETzRIO0
GgkGFHUFAWwiQDkmJYLrGB5t55Nq2JetAvwiUZuco8krUUQXcUu+sFrNjencctnX
MHWYRERKMOB/eqhWdeTG04c94nV8BlpHAT3Iee8FfWA4zm0RxVreXICNOCPtxNXH
aSEsgWBWw8/Zmk6VCEhuX6CernSmyqUc6PzREZRHFZD18lTRL5JxjXdm+qh8Nrxt
puj2FaXSotGQZywm8hmqMU8hCti3m93FQDpcsgoSqiilmnLRIAWXVrSKRlXXTxKs
Lpq3x9ZoARYbLEyxhRTdoMeU95OE64R1c6mcCcWPu53v59wYKmVMBOi4blTAXFn2
9KEbwtgDcAdXTn6SGAOvrdibEG2GnBhTw689vJfC7Z2imGoDxwMKToCnK9tgwAwO
/lv7oKpnA3GxzYojGZcKMGGGlfKFftZd36X/NZDmn9nmIGCqR0P04YWoX3utJOJH
03bK11O62l9DQNEJSQ5Zjow5HMuhxTfhka4I0edjsoIekxePAR11riIHpfwLQWmF
OybPqyC9MHzTLzSsISdZV1SDRQzCfpGbRtQSYAPF/T/hr2E2g+L+1tduQ07LICB0
+yKYtwF1rXkWwD4NvVYrk94fTCBPHK5SaMol8YlPer1ZUw==
-----END CERTIFICATE-----

350
etc-template/kopano/ssl/openssl.cnf Normal file
View File

@@ -0,0 +1,350 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)

81
etc-template/kopano/ssl/private/server-key-cert.pem Normal file
View File

@@ -0,0 +1,81 @@
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDD8D6c+I14MM0k
1Qj7wegQ7SutYDWXSfpLSQXp9RuB3ZKyjU9c0J4wilkK00Y7gdIKZN8tMlF2rQ3F
Uwvn9uewq5k3pe2tE4v+Oooh5F9aNttTHOeRHTkgAkvcqyHPpCV8yO0a8t7elSzx
dY3BBkIruO/zpvouhoYWXpdGxS+ctU/XlGFyWEUQkwVCPPreiDd3EP1h8idMikiD
i4oKAYOa/xY/YKr29mp8rXK8xYn5xTV2xn62gLK1FB2g5l/XJt9sQY+g4Y04h8V8
gYwSLLHBIbg6CCxK6kqY6qEgSMQ9y4swQ1q4R0adlN3gai5rFLeWcFnXVL4XCjoI
A2GKFKDro/0/i2STQVi4+Hyyh6n3yfAm6PN5WX8FiVRRCCxf+kxqHJgpM8etqNyf
fuADs49p8hc2efsTF8weCq4V3V0OyKU87GP1pKEfbERwJwE25C+V9Vp3Yi+3G8c3
PU89qK/xTiCKZMK7Zsgmi5ROPBBVaM31GOcjS0YnErnvBc5LqGsCAwEAAQKCAYEA
hwpdHPJxDhUUTf5FYr4RoxjSsXtNdCeYSaraWJSFkMuU/1pFCEL/w5SWKc/S59Bh
YqiC6DN10cUTaJwD6KtSo4Cg6KmDVXXTVjQiX5l13kdQgce6EVmCtXzfrAaGFwWa
kJYqVBhvYhiOERxjxlT55ghf2B2M7+PnJiOrPytH1Ulg7cNmJdiQQQwS48QDYrue
/oDHIWozi50CvSa+zIaenYSRYLzPF8ZdPfCM022R2oMAhgvn6QBqKkLi6LHd+/rd
azKksg1Gzhq2TzJohoVsvvmJsRBJansobr40WcUNUCvg8VsCp39GEEjb9Purkwkl
l2klq/dbvtiI011DtUyQi/zpcVaQykllm5bNTpVIm7waTz6BtaOnAGWJpIw8TtFh
ri2VM2e1XTlQbxzohIzqk1W3vJkxXnK4uWG5XDuhcKkRmAb4sEZ6KIr3KKMsiK6g
a9Rc+xcoVnC+N2nDUkMZHIhutgGBKX2qOqpkxRpIfXdxLEZPTjXaNR3g3ypdNtcB
AoHBAPZH+p+d1ias+7ZzY8nTiB2bUwyXWGq0awt7mwj3cmucxqXKAd7QUnwAR8vm
i9bNqZixKR8Y/kNC0aBwoWwROPC3AisRkHovYSF2IX+5kkvE0Q9zhNxe590e96Go
gB+oF1OVIu/6v3G/t2wB1Q2ebrj+gQ9T5wz0u3pO0XXRe1ZT08Dse/Z2t4RyCzIL
c/eq/PJE0cSfEvNDUVFfOFIrlzk65wxjuPt6xEma8nyCQjcwSOFc73KaZQc61qGr
ibSDSQKBwQDLq691PN0XplkWn6kvJlx8xHbkM9Qtcm71OpdSNXCIftXJVzovJlmE
nPNQr1do52zX2SRyyVp/majnZxduW4R/P2GnM7fMv1rcuKAWaAhXND4hvycKUB/L
kzQXoGqIm+4tBdoO5BpAiwdovB2LC4Uq1CWxKf04FJsLgeY/zYEp149eqQb4M5ED
U0bTIg05oONpzmjfFUCZQ3DdNRXDdfVx98Y9+uvxcR4dNV+ffg7ptx833+dANsV+
j9njR5uMmhMCgcB3cs3BoOH+/CNRiIG7n9cC1RTgpH8DseHBPgAhxzI9s1o9is6B
bPS0o8YuxPDKDBHXtwVEyfB4Wu4lLLt+GJRPW9O3Y9t5B4XKnur8cdrc2Oa04chs
wbMfcieUxo7ty68UoN7DGhDEcMHbpr/YzSDSpM2fy4fipshPN+8rf6CcbCfmCEzP
ayDzIgUADsH+O3ZXYr2C6cxdJCdKmi5M3EuKPGFXhv5vKkoNkRNPBDZtYgPXGiYg
pXWenhD/dJ1jadECgcAb0TQiqBBuZXrvexkJZozlQZQXcPi+yE1dUwZN5Rycl+4t
FKvOuscpNKKK15fxrQIRrQesYdHpcZw/FrZ9jSRYmNiGlKq63TvUv6alyMmy12DR
DSGQ6AafsFhCDdffFqT+Izl4JTFstVBqvp6uWgFzKwyG2PxLx4yxkqlW94N3qohb
XmykQ66/rIUU2ybBQzcsQVPTfDyZcjudCt4RFzBRw4yg9H97N37scFjCGN6Cj09F
O2CDRbfNpGoW/7XAC18CgcEA3dlrXNY/zA3BMtN6HgxkrVrbIDd5BPkbfuhBTSb4
1KJNOsynbZPQ6ADlOVWEjKvJAapyffkgOXbPMSUCX49tTO2UGU+2zE+oegKdhIgc
OJse92htMDQTsXLBT+J5ujeqvGIoGVK7eXWJewBiaQAQE+hBqoXrusRbn0Kw8YPN
4kLhbUn9jU5asTcL22V2Z8M/ic833VqNCYmucGUUx6j6QQgfbYM+hsQ5w4MFwrae
O8ZUs6iTPyVgxAbBt2zFMH4I
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHTDCCA3SgAwIBAgIBAjANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
Z24gUHJpdmF0ZSBTaXRlMSIwIAYDVQQLDBlJbmZvcm1hdGlvbiBTZWN1cml0eSBV
bml0MRwwGgYDVQQDDBNCYWx1U2lnbiBTaWduaW5nIENBMB4XDTIzMDQwNzA5NTky
NloXDTI0MDQwNjA5NTkyNlowcDESMBAGCgmSJomT8ixkARkWAmRlMRcwFQYKCZIm
iZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNpZ24gUHJpdmF0ZSBTaXRl
MRAwDgYDVQQLDAdJbmZvU2VjMQ8wDQYDVQQDDAZzZXJ2ZXIwggGiMA0GCSqGSIb3
DQEBAQUAA4IBjwAwggGKAoIBgQDD8D6c+I14MM0k1Qj7wegQ7SutYDWXSfpLSQXp
9RuB3ZKyjU9c0J4wilkK00Y7gdIKZN8tMlF2rQ3FUwvn9uewq5k3pe2tE4v+Oooh
5F9aNttTHOeRHTkgAkvcqyHPpCV8yO0a8t7elSzxdY3BBkIruO/zpvouhoYWXpdG
xS+ctU/XlGFyWEUQkwVCPPreiDd3EP1h8idMikiDi4oKAYOa/xY/YKr29mp8rXK8
xYn5xTV2xn62gLK1FB2g5l/XJt9sQY+g4Y04h8V8gYwSLLHBIbg6CCxK6kqY6qEg
SMQ9y4swQ1q4R0adlN3gai5rFLeWcFnXVL4XCjoIA2GKFKDro/0/i2STQVi4+Hyy
h6n3yfAm6PN5WX8FiVRRCCxf+kxqHJgpM8etqNyffuADs49p8hc2efsTF8weCq4V
3V0OyKU87GP1pKEfbERwJwE25C+V9Vp3Yi+3G8c3PU89qK/xTiCKZMK7Zsgmi5RO
PBBVaM31GOcjS0YnErnvBc5LqGsCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMCBaAw
CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O
BBYEFBKiISlxH+ktQIPjAMBTsxskqkKUMB8GA1UdIwQYMBaAFMqbgQQmDeVYg8OF
AcWbU8cwV2wQMBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQwFAAOCA8EA
bUVsCWPSANeyHAtGERQxTRwwFcshva8MjrQjxuKhLcMCnVqUrLRZ9Yq7VsPlrGoq
vc5+zDnS0WU6PkdvsOElFcfRjvo80NueWrTSreBzAAwNDlGjRxJSw/jeRnaOOgN2
khqnQSi8w3VhlzVNwG2OrNzED0zf3Kp0oaAnaOy/55rS+xVKGydguwuCsZf3Pi3e
h1G4GuDjCoGbAKnSQPfXavGaRrDHPuNMmiqOFkC0eEMTT9z3vsqXVWYwWMt2PRtf
ASPauYRGpmh/ZWpfTAno4boTFIXC4xnKpQZuEBKwLUaw2/bAENhzesxe/DzjxUNK
2O6o+2NCz9phydOWovbe4k+ybvRXCZcZ0nbdcJb8WU2lq3ceht1jxwHObLkv1bV3
kJlxnd1pyw+wR83H+FkwCVODsvlJGbpThyRHtj3T2TCrPXqgJDHmva19r6p1YKXR
p7v6TljZ9FFYhu4tYCtN8O/xb6mF1BN6JpzADgiGreejClST1oEQToVZu06mPanv
mRVHuS4Em+L0KX0tV9a3WPhHP9dggxfYZ6HI258sXonnpZaKZRnYlaGyUVE6FDpF
qBzvKFxLGM2ttbd91CzeRqDXodG8ehYp5ed8e4mEbeT2JseLaUYMskYi6TVIIWll
YKouPCxcacyf570TPnqQog/YLkz0bZDYagOA1vtno6ViViDo541xQ4B6tVuVTLVT
n6NglRiSGo081ntmnt6t3AkU38kPP/GX55kq5naP+ydIUC0XU2ENLXFkZIR/1+Sj
zZt7rXDOmTR2QOb2LqlL+ucZahGNOoeFP4aP1gqgjnxzuVPakXt3pRaK1NAHO/Eb
117r06ueKfMXBeGanADT3Zjnoj5ep6Ti49MF8TTw75pT3nilbmMuvdfwtYIbD4kV
aDD1SP4wgnRBVavehaIVx8lN5d5py0gN/BjqqmFwqg953K2Q8/3vwZWQTfhedfa/
YQlq4sjYpmvAQExUAMsOUiNDbuTMgi7fD/fC3Dxvb3t/QQ+IdzWxH9Ls0j805sHb
ybc4X2zeZU3Bd6xO1ngo+6ki910Yuj/vXHlXl7RF3axdKj6ZrpysC/VGewmPtUa4
EcgV16vxIgCyiL0ePzcn9Ni8Li/qXE6QrSfZF59kOaMk3dnXAkgx6hHA99Sa7OX7
qgjZ/M3dTf7I4dkwy+YqHWfwstw0RByrvw4xY7expbgp0wdvhXQWc9wF1mL8usNB
6TF4biVcOQMtVz7l3JHuZiYACFvE+/sf0GcLGI//9NxkSmL8nYOlGRxWU47rhQoz
-----END CERTIFICATE-----

81
etc-template/kopano/ssl/private/system-key-cert.pem Normal file
View File

@@ -0,0 +1,81 @@
-----BEGIN PRIVATE KEY-----
MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQC6TbbQSfuxKR6m
B/u+MRh5OFmXFS3E89oO8hgHJ9XhLOutqSlYrU0gjSDCBURmCtpwjUYFay4N6KR2
N/iAUlLDvJyJQgtWO6ur64/WiDzxLobjDb/11pLFWmdw26nKJz6cT8mrid/SbtS7
gsIZgsaQGzx3evNhrbvh3/ue8gYEQamhqRaxIZXZckTgVSgydtEun+6rs99fSQVI
fd6kB+1IB1mqtBhl8m6hy5cX6+hKQbyScXlvKhQFhQpxmVHsa9+ry8l31YIcGs2p
e4q+AxzTpXmLpllmy8FIRn6J3//gGBv1QZLc3RC/sbQI0BNkRqpSSGU/tvIIp8m6
7kdyzwIKIbASM8Ff+47A/ejVM27SJ6QsRUWShQjKY3v7953R+U9PevroGPVlAUiR
LVdSKFqaIePTgvnAZj/fEZhtdiuB3G9i274EFMIuPwsqC3YiKS10R1XlZ+g+ZWMa
aZ5FOGKFsurXggDJSxIABOWtPDNs2Tp11acszf5L5cv8blHwmjMCAwEAAQKCAYEA
rCcJyhjDQiacEpIH9uyJD+KZLrm8TGWE1xCwUVRnF6cZtKQ+95lUTsL6RS720FAx
H5X74R/0M5gI+NCpiXII1qRgBZmIvktvS/LlPDkyDy+OJxtaiYGYqFLsiOYCVDHF
ck1sLl29/Ea7vvWKBGbKsvjn/AQaB+WxWnxNl8dO9fnzFNYZiN5fCMrFiIJIHbGb
hDj3I6SXwQXJov3kkLBee5OHMO0wKmxF/K4TVWCBirSJ2syOiMFaNOuGBgjGIfBe
7/xg9wpMP786iX4mStQH8lyDhAE99GzUgT6oQfqiXOVWMX4/y0nqr3F7zJ3EisEP
zyROpZZqLCCf7ZhlpVxhZlLNz2E1omDHy5xfim/Q/oWmtOfjqlL/DNHceJekmQ/P
Qtnb6gs07hdtjKfz+YFMDpuqyc7HY2gnosQacOsWySssNhrj5Y4yKlPdY9m6IjQP
0VI9GwnKJhxXIeCzTlIzSM9izso2U15JISiaxOJ4saBBnNrkp9Eu1/fDDCAgIk7B
AoHBAOOx2PZ8TqLfc3ADk/yS0evV6K5I2isdIMcvECLhMIKfPcTmwfQCMmuTmnG/
7n5pHTeO3g6IA4b2MhTvgrdvKPNtEwhYSBsenDN0bMC8+DJKH1wsOi/+ksTpND7i
fa7/FNM77SDpBH63Mkm/LVt/8ItkYCbHH58vb/HtFaYsIwEVrZwzlZtA8GgXJCWC
wAX8fNjXJKRn59Gaz9nEkbcsMarHqruJJ7QtGemPEwPb5wZlFyQveDbxjgyiD0QF
8GOhoQKBwQDRdqKyNeKXwDTORkXpXSxt611xHS7stGkCGEZLn8iS6RXB2goElTpz
xVA128jKqzTDBD3ySiB1R2/GmDjX/jUN8htt4y4TajBOvolUO+jStVVSPIafNqpO
IeDJEyi3DIooipeVa0EOWHpsSS9qLg2fzPe2LeuURR397RCf9eYb2JGwgnv7IQlB
QijFIxEBYIMU+xhJUdqOsSn6xc4zzkEeEhrg/AbCkpOadVDgtL+nBXmju32y8I2l
sX10jyK8U1MCgcEAqBtsdj88x592WSMrJXU4q4gY7GQ5P0+YHbcvkLD14dqz/iXo
2MCufSJTCtyLtqTgv14psEzXXdNzEmXq+oeFkoPbY3PaeLtW096HVJ2wGWEEWkcF
Bt5Lejo7KpqJ9KO7umEqJ/wiJ3QWGsCdOkrxS9jl7Htja2HYoqNKMo+voGNi9EpZ
kHCXjiJXu6IXJ9RMUMQ293MHgodsIfmxI63rVY1pDmCrAamy0e+iOF0o6l3EgiDR
/q7FE6qq3qwL2WNBAoHASjeD3CsVl3lF/JSPrukRlfzgRfT2LG6cCl75gVAjLFKk
H+SWyhrp9B1El2DBm3XgIv08yb2UFJn0M+S5t2Zd/Av9xgjJyZ1FcpE2bX8wtoAD
tDi35m/jFf4Q/I3qTjmGNmks3od7LI8TCY1A3JlmwGlKl+VbZFS9FLzLuDHTj6hD
rsv9C/Ufp1y+v2L2YouExolViJ0VGJwTaMRvlJGPJw15MqB58LUo0YCh4IyKn65j
9Cy5lA6B0eS6s/MHdrz7AoHAX39pf8mkBoK8HwxahCIQZG5iDZdaqIKh4+YT2coA
YPC15q5t4ZKE9kxYMBi4iiNZ9ffAUbYoRRjRus7Xv5Aq6h5zlGTANhUy0vT71HDv
jih0ZvPVJ0VMfsyeAuMl+hVaPt7tE4FBlHsK72+/EDyzt0S22E1FXi8QnP31b0Zt
GlpvOi6ybxYjzU/MQo++aMEaHHM1l9cDFrBVKaUChx/s4qmW8H3jPusiX0BEQI4+
+TVfDYZt4VumRof/NszbiNo9
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHTDCCA3SgAwIBAgIBATANBgkqhkiG9w0BAQwFADCBjzESMBAGCgmSJomT8ixk
ARkWAmRlMRcwFQYKCZImiZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNp
Z24gUHJpdmF0ZSBTaXRlMSIwIAYDVQQLDBlJbmZvcm1hdGlvbiBTZWN1cml0eSBV
bml0MRwwGgYDVQQDDBNCYWx1U2lnbiBTaWduaW5nIENBMB4XDTIzMDQwNzA5NTgy
N1oXDTI0MDQwNjA5NTgyN1owcDESMBAGCgmSJomT8ixkARkWAmRlMRcwFQYKCZIm
iZPyLGQBGRYHYmFsb2doczEeMBwGA1UECgwVQmFsdVNpZ24gUHJpdmF0ZSBTaXRl
MRAwDgYDVQQLDAdJbmZvU2VjMQ8wDQYDVQQDDAZzeXN0ZW0wggGiMA0GCSqGSIb3
DQEBAQUAA4IBjwAwggGKAoIBgQC6TbbQSfuxKR6mB/u+MRh5OFmXFS3E89oO8hgH
J9XhLOutqSlYrU0gjSDCBURmCtpwjUYFay4N6KR2N/iAUlLDvJyJQgtWO6ur64/W
iDzxLobjDb/11pLFWmdw26nKJz6cT8mrid/SbtS7gsIZgsaQGzx3evNhrbvh3/ue
8gYEQamhqRaxIZXZckTgVSgydtEun+6rs99fSQVIfd6kB+1IB1mqtBhl8m6hy5cX
6+hKQbyScXlvKhQFhQpxmVHsa9+ry8l31YIcGs2pe4q+AxzTpXmLpllmy8FIRn6J
3//gGBv1QZLc3RC/sbQI0BNkRqpSSGU/tvIIp8m67kdyzwIKIbASM8Ff+47A/ejV
M27SJ6QsRUWShQjKY3v7953R+U9PevroGPVlAUiRLVdSKFqaIePTgvnAZj/fEZht
diuB3G9i274EFMIuPwsqC3YiKS10R1XlZ+g+ZWMaaZ5FOGKFsurXggDJSxIABOWt
PDNs2Tp11acszf5L5cv8blHwmjMCAwEAAaOBkDCBjTAOBgNVHQ8BAf8EBAMCBaAw
CQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0O
BBYEFNarMOs1gZ+SF8je3HIVWc33CiU2MB8GA1UdIwQYMBaAFMqbgQQmDeVYg8OF
AcWbU8cwV2wQMBEGA1UdEQQKMAiCBnN5c3RlbTANBgkqhkiG9w0BAQwFAAOCA8EA
cI5rB8CVIJW9orWtHGGd+WjDxzljowd4lPSxkkxC1MewUOGQ6csN+e6MFKnLF6Kn
nnMMjRKms7cPL+vC4bBqNmyroYNlYzt9PEjd5Ruwy44+H895wkPZkIzUnjusQcgY
kd/SLQcLo53S/YYVSO/02Ma1i9rPbpN8RNSVhkvwA0rCMV85hGGoTlfZ3gLVpjR/
zMRiFAdAhAQ4+RRFm6GtcBv8CZ7W/ctkmp/ybFyAtotCkhsIcPAjnHrBvlxxkWxf
lsB/ydCMqQWJmgO8MUmZazu3JD1ZRICLBXzIvx1z6REFx4SGArM0JxkXkgLB+8O4
HXc8pPcxfcTx46A7Pqg5UpD7E1jcrbxcpw4+paTaRBdMSzpZhOeVA4R1yeMjmd4w
/M4ZQ89szU4Bf9cGkj9QU2op7NGPNFu/WezibxjM/TDxwfPW2MdRaXe0rv8nEdeg
tpinawr+7Adl51J76kKGXnyVMAjNV5OtjeYPGBEvcAOJQj92bD8CrEwA8qetPZBb
jeMv1CgCZuUTq1OUFy9bWiE6tHJwhrP88ZCcHtFEOmo02TyW0mQsyUQAA8/KYvVe
icFBWIj+WXPOSQDzFYi7HLR4BNH8gZlqrWdGSzbg1YaXFBB7rDMvQhZqvqJ/K0Ot
967obnQQe+kalwsRsXAWPfp7LcyHBQCVvJO//IDa5pyHVpyVk/WgOcE1QOyLnccf
gLTxcxymWAUh09WjjKKRc5IkWFkHaczyW8DxchLxjYJWk8wmwR9cTvmSuss6QeSb
a7SlcRyDPrCD2irZnpLEfPLl5BNjlCiv1AXhxGm/LXSh2h2Ynaa5MAE7fdDfl0CV
b2vZrligtpdezVAkWDB3w/DTrh3CJc0FdpLRwp7Ee53DGyVLFMCalpoPeqBpqpq5
tAfCNoJ8pzoe5P7cYyY72cWaxMHdcqhVvSvJkYEmdqSY1pRMF6pttnRwj7Oi0XUr
W9bi5QrkqKe+SB7nK3+dPbhWTH9T5Cyo7tI8fbujIBZ1pQHprONDlMWaqECReP22
jhMqKkNA1V4rgNehMDUODgcDYGb4Xcghp0n7Epgp/Ep9axVa/kRv3uYGzcgXYwLY
+aKu1LkAyVplg6Vb5Q+HRweA7/m3rB6afd073i/jYkjuWGVo5Cq9RQ++BRyd6dqg
/VqWcn4iZ0VeXH3O909td/Jrq29RbC2Yj1Zb4Qg5NQ2hmOkXsYCptBXJpQXcel2W
jSz2CSGkuPtPVykaiBhwcXlHJYJ3ezUDpirM1+JckO0JTblDd385esuR8XAfqe9W
-----END CERTIFICATE-----

11
etc-template/kopano/sslkeys/system-public-key.pem Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuk220En7sSkepgf7vjEY
eThZlxUtxPPaDvIYByfV4SzrrakpWK1NII0gwgVEZgracI1GBWsuDeikdjf4gFJS
w7yciUILVjurq+uP1og88S6G4w2/9daSxVpncNupyic+nE/Jq4nf0m7Uu4LCGYLG
kBs8d3rzYa274d/7nvIGBEGpoakWsSGV2XJE4FUoMnbRLp/uq7PfX0kFSH3epAft
SAdZqrQYZfJuocuXF+voSkG8knF5byoUBYUKcZlR7Gvfq8vJd9WCHBrNqXuKvgMc
06V5i6ZZZsvBSEZ+id//4Bgb9UGS3N0Qv7G0CNATZEaqUkhlP7byCKfJuu5Hcs8C
CiGwEjPBX/uOwP3o1TNu0iekLEVFkoUIymN7+/ed0flPT3r66Bj1ZQFIkS1XUiha
miHj04L5wGY/3xGYbXYrgdxvYtu+BBTCLj8LKgt2IiktdEdV5WfoPmVjGmmeRThi
hbLq14IAyUsSAATlrTwzbNk6ddWnLM3+S+XL/G5R8JozAgMBAAE=
-----END PUBLIC KEY-----

8
etc-template/kopano/statsd.cfg Normal file
View File

@@ -0,0 +1,8 @@
# One address:port specifier for where to listen for HTTP connections.
#statsd_listen = unix:/var/run/kopano/statsd.sock
# Location for keeping RRD files
#statsd_rrd = /var/lib/kopano/rrd
#run_as_user = kopano
#run_as_group = kopano

42
etc-template/kopano/unix.cfg Normal file
View File

@@ -0,0 +1,42 @@
##############################################################
# UNIX USER PLUGIN SETTINGS
#
# Any of these directives that are required, are only required if the
# userplugin parameter is set to unix.
# Charset used in /etc/passwd for the fullname of a user. Normally this
# is us-ascii, but this can differ according to your setup.
# The charset specified here must be supported by your iconv(1)
# setup. See iconv -l for all charsets.
fullname_charset = iso-8859-15
# Default email domain for constructing new users
# Required, no default
default_domain = kopano.com
# The lowest user id that is considered a regular user
# Optional, default = 1000
min_user_uid = 1000
# The highest user id that is considered a regular user
# Optional, default = 10000
max_user_uid = 10000
# A list of user ids that are not considered to be regular users
# Optional, default = empty
# except_user_uids =
# The lowest group id that is considered a regular group
# Optional, default = 1000
min_group_gid = 1000
# The highest group id that is considered a regular group
# Optional, default = 10000
max_group_gid = 10000
# A list of group ids that are not considered to be regular groups
# Optional, default = empty
# except_group_gids =
# Create a user as non-active when it has this Unix shell
non_login_shell = /sbin/nologin /bin/false

28
etc-template/kopano/webapp/.htaccess Normal file
View File

@@ -0,0 +1,28 @@
# some apache settings
Options -Indexes
# The maximum POST limit. To upload large files, this value must be larger than upload_max_filesize.
<IfModule mod_php5.c>
php_value post_max_size 31M
php_value upload_max_filesize 30M
</IfModule>
<IfModule mod_php7.c>
php_value post_max_size 31M
php_value upload_max_filesize 30M
</IfModule>
# Deny access to config.php, config.php.dist, debug.php, debug.php.dist, defaults.php
# because they could become a security vulnerability when accessible
# Better safe then sorry
<FilesMatch "^(config|debug|defaults|init)\.php">
<IfVersion < 2.4>
Deny from all
</IfVersion>
<IfVersion >= 2.4>
<RequireAll>
Require all denied
</RequireAll>
</IfVersion>
</FilesMatch>

4
etc-template/kopano/webapp/config-contactfax.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
define('PLUGIN_CONTACTFAXPLUGIN_USER_DEFAULT_ENABLE', false);
define('PLUGIN_CONTACTFAXPLUGIN_FAX_DOMAIN_NAME', 'officefax.net');
?>

13
etc-template/kopano/webapp/config-gmaps.php Normal file
View File

@@ -0,0 +1,13 @@
<?php
//by default gmaps plugin is disabled
define('PLUGIN_GMAPS_USER_DEFAULT_ENABLE', false);
define ('PLUGIN_GMAPS_DEFAULT_ADDRESS','Elektronicaweg 18, 2628 XG Delft, The Netherlands');
define ('PLUGIN_GMAPS_SHOW_ROUTES', false);
// This plugin requires a valid Google API key. You can get an API key (and more information) at
// https://developers.google.com/maps/documentation/javascript/get-api-key
// Please note that there are usage limits for a particular API key:
// https://developers.google.com/maps/documentation/javascript/usage
define ('PLUGIN_GMAPS_GOOGLE_API_KEY', 'YOUR GOOGLE API KEY');
?>

17
etc-template/kopano/webapp/config-intranet.php Normal file
View File

@@ -0,0 +1,17 @@
<?php
define('PLUGIN_INTRANET_USER_DEFAULT_ENABLE', false);
define('PLUGIN_INTRANET_BUTTON_TITLE', 'Kopano.io');
define('PLUGIN_INTRANET_URL', 'https://kopano.io/');
define('PLUGIN_INTRANET_AUTOSTART', false);
define('PLUGIN_INTRANET_ICON', 'resources/icons/icon_default.png');
// More buttons can be added by adding a number as follows
// Note: Numbers must start with 1 and be sequential
define('PLUGIN_INTRANET_BUTTON_TITLE_1', 'Kopano.com');
define('PLUGIN_INTRANET_URL_1', 'https://kopano.com/');
define('PLUGIN_INTRANET_AUTOSTART_1', false);
define('PLUGIN_INTRANET_ICON_1', 'resources/icons/icon_default.png');

9
etc-template/kopano/webapp/config-mattermost.php Normal file
View File

@@ -0,0 +1,9 @@
<?php
define('PLUGIN_MATTERMOST_USER_DEFAULT_ENABLE', false);
define('PLUGIN_MATTERMOST_URL', '<URL-OF-YOUR-MATTERMOST>');
// This setting can be changed by the user in his settings.
// Here you can define the default behaviour.
define('PLUGIN_MATTERMOST_AUTOSTART', true);

19
etc-template/kopano/webapp/config-meet.php Normal file
View File

@@ -0,0 +1,19 @@
<?php
/*******************************************************************************
*
* This file is part of the Meet plugin for Kopano WebApp
*
* (c) 2019 Kopano <info@kopano.com>
*
*******************************************************************************/
// This file contains the configuration options of the Meet plugin
// This disables the plugin by default
define('PLUGIN_MEET_USER_DEFAULT_ENABLE', false);
// The URL of the Meet PWA
//define('PLUGIN_MEET_MEET_URL', 'https://<URL_OF_YOUR_MEET_INSTALLATION>');
// The URL of the Meet join flow
//define('PLUGIN_MEET_MEET_JOIN_URL' '/meet/r/join/group/');

4
etc-template/kopano/webapp/config-pimfolder.php Normal file
View File

@@ -0,0 +1,4 @@
<?php
/** Enable the pimfolder plugin for all users */
define('PLUGIN_PIMFOLDER_USER_DEFAULT_ENABLE', false);
?>

6
etc-template/kopano/webapp/config-threema4deskapp.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
define('PLUGIN_THREEMA4DESKAPP_USER_DEFAULT_ENABLE', false);
define('PLUGIN_THREEMA4DESKAPP_BUTTON_TITLE', 'Threema');
define('PLUGIN_THREEMA4DESKAPP_URL', 'https://web.threema.ch/');

6
etc-template/kopano/webapp/config-whatsapp4deskapp.php Normal file
View File

@@ -0,0 +1,6 @@
<?php
define('PLUGIN_WHATSAPP4DESKAPP_USER_DEFAULT_ENABLE', false);
define('PLUGIN_WHATSAPP4DESKAPP_BUTTON_TITLE', 'WhatsApp');
define('PLUGIN_WHATSAPP4DESKAPP_URL', 'https://web.whatsapp.com/');

331
etc-template/kopano/webapp/config.php Normal file
View File

@@ -0,0 +1,331 @@
<?php
// The config file for the webapp.
// All possible web client settings can be set in this file. Some settings
// (language) can also be set per user or logon.
// Comment next line to disable the config check (or set FALSE to log the config errors)
define("CONFIG_CHECK", TRUE);
// Use these options to optionally disable some PHP configuration checks.
// WARNING: these checks will disable checks regarding the security of the WebApp site configuration,
// only change them if you know the consequences - improper use will lead to an insecure installation!
define("CONFIG_CHECK_COOKIES_HTTP", FALSE);
define("CONFIG_CHECK_COOKIES_SSL", FALSE);
// Depending on your setup, it might be advisable to change the lines below to one defined with your
// default socket location.
// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
// Examples: define("DEFAULT_SERVER", "default:");
// define("DEFAULT_SERVER", "http://localhost:236/kopano");
// define("DEFAULT_SERVER", "https://localhost:237/kopano");
// define("DEFAULT_SERVER", "file:///var/run/kopano/server.sock");
define("DEFAULT_SERVER", "http://server:236/kopano");
// When using a Single-Sign-On (SSO) system on your webserver and Kopano Core is on another server
// you can use https to access the Kopano server, and authenticate using an SSL certificate.
define("SSLCERT_FILE", NULL);
define("SSLCERT_PASS", NULL);
// Set to false to disable login with Single Sign-On (SSO) on SSO environments.
define("ENABLE_REMOTE_USER_LOGIN", true);
// OIDC Server Configuration, introduced in Kopano Core 8.7.0
define("OIDC_ISS", "");
define("OIDC_CLIENT_ID", "");
define("OIDC_SCOPE", "openid profile email kopano/gc");
// set to 'true' to strip domain from login name found from Single Sign-On webservers
define("LOGINNAME_STRIP_DOMAIN", false);
// Name of the cookie that is used for the session
define("COOKIE_NAME", "KOPANO_WEBAPP");
// Set to 'false' to disable secure session cookies and to allow log-in without HTTPS.
define("SECURE_COOKIES", false);
// Use DOMPurify to filter HTML
// Caution: disabling DOMPurify is a potential security risk.
define("ENABLE_DOMPURIFY_FILTER", true);
// The timeout (in seconds) for the session. User will be logged out of WebApp
// when he has not actively used the WebApp for this time.
// Set to 0 (or remove) for no timeout during browser session.
define("CLIENT_TIMEOUT", 0);
// Defines the domains from which cross domain authentication requests
// are allowed. E.g. if WebMeetings runs under a different domain than
// the WebApp then add this domain here. Add http(s):// to the domains
// and separate domains with spaces.
// Set to empty string (default) to only allow authentication requests
// from within the same domain.
// Set to "*" to allow authentication requests from any domain. (not
// recommended)
define("CROSS_DOMAIN_AUTHENTICATION_ALLOWED_DOMAINS", "");
// Defines the domains to which redirection after login is allowed.
// Add http(s):// to the domains and separate domains with spaces.
// Note: The domain under which WebApp runs, is always allowed and does
// not need to be added here.
define("REDIRECT_ALLOWED_DOMAINS", "");
// Defines the base url and end with a slash.
$base_url = dirname($_SERVER["PHP_SELF"]);
if(substr($base_url,-1)!="/") $base_url .="/";
define("BASE_URL", $base_url);
// Defines the temp path (absolute). Here uploaded attachments will be saved.
// The web client doesn't work without this directory.
define("TMP_PATH", "/var/lib/kopano-webapp/tmp");
// Define the path to the plugin directory (No slash at the end)
define("PATH_PLUGIN_DIR", "plugins");
// Enable the plugins
define("ENABLE_PLUGINS", true);
// Define list of disabled plugins separated by semicolon
// Plugin directory name should be used in this list.
define("DISABLED_PLUGINS_LIST", "");
// Define a list of plugins that cannot be disabled by users.
// Plugins should be seperated by a semicolon (;). A wildcard (*)
// can be used to identify multiple plugins.
// Plugin directory name should be used in this list.
define("ALWAYS_ENABLED_PLUGINS_LIST", "");
// General WebApp theme. This will be loaded by default for every user
// (if the theme is installed as a plugin)
// Users can override the 'logged-in' theme in the settings.
// The theme directory should be added here, not the display name.
define("THEME", "");
// Enable themes.
define("ENABLE_THEMES", true);
// General WebApp icon set. This will be loaded by default for every user.
// Users can override the iconset in the settings.
define("ICONSET", "breeze");
// Enable iconsets.
define("ENABLE_ICONSETS", true);
// The title that will be shown in the title bar of the browser
define("WEBAPP_TITLE", "Kopano WebApp");
// The base URL where the User Manual for WebApp can be found
define("PLUGIN_WEBAPPMANUAL_URL", "https://documentation.kopano.io/user_manual_webapp/");
// When set to false, GAB does not show any user, unless searched for.
define("ENABLE_FULL_GAB", true);
// Set a maximum number of (search) results for the addressbook
// When more results are found no results will be displayed in the client.
// Set to 0 to disable this feature and show all results.
define("MAX_GAB_RESULTS", 0);
// Set to true to show public contact folders in address-book folder list,
// false will hide public contact folders in address-book folder list.
define("ENABLE_PUBLIC_CONTACT_FOLDERS", false);
// Set true to show public folders in hierarchy, false will disable public folders in hierarchy.
define("ENABLE_PUBLIC_FOLDERS", true);
// Set true to hide shared contact folders in address-book folder list,
// false will show shared contact folders in address-book folder list.
define("ENABLE_SHARED_CONTACT_FOLDERS", false);
// Set to true to give users the option to enable file previewer in their settings
// Set to false to hide the setting and disable file previewer for all users
define("ENABLE_FILE_PREVIEWER", true);
// Set to true to give users the possiblity to edit, create, and delete mail filters on the store
// of other users. The user needs owner permissions on the store of the other user.
define("ENABLE_SHARED_RULES", false);
// Booking method (true = direct booking, false = send meeting request)
define("ENABLE_DIRECT_BOOKING", true);
// Enable GZIP compression for responses
define("ENABLE_RESPONSE_COMPRESSION", true);
// When set to false this disables the welcome screen shown to new users.
define("ENABLE_WELCOME_SCREEN", true);
// Set to false to disable the "What's new dialog" that will be shown to users to introduce new features.
define("ENABLE_WHATS_NEW_DIALOG", true);
// When set to false it will disable showing of advanced settings.
define("ENABLE_ADVANCED_SETTINGS", false);
// Freebusy start offset that will be used to load freebusy data in appointments, number is subtracted from current time
define("FREEBUSY_LOAD_START_OFFSET", 7);
// Freebusy end offset that will be used to load freebusy data in appointments, number is added to current time
define("FREEBUSY_LOAD_END_OFFSET", 90);
// Maximum eml files to be included in a single ZIP archive
define("MAX_EML_FILES_IN_ZIP", 50);
// Set true to default soft delete the shared store items
define("ENABLE_DEFAULT_SOFT_DELETE", false);
// Enable widgets/today context.
define("ENABLE_WIDGETS", true);
// Additional color schemes for the calendars can be added by uncommenting and editing the following define.
// The format is the same as the format of COLOR_SCHEMES which is defined in default.php
// To change the default colors, COLOR_SCHEMES can also be defined here.
// Note: Every color should have a unique name, because it is used to identify the color
// define("ADDITIONAL_COLOR_SCHEMES", json_encode(array(
// array(
// 'name' => 'pink',
// 'displayName' => _('Pink'),
// 'base' => '#ff0099'
// )
// )));
// Additional categories can be added by uncommenting and editing the following define.
// The format is the same as the format of DEFAULT_CATEGORIES which is defined in default.php
// To change the default categories, DEFAULT_CATEGORIES can also be defined here.
// Note: Every category should have a unique name, because it is used to identify the category
// define("ADDITIONAL_CATEGORIES", json_encode(array(
// array(
// 'name' => _('Family'),
// 'color' => '#000000',
// 'quickAccess' => true,
// 'sortIndex' => 10
// )
// )));
// Additional Prefix for the Contact name can be added by uncommenting and editing the following define.
// define("CONTACT_PREFIX", json_encode(array(
// array(_('Er.')),
// array(_('Gr.'))
// )));
// Additional Suffix for the Contact name can be added by uncommenting and editing the following define.
// define("CONTACT_SUFFIX", json_encode(array(
// array(_('A')),
// array(_('B'))
// )));
// Define the polling interval in minutes for unread mail in shared stores.
define("SHARED_STORE_POLLING_INTERVAL", 15);
// Define the amount of emails to load in the background, in batches of 10 emails per request every x seconds
// defined by PREFETCH_EMAIL_INTERVAL until the defined amount of items is loaded. Setting this value to zero
// disables this feature.
define("PREFETCH_EMAIL_COUNT", 10);
// Define the interval between loading of new emails in the background.
define("PREFETCH_EMAIL_INTERVAL", 30);
/**************************************\
* Memory usage and timeouts *
\**************************************/
// This sets the maximum time in seconds that is allowed to run before it is terminated by the parser.
ini_set("max_execution_time", 300); // 5 minutes
// BLOCK_SIZE (in bytes) is used for attachments by mapi_stream_read/mapi_stream_write
define("BLOCK_SIZE", 1048576);
// Time that static files may exist in the client's cache (13 weeks)
define("EXPIRES_TIME", 60*60*24*7*13);
// Time that the state files are allowed to survive (in seconds)
// For filesystems on which relatime is used, this value should be larger then the relatime_interval
// for kernels 2.6.30 and above relatime is enabled by default, and the relatime_interval is set to
// 24 hours.
define("STATE_FILE_MAX_LIFETIME", 28*60*60);
// Time that attachments are allowed to survive (in seconds)
define("UPLOADED_ATTACHMENT_MAX_LIFETIME", 6*60*60);
/**********************************************************************************
* Logging settings
*
* Possible LOG_USER_LEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*
**************************************************************************************/
define("LOG_USER_LEVEL", LOGLEVEL_INFO);
// To save e.g. user activity data only for selected users, provide the username followed by semicolon.
// The data will be saved into a dedicated file per user in the LOG_FILE_DIR
// Users have to be encapsulated in quotes, several users are semicolon separated, like:
// define('LOG_USERS', 'user1;user2;user3');
define("LOG_USERS", "");
// Location of the log directory
// e.g /var/log/webapp-userslog/users/
// The directory will be created when it does not exist.
// Webserver user should have permissions to write in this folder
define("LOG_FILE_DIR", "");
/**************************************\
* Languages *
\**************************************/
// Location to the translations
define("LANGUAGE_DIR", "server/language/");
// Defines the default interface language. This can be overridden by the user.
if (isset($_ENV['LANG']) && $_ENV['LANG']!="C") {
define('LANG', $_ENV["LANG"]); // This means the server environment language determines the web client language.
} else {
define('LANG', 'en_US.UTF-8'); // default fallback language
}
// List of languages that should be enabled in the logon
// screen's language drop down. Languages should be specified
// using <languagecode>_<regioncode>[.UTF-8], and separated with
// semicolon. A list of available languages can be found in
// the manual or by looking at the list of directories in
// /usr/share/kopano-webapp/server/language .
define("ENABLED_LANGUAGES", "cs_CZ;da_DK;de_DE;en_GB;en_US;es_CA;es_ES;fi_FI;fr_FR;hu_HU;it_IT;ja_JP;nb_NO;nl_NL;pl_PL;pt_BR;ru_RU;sl_SI;tr_TR;zh_CN");
// Defines the default time zone
if (!ini_get('date.timezone')) {
date_default_timezone_set('Europe/Berlin');
}
/**************************************\
* Powerpaste *
\**************************************/
// Options for TinyMCE's powerpaste plugin, see https://www.tiny.cloud/docs/plugins/powerpaste/#configurationoptions
// for more details.
define("POWERPASTE_WORD_IMPORT", "merge");
define("POWERPASTE_HTML_IMPORT", "merge");
define("POWERPASTE_ALLOW_LOCAL_IMAGES", true);
/**************************************\
* Debugging *
\**************************************/
// Do not log errors into stdout, since this generates faulty JSON responses.
ini_set("display_errors", false);
ini_set("log_errors", true);
error_reporting(E_ERROR);
// Log successful logins
define("LOG_SUCCESSFUL_LOGINS", false);
if (file_exists('debug.php')) {
include_once('debug.php');
} else {
// define empty dump function in case we still use it somewhere
function dump(){}
}
?>

64
etc-template/postfix/main.cf Normal file
View File

@@ -0,0 +1,64 @@
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# maillog_file = /dev/stdout
# maillog_file=/var/log/postfix.log
# maillog_file_permissions=0644
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on fresh installs.
compatibility_level = 2
# local domains
myhostname = nuc0.zntrl.de
mydestination = $myhostname, localhost.$mydomain, localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = $mydomain
# mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
# trusts all hosts in the kopano docker network
mynetworks_style = subnet
# virtual domains
virtual_mailbox_domains = zntrl.de ads64.de
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
# virtual_transport = lmtp:unix:/var/spool/kopano/dagent.sock
virtual_transport = lmtp:dagent:2003
lmtp_tls_loglevel = 1
# default outbound transport for all domains, use one relay for all domains
# authenticates to relay.zntrl.de for authorisation to relay mail, see also: SMTP (outbound)
default_transport = smtp:[relay.zntrl.de]:465
# SMTPD (inbound) TLS parameters
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
smtpd_tls_key_file = /etc/ssl/private/zntrl.key
smtpd_tls_cert_file = /etc/ssl/zntrl.crt
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
# SMTP (outbound)
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_CAfile = /usr/local/share/ca-certificates/kopano-ca.crt
smtp_tls_key_file = /etc/ssl/private/zntrl.key
smtp_tls_cert_file = /etc/ssl/zntrl.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
mailbox_size_limit = 0
message_size_limit = 50000000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

84
etc-template/postfix/master.cf Normal file
View File

@@ -0,0 +1,84 @@
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o content_filter=scan:kopano-spampd-1:10025
-o receive_override_options=no_address_mappings
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# Proxy receiver, see https://cwiki.apache.org/confluence/display/spamassassin/IntegratePostfixViaSpampd
#
10026 inet n - n - 10 smtpd
-o content_filter=
-o myhostname=mta.zntrl.de
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_tls_security_level=none
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject

3
etc-template/postfix/virtual Normal file
View File

@@ -0,0 +1,3 @@
postmaster@zntrl.de postmaster
abuse@zntrl.de postmaster

BIN
etc-template/postfix/virtual.db Normal file
View File

Binary file not shown.

8
etc-template/postfix/vmailbox Normal file
View File

@@ -0,0 +1,8 @@
baloan@zntrl.de notused
blu3prince@zntrl.de notused
fafnir@zntrl.de notused
postmaster@zntrl.de notused
andreas@ads64.de notused
postmaster@ads64.de notused
# Comment out the entry below to implement a catch-all.
# @zntrl.de notused

BIN
etc-template/postfix/vmailbox.db Normal file
View File

Binary file not shown.

88
etc-template/z-push/autodiscover.conf.php Normal file
View File

@@ -0,0 +1,88 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Autodiscover configuration file
*
* Created : 30.07.2014
*
* Copyright 2007 - 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
/**********************************************************************************
* Default settings
*/
// Replace zpush.example.com with your z-push's host name and uncomment the line below.
define('ZPUSH_HOST', 'zntrl.de');
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', 'Europe/Berlin');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
/*
* Whether to use the complete email address as a login name
* (e.g. user@company.com) or the username only (user).
* Possible values:
* false - use the username only (default).
* true - use the complete email address.
*/
define('USE_FULLEMAIL_FOR_LOGIN', false);
/**********************************************************************************
* Logging settings
* Possible LOGLEVEL and LOGUSERLEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
* LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
* LOGLEVEL_DEVICEID - also prints the device id for every log entry
* LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*/
define('LOGBACKEND', 'filelog');
define('LOGFILEDIR', '/var/log/z-push/');
define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
define('LOGLEVEL', LOGLEVEL_WBXML);
define('LOGUSERLEVEL', LOGLEVEL);
$specialLogUsers = array();
// Syslog settings
// false will log to local syslog, otherwise put the remote syslog IP here
define('LOG_SYSLOG_HOST', false);
// Syslog port
define('LOG_SYSLOG_PORT', 514);
// Program showed in the syslog. Useful if you have more than one instance login to the same syslog
define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover');
// Syslog facility - use LOG_USER when running on Windows
define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
/**********************************************************************************
* Backend settings
*/
// the backend data provider
define('BACKEND_PROVIDER', '');

88
etc-template/z-push/autodiscover.conf.php.dist Normal file
View File

@@ -0,0 +1,88 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Autodiscover configuration file
*
* Created : 30.07.2014
*
* Copyright 2007 - 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
/**********************************************************************************
* Default settings
*/
// Replace zpush.example.com with your z-push's host name and uncomment the line below.
// define('ZPUSH_HOST', 'zpush.example.com');
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', '');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
/*
* Whether to use the complete email address as a login name
* (e.g. user@company.com) or the username only (user).
* Possible values:
* false - use the username only (default).
* true - use the complete email address.
*/
define('USE_FULLEMAIL_FOR_LOGIN', false);
/**********************************************************************************
* Logging settings
* Possible LOGLEVEL and LOGUSERLEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
* LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
* LOGLEVEL_DEVICEID - also prints the device id for every log entry
* LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*/
define('LOGBACKEND', 'filelog');
define('LOGFILEDIR', '/var/log/z-push/');
define('LOGFILE', LOGFILEDIR . 'autodiscover.log');
define('LOGERRORFILE', LOGFILEDIR . 'autodiscover-error.log');
define('LOGLEVEL', LOGLEVEL_INFO);
define('LOGUSERLEVEL', LOGLEVEL);
$specialLogUsers = array();
// Syslog settings
// false will log to local syslog, otherwise put the remote syslog IP here
define('LOG_SYSLOG_HOST', false);
// Syslog port
define('LOG_SYSLOG_PORT', 514);
// Program showed in the syslog. Useful if you have more than one instance login to the same syslog
define('LOG_SYSLOG_PROGRAM', 'z-push-autodiscover');
// Syslog facility - use LOG_USER when running on Windows
define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
/**********************************************************************************
* Backend settings
*/
// the backend data provider
define('BACKEND_PROVIDER', '');

86
etc-template/z-push/gabsync.conf.php Normal file
View File

@@ -0,0 +1,86 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push - tools - GAB sync
* Descr : Configuration file.
*
* Created : 28.01.2016
*
* Copyright 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
* ************************************************/
// The field to be hashed that is unique and never changes
// in the entire lifetime of the GAB entry.
define('HASHFIELD', 'account');
define('AMOUNT_OF_CHUNKS', 10);
// SyncWorker implementation to be used
define('SYNCWORKER', 'Kopano');
// Unique id to find a contact from the GAB (value to be supplied by -u on the command line)
// Zarafa supports: 'account' and 'smtpAddress' (email)
define('UNIQUEID', 'smtpAddress');
// Server connection settings
// Depending on your setup, it might be advisable to change the lines below to one defined with your
// default socket location.
// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
// Examples: define("SERVER", "default:");
// define("SERVER", "http://localhost:236/kopano");
// define("SERVER", "https://localhost:237/kopano");
// define("SERVER", "file:///var/run/kopano/server.sock");
// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
// define("SERVER", "http://localhost:236/zarafa");
// define("SERVER", "https://localhost:237/zarafa");
// define("SERVER", "file:///var/run/zarafad/server.sock");
// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
// define("SERVER", "file:///var/run/zarafa");
define('SERVER', 'http://server:236/kopano');
define('USERNAME', 'SYSTEM');
define('PASSWORD', '');
define('CERTIFICATE', null);
define('CERTIFICATE_PASSWORD', null);
// Store where the hidden folder is located.
// For the public folder, use SYSTEM
// to use another store, use the same as USERNAME
// or another store where USERNAME has full access to.
define('HIDDEN_FOLDERSTORE', 'SYSTEM');
/// Do not change (unless you know exactly what you do)
define('HIDDEN_FOLDERNAME', 'Z-Push-KOE-GAB');
// Types of the objects to sync to GAB.
define('GAB_SYNC_USER', 1);
define('GAB_SYNC_CONTACT', 2);
define('GAB_SYNC_GROUP', 4);
define('GAB_SYNC_ROOM', 8);
define('GAB_SYNC_EQUIPMENT', 16);
define('GAB_SYNC_ALL', GAB_SYNC_USER | GAB_SYNC_CONTACT | GAB_SYNC_GROUP | GAB_SYNC_ROOM | GAB_SYNC_EQUIPMENT);
// Set which items from GAB should be synced.
// Default value is GAB_SYNC_ALL which syncs all items.
// In order to sync only some specific types combine them with "|", e.g.
// to sync only users and groups use:
// define('GAB_SYNC_TYPES', GAB_SYNC_USER | GAB_SYNC_CONTACT);
// In order to exclude specific types combine "& ~TYPE", e.g.
// to sync all types except rooms and equipments use:
// define('GAB_SYNC_TYPES', GAB_SYNC_ALL & ~GAB_SYNC_ROOM & ~GAB_SYNC_EQUIPMENT);
define('GAB_SYNC_TYPES', GAB_SYNC_ALL);

83
etc-template/z-push/kopano.conf.php Normal file
View File

@@ -0,0 +1,83 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Kopano backend configuration file
*
* Created : 27.11.2012
*
* Copyright 2007 - 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
// ************************
// BackendKopano settings
// ************************
// Defines the server to which we want to connect.
//
// Depending on your setup, it might be advisable to change the lines below to one defined with your
// default socket location.
// Normally "default:" points to the default setting ("file:///var/run/kopano/server.sock")
// Examples: define("MAPI_SERVER", "default:");
// define("MAPI_SERVER", "http://localhost:236/kopano");
// define("MAPI_SERVER", "https://localhost:237/kopano");
// define("MAPI_SERVER", "file:///var/run/kopano/server.sock");
// If you are using ZCP >= 7.2.0, set it to the zarafa location, e.g.
// define("MAPI_SERVER", "http://localhost:236/zarafa");
// define("MAPI_SERVER", "https://localhost:237/zarafa");
// define("MAPI_SERVER", "file:///var/run/zarafad/server.sock");
// For ZCP versions prior to 7.2.0 the socket location is different (http(s) sockets are the same):
// define("MAPI_SERVER", "file:///var/run/zarafa");
define('MAPI_SERVER', 'http://$DCKR_SERVER:236/kopano');
// Read-Only shared folders
// When trying to write a change on a read-only folder this data is dropped and replaced on the device of the user.
// Enabling the option below, sends an email to the user notifying that this happened (default enabled).
// If this is disabled, the data will be dropped silently and will be lost.
// The template of the email sent can be customized here. The placeholders can also be used in the subject.
define('READ_ONLY_NOTIFY_LOST_DATA', true);
// String to mark the data changed by the user (that he is trying to save)
define('READ_ONLY_NOTIFY_YOURDATA', 'Your data');
// Email template to be sent to the user
define('READ_ONLY_NOTIFY_SUBJECT', "Z-Push: Writing operation not permitted - data reset");
define('READ_ONLY_NOTIFY_BODY', <<<END
Dear **USERFULLNAME**,
on **DATE** at **TIME** you've tried to save a data in the folder '**FOLDERNAME**' on your device '**MOBILETYPE**' ID: '**MOBILEDEVICEID**'.
This operation was not successful, as you lack write access to this folder.
Your data has been dropped and replaced with the original data on your device to ensure data integrity.
Below is a copy of the data you tried to save. If you want your changes to be stored permanently you should forward this email to a person with write access to this folder asking to perform these changes again.
**DIFFERENCES**
If you have questions about this email, please contact your e-mail administrator.
Sincerely,
Your Z-Push system
END
);
// Format of the **DATE** and **TIME** placeholders - more information on formats, see http://php.net/manual/en/function.strftime.php
define('READ_ONLY_NOTIFY_DATE_FORMAT', "%d.%m.%Y");
define('READ_ONLY_NOTIFY_TIME_FORMAT', "%H:%M:%S");
// Comma separated list of folder ids as string for which the notification emails of the changes in read-only folders shouldn't be sent.
// E.g. define('READ_ONLY_NONOTIFY', '1, 2, 3, 4');
// When configuring $additionalFolders it is possible to use DeviceManager::FLD_FLAGS_NOREADONLYNOTIFY in the flags bitmask
// in order to prevent the notifications as well.
define('READ_ONLY_NONOTIFY', '');

234
etc-template/z-push/policies.ini Normal file
View File

@@ -0,0 +1,234 @@
;;;;;;;;;;;;;;;;;;;;;;;;
; About policies.ini ;
;;;;;;;;;;;;;;;;;;;;;;;;
; Z-Push policies' file holds the configuration to be applied
; during the provisioning of a mobile device.
; Check Z-Push wiki page regarding the provisioning policies:
; https://wiki.z-hub.io/x/eYAa
; For more information see the ActiveSync documentation at:
; https://msdn.microsoft.com/en-us/library/dd299443.aspx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The default ActiveSync policy. Do not change its name.
[default]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Policies for ActiveSync version 12.0 and higher
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Specifies if a device requires a password to unlock it.
; 0 - Password not required.
; 1 - Password is required.
devpwenabled = 0
; Specifies if a device requires an alphanumeric password to unlock it.
; 0 - Alphanumeric password not required.
; 1 - Alphanumeric password required.
alphanumpwreq = 0
; Deprecated. Specifies if the device encrypts the content of the storage card.
; 0 - Storage card encryption not enabled.
; 1 - Storage card encryption enabled.
devencenabled = 0
; Specifies if the server supports storing a recovery password which could be
; sent by the client using the Settings command.
; This policy is currently not supported by Z-Push.
; 0 - Password recovery not enabled on the server.
; 1 - Password recovery enabled on the server.
; pwrecoveryenabled = 0
; Deprecated.
docbrowseenabled =
; Specifies if email attachments are enabled for download.
; 0 - Attachments not allowed for download.
; 1 - Attachments allowed for download.
attenabled = 1
; Specifies the minimum client password length to unlock it.
; The mindevpwlenngth can be empty or have a value between 1 and 16.
; If the value is empty or 1, there is no minimum length for the device password.
mindevpwlenngth = 4
; The maximum number of seconds of inactivity before the device locks itself.
; If this value is greater than or equal to 9999, the client interprets it as unlimited.
maxinacttimedevlock = 900
; The maximum number of failed password attempts to unlock the device.
; The client SHOULD perform a local wipe or enter a timed lock out mode if the maximum
; number of failed password attempts is reached.
; The maxdevpwfailedattempts can be empty or have a value between 4 and 16.
; If the value is empty, the client interprets this as no maximum number of
; failed password attempts has been set by the security policy.
maxdevpwfailedattempts = 8
; The maximum attachment size in bytes as determined by security policy.
maxattsize = ''
; Specifies if the device allows simple passwords. A simple password contains
; repeated ("0000") or sequential ("xyz") characters only.
allowsimpledevpw = 1
; The maximum number of days until a password expires.
; Empty or 0 devpwexpiration value indicates that the password will not expire.
devpwexpiration = 0
; The minimum number of previously used passwords stored to prevent reuse by the device.
; 0 - Do not store previously used passwords.
; >0 - Store the minimum number of previously used passwords.
devpwhistory = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Policies for ActiveSync version 12.1 and higher
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; The device allows to use a storage card.
; 0 - SD card not allowed.
; 1 - SD card allowed.
allowstoragecard = 1
; The device allows to use the built-in camera.
; 0 - Usage of the built-in camera not allowed.
; 1 - Usage of built-in the camera allowed.
allowcam = 1
; Specifies if the client uses encryption.
; 0 - Encryption not required.
; 1 - Encryption required.
reqdevenc = 0
; Specifies if the device allows unsigned applications to execute.
; 0 - Unsigned applications not allowed to execute.
; 1 - Unsigned applications allowed to execute.
allowunsignedapps = 1
; The required complexity level of the device password.
; Valid values for mindevcomplexchars are between 1 and 4. The value specifies
; the number of character groups to be contained in the password.
; The character groups are:
; - Lower case alphabetical characters
; - Upper case alphabetical characters
; - Numbers
; - Non-alphanumeric characters
; For example, if the value of mindevcomplexchars is 2, a password may contain
; lower case and upper case characters. A password with numbers and non-alphanumeric
; characters would be also valid.
mindevcomplexchars = 3
; The device allows the use of Wi-Fi connections.
; 0 - The use of Wi-Fi connections not allowed.
; 1 - The use of Wi-Fi connections allowed.
allowwifi = 1
; The device allows the use of SMS or text messaging.
; 0 - SMS or text messaging not allowed.
; 1 - SMS or text messaging allowed.
allowtextmessaging = 1
; The device allows access to POP or IMAP email.
; 0 - POP or IMAP email access not allowed.
; 1 - POP or IMAP email access allowed.
allowpopimapemail = 1
; The use of Bluetooth on the device.
; 0 - Disable Bluetooth.
; 1 - Disable Bluetooth, but allow the configuration of hands-free profiles.
; 2 - Allow Bluetooth.
allowbluetooth = 2
; The device allows the use of IrDA (infrared) connections.
; 0 - Disable IrDA.
; 1 - Allow IrDA.
allowirda = 1
; The device requires manual synchronization when the device is roaming.
; 0 - Do not require manual sync; allow direct push when roaming.
; 1 - Require manual sync when roaming.
reqmansyncroam = 0
; The maximum number of calendar days that can be synchronized.
; 0 - All days
; 4 - 2 weeks
; 5 - 1 month
; 6 - 3 months
; 7 - 6 months
maxcalagefilter = 0
; Specifies if the client uses HTML-formatted email.
; 0 - HTML-formatted email not allowed.
; 1 - HTML-formatted email allowed.
allowhtmlemail = 1
; The email age limit for synchronization.
; 0 - Sync all
; 1 - 1 day
; 2 - 3 days
; 3 - 1 week
; 4 - 2 weeks
; 5 - 1 month
maxemailagefilter = 0
; The maximum truncation size for plain textformatted email.
; -1 - No truncation.
; 0 - Truncate only the header.
; >0 - Truncate the email body to the specified size.
maxemailbodytruncsize = -1
; The maximum truncation size for HTML-formatted email.
; -1 - No truncation.
; 0 - Truncate only the header.
; >0 - Truncate the email body to the specified size.
maxemailhtmlbodytruncsize = -1
; Specifies if the client sends signed S/MIME messages.
; 0 - Signed S/MIME messages not required.
; 1 - Signed S/MIME messages required.
reqsignedsmimemessages = 0
; Specifies if the client sends encrypted email messages.
; 0 - Encrypted email messages not required.
; 1 - Email messages required to be encrypted.
reqencsmimemessages = 0
; The algorithm used to sign S/MIME messages.
; 0 - Use SHA1.
; 1 - Use MD5.
reqsignedsmimealgorithm = 0
; The algorithm used to encrypt S/MIME messages.
; 0 - TripleDES algorithm
; 1 - DES algorithm
; 2 - RC2128bit
; 3 - RC264bit
; 4 - RC240bit
reqencsmimealgorithm = 0
; Controls negotiation of the encryption algorithm.
; 0 - Do not negotiate.
; 1 - Negotiate a strong algorithm.
; 2 - Negotiate any algorithm.
allowsmimeencalgneg = 2
; Specifies if the client can use soft certificates to sign outgoing messages.
; 0 - Soft certificates are not allowed.
; 1 - Soft certificates are allowed.
allowsmimesoftcerts = 1
; Specifies if the device allows the use of a web browser.
; 0 - Do not allow the use of a web browser.
; 1 - Allow the use of a web browser.
allowbrowser = 1
; Specifies if the device allows the user to configure a personal email account.
; 0 - Do not allow the user to configure a personal email account.
; 1 - Allow the user to configure a personal email account.
allowconsumeremail = 1
; Specifies if the device allows the use of Internet Sharing.
; 0 - Do not allow the use of Internet Sharing.
; 1 - Allow the use of Internet Sharing.
allowinternetsharing = 1

373
etc-template/z-push/z-push.conf.php Normal file
View File

@@ -0,0 +1,373 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Main configuration file
*
* Created : 01.10.2007
*
* Copyright 2007 - 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
/**********************************************************************************
* Default settings
*/
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', 'Europe/Berlin');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
// Try to set unlimited timeout
define('SCRIPT_TIMEOUT', 0);
// When accessing through a proxy, the "X-Forwarded-For" header contains the original remote IP
define('USE_CUSTOM_REMOTE_IP_HEADER', false);
// When using client certificates, we can check if the login sent matches the owner of the certificate.
// This setting specifies the owner parameter in the certificate to look at.
define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
/*
* Whether to use the complete email address as a login name
* (e.g. user@company.com) or the username only (user).
* This is required for Z-Push to work properly after autodiscover.
* Possible values:
* false - use the username only.
* true - string the mobile sends as username, e.g. full email address (default).
*/
define('USE_FULLEMAIL_FOR_LOGIN', true);
/**********************************************************************************
* StateMachine setting
*
* These StateMachines can be used:
* FILE - FileStateMachine (default). Needs STATE_DIR set as well.
* SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored.
* State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
*/
define('STATE_MACHINE', 'FILE');
define('STATE_DIR', '/var/lib/z-push/');
/**********************************************************************************
* IPC - InterProcessCommunication
*
* Is either provided by using shared memory on a single host or
* using the memcache provider for multi-host environments.
* When another implementation should be used, the class can be set here explicitly.
* If empty Z-Push will try to use available providers.
*/
define('IPC_PROVIDER', '');
/**********************************************************************************
* Logging settings
*
* The LOGBACKEND specifies where the logs are sent to.
* Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
* filelog and syslog have several options that can be set below.
* For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
* Possible LOGLEVEL and LOGUSERLEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
* LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
* LOGLEVEL_DEVICEID - also prints the device id for every log entry
* LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*
* LOGAUTHFAIL is logged to the LOGBACKEND.
*/
define('LOGBACKEND', 'filelog');
define('LOGLEVEL', LOGLEVEL_INFO);
define('LOGAUTHFAIL', false);
// To save e.g. WBXML data only for selected users, add the usernames to the array
// The data will be saved into a dedicated file per user in the LOGFILEDIR
// Users have to be encapusulated in quotes, several users are comma separated, like:
// $specialLogUsers = array('info@domain.com', 'myusername');
define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
$specialLogUsers = array('andreas',);
// Filelog settings
define('LOGFILEDIR', '/var/log/z-push/');
define('LOGFILE', LOGFILEDIR . 'z-push.log');
define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
// Syslog settings
// false will log to local syslog, otherwise put the remote syslog IP here
define('LOG_SYSLOG_HOST', false);
// Syslog port
define('LOG_SYSLOG_PORT', 514);
// Program showed in the syslog. Useful if you have more than one instance login to the same syslog
define('LOG_SYSLOG_PROGRAM', 'z-push');
// Syslog facility - use LOG_USER when running on Windows
define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
// Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
// Uncomment and modify the following line if the validation of the certificates fails.
// define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
/**********************************************************************************
* Mobile settings
*/
// Device Provisioning
define('PROVISIONING', true);
// This option allows the 'loose enforcement' of the provisioning policies for older
// devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
// false (default) - Enforce provisioning for all devices
// true - allow older devices, but enforce policies on devices which support it
define('LOOSE_PROVISIONING', false);
// The file containing the policies' settings.
// Set a full path or relative to the z-push main directory
define('PROVISIONING_POLICYFILE', 'policies.ini');
// Default conflict preference
// Some devices allow to set if the server or PIM (mobile)
// should win in case of a synchronization conflict
// SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
// SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
// Global limitation of items to be synchronized
// The mobile can define a sync back period for calendar and email items
// For large stores with many items the time period could be limited to a max value
// If the mobile transmits a wider time period, the defined max value is used
// Applicable values:
// SYNC_FILTERTYPE_ALL (default, no limitation)
// SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
// SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
// Interval in seconds before checking if there are changes on the server when in Ping.
// It means the highest time span before a change is pushed to a mobile. Set it to
// a higher value if you have a high load on the server.
define('PING_INTERVAL', 30);
// Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
// It will only affect new/modified contacts on the mobile which then are synced to the server.
// Possible values are:
// SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
// SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
// SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
// SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
// SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
// SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
// SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
// The company-fileas will only be set if a contact has a company set. If one of
// company-fileas is selected and a contact doesn't have a company set, it will default
// to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
// option is selected for company).
// If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
// SYNC_FILEAS_LASTFIRST will be used
define('FILEAS_ORDER', SYNC_FILEAS_LASTCOMPANY);
// Maximum amount of items to be synchronized per request.
// Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
// Exporting too much items can cause mobile timeout on busy systems.
// Z-Push will use the lowest provided value, either set here or by the mobile.
// MS Outlook 2013+ request up to 512 items to accelerate the sync process.
// If you detect high load (also on subsystems) you could try a lower setting.
// max: 512 - value used if mobile does not limit amount of items
define('SYNC_MAX_ITEMS', 512);
// The devices usually send a list of supported properties for calendar and contact
// items. If a device does not includes such a supported property in Sync request,
// it means the property's value will be deleted on the server.
// However some devices do not send a list of supported properties. It is then impossible
// to tell if a property was deleted or it was not set at all if it does not appear in Sync.
// This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
// supported properties.
// See also https://jira.z-hub.io/browse/ZP-302.
// Possible values:
// false - do not unset properties which are not sent during Sync (default)
// true - unset properties which are not sent during Sync
define('UNSET_UNDEFINED_PROPERTIES', false);
// ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
// in the semantic sanity checks and contacts with larger photos are not synchronized.
// This limitation is not being followed by the ActiveSync clients which set much bigger
// contact photos. You can override the default value of the max photo size.
// default: 5242880 - 5 MB default max photo size in bytes
define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
// Over the WebserviceUsers command it is possible to retrieve a list of all
// known devices and users on this Z-Push system. The authenticated user needs to have
// admin rights and a public folder must exist.
// In multicompany environments this enable an admin user of any company to retrieve
// this full list, so this feature is disabled by default. Enable with care.
define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
// Users with many folders can use the 'partial foldersync' feature, where the server
// actively stops processing the folder list if it takes too long. Other requests are
// then redirected to the FolderSync to synchronize the remaining items.
// Device compatibility for this procedure is not fully understood.
// NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
define('USE_PARTIAL_FOLDERSYNC', false);
// The minimum accepted time in second that a ping command should last.
// It is strongly advised to keep this config to false. Some device
// might not be able to send a higher value than the one specificied here and thus
// unable to start a push connection.
// If set to false, there will be no lower bound to the ping lifetime.
// The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
define('PING_LOWER_BOUND_LIFETIME', false);
// The maximum accepted time in second that a ping command should last.
// If set to false, there will be no higher bound to the ping lifetime.
// The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
define('PING_HIGHER_BOUND_LIFETIME', false);
// Maximum response time
// Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
// have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
// the answer will not be recieved and the device will send a new one overloading the server.
// There are three categories
// - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
// - Medium timeout - server has up to 90 seconds to respond
// - Long timeout - server has up to 4 minutes to respond
// If a timeout is almost reached the server will break and sent the results it has until this
// point. You can add DeviceType strings to the categories.
// In general longer timeouts are better, because more data can be streamed at once.
define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
// Time in seconds the device should wait whenever the service is unavailable,
// e.g. when a backend service is unavailable.
// Z-Push sends a "Retry-After" header in the response with the here defined value.
// It is up to the device to respect or not this directive so even if this option is set,
// the device might not wait requested time frame.
// Number of seconds before retry, to disable set to: false
define('RETRY_AFTER_DELAY', 300);
/**********************************************************************************
* Backend settings
*/
// the backend data provider
define('BACKEND_PROVIDER', '');
/**********************************************************************************
* Search provider settings
*
* Alternative backend to perform SEARCH requests (GAL search)
* By default the main Backend defines the preferred search functionality.
* If set, the Search Provider will always be preferred.
* Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
*/
define('SEARCH_PROVIDER', '');
// Time in seconds for the server search. Setting it too high might result in timeout.
// Setting it too low might not return all results. Default is 10.
define('SEARCH_WAIT', 10);
// The maximum number of results to send to the client. Setting it too high
// might result in timeout. Default is 10.
define('SEARCH_MAXRESULTS', 10);
/**********************************************************************************
* Kopano Outlook Extension - Settings
*
* The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
* functionality not provided by ActiveSync or not implemented by Outlook.
* For more information, see: https://wiki.z-hub.io/x/z4Aa
*/
// Global Address Book functionality
define('KOE_CAPABILITY_GAB', true);
// Synchronize mail flags from the server to Outlook/KOE
define('KOE_CAPABILITY_RECEIVEFLAGS', true);
// Encode flags when sending from Outlook/KOE
define('KOE_CAPABILITY_SENDFLAGS', true);
// Out-of-office support
define('KOE_CAPABILITY_OOF', true);
// Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
define('KOE_CAPABILITY_OOFTIMES', true);
// Notes support
define('KOE_CAPABILITY_NOTES', true);
// Shared folder support
define('KOE_CAPABILITY_SHAREDFOLDER', true);
// Send-As support for Outlook/KOE and mobiles
define('KOE_CAPABILITY_SENDAS', true);
// Secondary Contact folders (own and shared)
define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
// Copy WebApp signature into KOE
define('KOE_CAPABILITY_SIGNATURES', true);
// To synchronize the GAB KOE, the GAB store and folderid need to be specified.
// Use the gab-sync script to generate this data. The name needs to
// match the config of the gab-sync script.
// More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
define('KOE_GAB_STORE', 'SYSTEM');
define('KOE_GAB_FOLDERID', '');
define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
/**********************************************************************************
* Synchronize additional folders to all mobiles
*
* With this feature, special folders can be synchronized to all mobiles.
* This is useful for e.g. global company contacts.
*
* This feature is supported only by certain devices, like iPhones.
* Check the compatibility list for supported devices:
* http://z-push.org/compatibility
*
* To synchronize a folder, add a section setting all parameters as below:
* store: the ressource where the folder is located.
* Kopano users use 'SYSTEM' for the 'Public Folder'
* folderid: folder id of the folder to be synchronized
* name: name to be displayed on the mobile device
* type: supported types are:
* SYNC_FOLDER_TYPE_USER_CONTACT
* SYNC_FOLDER_TYPE_USER_APPOINTMENT
* SYNC_FOLDER_TYPE_USER_TASK
* SYNC_FOLDER_TYPE_USER_MAIL
* SYNC_FOLDER_TYPE_USER_NOTE
*
* Additional notes:
* - on Kopano systems use backend/kopano/listfolders.php script to get a list
* of available folders
*
* - all Z-Push users must have at least reading permissions so the configured
* folders can be synchronized to the mobile. Else they are ignored.
*
* - this feature is only partly suitable for multi-tenancy environments,
* as ALL users from ALL tenents need access to the configured store & folder.
* When configuring a public folder, this will cause problems, as each user has
* a different public folder in his tenant, so the folder are not available.
* - changing this configuration could cause HIGH LOAD on the system, as all
* connected devices will be updated and load the data contained in the
* added/modified folders.
*/
$additionalFolders = array(
// demo entry for the synchronization of contacts from the public folder.
// uncomment (remove '/*' '*/') and fill in the folderid
/*
array(
'store' => "SYSTEM",
'folderid' => "",
'name' => "Public Contacts",
'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
),
*/
);

418
etc-template/z-push/z-push.conf.php.dpkg-dist Normal file
View File

@@ -0,0 +1,418 @@
<?php
/***********************************************
* File : config.php
* Project : Z-Push
* Descr : Main configuration file
*
* Created : 01.10.2007
*
* Copyright 2007 - 2016 Zarafa Deutschland GmbH
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* Consult LICENSE file for details
************************************************/
/**********************************************************************************
* Default settings
*/
// Defines the default time zone, change e.g. to "Europe/London" if necessary
define('TIMEZONE', '');
// Defines the base path on the server
define('BASE_PATH', dirname($_SERVER['SCRIPT_FILENAME']). '/');
// Try to set unlimited timeout
define('SCRIPT_TIMEOUT', 0);
// This should be solved on THE webserver level if there are proxies
// between mobile client and Z-Push.
// IMPORTANT: This setting will be deprecated in Z-Push 2.7.0.
// Use a custom header to determinate the remote IP of a client.
// By default, the server provided REMOTE_ADDR is used. If the header here set
// is available, the provided value will be used, else REMOTE_ADDR is maintained.
// set to false to disable this behaviour.
// common values: 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP' (casing is ignored)
define('USE_CUSTOM_REMOTE_IP_HEADER', false);
// When using client certificates, we can check if the login sent matches the owner of the certificate.
// This setting specifies the owner parameter in the certificate to look at.
define("CERTIFICATE_OWNER_PARAMETER", "SSL_CLIENT_S_DN_CN");
/*
* Whether to use the complete email address as a login name
* (e.g. user@company.com) or the username only (user).
* This is required for Z-Push to work properly after autodiscover.
* Possible values:
* false - use the username only.
* true - string the mobile sends as username, e.g. full email address (default).
*/
define('USE_FULLEMAIL_FOR_LOGIN', true);
/**********************************************************************************
* StateMachine setting
*
* These StateMachines can be used:
* FILE - FileStateMachine (default). Needs STATE_DIR set as well.
* SQL - SqlStateMachine has own configuration file. STATE_DIR is ignored.
* State migration script is available, more informations: https://wiki.z-hub.io/x/xIAa
*/
define('STATE_MACHINE', 'FILE');
define('STATE_DIR', '/var/lib/z-push/');
/**********************************************************************************
* IPC - InterProcessCommunication
*
* Is either provided by using shared memory on a single host or
* using the memcache provider for multi-host environments.
* When another implementation should be used, the class can be set here explicitly.
* If empty Z-Push will try to use available providers.
* Possible values:
* IpcSharedMemoryProvider - default. Requires z-push-ipc-sharedmemory package.
* IpcMemcachedProvider - requires z-push-ipc-memcached package. It is necessary to set up
* memcached server before (it won't be installed by z-push-ipc-memcached).
* IpcWincacheProvider - for windows systems.
*/
define('IPC_PROVIDER', '');
/**********************************************************************************
* Logging settings
*
* The LOGBACKEND specifies where the logs are sent to.
* Either to file ("filelog") or to a "syslog" server or a custom log class in core/log/logclass.
* filelog and syslog have several options that can be set below.
* For more information about the syslog configuration, see https://wiki.z-hub.io/x/HIAT
* Possible LOGLEVEL and LOGUSERLEVEL values are:
* LOGLEVEL_OFF - no logging
* LOGLEVEL_FATAL - log only critical errors
* LOGLEVEL_ERROR - logs events which might require corrective actions
* LOGLEVEL_WARN - might lead to an error or require corrective actions in the future
* LOGLEVEL_INFO - usually completed actions
* LOGLEVEL_DEBUG - debugging information, typically only meaningful to developers
* LOGLEVEL_WBXML - also prints the WBXML sent to/from the device
* LOGLEVEL_DEVICEID - also prints the device id for every log entry
* LOGLEVEL_WBXMLSTACK - also prints the contents of WBXML stack
*
* The verbosity increases from top to bottom. More verbose levels include less verbose
* ones, e.g. setting to LOGLEVEL_DEBUG will also output LOGLEVEL_FATAL, LOGLEVEL_ERROR,
* LOGLEVEL_WARN and LOGLEVEL_INFO level entries.
*
* LOGAUTHFAIL is logged to the LOGBACKEND.
*/
define('LOGBACKEND', 'filelog');
define('LOGLEVEL', LOGLEVEL_INFO);
define('LOGAUTHFAIL', false);
// To save e.g. WBXML data only for selected users, add the usernames to the array
// The data will be saved into a dedicated file per user in the LOGFILEDIR
// Users have to be encapusulated in quotes, several users are comma separated, like:
// $specialLogUsers = array('info@domain.com', 'myusername');
define('LOGUSERLEVEL', LOGLEVEL_DEVICEID);
$specialLogUsers = array();
// Filelog settings
define('LOGFILEDIR', '/var/log/z-push/');
define('LOGFILE', LOGFILEDIR . 'z-push.log');
define('LOGERRORFILE', LOGFILEDIR . 'z-push-error.log');
// Syslog settings
// false will log to local syslog, otherwise put the remote syslog IP here
define('LOG_SYSLOG_HOST', false);
// Syslog port
define('LOG_SYSLOG_PORT', 514);
// Program showed in the syslog. Useful if you have more than one instance login to the same syslog
define('LOG_SYSLOG_PROGRAM', 'z-push');
// Syslog facility - use LOG_USER when running on Windows
define('LOG_SYSLOG_FACILITY', LOG_LOCAL0);
// Location of the trusted CA, e.g. '/etc/ssl/certs/EmailCA.pem'
// Uncomment and modify the following line if the validation of the certificates fails.
// define('CAINFO', '/etc/ssl/certs/EmailCA.pem');
/**********************************************************************************
* Mobile settings
*/
// Device Provisioning
define('PROVISIONING', true);
// This option allows the 'loose enforcement' of the provisioning policies for older
// devices which don't support provisioning (like WM 5 and HTC Android Mail) - dw2412 contribution
// false (default) - Enforce provisioning for all devices
// true - allow older devices, but enforce policies on devices which support it
define('LOOSE_PROVISIONING', false);
// The file containing the policies' settings.
// Set a full path or relative to the z-push main directory
define('PROVISIONING_POLICYFILE', 'policies.ini');
// Default conflict preference
// Some devices allow to set if the server or PIM (mobile)
// should win in case of a synchronization conflict
// SYNC_CONFLICT_OVERWRITE_SERVER - Server is overwritten, PIM wins
// SYNC_CONFLICT_OVERWRITE_PIM - PIM is overwritten, Server wins (default)
define('SYNC_CONFLICT_DEFAULT', SYNC_CONFLICT_OVERWRITE_PIM);
// Global limitation of items to be synchronized
// The mobile can define a sync back period for calendar and email items
// For large stores with many items the time period could be limited to a max value
// If the mobile transmits a wider time period, the defined max value is used
// Applicable values:
// SYNC_FILTERTYPE_ALL (default, no limitation)
// SYNC_FILTERTYPE_1DAY, SYNC_FILTERTYPE_3DAYS, SYNC_FILTERTYPE_1WEEK, SYNC_FILTERTYPE_2WEEKS,
// SYNC_FILTERTYPE_1MONTH, SYNC_FILTERTYPE_3MONTHS, SYNC_FILTERTYPE_6MONTHS
define('SYNC_FILTERTIME_MAX', SYNC_FILTERTYPE_ALL);
// Interval in seconds before checking if there are changes on the server when in Ping.
// It means the highest time span before a change is pushed to a mobile. Set it to
// a higher value if you have a high load on the server.
define('PING_INTERVAL', 30);
// Set the fileas (save as) order for contacts in the webaccess/webapp/outlook.
// It will only affect new/modified contacts on the mobile which then are synced to the server.
// Possible values are:
// SYNC_FILEAS_FIRSTLAST - fileas will be "Firstname Middlename Lastname"
// SYNC_FILEAS_LASTFIRST - fileas will be "Lastname, Firstname Middlename"
// SYNC_FILEAS_COMPANYONLY - fileas will be "Company"
// SYNC_FILEAS_COMPANYLAST - fileas will be "Company (Lastname, Firstname Middlename)"
// SYNC_FILEAS_COMPANYFIRST - fileas will be "Company (Firstname Middlename Lastname)"
// SYNC_FILEAS_LASTCOMPANY - fileas will be "Lastname, Firstname Middlename (Company)"
// SYNC_FILEAS_FIRSTCOMPANY - fileas will be "Firstname Middlename Lastname (Company)"
// The company-fileas will only be set if a contact has a company set. If one of
// company-fileas is selected and a contact doesn't have a company set, it will default
// to SYNC_FILEAS_FIRSTLAST or SYNC_FILEAS_LASTFIRST (depending on if last or first
// option is selected for company).
// If SYNC_FILEAS_COMPANYONLY is selected and company of the contact is not set
// SYNC_FILEAS_LASTFIRST will be used
define('FILEAS_ORDER', SYNC_FILEAS_LASTFIRST);
// Maximum amount of items to be synchronized per request.
// Normally this value is requested by the mobile. Common values are 5, 25, 50 or 100.
// Exporting too much items can cause mobile timeout on busy systems.
// Z-Push will use the lowest provided value, either set here or by the mobile.
// MS Outlook 2013+ request up to 512 items to accelerate the sync process.
// If you detect high load (also on subsystems) you could try a lower setting.
// max: 512 - value used if mobile does not limit amount of items
define('SYNC_MAX_ITEMS', 512);
// The devices usually send a list of supported properties for calendar and contact
// items. If a device does not includes such a supported property in Sync request,
// it means the property's value will be deleted on the server.
// However some devices do not send a list of supported properties. It is then impossible
// to tell if a property was deleted or it was not set at all if it does not appear in Sync.
// This parameter defines Z-Push behaviour during Sync if a device does not issue a list with
// supported properties.
// See also https://jira.z-hub.io/browse/ZP-302.
// Possible values:
// false - do not unset properties which are not sent during Sync (default)
// true - unset properties which are not sent during Sync
define('UNSET_UNDEFINED_PROPERTIES', false);
// ActiveSync specifies that a contact photo may not exceed 48 KB. This value is checked
// in the semantic sanity checks and contacts with larger photos are not synchronized.
// This limitation is not being followed by the ActiveSync clients which set much bigger
// contact photos. You can override the default value of the max photo size.
// default: 5242880 - 5 MB default max photo size in bytes
define('SYNC_CONTACTS_MAXPICTURESIZE', 5242880);
// Over the WebserviceUsers command it is possible to retrieve a list of all
// known devices and users on this Z-Push system. The authenticated user needs to have
// admin rights and a public folder must exist.
// In multicompany environments this enable an admin user of any company to retrieve
// this full list, so this feature is disabled by default. Enable with care.
define('ALLOW_WEBSERVICE_USERS_ACCESS', false);
// Users with many folders can use the 'partial foldersync' feature, where the server
// actively stops processing the folder list if it takes too long. Other requests are
// then redirected to the FolderSync to synchronize the remaining items.
// Device compatibility for this procedure is not fully understood.
// NOTE: THIS IS AN EXPERIMENTAL FEATURE WHICH COULD PREVENT YOUR MOBILES FROM SYNCHRONIZING.
define('USE_PARTIAL_FOLDERSYNC', false);
// The minimum accepted time in second that a ping command should last.
// It is strongly advised to keep this config to false. Some device
// might not be able to send a higher value than the one specificied here and thus
// unable to start a push connection.
// If set to false, there will be no lower bound to the ping lifetime.
// The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
define('PING_LOWER_BOUND_LIFETIME', false);
// The maximum accepted time in second that a ping command should last.
// If set to false, there will be no higher bound to the ping lifetime.
// The minimum accepted value is 1 second. The maximum accepted value is 3540 seconds (59 minutes).
define('PING_HIGHER_BOUND_LIFETIME', false);
// Maximum response time
// Mobiles implement different timeouts to their TCP/IP connections. Android devices for example
// have a hard timeout of 30 seconds. If the server is not able to answer a request within this timeframe,
// the answer will not be recieved and the device will send a new one overloading the server.
// There are three categories
// - Short timeout - server has up within 30 seconds - is automatically applied for not categorized types
// - Medium timeout - server has up to 90 seconds to respond
// - Long timeout - server has up to 4 minutes to respond
// If a timeout is almost reached the server will break and sent the results it has until this
// point. You can add DeviceType strings to the categories.
// In general longer timeouts are better, because more data can be streamed at once.
define('SYNC_TIMEOUT_MEDIUM_DEVICETYPES', "SAMSUNGGTI");
define('SYNC_TIMEOUT_LONG_DEVICETYPES', "iPod, iPad, iPhone, WP, WindowsOutlook, WindowsMail");
// Time in seconds the device should wait whenever the service is unavailable,
// e.g. when a backend service is unavailable.
// Z-Push sends a "Retry-After" header in the response with the here defined value.
// It is up to the device to respect or not this directive so even if this option is set,
// the device might not wait requested time frame.
// Number of seconds before retry, to disable set to: false
define('RETRY_AFTER_DELAY', 300);
/**********************************************************************************
* Backend settings
*/
// The backend data provider.
// Leave this value empty and Z-Push will autoload a backend. The sequence of autoload is:
// BackendKopano, BackendCombined, BackendIMAP, BackendVCardDir, BackendMaildir.
// If BackendKopano is not installed, Z-Push will load BackendCombined. If BackendCombined
// also is not installed, Z-Push will load BackendIMAP and so on.
// If you prefer explicitly configure a backend provider, currently possible values are:
// BackendKopano - to use with the Kopano groupware. Syncs emails, calendar items,
// contacts, tasks and notes or any combination of the listed items.
// BackendCombined - combine multiple backends for different items, e.g.
// BackendIMAP for emails, BackendCalDAV for calendar items,
// BackendCardDAV for contacts etc. You can configure what backend
// syncs which items in /etc/combined.conf.php.
// BackendIMAP - to sync emails with an IMAP server.
// BackendCalDAV - to sync calendar items and / or tasks with a CalDAV server.
// BackendCardDAV - to sync contacts with a CardDAV server.
// BackendMaildir - to sync emails from a Maildir.
// BackendStickyNote - to sync notes with a Postgres server.
// BackendVCardDir - to sync contacts with vcard folder.
define('BACKEND_PROVIDER', '');
/**********************************************************************************
* Search provider settings
*
* Alternative backend to perform SEARCH requests (GAL search)
* By default the main Backend defines the preferred search functionality.
* If set, the Search Provider will always be preferred.
* Use 'BackendSearchLDAP' to search in a LDAP directory (see backend/searchldap/config.php)
*/
define('SEARCH_PROVIDER', '');
// Time in seconds for the server search. Setting it too high might result in timeout.
// Setting it too low might not return all results. Default is 10.
define('SEARCH_WAIT', 10);
// The maximum number of results to send to the client. Setting it too high
// might result in timeout. Default is 10.
define('SEARCH_MAXRESULTS', 10);
/**********************************************************************************
* Kopano Outlook Extension - Settings
*
* The Kopano Outlook Extension (KOE) provides MS Outlook 2013 and newer with
* functionality not provided by ActiveSync or not implemented by Outlook.
* For more information, see: https://wiki.z-hub.io/x/z4Aa
*/
// Global Address Book functionality
define('KOE_CAPABILITY_GAB', true);
// Synchronize mail flags from the server to Outlook/KOE
define('KOE_CAPABILITY_RECEIVEFLAGS', true);
// Encode flags when sending from Outlook/KOE
define('KOE_CAPABILITY_SENDFLAGS', true);
// Out-of-office support
define('KOE_CAPABILITY_OOF', true);
// Out-of-office support with start & end times (superseeds KOE_CAPABILITY_OOF)
define('KOE_CAPABILITY_OOFTIMES', true);
// Notes support
define('KOE_CAPABILITY_NOTES', true);
// Shared folder support
define('KOE_CAPABILITY_SHAREDFOLDER', true);
// Send-As support for Outlook/KOE and mobiles
define('KOE_CAPABILITY_SENDAS', true);
// Secondary Contact folders (own and shared)
define('KOE_CAPABILITY_SECONDARYCONTACTS', true);
// Copy WebApp signature into KOE
define('KOE_CAPABILITY_SIGNATURES', true);
// Delivery receipt requests
define('KOE_CAPABILITY_RECEIPTS', true);
// Impersonate other users
define('KOE_CAPABILITY_IMPERSONATE', true);
// To synchronize the GAB KOE, the GAB store and folderid need to be specified.
// Use the gab-sync script to generate this data. The name needs to
// match the config of the gab-sync script.
// More information here: https://wiki.z-hub.io/x/z4Aa (GAB Sync Script)
define('KOE_GAB_STORE', 'SYSTEM');
define('KOE_GAB_FOLDERID', '');
define('KOE_GAB_NAME', 'Z-Push-KOE-GAB');
/**********************************************************************************
* Synchronize additional folders to all mobiles
*
* With this feature, special folders can be synchronized to all mobiles.
* This is useful for e.g. global company contacts.
*
* This feature is supported only by certain devices, like iPhones.
* Check the compatibility list for supported devices:
* http://z-push.org/compatibility
*
* To synchronize a folder, add a section setting all parameters as below:
* store: the ressource where the folder is located.
* Kopano users use 'SYSTEM' for the 'Public Folder'
* folderid: folder id of the folder to be synchronized
* name: name to be displayed on the mobile device
* type: supported types are:
* SYNC_FOLDER_TYPE_USER_CONTACT
* SYNC_FOLDER_TYPE_USER_APPOINTMENT
* SYNC_FOLDER_TYPE_USER_TASK
* SYNC_FOLDER_TYPE_USER_MAIL
* SYNC_FOLDER_TYPE_USER_NOTE
* flags: sets additional options on the shared folder. Supported are:
* DeviceManager::FLD_FLAGS_NONE
* No flags configured, default flag to be set
* DeviceManager::FLD_FLAGS_SENDASOWNER
* When replying in this folder, automatically do Send-As
* DeviceManager::FLD_FLAGS_CALENDARREMINDERS
* If set, Outlook shows reminders for these shares with KOE
* DeviceManager::FLD_FLAGS_NOREADONLYNOTIFY
* If set, Z-Push won't send notification emails for changes
* if the folder is read-only
*
* Additional notes:
* - on Kopano systems use backend/kopano/listfolders.php script to get a list
* of available folders
*
* - all Z-Push users must have at least reading permissions so the configured
* folders can be synchronized to the mobile. Else they are ignored.
*
* - this feature is only partly suitable for multi-tenancy environments,
* as ALL users from ALL tenents need access to the configured store & folder.
* When configuring a public folder, this will cause problems, as each user has
* a different public folder in his tenant, so the folder are not available.
* - changing this configuration could cause HIGH LOAD on the system, as all
* connected devices will be updated and load the data contained in the
* added/modified folders.
*/
$additionalFolders = array(
// demo entry for the synchronization of contacts from the public folder.
// uncomment (remove '/*' '*/') and fill in the folderid
/*
array(
'store' => "SYSTEM",
'folderid' => "",
'name' => "Public Contacts",
'type' => SYNC_FOLDER_TYPE_USER_CONTACT,
'flags' => DeviceManager::FLD_FLAGS_NONE,
),
*/
);