CGP - Initial configuration


1. Local Networks

Go to Settings/Network/LAN IPs and:

  • set LAN IPs to 10.20.0.0-10.20.255.255
  • set WAN IPv4 Address to 192.168.92.128
  • set Server LAN IP address to 10.20.0.1

2. Domain Defaults

  • Disabled Services:
    • FTP, RADIUS, AirSync, PWD, ACAP
  • Account Storage:
    • Foldering Method = Flat
  • Account Provisioning:
    • Free Auto-Signup = Disabled
    • Consult External on Provision = No
  • Domain Storage:
    • Foldering method = Flat

"Force SMTP AUTH" tells CGP how to treat remote SMTP senders that claim to belong to one of our local domains, e.g. ourdom.com; senders claiming any other domain bypass this check. The option further triages such senders into clients and non-clients: clients are machines with IP addresses in one of the local networks. We force the password check for non-clients only, which simplifies the configuration of SMTP mailers on local machines. SMTP mailers in our domain (or claiming to be) that are not in our local networks are most probably employee desktops or notebooks, and they should have a user password configured.
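The client/non-client triage described above, written out as an added Python model of the policy (this is not CGP's code); it assumes the LAN IPs from section 1 are the client networks and that ourdom.com is the only local domain:

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the settings on this page. Assumption: "clients" are the
# hosts inside the LAN IPs of section 1, and ourdom.com is the only local domain.
LOCAL_DOMAINS = {"ourdom.com"}
CLIENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]  # 10.20.0.0-10.20.255.255


@dataclass
class SmtpSession:
    peer_ip: str         # address the SMTP sender connected from
    mail_from: str       # envelope sender given in MAIL FROM
    authenticated: bool  # True if SMTP AUTH succeeded earlier in the session


def is_client(ip: str) -> bool:
    """A client is any host inside one of the local (LAN) networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLIENT_NETWORKS)


def sender_domain(address: str) -> str:
    """Domain part of a MAIL FROM address, with optional <> brackets removed."""
    return address.rsplit("@", 1)[-1].strip("<>").lower()


def accept_mail_from(session: SmtpSession):
    """Force SMTP AUTH = non-clients, as the page describes it.

    Returns (accepted, reason). Only senders claiming a local domain are subject
    to the check; a foreign sender domain bypasses it entirely."""
    if sender_domain(session.mail_from) not in LOCAL_DOMAINS:
        return True, "foreign sender domain: Force SMTP AUTH does not apply"
    if session.authenticated:
        return True, "local domain, password verified via SMTP AUTH"
    if is_client(session.peer_ip):
        return True, "local domain from a client network, no password needed"
    return False, "local domain from a non-client address: SMTP AUTH required"


if __name__ == "__main__":
    # Constructed sample sessions: an office server, a notebook on the road, a stranger
    for s in (SmtpSession("10.20.3.7", "app@ourdom.com", False),
              SmtpSession("203.0.113.5", "alice@ourdom.com", False),
              SmtpSession("203.0.113.5", "alice@ourdom.com", True),
              SmtpSession("203.0.113.5", "bob@example.org", False)):
        print(s.peer_ip, s.mail_from, accept_mail_from(s))
```

Acceptance of the claimed sender is all this decides; whether such a message may be relayed to outside recipients is a separate relay decision.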

3. Account Defaults

Users / Account Defaults / Settings

  • Common:
    • State/Province = Saint Petersburg
    • City = Saint Petersburg
    • Unit = Staff
  • Authentication:
    • Secure Only = Yes
    • CommuniGate Password = Enabled
    • Password Modification = Prohibit
    • Password Encryption = A-crpt
    • Password Recovery = Disabled
    • Kerberos = Disabled
    • Certificate = Disabled
    • External Password = Disabled
    • OS Username = *
    • OS Password = Disabled
    • Alt RADIUS Password = none
    • Alt SIP Password = none
  • Disabled Services:
    • AirSync, PWD, RADIUS, FTP, ACAP
  • Mail:
    • Mail Storage Limit = 300M
    • Mailbox Limit = 100
    • Message Size Limit = 30M
    • New Mailbox Format = Text
    • Allowed Mail Rules = Filters Only
    • RPOP Modifications = Allow
    • Accepts Mail to "all" = Yes
    • Add Trailer to Sent Mail = No
  • Files:
    • File Storage Limit = 3M
    • File Size Limit = 3M
    • Files Limit = 30
    • Add Banner to HTML = No

Users / Account Defaults / Preferences

  • Language = English
  • Time Zone = Europe/Moscow

4. LDAP

1. Listening ports in Settings/Services/LDAP/(Listener): change the ports to 5389 (non-secure) and 5636 (SSL). Suspend the non-secure port by granting access only to 10.20.254.254.

2. Directory integration in Users/Directory Integration:

  • Custom Account Settings: st, l, ou, surname
  • Public Info: telephoneNumber
  • Attributes translation:
    • surname ==> sn
  • Domain Subtree Base DN = o=ourdom (Create It)
  • Regular Domains Copy into Account Records:
    • Passwords = No
    • Standard Settings = Yes
  • LDAP Attribute Processing:
    • Substitute 'mail' with 'uid' in conditions = yes
    • Compose 'mail' using 'uid' = yes
    • Ignore 'objectCategory' conditions = yes
  • Directory-based Domains = Enable
  • LDAP direct Provisioning = Enable
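The "Attributes translation" and "LDAP Attribute Processing" switches above, modelled in Python as an added example (not CommuniGate Pro's code): it assumes simple filters made of (attr=value) terms and uses ourdom.com as the directory-based domain.

```python
import re

# Constructed model of the "surname ==> sn" translation and the three
# "LDAP Attribute Processing" switches from this page. It illustrates their
# effect on a directory query; it is not CommuniGate Pro's own code (assumption).
DOMAIN = "ourdom.com"                        # the directory-based domain
ATTRIBUTE_TRANSLATION = {"surname": "sn"}    # account setting -> LDAP attribute

# One (attr=value) term of a simple RFC 4515 filter; nested (&...) / (|...)
# filters work too, because only the innermost terms match this pattern.
_TERM = re.compile(r"\((\w+)=([^()]*)\)")


def rewrite_filter(ldap_filter: str) -> str:
    """Rewrite an incoming search filter the way the page's switches do."""
    def fix(match):
        attr, value = match.group(1), match.group(2)
        if attr.lower() == "objectcategory":
            # Ignore 'objectCategory' conditions = yes: neutralise the term
            # (some address-book clients send objectCategory=person)
            return "(objectClass=*)"
        if attr.lower() == "mail":
            # Substitute 'mail' with 'uid' in conditions = yes: account records
            # hold no 'mail' attribute, so search the local part as 'uid'
            return f"(uid={value.split('@', 1)[0]})"
        return match.group(0)
    return _TERM.sub(fix, ldap_filter)


def export_entry(account: dict) -> dict:
    """Build the directory record published for an account (uid + settings)."""
    entry = {ATTRIBUTE_TRANSLATION.get(name, name): value
             for name, value in account.items()}
    # Compose 'mail' using 'uid' = yes: the address is derived, not stored
    entry["mail"] = f"{account['uid']}@{DOMAIN}"
    return entry


if __name__ == "__main__":
    # Constructed sample query and account record
    print(rewrite_filter("(&(objectCategory=person)(mail=john@ourdom.com))"))
    print(export_entry({"uid": "john", "surname": "Doe", "st": "Saint Petersburg"}))
```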

5. Main domain

  • Rename main domain in Settings/General to communigate
  • Add main domain aliases via Users/Domains/communigate/Domain Settings:
    • admin, cgpro.ourdom.com, admin.ourdom.com
  • Assigned IP Addresses: change to Manually Defined and remove 127.0.0.1.
  • Users/Domains/communigate/Domain Settings:
    • Mail to All is distributed for = nobody
    • Mail to All is sent to Forwarders = default(No)
  • LDAP Integration:
    • Delete All
    • Keep in Sync
    • Insert All
  • Objects/postmaster:
    • Re-enter passwords for postmaster and pbx so that they are re-encrypted as A-crpt

1. Before you switch the Directory Integration setting from Disabled to Keep In Sync (for the main domain), click the Delete All button and then the Insert All button to synchronize the Directory with the current Domain Objects set.

2. Relocating Units and Domains between subtrees SUCKS. Do everything IN ADVANCE.

6. Secondary Domain

Create the secondary domain as the directory-managed domain ourdom.com and add aliases in Users/Domains/ourdom.com/Domain Settings:

  • webserver.ourdom.com, mail.ourdom.com, local.ourdom.com, mail, localhost
  • Administrator domain = communigate
  • Assigned IP Addresses = All available
  • Mail to All is distributed for = Authenticated Domain Users
  • Account Defaults/Preferences:
    • Language = Russian
  • Account Defaults/Settings:
    • Authentication/Password Encryption = A-crpt

Setting the encryption to UB-crpt (1) contradicts A-crpt and (2) leads to the error "your encoded password cannot be used for secure logins" when you try to connect with this account via SSL SIP or SSL Jabber.

IMPORTANT: Now you can switch to the main domain and remove the 127.0.0.1 interface from it. But above we set "IP Address for SMTP Send = first in Domain", so make sure your primary external address is the first one in the list of domain addresses. If it is preceded by 127.0.0.1, either leave the loopback on the main domain or manually change the order of the addresses.

7. Security

Set up the Certificate Authority as described in the "Security" section.
Copy-paste /etc/pki/ca/ca.crt into Users/Security/Enter a PEM-encoded Certificate and press Set Certificate. Verify that the certificate info was appended to the certificate list on the page.
For each of the domains ourdom.com and admin.ourdom.com:

  • Set Users/Domains/ourdom.com/Security/SSL-TLS/PKI Services = Enabled
  • Create private key 2048 bits in strength
  • Create a certificate request via .../SSL-TLS/Certificate Generator:
    Common Name: mail.ourdom.com
    Country: RU
    Province: Moscow
    City: Moscow
    Organization: Vitki Net Msk
    Unit: Mail Services
    Contact: postmaster@ourdom.com

and click Create Signing Request. It is important that the certificate is created for the mail host name and not for a domain or subdomain mask. Now accept the request:

$ mkdir /etc/pki/mail && cd /etc/pki/mail
$ cat > mail.csr
(paste the signing request, then press Ctrl-D)
$ /etc/pki/ca/auto-sign . mail
mail.csr already exists. Do you want to use it [y/n] ? y
Enter pass phrase for private/ourdom-ca.key: pass123
$ cat mail.crt

and paste the result into .../SSL-TLS/Enter a PEM-encoded Certificate. Verify that .../SSL-TLS/Domain Certificate displays the new certificate.
Request client certificates to be signed by your CA: set Request Client Certificates/Issued by = Our Dom CA and Request Client Certificates/Required = No. Do not enable the Required option, because the HTTPS interface of your CGP mail would then require an SSL certificate from the proxy server. Proxying non-SSL CGP pages leads to the "clear text password not allowed" error.

8. Other Settings

  • Configure syslog via Monitors/Logs/Server:
    • Server address = 127.0.0.1
    • Records to send = Major & Failures
  • Enable remote logging via syslog: add -r to SYSLOGD_OPTIONS in /etc/sysconfig/rsyslogd and restart syslog. Then check /var/log/maillog.
  • Set SIP Timer B to 5 sec to avoid long invitation timeouts:
    • Settings/Real-Time/SIP/Sending: Timer B = 5 sec
  • Reduce log thrashing:
    • Settings/Services/HTTPA: Log Level = Failures
    • Settings/Services/HTTPU: Log Level = Failures

To let Outlook Express 4.x users submit messages via secure connections, you should configure the SMTP listener to accept connections on the TCP port 465, and enable the SSL/TLS option for that port.

  • Enable POP3s - go to Settings/Access/POP/Listener and set
    • Port: 995
    • Init SSL: ON
