Re: [SOGo] Large deployments
On Fri, Dec 20, 2013 at 11:41:26AM +0100, Albert Shih wrote:
> > We kill sogod's that has been running for more than 15 cpuminutes, as
> > these are normally stuck in something. I believe your sogod's must be
> > stuck..
>
> Well I try this, actually only manually, for example I just kill some
> sogod process who eat ~150:00:00 time (since yesterday) and that make
> sogo crash (no more connection on the web-gui, need a service sogod
> restart).
>
> How you manage the kill ?

We run this cronjob every 5 minute:

---
#! /bin/sh -
#
# Kill sogo-processes that's been running too long.

too_long=15 # 00-59 minutes

ps -u sogo -opid,ppid,cputime | grep -v PPID | while read pid ppid time
do
    # Don't kill main daemon.
    if test "x$ppid" != "x1"
    then
        minutes=$(echo "$time" | cut -d: -f2)
        if test "$minutes" -gt "$too_long"; then
            echo "Killing $pid"
            ps -fp "$pid"
            kill -9 "$pid"
        fi
    fi
done
---

> Can I ask what linux you using ?

RHEL6.

-jf
--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] Large deployments
On Fri, Dec 20, 2013 at 07:35:40AM -0500, Ludovic Marcotte wrote:
> On 2013-12-20 5:41 AM, Albert Shih wrote:
> > Well I try this, actually only manually, for example I just kill some
> > sogod process who eat ~150:00:00 time (since yesterday) and that make
> > sogo crash (no more connection on the web-gui, need a service sogod
> > restart).
>
> That's because you killed the parent process, and not one of its child
> workers. You must never do that.
>
> There are a couple of things you should look at for under-performing
> sogod child processes:
>
> 1. make sure your IMAP server is fast. Look at Cyrus IMAP Server or
>    Dovecot with indexes.

Dovecot in high performance mode, with auth caching:

    http://wiki2.dovecot.org/LoginProcess
    http://wiki2.dovecot.org/Authentication/Caching

> You might also want to use imapproxy in between SOGo and your imap server

For us we saw no benefit in using an imapproxy, rather a tiny performance
decrease:

    http://dovecot.org/list/dovecot/2012-February/133544.html

and then it's definitely not worth the hassle of having yet another service
running.

-jf
Re: [SOGo] Large deployments
On Wed, Dec 18, 2013 at 03:55:22PM +0100, Albert Shih wrote:
> > We at the Universität Konstanz in Germany have more than 16000 users.
>
> Can you describe your infrastructure ? How many server ? (hardware
> Virtual), what size (Ram, CPU) ?

We have around 30.000 unique users daily. The sogo-servers are 5 virtual
machines with 4 cpus and 8 GB memory each. Top output from one of these
right now:

top - 16:17:22 up 15 days, 15:54,  1 user,  load average: 0.16, 0.09, 0.03
Tasks: 277 total,   2 running, 275 sleeping,   0 stopped,   0 zombie
Cpu0  :  2.0%us,  0.7%sy,  0.0%ni, 97.0%id,  0.3%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu1  :  1.7%us,  0.3%sy,  0.0%ni, 98.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Cpu2  :  3.7%us,  1.0%sy,  0.0%ni, 94.6%id,  0.0%wa,  0.0%hi,  0.7%si,  0.0%st
Cpu3  :  0.3%us,  0.7%sy,  0.0%ni, 98.7%id,  0.0%wa,  0.0%hi,  0.3%si,  0.0%st
Mem:   8059428k total,  5849244k used,  2210184k free,   540264k buffers
Swap:  2097144k total,    26476k used,  2070668k free,  2298216k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 6580 root      20   0  273m 115m 3844 S  0.0  1.5  36:49.53 splunkd
 7997 sogo      20   0  381m  62m 8796 S  0.0  0.8   0:44.65 sogod
 6438 sogo      20   0  380m  60m 8108 S  0.0  0.8   0:55.09 sogod
 2730 sogo      20   0  379m  59m 8708 S  0.0  0.8   0:42.99 sogod
 6035 sogo      20   0  378m  59m 8568 S  0.0  0.8   0:44.89 sogod
 6459 sogo      20   0  379m  59m 8164 S  0.0  0.8   0:51.07 sogod
17130 sogo      20   0  378m  59m 8672 S  0.0  0.8   0:46.98 sogod
13702 sogo      20   0  379m  58m 8600 S  0.0  0.7   0:43.08 sogod
 6428 sogo      20   0  380m  58m 8356 S  0.0  0.7   0:51.75 sogod
25734 sogo      20   0  376m  57m 8896 S  0.0  0.7   0:42.47 sogod
 8076 sogo      20   0  375m  56m 8616 S  0.0  0.7   0:38.01 sogod
 2725 sogo      20   0  375m  56m 8336 S  2.7  0.7   0:35.36 sogod
 2690 sogo      20   0  372m  55m 8388 S  0.0  0.7   0:38.71 sogod
14427 sogo      20   0  374m  55m 8620 S  0.0  0.7   0:36.37 sogod
 8090 sogo      20   0  374m  55m 8552 S  0.0  0.7   0:36.86 sogod
23322 sogo      20   0  375m  54m 8244 S  0.0  0.7   0:28.58 sogod
13543 sogo      20   0  373m  54m 8448 S  0.0  0.7   0:25.63 sogod
 9580 sogo      20   0  372m  54m 8584 S  0.0  0.7   0:34.44 sogod
28024 sogo      20   0  372m  53m 8780 S  0.0  0.7   0:33.48 sogod
 7722 sogo      20   0  374m  53m 8640 S  0.0  0.7   0:35.03 sogod
 8991 sogo      20   0  373m  52m 8272 S  0.0  0.7   0:23.42 sogod
 8411 sogo      20   0  369m  50m 8496 S  0.0  0.6   0:34.35 sogod
 6863 sogo      20   0  369m  50m 8016 S  0.0  0.6   0:32.21 sogod
Re: [SOGo] Large deployments
On Wed, Dec 18, 2013 at 05:32:01PM +0100, Martin Rabl wrote:
> On 18.12.2013 17:24, Jan-Frode Myklebust wrote:
> > On Wed, Dec 18, 2013 at 04:32:41PM +0100, Martin Rabl wrote:
> > > On 18.12.2013 16:28, Jan-Frode Myklebust wrote:
> > >
> > > Are you using clustered database servers?
> >
> > No, just a single active server, plus warm standby.
>
> That single server holds all data for the 5 virtual machines (= 5 SOGo
> servers?) and the instances use them together?

Yes. Single VM, with 16GB memory, 4 virtual cpus and ~30GB database.

-jf
Re: [SOGo] SOGo autoconfiguration for iOS and OSX
Never mind, this seems to cover my questions: http://www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html -jf -- users@sogo.nu https://inverse.ca/sogo/lists
[SOGo] (untested) configuration profile for iOS
Here's a simple (untested) CGI-script for publishing a configuration
profile to an iOS device. Put the attached CGI-script in
$WEBROOT/ios/SOGo.mobileconfig and add this to the apache config:

    <Location /ios>
        Options +ExecCGI
        AddHandler cgi-script .mobileconfig
    </Location>

then open http://website/ios/SOGo.mobileconfig?email@address in the
browser, and hopefully a configuration profile should appear.

A few hostnames needs to be customized, but hopefully this should work :-)

HTH

-jf

#! /bin/bash -
#
# Simple CGI-script for creating configuration profile for SOGo
# services on iOS.
#
# Jan-Frode Myklebust janfr...@tanso.net

## Wash input
EMPTY=$(echo -n "${1}" | tr -d '[:alnum:]' | tr -d '[:punct:]')
if test -n "$EMPTY"
then
    echo "Content-Type: text/plain"
    echo
    echo "Bad characters in input. Aborting."
    echo "$1"
    echo "$EMPTY"
    exit 1
fi

EMAIL=$1
DOMAIN=${EMAIL##*@}
REVERSE=$(echo "$EMAIL" | sed -e 's/@/\./g' | awk -F. '{ for (i=NF; i>0; i--) printf "." $i }' | sed 's/^.//')

# No idea if these needs to be different:
UUIDprofile=$(uuidgen)
UUIDcarddav=$(uuidgen)
UUIDcaldav=$(uuidgen)
UUIDmail=$(uuidgen)

# Create signed profile:
#cat <<EOF | openssl smime -sign -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach
# Create unsigned profile:
cat <<EOF
Content-Type: application/x-apple-aspen-config; charset=utf-8
Content-Disposition: attachment; filename=SOGo.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>CalDAVAccountDescription</key>
            <string>Altibox Calendar</string>
            <key>CalDAVHostName</key>
            <string>mail.altibox.no</string>
            <key>CalDAVPort</key>
            <real>443</real>
            <key>CalDAVPrincipalURL</key>
            <string>/SOGo/dav/${EMAIL}/</string>
            <key>CalDAVUseSSL</key>
            <true/>
            <key>CalDAVUsername</key>
            <string>${EMAIL}</string>
            <key>PayloadDescription</key>
            <string>${EMAIL} calendar</string>
            <key>PayloadDisplayName</key>
            <string>${EMAIL} calendar</string>
            <key>PayloadIdentifier</key>
            <string>net.altibox.sogo.profile.caldav.${REVERSE}</string>
            <key>PayloadOrganization</key>
            <string>${DOMAIN}</string>
            <key>PayloadType</key>
            <string>com.apple.caldav.account</string>
            <key>PayloadUUID</key>
            <string>${UUIDcaldav}</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>CardDAVAccountDescription</key>
            <string>Altibox Contacts</string>
            <key>CardDAVHostName</key>
            <string>mail.altibox.no</string>
            <key>CardDAVPort</key>
            <integer>443</integer>
            <key>CardDAVPrincipalURL</key>
            <string>https://mail.altibox.no/SOGo/dav/${EMAIL}/</string>
            <key>CardDAVUseSSL</key>
            <true/>
            <key>CardDAVUsername</key>
            <string>${EMAIL}</string>
            <key>PayloadDescription</key>
            <string>${EMAIL} contacts</string>
            <key>PayloadDisplayName</key>
            <string>${EMAIL} contacts</string>
            <key>PayloadIdentifier</key>
            <string>net.altibox.sogo.profile.carddav.${REVERSE}</string>
            <key>PayloadOrganization</key>
            <string>${DOMAIN}</string>
            <key>PayloadType</key>
            <string>com.apple.carddav.account</string>
            <key>PayloadUUID</key>
            <string>${UUIDcarddav}</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>EmailAccountDescription</key>
            <string>Altibox Mail</string>
            <key>EmailAccountType</key>
            <string>EmailTypeIMAP</string>
            <key>EmailAddress</key>
            <string>${EMAIL}</string>
            <key>IncomingMailServerAuthentication</key>
            <string>EmailAuthPassword</string>
            <key>IncomingMailServerHostName</key>
            <string>pop.altibox.no</string>
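Added example, not part of the posted CGI script: the input wash above strips alphanumerics and [:punct:] and accepts the value if nothing is left, and [:punct:] includes the XML metacharacters that then land inside the plist. The sketch below puts that filter next to a stricter allow-list plus XML escaping; all function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: input handling for a query-string e-mail address that is
# pasted into an XML plist. Function names are hypothetical.
LC_ALL=C; export LC_ALL

# The filter as posted: accept when only alphanumerics and punctuation remain.
posted_filter_accepts() {
    left=$(printf '%s' "$1" | tr -d '[:alnum:]' | tr -d '[:punct:]')
    [ -z "$left" ]
}

# Stricter allow-list: conservative local part, exactly one '@', dotted host.
valid_email() {
    case $1 in
        ''|*[!A-Za-z0-9._%+@-]*) return 1 ;;  # rejects < > & " ' space, newline
    esac
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Escape the five XML special characters ('&' must be handled first).
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\\&apos;/g"
}

# user@mail.example.net -> net.example.mail.user, as used for the
# PayloadIdentifier suffix in the script above.
reverse_labels() {
    printf '%s\n' "$1" | tr '@' '.' | awk -F. '{
        out = $NF
        for (i = NF - 1; i > 0; i--) out = out "." $i
        print out
    }'
}

# Emit one key/string pair only for a validated, escaped address.
caldav_username_xml() {
    valid_email "$1" || return 1
    printf '<key>CalDAVUsername</key><string>%s</string>\n' "$(xml_escape "$1")"
}

# Constructed inputs: one plain address, one carrying markup characters.
for input in 'user@example.net' 'user@example.net<b>'; do
    if posted_filter_accepts "$input"; then posted=accept; else posted=reject; fi
    if valid_email "$input"; then strict=accept; else strict=reject; fi
    printf '%-22s posted=%s strict=%s\n' "$input" "$posted" "$strict"
done
```
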
Re: [SOGo] SOGo autoconfiguration for iOS and OSX
On Sat, Nov 09, 2013 at 05:43:47PM +0100, Marcel Waldvogel wrote: as it is integrated into WordPress without having to write it in PHP, it looks pretty ugly and is very site-specific (Perl CGI and JavaScript wrapping WordPress). I'm not asking you to publish sources, only asking if you could share a couple of hints for how you do it. I.e.: - Do you just generate a simple plist using string substitutions on a template, or is there a serverside tool to generate this? - The generated .mobileconfig seems signed by some SSL signing authority. Could you say something about how this is done? Any hints would be much appreciated, and will probably save me lots of time. But you are free to link to it and pass „?dom=tanso.net“ so it is easier for your users. If you want any special feature that might also be useful for others, please let me know. Thanks, but unfortunately this won't work for us. I can't use a random internet site as configuration tool for all our users. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Active Sync support in SOGo
On Wed, Sep 18, 2013 at 05:22:50PM -0400, Ludovic Marcotte wrote: Since the addition of Active Sync support in SOGo would be a server-side implementation, there would be a per-mailbox fee to use it. That fee, would have to be paid to Microsoft directly. Do you have any ballpark estimates for what that fee would be? I'm worried that such a per-mailbox fee might not scale very well to ISP scale number of mailboxes. At a minimum it must be based on actual ActiveSync usage, not total number of accounts. Evidently, if we start working on Active Sync support in SOGo, we'll definitively drop Funambol support - which is probably even more exciting then adding Active Sync support. :-) -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] ActiveSync question
On Tue, Sep 03, 2013 at 10:54:52AM +0200, alge wrote: I'm not sure if my situation with ActiveSync beeing a show stopper for deploying SOGo is generalizable enough, what do other people think of it? Did I miss something? I completely agree (except we didn't let it stop the show). Configuring mobile clients without ActiveSync is too cumbersome, and my little exposure to z-push didn't convince me it was production ready.. Is there anything we can do to get Inverse to focus on ActiveSync support? Does it need funding? Is it a big difficult feature, or ..? -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Antispam antivirus
On Wed, Aug 21, 2013 at 11:49:04PM +0200, Szládovics Péter wrote:
> On 2013-08-21 23:21, Jan-Frode Myklebust wrote:
> > On Wed, Aug 21, 2013 at 01:23:45PM +0200, Szládovics Péter wrote:
> > > SOGo is not a mailserver. SOGo just an groupware extension for _any_
> > > mailserver backend. So, the question is not the antivirus and antispam
> > > for SOGo. The question is antivirus and antispam for mailserver.
> >
> > Antispam has a place in SOGo too. I'd like to have an interface for the
> > users to select how strict the spam-filter should be by integrating with
> > sieve-spamtest/rfc5235. Maybe a block sender function, that pushes out
> > a sieve script to the server to drop/move-to-Spam messages from a given
> > sender. Also it would be nice if the SOGo webinterface had a
> > Spam/not-spam button that would move messages to/from the Spam-folder.
> > This could be used by http://wiki2.dovecot.org/Plugins/Antispam to train
> > the filter.
>
> Block senders? How many senders need to block for correct spam filtering.
> One node of one zombie network sends about 100 thousand spam emails per
> day with randomly generated senders. Are you sure, you can stopped them
> with this feature? I don't think so.

Blocking sender is a helpful feature against other kinds of spam than
zombie networks.. F.ex. real businesses that picked up your email address
during a website registration, and thinks that that's an invitation to be
put on their advertising list.

> Example. My mail host gets about 250-300 clean, real mails per day (total
> incoming mail traffic is about 2000 mails/day - yes, 80-90% of them are
> absolutely spam).

We deliver about 500.000 supposedly clean mails/day to our users inboxes,
after virus/spam/greylisting/etc has done its thing.

> The SA drops 5-10 mails into the quarantine per day (newsletters,
> advertisements, badly formatted mail contents - really spams, very rarely
> few false positive good mails).

On our scale, managing a single quarantine doesn't really work, so we
rather deliver the suspect messages to the users Spam-folder and give them
an opportunity to check for false positives.

> All of others are back off to senders.

Be careful with that, so you don't get on the backscatter lists..

> The successful fight with spams there is at the gate, not at the mailbox.

At the gate we can do general filtering, but we can't train a general
filter to suit 100K's of users. A spam-filter individually trained (and
customized) by each user can be much more effective. Training can be done
by moving messages to/from Spam-folders, customisations can include
blocking senders, or tuning spam-score.

-jf
Re: [SOGo] Antispam antivirus
On Wed, Aug 21, 2013 at 01:23:45PM +0200, Szládovics Péter wrote: SOGo is not a mailserver. SOGo just an groupware extension for _any_ mailserver backend. So, the question is not the antivirus and antispam for SOGo. The question is antivirus and antispam for mailserver. Antispam has a place in SOGo too. I'd like to have an interface for the users to select how strict the spam-filter should be by integrating with sieve-spamtest/rfc5235. Maybe a block sender function, that pushes out a sieve script to the server to drop/move-to-Spam messages from a given sender. Also it would be nice if the SOGo webinterface had a Spam/not-spam button that would move messages to/from the Spam-folder. This could be used by http://wiki2.dovecot.org/Plugins/Antispam to train the filter. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Password Encryption for SOGo with Dovecot and Postfix
On Tue, Aug 06, 2013 at 09:52:46AM +0100, SOGo Noob wrote: After reviewing your advice I have begun the process of swapping from MySQL auth back over to LDAP auth, and can see that functionality via LDAP seems much greater. Cool. I have a quick question though, does SOGo have any user administration methods without falling back to an LDAP management system? For example, our clients normally have one user that would like the ability to create new mailboxes and distribution groups etc - is there an easy way to accommodate such control or do we need to look at another approach for this? I don't think SOGo has any user administration features. We do our user administration by internally developed self-care webpages for our customers. These just add/delete/modify ldap-users by talking directly with the directory server. (maybe not really directly, but by submitting a job to a queueing system that then talks with the directory server) All our mail provisioning is handled trough LDAP. If a new domain gets added to o=$domainname.com,o=ISP,o=example,c=com, this will automatically be used by postfix/dovecot/sogo, and users created there can immediately receive email and use the webmail. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Puppet
On Mon, Aug 05, 2013 at 09:29:06PM -0500, Pablo Carranza wrote:
> Has anyone taken a stab at putting together a Puppet module to install
> and/or manage SOGo? I'm trying to put one together, from scratch, and
> it's been a lng and tedious process, thus far.

It's probably not directly applicable to other sites, but this is what we
use on our sogo backends:

sogo/manifests/init.pp
8<------8<------8<------8<------
class sogo {

    realize(
        User["sogo"],
        Group["sogo"],
    )

    $packages = [ "sogo", "sope49-gdl1-postgresql", "httpd", "sogo-tool" ]
    package { $packages:
        ensure => installed,
    }

    $sogodirs = [ "/home/sogo", "/home/sogo/GNUstep/", "/home/sogo/GNUstep/Defaults/", "/var/log/sogo", "/var/spool/sogo" ]
    file { $sogodirs:
        ensure => directory,
        owner  => sogo,
        group  => sogo,
        mode   => 755,
    }

    file { "/var/run/sogo":
        ensure => directory,
        owner  => sogo,
        group  => sogo,
        mode   => 700,
    }

    file { "/home/sogo/GNUstep/Defaults/.GNUstepDefaults":
        owner  => sogo,
        group  => sogo,
        mode   => 600,
        source => [
            "puppet:///modules/sogo/GNUstepDefaults-$fqdn",
            "puppet:///modules/sogo/GNUstepDefaults",
        ],
        notify => Service["sogod"],
    }

    file { "/etc/sysconfig/sogo":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/sysconfig_sogo-$fqdn",
            "puppet:///modules/sogo/sysconfig_sogo",
        ],
        notify => Service["sogod"],
    }

    # this kills sogod's that's been consuming more than 15m cputime:
    file { "/usr/local/sbin/sogo-watchdog.sh":
        owner  => root,
        group  => root,
        mode   => 555,
        source => [
            "puppet:///modules/sogo/sogo-watchdog.sh-$fqdn",
            "puppet:///modules/sogo/sogo-watchdog.sh",
        ],
    }

    file { "/etc/cron.d/sogo-watchdog.cron":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/sogo-watchdog.cron-$fqdn",
            "puppet:///modules/sogo/sogo-watchdog.cron",
        ],
    }

    file { "/etc/httpd/conf.d/01-SOGo-local.conf":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/SOGo-local.conf-$fqdn",
            "puppet:///modules/sogo/SOGo-local.conf",
        ],
        notify => Service["httpd"],
    }

    file { "/etc/httpd/conf.d/02-SOGo-shared.conf":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/SOGo-shared.conf-$fqdn",
            "puppet:///modules/sogo/SOGo-shared.conf",
        ],
        notify => Service["httpd"],
    }

    file { "/etc/httpd/conf.d/SOGo.conf":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/SOGo.conf-$fqdn",
            "puppet:///modules/sogo/SOGo.conf",
        ],
        notify => Service["httpd"],
    }

    file { "/etc/httpd/conf.d/00-apache-server-status.conf":
        owner  => root,
        group  => root,
        mode   => 444,
        source => [
            "puppet:///modules/sogo/00-apache-server-status.conf-$fqdn",
            "puppet:///modules/sogo/00-apache-server-status.conf",
        ],
        notify => Service["httpd"],
    }

    service { "httpd":
        ensure  => true,
        enable  => true,
        require => [
            File["/etc/httpd/conf.d/SOGo.conf"],
            Package["httpd"],
        ],
    }

    service { "sogod":
        ensure  => true,
        enable  => true,
        start   => "/usr/local/sbin/sogo-services.sh start",
        stop    => "/usr/local/sbin/sogo-services.sh stop",
        require => [
            File["/home/sogo/GNUstep/Defaults/.GNUstepDefaults"],
            Package["sogo"],
            Package["sope49-gdl1-postgresql"],
            File['/usr/local/sbin/sogo-services.sh'],
        ],
    }

    # Script to make sure all sogod's are dead before starting them.. Also manages keepalived daemon:
    file { "/usr/local/sbin/sogo-services.sh":
        owner  => root,
        group  => root,
        mode   => 755,
        source => [
            "puppet:///modules/sogo/sogo-services.sh-$fqdn",
            "puppet:///modules/sogo/sogo-services.sh",
        ],
    }
}
8<------8<------8<------8<------

sogo/manifests/skin.pp
8<------8<------8<------8<------
class sogo::skin inherits sogo {

    file { "/usr/lib64/GNUstep/SOGo/WebServerResources/altibox.js":
        owner   => root,
        group   => root,
        mode    => 444,
        source  => "puppet:///modules/sogo/skin/WebServerResources/altibox.js",
        require => Package["sogo"],
    }

    file { "/usr/lib64/GNUstep/SOGo/WebServerResources/iefixes.css":
        owner  => root,
        group  => root,
        mode   => 444,
        source =>
Re: [SOGo] Password Encryption for SOGo with Dovecot and Postfix
On Fri, Aug 02, 2013 at 05:33:15PM +0100, SOGo Noob wrote: My plan is this: We have a new cleanly installed Ubuntu 12.04 server for mail, and we've opted to use MySQL for authentication and for basic storage. We will be using Postfix and Dovecot for mail transport and imap/pop respectively. All of which seems to make sense so far, and much of this is configured already. My issue is with choosing the correct password encryption. We need it to be compatible with SOGo, Dovecot and Postfix, and we need mail client support for all major platforms. I'm working for an ISP, running SOGo for webmail, postfix for SMTP and dovecot for LMTP/POP/IMAP -- for a little under 100 maildomains/1M-accounts. Earlier (before SOGo) we used MySQL for user-database, but have moved over to a LDAP (389ds) for holding the user-database. And I would strongly advice you to consider doing the same. All services are speaking directly to the ldap-servers. When users needs to authenticate, this is handled trough the ldap bind() operation, so that none of the services need to know anything about encryption schemes, and also they don't have access to read the users' hashes. LDAP/389ds gives you proper multi-master setup, so that you can easily configure a highly available environment, and also scale out if needed. Obviously we need to administer the server too, some clean cli commands to generate new passwords would be great. What would the list recommend as an adopted password encryption that is simple to deploy but at the same time secure? Lots of options for editing LDAP data.. ldapvi, ldapsearch, ldapmodify, apache directory studio and probably several web-based options exists. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Best practice of sogo system / user backup - suggestions?
On Wed, Jun 19, 2013 at 01:28:00PM +0200, Götz Reinicke - IT Koordinator wrote: I'd like to ask what is your best practice to backup restore your sogo system and/or user data? Should we do a e.g. database dump/backup of the mysql (what we already do for other systems) and do a user based sogo-tool backup? We do both. Daily backup of the postgres-database, plus daily sogo-tool backups of all users that has been active the last 24 hours. That should give us the possibility of doing quick single user restore from the sogo-tool backup, and also quick full system restore from database backup. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Re: just gone live with sogo, and keep getting 100% cpu usage... :-(
Probably also good to enable some debugging with:

    sudo -u sogo defaults write sogod SOGoDebugRequests YES

and see if the sogod.log tell you something..

-jf
Re: [SOGo] Re: just gone live with sogo, and keep getting 100% cpu usage... :-(
On Thu, Apr 04, 2013 at 11:40:43AM +0200, mayak-cq wrote:
> sudo -u sogo defaults write sogod WOWorkersCount 32

Please remember to also increase the number of connections to your postgres
database when changing the number of workers.

    postgresql max_connections 3x WOWorkersCount

-jf
Re: [SOGo] Re: just gone live with sogo, and keep getting 100% cpu usage... :-(
On Thu, Apr 04, 2013 at 11:48:46AM +0200, Jan-Frode Myklebust wrote:
> Probably also good to enable some debugging with:
>
>     sudo -u sogo defaults write sogod SOGoDebugRequests YES
>
> and see if the sogod.log tell you something..

We've often seen problems with sogod processes getting stuck, eating cpu,
so we've implemented a watchdog that kills sogod-processes that's been
using too much cputime. Every 5 minutes we run the following script:

8<------8<------8<------8<------
#! /bin/sh -
#
# Kill sogo-processes that's been running too long.

too_long=15 # 00-59 minutes

ps -u sogo -opid,ppid,cputime | grep -v PPID | while read pid ppid time
do
    # Don't kill main daemon.
    if test "x$ppid" != "x1"
    then
        minutes=$(echo "$time" | cut -d: -f2)
        if test "$minutes" -gt "$too_long"; then
            echo "Killing $pid"
            ps -fp "$pid"
            kill -9 "$pid"
        fi
    fi
done
8<------8<------8<------8<------

This hasn't been triggering often with sogo v2, but we've had situations
earlier where sogod would get stuck on unexpected data from the IMAP
server. F.ex. sogod didn't like dovecot telling it the progress during IMAP
searches and got stuck using 100% cpu whenever that happened.

-jf
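Added example, not the poster's script: the watchdog above (also posted as a cronjob in the December 2013 message) compares only the minutes field of the ps cputime value, so the hours and days fields play no part in the test. This sketch converts the whole [DD-]HH:MM:SS value to minutes and selects workers over the limit while skipping the main daemon (ppid 1, as in the posted script); function names and the sample ps rows are constructed.

```shell
#!/bin/sh
# Added example: choose sogod workers by total CPU time.
# Function names and sample rows are hypothetical.

# Convert a ps cputime value ([DD-]HH:MM:SS, or MM:SS) to whole minutes.
# Prints nothing and returns 1 when the value does not have that shape.
cputime_to_minutes() {
    printf '%s\n' "$1" | awk -F'[-:]' '
        !/^(([0-9]+-)?[0-9]+:)?[0-9]+:[0-9]+$/ { exit 1 }
        NF == 4 { print $1 * 1440 + $2 * 60 + $3; exit }   # DD-HH:MM:SS
        NF == 3 { print $1 * 60 + $2; exit }               # HH:MM:SS
        NF == 2 { print $1 + 0; exit }                     # MM:SS
    '
}

# Read "pid ppid cputime" rows on stdin and print the PIDs of workers whose
# accumulated CPU time exceeds $1 minutes. Rows with ppid 1 are the main
# daemon and are never selected.
select_stuck_workers() {
    limit=$1
    while read -r pid ppid cputime; do
        [ "$ppid" = 1 ] && continue
        mins=$(cputime_to_minutes "$cputime") || continue   # skip odd rows
        [ "$mins" -gt "$limit" ] && echo "$pid"
    done
    return 0
}

# Constructed sample in the format of: ps -u sogo -o pid=,ppid=,cputime=
sample_ps() {
    cat <<'EOF'
 2690     1 6-06:00:00
 2725  2690 00:05:36
 6438  2690 01:02:09
 7997  2690 00:16:44
 8076  2690 1-00:03:10
EOF
}

# Dry run on the sample: prints 6438, 7997 and 8076. PID 6438 has 62 CPU
# minutes but a minutes field of 02, which a minutes-only test passes over.
sample_ps | select_stuck_workers 15

# Live use from cron, with the same kill signal as the posted script:
#   ps -u sogo -o pid=,ppid=,cputime= | select_stuck_workers 15 |
#       while read -r pid; do ps -fp "$pid"; kill -9 "$pid"; done
```
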
Re: [SOGo] IMAP Server
On Mon, Jan 28, 2013 at 9:35 AM, Valentin Bud valentin@gmail.com wrote: We use cyrus here with approx. 15000 users. Just be sure to use a version 2.4.x one. That's impressive :-). We use dovecot with around 1.000.000 mail accounts :-) Around 10% of these are accessing their mail trough the sogo webmail interface... What OS do you use? RHEL5 on the 6 mail backend servers. LDAP Authentication or other backend? LDAP bind(). Do you use replication/murder configuration? Is it stable? We use a cluster filesystem (IBM GPFS) for the mailboxes, and dovecot director to spread the load over the backend servers. Because of the cluster filesystem, we don't care which backend a user hits -- only that it's fairly sticky. Virtual machines or hardware ones? Hardware, because of need for direct SAN access for cluster filesystem. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] ANN: SOGo 2.0.4
On Sat, Jan 26, 2013 at 1:15 AM, Francis Lachapelle flachape...@inverse.ca wrote: * renamed default SOGoForceIMAPLoginWithEmail to SOGoForceExternalLoginWithEmail and extended it to SMTP authentication Oh.. I didn't know SOGo could do SMTP authentication as the logged in user. We only support SMTP authentication on the submission port (587/tcp) including TLS upgrade, or on the smtp over ssl port (465/tcp). Will this work with SOGo ? -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] ANN: SOGo v1.3.16
On Fri, Jun 08, 2012 at 08:30:44AM -0400, Francis Lachapelle wrote: Enhancements * new unique names for static resources to avoid browser caching when updating SOGo How will this work with custom skins and SOGoUIAdditionalJSFiles ? Will it pick up generation timestamp from filesystem? -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Vacation, cronjob and sieve filter
Completely agree that sogo should manage this without cronjob, but inverse needs to support Cyrus which doesn't implement the sieve date extention: http://www.sogo.nu/bugs/view.php?id=1530 -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Sogo Slow Performance
On Tue, Feb 14, 2012 at 11:27:19PM +, Khapare Joshi wrote:
> > Only guessing, but it sounds to me like a problem with your
> > gnustepdefauls bindDN. Is it a working DN/bindPassword combination? Or
> > maybe your ldap server running out of connections?
>
> yes it is working DN/bindPassword. running out of connection (is there a
> limit ? where can I check in LDAP - i have fedora driectory server)

There's a max number of file descriptors setting in the
Configuration-Performance tab in the management console. You probably need
to have a higher ulimit -n in /etc/sysconfig/dirsrv.

I don't quite remember, but think there's an errors file on the ldap-server
that should show if you're running out of connections.

You might also want to make sure that the fields sogo is searching for in
ldap are indexed. I believe sogo will search for all fields mentioned in
SearchFieldNames and bindFields, so these needs to be indexed.

-jf
Re: [SOGo] Sogo Slow Performance
On Tue, Feb 14, 2012 at 10:39:30PM +, Khapare Joshi wrote:
> My sogo server sometime response very very slow. I use improxy but my
> sogo server is rather slow and this performance issue is random. I think
> hardware spec of the server is fine. I added /etc/sysconfig/sogo
> PREFORK=6. server memory looks 1G free CPU utilization average is arond
> 3-4 %

Assuming your backends are not the problem, maybe try increasing PREFORK a
lot (and remember to also increase postgresql max_connections to match).
We're currently running with PREFORK=60. It's seldom that that many
processes are needed, but when the server has the resources for it we would
rather use cpu than stall the users requests.

> Rebooted server, restarted sogod daemon. But this is bugging me. Sogo
> should be fast (:) and faster than squriell mail. What can I do to
> optimize the sogo server and what are you guys doing for better
> performance for sogo server, any sogo configuration parameter ? postgres
> indexing ? apache config ?

What IMAP server are you running?

-jf
Re: [SOGo] Sogo Slow Performance
On Tue, Feb 14, 2012 at 10:39:30PM +, Khapare Joshi wrote:
> server, any sogo configuration parameter ? postgres indexing ?

Is your postgres database busy? We were struggling with high cpu usage on
our databaseserver recently, and it turned out it was a problem with the
session table growing and growing. We now run a daily deletion of all rows
older than 24 hours:

    DELETE from sogo_sessions_folder WHERE extract('epoch' from current_timestamp)-c_lastseen > 86400;

I believe there's also an index fix for this table in v1.3.12..

-jf
Re: [SOGo] Sogo Slow Performance
On Tue, Feb 14, 2012 at 10:52:08PM +, Khapare Joshi wrote: the sogo server and what are you guys doing for better performance for sogo server, any sogo configuration parameter ? postgres indexing ? apache config ? What IMAP server are you running? CYRUS IMAP murder Ok, I'm not familiar with cyrus.. -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Sogo Slow Performance
On Tue, Feb 14, 2012 at 11:07:34PM +, Khapare Joshi wrote:
> No, my database not yet too busy. I do not see much high load either.
> however my /var/lib/pgsql/data/postgresql.conf max connection is set to
> 100 and changed the PERFORK to 70

That will fail under load. You need minimum 3 postgres connections per
sogod = 3*70 = 210.

> however, I have tons of error in /var/log/sogo/sogo
>
> Could not bind to the LDAP server ldap.hi.is (389) using the bind DN:
> uid=test,ou=People,dc=test,dc=com
>
> but again I can access sogo and all. I am not sure about this error. It
> could be thunderbird or iphone are trying to synchronize the event and
> somehow sogo could not bind on that particular synchonization. Do you
> know how to debug this ?

Only guessing, but it sounds to me like a problem with your gnustepdefauls
bindDN. Is it a working DN/bindPassword combination? Or maybe your ldap
server running out of connections?

-jf
[SOGo] IMAP-proxy or not with sogo webmail and dovecot backend
We've been collecting some stats to see what kind of benefits
UP/SquirrelMail's IMAP Proxy in for our SOGo webmail users. Dovecot is
running in High-performance mode http://wiki2.dovecot.org/LoginProcess
with authentication caching http://wiki2.dovecot.org/Authentication/Caching

During the weekend two servers (webmail3 and webmail4) have been running
with local imapproxy and two servers without (webmail1 and webmail2). Each
server has served about 1 million http requests, over 3 days.

server                  avg. response time   # requests
webmail1.example.net    0.370411             1092386
webmail2.example.net    0.374227             1045141
webmail3.example.net    0.378097             1043919     imapproxy
webmail4.example.net    0.378593             1028653     imapproxy

ONLY requests that took more than 5 seconds to process:

server                  avg. response time   # requests
webmail1.example.net    26.048               1125
webmail2.example.net    26.2997              1080
webmail3.example.net    28.5596              808         imapproxy
webmail4.example.net    27.1004              964         imapproxy

ONLY requests that took more than 10 seconds to process:

server                  avg. response time   # requests
webmail1.example.net    49.1407              516
webmail2.example.net    53.0139              459
webmail3.example.net    59.7906              333         imapproxy
webmail4.example.net    58.167               384         imapproxy

The response times are not very fast, but they do seem to support the claim
that an imapproxy isn't needed for dovecot.

-jf
[SOGo] Re: [Dovecot] IMAP-proxy or not with sogo webmail and dovecot backend
On Mon, Feb 13, 2012 at 11:08:48AM -0800, Mark Moseley wrote: Out of curiosity, are you running dovecot locally on those webmail servers as well, or is it talking to remote dovecot servers? The webmail servers are talking with dovecot director servers which in turn are talking with the backend dovecot servers. Each service running on different servers. Webmail-servers - director-servers - backend-servers I ask because I'm looking at moving our webmail from an on-box setup to a remote pool to support director and was going to look into whether running imapproxyd would help there. We don't bother with it in the local setup, since dovecot is so fast, but remote (but still on a LAN) might be different. Doesn't seem so to us... Though imapproxyd seems to make (wait for it...) squirrelmail unhappy (complains about IMAP errors, when sniffing shows none), though I've not bothered to debug it yet. :-) -jf -- users@sogo.nu https://inverse.ca/sogo/lists
Re: [SOGo] Why not move from Funambol to Z-Push? Many features will be obtained.
On Wed, Jan 18, 2012 at 02:16:08PM -0500, Ludovic Marcotte wrote:
> I would still very much like to open a discussion about this - ie., Funambol (SyncML) backend vs. Z-Push (ActiveSync) backend.

I'm struggling with seeing why one would push Funambol/SyncML. It requires 3rd party agent on all phones (except nokia), and then one could just as well use a 3rd party caldav/carddav client. While activesync is supported on all (?) phones, with single config for mail/contacts/calendar. That's what we want!

> What I mostly fear about Z-Push is that we'll revisit all the device synchronization bugs we had over the past few years with Funambol/SyncML and we'll have to hack around like we did. This is very valuable time and know-how here. Getting the Z-Push connector up and running can be done in a snap, but refining it will take some time. Also, having the Sword of Damocles on top of my head regarding the licensing agreement doesn't make me a happy, happy, joy man.

Is z-push that much different of a threat than the Open^H^H^H^Hchange- replacement you seem to be doing in v2.0 ?

-jf
Re: [SOGo] Why not move from Funambol to Z-Push? Many features will be obtained.
On Wed, Jan 18, 2012 at 10:14:38PM +0100, André Schild wrote:
>>> the licensing agreement doesn't make me a happy, happy, joy man.
>>
>> Is z-push that much different of a threat than the Open^H^H^H^Hchange- replacement you seem to be doing in v2.0 ?
>
> OpenChange has nothing to do with ActiveSync.
> OpenChange implements MAPI on the server, so (all) mapi compatible can talk to the server
> z-Push implements ActiveSync on the server, so all active sync clients can talk to the server

I see it as: z-push implements Microsoft's proprietary ActiveSync protocol. OpenChange implements Microsoft's proprietary MAPI protocol.

> The current z-push sogo backend uses CalDav/CardDav to access Sogo resources, the Funambol client directly accesses the database

Yes, I know. I tested the sogosync-version about a year ago, and it looked like a very nice solution that could be run as a completely separate service from the rest of sogo (pure caldav/carddav/imap-client). Funambol looked like a very intrusive solution, poking inside the sogo database directly, having its own user database (if I remember correctly). And probably introducing version dependencies between funambol server and sogo server.

I'd much rather push my users towards installing a 3rd party caldav/carddav client, and avoid the need for anything serverside.

-jf
Re: [SOGo] Backup only changed users ?
On Thu, Dec 22, 2011 at 03:10:58PM +0100, André Schild wrote:
> The backup gives you flat files, so your backup software can look if these have been modified

Yes, I know, but the problem is that full sogo-tool backups are already taking about 8 hours, and stressing the backend db for this long unnecessarily when the users are mostly unchanged... We need to find a way of speeding this up soonish..

-jf
Re: [SOGo] Online translation tool -- Transifx
On Mon, Nov 14, 2011 at 04:16:08PM -0500, Francis Lachapelle wrote:
> Once registered, request a new team for your language : https://www.transifex.net/projects/p/sogo/teams/
>
> Once authorized, you'll be able to start/continue translating SOGo in your language. For the initial import, it was necessary to ignore all strings that were identical to the English translation. Therefore, even if your translation was considered completed in version 1.3.9 of SOGo, you may need to add some missing strings (example: if the translation of email in your language is also email, you'll need to add it back).

I've signed up as team lead for no_NO and nb_NO, but none of these show any existing translations. Everything is listed as 0% done. But when looking at https://www.transifex.net/projects/p/sogo/r/all-resources/ there is a Norwegian which is 90% done. This is the version I want to work on! :-)

Am I missing some routine to copy this over to no_NO/nb_NO or is something wrong with the setup for Norwegian ?

-jf
Re: [SOGo] Customize a tad of SOGo
On Fri, Nov 11, 2011 at 09:32:27AM -0500, Francis Lachapelle wrote:
>> I see the post here: http://www.sogo.nu/english/nc/support/faq/article/how-to-customize-the-html.html about how to keep changes between versions but that seems not current any more. Also I am not sure this is what I would want anyways. Any pointers?
>
> This FAQ entry is still valid.

Valid, but still a bit unclear -- at least to me. It would be good if it was specified if/that sogod needs to be restarted whenever wox-templates are changed, and also mention that the entry is just about modifying wox-templates. Customizing anything below /usr/lib*/GNUstep/SOGo/WebServerResources/ needs to happen there, as these are not served through sogod but rather served by apache directly.

-jf
IMAP-proxy or not? Was: Re: [SOGo] SOGo+perdition+Dovecot
On Sat, Nov 12, 2011 at 12:35:26AM +, Ed W wrote:
> Quick question: What does perdition buy you versus not having it? The dovecot author suspected that logins were so fast that a persistent proxy would likely have little performance advantage - do you measure otherwise?

Interesting... as I seem to experience slow initial connect (getting the body of the first message I select after logging in takes seconds) when using up-imapproxy, but everything seems quick afterwards. If I have sogod talk to the imap-servers directly (still through dovecot-director), everything is quick always. But I've been the only sogo user active when testing this and am worried that this might change once we put heavy load on it..

I've also noticed there is a NGImap4DisableIMAP4Pooling setting which is disabled by default, but I haven't found any documentation for it other than the bug report which seems to indicate it should be used if one is not using an imapproxy:

    http://sogo.nu/bugs/view.php?id=1243

and the NEWS entry:

    - IMAP connection pooling is disabled by default to avoid flooding the IMAP servers in multi-process environments (NGImap4DisableIMAP4Pooling now set to YES by default)

I don't understand what multi-process environments is referring to here..?

Does anybody have any comments for if imapproxy is needed or not for dovecot backend, and if one should use IMAP4Pooling in sogo when not using an imapproxy?

-jf
Re: [SOGo] Customize a tad of SOGo
On Sat, Nov 12, 2011 at 06:57:12PM +0100, Jan-Frode Myklebust wrote:
> modifying wox-templates. Customizing anything below /usr/lib*/GNUstep/SOGo/WebServerResources/ needs to happen there, as these are not served through sogod but rather served by apache directly.

I just realized that the WebServerResources/ could work the same as wox-templates in /home/sogo/GNUstep/Library/ with a little mod_rewrite hack:

    RewriteEngine On
    # REQUEST_URI always starts with "/"
    RewriteCond %{REQUEST_URI} ^/SOGo/WebServerResources.*
    # Serve the file from the override directory only if it exists there
    RewriteCond /home/sogo/GNUstep/Library%{REQUEST_URI} -f
    RewriteRule ^(.+) /home/sogo/GNUstep/Library/$1 [L]
    # Otherwise pass the request through unchanged
    RewriteRule ^ - [PT]

Untested, and I never get these right without some trial and error, but you probably get the idea. Based on: http://httpd.apache.org/docs/current/rewrite/remapping.html#multipledirs

-jf
Re: [SOGo] Update to 1.3.9 on Centos5
On Sun, Oct 30, 2011 at 09:12:22AM -0400, Ludovic Marcotte wrote:
> That's probably a sign of having old SOPE packages around after proceeding with the SOGo update. Make sure you update all SOPE packages to the latest version and restart the SOGo service after.

Yes, looks like you had some packages in the v1.3.9 yum-repo with version numbers that rpm/yum would interpret as newer than the new ones for sogo v1.3.9-2. Those who had upgraded to v1.3.9-1 will probably still be running on wrong sope49-cards and sope49-gdl1-contentstore after upgrading to v1.3.9-2.

    [janfrode@webmail2 ~]$ rpm -q sope49-cards sope49-gdl1-contentstore
    sope49-cards-1.3.9-2.centos6.x86_64
    sope49-gdl1-contentstore-1.3.9-2.centos6.x86_64
    [janfrode@webmail2 ~]$ sudo yum update
    Package                    Arch     Version                Repository  Size
    Updating:
    sope49-cards               x86_64   2.0_20111018-1.el6.0   sogo        161 k
    sope49-gdl1-contentstore   x86_64   2.0_20111018-1.el6.0   sogo         54 k
    Transaction Summary
    Upgrade 2 Package(s)

    $ rpmdev-vercmp
    Epoch1 :
    Version1 :1.3.9
    Release1 :2.centos6
    Epoch2 :
    Version2 :2.0_20111018
    Release2 :1.el6
    :2.0_20111018-1.el6 is newer

The reason this was hitting us is that I sync'ed in your packages to our local repository, since our servers aren't allowed to talk openly on the internet, and I hadn't noticed that these needed to be deleted from the repo..

-jf
Re: [SOGo] HELP !!! /etc/init.d/sogod: line 73: /usr/GNUstep/System/Library/Makefiles/GNUstep.sh: Aucun fichier ou répertoire de ce type Restarting SOGo: /usr/GNUstep/System/Tools/Admin/sogod: error w
Could you post the output of rpm -qi gnustep-make ?

-jf
Re: [SOGo] HELP !!! /etc/init.d/sogod: line 73: /usr/GNUstep/System/Library/Makefiles/GNUstep.sh: Aucun fichier ou répertoire de ce type Restarting SOGo: /usr/GNUstep/System/Tools/Admin/sogod: error w
On Fri, Oct 28, 2011 at 11:05 PM, Ludovic Marcotte lmarco...@inverse.ca wrote:
> That has been fixed. We were building packages on SL Linux but it looks like they recently broke binary compatibility with RHEL/CentOS 6. We're rebuilding them with CentOS 6.

What about RHEL-6.1-latest ? Centos seems to be lagging quite a bit behind RHEL6 these days...

-jf
Re: [SOGo] Status on SOGo v2.0.0
On Fri, Oct 07, 2011 at 11:19:12AM -0400, Ludovic Marcotte wrote:
> Also, if anyone would volunteer some help regarding packaging Samba 4 and OpenChange for RHEL (v5 and v6),

In RHEL6 both samba4 (4.0.0-23.alpha11) and openchange (0.9) are available in the rhel-x86_64-server-optional-6 channel. Are these usable with sogo 2.0?

-jf
Re: [SOGo] How to disable spellchecker
I'm wondering what kind of agreement SOGo/inverse has with spellchecker.net. Is it really a free for all service, or will we get into trouble if we run SOGo in a large commercial setup?

Is it possible to use the WebSpellChecker: Licensed Version running on our own servers for spellchecks in sogo ? http://www.spellchecker.net/v3/products/wsclicensed.html

-jf
Re: [SOGo] Dovecot quota indicator bar
On Mon, Feb 21, 2011 at 10:26:15PM -0600, Kevin C. Smith wrote:
> I'm guessing SOGo only checks before logon?

I don't think so. Here's my before-login capabilities:

    * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.

and after login:

    a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT IDLE CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS QUOTA] Logged in

and I do have the quota indicator in sogo. (Dovecot director v2.0.9 proxying to v1.2.16 on the backends.)

-jf
Re: [SOGo] Script
On Fri, Feb 18, 2011 at 02:02:50PM -0500, Wolfgang Sourdeau wrote:
>> Overall, I think the idea of a structured file-format is a good one. Perhaps the missing step to UNIX-compliance would be to enable the use of a conf file in the /etc/ hierarchy.
>
> This would be quite easy to do and you just need to ask ;)

Woha, yes, could we please have that! :-)

Also, would it be possible to separate out the templating from $HOME (to f.ex. /var/www) and make the sogo-user a non-interactive account.

-jf
Re: [SOGo] Alternate theme proposal
On Sun, Feb 13, 2011 at 07:12:56PM +0100, Corrado Fiore wrote:
> == HOW DOES IT LOOK? ==

snip

> Any thoughts, suggestions or comments are welcome!

It looks a lot better, thanks! And especially thanks for giving me a pointer for what we need to look at changing to give it our corporate look whenever we start that job.

For the mail view I would have also liked if something was done to the pane between message list and message content. It's taking way too much space, it's duplicating information that's already shown in the selected message in the message list, and there's too much blank space on the right hand side. I think most of the duplicate information should be removed, and whatever information is left should be squeezed into two data fields per line.

-jf
Re: [SOGo] ANN: SOGo v1.3.5
On Thu, Jan 27, 2011 at 08:44:34AM -0500, Francis Lachapelle wrote:
>>     filter=(|(givenName=janfrode*)(mail=janfrode*)(cn=janfrode*))
>>
>> even though my SOGoUserSources doesn't contain givenName:
>>
>>     <key>SearchFieldNames</key>
>>     <array>
>>         <string>mail</string>
>>         <string>cn</string>
>>     </array>
>>
>> but things seem to be working much better.
>
> The constructed LDAP filter includes the fields from SearchFieldNames, MailFieldNames and CNFieldName. Is givenName defined as your CN?

Yes, so that's where it's from:

    <key>CNFieldName</key>
    <string>givenName</string>

Thanks!

-jf
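
How a filter like the one quoted in the message above comes together, as an added example (not SOGo's code): it takes the union of CNFieldName, MailFieldNames and SearchFieldNames and escapes the search term per RFC 4515, so text typed into the contact search cannot change the filter's structure. The function names, the field order and the `mail` value for MailFieldNames are assumptions.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute names come from configuration; still reject anything that is not a
# plain attribute descriptor before placing it in a filter.
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied search term for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def contact_filter(term, cn_field, mail_fields, search_fields):
    """Build a prefix-match OR filter over the configured fields.

    Order (an assumption): CN field, then mail fields, then search fields,
    with duplicates dropped on first occurrence.
    """
    fields = list(dict.fromkeys([cn_field, *mail_fields, *search_fields]))
    for name in fields:
        if not _ATTR.match(name):
            raise ValueError(f"not a valid attribute name: {name!r}")
    safe = escape_filter_value(term)
    clauses = "".join(f"({name}={safe}*)" for name in fields)
    return f"(|{clauses})" if len(fields) > 1 else clauses


if __name__ == "__main__":
    # Configuration as described in the thread: CNFieldName = givenName,
    # SearchFieldNames = (mail, cn); MailFieldNames = (mail) is assumed.
    print(contact_filter("janfrode", "givenName", ["mail"], ["mail", "cn"]))
    # Constructed input containing filter metacharacters.
    print(contact_filter("a*)(uid=*", "cn", ["mail"], []))
```
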
Re: [SOGo] ANN: SOGo v1.3.5
On Wed, Jan 26, 2011 at 01:30:29PM -0500, Francis Lachapelle wrote:
> === Changes from the previous release ===
> Enhancements
> * the new parameter SearchFieldNames allows to specify which LDAP fields to query when filtering contacts

I'm having problems getting this working. I have configured it with:

    defaults write sogod SearchFieldNames '(mail, cn)'

and also have:

    defaults write sogod SOGoLDAPQueryLimit 100
    defaults write sogod SOGoLDAPQueryTimeout 10

On my directory server I see my search as:

    [27/Jan/2011:11:30:08 +0100] conn=6164752 op=1 SRCH base=o=isp,o=example,c=com scope=2 filter=(|(givenName=janfrode*)(sn=janfrode*)(displayName=janfrode*)(telephoneNumber=janfrode*)(mail=janfrode*)) attrs=objectClass givenName mail mail title company o displayName modifyTimestamp mozillahomestate mozillahomeurl homeurl st region mozillacustom2 custom2 mozillahomecountryname description notes department departmentNumber ou orgunit mobile cellphone carphone mozillacustom1 custom1 mozillanickname xmozillanickname mozillaworkurl workurl facsimileTelephoneNumber facsimileTelephoneNumber telephoneNumber mozillahomestreet mozillasecondemail xmozillasecondemail mozillacustom4 custom4 nsAIMid nscpaimscreenname street street postOfficeBox homePhone cn cn givenName mozillahomepostalcode mozillahomelocalityname mozillaworkstreet2 mozillausehtmlmail xmozillausehtmlmail mozillahomestreet2 postalCode zip c c pager pagerphone mail sn sn mozillacustom3 custom3 l l birthyear serialNumber calfburl proxyaddresses uid

I also tried:

    defaults write sogod SOGoSearchFieldNames '(mail, cn)'

but same result. (And yes, sogod and memcached was restarted after defaults write).

So what am I missing ?

-jf
Re: [SOGo] Trying to run SOGo on a openSUSE x64
On Thu, Jan 06, 2011 at 02:45:24PM +0100, Stefan Fuhrberg wrote:
> That fixed the Adaptor Message, rest of the log looks still the same.
>
>     RequestHeader set x-webobjects-server-port 443
>     RequestHeader set x-webobjects-server-name sogo
>     RequestHeader set x-webobjects-server-url http://sogo;

x-webobjects-server-port should likely be 80 for an http url.

-jf
[SOGo] cache static content
Are there any recommendations for what can and can't be cached in SOGo? i.e. the login page takes 27 http requests / 422KB, inbox take 61 requests / 605KB, calendar 49 requests / 609 KB. A lot of this seems to be javascripts and images living in /SOGo.woa/WebServerResources/. Would it be OK to tell the clients they can cache these for long periods through mod_expires ? Something like:

    <Location /SOGo.woa/WebServerResources/>
        ExpiresActive on
        ExpiresDefault "access plus 1 month"
    </Location>

Would this be OK ? If so, any other Locations need the same treatment ? (1 month is maybe a bit long.. might need to be sync'ed a bit with maintenance windows/upgrades).

-jf
Re: [SOGo] cache static content
It looks to me like this should work fine, all POSTs seem to go to /SOGo/so or /SOGo/connect, and I see no parameters in any GETs. So I would suggest adding something like the following to the default apache config (SOGo.conf):

    # Compress text-type content:
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript

    # Don't use inode in ETag, in case we're running on a cluster
    # where static file inode numbers will be different between the
    # nodes
    FileETag MTime Size

    # Add far future expiry headers to static content. Reduce these
    # to much shorter (1 hour?) before you plan on any upgrades to
    # SOGo, to be sure clients quickly will pick up new versions of
    # any content.
    <Location /SOGo.woa/WebServerResources/>
        ExpiresActive on
        ExpiresDefault "access plus 1 week"
    </Location>
    <Location /SOGo/WebServerResources/>
        ExpiresActive on
        ExpiresDefault "access plus 1 week"
    </Location>

    # Point this at your SOGoFaviconRelativeURL
    <FilesMatch "^favico\.ico$">
        ExpiresActive on
        ExpiresDefault "access plus 1 week"
    </FilesMatch>

-jf
Re: [SOGo] Secured session cookies
Do I understand the code correctly if I read that you're now using the session key as a one-time-pad to encrypt/decrypt the password, and the password is never stored un-encrypted anywhere ?

-jf
Re: [SOGo] Secured session cookies
On Tue, Dec 28, 2010 at 02:37:15PM -0500, Ludovic Marcotte wrote:
> The password is still stored unencrypted in memcached for SOGoCacheCleanupInterval seconds. This is to avoid doing a bind on the LDAP server for _each_ request coming in, in order to check the validity of the password.

Couldn't this also be the same string as is stored server side for the secured session cookie, and xor'ed when checking validity ?

-jf
Re: [SOGo] Secured session cookies
On Tue, Dec 28, 2010 at 06:41:37PM -0500, Ludovic Marcotte wrote:
> On 10-12-28 4:19 PM, Jan-Frode Myklebust wrote:
>> So maybe save a salted hash of the password in memcached for this comparison instead ?
>
> That password needs to be known by SOGo - because it needs to push its cleartext version to the IMAP server.

OK, guess I don't understand the details well enough.., it just feels so bad to store plaintext passwords anywhere. My assumption was that when SOGo needs the password for IMAP, it could either be generated via the secured session cookies or for non-cookie-based authentication it would be provided in plaintext (basic auth) from the client.

> The password could be hashed using a string shared across all SOGo cluster members - that would buy a false sense of security for a little while.

I suggested keeping a (salted) hash of the plaintext password used with basic auth in memcached for avoiding having to validate passwords by ldap bind every time. Not using a reversible hash function that would allow sogo to recover the password.

But if my assumptions of all clients sending plaintext password, or secured session cookie on every request, are not true, then I see that this won't work.

-jf
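
The two ideas discussed in this thread, as an added example that is not SOGo's code: a password split by XOR with a one-time pad so neither half reveals it, and a cache of salted digests that saves repeated LDAP binds without keeping plaintext. All names are hypothetical; the dict stands in for memcached, `bind` for the LDAP bind, PBKDF2 is a swapped-in choice of hash, and which half travels in the cookie is an assumption.

```python
import hashlib
import hmac
import secrets
import time


def seal_password(password: str) -> tuple[bytes, bytes]:
    """XOR the password with a fresh random pad; return (pad, sealed).

    Each half alone is uniformly random bytes. Here the pad is meant for the
    session cookie and `sealed` for server-side storage (an assumption).
    """
    data = password.encode("utf-8")
    pad = secrets.token_bytes(len(data))
    return pad, bytes(a ^ b for a, b in zip(data, pad))


def open_password(pad: bytes, sealed: bytes) -> str:
    """Recombine both halves, e.g. right before the IMAP login."""
    if len(pad) != len(sealed):
        raise ValueError("pad and sealed value differ in length")
    return bytes(a ^ b for a, b in zip(pad, sealed)).decode("utf-8")


class BindCache:
    """Remember successful binds as salted PBKDF2 digests, never as plaintext."""

    ITERATIONS = 100_000

    def __init__(self, bind, ttl_seconds, clock=time.monotonic):
        self._bind = bind          # callable(user, password) -> bool
        self._ttl = ttl_seconds
        self._clock = clock
        self.entries = {}          # user -> (salt, digest, stored_at)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def check(self, user: str, password: str) -> bool:
        entry = self.entries.get(user)
        if entry is not None:
            salt, digest, stored_at = entry
            fresh = self._clock() - stored_at < self._ttl
            if fresh and hmac.compare_digest(self._digest(password, salt), digest):
                return True
        # Miss, expiry or mismatch: the directory decides (the password may
        # have been changed since the digest was stored).
        if not self._bind(user, password):
            self.entries.pop(user, None)
            return False
        salt = secrets.token_bytes(16)
        self.entries[user] = (salt, self._digest(password, salt), self._clock())
        return True
```

The digest cache only answers "is this the password that last bound successfully"; as the reply quoted above points out, the IMAP login still needs the cleartext, which the XOR split reconstructs only while the client presents its half.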