Before we start

We make the following assumptions to make it easier understanding the configuration. You should however use your own, real values for these items:

• The domain that I want to receive mail on is “example.com”. Users are like “user1@example.com”, “user2@example.com”.
• The hostname for the mail server is “pegasus”, so the full domain name for that server is “pegasus.example.com”.
• Whenever I use the term “server control panel”, I am referring to the aklwebhost.com panel.

Preparing the server (VPS)

Start by deploying your aklwebhost.com server instance. I chose 1 GB VPS running CentOS 6, 32-bit. When the installation is finished, we prepare the server to become a mail server.

In the “My Servers” screen of the server control panel, click on the “Manage” link next to your newly created server. On the page that opens, you can see the details for your server. Click on the IPv4 tab, then click the blue “Update” button. A text input field appears and it is pre-set with something like “.aklwebhost.com”. Replace that entry with the full domain name of your server (example: pegasus.example.com) and press the blue “Update” button.

Now it’s time to log into the new server. Open your ssh terminal and connect to your server. Alternatively, you can click the blue “View Console” button to get browser window with the login screen of your server.

ssh root@your_ip_address

The “your_ip_address” part is the main IP address as listed in the server control panel. If you use the browser to connect to your server, then simply login as root with your root password.

First, we setup the correct domain name. Open the network configuration file.

nano /etc/sysconfig/network

Replace “aklwebhost.guest” with the full domain name of your server (Example: pegasus.example.com). Save the file with Ctrl + X, then Y.

The second spot we change is the /etc/hosts file.

nano /etc/hosts

Add the following line. It can be at the top of the file or the second line.

127.0.1.1 pegasus.example.com pegasus

Save the file with Ctrl + X, then Y. I like to make sure that everything works after a reboot, so I reboot the VPS after those changes.

reboot

Give the machine a moment to reboot, then connect again.

ssh root@your_ip_address

Yaffas and Zarafa need the EPEL repository, which is already installed in the sources on aklwebhost.com servers. They need the RPMforge repository too. Issue the following command to install that repository.

32-Bit Systems:

rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

64-Bit Systems:

rpm -Uvh http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Next, we add the Yaffas repository.

nano /etc/yum.repos.d/yaffas.repo

Paste the following text into the newly created file:

[yaffas]
name = yaffas $releasever
baseurl = http://repo.yaffas.org/releases/latest/rhel/$releasever
enabled = 1
protect = 0
gpgcheck = 1
priority = 1

Save the file with Ctrl + X, then Y.

To avoid compatibility issues, we need to exclude some items from the EPEL repository. Open the repository file.

nano /etc/yum.repos.d/epel.repo

Then in the [epel] section, right below the “gpgkey” line, enter the following.

exclude=clamav* clamd* amavisd* libvmime libical libvmime-devel libical-devel php-mapi zarafa*

The complete section will look like this:

[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/6/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=$basearch
failovermethod=priority
enabled=1 
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
exclude=clamav* clamd* amavisd* libvmime libical libvmime-devel libical-devel php-mapi zarafa*

Save the file with Ctrl + X, then Y.

Import the GPG key for the Yaffas repository:

rpm --import http://repo.yaffas.org/repo.rpm.key

Now, let’s clean up yum.

yum clean all

At this point, we should be all set for the Yaffas installation. Install it by simply entering this command.

yum install yaffas

Yum will check the dependencies and give you a summary.

Install 359 Package(s)

Total download size: 260 M
Installed size: 639 M
Is this ok [y/N]:

Press Y, then Enter/Return to start the installation.

Installation will take a while, so treat yourself to a coffee and cookie while waiting for the installation to finish.

MySQL

Before we can start the final setup, we have to configure MySQL. Start MySQL and begin the secure setup.

service mysqld restart
mysql_secure_installation

In order to log into MySQL to secure it, we’ll need the current password for the root user. If you’ve just installed MySQL, and you haven’t set the root password yet, the password will be blank, so you should just press Enter/Return here.

Enter current password for root (enter for none): **{press Enter/Return}**

[...]

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] **Y**

New password: **{enter super secret password}**
Re-enter new password: **{enter super secret password again}**

Remove anonymous user? [Y/n] **Y**

Disallow root login remotely? [Y/n] **Y**

Remove test database and access to it? [Y/n] **Y**

Reload privilege tables now? [Y/n] **Y**

Configuration

Open a web browser and go to the following URL.

http://your_ip_address:10000

#If you have a DNS entry already, use this instead.
http://server.example.com:10000

The initial username is admin with password yaffas.

After logging in, you will see the setup wizard. It has 5 steps. Press “Next” to start.

The first step is to enter a new admin password. Enter the new password twice. Make sure it is complicated enough to be safe, but don’t forget it. Then click “Next”.

The next screen configures the MySQL backend. The only thing that you need to enter is the password you created for the MySQL root user.

On the 4th screen, setup your mail domain. Enter “example.com” in the primary mail domain field. This must be your own domain. Press “Next”.

I believe the 5th screen is optional, but just to be on the safe side, create a user account who will be the LDAP admin, then click “Finish”.

It will take a while until the setup finishes. Once it completes, a popup appears that tells you everything was successful. Click the “OK” button. After a moment, you will see the login screen again. You can login as admin with the new password that you created during the setup.

Extras

During the installation, some general self-signed certificates for the app are generated and installed. Personally, I prefer to have my own self-signed certificates to show the values that I entered and I also want to make sure that all requests are sent over HTTPS.

Zarafa comes with a few scripts to generate your own certificates. These are of course self-signed certificates.

Let’s make a home for the certificate authority.

mkdir -p /etc/zarafa/ssl
chmod 700 /etc/zarafa/ssl
cd /etc/zarafa/ssl

… then run the script:

sh /usr/share/doc/zarafa/ssl-certificates.sh server

The parameter “server” means the certificate we create will be called server.pem.

You will be greeted with the following message.

No Certificate Authority Root found in current directory.
Press enter to create, or ctrl-c to exit.

Press Enter or Return.

The next message that appears is:

CA certificate filename (or enter to create)

Press Enter or Return to continue and create the CA Certificate.

After a little activity on the screen, you will get a prompt to enter the PEM passphrase. Enter any passphrase for the CA certificate, but make sure that you don’t forget it, as you will need it later. For simplicity’s sake, let’s assume we chose the passphrase “ca-root-pem”.

Answer the questions to generate the certificate. The answers here are my examples, so replace them with the correct values for yourself.

Country Name (2 letter code) [XX]: **MY**
State or Province Name (full name) []:**Selangor**
Locality Name (eg, city) [Default City]: **Shah Alam**
Organization Name (eg, company) [Default Company Ltd]: **ELMIMA-Systems**
Organizational Unit Name (eg, section) []: **Certificate Authority**
Common Name (eg, your name or your server's hostname) []:**server.example.com** **Must be the full domain name of your server**
Email Address []: **admin@example.com**

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: **Enter/Return**
An optional company name []: **Enter/Return**

Next, it will ask you for the passphrase of the cakey.pem file. This is the passphrase that you created earlier.

Enter pass phrase for /etc/pki/CA/private/./cakey.pem:ca-root-pem

You will see a little activity on the screen, then it will prompt you for a PEM passphrase. This is the passphrase for the server.pem file we created. Enter anything that you would like, but make sure that you don’t forget it. For simplicity we will use “server-pem-phrase”.

Enter PEM pass phrase:**server-pem-phrase**
Verifying - Enter PEM pass phrase:**server-pem-phrase**

Time to enter the values for the server.pem file.

Country Name (2 letter code) [XX]: **MY**
State or Province Name (full name) []:**Selangor **
Locality Name (eg, city) [Default City]: **Shah Alam**
Organization Name (eg, company) [Default Company Ltd]: **ELMIMA-Systems**
Organizational Unit Name (eg, section) []: **Server SSL Certificate**
Common Name (eg, your name or your server's hostname) []: **server.example.com** **Must be the full domain name of your server**
Email Address []: admin@example.com


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: **Enter/Return**
An optional company name []: **Enter/Return**

Enter pass phrase for /etc/pki/CA/private/cakey.pem:ca-root-pem **Replace with your own passphrase**

Some activity on the screen shows that the certificate is generated.

Sign the certificate? [y/n]:

Enter Y and press Enter/Return.

1 out of 1 certificate requests certified, commit? [y/n]

Enter Y and press Enter/Return.

Create public key from this certificate? [y]

We don’t really need it but I guess it doesn’t hurt to create it. Simply press Enter/Return.

Enter pass phrase for server.pem: **server-pem-phrase**

Now it’s time to configure the server.cfg file for Zarafa.

nano /etc/zarafa/server/cfg

Find the entry server_ssl_enabled and change its value to “yes” (without the quotes).

Find the entry server_ssl_port and confirm that it is 237.

Find the entry server_ssl_key_file and set its value to “/etc/zarafa/ssl/server.pem” (without the quotes).

Create the entry server_ssl_key_pass use the passphrase that you created for the server.pem file (example: server-pem-phrase) as its value.

Find the entry server_ssl_ca_file. The original documentation for Zarafa assumes that the path is /etc/zarafa/ssl/demoCA/cacert.pem, however on CentOS, the path is /etc/pki/CA/cacert.pem. Update this value accordingly.

server_ssl_ca_file = /etc/pki/CA/cacert.pem

Restart the Zarafa server.

service zarafa restart

Let’s generate the certificate for Apache.

cd /etc/zarafa/ssl
openssl req -nodes -newkey rsa:2048 -keyout zarafa-ssl.key -out zarafa-ssl.csr

We get another form to create a certificate.

Country Name (2 letter code) [XX]: **MY **
State or Province Name (full name) []: **Selangor**
Locality Name (eg, city) [Default City]: **Shah Alam**
Organization Name (eg, company) [Default Company Ltd]: **ELMIMA-Systems**
Organizational Unit Name (eg, section) []: **Zarafa Web Services**
Common Name (eg, your name or your server's hostname) []: **server.example.com** **Must be the full domain name of your server**
Email Address []: **admin@example.com**

Then, sign the certificate.

openssl x509 -req -in ./zarafa-ssl.csr -signkey zarafa-ssl.key -out zarafa-ssl.crt -days 9999

… and add it to Apache.

cd /etc/httpd/conf.d
nano ssl.conf

Find the line “SSLCertificateFile /opt/yaffas/etc/ssl/certs/zarafa-webaccess.crt” and change it to “SSLCertificateFile /etc/zarafa/ssl/zarafa-ssl.crt”.

Find the line “SSLCertificateKeyFile /opt/yaffas/etc/ssl/certs/zarafa-webaccess.key” and change it to “SSLCertificateKeyFile /etc/zarafa/ssl/zarafa-ssl.key”

Save the file and quit.

Now, open the zarafa-webapp.conf file.

nano /etc/httpd/zarafa-webapp.conf

Find the following 2 lines and uncomment them.

#php_flag session.cookie_secure on
#php_flag session.cookie_httponly on

Add the following lines.

RewriteEngine On
RewriteCond % !=on
RewriteRule (.*) https://pegasus.example.com/webapp/ [R] (Of course use your own real domain here)

Save the file and quit. Then restart Apache.

service httpd restart

Now the web app will always use HTTPS. You can do the same for zarafa-webapp.conf.

Remarks

When testing the installation on CentOS, I noticed some error messages due to missing folders. You can fix it with the following commands.

mkdir -p /var/run/policyd-weight/cores/master
mkdir -p /var/run/policyd-weight/cores/cache
chown -R polw /var/run/policyd-weight

To use your new Zarafa server as the mail server for your domain, you will need to setup both an A record and an MX record for your domain. If desired, you can use your favorite search engine to find an SPF Wizard, which makes it easy to create an SPF record for your domain.